HACKER Q&A
📣 dschuessler

How do you secure your home server?


I am getting into self-hosting and it seems it takes an awful lot of work to secure your general-purpose Linux distribution.[0] I am surprised that the default seems to be to do all of this by hand.

How do you deploy a secure Linux home server? Are there distros that are pre-configured for this purpose? Do you use any Ansible playbooks (or other scripts)? Or do you indeed implement all security measures manually?

[0]: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server


  👤 serf Accepted Answer ✓
I do it manually, and I triple-check it manually.

Once I realized that it's a few hours' work for a server that's going to be online for years then the work doesn't seem so bad.

If I was making a routine out of setting up these kinds of things all the time I'd consider some kind of scripted install, but that's not what I've found myself having to do.


👤 simonblack
90% of it is organising which ports you want to open on your router and which machine you will forward those ports to. Then you match those ports by allowing those same ports to be open on the server machine.

I have a Raspberry Pi which is dedicated to two jobs only: as a web server and as a UPS controller. My main machine covers ftp and ssh. The router forwards the relevant ports to the relevant server.

There are surprisingly few ports that need to be open between your network and the outside world: ssh, ftp, http, https is pretty much it. Every other port is blocked. This is mine:

    # ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    80                         ALLOW       Anywhere                  
    443                        ALLOW       Anywhere                  
    22                         ALLOW       Anywhere                  
    21                         ALLOW       Anywhere                  
    Anywhere                   ALLOW       202.14.146.0/24           
    3389                       ALLOW       Anywhere                  
    80 (v6)                    ALLOW       Anywhere (v6)             
    443 (v6)                   ALLOW       Anywhere (v6)             
    22 (v6)                    ALLOW       Anywhere (v6)             
    21 (v6)                    ALLOW       Anywhere (v6)             
    3389 (v6)                  ALLOW       Anywhere (v6)             
    


When you organise the ufw firewall on the server, don't forget to allow both IP version 4 addresses and IP version 6 addresses.

Make a note of what you've done, or bookmark the website URLs of the 'Howto Websites' if you use one of those.

You can use a site-checker to see what your firewall is doing: http://ports.my-addr.com/check-all-open-ports-online.php
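An added example, not part of any post above: a small Python audit that parses `ufw status` output and compares the world-open ports against the ports the router forwards, and also flags ports allowed for only one IP version. The sample output, the forwarded-port set and the function names are constructed for illustration; it assumes router forwarding is IPv4 only.

```python
import re

# Constructed sample in the `ufw status` format shown in the post above.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
8080                       ALLOW       Anywhere
Anywhere                   ALLOW       192.0.2.0/24
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
"""

def parse_world_open(status_text):
    """Return {"v4": ports, "v6": ports} for inbound ALLOW rules open to Anywhere."""
    open_ports = {"v4": set(), "v6": set()}
    for line in status_text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 3 or cols[1] not in ("ALLOW", "ALLOW IN"):
            continue  # status line, column headers, or a non-ALLOW rule
        to, _, src = cols
        family = "v6" if to.endswith("(v6)") else "v4"
        port = to.replace(" (v6)", "").split("/")[0]  # "22/tcp" -> "22"
        # Rules limited to a source subnet, port ranges and app names are skipped.
        if src.replace(" (v6)", "") == "Anywhere" and port.isdigit():
            open_ports[family].add(int(port))
    return open_ports

def audit(status_text, forwarded):
    """Compare world-open ufw ports with the ports the router forwards to this host."""
    ports = parse_world_open(status_text)
    return {
        "open_but_not_forwarded": sorted((ports["v4"] | ports["v6"]) - forwarded),
        "forwarded_but_blocked": sorted(forwarded - ports["v4"]),
        "missing_v6_rule": sorted(ports["v4"] - ports["v6"]),
        "missing_v4_rule": sorted(ports["v6"] - ports["v4"]),
    }

if __name__ == "__main__":
    # Assumed router configuration: these ports are forwarded to this machine.
    for finding, found in audit(SAMPLE_STATUS, {21, 22, 80, 443}).items():
        print(f"{finding}: {found}")
```

To run it against a live host, pass the text captured from `ufw status` and your own forwarded-port set to `audit()`.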