Server Guides: Difference between revisions

Line 5:

== Community Server Guides ==

'' [[matrix-server-guide~~.md~~|Matrix Server Guide]]

* [[matrix-server-guide|Matrix Server Guide]]

~~''''~~ [[ssh-keys|Create SSH Keys]]

* [[ssh-keys|Create SSH Keys]]

'' [[Service%20-%20storage%20-%20Nextcloud~~.md~~|Service - Storage - Nextcloud]]

* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]

'' [[Authentik%20Installation~~.md~~|Authentik Installation]]

* [[Authentik%20Installation|Authentik Installation]]

'' [[setting%20up%20cryptpad%20server~~.md~~|Setting Up Cryptpad Server]]

* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]

== Best Practices to Secure Servers in 2024 ==

Source: - [https://www.reddit.com/r/linuxadmin/comments/1an0vqp/best_practice_to_secure_servers_in_2024/ Best practice to secure servers in 2024] - [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidans Insecurities Linux Hardening Guide] - [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]

Source:

* [https://www.reddit.com/r/linuxadmin/comments/1an0vqp/best_practice_to_secure_servers_in_2024/ Best practice to secure servers in 2024]

* [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidans Insecurities Linux Hardening Guide]

* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]

=== General Security Practices ===

= '''No Root Login''': Disable root login to enhance security. =

* '''No Root Login''': Disable root login to enhance security.

= '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login. =

* '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login.

= '''VPN Access''': Require VPN access to reach the SSH server. =

* '''VPN Access''': Require VPN access to reach the SSH server.

= '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software. =

* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.

= '''Firewall''': Configure a firewall to control incoming and outgoing traffic. =

* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.

= '''Regular Updates''': Ensure the server and all software are regularly updated. =

* '''Regular Updates''': Ensure the server and all software are regularly updated.

= '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag. =

* '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag.

= '''Log Monitoring''': Regularly monitor server logs for suspicious activities. =

* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.

= '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation. =

* '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation.

= '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>. =

* '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>.

= '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22). =

* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).

=== Detailed Security Measures ===

= '''Data Encryption''': Encrypt all data communication. =

* '''Data Encryption''': Encrypt all data communication.

~~#''~~ Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.

1. Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.

~~#''~~ Consider VPNs like OpenVPN or tinc for secure connections.

2. Consider VPNs like OpenVPN or tinc for secure connections.

= '''Service Management''': =

* '''Service Management''':

~~#''~~ Avoid using insecure services like FTP, Telnet, and Rsh.

1. Avoid using insecure services like FTP, Telnet, and Rsh.

~~#''~~ Minimize installed software to reduce vulnerability.

2. Minimize installed software to reduce vulnerability.

= '''Kernel and Software Updates''': =

* '''Kernel and Software Updates''':

~~#''~~ Apply all security patches promptly.

1. Apply all security patches promptly.

~~#''~~ Consider using tools like <code>apticron</code> for Debian-based systems.

2. Consider using tools like <code>apticron</code> for Debian-based systems.

= '''Linux Security Extensions''': =

* '''Linux Security Extensions''':

~~#''~~ Enable SELinux or other security extensions to enforce limitations on applications.

1. Enable SELinux or other security extensions to enforce limitations on applications.

= '''User Accounts and Password Policies''': =

* '''User Accounts and Password Policies''':

~~#''~~ Enforce strong password policies.

1. Enforce strong password policies.

~~#''~~ Use tools like <code>pam_cracklib</code> to enforce password strength.

2. Use tools like <code>pam_cracklib</code> to enforce password strength.

~~#''~~ Set up password aging policies using <code>chage</code>.

3. Set up password aging policies using <code>chage</code>.

= '''Fail2ban''': =

* '''Fail2ban''':

~~#''~~ Install and configure Fail2ban to block IP addresses after failed login attempts.

1. Install and configure Fail2ban to block IP addresses after failed login attempts.

= '''Disable Unwanted Services''': =

* '''Disable Unwanted Services''':

~~#''~~ Disable unnecessary services and daemons.

1. Disable unnecessary services and daemons.

~~#''~~ Use <code>systemctl</code> to manage services on modern Linux distributions.

2. Use <code>systemctl</code> to manage services on modern Linux distributions.

= '''Network Security''': =

* '''Network Security''':

~~#''~~ Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.

1. Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.

~~#''~~ Use tools like <code>nmap</code> to scan open ports.

2. Use tools like <code>nmap</code> to scan open ports.

= '''File System Security''': =

* '''File System Security''':

~~#''~~ Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).

1. Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).

= '''Regular Backups''': =

* '''Regular Backups''':

~~#''~~ Implement regular, encrypted backups to an offsite location.

1. Implement regular, encrypted backups to an offsite location.

= '''Intrusion Detection Systems (IDS)''': =

* '''Intrusion Detection Systems (IDS)''':

~~#''~~ Use tools like AIDE and RKHunter for host-based intrusion detection.

1. Use tools like AIDE and RKHunter for host-based intrusion detection.

= '''Secure SSH Configuration''': =

* '''Secure SSH Configuration''':

#* Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).

1. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).

