How-To-Secure-A-Linux-Server
picosnitch
How-To-Secure-A-Linux-Server | picosnitch | |
---|---|---|
48 | 33 | |
16,718 | 586 | |
- | - | |
4.5 | 8.6 | |
20 days ago | 4 months ago | |
Python | ||
Creative Commons Attribution Share Alike 4.0 | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
How-To-Secure-A-Linux-Server
- An evolving how-to guide for securing a Linux server
- How to Secure a Linux Server
-
Should I set up my own server?
- own server costs about $5/month. I recommend using docker to deploy hbbr and hbbs. Back up the key in case you need to re-deploy. You do need to secure your Linux server, and this community-driven GitHub guide has some good tips to get started.
- How-To-Secure-A-Linux-Server: An evolving how-to guide for securing a Linux server.
-
Automating the security hardening of a Linux server
I have been using the How To Secure A Linux Server guide for quite a while and wanted to learn Ansible, so I created two playbooks to automate most of the guide's content. The playbooks are still a work in progress.
-
Connecting to docker containers rarely work, including via Caddy (non docker) reverse proxy
If it works, I will then follow the hardening guide I did before (https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) and test after every step
-
Resources to learn backend security from scratch
Maybe these two repos can help you, I've used them both from time to time to look up stuff I have no idea about as a frontend main: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server https://github.com/decalage2/awesome-security-hardening
- Time to start security hardening - been lucky for too long
-
Ask HN: How can a total beginner start with self-hosting
> In short it's all about control, privacy, and security, in that order.
I am going to strongly urge you to consider changing that order and move *security* to the first priority. I have long run my own servers; it is much easier to set up a server with a strong security foundation than to clean up afterwards.
As a beginner, you should stick to a well known and documented Linux server distribution such as Ubuntu Server LTS or Fedora. Only install the programs you need. Do not install a windowing system on it. Do everything for the server from the command line.
Here are a few blog posts I have bookmarked over the years that I think are geared to beginners:
"My First 5 Minutes On A Server; Or, Essential Security for Linux Servers": A quick walk-through of how to do basic server security manually [1]. There was a good Hacker News discussion about this article; most of the responses suggest using tools to automate these types of security tasks [2]. However, the short tutorial will teach you a great deal, and automation mostly only makes sense when you are deploying a number of similar servers. I definitely take a more manual hands-on approach to managing my personal servers compared to the ones I professionally deploy.
"How To Secure A Linux Server": An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters. [3]
Both Linode [4] and Digital Ocean [5] have created good sets of tutorials and documentation that are generally trustworthy and kept up-to-date.
Good luck and have fun
[1]: https://sollove.com/2013/03/03/my-first-5-minutes-on-a-serve...
[2]: https://news.ycombinator.com/item?id=5316093
[3]: https://github.com/imthenachoman/How-To-Secure-A-Linux-Serve...
[4]: https://www.linode.com/docs/guides/
[5]: https://www.digitalocean.com/community/tutorials
-
Selfhosting Security for Cloud Providers like Hetzner
I suggest these resources:
- Some fundamentals: https://www.cyberciti.biz/tips/linux-security.html
- One of the best imho (exhaustive list): https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
- Ansible playbook to harden security by Jeff Geerling: https://github.com/geerlingguy/ansible-role-security
- OWASP Check list (targeted for web apps... and honestly a bit overkill): https://github.com/0xRadi/OWASP-Web-Checklist
picosnitch
-
Linux runtime security agent powered by eBPF
Yep, and from my experience too (made a tool that monitors network traffic with eBPF [1]) in addition to those issues there is also a sizable latency hit.
[1] https://github.com/elesiuta/picosnitch
-
Monitor bandwidth usage with bandwhich (and build a snap package of it)
Similar to bandwhich, I recently created a snap of my own bandwidth monitor, picosnitch [1]. However I was only able to get it working with classic confinement (so it can't be published on the store) due to there being no snap interfaces for fanotify or BPF kfuncs.
I already packaged it for nearly every distro, but unfortunately most don't have dash [2] in their repos so the user needs to install it separately, and I was hoping that snap would be an easier solution for that.
[1] https://github.com/elesiuta/picosnitch/blob/master/snap/snap...
[2] https://repology.org/project/python:dash/versions
-
What kind of applications are missing from the Linux ecosystem?
I created picosnitch which can do this
-
gnome-shell Runaway Bandwidth - More in Comments
If you're still having this issue, you can try picosnitch (I recently made it available in copr).
-
Help identifying which process is sending network requests
You can use picosnitch for this, I'm the developer and this is exactly the use case I had in mind when designing it (24/7 monitoring of traffic on a per executable basis, primarily in containerized environments).
-
Little Snitch Mini
I wrote picosnitch [1] which has the same notification and bandwidth monitoring features, however it doesn't block traffic for a couple reasons: avoiding scope creep so I can focus on more reliable detection and do things like hash every executable, which makes it harder to block traffic in a timely fashion.
https://github.com/elesiuta/picosnitch
-
System monitor that lists network usage for each process
I also wrote a program (picosnitch) which is newer than that list and has a bunch of features none of those other tools have, in case you're interested in checking it out!
-
linux security
which basically says launchpad builds the package directly from that repository, which states: This repository is an import of the Git repository at https://github.com/elesiuta/picosnitch.git.
-
Linux software list. Discussion and advice welcome!
picosnitch - monitors and hashes programs that connect to the internet, and can check them with VirusTotal.
-
What's your goto open source network & bandwidth monitors
For Linux, I created picosnitch which does exactly what you're looking for.
What are some alternatives?
authelia - The Single Sign-On Multi-Factor portal for web apps
opensnitch - OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
Gitea - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
goflow2 - High performance sFlow/IPFIX/NetFlow Collector
docker-socket-proxy - Proxy over your Docker socket to restrict which requests it accepts
ElastiFlow - Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack
PowerDNS - PowerDNS Authoritative, PowerDNS Recursor, dnsdist
conntrack_exporter - Prometheus exporter for tracking network connections
debian-cis - PCI-DSS compliant Debian 10/11/12 hardening
nsntrace - Perform network trace of a single process by using network namespaces.
lynis - Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
portmaster - Love Freedom - Block Mass Surveillance