How to setup your linux server
1 like488 views
This document provides guidance on setting up a Linux server at home. It discusses reasons you may need a home server, such as for storage, routing, or hosting personal projects. It then offers recommendations for hardware, distributions, partitioning, encryption, disabling unnecessary services, software updates, logging, security practices, network configuration, SSH hardening, configuration security, user setup, and kernel settings. The goal is to have a secure home server for various uses.
How to setup your linux server
- 1. How to setup How to setup your Linux Serveryour Linux Server Marian HackMan MarinovMarian HackMan Marinov <[email protected]><[email protected]> Chief System ArchitectChief System Architect SiteGroundSiteGround
- 2. Who am I?Who am I?Who am I?Who am I? ❖ Chief System Architect of Siteground.com ❖ Sysadmin since 1996 ❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :) ❖ Teaching Network Security and Linux System Administration at Sofia University
- 3. ❖ Storage - pics, docs, music and movies You DO NEED home ServerYou DO NEED home Server
- 4. ❖ Storage - pics, docs, music and movies ❖ If you are a network nerd, maybe for a Router and a good Firewall You DO NEED home ServerYou DO NEED home Server
- 5. ❖ Storage - pics, docs, music and movies ❖ If you are a network nerd, maybe for a Router and a good Firewall ❖ For load-balancing and failover of multiple ISPs You DO NEED home ServerYou DO NEED home Server
- 6. ❖ Storage - pics, docs, music and movies ❖ If you are a network nerd, maybe for a Router and a good Firewall ❖ For load-balancing and failover of multiple ISPs ❖ For hosting your home projects ❖ For home automation and statistics You DO NEED home ServerYou DO NEED home Server
- 7. ❖ Storage - FreeNAS (based on FreeBSD) - OpenMediaVault (based on Debian Linux) - Rockstor (based on CentOS) - Amahi (based on Fedora) What distribution?What distribution? Filesystems: ZFS BtrFS Ext4
- 8. ❖ Router - FreeBSD - Debian Stable - CentOS - Ubuntu LTS What distribution?What distribution? Note: Run the Linuxes with kernels newer then 4.5
- 9. ❖ General Purpose - Debian Stable - CentOS - Ubuntu LTS What distribution?What distribution? Note: Run the Linuxes with kernels newer then 4.5
- 10. ❖ Mini ITX box HardwareHardware
- 11. ❖ Mini ITX box ❖ Desktop case HardwareHardware
- 12. ❖ Mini ITX box ❖ Desktop case ❖ Rack-mountable HardwareHardware
- 13. ❖ HW RAID controller ❖ SW RAID ❖ LVM mirror ❖ ZFS/BtrFS ❖ SATA vs. SSD vs. NVMe 100MB/s 540MB/s 2200MB/s StorageStorage Note: If you are using SSDs, switch your I/O scheduler to none
- 14. ❖ Separate HW RAID devices ❖ Separate SW RAID devices ❖ All disks are Physical Volumes(LVM) PartitioningPartitioning
- 15. ❖ Single partition for boot - usually around 300-400MB ❖ Separate partition for the OS - around 100-150GB ❖ One partition for important stuff ❖ One partition for everything else PartitioningPartitioning
- 16. ❖ Should you encrypt all disks? ❖ Should you encrypt only some partitions? ❖ Should you encrypt only certain dirs? ❖ How to remotely input your passwords, when the server is rebooted? EncryptionEncryption LUKS vs. eCryptfs
- 17. ❖ Should you encrypt all disks? ❖ Should you encrypt only some partitions? ❖ Should you encrypt only certain dirs? ❖ How to remotely input your passwords, when the server is rebooted? - put SSHD with your key in the initrd EncryptionEncryption LUKS vs. eCryptfs
- 18. ❖ Default installations always have a lot of installed and running services ❖ Remove everything that you are not going to use immediately ❖ Disable the services that you don't need on boot Disable servicesDisable services
- 19. ❖ Remove all software that will not be used initially on this machine ❖ it is strange for a server to have bluetooth or WiFi ❖ Reducing the software, reduces the attack surface that the machine has ❖ Upgrade to the latest possible kernel SoftwareSoftware
- 20. ❖ If the distribution allows, enable auto update for security updates ONLY ❖ Add all additional repositories that I will generally need (EPEL/PPA type repos) SoftwareSoftware
- 21. ❖ Configure logs for debugging your services ❖ Configure logrotate for all logs ❖ This ensures that you will not fill up your drives with logs Logs & logrotateLogs & logrotate
- 22. ❖ If you have a big machine, try to separate services in different VMs/Containers ❖ Follow the security guidelines for any service that you are running on the machine SecuritySecurity
- 23. ❖ Firewall the machine from the Internet ❖ Allow only traffic to local services that you trust ❖ Allow incoming traffic that was requested (related connections) ❖ Allow outgoing traffic only to services that you have configured (this way you protect the Internet from your self) NetworkNetwork
- 24. ❖ Disable forwarding if the machine will not be a router ❖ If it is a router: ❖ allow forwarding only to/from your own network ❖ add MAC filters per-client (so you will know which machine is abusing your network) ❖ install network monitoring software like IP audit and arpwatch NetworkNetwork
- 25. ❖ Disable password authentication ❖ Disable PAM ❖ Disable Kerberos ❖ Disable GSSAPI ❖ Allow only SSH 2.0 protocol ❖ Use only large RSA keys 4096 and higher ❖ Use privilege separation SSHSSH
- 26. ❖ When the service allows, always chroot the service ❖ By default many service configs are world readable, fix that ❖ Remove all kernel modules that you are not going to use. YES DELETE THEM. Someone may try to abuse the kernel module autoloader to load them - DCCP for example Secure configurationsSecure configurations
- 27. ❖ If you need to secure additional users on the machine, I suggest you use ecryptfs on top of what you already have. ❖ Verify the permissions of the running apps ❖ Use ssh-agents User setupUser setup
- 28. ❖ crashkernel=256M ❖ panic=5 ❖ hardlockup_panic=1 ❖ panic_on_oops=1 ❖ panic_on_unrecovered_nmi=1 ❖ unknown_nmi_panic=1 ❖ nmi_watchdog=panic,1 ❖ consoleblank=0 Kernel setupKernel setup
- 29. THANK YOUTHANK YOUTHANK YOUTHANK YOU Marian HackMan Marinov <[email protected]>