+++
draft = true
categories = ["About me"]
title = "About me"
displayInMenu = true
dropCap = true
featuredImage = "/img/secure-server/hero.jpg"
description = "When you set up your own self-hosted server, you shouldn't sacrifice security. But it's not easy to do when you don't know how to start; thankfully you can read this article and fend off hackers now!"
date = "2019-01-16T22:25:20Z"
displayInList = true
+++
Introduction
So you want to self-host? Great idea. Over the past years, many people have started to understand the importance of owning your own data, and not letting three-letter agencies and advertising companies have access to all your information. It's even more important as we could be entering a data-based economy, on top of or in place of our labor-based economy. But it's not really the goal of this article.
I'm going to write this guide for me, as future reference. It's not meant to be a definitive guide, but merely a guide to some practices that people recommended or wrote about on the internet. I hope it might help someone, one day! I assume people reading it will know how to use the terminal in Linux.
So, the first question we need to ask ourselves is, who are we protecting ourselves against? The basis of security is knowing who wants your bits. Actually, it kind of applies to a lot of situations, war or playing poker. The Art of War by Sun Tzu is actually a great read for any sysadmin. But I digress. For the purpose of this guide, I'll try to defend myself against someone with the same capacities as me: a script kiddie with access to open-source tools, a knowledge of known 0-days, automated port scanners, and someone who's pissed at me. I'm not going to defend myself against people with a shitload of money, or three-letter agencies.
So, the second question is, what am I protecting? For my purpose, I'll be hosting a personal blog, along with a few self-hosted services, namely a NextCloud instance, and a Pleroma/Mastodon instance. How important is this data, and how much effort am I ready to put into keeping it safe? I'll be kind of annoyed but not much more, as I suspect I'll have a backup in place. Most of the important information, i.e. NextCloud data, will be encrypted client-side, so if someone gains access to it, they won't learn much.
What's the box I'm running?
The server itself runs Debian, on an AMD processor, with 8Gb of RAM and 5TB of storage. It's on a 1Gbps/200Mb fiber.
Most of the hard drives are salvaged from old computers, and are actually 500Gb. They are brought into a 1TB drive for services and web content. The rest is composed of 2TB for personal storage duplicated to the other 2TB in RAID for access speeds.
Step-by-step
Security is based on layers, and I'm gonna think about my box as layers too. The first layer will be physical. Let's say someone has access to your computer, for example someone breaks into your home and steals your server. The second one will be networking. Someone accessing your computer from the internet. The third one will be the filesystem. Someone who has planted malware in software you're using, or trusted software gone rogue.
Physical security
For the physical security, it's behind a few locked doors for what that's worth, and it has intrusion detection, which powers it off. I really liked this Mr. Robot episode where the computer explodes, but I'm pretty sure that's illegal. I also don't want to kill anyone moving my PC by accident...
Also have a plan in case of a fire: what will you lose? Plan ahead, and have a Tarsnap backup or a drive at a friend's you can access.
And, maybe it might be difficult, but what happens when you get killed by a bus? Your family might want to access your data, but you maybe don't want to show them everything? Maybe just a few pictures? Myself I don't really care, all of the important content I want to share is open to the internet already.
I also have a Raspberry Pi in another location with 1TB of storage for backups. I plan on fitting 5TB of storage into 1TB, but I think I'll explain that in another blog post...
As for the installation of the server, it was done from a USB key plugged directly into the computer. The Linux image was downloaded from Debian's website. The GPG signature of the file was also verified.
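One way to carry out the verification mentioned above, as an added example that is not from the original post: check the signature on the checksum list, then check the image against that list. The file names `SHA512SUMS` and `SHA512SUMS.sign`, the function names and the fingerprint argument are assumptions; the demo at the end uses a constructed stand-in file, not a real image.

```bash
#!/usr/bin/env bash
# Added example: names and arguments below are assumptions, not Debian tooling.

# verify_signature DIR FPR
# Succeeds only if DIR/SHA512SUMS has a good signature from the key with
# fingerprint FPR (40 hex digits, no spaces). Get FPR from debian.org over
# HTTPS and import that key first; a bare "gpg --verify" only proves the
# file was signed by *some* key in your keyring.
verify_signature() {
    local dir=$1 fpr=$2
    [ "${#fpr}" -eq 40 ] || { echo "need a full 40-digit fingerprint" >&2; return 2; }
    gpg --status-fd 1 --verify "$dir/SHA512SUMS.sign" "$dir/SHA512SUMS" 2>/dev/null |
        grep -Eiq "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# verify_checksum DIR IMAGE
# Checks DIR/IMAGE against its line in DIR/SHA512SUMS. Returns 2 when the
# image is not listed, so a missing entry can never pass as "verified".
verify_checksum() {
    local dir=$1 image=$2 line
    line=$(awk -v f="$image" '$2 == f' "$dir/SHA512SUMS")
    [ -n "$line" ] || { echo "not listed in SHA512SUMS: $image" >&2; return 2; }
    (cd "$dir" && printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1)
}

# Demo on constructed data (a tiny stand-in file, not a real Debian image).
demo=$(mktemp -d)
printf 'constructed stand-in for an installer image\n' > "$demo/debian-sample.iso"
(cd "$demo" && sha512sum debian-sample.iso > SHA512SUMS)
verify_checksum "$demo" debian-sample.iso && echo "checksum OK"
printf 'x' >> "$demo/debian-sample.iso"        # simulate corruption or tampering
verify_checksum "$demo" debian-sample.iso || echo "checksum mismatch detected"
rm -rf "$demo"
```

The checksum step is only worth something after the signature step has passed, since anyone who can swap the image on a mirror can swap the checksum list next to it.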
Partitions and VM?
Security from the internet
The internet, a.k.a. the Big Cloud of Hate, is a bad place. It has a lot of robots and people who will try to attack any IP address and find something. Thankfully, most of the time, it's low intensity and can be defeated with simple tools.
Most of the following instructions will assume that you are on a Debian 9.0 system. I use Debian because it's a widely used, well maintained and funded project. It's not gonna go bust in a few days. That's also security.
The commands will be compiled in a script that you will be able to run on your computer to secure it automagically, but I really recommend you do it by hand at least once to learn, and understand what is happening. If it breaks, you must know what to fix and how.
First, we're gonna open an ssh connection to the server. It's important to know that this will be crucial information when setting up the firewall, as I have learned a few times too many. The user will need to have sudo rights.
Once we're on the server, we're gonna start by upgrading everything to the latest version.

```bash
sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get clean
```

We are updating the package list, upgrading the distribution, and removing any junk left around.
Then, we will install a few tools to make things easier during the setup. It's more of a personal preference.

```bash
sudo apt-get install vim zsh git
```

vim is a text editor, zsh is a shell and git is a versioning tool.
// setup oh my zsh
Setting up the networking
If you can, you should change your default DNS servers to more privacy-respecting alternatives. I use the ones provided by FDN, but you're free to use any other.
For that, you need to edit /etc/resolv.conf and add the following lines at the start of the file:

```
nameserver 80.67.169.12
nameserver 80.67.169.40
nameserver 2001:910:800::12
nameserver 2001:910:800::40
```
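An added example (not part of the original post) that prepends these resolvers idempotently and lists the ones that will actually be queried: glibc reads at most three `nameserver` lines, so with the four entries above the last one is never used. The function names are assumptions, and the demo runs on a constructed file, not the live `/etc/resolv.conf`.

```bash
#!/usr/bin/env bash
# Added example: function names are assumptions.

# prepend_nameservers FILE ADDR...
# Puts one "nameserver ADDR" line per ADDR at the top of FILE, removes later
# duplicates of the same address, and keeps every other line (search, options).
prepend_nameservers() {
    local file=$1 tmp ns
    shift
    tmp=$(mktemp) || return 1
    {
        for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
        cat "$file"
    } | awk '$1 == "nameserver" && seen[$2]++ { next } { print }' > "$tmp"
    cat "$tmp" > "$file"    # write in place: keeps owner, mode and symlinks
    rm -f "$tmp"
}

# effective_nameservers FILE
# glibc only reads the first 3 nameserver lines (MAXNS); print those.
effective_nameservers() {
    awk '$1 == "nameserver" && n < 3 { print $2; n++ }' "$1"
}

# Demo on a constructed file standing in for /etc/resolv.conf.
demo=$(mktemp)
printf 'nameserver 192.168.1.1\nsearch lan\n' > "$demo"
prepend_nameservers "$demo" 80.67.169.12 80.67.169.40 \
    2001:910:800::12 2001:910:800::40
cat "$demo"
echo "queried by glibc:" $(effective_nameservers "$demo")
rm -f "$demo"
```

On a machine configured by DHCP, the DHCP client can rewrite `/etc/resolv.conf` when the lease is renewed, so check the file again after a reboot.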
// install fail2ban
Insider security
Installing the services
Backups!
- https://cloudpro.zone/index.php/2018/01/18/debian-9-3-server-setup-guide-part-1/ // This is great
- https://www.sans.org/score/checklists/linux
- https://www.debian.org/doc/manuals/securing-debian-howto/
- https://wiki.archlinux.org/index.php/Security
- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
- http://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+III+Administering+Red+Hat+Linux/Chapter+14+Computer+Security+Issues/Guarding+Your+Computer+with+PortSentry/
- https://engineering.videoblocks.com/web-architecture-101-a3224e126947?ref=abhimanyu&gi=2093e8df5744
- https://www.cyberciti.biz/tips/linux-security.html
- http://www.ipdeny.com/ipblocks/
- https://www.rackaid.com/blog/server-security-tips/
- https://www.ossramblings.com/whitelisting-ipaddress-with-iptables-ipset
- https://www.process.st/server-security/
- https://drwho.virtadpt.net/archive/2018-01-14/making-offline-backups-of-a-linux-machine-using-backblaze
- https://drwho.virtadpt.net/archive/2016-11-13/fully-remote-backups-of-websites
- https://github.com/virtadpt/ubuntu-hardening
- https://wiki.archlinux.org/index.php/Logwatch
- https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
- https://github.com/ioerror/duraconf
- https://www.ibm.com/developerworks/linux/tutorials/l-harden-server/index.html
- https://github.com/lfit/itpol/blob/master/linux-workstation-security.md