this post was submitted on 29 Aug 2024
65 points (98.5% liked)

Selfhosted

39208 readers
272 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi all,

I found a hobby in trying to secure my Linux server, maybe even beyond reasonable means.

Currently, my system is heavily locked down with user permissions. Every file has a group owner, and every server application has its own user. Each user will only have access to files it is explicitly added to.

My server is only accessible from LAN or VPN (though I've been interested in hosting publicly accessible stuff). I have TLS certs for most everything they can use it (albeit they're self signed certs, which some people don't like), and ssh is only via ssh keys that are passphrase protected.

What are some suggestions for things I can do to further improve my security? It doesn't have to be super useful, as this is also fun for me.

Some things in mind:

  • 2 factor auth for SSH (and maybe all shell sessions if I can)
  • look into firejail, nsjail, etc.
  • look into access control lists
  • network namespace and vlan to prevent server applications from accessing the internal network when they don't need to
  • considering containerization, but so far, I find it not worth foregoing the benefits I get of a single package manager for the entire server

Other questions:

  • Is there a way for me to be "notified" if shell access of any form is gained by someone? Or somehow block all shell access that is not 2FA'd?
  • my system currently secures files on the device. But all applications can see all process PIDs. Do I need to protect against this?

threat model

  • attacker gains shell access
  • attacker influences server application to perform unauthorized actions
  • not in my threat model: physical access
you are viewing a single comment's thread
view the rest of the comments
[–] epyon22 6 points 2 weeks ago (2 children)

I would reconsider docker because if a specific application leaks some sort of shell access or system file access you'll be protected out side of container host escalation.

Unrelated to security, I prefer docker because it leaves the server very clean if you remove different apps. Can also save time configuring more complex applications or applications that conflict with system libraries.

Add fail2ban on your list of applications it watches logs for invalid logins and puts them on firewall block rules after so many failed attempts.

[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago)

Docker performs some syscall filtering as well which may reduce the kernel attack surface. It can be pain to set up services this way, but it could help frustrate an attacker moving laterally in the system.

Processes in the container cannot see external processes for example as I think interested the OP.

[–] [email protected] 2 points 2 weeks ago (2 children)

I really wish there was a system wide package manager for docker containers, which would update software in all your containers at once similar to how a typical package manager would.

I did not completely rule out docker, but I wonder if I can obtain most of its benefits without this major con with package management. I mean I know it's possible, since its mostly kernel features, but it would be difficult to simulate and the tooling is probably lacking (maybe nsjail can get me closer).

[–] [email protected] 2 points 2 weeks ago (1 children)

You can have a look at systemd-nspawn and machinectl actually. Sounds like exactly what you're looking for :)

[–] [email protected] 1 points 2 weeks ago (2 children)

I am really interested in systemd-nspawn. Unfortunately I have openRC now (I liked it's simplicity) so can't try out systemd yet.

Is machinectl tied to systemd also?

[–] [email protected] 1 points 2 weeks ago

Yes machinectl is the interface for nspawn

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago)

You could give bubblewrap a try instead. It is quite similar to systemd-nspawn.