
How to setup your linux server
Basic tips about your home/office linux server

Published in: Engineering


  1. How to setup your Linux Server. Marian HackMan Marinov <mm@siteground.com>, Chief System Architect, SiteGround
  2. Who am I? ❖ Chief System Architect of Siteground.com ❖ Sysadmin since 1996 ❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :) ❖ Teaching Network Security and Linux System Administration at Sofia University
  3-6. You DO NEED a home server ❖ Storage - pics, docs, music and movies ❖ If you are a network nerd, maybe for a router and a good firewall ❖ For load-balancing and failover of multiple ISPs ❖ For hosting your home projects ❖ For home automation and statistics
  7. What distribution? ❖ Storage - FreeNAS (based on FreeBSD) - OpenMediaVault (based on Debian Linux) - Rockstor (based on CentOS) - Amahi (based on Fedora) ❖ Filesystems: ZFS, BtrFS, Ext4
  8. What distribution? ❖ Router - FreeBSD - Debian Stable - CentOS - Ubuntu LTS. Note: run the Linuxes with kernels newer than 4.5
  9. What distribution? ❖ General purpose - Debian Stable - CentOS - Ubuntu LTS. Note: run the Linuxes with kernels newer than 4.5
  10-12. Hardware ❖ Mini ITX box ❖ Desktop case ❖ Rack-mountable
  13. Storage ❖ HW RAID controller ❖ SW RAID ❖ LVM mirror ❖ ZFS/BtrFS ❖ SATA vs. SSD vs. NVMe: 100MB/s vs. 540MB/s vs. 2200MB/s. Note: if you are using SSDs, switch your I/O scheduler to none
  14. Partitioning ❖ Separate HW RAID devices ❖ Separate SW RAID devices ❖ All disks are Physical Volumes (LVM)
  15. Partitioning ❖ Single partition for boot - usually around 300-400MB ❖ Separate partition for the OS - around 100-150GB ❖ One partition for important stuff ❖ One partition for everything else
  16-17. Encryption (LUKS vs. eCryptfs) ❖ Should you encrypt all disks? ❖ Should you encrypt only some partitions? ❖ Should you encrypt only certain dirs? ❖ How to remotely input your passwords when the server is rebooted? - put SSHD with your key in the initrd
  18. Disable services ❖ Default installations always have a lot of installed and running services ❖ Remove everything that you are not going to use immediately ❖ Disable the services that you don't need on boot
  19. Software ❖ Remove all software that will not be used initially on this machine ❖ It is strange for a server to have Bluetooth or WiFi ❖ Reducing the software reduces the attack surface of the machine ❖ Upgrade to the latest possible kernel
  20. Software ❖ If the distribution allows, enable auto update for security updates ONLY ❖ Add all additional repositories that I will generally need (EPEL/PPA type repos)
  21. Logs & logrotate ❖ Configure logs for debugging your services ❖ Configure logrotate for all logs ❖ This ensures that you will not fill up your drives with logs
  22. Security ❖ If you have a big machine, try to separate services in different VMs/containers ❖ Follow the security guidelines for any service that you are running on the machine
  23. Network ❖ Firewall the machine from the Internet ❖ Allow only traffic to local services that you trust ❖ Allow incoming traffic that was requested (related connections) ❖ Allow outgoing traffic only to services that you have configured (this way you protect the Internet from yourself)
  24. Network ❖ Disable forwarding if the machine will not be a router ❖ If it is a router: allow forwarding only to/from your own network; add MAC filters per client (so you will know which machine is abusing your network); install network monitoring software like ipaudit and arpwatch
  25. SSH ❖ Disable password authentication ❖ Disable PAM ❖ Disable Kerberos ❖ Disable GSSAPI ❖ Allow only the SSH 2.0 protocol ❖ Use only large RSA keys, 4096 bits and higher ❖ Use privilege separation
  26. Secure configurations ❖ When the service allows, always chroot the service ❖ By default many service configs are world readable; fix that ❖ Remove all kernel modules that you are not going to use. YES, DELETE THEM. Someone may try to abuse the kernel module autoloader to load them - DCCP for example
  27. User setup ❖ If you need to secure additional users on the machine, I suggest you use eCryptfs on top of what you already have ❖ Verify the permissions of the running apps ❖ Use ssh-agents
  28. Kernel setup ❖ crashkernel=256M ❖ panic=5 ❖ hardlockup_panic=1 ❖ panic_on_oops=1 ❖ panic_on_unrecovered_nmi=1 ❖ unknown_nmi_panic=1 ❖ nmi_watchdog=panic,1 ❖ consoleblank=0
  29. THANK YOU. Marian HackMan Marinov <mm@siteground.com>
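
The two Network slides (23 and 24) turned into a firewall policy for the non-router case: default DROP, loopback and established/related traffic allowed, inbound only to listed local services from the trusted LAN, outbound only to the services the server is configured to use, forwarding off. This is an added example, not code from the talk or from SiteGround; it assumes iptables with the conntrack match, and the LAN range, inbound ports and outbound services are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the slides): iptables policy for a home server
# that is NOT a router. IPv6 needs the same treatment with ip6tables.
# Run with IPT=echo SYSCTL=echo to preview the rules without applying them.

IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# Constructed example values; adjust to your own network and services.
LAN_NET="192.168.1.0/24"              # trusted clients
INBOUND_TCP="22 445"                  # SSH and Samba, reachable from the LAN only
OUTBOUND="udp:53 tcp:443 udp:123"     # DNS, HTTPS (updates), NTP

apply_policy() {
    $SYSCTL -w net.ipv4.ip_forward=0  # not a router: never forward
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Traffic we asked for, plus related flows such as ICMP errors.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    # New connections to local services, only from the trusted network.
    for port in $INBOUND_TCP; do
        $IPT -A INPUT -p tcp -s "$LAN_NET" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # New outbound connections only to what this server is configured to use.
    for rule in $OUTBOUND; do
        proto=${rule%%:*}
        port=${rule#*:}
        $IPT -A OUTPUT -p "$proto" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what gets dropped so a misbehaving program shows up in syslog.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
}

if [ "${1:-}" = apply ]; then
    apply_policy
fi
```

`sh firewall.sh apply` loads the rules as root; `IPT=echo SYSCTL=echo sh firewall.sh apply` only prints them.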
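
The SSH slide (25) as a checklist you can run against a config file before restarting sshd. This is an added example of mine, not from the talk or from SiteGround; it assumes a POSIX shell with awk, treats an unset UsePAM as "yes" because distribution packages ship it that way, and uses RequiredRSASize (OpenSSH 9.1 and later) to enforce the 4096-bit minimum.

```shell
#!/bin/sh
# Added example (not part of the slides): audit an sshd_config against the
# settings on the SSH slide. Prints one line per failing setting and returns
# the number of failures. Only the global section is read: sshd honours the
# first occurrence of a keyword, and everything after a Match line is skipped.

# Effective value of keyword $2 in config file $1 (empty when not set).
ssh_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$1"
}

# $1 config, $2 keyword, $3 required value, $4 value sshd assumes when unset.
check_opt() {
    val=$(ssh_opt "$1" "$2")
    [ -n "$val" ] || val=$4
    if [ "$val" != "$3" ]; then
        echo "FAIL: $2 is '$val', expected '$3'"
        return 1
    fi
}

audit_sshd_config() {
    fails=0
    check_opt "$1" PasswordAuthentication no yes || fails=$((fails + 1))
    # Distro packages ship UsePAM yes, so an unset keyword is treated as yes.
    check_opt "$1" UsePAM no yes                 || fails=$((fails + 1))
    check_opt "$1" KerberosAuthentication no no  || fails=$((fails + 1))
    check_opt "$1" GSSAPIAuthentication no no    || fails=$((fails + 1))
    check_opt "$1" PubkeyAuthentication yes yes  || fails=$((fails + 1))
    # Current OpenSSH only speaks protocol 2; this fails only if a config still lists 1.
    check_opt "$1" Protocol 2 2                  || fails=$((fails + 1))
    # Privilege separation is always on in current OpenSSH; only an explicit "no" fails.
    val=$(ssh_opt "$1" UsePrivilegeSeparation)
    if [ "$val" = no ]; then
        echo "FAIL: UsePrivilegeSeparation is 'no'"
        fails=$((fails + 1))
    fi
    # Minimum RSA key size (RequiredRSASize, OpenSSH 9.1+, default 1024).
    check_opt "$1" RequiredRSASize 4096 1024     || fails=$((fails + 1))
    return "$fails"
}

if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
    exit $?
fi
```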