@@ Line 5: / Line 5: @@
 == Community Server Guides ==
-'' [[matrix-server-guide.md|Matrix Server Guide]]
+* [[matrix-server-guide|Matrix Server Guide]]
-'''' [[ssh-keys|Create SSH Keys]]
+* [[ssh-keys|Create SSH Keys]]
-'' [[Service%20-%20storage%20-%20Nextcloud.md|Service - Storage - Nextcloud]]
+* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]
-'' [[Authentik%20Installation.md|Authentik Installation]]
+* [[Authentik%20Installation|Authentik Installation]]
-'' [[setting%20up%20cryptpad%20server.md|Setting Up Cryptpad Server]]
+* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]
 <span id="best-practices-to-secure-servers-in-2024"></span>
 == Best Practices to Secure Servers in 2024 ==
-Source: - [https://www.reddit.com/r/linuxadmin/comments/1an0vqp/best_practice_to_secure_servers_in_2024/ Best practice to secure servers in 2024] - [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidans Insecurities Linux Hardening Guide] - [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]
+Source:
+* [https://www.reddit.com/r/linuxadmin/comments/1an0vqp/best_practice_to_secure_servers_in_2024/ Best practice to secure servers in 2024]
+* [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidans Insecurities Linux Hardening Guide]
+* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]
 <span id="general-security-practices"></span>
 === General Security Practices ===
-= '''No Root Login''': Disable root login to enhance security. =
+* '''No Root Login''': Disable root login to enhance security.
-= '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login. =
+* '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login.
-= '''VPN Access''': Require VPN access to reach the SSH server. =
+* '''VPN Access''': Require VPN access to reach the SSH server.
-= '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software. =
+* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.
-= '''Firewall''': Configure a firewall to control incoming and outgoing traffic. =
+* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
-= '''Regular Updates''': Ensure the server and all software are regularly updated. =
+* '''Regular Updates''': Ensure the server and all software are regularly updated.
-= '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag. =
+* '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag.
-= '''Log Monitoring''': Regularly monitor server logs for suspicious activities. =
+* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
-= '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation. =
+* '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation.
-= '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>. =
+* '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>.
-= '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22). =
+* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
 <span id="detailed-security-measures"></span>
 === Detailed Security Measures ===
-= '''Data Encryption''': Encrypt all data communication. =
+* '''Data Encryption''': Encrypt all data communication.
-#'' Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
+. Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
-#'' Consider VPNs like OpenVPN or tinc for secure connections.
+. Consider VPNs like OpenVPN or tinc for secure connections.
-= '''Service Management''': =
+* '''Service Management''':
-#'' Avoid using insecure services like FTP, Telnet, and Rsh.
+. Avoid using insecure services like FTP, Telnet, and Rsh.
-#'' Minimize installed software to reduce vulnerability.
+. Minimize installed software to reduce vulnerability.
-= '''Kernel and Software Updates''': =
+* '''Kernel and Software Updates''':
-#'' Apply all security patches promptly.
+. Apply all security patches promptly.
-#'' Consider using tools like <code>apticron</code> for Debian-based systems.
+. Consider using tools like <code>apticron</code> for Debian-based systems.
-= '''Linux Security Extensions''': =
+* '''Linux Security Extensions''':
-#'' Enable SELinux or other security extensions to enforce limitations on applications.
+. Enable SELinux or other security extensions to enforce limitations on applications.
-= '''User Accounts and Password Policies''': =
+* '''User Accounts and Password Policies''':
-#'' Enforce strong password policies.
+. Enforce strong password policies.
-#'' Use tools like <code>pam_cracklib</code> to enforce password strength.
+. Use tools like <code>pam_cracklib</code> to enforce password strength.
-#'' Set up password aging policies using <code>chage</code>.
+. Set up password aging policies using <code>chage</code>.
-= '''Fail2ban''': =
+* '''Fail2ban''':
-#'' Install and configure Fail2ban to block IP addresses after failed login attempts.
+. Install and configure Fail2ban to block IP addresses after failed login attempts.
-= '''Disable Unwanted Services''': =
+* '''Disable Unwanted Services''':
-#'' Disable unnecessary services and daemons.
+. Disable unnecessary services and daemons.
-#'' Use <code>systemctl</code> to manage services on modern Linux distributions.
+. Use <code>systemctl</code> to manage services on modern Linux distributions.
-= '''Network Security''': =
+* '''Network Security''':
-#'' Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
+. Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
-#'' Use tools like <code>nmap</code> to scan open ports.
+. Use tools like <code>nmap</code> to scan open ports.
-= '''File System Security''': =
+* '''File System Security''':
-#'' Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
+. Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
-= '''Regular Backups''': =
+* '''Regular Backups''':
-#'' Implement regular, encrypted backups to an offsite location.
+. Implement regular, encrypted backups to an offsite location.
-= '''Intrusion Detection Systems (IDS)''': =
+* '''Intrusion Detection Systems (IDS)''':
-#'' Use tools like AIDE and RKHunter for host-based intrusion detection.
+. Use tools like AIDE and RKHunter for host-based intrusion detection.
-= '''Secure SSH Configuration''': =
+* '''Secure SSH Configuration''':
-#* Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).
+. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).