Server Guides

Revision as of 03:31, 21 November 2024 by Sac (talk | contribs) (formatting)

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

Source:

General Security Practices

  • No Root Login: Disable root login to enhance security.
  • SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
  • VPN Access: Require VPN access to reach the SSH server.
  • Firmware and Auto Updates: Enable automatic updates for both firmware and software.
  • Firewall: Configure a firewall to control incoming and outgoing traffic.
  • Regular Updates: Ensure the server and all software are regularly updated.
  • Split Disks: Separate
    /tmp
    and
    /var
    partitions with
    noexec
    flag.
  • Log Monitoring: Regularly monitor server logs for suspicious activities.
  • Privilege Escalation Mitigation: Use
    sysctl
    variables and kernel parameters to mitigate privilege escalation.
  • Audit: Regularly audit the server using tools like
    rkhunter
    and
    debsecan
    .
  • Open Ports: Only open necessary ports (e.g., 80, 443, 22).

Detailed Security Measures

  • Data Encryption: Encrypt all data communication.
    • Use
      scp
      ,
      ssh
      ,
      rsync
      , or
      sftp
      for file transfer.
    • Consider VPNs like OpenVPN or tinc for secure connections.
  • Service Management:
    • Avoid using insecure services like FTP, Telnet, and Rsh.
    • Minimize installed software to reduce vulnerability.
  • Kernel and Software Updates:
    • Apply all security patches promptly.
    • Consider using tools like
      apticron
      for Debian-based systems.
  • Linux Security Extensions:
    • Enable SELinux or other security extensions to enforce limitations on applications.
  • User Accounts and Password Policies:
    • Enforce strong password policies.
    • Use tools like
      pam_cracklib
      to enforce password strength.
    • Set up password aging policies using
      chage
      .
  • Fail2ban:
    • Install and configure Fail2ban to block IP addresses after failed login attempts.
  • Disable Unwanted Services:
    • Disable unnecessary services and daemons.
    • Use
      systemctl
      to manage services on modern Linux distributions.
  • Network Security:
    • Use
      iptables
      or
      firewalld
      to manage firewall rules.
    • Use tools like
      nmap
      to scan open ports.
  • File System Security:
    • Separate critical file systems into different partitions with appropriate mount options (
      noexec
      ,
      nodev
      ,
      nosuid
      ).
  • Regular Backups:
    • Implement regular, encrypted backups to an offsite location.
  • Intrusion Detection Systems (IDS):
    • Use tools like AIDE and RKHunter for host-based intrusion detection.
  • Secure SSH Configuration:
    • Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).