I found a hobby in trying to secure my Linux server, maybe even beyond reasonable means.
Currently, my system is heavily locked down with user permissions. Every file has a group owner, and every server application has its own user. Each user will only have access to files it is explicitly added to.
My server is only accessible from LAN or VPN (though I’ve been interested in hosting publicly accessible stuff). I have TLS certs for most everything they can use it (albeit they’re self signed certs, which some people don’t like), and ssh is only via ssh keys that are passphrase protected.
What are some suggestions for things I can do to further improve my security? It doesn’t have to be super useful, as this is also fun for me.
Some things in mind:
2 factor auth for SSH (and maybe all shell sessions if I can)
look into firejail, nsjail, etc.
look into access control lists
network namespace and vlan to prevent server applications from accessing the internal network when they don’t need to
considering containerization, but so far, I find it not worth foregoing the benefits I get of a single package manager for the entire server
Other questions:
Is there a way for me to be “notified” if shell access of any form is gained by someone? Or somehow block all shell access that is not 2FA’d?
my system currently secures files on the device. But all applications can see all process PIDs. Do I need to protect against this?
threat model
attacker gains shell access
attacker influences server application to perform unauthorized actions
Maybe not 100% in the subject, but I just deployed a Wazuh instance to let me know how any of my hosts, containers and computers may have vulnerabilities. I found a crap load of holes in my services, and I’m halfway through squashing all of them.
If this is a hobby, that’s sure to keep you entertained for quite some time.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
Maybe not 100% in the subject, but I just deployed a Wazuh instance to let me know how any of my hosts, containers and computers may have vulnerabilities. I found a crap load of holes in my services, and I’m halfway through squashing all of them.
If this is a hobby, that’s sure to keep you entertained for quite some time.