Server Guides: Difference between revisions
| Line 11: | Line 11: | ||
* Proxmox | * Proxmox | ||
* Clapper | * Clapper | ||
* [[Linux Server Initial Setup]] | |||
* [[Linux Server Storage]] | |||
== Best Practices to Secure Servers in 2024 == | == Best Practices to Secure Servers in 2024 == | ||
Latest revision as of 04:05, 21 November 2024
Server Guides
Community Server Guides
- Matrix Server Guide
- Maubot Chatbot Guides
- SimpleX Server
- Service - Storage - Nextcloud
- Authentik Installation
- Setting Up Cryptpad Server
- Proxmox
- Clapper
- Linux Server Initial Setup
- Linux Server Storage
Best Practices to Secure Servers in 2024
Source:
- Best practice to secure servers in 2024
- Madaidans Insecurities Linux Hardening Guide
- Cyberciti Linux Security Tips
General Security Practices
- No Root Login: Disable root login to enhance security.
- SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
- VPN Access: VPN access is required to reach the SSH server.
- Firmware and Auto Updates: Enable automatic updates for both firmware and software.
- Firewall: Configure a firewall to control incoming and outgoing traffic.
- Regular Updates: Ensure the server and all software are regularly updated.
- Split Disks: Separate /tmp and /var partitions with noexec flag.
- Log Monitoring: Regularly monitor server logs for suspicious activities.
- Privilege Escalation Mitigation: Use sysctl variables and kernel parameters to mitigate privilege escalation.
- Audit: Regularly audit the server using tools like rkhunter and debsecan.
- Open Ports: Only open necessary ports (e.g., 80, 443, 22).
Detailed Security Measures
- Data Encryption: Encrypt all data communication.
- Use scp, ssh, rsync, rclone or sftp for file transfer.
- Consider reverse proxy (tail scale, Cloudflare) or wireguard.
- Service Management:
- Avoid using insecure services like FTP, Telnet, and Rsh.
- Minimize installed software to reduce vulnerability.
- Kernel and Software Updates:
- Apply all security patches promptly.
- Use an Ansible Script to patch multiple servers periodically including OS, docker, git, etc
- Apply all security patches promptly.
- Linux Security Extensions:
- Enable SELinux or other security extensions to enforce limitations on applications.
- User Accounts and Password Policies:
- Enforce strong password policies.
- Use tools like pam_cracklib to enforce password strength.
- Set up password aging policies using chage.
- Fail2ban:
- Install and configure Fail2ban to block IP addresses after failed login attempts.
- Disable Unwanted Services:
- Disable unnecessary services and daemons.
- Use systemctl to manage services on modern Linux distributions.
- Network Security:
- Use iptables or firewalld to manage firewall rules.
- Use tools like nmap to scan open ports.
- File System Security:
- Separate critical file systems into different partitions with appropriate mount options (noexec, nodev, nosuid).
- Regular Backups:
- Implement regular, encrypted backups to an offsite location.
- Intrusion Detection Systems (IDS):
- Use tools like AIDE and RKHunter for host-based intrusion detection.
- Secure SSH Configuration:
- Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).