How-To-Secure-A-Linux-Server
yunohost
How-To-Secure-A-Linux-Server | yunohost | |
---|---|---|
48 | 117 | |
16,718 | 1,915 | |
- | 1.1% | |
4.5 | 9.6 | |
20 days ago | 6 days ago | |
Python | ||
Creative Commons Attribution Share Alike 4.0 | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
How-To-Secure-A-Linux-Server
- An evolving how-to guide for securing a Linux server
- How to Secure a Linux Server
-
Should I set up my own server?
- own server costs about $5/month. I recommend using docker to deploy hbbr and hbbs. Back up the key in case you need to re-deploy. You do need to secure your Linux server, and this community-driven Github guide has some good tips to get started.
- How-To-Secure-A-Linux-Server: An evolving how-to guide for securing a Linux server.
-
Automating the security hardening of a Linux server
I have been using the How To Secure A Linux Server guide for quite a while and wanted to learn Ansible, so I created two playbooks to automate most of the guides content. The playbooks are still a work in progress.
-
Connecting to docker containers rarely work, including via Caddy (non docker) reverse proxy
If it works, I will then follow the hardening guide I did before (https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) and test after every step
-
Resources to learn backend security from scratch
Maybe these two repos can help you, I've used them both from time to time to look up stuff I have no idea about as a frontend main: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server https://github.com/decalage2/awesome-security-hardening
- Time to start security hardening - been lucky for too long
-
Ask HN: How can a total beginner start with self-hosting
> In short it’s all about control, privacy, and security, in that order.
I am going to strongly urge you to consider changing that order and move *security* to the first priority. I have long run my own servers, it is much easier to setup a server with strong security foundation, than to clean up afterwards.
As a beginner, you should stick to a well known and documented Linux server distribution such as Ubuntu Server LTS or Fedora. Only install the programs you need. Do not install a windowing system on it. Do everything for the server from the command line.
Here are a few blog posts I have bookmarked over the years that I think are geared to beginners:
"My First 5 Minutes On A Server; Or, Essential Security for Linux Servers": An quick walk through of how to do basic server security manually [1]. There was a good Hacker News discussion about this article, most of the response suggests using tools to automate these types of security tasks [2], however the short tutorial will teach you a great deal, and automation mostly only makes sense when you are deploying a number of similar servers. I definitely take a more manual hands-on approach to managing my personal servers compared to the ones I professionally deploy.
"How To Secure A Linux Server": An evolving how-to guide for securing a Linux server that, hopefully, also teaches you a little about security and why it matters. [3]
Both Linode[4] and Digital Ocean[5] have created good sets of Tutorials and documentation that are generally trustworthy and kept up-to-date
Good luck and have fun
[1]: https://sollove.com/2013/03/03/my-first-5-minutes-on-a-serve...
[2]: https://news.ycombinator.com/item?id=5316093
[3]: https://github.com/imthenachoman/How-To-Secure-A-Linux-Serve...
[4]: https://www.linode.com/docs/guides/
[5]: https://www.digitalocean.com/community/tutorials
-
Selfhosting Security for Cloud Providers like Hetzner
I suggest these resources: - Some fundamentals: https://www.cyberciti.biz/tips/linux-security.html - One of the best imho ( exhaustive list ): https://github.com/imthenachoman/How-To-Secure-A-Linux-Server - Ansible playbook to harden security by Jeff Geerling: https://github.com/geerlingguy/ansible-role-security - OAWSP Check list ( targeted for web apps... and honestly a bit overkill ): https://github.com/0xRadi/OWASP-Web-Checklist
yunohost
- Runtipi: Docker-Based Home Server Management
-
Ask HN: Tips to get started on my own server
Pull that old laptop from the closet, the one with the broken screen and keyboard which made you so sad to put it to pasture since it did have plenty of memory and CPU to keep up. Install Debian on the thing followed by Proxmox Virtual Environment (PVE) [1]. Since you have 16GB of RAM in that laptop (or 8 but 16 is nicer) you should be able to run a number of containers [2].
Here's an idea, more or less based on a number of servers I configured for friends and family, based on 8GB Raspberry Pi 4 hardware with 2/4TB USB SSD. Your laptop will offer better performance.
- Create 4 or 5 containers and name them 'auth', 'serve´, 'base', 'backup' and 'mail' (if you want to run your own mail that is, otherwise skip that one). Their functions are:
> auth runs LDAP, Kerberos (if you want that), a central letsencrypt instance which takes care of all your certificate needs and anything else related to authentication and authorisation
> base runs databases, that means Postgresql, Mysql/Mariadb, Redis, RabbitMQ and whatnot - all depending on what you need.
