{"id":24449143,"url":"https://github.com/codeniko/server-security","last_synced_at":"2026-04-24T18:06:16.905Z","repository":{"id":186105817,"uuid":"664857017","full_name":"codeniko/server-security","owner":"codeniko","description":null,"archived":false,"fork":false,"pushed_at":"2023-07-10T23:05:27.000Z","size":3,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-12-29T21:26:34.576Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codeniko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-07-10T23:04:08.000Z","updated_at":"2023-07-10T23:05:32.000Z","dependencies_parsed_at":null,"dependency_job_id":"51ad0f7c-1ed5-44be-aa17-8741b1e7d579","html_url":"https://github.com/codeniko/server-security","commit_stats":null,"previous_names":["codeniko/server-security"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/codeniko/server-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeniko%2Fserver-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeniko%2Fserver-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeniko%2Fserver-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeniko%2Fserver-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codeniko","download_url":"https://codeload.github.com/codeniko/server-security/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codeniko%2Fserver-security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32234786,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-21T00:37:20.222Z","updated_at":"2026-04-24T18:06:11.890Z","avatar_url":"https://github.com/codeniko.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Server setup scripts\n\n### Setup a unix server\nFollow these steps to setup a unix server and the projects. The script here specifically is for Debian linux distro with SystemD but can work for any linux distro with slight modifications. Dont add private github ssh keys into the server and access any repos directly. If the server ever gets compromised, you risk the attacker gaining access to the repos on github and possibly deleting them.\n\nGit clone repo into user's home directory and then run the setup command.\n\n```shell\nsudo ./setup/debian-node-server-setup.sh\n```\n\nThis will install update all latest packages for debian, download a `sshd_config` file to use later after you add the the public keys for password-less SSH.\n\n### Setup SSH with SSL identity keys (passwordless SSH)\nYou'll need a pair of public and private RSA keys on your computer. If you don't have any, you can generate a pair by running a terminal on your Mac or Unix computer and running `ssh-keygen -t rsa -b 4096 -C EMAIL` replacing EMAIL with your email address. If you have keys already, or after generating a pair, copy the entire contents of the public key and paste it into `/home/debian/.ssh/authorized_keys`. If there are multiple keys, put them each on on their own line.\n\nIf you don't have the `authorized_keys` or the `.ssh` directory, create it and change the permission to 600 for the file, and 700 for the directory.\n```shell\nmkdir -p ~/.ssh\ntouch ~/.ssh/authorized_keys\nchmod 700 ~/.ssh\nchmod 600 ~/.ssh/authorized_keys\n```\n\n#### Test that SSH with the keys work\nRestart the sshd service by running `sudo systemctl restart ssh`\n\nNext you want to test that you can SSH into the server with your private key. From your macbook, run `ssh -i PRIVATE_KEY_FILE debian@IP` replacing PRIVATE_KEY_FILE with the location of your private RSA key, and IP with the server's IP. If all is well, continue to next section to disable passwords with SSH.\n\n#### Finish setup and disable SSHing with passwords\nPasswords are insecure and there are bots scouring the internet for open port 22s to try to break in. They use dictionary attacks with random usernames to try to guess the passwords and this is just non-stop. Disable SSH login with passwords and you won't have any problems.\n\nThe included debian-node-server-setup.sh script should have downloaded a `sshd_config` file. Simply move it into the right spot and restart to apply the new config. We'll also make a backup of the original just in case. The config is one [I made myself and reuse for my own projects](https://gist.githubusercontent.com/codeniko/0337f460f6c25e977ca3308f668d6d21/raw/sshd_config)\n```shell\nsudo cp sshd_config{,.backup}\nsudo mv sshd_config /etc/ssh/sshd_config\nsudo systemctl restart ssh\n```\n\nWhile staying signed in with your current SSH session incase anything goes wrong, you want to open a new terminal on your computer and attempt to ssh in again. If all is well, you're done. If not, bring back the backup and restart the service again.\n\n### Firewall rules (iptables)\nWhen the setup script is run, the firewall rules and service files are moved to `/root/` directory to use by the system. The script enables a service to then apply these firewall rules on every boot. \n\nAs of time of writing, the firewall rules block all incoming traffic except for SSH (port 22), HTTP (port 80), HTTPS (port 443), and several SMTP protocols to allow pinging the servers.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeniko%2Fserver-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodeniko%2Fserver-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodeniko%2Fserver-security/lists"}