Ask HN: How to properly secure a server?

[Qision]

Hi,

I started playing around with a small VPS. To learn about security I followed a tutorial on Github [1] in which they talk about a lot of tools. I understand that ssh, ufw and fail2ban are the most important but for example should I use PSAD or CrowdSec?

Basically I want to self host services and run web apps, so how can I know how much security do I need?

Thanks for your help

[1]: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

[sarcasmatwork]

>should I use PSAD or CrowdSec?

Use a free solution, never used these. Are they even current?

  -ssh is a way to access the server (pub key is preferred way)
  -ufw is a frontend to iptables
  -fail2ban blocks based on regex rules. (needs tweaking)

For web, you'll need port 80, 443 open, and a port for ssh, default is 22. I would change ssh port to something higher as there are many bots that scan all of these known ports.

Monitor your logs, and check for activity. access.log, syslog etc.

[Philippe_H]

CrowdSec scans also firewall logs like PSAD and much more applicative logs types than fail2ban. That being said I use tailscale to ssh to my servers.

[Qision]

Sorry for answering late, hope you will see my comment.

Is it necessary to add a vpn connexion to a server on top of the ssh one? Here is someone else asking the same question: https://news.ycombinator.com/item?id=35957349

I would be interested to have your feedback.

[elmerfud]

It's difficult to answer your question without much more detailed analysis of your use case. I looked over this document and i seriously question at the beginning when it talks about using ansible to apply their policies and they tell you to turn on allowing root logins for ssh. Nothing else after that in the document seemed suspect but simply saying that that's something you should do seems very wrong to me. You should never allow a root to login directly over ssh.

A lot of the other things in the document aren't wrong but in my opinion aren't necessary except in certain use cases. The use case that they describe in their system is a desktop class machine hanging its butt out on the internet. Although they continually refer to it as a server, their use case clearly defines it as a desktop class machine.

One thing that i do it disagree with their assessment on is that ssh keys are automatically better than using ssh with passwords. While keys do have benefits the kind of thinking that says they are better than passwords leads to mistakes being made which can end up with your key leaking. Either method is only as good as the human security placed around it.

Overall i would not recommend having ssh exposed to the internet. Using a wire guard based vpn to be able to access your machine(a) provides a much better layer of security that exposing ssh.

There is just a lot of principles around security as it relates to your use case. One thing to keep in mind is that you're only vulnerable on the things that you expose. Reducing attack surface is one of the most basic things that you can do and one of the most beneficial. Why run five services when one service could be sufficient? Why have a service listening on anything but loopback if it is not required to listen on anything but loopback. Little things like that can reduce your exposure. Because ultimately security is layers. Yes you should have a firewall locally run on the system blocking parts and you should have a firewall run on your network blocking access to things that should not be accessed. What happens when one or both of those firewalls are misconfigured? This is where having services only running and listening on non-loopback ips when they are required reduces that exposure greatly.

One other thing to review would be the nist guidelines for how the dod secures their systems. Most operating systems will have a security hardening package to apply those guidelines. The problem is about 80-90% of the guidelines are good general security best practices the remaining 10-20% are obnoxious compliance things. For example fips is largely about compliance rather than security. It has some security benefits but because it requires algorithms be certified for compliance it is always out of date for the best algorithms.