Server Guides: Difference between revisions

Line 25:

* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.

* '''Regular Updates''': Ensure the server and all software are regularly updated.

* '''Split Disks''': Separate <~~code~~>/tmp</~~code~~> and <~~code~~>/var</~~code~~> partitions with <~~code~~>noexec</~~code~~> flag.

* '''Split Disks''': Separate <pre>/tmp</pre> and <pre>/var</pre> partitions with <pre>noexec</pre> flag.

* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.

* '''Privilege Escalation Mitigation''': Use <~~code~~>sysctl</~~code~~> variables and kernel parameters to mitigate privilege escalation.

* '''Privilege Escalation Mitigation''': Use <pre>sysctl</pre> variables and kernel parameters to mitigate privilege escalation.

* '''Audit''': Regularly audit the server using tools like <~~code~~>rkhunter</~~code~~> and <~~code~~>debsecan</~~code~~>.

* '''Audit''': Regularly audit the server using tools like <pre>rkhunter</pre> and <pre>debsecan</pre>.

* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).

Line 34:

* '''Data Encryption''': Encrypt all data communication.

## Use <~~code~~>scp</~~code~~>, <~~code~~>ssh</~~code~~>, <~~code~~>rsync</~~code~~>, or <~~code~~>sftp</~~code~~> for file transfer.

** Use <pre>scp</pre>, <pre>ssh</pre>, <pre>rsync</pre>, or <pre>sftp</pre> for file transfer.

## Consider VPNs like OpenVPN or tinc for secure connections.

** Consider VPNs like OpenVPN or tinc for secure connections.

* '''Service Management''':

## Avoid using insecure services like FTP, Telnet, and Rsh.

** Avoid using insecure services like FTP, Telnet, and Rsh.

## Minimize installed software to reduce vulnerability.

** Minimize installed software to reduce vulnerability.

* '''Kernel and Software Updates''':

## Apply all security patches promptly.

** Apply all security patches promptly.

## Consider using tools like <~~code~~>apticron</~~code~~> for Debian-based systems.

** Consider using tools like <pre>apticron</pre> for Debian-based systems.

* '''Linux Security Extensions''':

## Enable SELinux or other security extensions to enforce limitations on applications.

** Enable SELinux or other security extensions to enforce limitations on applications.

* '''User Accounts and Password Policies''':

## Enforce strong password policies.

** Enforce strong password policies.

## Use tools like <~~code~~>pam_cracklib</~~code~~> to enforce password strength.

** Use tools like <pre>pam_cracklib</pre> to enforce password strength.

## Set up password aging policies using <~~code~~>chage</~~code~~>.

** Set up password aging policies using <pre>chage</pre>.

* '''Fail2ban''':

## Install and configure Fail2ban to block IP addresses after failed login attempts.

** Install and configure Fail2ban to block IP addresses after failed login attempts.

* '''Disable Unwanted Services''':

## Disable unnecessary services and daemons.

** Disable unnecessary services and daemons.

## Use <~~code~~>systemctl</~~code~~> to manage services on modern Linux distributions.

** Use <pre>systemctl</pre> to manage services on modern Linux distributions.

* '''Network Security''':

## Use <~~code~~>iptables</~~code~~> or <~~code~~>firewalld</~~code~~> to manage firewall rules.

** Use <pre>iptables</pre> or <pre>firewalld</pre> to manage firewall rules.

## Use tools like <~~code~~>nmap</~~code~~> to scan open ports.

** Use tools like <pre>nmap</pre> to scan open ports.

* '''File System Security''':

## Separate critical file systems into different partitions with appropriate mount options (<~~code~~>noexec</~~code~~>, <~~code~~>nodev</~~code~~>, <~~code~~>nosuid</~~code~~>).

** Separate critical file systems into different partitions with appropriate mount options (<pre>noexec</pre>, <pre>nodev</pre>, <pre>nosuid</pre>).

