Community Server Guides

• Matrix Server Guide
• Create SSH Keys
• Service - Storage - Nextcloud
• Authentik Installation
• Setting Up Cryptpad Server
• Proxmox

Best Practices to Secure Servers in 2024

Source:

• Best practice to secure servers in 2024
• Madaidans Insecurities Linux Hardening Guide
• Cyberciti Linux Security Tips

General Security Practices

• No Root Login: Disable root login to enhance security.
• SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
• VPN Access: Require VPN access to reach the SSH server.
• Firmware and Auto Updates: Enable automatic updates for both firmware and software.
• Firewall: Configure a firewall to control incoming and outgoing traffic.
• Regular Updates: Ensure the server and all software are regularly updated.
• Split Disks: Separate /tmp and /var partitions with noexec flag.
• Log Monitoring: Regularly monitor server logs for suspicious activities.
• Privilege Escalation Mitigation: Use sysctl variables and kernel parameters to mitigate privilege escalation.
• Audit: Regularly audit the server using tools like rkhunter and debsecan.
• Open Ports: Only open necessary ports (e.g., 80, 443, 22).

Detailed Security Measures

• Data Encryption: Encrypt all data communication.

1. 1. Use scp, ssh, rsync, or sftp for file transfer.
   2. Consider VPNs like OpenVPN or tinc for secure connections.

• Service Management:

1. 1. Avoid using insecure services like FTP, Telnet, and Rsh.
   2. Minimize installed software to reduce vulnerability.

• Kernel and Software Updates:

1. 1. Apply all security patches promptly.
   2. Consider using tools like apticron for Debian-based systems.

• Linux Security Extensions:

1. 1. Enable SELinux or other security extensions to enforce limitations on applications.

• User Accounts and Password Policies:

1. 1. Enforce strong password policies.
   2. Use tools like pam_cracklib to enforce password strength.
   3. Set up password aging policies using chage.

• Fail2ban:

1. 1. Install and configure Fail2ban to block IP addresses after failed login attempts.

• Disable Unwanted Services:

1. 1. Disable unnecessary services and daemons.
   2. Use systemctl to manage services on modern Linux distributions.

• Network Security:

1. 1. Use iptables or firewalld to manage firewall rules.
   2. Use tools like nmap to scan open ports.

• File System Security:

1. 1. Separate critical file systems into different partitions with appropriate mount options (noexec, nodev, nosuid).

• Regular Backups:

1. 1. Implement regular, encrypted backups to an offsite location.

• Intrusion Detection Systems (IDS):

1. 1. Use tools like AIDE and RKHunter for host-based intrusion detection.

• Secure SSH Configuration:

1. 1. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).