
#1 2025-12-23 20:55:35

jojo06
Member
Registered: 2023-11-04
Posts: 340

How to secure a server with default/basic settings?

We are interfering with a virgin server. We are bending the rules, etc. The measures I have taken on my current server so far and my questions/worries:

fail2ban (config below)
http (listening on 80) but redirecting to https, is it okay?
about the IP whitelist; if I add a rule (allow SSH from this IP only), I don't have a static IP?
mail server (mailcow) self-signed SSL not trusted by Google, but working over https. Is it okay?
`x high severity vulnerabilities` I see in `npm install`, is it okay?
What should Apache limits/protections be?
I converted the `peer` methods to md5 to be able to connect. Is this secure? Or do I only need to convert 1-2 lines?
All email addresses can send emails AS other email addresses. Is this secure?

sudo firewall-cmd --list-services

cockpit dhcpv6-client http https ssh

firewall-cmd --get-active-zones

docker
  interfaces: docker0 br-mailcow
public
  interfaces: enp1s0

sudo firewall-cmd --permanent --list-all

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client http https ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

sudo firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client http https ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="some_ip" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some_ip" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some_ip" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
[rosebud@gangbangers ~]$ systemctl status firewalld

If the IP addresses are necessary and not private, I can specify them. The firewall rules are as follows.

I also want to ask this. I added it with Wheel. Is configuring it so that it doesn't ask for sudo or a password unsafe for the user?

# Allow Apache network connections
sudo setsebool -P httpd_can_network_connect 1
# Fix SSL certificate permissions
sudo chmod 644 /etc/../fullchain.pem
sudo vim /etc/fail2ban/jail.local

```ini
[DEFAULT]
bantime = 3600      # seconds a banned address stays blocked
findtime = 600      # window in which failures are counted
maxretry = 5        # failures inside findtime before a ban

[sshd]
enabled = true
port = ssh
logpath = /var/log/secure
maxretry = 3        # stricter than the default for SSH
bantime = 3600
```

mail-config:

<VirtualHost *:443>
    ServerName mail.domain.com
    
    SSLEngine on
    SSLCertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem
    SSLCertificateKeyFile /opt/mailcow-dockerized/data/assets/ssl/key.pem
    
    ProxyPreserveHost On
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/
    
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
</VirtualHost>

apache-config:

<VirtualHost *:80>
    ServerName domain.com
    ServerAlias www
    
    # Redirect all HTTP to HTTPS
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    ServerAlias www

    SSLEngine on
    SSLCertificateFile /etc/l../fullchain.pem
    SSLCertificateKeyFile /etc/../privkey.pem

    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    ProxyPreserveHost On
    
    ProxyPass /api/ http://localhost:5000/api/
    ProxyPassReverse /api/ http://localhost:5000/api/
    
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
</VirtualHost>

The setup and configurations I've followed so far are as follows. Is there anything I've forgotten, need to check, add, or remove? If so, what are they?

If there is anything else you would like me to share, ask, or mention, please let me know.

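Both vhosts above carry `SSLProxyVerify none` together with `SSLProxyCheckPeerCN off` / `SSLProxyCheckPeerName off`. In the app vhost they are dead weight, because every backend is plain `http://`; in the mail vhost they mean Apache never verifies the certificate on the `https://127.0.0.1:8443/` hop. As an added example (not code from the thread or from mailcow), the Python script below parses the posted vhosts as constructed input, flags those lines plus two omissions (no `SSLProtocol`, no HSTS header) and carries a hardened variant of the mail vhost that passes the same checks. The hardened variant assumes `mod_headers` is loaded and that the mailcow certificate is self-signed (so it can serve as its own CA file) and names `127.0.0.1`; both are assumptions to verify with `openssl x509 -noout -ext subjectAltName`. If the certificate does not name the loopback address, the realistic fix for a same-host hop is to proxy to mailcow's plain-HTTP listener bound to 127.0.0.1 and delete every `SSLProxy*` line.

```python
"""Audit an Apache reverse-proxy <VirtualHost> for the proxy/TLS settings the
posted configs use.  Added example, not code from the original post.
Handles one-directive-per-line vhosts only (no Include, no <If> blocks).
"""

# Constructed input: the mail vhost posted above, URLs without the BBCode.
MAIL_VHOST = """\
<VirtualHost *:443>
    ServerName mail.domain.com
    SSLEngine on
    SSLCertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem
    SSLCertificateKeyFile /opt/mailcow-dockerized/data/assets/ssl/key.pem
    ProxyPreserveHost On
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
</VirtualHost>
"""

# Constructed input: the web-app vhost posted above; certificate paths are
# placeholders and the log directives are dropped.
APP_VHOST = """\
<VirtualHost *:443>
    ServerName domain.com
    SSLEngine on
    SSLCertificateFile /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPreserveHost On
    ProxyPass /api/ http://localhost:5000/api/
    ProxyPassReverse /api/ http://localhost:5000/api/
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
</VirtualHost>
"""

# Hardened mail vhost.  ASSUMES mod_headers is loaded and that the backend
# certificate is self-signed and lists 127.0.0.1 in its SANs.
HARDENED_MAIL_VHOST = """\
<VirtualHost *:443>
    ServerName mail.domain.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem
    SSLCertificateKeyFile /opt/mailcow-dockerized/data/assets/ssl/key.pem
    Header always set Strict-Transport-Security "max-age=63072000"
    ProxyPreserveHost On
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem
    SSLProxyCheckPeerName on
</VirtualHost>
"""


def parse_directives(text):
    """Yield (directive_lowercased, argument_string) for each directive line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":          # blank, comment, or tag line
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit_vhost(text):
    """Return [(directive, problem)] for one TLS-terminating reverse-proxy vhost."""
    cfg = {}
    for name, args in parse_directives(text):
        cfg.setdefault(name, []).append(args)

    def value(name):                              # last occurrence wins, as in httpd
        return cfg.get(name, [""])[-1].strip().lower()

    findings = []
    backends = [a.split()[1] for a in cfg.get("proxypass", []) if len(a.split()) > 1]
    tls_backend = any(b.lower().startswith("https://") for b in backends)

    if tls_backend:
        if value("sslproxyverify") != "require":
            findings.append(("SSLProxyVerify",
                             "backend certificate is not verified: use 'require' plus SSLProxyCACertificateFile"))
        for d in ("SSLProxyCheckPeerName", "SSLProxyCheckPeerCN"):
            if value(d.lower()) == "off":
                findings.append((d, "backend identity check disabled"))
    elif value("sslproxyengine") == "on":
        findings.append(("SSLProxyEngine",
                         "enabled but every backend is plain http://; the SSLProxy* lines do nothing here"))

    if value("sslengine") == "on":
        if "strict-transport-security" not in " ".join(cfg.get("header", [])).lower():
            findings.append(("Header", "no HSTS: add 'Header always set Strict-Transport-Security \"max-age=63072000\"'"))
        if "sslprotocol" not in cfg:
            findings.append(("SSLProtocol",
                             "not set: the mod_ssl default ('all -SSLv3') still accepts TLS 1.0/1.1"))
    return findings


if __name__ == "__main__":
    for label, vhost in (("mail", MAIL_VHOST), ("app", APP_VHOST), ("hardened mail", HARDENED_MAIL_VHOST)):
        result = audit_vhost(vhost)
        print(f"== {label}: {len(result)} finding(s)")
        for directive, problem in result:
            print(f"  {directive}: {problem}")
```

The script only reads literal directive lines; it does not follow `Include` or evaluate `<If>` blocks, so `apachectl -t -D DUMP_VHOSTS` remains the authoritative view of what httpd actually loaded.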

#2 Yesterday 12:33:52

Matilde
Member
Registered: 2025-12-21
Posts: 3

Re: How to secure a server with default/basic ?

Use Fail2Ban for all services, enforce HTTPS, avoid SSH whitelist with dynamic IP, use trusted SSL for mail, fix high-severity npm issues, enable Apache security settings, use strong password hashing, prevent email spoofing with SPF/DKIM/DMARC, do not allow passwordless sudo, and limit exposed services on the firewall.


#3 Yesterday 15:20:32

loqs
Member
Registered: 2014-03-06
Posts: 18,724

Re: How to secure a server with default/basic ?

jojo06 wrote:

We are interfering with a virgin server.

Does that mean you are configuring a new server? Is the server running Arch Linux? What do you want the server to do at a high level?

jojo06 wrote:

We are bending the rules, etc.

What rules? Why are you bending them?

jojo06 wrote:

fail2ban (config on the below)

Configuring a whole server in depth is too much for one topic and possibly out of scope for the forum entirely. fail2ban should be a second topic.

jojo06 wrote:

http(80 on listen) but redirecting to https, is it okay ?

Third topic.

jojo06 wrote:

about whiteiplist; if i add rule (allow ssh from this ip only, i dont have a static ip ?)

Whitelist what in where?

jojo06 wrote:

mail server (mailcow) self-signed ssl not trusted by google. but working in https. is it okay ?

Fourth topic, probably better handled by mailcow's support channels.

jojo06 wrote:

`x high severity vulnerabilities` i see in `npm install` is it okay ?

Fifth topic

jojo06 wrote:

What should Apache limits/protections be?
I converted the `peer` methods to md5 to be able to connect. Is this secure? Or do I only need to convert 1-2 lines?

Back to third topic. No config you provided contains `peer` or `md5`. Is peer relating to a postgresql connection?

jojo06 wrote:

All email addresses can send emails AS other email addresses. Is this secure?

Back to topic four.

jojo06 wrote:

sudo firewall-cmd --list-services

cockpit dhcpv6-client http https ssh

firewall-cmd --get-active-zones

docker
  interfaces: docker0 br-mailcow
public
  interfaces: enp1s0

sudo firewall-cmd --permanent --list-all

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client http https ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

sudo firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client http https ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="some_ip" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some_ip" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="some_ip" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
[rosebud@gangbangers ~]$ systemctl status firewalld

If the IP addresses are necessary and not private, I can specify them. The firewall rules are as follows.

I also want to ask this. I added it with Wheel. Is configuring it so that it doesn't ask for sudo or a password unsafe for the user?

# Allow Apache network connections
sudo setsebool -P httpd_can_network_connect 1
# Fix SSL certificate permissions
sudo chmod 644 /etc/../fullchain.pem

Sixth topic.

Last edited by loqs (Yesterday 15:22:06)


#4 Yesterday 18:36:31

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: How to secure a server with default/basic ?

Matilde wrote:

Use Fail2Ban for all services, enforce HTTPS, avoid SSH whitelist with dynamic IP, use trusted SSL for mail, fix high-severity npm issues, enable Apache security settings, use strong password hashing, prevent email spoofing with SPF/DKIM/DMARC, do not allow passwordless sudo, and limit exposed services on the firewall.

Thanks. Can you tell me what exactly the Fail2Ban config for using all services is? Or will just enabling it do?
Yeah, it's redirecting to HTTPS.
But I have a dynamic IP at home?
About SSL for mail, now the browser shows okay.
Mid-severity will be no problem?
What to change in the Apache config?
Strong means salted? And do you mean in `.env`?
I have DMARC/DKIM, but what is SPF?

Ok, no passwordless sudo. It's not safe for a PC either, I guess?
Exposed services?


@loqs

Does that mean you are configuring a new server? Is the server running Arch Linux? What do you want the server to do at a high level?

Yes, it will be new. Which operating system is more suitable for a secure server? I want to make it secure with the basics. Or as much as I can do.

What rules? Why are you bending them?

sudo setsebool -P httpd_can_network_connect 1
This is an example. And if you don't do this, it won't be accessible. You have to compromise. But I want it to be secure.

Whitelist what in where?

SSH, as I told.

Back to third topic. No config you provided contains `peer` or `md5` . Is peer relating to a postgresql connection?

Yeah. These are different questions. Apache limitations and psql connection types.

If it's more appropriate in terms of forum rules and order to open 6 different topics, then of course I'll open 6 different topics. But I think it will be too long and too complicated and will clutter up the forum. I think it's too many requests for help for just one person.
Like I said, it's not some kind of "deep"/depth security. I'm talking about a "simple" and default setup. For example, Fail2Ban wasn't on my mind. Install it, enable it. Done.

If there is no serious threat in the configurations, then it's fine! But if there are a few settings that could be improved (limits, protections), then it can be said. Can we call it a minor tweak? I'm not looking for deep security.

---

As for the Mailcow and Apache forums... The LSWS forum was a complete disaster and a terrible experience. Even though an authorized person was involved, they couldn't even help with the Reverse Proxy. To date, the only platform I've found that truly knows anything about technology/pc/server/cyber is the Arch Linux forum.

I understand your request. And it should be exactly as you say. But I guess that's not how it really is.

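On the `peer` to `md5` question confirmed above: `peer` applies only to Unix-socket connections and checks the OS user, so it never needs to change for a TCP client; the line an application connecting to `localhost` needs is the `host ... 127.0.0.1/32` one, and the method to put there is `scram-sha-256` (available since PostgreSQL 10), not `md5`. As an added example (not the poster's real `pg_hba.conf`, which the thread does not show), the Python script below parses a constructed "before" file with everything switched to `md5` and a minimal "after" file, and reports weak methods and any rule reachable from beyond loopback.

```python
"""Classify pg_hba.conf rules by authentication strength.  Added example,
not PostgreSQL's own code.  Inputs are constructed, not the poster's file."""

# BEFORE: every method switched to md5, as post #1 describes (constructed).
BEFORE = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   md5
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
host    all       all   0.0.0.0/0       md5
"""

# AFTER: the minimal change.  Unix-socket logins keep peer, so
# `sudo -u postgres psql` still works; only the loopback TCP lines the
# application uses get a password method, and it is scram-sha-256.
AFTER = """\
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   ::1/128         scram-sha-256
"""

WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in clear text",
    "md5": "MD5 challenge-response; replace with scram-sha-256",
}
LOOPBACK = {"127.0.0.1/32", "::1/128", "samehost"}


def parse_pg_hba(text):
    """Return one dict per rule.  Only the CIDR address form is handled;
    the two-field ADDRESS NETMASK form is not."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                        # local DB USER METHOD [OPTS]
            rules.append({"type": "local", "db": f[1], "user": f[2],
                          "address": None, "method": f[3]})
        else:                                      # host* DB USER ADDRESS METHOD [OPTS]
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "address": f[3], "method": f[4]})
    return rules


def audit_pg_hba(text):
    """Return [(rule, problem)] for weak methods and non-loopback reachability."""
    findings = []
    for r in parse_pg_hba(text):
        where = f"{r['type']} {r['db']} {r['user']} {r['address'] or ''}".rstrip()
        if r["method"] in WEAK_METHODS:
            findings.append((where, f"method {r['method']}: {WEAK_METHODS[r['method']]}"))
        if r["type"] != "local" and r["address"] not in LOOPBACK:
            findings.append((where, "accepts TCP logins from beyond loopback; "
                                    "restrict to the addresses that actually need it"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        result = audit_pg_hba(text)
        print(f"== {label}: {len(result)} finding(s)")
        for rule, problem in result:
            print(f"  [{rule}] {problem}")
```

After changing the method, set `password_encryption = scram-sha-256` in `postgresql.conf`, reload with `SELECT pg_reload_conf();`, and re-set each affected role's password (`\password` in psql): a password stored as an MD5 hash cannot authenticate under SCRAM. Rules using the two-field `ADDRESS NETMASK` form or `include` directives are outside what this parser handles.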

#5 Yesterday 19:06:37

loqs
Member
Registered: 2014-03-06
Posts: 18,724

Re: How to secure a server with default/basic ?

loqs wrote:

What do you want the server to do at a high level?

Is the server only intended to run mailcow if so why would it also run apache and postgresql?


#6 Yesterday 19:34:35

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,526

Re: How to secure a server with default/basic ?

If it's more appropriate in terms of forum rules and order to open 6 different topics

https://wiki.archlinux.org/title/Genera … ow_to_post
Also https://terms.archlinux.org/docs/code-o … -vampirism

I think it's too many requests for help for just one person.

And you think that changes when you stuff it into one omnibus thread?

For example, Fail2Ban wasn't on my mind.

For a WAN facing ssh server, do not even think about that before completely understanding at least https://wiki.archlinux.org/title/OpenSSH#Protection - the related articles there; fail2ban is discussed in https://wiki.archlinux.org/title/Fail2ban
Mind you to *understand* that, not "look at it".

The problem when running a webserver is the server configuration and typically all the crap you're gonna install (nodejs, wordpress etc., let alone custom bugs in your own php and java scripts) because that's the easiest thing to fuck up that will then get attacked.

sudo setsebool -P httpd_can_network_connect 1
This is an example. And if you don't do this, it won't be accessible.

WHAT! THE! FUCK!
This isn't "bending the rules", this is dumb, stupid - and factually wrong.
If you find yourself "having" to do that you need to walk all the way back to the branch that got you on that path and then veer the other direction.

For a brief context:
https://serverfault.com/questions/10204 … p-on-selin
And that's also one of the first ddg results (I made sure this isn't influenced by my google profile) - the fact that you haven't found or not understood that tells me that, despite facing the situation, you've not spent even 3 minutes on researching it.


Stop this. Now!
If your plan is to ask three random people on the internet two or three questions and then run a server (that afaiu allows financial transactions) by next week and just winging it, YOU WILL GO BANKRUPT!
Setup a local server, then figure how to attack it, then figure how to prevent that and make an honest assessment whether you want to invest a lot of time and effort in studying this and if not, abandon your current plan and see whether you can achieve this without having to manage a server yourself.


#7 Yesterday 20:44:11

jojo06
Member
Registered: 2023-11-04
Posts: 340

Re: How to secure a server with default/basic ?

@loqs
Its a web app lets say.

@seth
I believe it's more clear and tidy this way. It's all about basic configuration after all. Because I don't want any special or hard/deep things. Just casual installation.
Like I said, I had to consult here. But if you think it will be safer, I can install Arch. It's currently in the draft stage.

For a WAN facing ssh server, do not even think about that before completely understanding at least https://wiki.archlinux.org/title/OpenSSH#Protection - there related articles, fail2ban is discussed in https://wiki.archlinux.org/title/Fail2ban
Mind you to *understand* that, not "look at it".

I don't know what I'm missing. But I'm reading them now: `https://wiki.mozilla.org/Security/Guidelines/OpenSSH` `https://www.ssh-audit.com/hardening_guides.html`

The problem when running a webserver is the server configuration and typically all the crap you're gonna install (nodejs, wordpress etc., let alone custom bugs in your own php and java scripts) because that's the easiest thing to fuck up that will then get attacked.

That's exactly why I'm asking here. Neither the internet nor any AI mentions these. I have no other avenues for research. So why did you call these packages `crap`? I haven't installed WordPress or PHP.

And that's also one of the first ddg results (I made sure this isn't influenced by my google profile) - the fact that you haven't found or not understood that tells me that, despite facing the situation, you've not spent even 3 minutes on researching it.

Of course, you're disabling a rule, but I thought that was normal. I'm reading that now.
See? AI, the teachers I asked, my colleagues; none of them mentioned that this was such a critical issue. In fact, they said: "If it's not connected to the internet, the protection is already geared towards that, so of course you need to adjust it."

If your plan is to ask three random people on the internet two or three questions and then run a server (that afaiu allows financial transactions) by next week and just winging it, YOU WILL GO BANKRUPT!

I won't have a primary bank account there, so I can regularly transfer the incoming money to my own (local) bank. (Money to be deposited in an online foreign bank.)
I can do this every day, and I can even set up a recurring payment. If I get attacked and all the money I earned in one day is withdrawn, that's not a problem for me.
There were no users until now. Likewise, there are no monetary transactions at present. There had been no issues whatsoever until this latest React2Shell incident.
I understand your worry and being responsible. And I really, really appreciate your honesty. I'm worried and stressed too.


And while mention:
Unfortunately, I have no choice but to set up a server. And I'm learning by doing it anyway. I have 16 hours free. Yes, I have plenty of time and motivation. I started by taking some courses on Udemy. But it was too far removed from real life. I'm normally quite curious about cybersecurity and find it interesting. But I couldn't find any resources or anything else.

Also, as I said before, when I look at the people working here, they are definitely in a worse situation than me. But there was no problem. Because the foundation seems solid. They don't get support from abroad, and the level of the people working here is obvious. So even if I wanted to go into debt and take out a loan to hire a cybersecurity specialist right now, believe me, there are no people here who know what we're talking about. I talked with them, i know them.

Is there anyone I can get support from online in this way, or can you recommend a course/documentation?


#8 Today 09:36:51

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,526

Re: How to secure a server with default/basic ?

I believe its more clear and tidy this way.

No, it is you abusing the forum in an effort to setup (and ultimately maintain?) a server for you.
Omnibus threads that serve your specific task chain are of almost no use for anyone else (and typically TGN because maintenance by definition never ends)

So why did you call these packages `crap`?

seth wrote:

because that's the easiest thing to fuck up that will then get attacked

WordPress is afaik still the by far most widespread CMS and thus also constant subject to attacks because it has bugs because that's the nature of software.
The problem arises because their target audience is of the nature to install it, add random plugins they find, fiddle with it until it shows the content they want to see somehow and then are too scared to ever touch it again, resulting in never applying the CVE relevant patches and eventually get infiltrated and start to send me (and everyone else I don't care about) spam mails (or nowadays maybe also just mine bitcoins)