* '''Regular Backups''':

## Implement regular, encrypted backups to an offsite location.

** Implement regular, encrypted backups to an offsite location.

* '''Intrusion Detection Systems (IDS)''':

## Use tools like AIDE and RKHunter for host-based intrusion detection.

** Use tools like AIDE and RKHunter for host-based intrusion detection.

* '''Secure SSH Configuration''':

## Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).

** Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).

[[Category:Self-hosting]]

[[Category:Guides]]

[[Category:Server]]

[[Category:Network]]

@@ Line 25: / Line 25: @@
 * '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
 * '''Regular Updates''': Ensure the server and all software are regularly updated.
-* '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag.
+* '''Split Disks''': Separate <pre>/tmp</pre> and <pre>/var</pre> partitions with <pre>noexec</pre> flag.
 * '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
-* '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation.
+* '''Privilege Escalation Mitigation''': Use <pre>sysctl</pre> variables and kernel parameters to mitigate privilege escalation.
-* '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>.
+* '''Audit''': Regularly audit the server using tools like <pre>rkhunter</pre> and <pre>debsecan</pre>.
 * '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
@@ Line 34: / Line 34: @@
 * '''Data Encryption''': Encrypt all data communication.
-## Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
+** Use <pre>scp</pre>, <pre>ssh</pre>, <pre>rsync</pre>, or <pre>sftp</pre> for file transfer.
-## Consider VPNs like OpenVPN or tinc for secure connections.
+** Consider VPNs like OpenVPN or tinc for secure connections.
 * '''Service Management''':
-## Avoid using insecure services like FTP, Telnet, and Rsh.
+** Avoid using insecure services like FTP, Telnet, and Rsh.
-## Minimize installed software to reduce vulnerability.
+** Minimize installed software to reduce vulnerability.
 * '''Kernel and Software Updates''':
-## Apply all security patches promptly.
+** Apply all security patches promptly.
-## Consider using tools like <code>apticron</code> for Debian-based systems.
+** Consider using tools like <pre>apticron</pre> for Debian-based systems.
 * '''Linux Security Extensions''':
-## Enable SELinux or other security extensions to enforce limitations on applications.
+** Enable SELinux or other security extensions to enforce limitations on applications.
 * '''User Accounts and Password Policies''':
-## Enforce strong password policies.
+** Enforce strong password policies.
-## Use tools like <code>pam_cracklib</code> to enforce password strength.
+** Use tools like <pre>pam_cracklib</pre> to enforce password strength.
-## Set up password aging policies using <code>chage</code>.
+** Set up password aging policies using <pre>chage</pre>.
 * '''Fail2ban''':
-## Install and configure Fail2ban to block IP addresses after failed login attempts.
+** Install and configure Fail2ban to block IP addresses after failed login attempts.
 * '''Disable Unwanted Services''':
-## Disable unnecessary services and daemons.
+** Disable unnecessary services and daemons.
-## Use <code>systemctl</code> to manage services on modern Linux distributions.
+** Use <pre>systemctl</pre> to manage services on modern Linux distributions.
 * '''Network Security''':
-## Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
+** Use <pre>iptables</pre> or <pre>firewalld</pre> to manage firewall rules.
-## Use tools like <code>nmap</code> to scan open ports.
+** Use tools like <pre>nmap</pre> to scan open ports.
 * '''File System Security''':
-## Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
+** Separate critical file systems into different partitions with appropriate mount options (<pre>noexec</pre>, <pre>nodev</pre>, <pre>nosuid</pre>).
 * '''Regular Backups''':
-## Implement regular, encrypted backups to an offsite location.
+** Implement regular, encrypted backups to an offsite location.
 * '''Intrusion Detection Systems (IDS)''':
-## Use tools like AIDE and RKHunter for host-based intrusion detection.
+** Use tools like AIDE and RKHunter for host-based intrusion detection.
 * '''Secure SSH Configuration''':
-## Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
+** Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
 [[Category:Self-hosting]]
 [[Category:Guides]]
 [[Category:Server]]
 [[Category:Network]]