I, recently, started running a Lemmy instance. I am, also, new to Linux servers.
At the advisement of some tech acquaintances, I’ve installed UnnattendedUpgrades and Fail2ban.
What would you recommend?
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
- 0 users online
- 5 users / day
- 20 users / week
- 27 users / month
- 16 users / 6 months
- 20 subscribers
- 684 Posts
- 1.7K Comments
- Modlog
Below a couple of ideas, some building on what has already been stated. It’s all detailed here:
Feedback really welcomed, as there’s always something to be learned in server security :)
–
General hardening:
SSH:
MySQL (if applicable):
Apache (if applicable):
PHP (if applicable):
Network security (sysctl):
Fantastic answer! Thanks so much :)
Is all of this really necessary?
Not really. Especially the antivirus. Its pretty easy to avoid such things by not installing any untrusted aoftware. Not to mentionitf youd likely be ransomwared before you detectedanhthing.
But hosting publicly facing services is always a risk.
The linux upskill challenge guides users through setting up a server from the beginning and shows you how to set up a firewall with ufw as well as disabling root login via ssh.
Thank you. I will look into this.
Don’t allow root ssh access, you could also change the ssh port to one that’s not 22. Also you could disallow ssh password login and allow key-based authentication only.
Also try to set it up without installing sudo , which will eliminate a lot of privilege escalationvulnerabilities.
i personally don’t recommend fail2ban: it’s a good way to lock yourself out of your own server but will probably not protect you from any attacks.
for protection unattended upgrades (like you have) and disabling SSH password auth (
PasswordAuthentication noin /etc/ssh/sshd_config) is the best you can do.also i’ve never run a lemmy instance but make sure the database isn’t reachable from the internet, only from localhost :)
If you get locked out by your own fail2ban rules then you’ve probably forgotten your password.
Not to mentionyoull probably be able to get control back using your hosts console.
sure sure it’s just fail2ban doesn’t just apply to SSH and can get your IP banned if you typo on your password on some web service… and from there you can’t SSH into the server to fix the problem ;) ;)
Yeah if you dont configure it properly. Ive never actually know anyone get locked out by fail2ban
Oh i’m pretty good at making stupid mistakes ;)
disable root login over ssh, and use public keys auth if possible.
fail2ban is good, but needs to be configured properly.
there’s probably lots more, but that’s a start.
Thank you for responding kindly. Is there a resource that you’d recommend looking into proper configuration?
I think their doc’s are decent? and I could be wrong, and maybe it depends on the Linux distribution, but I’m just not 100% sure if it actually does anything without some basic configuration.