this post was submitted on 29 Aug 2024
65 points (98.5% liked)

Selfhosted

39964 readers
311 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
65
Suggestions for Improving Linux Server Security: Beyond User Permissions and Groups? (lemy.lol)
submitted 2 months ago by [email protected] to c/[email protected]
36 comments fedilink hide all child comments
 

Hi all,

I found a hobby in trying to secure my Linux server, maybe even beyond reasonable means.

Currently, my system is heavily locked down with user permissions. Every file has a group owner, and every server application has its own user. Each user will only have access to files it is explicitly added to.

My server is only accessible from LAN or VPN (though I've been interested in hosting publicly accessible stuff). I have TLS certs for most everything they can use it (albeit they're self signed certs, which some people don't like), and ssh is only via ssh keys that are passphrase protected.

What are some suggestions for things I can do to further improve my security? It doesn't have to be super useful, as this is also fun for me.

Some things in mind:

  • 2 factor auth for SSH (and maybe all shell sessions if I can)
  • look into firejail, nsjail, etc.
  • look into access control lists
  • network namespace and vlan to prevent server applications from accessing the internal network when they don't need to
  • considering containerization, but so far, I find it not worth foregoing the benefits I get of a single package manager for the entire server

Other questions:

  • Is there a way for me to be "notified" if shell access of any form is gained by someone? Or somehow block all shell access that is not 2FA'd?
  • my system currently secures files on the device. But all applications can see all process PIDs. Do I need to protect against this?

threat model

  • attacker gains shell access
  • attacker influences server application to perform unauthorized actions
  • not in my threat model: physical access
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

There are entire books dating back to the 80's that go into this, that are still fairly valid to this day.

If you want to take things further at your own risk, look into how to use TPM and Secure Boot to your advantage. It's tricky, but worth a delve.

For network security, you're only going to be as effective as the attack hitting you, and self-hosting is not where you want to get tested. Cloudflare is a fine and cheap solution for that. VLANS won't save you, and an on-prem attack won't save you here. Look into Crowdsec.

Disable any wireless comms. Use your BIOS to ensure things like Bluetooth is disabled...you get the idea. Use RFKill to ensure the OS respects the disablement of wireless devices.

At the end of the day, every single OS in existence is only as secure as the attack vectors you allow it to have. Eventually, somebody can get in. Just removing the obvious entry points is the best you can do.

[–] [email protected] 1 points 2 months ago (2 children)

What's the issue with VLAN?

[–] [email protected] 1 points 2 months ago

If you set it up incorrectly you can perform an attack called vlan hoping.

You also need to setup Firewall rules to properly isolate zones

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

VLANs are for organizing traffic, not authorization of traffic.

Can be pretty easily spoofed by packet.

[–] [email protected] 3 points 2 months ago

Only if you don't set it up correctly. You should set which devices are allowed to set which vlans and then make sure client devices aren't authorized to send or receive tagged packets.

You then combine that with a firewall only needed traffic allowed.