Setting up a server

(Christian Lund Hansen) #1

Hi! :slight_smile:

A few months ago I bought a ThinkCentre M73 and now I want to use it as a fileserver. I don’t know much about setting up a server so I’ll need some help.

Mostly, I’ll be using the server for ssh-stuff like weechat and sshfs. I have installed a 2TB disk but don’t know where to go from here. I have access to the server via ssh and plan on the following things:

  1. Disable root
  2. Installing sshguard

The server is already behind a firewall via the router, but there might be other suggestions for making the system more secure. So these are my thoughts:

Should I

  1. use the LTS-kernel?
  2. set up a firewall on the server?
  3. is hdparm a good idea, or should I use something else?
  4. Should I make it install updates automatically or should I keep it in mind to do it regularly?

Any suggestions are welcome :slight_smile:

(Erin) #2
  1. possibly
  2. yes
  3. possibly
  4. manage them manually

Security is not a simple subject and it depends on what you are trying to achieve and where the server is. It should be in the DMZ with nothing running that is not necessary. Look online for SSH hardening techniques and use complex passwords for machine accounts. If the machine is accessible from the 'Net and is on your personal network, greater care is needed as a server hack likely means access to everything else behind the firewall. A simple thing to do is use non-standard ports, i.e. not 22 for SSH but 11111 instead.

(Christian Lund Hansen) #3

I know :slight_smile: That’s why I’m asking.

The server is where I live and I guess I just need some basics to get me started. I was suggesting sshguard for hardening, nothing is running which is not needed and the server is accessible from the net. I am currently using a non-standard port for ssh.

(John Peach) #4

Using a non-standard port for anything is not necessarily going to provide you with much - any port-scanner will find it. If you can restrict ssh to a particular subnet or, even better, make it passwordless and restrict it to keys, that is much safer.
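
The checks raised in posts #1 and #4 (no root login, key-only authentication, SSH limited to a subnet), as an added example that is not part of any post in this thread. The sample config, the user names `alice` and `bob`, the subnet and the function names are constructed for illustration.

```python
# Added example: audits the global section of an sshd_config against the
# thread's advice. SAMPLE_CONFIG is constructed, not taken from the thread.
SAMPLE_CONFIG = """\
Port 11111
PermitRootLogin yes
#PasswordAuthentication no
AllowUsers alice@192.168.1.0/24 bob
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

# OpenSSH built-in defaults, used when a keyword is not set in the file.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return {keyword: value} for the lines before the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # a commented-out line sets nothing
        parts = line.split(None, 1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        if keyword == "match":
            break                         # conditional blocks are out of scope here
        # First value wins for single-valued keywords (repeated AllowUsers
        # lines are not merged in this simplified parser).
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of (keyword, finding) tuples; empty means no finding."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(("PermitRootLogin", "root can log in: " + cfg["permitrootlogin"]))
    if cfg["passwordauthentication"].lower() != "no":
        findings.append(("PasswordAuthentication", "passwords accepted, not keys only"))
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append(("PubkeyAuthentication", "key login is disabled"))
    allowed = cfg.get("allowusers", "").split()
    if not allowed:
        findings.append(("AllowUsers", "no user/source restriction set"))
    for entry in allowed:
        if "@" not in entry:              # USER@HOST limits the source address
            findings.append(("AllowUsers", entry + " may connect from any address"))
    return findings
```

Only the global section of the file is read; on a live host, `sshd -T` prints the effective configuration.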

(Edmond Dantes) #5

In regard to @johnpeach’s suggestions, I wanted to link a nice article I found some time ago, about 2-factor auth with PAM on OpenSSH. Here’s another Linux-specific one.

OP may also want to configure iptables so as to reject any packet with a tcp-reset or icmp-proto/port-unreachable ctstate, as well as any connection with an invalid ctstatus; other options like --hitcount --rcheck can be used to drop suspicious packets.
Restricting input to the range of valid IPs in your country (normally one doesn’t connect to his/her server so often from a foreign country) is another wise maneuver. Fail2ban or sshguard are kind of obliged choices in these cases, thus to prevent malicious hacking.

Router could be configured to open up only selected ports to the internal server’s IP, rather than setting the latter as HostDMZ.

(Christian Lund Hansen) #6

Those are great suggestions :smiley: Thank you!