How to set up your Linux Server
Marian HackMan Marinov
Chief System Architect, SiteGround
Who am I?
- Chief System Architect of Siteground.com
- Sysadmin since 1996
- Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :)
- Teaching Network Security and Linux System Administration at Sofia University
You DO NEED a home Server
- Storage - pics, docs, music and movies
- If you are a network nerd, maybe for a Router and a good Firewall
- For load-balancing and failover of multiple ISPs
- For hosting your home projects
- For home automation and statistics
What distribution?
Storage
- FreeNAS (based on FreeBSD)
- OpenMediaVault (based on Debian Linux)
- Rockstor (based on CentOS)
- Amahi (based on Fedora)
Filesystems: ZFS, BtrFS, Ext4
What distribution?
Router
- FreeBSD
- Debian Stable
- CentOS
- Ubuntu LTS
Note: Run the Linuxes with kernels newer than 4.5
What distribution?
General Purpose
- Debian Stable
- CentOS
- Ubuntu LTS
Note: Run the Linuxes with kernels newer than 4.5
Hardware
- Mini ITX box
- Desktop case
- Rack-mountable
Storage
- HW RAID controller
- SW RAID
- LVM mirror
- ZFS/BtrFS
SATA vs. SSD vs. NVMe: 100MB/s vs. 540MB/s vs. 2200MB/s
Note: If you are using SSDs, switch your I/O scheduler to none
Partitioning
- Separate HW RAID devices
- Separate SW RAID devices
- All disks are Physical Volumes (LVM)
Partitioning
- Single partition for boot - usually around 300-400MB
- Separate partition for the OS - around 100-150GB
- One partition for important stuff
- One partition for everything else
Encryption
- Should you encrypt all disks?
- Should you encrypt only some partitions?
- Should you encrypt only certain dirs?
LUKS vs. eCryptfs
How to remotely input your passwords when the server is rebooted?
- put SSHD with your key in the initrd
Disable services
- Default installations always have a lot of installed and running services
- Remove everything that you are not going to use immediately
- Disable the services that you don't need on boot
Software
- Remove all software that will not be used initially on this machine
  - it is strange for a server to have Bluetooth or WiFi
- Reducing the software reduces the attack surface that the machine has
- Upgrade to the latest possible kernel
Software
- If the distribution allows, enable auto update for security updates ONLY
- Add all additional repositories that I will generally need (EPEL/PPA type repos)
Logs & logrotate
- Configure logs for debugging your services
- Configure logrotate for all logs
  - This ensures that you will not fill up your drives with logs
Security
- If you have a big machine, try to separate services in different VMs/Containers
- Follow the security guidelines for any service that you are running on the machine
Network
- Firewall the machine from the Internet
- Allow only traffic to local services that you trust
- Allow incoming traffic that was requested (related connections)
- Allow outgoing traffic only to services that you have configured (this way you protect the Internet from yourself)
Network
- Disable forwarding if the machine will not be a router
- If it is a router:
  - allow forwarding only to/from your own network
  - add MAC filters per-client (so you will know which machine is abusing your network)
  - install network monitoring software like IP audit and arpwatch
SSH
- Disable password authentication
- Disable PAM
- Disable Kerberos
- Disable GSSAPI
- Allow only SSH 2.0 protocol
- Use only large RSA keys, 4096 and higher
- Use privilege separation
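An added example (not from the original slides): a shell audit for the SSH checklist above. `audit_sshd` reads effective settings in the form `sshd -T` prints, and `audit_rsa_keys` reads `ssh-keygen -l -f <file>` listings. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the SSH checklist (hypothetical names).
# Protocol version and privilege separation are not checked: current OpenSSH
# releases no longer offer SSH v1 or a non-separated mode.

# stdin: effective settings as printed by `sshd -T` ("key value" per line).
# Prints one line per deviation; returns non-zero if any was found.
# A key absent from the input counts as a deviation, so truncated or wrong
# input never passes silently.
audit_sshd() {
    awk '
        { seen[tolower($1)] = tolower($2) }
        END {
            n = split("passwordauthentication usepam kerberosauthentication gssapiauthentication", keys, " ")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!(k in seen))         { printf "MISSING %s\n", k; bad++ }
                else if (seen[k] != "no") { printf "FAIL %s is %s, want no\n", k, seen[k]; bad++ }
            }
            exit (bad > 0)
        }'
}

# stdin: lines as printed by `ssh-keygen -l -f <file>`:
#   "<bits> <fingerprint> <comment> (<TYPE>)"
# Flags RSA keys below 4096 bits; other key types are outside the slide's rule
# and are left unjudged.
audit_rsa_keys() {
    awk '
        $NF == "(RSA)" && $1 + 0 < 4096 {
            printf "FAIL %s: RSA key is %d bits, want >= 4096\n", $2, $1; bad++
        }
        END { exit (bad > 0) }'
}

# Constructed sample input (not taken from a real host).
SAMPLE_CONFIG='passwordauthentication yes
usepam no
kerberosauthentication no
gssapiauthentication no'
SAMPLE_KEYS='2048 SHA256:CONSTRUCTED-EXAMPLE-1 old@laptop (RSA)
4096 SHA256:CONSTRUCTED-EXAMPLE-2 new@laptop (RSA)'

printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd || true
printf '%s\n' "$SAMPLE_KEYS" | audit_rsa_keys || true
```

On a live host the same functions take `sshd -T` (run as root) and `ssh-keygen -l -f ~/.ssh/authorized_keys` on stdin.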
Secure configurations
- When the service allows, always chroot the service
- By default many service configs are world readable, fix that
- Remove all kernel modules that you are not going to use. YES DELETE THEM.
  - Someone may try to abuse the kernel module autoloader to load them - DCCP for example
User setup
- If you need to secure additional users on the machine, I suggest you use ecryptfs on top of what you already have.
- Verify the permissions of the running apps
- Use ssh-agents
Kernel setup
crashkernel=256M panic=5 hardlockup_panic=1 panic_on_oops=1 panic_on_unrecovered_nmi=1 unknown_nmi_panic=1 nmi_watchdog=panic,1 consoleblank=0
THANK YOU
Marian HackMan Marinov