Setting up a new server, heard the cool kids talk about “server hardening,” but didn’t know what that meant?
Server hardening involves configuring the operating system and any running applications such that unauthorized access to your computers and network is more difficult.
Network setup
- Make sure your router has up-to-date firmware. Your manufacturer may have stopped supporting it, but it may run open source firmware (like OpenWRT, Tomato, or Merlin). If your router needs replacing, consider something like IPFire, which is open-source router software that runs on pretty much any computer with 2 ethernet ports.
- Make sure your router has UPnP disabled, and don’t expose ports.
- If possible, only expose your systems via a VPN, like Tailscale. In other words, don’t simply port-forward your PhotoStructure port to your public IP address: see this post for more details.
Server setup on a Synology device
Synology has a “security advisor” that you should run, configure, and follow.
Server setup on Linux
First and foremost, back up any important files you have on your server.
Assuming your Linux server is running Ubuntu, look into installing the following packages:
unattended-upgrades
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
This will apply security updates to your server periodically and automatically, but keep in mind that you’ll still need to manually reboot your server to apply kernel updates.
lynis
sudo apt-get install lynis
sudo lynis audit system
Running this will list a series of steps that you’ll need to do, including ssh hardening. Be sure to disable root logins, change your ssh port, and disable non-key-based authentication. Make sure you understand the impacts of any changes you make before you make them, so you don’t find that you’ve locked yourself out of your own server!
Re-run the audit (sudo lynis audit system) afterwards to verify that you’ve made things better.
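As an added example (not from the original post), here is a small POSIX shell check for the three sshd_config settings mentioned above. It reads a config file the way sshd does for the global section (first value per keyword wins, Match blocks are skipped) and reports which of the three are still at a weak value; the sample configs it audits are constructed inline, and the function names are mine, not lynis’s.

```shell
#!/bin/sh
# Added example, not from the original post: audits an sshd_config file for the
# three settings the post names. Simplification: only the global section is read
# (sshd uses the FIRST value it sees per keyword; Match blocks are ignored here).

# ssh_setting FILE KEYWORD: print the effective global value of KEYWORD, or
# nothing if the file leaves it at sshd's built-in default.
ssh_setting() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/   { next }            # comments and blank lines
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$1"
}

# sshd_hardening_check FILE: one verdict per setting; exit status is the number
# of settings still at a weak value, so 0 means all three are hardened.
sshd_hardening_check() {
    conf=$1; fails=0
    root=$(ssh_setting "$conf" PermitRootLogin)
    [ -n "$root" ] || root=prohibit-password   # sshd default since OpenSSH 7.0
    if [ "$root" = no ]; then echo "PermitRootLogin $root: ok"
    else echo "PermitRootLogin $root: WEAK (root can still log in)"; fails=$((fails + 1)); fi
    port=$(ssh_setting "$conf" Port)
    [ -n "$port" ] || port=22
    if [ "$port" != 22 ]; then echo "Port $port: ok"
    else echo "Port $port: WEAK (still the default port)"; fails=$((fails + 1)); fi
    pw=$(ssh_setting "$conf" PasswordAuthentication)
    [ -n "$pw" ] || pw=yes                         # sshd default
    if [ "$pw" = no ]; then echo "PasswordAuthentication $pw: ok"
    else echo "PasswordAuthentication $pw: WEAK (passwords can be guessed)"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample configs (not from any real server), written to temp files.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# stock file: everything commented out, so sshd's defaults apply
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
cat >"$HARD_CONF" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
sshd_hardening_check "$HARD_CONF"
sshd_hardening_check "$WEAK_CONF" || echo "$? of 3 settings still need attention"
```

Point it at /etc/ssh/sshd_config to check your own server; remember that sshd only picks up the file after a restart, and keep an existing session open until you have confirmed you can still log in.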
Misc intrusion deflection and detection
sudo apt-get install fail2ban rkhunter debsums
sudo rkhunter --check
sudo debsums -s
fail2ban temporarily bans addresses that repeatedly fail to log in, rkhunter scans for known rootkits, and debsums verifies that installed package files still match their packaged checksums.
Got backups?
Seriously. Have backups. At least one copy must be offline. Ideally one or more copies are in different physical places.
Have more time?
There are several good tutorials out there: just make sure you have a system backup first, and understand the impact of whatever command you’re running.
- How to secure a Linux server (long and detailed!)
- Essential Security for Linux Servers (quite short, replicates much of this post)
Got any other suggestions?
Excellent: please leave a comment!