I, recently, started running a Lemmy instance. I am, also, new to Linux servers.

At the advisement of some tech acquaintances, I’ve installed UnnattendedUpgrades and Fail2ban.

What would you recommend?

  • gofoss.net
    link
    fedilink
    102 years ago

    Below a couple of ideas, some building on what has already been stated. It’s all detailed here:

    Feedback really welcomed, as there’s always something to be learned in server security :)

    General hardening:

    • set up a firewall (ufw)
    • make sure your system time is correct (ntp)
    • enable unattended upgrades
    • limit privileged access (sudo)
    • hide process information (/proc)
    • enforce strict password policy (pam, login.defs)
    • enforce stricter permissions (umask)
    • close all unused ports (check with nmap)
    • install a malware scanner (lmd)
    • install an antivirus (clamav)
    • disable core dumps
    • disable unused kernel modules
    • add legal banner

    SSH:

    • change the port
    • limit the nb of login attempts
    • limit access to admin users
    • enable access logs
    • forbid remote access to root
    • use auth keys with instead of password auth
    • disconnect after inactivity period
    • remove short encryption keys

    MySQL (if applicable):

    • run a hardening script
    • disable remote access
    • prevent unauthorised access to local files
    • create separate users with limited privileges for each app

    Apache (if applicable):

    • enable security modules
    • hide http headers
    • set up modsecurity, a web app firewall

    PHP (if applicable):

    • hide php version in headers
    • disable remote code execution
    • disable potentially harmful functions
    • limit script runtime & memory allocation

    Network security (sysctl):

    • ip spoofing protection
    • ignore icmp broadcasts & redirects
    • disable source paket routing
    • block syn attacks
    • log martians
    • ignore pings
      • krolden
        link
        fedilink
        6
        edit-2
        2 years ago

        Not really. Especially the antivirus. Its pretty easy to avoid such things by not installing any untrusted aoftware. Not to mentionitf youd likely be ransomwared before you detectedanhthing.

        But hosting publicly facing services is always a risk.

  • seahorse [Ohio]
    link
    fedilink
    62 years ago

    The linux upskill challenge guides users through setting up a server from the beginning and shows you how to set up a firewall with ufw as well as disabling root login via ssh.

  • @sexy_peach@feddit.de
    link
    fedilink
    52 years ago

    Don’t allow root ssh access, you could also change the ssh port to one that’s not 22. Also you could disallow ssh password login and allow key-based authentication only.

    • krolden
      link
      fedilink
      42 years ago

      Also try to set it up without installing sudo , which will eliminate a lot of privilege escalationvulnerabilities.

  • @smorks@lemmy.ca
    link
    fedilink
    42 years ago

    disable root login over ssh, and use public keys auth if possible.

    fail2ban is good, but needs to be configured properly.

    there’s probably lots more, but that’s a start.

    • @suspended@lemmy.mlOP
      link
      fedilink
      12 years ago

      fail2ban is good, but needs to be configured properly.

      Thank you for responding kindly. Is there a resource that you’d recommend looking into proper configuration?

      • @smorks@lemmy.ca
        link
        fedilink
        22 years ago

        I think their doc’s are decent? and I could be wrong, and maybe it depends on the Linux distribution, but I’m just not 100% sure if it actually does anything without some basic configuration.

      • @smorks@lemmy.ca
        link
        fedilink
        22 years ago

        to be clear, the only way to access ssh is by connecting through the VPN? yeah, it should be fine, as long as your vpn is secure.

  • @southerntofu@lemmy.ml
    link
    fedilink
    42 years ago

    i personally don’t recommend fail2ban: it’s a good way to lock yourself out of your own server but will probably not protect you from any attacks.

    for protection unattended upgrades (like you have) and disabling SSH password auth (PasswordAuthentication no in /etc/ssh/sshd_config) is the best you can do.

    also i’ve never run a lemmy instance but make sure the database isn’t reachable from the internet, only from localhost :)

    • krolden
      link
      fedilink
      6
      edit-2
      2 years ago

      If you get locked out by your own fail2ban rules then you’ve probably forgotten your password.

      Not to mentionyoull probably be able to get control back using your hosts console.

      • @southerntofu@lemmy.ml
        link
        fedilink
        02 years ago

        sure sure it’s just fail2ban doesn’t just apply to SSH and can get your IP banned if you typo on your password on some web service… and from there you can’t SSH into the server to fix the problem ;) ;)