
#1 2018-06-17 21:23:31

jag-ster
Member
Registered: 2014-02-27
Posts: 11

[Solved] Suggestions on Hardening Web Server

Howdy y'all!

I know I probably shouldn't be using Arch Linux as a web server, but for my purposes I think it will work out (and I really like Arch; it's been my favorite). I have a VPS with Apache and one client. I don't care as much if this server does get hacked; I can set it back up in a day or less, and it's not running a mail server. Besides what I listed below, is there anything more I can do to harden this? I don't want to go crazy doing this, just what is practical for a low-end, low-traffic web server. I am still learning about security and hardening, so I'll take any advice given. For the record, I have looked into Security; any advice outside this wiki page? Again, I don't want to go too far, so I will probably skip kernel hardening. I want to do simple security. I don't want to spend too much work on this; it's not worth the effort; "enough to get by and just a little more" is my mindset.

Google Authenticator
Changed SSH ports
strong root password
least-privilege user
iptables (soon to implement)
continually hardening Apache

Last edited by jag-ster (2018-06-22 15:20:57)


#2 2018-06-17 21:50:34

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: [Solved] Suggestions on Hardening Web Server

MFA is your main protection. Change your privileged passwords often and preferably after each use (although this may not be practicable).


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#3 2018-06-17 21:59:15

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,785

Re: [Solved] Suggestions on Hardening Web Server

I've become a fan of using nginx as a front end exposed to the Internet. Have it serve any static content. Use it as a proxy server and have it delegate to a secondary server on a specific port on a private network that is firewalled from the Internet for any dynamic content. Set up nginx for https, and configure a certificate for it (free ones are available from letsencrypt).

Read your logs and read them often.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
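The layout ewaller describes, as an added example that is not part of the original thread: a shell script that writes an nginx site definition in which nginx alone faces the Internet, terminates TLS with a Let's Encrypt certificate, serves static files itself, and proxies everything else to an application server on a private address, then validates the whole nginx configuration before reloading. Assumptions (mine, not from the post): certbot's webroot directory is /var/lib/letsencrypt, static files live under /srv/http/DOMAIN/static, the backend defaults to 127.0.0.1:8080, and nginx.conf includes a sites-enabled directory (Arch's stock nginx.conf has none; add `include sites-enabled/*;` to the http block).

```shell
#!/bin/sh
# Added example (not from the original thread): generate an nginx site file for a
# TLS-terminating reverse proxy in front of a backend on a private address.
# Assumed paths: /var/lib/letsencrypt (certbot webroot), /srv/http/DOMAIN (static
# files), /etc/nginx/sites-enabled (included from nginx.conf).

# write_nginx_site OUTFILE DOMAIN [BACKEND_HOST:PORT]
write_nginx_site() {
    out="$1"; domain="$2"; backend="${3:-127.0.0.1:8080}"
    # Unquoted heredoc: $domain/$backend are expanded by the shell,
    # nginx's own variables are escaped as \$ so they reach the file intact.
    cat > "$out" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;
    # ACME http-01 challenges stay on port 80; everything else is redirected to TLS
    location /.well-known/acme-challenge/ { root /var/lib/letsencrypt; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    server_tokens off;

    root /srv/http/$domain;

    # static content: served by nginx, never touches the application server
    location /static/ {
        try_files \$uri =404;
    }

    # dynamic content: forwarded to the backend, which must not listen on a public address
    location / {
        proxy_pass http://$backend;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_hide_header X-Powered-By;
    }
}
EOF
}

# Parse-check the complete nginx configuration and reload only if it is valid.
nginx_check_reload() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not installed, skipping syntax check" >&2; return 0; }
    nginx -t && systemctl reload nginx
}

# Usage: sh site.sh example.com [10.0.0.2:8080]
if [ $# -ge 1 ]; then
    write_nginx_site "/etc/nginx/sites-enabled/$1.conf" "$1" "${2-}"
    nginx_check_reload
fi
```

The backend only ever sees plain HTTP from nginx, so it should bind to 127.0.0.1 or a private-network address and the firewall should never open its port; the X-Forwarded-* headers are how the application learns the real client address and scheme. Certificates are obtained with `certbot certonly --webroot -w /var/lib/letsencrypt -d example.com` against the port-80 server block, which is why that block is not a blanket redirect.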


#4 2018-06-17 22:19:28

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,525

Re: [Solved] Suggestions on Hardening Web Server

Some feedback on the steps you've taken so far:

jag-ster wrote:

Google Authenticator

I'd argue that's not adding security, that's just trusting someone else to do it for you (which I'd further argue decreases security).

jag-ster wrote:

Changed SSH ports

That really doesn't have a security benefit.

jag-ster wrote:

strong root password

This is always a good idea, but should not be particularly relevant for a server.  You have disabled remote root login, right?  That should be the first thing you do.  Also disable password login for all users.  Use key login only (perhaps google authenticator takes care of this for you - I wouldn't know, but you should).

jag-ster wrote:

least-privilege user

Same as above

jag-ster wrote:

iptables (soon to implement)

How soon?  Do it now.  This is a good security step (perhaps the only one in your list) so why is it waiting to be implemented?

jag-ster wrote:

continually hardening Apache

What does this mean?  It seems a bit vague.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman
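The three sshd settings Trilby asks about (no remote root login, no password login for any user, key login only), as an added example that is not part of the original thread: a POSIX shell audit that reads an sshd_config the way sshd does (first value wins, comments ignored) and reports each setting that is not at the wanted value, treating an absent keyword as sshd's compiled-in default. The sample config files at the bottom are constructed for the demo, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for
# PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes.
# Caveats: sshd keeps the FIRST value it sees for a keyword, so parsing stops
# at the first "Match" block (settings after it are conditional and should be
# reviewed by hand); "Include" directives and the "Keyword=value" spelling are
# not handled.

# Print the effective value (lower-cased) of keyword $2 in config file $1,
# or $3 when the keyword is absent, i.e. sshd's compiled-in default.
sshd_opt() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # conditional section begins
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Print one line per violated setting; return 1 if anything is wrong, else 0.
check_sshd_config() {
    cfg="$1"; rc=0
    # keyword, required value, and sshd's default when the keyword is absent
    # (OpenSSH 7.x defaults: root may still log in with a key, password
    # authentication is on, public-key authentication is on)
    for rule in 'PermitRootLogin no prohibit-password' \
                'PasswordAuthentication no yes' \
                'PubkeyAuthentication yes yes'; do
        set -- $rule
        have=$(sshd_opt "$cfg" "$1" "$3")
        if [ "$have" != "$2" ]; then
            printf '%s: %s is "%s", want "%s"\n' "$cfg" "$1" "$have" "$2"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not from the original post): one that fails
# because it leaves the PasswordAuthentication default in place, one that passes.
demo() {
    tmp=$(mktemp -d)
    printf 'Port 2222\nPermitRootLogin yes\n' > "$tmp/weak"
    cat > "$tmp/hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
    check_sshd_config "$tmp/weak" || echo "$tmp/weak: FAIL"
    check_sshd_config "$tmp/hardened" && echo "$tmp/hardened: OK"
    rm -rf "$tmp"
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config   or   sh sshd-audit.sh --demo
case "${1-}" in
    --demo) demo ;;
    ?*)     check_sshd_config "$1" ;;
esac
```

A pam_google_authenticator setup is not broken by PasswordAuthentication no: the PAM module runs through keyboard-interactive (ChallengeResponseAuthentication), so key plus one-time code still works while plain password guessing is off. The check deliberately reports a missing PasswordAuthentication line as a failure, because the default is yes; after editing, `sshd -t` confirms the file parses and `sshd -T | grep -i passwordauthentication` shows the value sshd will actually use, Match blocks included.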


#5 2018-06-17 22:33:19

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [Solved] Suggestions on Hardening Web Server

https://wiki.archlinux.org/index.php/Us … _server.3F

Nothing wrong with using Arch Linux for a server. Also, many would say Arch is *more* secure than other distros, since you get security updates, including the ones which aren't specifically advertised as such, sooner.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#6 2018-06-17 23:18:32

jag-ster
Member
Registered: 2014-02-27
Posts: 11

Re: [Solved] Suggestions on Hardening Web Server

Trilby wrote:

Some feedback on the steps you've taken so far:

jag-ster wrote:

Google Authenticator

I'd argue that's not adding security, that's just trusting someone else to do it for you (which I'd further argue decreases security)

I can somewhat agree with that. I do believe it comes with its own vulnerabilities, but my thinking was that adding multi-factor authentication would at least be better than not.

Trilby wrote:
jag-ster wrote:

Changed SSH ports

That really doesn't have a security benefit.

I reckon so. It's been some years, but I was taught to change it in class and it has just been a habit since. I do like changing it anyway, just so I have security through obscurity.

Trilby wrote:
jag-ster wrote:

strong root password

This is always a good idea, but should not be particularly relevant for a server.  You have disabled remote root login, right?  That should be the first thing you do.  Also disable password login for all users.  Use key login only (perhaps google authenticator takes care of this for you - I wouldn't know, but you should).

Thank you, I forgot to change that in the ssh config file. That is now corrected.

Trilby wrote:
jag-ster wrote:

iptables (soon to implement)

How soon?  Do it now.  This is a good security step (perhaps the only one in your list) so why is it waiting to be implemented?

As soon as I can figure out how I got it to work the first time! ... I have a script that fwbuilder created but am running into problems getting it to work.


Trilby wrote:
jag-ster wrote:

continually hardening Apache

What does this mean?  It seems a bit vague.

I should have stated it better: I'm still researching/learning/going through wikis on how to harden Apache. I have set up Apache before on a VPS, but I want to do better this time around.
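The firewall Trilby says to put in place now, and that jag-ster's fwbuilder script is meant to provide, as an added example that is not part of the original thread: a shell script that emits a complete iptables-restore ruleset for a single web server (default-deny inbound, loopback and established traffic, HTTP/HTTPS, rate-limited SSH, rate-limited logging of everything dropped), parse-checks it, and loads it atomically. Assumptions (mine, not from the posts): sshd listens on the port passed as the first argument (default 22), only SSH/HTTP/HTTPS are public, the host does not route, and the persisted file is /etc/iptables/iptables.rules, which Arch's iptables.service loads at boot. IPv6 needs an equivalent ip6tables ruleset, which this script does not write.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal IPv4 firewall for a
# single web server, written as an iptables-restore ruleset so it can be
# reviewed as text and applied atomically. Assumed: SSH on port $1 (default 22),
# persisted to /etc/iptables/iptables.rules for Arch's iptables.service.

# Print the ruleset for SSH port $1 on stdout.
gen_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to our own connections, and obvious garbage
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: keep path-MTU discovery working, rate-limit pings
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# public web ports
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH: a source that opens more than 5 new connections in 60 s is dropped;
# this blunts brute forcing, key-only login is still the real control
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) what falls through to the DROP policy so the logs mean something
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Parse-check the ruleset, load it atomically, then persist it for iptables.service.
# Run this from a console, or with a timed rollback in case the SSH port is wrong:
#   (sleep 120; iptables -P INPUT ACCEPT) &    # kill it once the new session works
apply_rules() {
    rules=$(gen_rules "$1")
    printf '%s\n' "$rules" | iptables-restore --test \
        || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore || return 1
    printf '%s\n' "$rules" > /etc/iptables/iptables.rules
}

# Usage: sh fw.sh [SSH_PORT]          print the ruleset for review
#        sh fw.sh --apply [SSH_PORT]  validate, load and persist it
case "${1-}" in
    --apply) apply_rules "${2:-22}" ;;
    *)       gen_rules "${1:-22}" ;;
esac
```

Because INPUT defaults to DROP, anything the backend application server listens on stays unreachable from outside unless a rule is added for it, which is exactly what the reverse-proxy layout wants. After loading, `iptables -S INPUT` shows the live rules and `journalctl -k | grep iptables-drop` shows what is being rejected; the LOG rule is rate-limited so a scan cannot flood the journal.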


#7 2018-06-17 23:21:14

jag-ster
Member
Registered: 2014-02-27
Posts: 11

Re: [Solved] Suggestions on Hardening Web Server

Eschwartz wrote:

https://wiki.archlinux.org/index.php/Us … _server.3F

Nothing wrong with using Arch Linux for a server. Also, many would say Arch is *more* secure than other distros, since you get security updates, including the ones which aren't specifically advertised as such, sooner.

Thank you for the link. I didn't really think a rolling release should be on a live server, but this has changed my mind on the subject.


#8 2018-06-18 01:06:28

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,525

Re: [Solved] Suggestions on Hardening Web Server

jag-ster wrote:

Thank you for the link. I didn't really think a rolling release should be on a live server, but this has changed my mind on the subject.

FWIW I run arch on two servers.  One is for professional use with 20K users, the other (linked in my profile) is mostly for personal use and tinkering.  They both meet their goals very well.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

