Fix About me page
parent
caed2adc3c
commit
8d2804795e
@ -1,9 +1,9 @@
|
||||
+++
|
||||
draft = true
|
||||
categories = ["About me"]
|
||||
title = "About me"
|
||||
displayInMenu = true
|
||||
dropCap = true
|
||||
categories = ["English"]
|
||||
title = "Setting up a linux server for self hosting"
|
||||
displayInMenu = false
|
||||
dropCap = false
|
||||
featuredImage = "/img/secure-server/hero.jpg"
|
||||
description = "When you setup your own self-hosted server, you shouldn't sacrifice security. But it's not easy to do when you don't know how to start; thankfully you can read this article and fend of hackers now !"
|
||||
date = "2019-01-16T22:25:20Z"
|
||||
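Review bot: The `description` line in this front matter still reads "fend of hackers now !" and uses "setup" as a verb. Since this commit is already correcting the front matter, change it to "fend off hackers" and "set up your own self-hosted server". The title could also capitalise "Linux". `draft = true` is left in place, so confirm the article is meant to stay unpublished after the fix.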
@ -16,19 +16,19 @@ So you want to self-host ? Great ideal. Over the past years, many people have st
|
||||
|
||||
I'm going to write this guide for me, as futur reference. It's not meant to be a definitive guide, but mearly a guide for some practices that people recommended or wrote about on the internet. I hope it might help someone, one day ! I assume people reading it will know how to use the terminal in Linux.
|
||||
|
||||
So, the first question we need to ask ourselves is, who are we protecting ourselves against ? The basis of security is knowing who wants your bits. Actually, it kind of applies to a lot of situations, war or playing poker. Reading [__The Art Of War__](https://en.wikibooks.org/w/index.php?title=Pinyin/Art_of_war) by Sun Ze is actually a great read for any sysadmin. But I digress. For the purpose of this guide, I'll try to defend myself againt someone with the same capacities as me : a script kiddie with access to open-source tools, a knowledge of known 0-days, automated port scanners, and someone who's pissed at me. I'm not going to defend myself against people with a shitload of money, or three letter agencies.
|
||||
So, the first question we need to ask ourselves is, who are we protecting ourselves against ? The basis of security is knowing who wants your bits. Actually, it kind of applies to a lot of situations, war or playing poker. Reading [__The Art Of War__](https://en.wikibooks.org/w/index.php?title=Pinyin/Art_of_war) by Sun Ze is actually a great read for any sysadmin. But I digress. For the purpose of this guide, I'll try to defend myself againt someone with the same capacities as me : a script kiddie with access to open-source tools, a knowledge of known 0-days, automated port scanners, and someone who's pissed at me. I'm not going to defend myself against people with a shitload of money, or three letter agencies.
|
||||
|
||||
So, the second question is, **what** are my protecting ? For my purpose, I'll be hosting a personnal blog, along with a few self-hosted services, namely a [NextCloud](https://nextcloud.com) instance, and a Pleroma/Mastodon instance. How important is this data, and how much effort am I ready to put into keeping it safe ? I'll be kind of anoyed but not much more, as I suspect I'll have a backup in place. Most of the important information, i.e NextCloud data, will be encrypted client-side, so if someone gains access to it, they won't learn much.
|
||||
|
||||
## What's the box I'm running ?
|
||||
## What's the box I'm running ?
|
||||
|
||||
The server it self is a Debian, running on a AMD processor, 8Gb of RAM and 5To de storage. It's on a 1Gpbs/200Mb fiber.
|
||||
The server it self is a Debian, running on a AMD processor, 8Gb of RAM and 5To de storage. It's on a 1Gpbs/200Mb fiber.
|
||||
|
||||
Most of the hardrives are salvaged from old computers, and are actually 500Gb. They are brought into a 1To drive for services and web content. The reste is composed of 2To for personnal storage duplicated to the other 2To in RAID for access speeds.
|
||||
|
||||
## Step-by-step
|
||||
|
||||
Security is based on layers, and I'm gonna think about my box as layers too. The first layer will be physical. Let's say someone has access to your computer, for example someone breaks into your home and steal your server. The second one will be networking. Someone accessing your computer from the internet. The third one will be the filesystem. Someone who has planted a malware in software you're using, or trusted software gone roge.
|
||||
Security is based on layers, and I'm gonna think about my box as layers too. The first layer will be physical. Let's say someone has access to your computer, for example someone breaks into your home and steal your server. The second one will be networking. Someone accessing your computer from the internet. The third one will be the filesystem. Someone who has planted a malware in software you're using, or trusted software gone roge.
|
||||
|
||||
|
||||
### Physicial security
|
||||
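Review bot: The paired lines in this hunk (the threat-model paragraph, the "What's the box I'm running ?" heading, the hardware line and the layers paragraph) read identically before and after, so these look like whitespace-only edits that the commit message "Fix About me page" does not mention. Either split them into their own commit or say so in the message. If the lines are being touched anyway, fix the typos they carry: "againt", "it self", "1Gpbs", "5To de storage", "roge".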
@ -46,9 +46,9 @@ As for the installation of the server, it was done from a USB key plugged direct
|
||||
|
||||
Partitions and VM ?
|
||||
|
||||
### Security from the internet
|
||||
### Security from the internet
|
||||
|
||||
The internet, a.k.a the Big Cloud of Hate is a bad place. It has a lot of robots and people who will try to attack any IP adress and find something. Thankfully, most of the time, it's low intensity and can be defeated with simple tools.
|
||||
The internet, a.k.a the Big Cloud of Hate is a bad place. It has a lot of robots and people who will try to attack any IP adress and find something. Thankfully, most of the time, it's low intensity and can be defeated with simple tools.
|
||||
|
||||
Most of the following instructions will assume that you are on a Debian 9.0 system. I use debian because it's a widely used, well maintained and funded project. It's not gonna go bust in a few days. That's also security.
|
||||
|
||||
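Review bot: The context line "Partitions and VM ?" just above the "Security from the internet" heading is an unfinished note sitting in the article body. Mark it as a TODO comment or turn it into a proper subsection before `draft` is switched off, otherwise it will be published as a stray sentence. The touched paragraph below it also still has "IP adress".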
@ -62,7 +62,7 @@ Once we're on the server, we're gonna start by upgrading everything to the last
|
||||
sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get clean
|
||||
```
|
||||
|
||||
We are upgrading the package list, updating the distribution, and removing any junk left around.
|
||||
We are upgrading the package list, updating the distribution, and removing any junk left around.
|
||||
|
||||
Then, we will install a few tools to make things easier during the setup. It's more of a personnal preference.
|
||||
|
||||
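Review bot: The explanatory sentence under the command does not match what `sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get clean` does. `apt-get update` refreshes the package index rather than upgrading it, and `apt-get clean` only empties the downloaded package cache; it does not remove packages that are no longer needed. Suggest rewording to "refreshing the package list, upgrading installed packages, and clearing the download cache", and adding `sudo apt-get autoremove` if removing leftover packages is the intent.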
@ -108,7 +108,7 @@ nameserver 2001:910:800::40
|
||||
```
|
||||
|
||||
```
|
||||
### Installing the services
|
||||
### Installing the services
|
||||
|
||||
|
||||
### Backups !
|
||||
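Review bot: The two fence lines at the top of this hunk, separated only by a blank line, are either an empty code block or an unbalanced fence after the `nameserver` block. If the second one opens a block, the "Installing the services" and "Backups !" headings will render as code. Check the rendered page and drop the stray fence. Both headings are also empty sections at this point.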
@ -123,7 +123,7 @@ nameserver 2001:910:800::40
|
||||
- http://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+III+Administering+Red+Hat+Linux/Chapter+14+Computer+Security+Issues/Guarding+Your+Computer+with+PortSentry/
|
||||
- https://engineering.videoblocks.com/web-architecture-101-a3224e126947?ref=abhimanyu&gi=2093e8df5744
|
||||
- https://www.cyberciti.biz/tips/linux-security.html
|
||||
- http://www.ipdeny.com/ipblocks/
|
||||
- http://www.ipdeny.com/ipblocks/
|
||||
- https://www.rackaid.com/blog/server-security-tips/
|
||||
- https://www.ossramblings.com/whitelisting-ipaddress-with-iptables-ipset
|
||||
- https://www.process.st/server-security/
|
||||
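Review bot: The touched `http://www.ipdeny.com/ipblocks/` entry, like the etutorials.org one above it, is a plain-HTTP link. For a reference that points readers at IP block lists, link the HTTPS address if the site serves one. The videoblocks link also carries tracking parameters (`?ref=abhimanyu&gi=2093e8df5744`) that can be stripped.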
@ -131,7 +131,7 @@ nameserver 2001:910:800::40
|
||||
- https://drwho.virtadpt.net/archive/2016-11-13/fully-remote-backups-of-websites
|
||||
- https://github.com/virtadpt/ubuntu-hardening
|
||||
- https://wiki.archlinux.org/index.php/Logwatch
|
||||
- https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
|
||||
- https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
|
||||
- https://github.com/ioerror/duraconf
|
||||
- https://www.ibm.com/developerworks/linux/tutorials/l-harden-server/index.html
|
||||
- https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
|
||||
|
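Review bot: The reference entries in this hunk are bare URLs with no indication of what each one covers (backups, hardening, Logwatch, AIDE, duraconf). The article body already uses Markdown links such as `[NextCloud](https://nextcloud.com)`, so give these the same form with a short title each, which also makes it easier to spot entries that go stale.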