advice for little server

[majoron]

Hello,
I'm going to install linux on a server, and I have decided to go for Gentoo, which is my favourite distro for many reasons.
But my experience with servers is limited, so I would like to ask for suggestions from more experienced people.
Some requirements:

• X
  
• MySQL
  
• Apache
  
• Django
  
• Java
  
• Security: It is NOT going to provide a critical service. Security will not be the most important thing, not at all. Still, of course, we want a reasonable level of security.
  

Things that I would like to get opinions about:

• kernel options
  
• Recommended profile. Hardened? I would say no, but I'm not really sure...
  
• Other important components: logging system(?), bootloader(Grub?), filesystems (ext4?), ...
  
• USE flags
  
• Some simple security suggestions?
  

Another thing I would like to know (I'm sure there must be some documents around, but I don't find what I'm looking for) is: a recommended policy of system upgrades for servers. Do you know some kind of "official" link for that?

TIA.

Best regards
_________________
Computers are like air conditioners, they stop working properly if you open Windows

[schorsch_76]

My recommendation:
-X
-Java
+Security
+fail2ban
+shorewall
+hardened profile
+regular backup
+rkhunter
+chkrootkit
+wiretrap
+openvpn

If you design the server from the begin, not with respect to security, you will for sure get hacked (and deserve to get hacked) and the server be misused. In Germany you can get really trouble if _your_ server is used as a spam sending machine. [1]

Some points to consider:
* SSH not on default port
* long and secure passwrds
* SSH better use keyfile instead of password
* Disallow root to login, only by regular user and su
* Maybe allow ssh only via VPN

[1] http://serverzeit.de/tutorials/admins-haften

[majoron]

[frostschutz]

[1clue]

Speaking about ports, I'd say for sure go above 5000, and preferably above 10,000. I'd do that for every remote terminal connection, and/or a VPN.

It does nothing with respect to a serious attempt, but most of the generic port scanning of non-named sites happens port 1-5000, because that's where the common standard services are. The higher you go, the less likely that somebody will "accidentally" stumble on your port.

+1 on no root login by remote, and +1 on requiring a key for ssh.

With regards to Java, Oracle (and Sun before them) have a pretty bad track record for security problems. That said, I'd recommend using the oracle version above others. It seems that the Open Source community strongly dislikes Java and most don't take it seriously. I'm skeptical about their devotion to security fixes in that regard. As well, Oracle is the reference standard, so it's likely to be more universally compatible with apps.

[szatox]

I would not change standard ports becouse standards were introduced to make things easier to manage, remember, use, etc. And it's a really poor design in terms of security as it's security by obscurity, and rather poor one. If someone can get your user's private key and root password changing port is not going to stop him. If he can't, changing port makes no difference anyway.
So:
* Disable login on root (at least password login)
* prefferably disable user login with password as well - but this might be hard to do in real life case. Well, at least it's reasonable as long as people know at least abit about passwords. Show them some easy way to get unbreakable password (4-5 words is a good password, first letters from 10 word-long sentence will do fine too). Oh, and if you make passwords expire, you may be sure they will either chose weak passwords or write them down.
* fail2ban
* block on firewall everything except ports you actually WANT to be visible from outside world. Policy drop, then whitelist ssh, vpn, http/https and you're probably done.
* separating weird stuff with virtual machines might be a good idea. Qemu allows you run several such machines with network interfaces bridged together with phisical NIC, so every single virtual server would have it's own IP (and MAC)

filesystem: ext is nice, well tested etc, but IMO lacks checksums which potentialy puts you at risk of silent data corruption. This is something that needs some more digging into before saing whether or not it is an issue enough. Yes, sure, disks are supposed to keep their content, but you know, shit happens. Question is "how often" and "what a downside would be"
I do use ext myself, however with server I'd expect more storage.

[1clue]

I've never really understood the reasoning behind that.

Yes, if all you're doing is changing ports then it's really a terrible security measure. But obscuring an outward facing port through which the public is not invited certainly can't hurt anything provided the other measures are taken as well.

EVERY ssh server I've ever had exposed on the standard port for any length of time has had brute force attacks. None of the high-numbered ports I've used have had them. While disabling root login and demanding a key definitely will make a huge difference, it also helps if the bad guys don't know the thing is there in the first place.

Whether or not the brute force attacks can be successful is important, but given the choice I'd rather not pay for the bandwidth being used by some joker trying to break in.

So, just to put things into perspective, let's say a strong password policy is worth a dollar, and requiring a key is worth a dollar fifty in security terms. The nonstandard port might only be worth a nickel, but 2.55 is more than 2.50, and it's one line of the file you're editing anyway. It takes an extra 20 seconds to change it.

[Anon-E-moose]

If possible with things like ssh it would be better to simply block out IP addresses that you know won't be used.

If one is in the US, does one really expect to access their machine from Russia, Saudi Arabia, Mexico, Europe, etc.

For me, I keep it open for local machines, but closed to outside access.
And when I have traveled then I try and find out what provider they have where I'm traveling and only open those IP range(s)
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

[schorsch_76]

[NeddySeagoon]

rkhunter and chkrootkit may find rootkits - your only option then is to reinstall.

Have a look at tripwire - you need to store the signatures on another system.
Hardend is good - it makes attackers find an easier box to break into, which is really the object of security.

Any suffciently determinded attacker will find a way in.

Security is in layers.
Stopping them getting in.
Limiting the damage when they get in
Stoppimg them phoning home once they are in.

Hardened, with more than the default partions, allows things to be mounted with -o ro,nodev,noexec ... and so on ... not all on the same partition.
e.g. /home and /tmp can both be -o noexec,nodev
There are other useful no options
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[majoron]

Thank you very much for the interesting discussion and suggestions.
Now, I'm digesting and deciding.

Best regards
_________________
Computers are like air conditioners, they stop working properly if you open Windows

[majoron]

Thank you, schorsch_76, for the reply.