this post was submitted on 10 Feb 2025
741 points (99.3% liked)

linuxmemes

22397 readers
2642 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
    • 5. πŸ‡¬πŸ‡§ Language/язык/Sprache
  • This is primarily an English-speaking community. πŸ‡¬πŸ‡§πŸ‡¦πŸ‡ΊπŸ‡ΊπŸ‡Έ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
    • Β 

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 2 years ago
    MODERATORS
    [email protected]
    [email protected]
    [email protected]
    741
    I didn't know you were supposed to disable root user... (linux.community)
    submitted 1 day ago by [email protected] to c/[email protected]
    148 comments fedilink hide all child comments
     

    Background: 15 years of experience in software and apparently spoiled because it was already set up correctly.

    Been practicing doing my own servers, published a test site and 24 hours later, root was compromised.

    Rolled back to the backup before I made it public and now I have a security checklist.

    you are viewing a single comment's thread
    view the rest of the comments
    [–] [email protected] 27 points 15 hours ago (2 children)

    The other poster gave you a lot. If that's too much at once, the really low hanging fruit you want to start with is:

    • Choose an active, secure distro. There's a lot of flavors of Linux out there and they can be fun to try but if you're putting something up publicly it should be running on one that's well maintained and known for security. CentOS and Debian are excellent easy choices for example.

    • Similarly, pick well maintained software with a track record. Nginx and Apache have been around forever and have excellent track records, for example, both for being secure and fixing flaws quickly.

    • If you use Docker, once again keep an eye out for things that are actively maintained. If you decide to use Nginx, there will be five million containers to choose from. DockerHub gives you the tools to make this determination: Download number is a decent proxy for "how many people are using this" and the list of updates tells you how often and how recently it's being updated.

    • Finally, definitely do look at the other poster's notes about SSH. 5 seconds after you put up an SSH server, you'll be getting hit with rogue login attempts.

    • Definitely get a password manager, and it's not just one password per server but one password per service. Your login password to the computer is different from your login to any other things your server is running.

    The rest requires research, but these steps will protect you from the most common threats pretty effectively. The world is full of bots poking at every service they can find, so keeping them out is crucial. You won't be protected from a dedicated, knowledgeable attacker until you do the rest of what the other poster said, and then some, so try not to make too many enemies.

    [–] [email protected] 1 points 1 hour ago

    Thank you!

    [–] [email protected] 6 points 15 hours ago* (last edited 15 hours ago) (1 children)

    The TLDR is here : https://www.digitalocean.com/community/tutorials/recommended-security-measures-to-protect-your-servers

    You won’t be protected from a dedicated, knowledgeable attacker until you do the rest of what the other poster said, and then some,

    You're right I didn't even get to ACME and PKI or TOTP

    https://letsencrypt.org/getting-started/

    https://openbao.org/docs/secrets/pki/

    https://openbao.org/docs/secrets/totp/

    And for bonus points build your own certificate authority to sign it all.

    https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/

    [–] [email protected] 1 points 1 hour ago

    Thank you for this! I've got some homework to do!