this post was submitted on 19 Oct 2023
2 points (100.0% liked)

Self-Hosted Main

515 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

I am back with another published article.

Ideogram.ai: penguin in a server room covered in ice and snow, whole picture made out of green matrix style lines of code, cinematic

Please be kind! I am a self-taught Linux user and by no means an expert. My goal with this guide is to help newcomers to Linux have an easier and more secure start.

To all the experts out there, please be kind and do share your tips and observations. I am happy to keep updating the article to make the self-hosting world more secure.

https://nerdyarticles.com/debian-server-essentials-setup-configure-and-hardening-your-system/

you are viewing a single comment's thread
view the rest of the comments
[–] Daniel15@alien.top 1 points 1 year ago (2 children)

Nice work!

Some small pieces of feedback:

  • You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and sudo will be installed automatically
  • If you really want to control which users can SSH in, it's recommended to create a group and use AllowGroups, rather than allowing individual users via AllowUsers. Note that once you disable PasswordAuthentication, the only users that can SSH in are users that have keys in authorized_keys, so you don't really need to use AllowUsers or AllowGroups.
  • Disabling IPv6 is unnecessary. If you don't want to use it, then just... don't use it? You should ideally always have IPv6 enabled for connections to the internet though. It's generally faster due to better routing (see Google's latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
  • You may want to consider CrowdSec instead of fail2ban. It's more efficient and they have a shared list of known bad IPs that you can use.
[–] sexyshingle@alien.top 1 points 1 year ago

You may want to consider CrowdSec instead of fail2ban. It's more efficient and they have a shared list of known bad IPs that you can use.

interesting, I'll have to check out Crowdsec

[–] shishlikcharif@alien.top 1 points 1 year ago (1 children)

Hi Daniel15. Is it recommended to disable the root user for a server during installation as you suggested? Are there never any tasks which must (or should) be executed as root for server setup or maintenance? I just built my first (Debian) server, so quite new to it all. Thanks.

[–] DrH0rrible@alien.top 1 points 1 year ago (1 children)

You can do almost everything with sudo. Some thing are easier when done as the root user (such as setting cron jobs that need root permissions), but it should never be a necessity.

If you really do need root user, you can still enable root temporarily and disable it again.

[–] Daniel15@alien.top 1 points 1 year ago

Anything that you absolutely must do as root can be done using sudo -i which will give you a root shell.