Before You Start
Identify Your Principles
Before you start you will want to identify what your Principles are. What is your threat model? Some things to think about:
- Why do you want to secure your server?
- How much security do you want or not want?
- How much convenience are you willing to compromise for security and vice-versa?
- What are the threats you want to protect against? What are the specifics to your situation? For example:
- Is physical access to your server/network a possible attack vector?
- Will you be opening ports on your router so you can access your server from outside your home?
- Will you be hosting a file share on your server that will be mounted on a desktop class machine? What is the possibility of the desktop machine getting infected and, in turn, infecting the server?
- Do you have a means of recovering if your security implementation locks you out of your own server? For example, you disabled root login or password protected GRUB.
These are just a few things to think about. Before you start securing your server you will want to understand what you’re trying to protect against and why so you know what you need to do.
Picking A Linux Distribution
This guide is intended to be distribution agnostic so users can use any distribution they want. With that said, there are a few things to keep in mind:
You want a distribution that…
- …is stable. Unless you like debugging issues at 2 AM, you don’t want an unattended upgrade, or a manual package/system update, to render your server inoperable. But this also means you’re okay with not running the latest, greatest, bleeding edge software.
- …stays up-to-date with security patches. You can secure everything on your server, but if the core OS or applications you’re running have known vulnerabilities, you’ll never be safe.
- …you’re familiar with. If you don’t know Linux, I would advise you play around with one before you try to secure it. You should be comfortable with it and know your way around, like how to install software, where configuration files are, etc…
- …is well supported. Even the most seasoned admin needs help every now and then. Having a place to go for help will save your sanity.
Installing Linux is out-of-scope for this guide because each distribution does it differently and the installation instructions are usually well documented. If you need help, start with your distribution’s documentation. Regardless of the distribution, the high-level process usually goes like so:
- download the ISO
- burn/copy/transfer it to your install medium (e.g. a CD or USB stick)
- boot your server from your install medium
- follow the prompts to install
Where applicable, use the expert install option so you have tighter control of what is running on your server. Only install what you absolutely need. I, personally, do not install anything other than SSH. Also, tick the Disk Encryption option.
Pre/Post Installation Requirements
- If you’re opening ports on your router so you can access your server from the outside, disable the port forwarding until your system is up and secured.
- Unless you’re doing everything physically connected to your server, you’ll need remote access so be sure SSH works.
- Keep your system up-to-date (i.e.
sudo apt update && sudo apt upgradeon Debian based systems).
- Make sure you perform any tasks specific to your setup like:
- Configuring network
- Configuring mount points in
- Creating the initial user accounts
- Installing core software you’ll want like
- Your server will need to be able to send e-mails so you can get important security alerts. If you’re not setting up a mail server check Gmail and Exim4 As MTA With Implicit TLS.
- I would also recommend you go through the CIS Benchmarks before you start with this guide.
Other Important Notes
- This guide is being written and tested on Debian. Most things below should work on other distributions. If you find something that does not, please contact me. The main thing that separates each distribution will be its package management system. Since I use Debian, I will provide the appropriate
aptcommands that should work on all Debian based distributions.
- File paths and settings also may differ slightly – check with your distribution’s documentation if you have issues.
- Read the whole guide before you start. Your use-case and/or principals may call for not doing something or for changing the order.
- Do not blindly copy-and-paste without understanding what you’re pasting. Some commands will need to be modified for your needs before they’ll work – usernames for example.