this post was submitted on 06 Apr 2022
16 points (100.0% liked)

Linux

1259 readers
28 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
16
Any server security suggestions for a noob? (lemmy.ml)
submitted 2 years ago by suspended@lemmy.ml to c/linux@lemmy.ml
16 comments fedilink hide all child comments
 

I, recently, started running a Lemmy instance. I am, also, new to Linux servers.

At the advisement of some tech acquaintances, I've installed UnnattendedUpgrades and Fail2ban.

What would you recommend?

you are viewing a single comment's thread
view the rest of the comments
[–] gofoss@lemmy.ml 9 points 2 years ago (2 children)

Below a couple of ideas, some building on what has already been stated. It's all detailed here:

Feedback really welcomed, as there's always something to be learned in server security :)

--

General hardening:

  • set up a firewall (ufw)
  • make sure your system time is correct (ntp)
  • enable unattended upgrades
  • limit privileged access (sudo)
  • hide process information (/proc)
  • enforce strict password policy (pam, login.defs)
  • enforce stricter permissions (umask)
  • close all unused ports (check with nmap)
  • install a malware scanner (lmd)
  • install an antivirus (clamav)
  • disable core dumps
  • disable unused kernel modules
  • add legal banner

SSH:

  • change the port
  • limit the nb of login attempts
  • limit access to admin users
  • enable access logs
  • forbid remote access to root
  • use auth keys with instead of password auth
  • disconnect after inactivity period
  • remove short encryption keys

MySQL (if applicable):

  • run a hardening script
  • disable remote access
  • prevent unauthorised access to local files
  • create separate users with limited privileges for each app

Apache (if applicable):

  • enable security modules
  • hide http headers
  • set up modsecurity, a web app firewall

PHP (if applicable):

  • hide php version in headers
  • disable remote code execution
  • disable potentially harmful functions
  • limit script runtime & memory allocation

Network security (sysctl):

  • ip spoofing protection
  • ignore icmp broadcasts & redirects
  • disable source paket routing
  • block syn attacks
  • log martians
  • ignore pings
[–] suspended@lemmy.ml 4 points 2 years ago

Fantastic answer! Thanks so much :)

[–] sexy_peach@feddit.de 3 points 2 years ago (1 children)

Is all of this really necessary?

[–] krolden@lemmy.ml 6 points 2 years ago* (last edited 2 years ago)

Not really. Especially the antivirus. Its pretty easy to avoid such things by not installing any untrusted aoftware. Not to mentionitf youd likely be ransomwared before you detectedanhthing.

But hosting publicly facing services is always a risk.