gofoss

joined 3 years ago
[–] gofoss@lemmy.ml 9 points 2 years ago (3 children)

Below are a couple of ideas, some building on what has already been stated. It's all detailed here:

Feedback really welcomed, as there's always something to be learned in server security :)

--

General hardening:

  • set up a firewall (ufw)
  • make sure your system time is correct (ntp)
  • enable unattended upgrades
  • limit privileged access (sudo)
  • hide process information (/proc)
  • enforce strict password policy (pam, login.defs)
  • enforce stricter permissions (umask)
  • close all unused ports (check with nmap)
  • install a malware scanner (lmd)
  • install an antivirus (clamav)
  • disable core dumps
  • disable unused kernel modules
  • add legal banner

SSH:

  • change the port
  • limit the number of login attempts
  • limit access to admin users
  • enable access logs
  • forbid remote access to root
  • use auth keys instead of password auth
  • disconnect after inactivity period
  • remove short encryption keys

MySQL (if applicable):

  • run a hardening script
  • disable remote access
  • prevent unauthorised access to local files
  • create separate users with limited privileges for each app

Apache (if applicable):

  • enable security modules
  • hide http headers
  • set up modsecurity, a web app firewall

PHP (if applicable):

  • hide php version in headers
  • disable remote code execution
  • disable potentially harmful functions
  • limit script runtime & memory allocation

Network security (sysctl):

  • ip spoofing protection
  • ignore icmp broadcasts & redirects
  • disable source packet routing
  • block SYN attacks
  • log martians
  • ignore pings
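The SSH section of the list above, as an added example that is not part of the original comment or of the gofoss.net guide: a POSIX sh audit that reads an sshd_config the way sshd resolves it (first occurrence of a keyword wins, keywords are case-insensitive) and reports which of the listed points are not met, plus the pruning of small Diffie-Hellman groups from a moduli file. Reading "remove short encryption keys" as that moduli pruning is an assumption; the two sample configs, the moduli lines and the `admin` user name are constructed placeholders, not real data.

```shell
#!/bin/sh
# Added example, not code from the original post or from gofoss.net.
# Limitations: Match blocks and Include'd files are not followed; feed it the
# output of `sshd -T` (the effective config) when those matter.

# Print the effective value of one sshd_config keyword (case-insensitive).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0 { next }                        # comments, blank lines
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "") # drop the keyword
            print; exit                                      # first occurrence wins
        }' "$1"
}

# Record one failed check on stderr and bump the counter.
fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

# Audit a config file against the SSH points in the list; prints the number
# of failed checks on stdout so callers can branch on it.
audit_sshd() {
    cfg=$1; fails=0

    # change the port: anything but the default 22
    v=$(sshd_value "$cfg" Port)
    { [ -n "$v" ] && [ "$v" != 22 ]; } || fail "Port is ${v:-22}; move sshd off the default port"

    # limit the number of login attempts per connection (sshd default is 6)
    v=$(sshd_value "$cfg" MaxAuthTries)
    case $v in
        [0-9]|[0-9][0-9]) [ "$v" -le 3 ] || fail "MaxAuthTries $v > 3" ;;
        *) fail "MaxAuthTries not set (default 6)" ;;
    esac

    # limit access to admin users: an explicit allow-list must exist
    u=$(sshd_value "$cfg" AllowUsers); g=$(sshd_value "$cfg" AllowGroups)
    [ -n "$u$g" ] || fail "no AllowUsers/AllowGroups allow-list"

    # enable access logs: VERBOSE also logs the fingerprint of the key used
    v=$(sshd_value "$cfg" LogLevel)
    [ "$(printf '%s' "$v" | tr 'a-z' 'A-Z')" = VERBOSE ] || fail "LogLevel is ${v:-INFO}, want VERBOSE"

    # forbid remote access to root (OpenSSH default is prohibit-password)
    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = no ] || fail "PermitRootLogin is ${v:-prohibit-password}, want no"

    # auth keys instead of passwords
    p=$(sshd_value "$cfg" PasswordAuthentication); k=$(sshd_value "$cfg" PubkeyAuthentication)
    { [ "$p" = no ] && [ "${k:-yes}" = yes ]; } || fail "PasswordAuthentication=${p:-yes}, PubkeyAuthentication=${k:-yes}"

    # disconnect after an inactivity period: interval x count seconds of silence
    i=$(sshd_value "$cfg" ClientAliveInterval); c=$(sshd_value "$cfg" ClientAliveCountMax)
    { [ "${i:-0}" -gt 0 ] && [ -n "$c" ]; } || fail "ClientAliveInterval/ClientAliveCountMax not set (no idle timeout)"

    echo "$fails"
}

# "Remove short encryption keys": keep only Diffie-Hellman groups of at least
# 3072 bits in a moduli file (field 5 is the size; 3071 means a 3072-bit group).
prune_moduli() { awk '$5 >= 3071' "$1"; }

# Constructed samples: a stock-looking config, the hardened one, and a moduli
# file with fake hex in place of the real primes.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); MODULI=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$MODULI"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: looks like a stock sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened per the list (user name is a placeholder)
Port 2222
LogLevel VERBOSE
MaxAuthTries 3
AllowUsers admin
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
cat > "$MODULI" <<'EOF'
20230101000000 2 6 100 2047 2 C0FFEE01
20230101000000 2 6 100 3071 2 C0FFEE02
20230101000000 2 6 100 4095 2 C0FFEE03
EOF

echo "stock config: $(audit_sshd "$WEAK_CFG") failed checks"
echo "hardened config: $(audit_sshd "$HARD_CFG") failed checks"
echo "moduli kept after pruning: $(prune_moduli "$MODULI" | wc -l)"
```

On a real host, `sshd -T > effective.conf && audit_sshd effective.conf` audits the effective configuration (Include and Match already resolved, keywords printed in lower case, which `sshd_value` handles), and `prune_moduli /etc/ssh/moduli > moduli.new` produces the trimmed file to install after review.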
[–] gofoss@lemmy.ml 2 points 2 years ago

Thanks for the post & feel free to elaborate. While we can't please all, we are always open to constructive feedback. To be fair:

a) we're a bunch of FOSS idealists. So no affiliate links, sponsorships, crypto-shadiness or any other bullshit on our website

b) we make it pretty clear none of those services is the panacea. We're still convinced they're better than Big Tech/GAFAM

c) we mention caveats/criticism where deemed necessary, e.g. Mozilla's conflict of interest, Signal's privacy flaws, etc.

d) we always mention a couple of alternatives, so that readers can pick & choose according to their needs

[–] gofoss@lemmy.ml 4 points 2 years ago

Fun story: originally, this whole construction cone thing was a student joke. VLC was developed at a French university, which was under construction when the software was created. The students - possibly cheered up by a few drinks - had fun with some construction cones and ended up choosing one as their emblem.


Hey Lemmy!

We've released gofoss.net, a beginner's guide to free and open source software, privacy and sustainable tech.

The site is available in English, French and German. We hope that it can help some of you to:

  • safely browse the Internet
  • encrypt your conversations
  • protect your data
  • switch to Linux
  • free your phone from Google & Apple
  • join the Fediverse & use alternative cloud providers
  • self-host your stuff

The source code is available on GitLab. Happy to chat, let us know what you think!

For more information, please come find us at gofoss.net :)

--

PS: We are 100% non-profit: no ads, no tracking, no sponsored or paywalled content.