
Securing your Linux web server - dlanced
https://medium.com/@dbclin/securing-your-linux-web-server-2be683c223eb
======
gmemstr
No mention of restricting access to keypairs and removing access via password
login? This is the #1 thing I do with all servers I deploy.

~~~
vinceguidry
At the top of the article it's mentioned that the blog post is an excerpt from
a book.

------
Sir_Cmpwn
I have a little checklist I use to cover the basics:

[https://drewdevault.com/new-server.html](https://drewdevault.com/new-server.html)

~~~
rodolphoarruda
I'm a generalist project manager.

When you say "Disable password login via ssh", what is going to be the login
method from this point onwards? Via a personal certificate? Tks

~~~
brobinson
You should be using public key authentication:
[https://www.digitalocean.com/community/tutorials/how-to-set-...](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2)

If you insist on using passwords, make sure you at least install something
like fail2ban or denyhosts to block the compromised machines which are
hammering your server trying to guess passwords. Clients can see which
authentication methods are allowed so they know which machines to attack
(i.e., yours, if you allow passwords).
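
Two defender-side checks that go with the advice above, written as an added example (this is not code from the thread or from the linked tutorial, and the sshd_config text and auth log lines in it are constructed samples, not taken from a real host): an audit of an sshd_config for the settings that still let passwords through once "PasswordAuthentication no" is set, and a per-source count of failed password attempts, which is the pattern that fail2ban and denyhosts key on.

```shell
#!/bin/sh
# Added example, not code from the thread or from any linked page.
#   1. audit an sshd_config for settings that still allow password logins
#   2. count "Failed password" attempts per source address (what a fail2ban
#      sshd jail acts on)
# All config and log text below is constructed sample data.

# Effective value of one sshd_config keyword: sshd honours the FIRST match,
# so print the first non-comment occurrence (keywords are case-insensitive).
# Prints nothing when the keyword is absent, i.e. the built-in default applies.
# Simplification: "Key=value" syntax and Match blocks are not handled here.
sshd_option() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Report settings that still allow password-based logins: one finding per
# line on stdout, non-zero return if there were any.
audit_sshd_config() {
    cfg=$1
    findings=0

    # PasswordAuthentication defaults to yes when unset.
    pw=$(sshd_option PasswordAuthentication "$cfg")
    [ "${pw:-yes}" = "no" ] || {
        echo "PasswordAuthentication is '${pw:-yes (default)}': password logins allowed"
        findings=$((findings + 1))
    }

    # Even with PasswordAuthentication no, a PAM password prompt can still be
    # offered over keyboard-interactive unless that is turned off as well.
    # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication
    # is the older alias, so accept either. Both default to yes.
    kbd=$(sshd_option KbdInteractiveAuthentication "$cfg")
    [ -n "$kbd" ] || kbd=$(sshd_option ChallengeResponseAuthentication "$cfg")
    [ "${kbd:-yes}" = "no" ] || {
        echo "keyboard-interactive auth is '${kbd:-yes (default)}': PAM password prompts still possible"
        findings=$((findings + 1))
    }

    # Public keys must stay enabled or nobody can log in once passwords go.
    pk=$(sshd_option PubkeyAuthentication "$cfg")
    [ "${pk:-yes}" = "yes" ] || {
        echo "PubkeyAuthentication is '$pk': key-based login is disabled"
        findings=$((findings + 1))
    }

    # Root should not accept a password either; the unset default has varied
    # between OpenSSH releases, so treat "unset" as something to review.
    root=$(sshd_option PermitRootLogin "$cfg")
    case "${root:-unset}" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *)  echo "PermitRootLogin is '${root:-unset}': set it to no or prohibit-password"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Per-source count of "Failed password" lines; prints "ip count" for every
# source at or above the threshold, sorted so the output is stable.
ssh_brute_sources() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= threshold) print ip, count[ip] }' | sort
}

# Constructed samples (not from a real host).
WEAK_CONFIG='# constructed: what many stock images ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes'

HARDENED_CONFIG='# constructed: key-only logins
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

SAMPLE_AUTH_LOG='Mar  3 10:12:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 41122 ssh2
Mar  3 10:12:04 web1 sshd[2203]: Failed password for root from 198.51.100.23 port 41130 ssh2
Mar  3 10:12:06 web1 sshd[2205]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar  3 10:12:07 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 39876 ssh2
Mar  3 10:12:09 web1 sshd[2209]: Failed password for invalid user oracle from 198.51.100.23 port 41144 ssh2'

echo "== constructed weak config =="
audit_sshd_config "$WEAK_CONFIG" || echo "-> review the findings above"
echo "== constructed hardened config =="
audit_sshd_config "$HARDENED_CONFIG" && echo "-> no findings"
echo "== sources with >= 3 failed passwords =="
ssh_brute_sources "$SAMPLE_AUTH_LOG" 3
```

On a real host the audit would be fed `sshd -T` output rather than the raw file, since `sshd -T` prints the effective configuration with defaults and Match blocks resolved; the simple first-match lookup above is enough to show which keywords matter. The keyboard-interactive check is the one people most often miss: with UsePAM on, "PasswordAuthentication no" alone does not stop password prompts.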

~~~
MertsA
Or for something even cleaner than a program trying to parse plaintext logs
you can use a PAM module.
[https://wiki.archlinux.org/index.php/Pam_abl](https://wiki.archlinux.org/index.php/Pam_abl)

~~~
adfskjldsjfk
How would you compare it with fail2ban?

------
snowwrestler
Here are the basics of users and groups!

And now, here's containerization and complicated awk commands!

I get that it's Chapter 9 in a book, so there is missing context. But I'm also
wondering why users and groups seem to be getting intro'd in Chapter 9. And
why the author thinks that a person who is learning about users and groups is
in any position to consider containers.

------
HankB99
A minor nit, I suppose. Formatting of cli commands has mangled them to the
point they cannot be used. For example

# dpkg — list

will not work. The correct command is

dpkg --list

I suppose I'm particularly sensitive to this because I ran into a problem
copying some commands from a terminal window into a Google Document and then
copying/pasting them back to the command line. Google Docs had changed some of
the spaces to something that looked like a space (both in the doc and in the
shell) but was not and caused inexplicable error messages.

Anyway... I prefer stuff where I can copy/paste directly to a terminal window
and have it work as the author expected.
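
Two small helpers for the copy/paste problem described above, added here as an example (not code from the thread): one flags every line of a pasted snippet that contains bytes outside printable ASCII, the other undoes the usual word-processor substitutions (em and en dashes, no-break spaces, curly quotes) so the result can be inspected before anything is run. The sample snippet is constructed, with the problem characters built from their UTF-8 byte sequences so they are visible in the source.

```shell
#!/bin/sh
# Added example, not code from the thread. The sample text is constructed;
# the octal escapes are the UTF-8 encodings of the characters named beside them.

# Print every line that contains a byte outside printable ASCII (tab allowed);
# returns non-zero if any line was flagged. LC_ALL=C keeps awk byte-oriented,
# so multibyte characters are seen as the out-of-range bytes they are.
find_non_ascii() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | LC_ALL=C awk -v re="[^ -~$tab]" '
        $0 ~ re { found++; print "line " NR ": " $0 }
        END { exit (found > 0) }'
}

# Replace the common typographic substitutions with their ASCII originals.
# This cannot undo an inserted space (the thread's "dpkg -- list" case), so
# the output is still for review, not for blind execution.
normalize_typography() {
    em=$(printf '\342\200\224')    # U+2014 EM DASH
    en=$(printf '\342\200\223')    # U+2013 EN DASH
    nbsp=$(printf '\302\240')      # U+00A0 NO-BREAK SPACE
    ldq=$(printf '\342\200\234')   # U+201C LEFT DOUBLE QUOTATION MARK
    rdq=$(printf '\342\200\235')   # U+201D RIGHT DOUBLE QUOTATION MARK
    lsq=$(printf '\342\200\230')   # U+2018 LEFT SINGLE QUOTATION MARK
    rsq=$(printf '\342\200\231')   # U+2019 RIGHT SINGLE QUOTATION MARK
    printf '%s\n' "$1" | LC_ALL=C sed \
        -e "s/$em/--/g" -e "s/$en/-/g" -e "s/$nbsp/ /g" \
        -e "s/$ldq/\"/g" -e "s/$rdq/\"/g" -e "s/$lsq/'/g" -e "s/$rsq/'/g"
}

# Constructed sample: four command lines after a trip through a word
# processor (em dash, en dash, no-break space) plus one untouched line.
SAMPLE_PASTE=$(printf 'dpkg \342\200\224 list\nls \342\200\223la /tmp\necho\302\240hello\napt-get install nginx')

echo "== lines with non-ASCII bytes =="
find_non_ascii "$SAMPLE_PASTE" || true
echo "== after normalising (the stray space in 'dpkg -- list' remains) =="
normalize_typography "$SAMPLE_PASTE"
```

`find_non_ascii` is the check worth running on anything pasted from a document or a web page before it goes near a root shell; the normaliser only covers the substitutions listed, which is why it reports rather than executes.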

------
sonaltr
One of the things that I'm super happy about is that for basic stuff I don't
need to manage servers (static sites / web apps hosted on S3 etc., FaaS for
basic Code) and when I do need to have full on servers, I can use something
like GKE/EKS/AKE to just deploy containers and not manage the underlying
infrastructure.

It's super awesome when working on personal projects! (although in a way I did
enjoy doing all that in the first place)

------
jimmies
I am so glad nowadays to get websites for my hobby projects going, I just have
to do a Github page, and don't have to worry about all that stuff (and don't
have to pay, either). Github pages + Static content generators are among the
best advancements in the recent years.

~~~
throwawayReply
Back in the day we used to call that "Shared hosting" and it was looked down
on by the in-crowd.

~~~
dspillett
In my experience shared hosting was looked down upon (and still is) not
because we were high-and-mighty better-than-thou you-know-nothing toffee-nosed
snobs about the entire idea[1], but because of the many (the majority?)
hosts who were absolutely terrible at security (and stability, and performance,
both generally and through silly levels of over-selling, and everything else,
but security is most important).

In this case the hosting is by a company with the technical skills and
infrastructure to properly secure and support the service, not some
inexperienced kid living with his parents who thinks a simple cPanel
installation (that never gets updated for some reason he doesn't notice or
can't be bothered to diagnose) is a great almost-zero-effort way to sell
hosting to make a bit of extra pocket money over the school/college/other
holidays.

Also the lack of control made using certain things impossible: you were
usually held back on an old version of mySQL & PHP and little else, so if you
wanted to use postgres or python or anything else you were stuck. That is the
same here of course: this probably gives you even less control because it is
not trying to be shared hosting, it is a hosting-platform-as-a-service.

[1] I may actually be a high-and-mighty better-than-thou you-know-nothing
toffee-nosed snob, but that is beside the point here!

~~~
jimmies
Years ago someone I used to know ;-) used to upload php scripts to traverse
the ".." dir to shared hosts. You can do that with 9 out of 10 smaller shared
hosts. It was hilarious. There is a whole lot less attack surface when it
comes to static content generators.

------
holri
The old advice to have separate machines for isolation is still valid in
spectre and meltdown times.

------
frabbit
In case anyone else was wondering: "Shipyard" is a mothballed Docker compose
project
[https://github.com/shipyard/shipyard](https://github.com/shipyard/shipyard)

~~~
frabbit
Meh, sorry. I meant this as a reply to a comment downthread which referenced
[https://www.codelitt.com/blog/my-first-10-minutes-on-a-serve...](https://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/)

------
jlgaddis
Is that the entire chapter? Seems a little... "thin", I suppose.

------
entelechy0
My go to:

[http://www.codelitt.com/blog/my-first-10-minutes-on-a-server...](http://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/)

