What are common practice's for hardening/securing your server?
What are common practice's for hardening/securing your server?
11 comments
-
-
Don't expose anything you don't absolutely have to. If you can, put everything behind a VPN gateway.
Make backups. Follow the 3-2-1 rule.
-
Will a wireguard docker image work for getting ssh access to my server?
-
-
fail2ban
-
- crowdsec
- SSH - change port, disable root login, disable password login, setup SSH keys using SK(YubiKey in my case)
- nftables - I use https://github.com/etkaar/nftm to keep things quick and simple. I like the fact if will convert DNS entries to IPs. I then just use dynamic DNS update clients on all my endpoints
- WireGuard for access to services other than SSH(in some cases port 443 will be open if its a web server or proxy)
- rsyslog to forward auth logs to my central syslog server
-
disable root login
That does not do much in practice. When a user is compromised a simple alias put in the .bashrc can compromise the sudo password.
Explicitly limit the user accounts that can login so that accidentally no test or service account with temporary credentials can login via ssh is the better recommendation.
-
-
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TCP Transmission Control Protocol, most often over IP VNC Virtual Network Computing for remote desktop access VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) [Thread #693 for this sub, first seen 20th Apr 2024, 15:55] [FAQ] [Full list] [Contact] [Source code]
-
Use a hardened-by-default OS like OpenBSD, HardenedBSD, or something similar in Linux.
-
- fail2ban / brute forcing prevention
- quick, frequent updates(!)
- containerization / virtualization
- secure passwords, better keys
- firewall
- a hardened operating system (distribution)
- SELinux / Apparmor / ... / OpenBSD
- not installing unnecessary stuff
- An admin who is an expert and knows what they do.
-
Kicksecure Debian CLI: https://www.kicksecure.com/wiki/Debian
-
Move services away from known ports and don't use ports that end with well known port numbers (22,80,443).
Moving ssh from 22 to 2222 or 443 to 10443 does nothing. You have ~65000 ports. Pick something random like 6744 or 2458
11 comments
Setup Fail2ban
Login only with SSH keys. MFA on SSH login. Use SSH proto 2.
Disable passwords, x11 forwarding, root logins
Reduce Idle timeout interval
Limit users' SSH access
That should be more than enough for the average use case.