We make https://gofoss.net.

The ultimate, free and open source guide to online privacy, data ownership and durable tech.

  • 1 Post
  • 13 Comments
Joined 3Y ago
Cake day: Oct 08, 2021

Below are a couple of ideas, some building on what has already been stated. It’s all detailed here:

Feedback really welcomed, as there’s always something to be learned in server security :)

General hardening:

  • set up a firewall (ufw)
  • make sure your system time is correct (ntp)
  • enable unattended upgrades
  • limit privileged access (sudo)
  • hide process information (/proc)
  • enforce strict password policy (pam, login.defs)
  • enforce stricter permissions (umask)
  • close all unused ports (check with nmap)
  • install a malware scanner (lmd)
  • install an antivirus (clamav)
  • disable core dumps
  • disable unused kernel modules
  • add legal banner

SSH:

  • change the port
  • limit the number of login attempts
  • limit access to admin users
  • enable access logs
  • forbid remote access to root
  • use auth keys instead of password auth
  • disconnect after inactivity period
  • remove short encryption keys

MySQL (if applicable):

  • run a hardening script
  • disable remote access
  • prevent unauthorised access to local files
  • create separate users with limited privileges for each app

Apache (if applicable):

  • enable security modules
  • hide http headers
  • set up modsecurity, a web app firewall

PHP (if applicable):

  • hide php version in headers
  • disable remote code execution
  • disable potentially harmful functions
  • limit script runtime & memory allocation

Network security (sysctl):

  • ip spoofing protection
  • ignore icmp broadcasts & redirects
  • disable source packet routing
  • block syn attacks
  • log martians
  • ignore pings
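
The SSH and sysctl items above, as an added example that is not code from this comment or from the gofoss.net guide: a POSIX shell audit that reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins), flags Diffie-Hellman groups below 3071 bits in an ssh moduli file, and compares live sysctl values with the network list. The sample config and moduli lines are constructed; the group name "sshadmins", port 2222, the MaxAuthTries limit of 3 and the 3071-bit cut-off are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not the gofoss.net guide's own code). Audits an sshd_config,
# an ssh moduli file and sysctl values against the hardening list above.
# Sample inputs are constructed; "sshadmins", 2222, MaxAuthTries<=3 and the
# 3071-bit moduli cut-off are assumptions, not values from the page.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Effective value of an sshd_config keyword. sshd uses the FIRST uncommented
# occurrence, so a hardening line appended below an earlier setting is ignored.
sshd_value() {
  awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Prints one WEAK line per failed check; always returns 0 so output can be counted.
audit_sshd() {
  f=$1
  v=$(sshd_value "$f" Port)
  [ -n "$v" ] && [ "$v" != 22 ] || echo "WEAK: Port ${v:-22} (change the port)"
  v=$(sshd_value "$f" MaxAuthTries)
  [ -n "$v" ] && [ "$v" -le 3 ] || echo "WEAK: MaxAuthTries ${v:-6} (limit login attempts)"
  [ -n "$(sshd_value "$f" AllowUsers)$(sshd_value "$f" AllowGroups)" ] \
    || echo "WEAK: no AllowUsers/AllowGroups (limit access to admin users)"
  [ "$(lc "$(sshd_value "$f" LogLevel)")" = verbose ] \
    || echo "WEAK: LogLevel not VERBOSE (key fingerprints are not logged)"
  [ "$(lc "$(sshd_value "$f" PermitRootLogin)")" = no ] \
    || echo "WEAK: PermitRootLogin not 'no' (forbid remote root)"
  [ "$(lc "$(sshd_value "$f" PasswordAuthentication)")" = no ] \
    || echo "WEAK: PasswordAuthentication not 'no' (use keys instead)"
  v=$(sshd_value "$f" ClientAliveInterval)
  [ -n "$v" ] && [ "$v" -gt 0 ] || echo "WEAK: ClientAliveInterval unset (no idle disconnect)"
  return 0
}

# Diffie-Hellman groups below 3071 bits in an ssh moduli file (field 5 is the size).
# Removing them is what "remove short encryption keys" is assumed to mean here;
# the fix is awk '$5 >= 3071' moduli > moduli.safe, then move it into place.
short_dh_moduli() {
  awk '$1 !~ /^#/ && $5 + 0 < 3071' "$1"
}

# Compare sysctl values (read from /proc/sys, or another root for testing)
# with the network items in the list. Note: icmp_echo_ignore_all also breaks
# any monitoring that relies on ICMP echo.
audit_sysctl() {
  root=${1:-/proc/sys}
  while read -r key want; do
    have=$(cat "$root/$(printf '%s' "$key" | tr . /)" 2>/dev/null || true)
    [ "$have" = "$want" ] || echo "WEAK: $key = ${have:-missing}, want $want"
  done <<'EOF'
net.ipv4.conf.all.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_echo_ignore_all 1
EOF
  return 0
}

# Constructed sample inputs (not real server files).
weak=$(mktemp); hard=$(mktemp); moduli=$(mktemp)
trap 'rm -f "$weak" "$hard" "$moduli"' EXIT
cat > "$weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# appended later in good faith; sshd ignores it because of line 2
PermitRootLogin no
EOF
cat > "$hard" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups sshadmins
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
cat > "$moduli" <<'EOF'
20120821044040 2 6 100 2047 2 C0FFEE
20120821044040 2 6 100 3071 2 C0FFEE
20120821044040 2 6 100 4095 2 C0FFEE
EOF

echo "== weak sshd_config";     audit_sshd "$weak"        # 7 WEAK lines
echo "== hardened sshd_config"; audit_sshd "$hard"        # no output
echo "== short DH groups";      short_dh_moduli "$moduli" # the 2047-bit line
echo "== live sysctl";          audit_sysctl              # depends on the host
```

The "weak" sample shows the trap behind several of the SSH items: appending `PermitRootLogin no` to the end of a config that already sets it to `yes` changes nothing, which is why the audit reads the first occurrence rather than the last. Run the audit after editing sshd_config and again after `sshd -t` plus a restart, and keep a second session open while changing the port so a typo does not lock you out.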


Thx for the clarification! Added GitLab Issue #107 and will add a comment on the website


Thx for your feedback! Added GitLab Issue #106 and will look into Snikket when possible


Thx for the hint, will include a comment on the website. GitLab Issue #105 created.



Seems like quad9 is blocking our domain. Reached out to report false positive, hope that’ll solve it.


tbh, we don’t see this as a competition. Those guys (and gals) were there WAY before us, and they know their stuff. And there are many more people covering similar topics, too. We’re humble enough to know that we stand on the shoulders of giants. Our feeling is that the subject is complex and fast-paced. With more reliable sources, people have better chances to find what’s working best for them.


You’re right. We’ve pondered this for quite some time, and if you check older commits you’ll even see that we included Conversations at some point. We really like XMPP (and are also a bit nostalgic). In the end, however, we decided to favour messengers which provide encryption out of the box, irrespective of which client is used, and give XMPP an “honorable mention”. If there is enough interest, or if people contribute, we can still cover the topic in future releases.



Thanks! The idea is indeed to make the subject accessible even to non-techies. It’s a challenge, and we can still do better ;)




[Announcement] gofoss.net, a guide to privacy, data ownership & sustainable tech
Hey Lemmy! We've released [gofoss.net](https://gofoss.net/), a beginner's guide to free and open source software, privacy and sustainable tech. The site is available in English, French and German. We hope that it can help some of you to:

  • safely browse the Internet
  • encrypt your conversations
  • protect your data
  • switch to Linux
  • free your phone from Google & Apple
  • join the Fediverse & use alternative cloud providers
  • self-host your stuff

The source code is available on [GitLab](https://gitlab.com/curlycrixus/gofoss). Happy to chat, let us know what you think! For more information, please come find us at [gofoss.net](https://gofoss.net) :)

PS: We are 100% non-profit: no ads, no tracking, no sponsored or paywalled content.