gofoss.net

We make https://gofoss.net.

The ultimate, free and open source guide to online privacy, data ownership and durable tech.

  • 1 Post
  • 17 Comments
Joined 3 years ago
cake
Cake day: October 8th, 2021

help-circle
  • Below a couple of ideas, some building on what has already been stated. It’s all detailed here:

    Feedback really welcomed, as there’s always something to be learned in server security :)

    General hardening:

    • set up a firewall (ufw)
    • make sure your system time is correct (ntp)
    • enable unattended upgrades
    • limit privileged access (sudo)
    • hide process information (/proc)
    • enforce strict password policy (pam, login.defs)
    • enforce stricter permissions (umask)
    • close all unused ports (check with nmap)
    • install a malware scanner (lmd)
    • install an antivirus (clamav)
    • disable core dumps
    • disable unused kernel modules
    • add legal banner

    SSH:

    • change the port
    • limit the nb of login attempts
    • limit access to admin users
    • enable access logs
    • forbid remote access to root
    • use auth keys with instead of password auth
    • disconnect after inactivity period
    • remove short encryption keys

    MySQL (if applicable):

    • run a hardening script
    • disable remote access
    • prevent unauthorised access to local files
    • create separate users with limited privileges for each app

    Apache (if applicable):

    • enable security modules
    • hide http headers
    • set up modsecurity, a web app firewall

    PHP (if applicable):

    • hide php version in headers
    • disable remote code execution
    • disable potentially harmful functions
    • limit script runtime & memory allocation

    Network security (sysctl):

    • ip spoofing protection
    • ignore icmp broadcasts & redirects
    • disable source paket routing
    • block syn attacks
    • log martians
    • ignore pings

  • Thx for the post & feel free to elaborate. While we can’t please all, we are always open to constructive feedback. To be fair:

    a) we’re a bunch of FOSS idealists. So no affiliate links, sponsorships, crypto-shadiness or any other bullshit on our website

    b) we make it pretty clear none of those services is the panacea. We’re still convinced they’re better than Big Tech/GAFAM

    c) we mention caveats/criticism where deemed necessary, e.g. Mozilla’s conflict of interest, Signal’s privacy flaws, etc.

    d) we always mention a couple of alternatives, so that readers can pick & choose according to their needs



  • Fun story: originally, this whole construction cone thing was a student joke. VLC has been developed at a French university, which was under construction when the software was created. The students - possibly cheered up by a few drinks - had fun with some construction cones and ended up choosing it as their emblem.