> serve runs services, that means nginx or another web server which is used as a reverse proxy for the other web-related things you want to run: 'cloud' services like Nextcloud with everything that comes with it (e.g. Collaboraoffice or Onlyoffice to replace whatever web-based office things you currently use), communications services like XMPP, application-specific proxies like Invidious/Nitter/Libreddit, media services like Peertube/Airsonic/Ampache, a Wiki like Bookstack, search services like SearxNG, etc. - the size of your server is the limit.
> backup runs Proxmox Backup Server and is used to backup everything to some external drive and to some outside repository.
> mail runs mail services, only if you want to run those. I always say 'do it' but many people have an irrational fear of running their own mail services. That fear is not grounded in truth, running mail is not hard and offers many advantages over hosted solutions.
While it is possible to separate all the mentioned services out into their own containers I think this adds needless complexity for little to no gain. Separating out database services makes sense since those can end up quite taxing and as such might well be moved to their own hardware in some (possibly not too distant) future. Separating out authentication services makes sense since that lowers the attack surface compared to running them together with externally available services. The same goes for mail services which is why I put those in their own container.
Once you've got this up and running you can create a few more containers to play around with. If you just want to try out services something like Yunohost [3] or Caprover [4] can come in handy but I do not see these as viable alternatives to installing and running services which you intend to keep around for a long time.
Of course you can do most of this on a VPS as well but I prefer to keep thing in-house - the fewer dependencies, the better.
[1] https://proxmox.com/en/
[2] containers perform better and take less memory than VMs but if VMs are your thing that is possible as well
[3] https://yunohost.org
[4] https://caprover.com/
-
Simplifying Open-Source: Need Your Insights on an App-Store-Like Tool for Easy Deployment
Yunohost is one of those mature projects, that's fully open source.
-
Best home OS?
YunoHost, although not Docker-based, is still nice and quite mature.
-
RPi 4 Build Recommendations (NAS/VPN/Seedbox/etc)
If you want something like that, then CasaOS is pretty great and i can recommend it, especially for a beginner. There is also Cosmos and Tipi. Yunuhost too but a bit different approach. Oh and Umbrel is a thing...
-
The latest umbrelOS release brings a redesigned app store for self-hosted apps
However you quickly reach the limits of what Umbrel can do, its very basic in its abilities. Of course it depends all on what you (or anyone else) wants to do with it. There is also CasaOS which is very similar to Umbrel but last i compared, Casa offered a bit more features like for example adding your own docker projects easily. There is also Tipi which i must admit i havent taken a closer look at yet. And there is Yunohost which i guess aims at a similar audience but achieves these things differently, still worth mentioning tho.
- Avete un "homelab"? Avete convertito la famiglia all'utilizzo del vostro server domestico?
-
Sandstorm: Open-source platform for self-hosting web app
This looks exciting and definitely something to look out for as an option fkr self-hosting.
Similiar and a little bit more mature is also YunoHost, https://yunohost.org/, or for professional environments, UCS https://www.univention.com/.
- My selfhosted Backup Solution
-
Need simple tutorial for getting remote-access nextcloud setup with HTTPS
I use https://yunohost.org on my Pi, mostly for monitoring other stuff but you can get Nextcloud running just fine with it!
What are some alternatives?
authelia - The Single Sign-On Multi-Factor portal for web apps
CasaOS - CasaOS - A simple, easy-to-use, elegant open-source Personal Cloud system.
Gitea - Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
umbrel - A beautiful home server OS for self-hosting with an app store. Buy a pre-built Umbrel Home with umbrelOS, or install on a Raspberry Pi 4, Pi 5, any Ubuntu/Debian system, or a VPS.
docker-socket-proxy - Proxy over your Docker socket to restrict which requests it accepts
OpenMediaVault - openmediavault is the next generation network attached storage (NAS) solution based on Debian Linux. Thanks to the modular design of the framework it can be enhanced via plugins. openmediavault is primarily designed to be used in home environments or small home offices.
PowerDNS - PowerDNS Authoritative, PowerDNS Recursor, dnsdist
awesome-docker - :whale: A curated list of Docker resources and projects
debian-cis - PCI-DSS compliant Debian 10/11/12 hardening
Sandstorm - Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
lynis - Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
Nextcloud - ☁️ Nextcloud server, a safe home for all your data