{"id":19818945,"url":"https://github.com/kmotoko/server-guideline","last_synced_at":"2026-05-18T06:04:18.649Z","repository":{"id":163451019,"uuid":"184742822","full_name":"kmotoko/server-guideline","owner":"kmotoko","description":"To-Do's and best practices for Linux web/database server","archived":false,"fork":false,"pushed_at":"2020-03-16T19:16:35.000Z","size":92,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-28T20:02:28.607Z","etag":null,"topics":["debian","guidelines","hardening","mysql","security","ubuntu"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kmotoko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-03T11:16:17.000Z","updated_at":"2024-12-21T14:55:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"427fddf7-1276-44f9-b6a0-652f7958dd05","html_url":"https://github.com/kmotoko/server-guideline","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kmotoko/server-guideline","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kmotoko%2Fserver-guideline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kmotoko%2Fserver-guideline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kmotoko%2Fserver-guideline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kmotoko%2Fserver-guideline/manif
ests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kmotoko","download_url":"https://codeload.github.com/kmotoko/server-guideline/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kmotoko%2Fserver-guideline/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262470461,"owners_count":23316501,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","guidelines","hardening","mysql","security","ubuntu"],"created_at":"2024-11-12T10:17:22.367Z","updated_at":"2025-09-19T17:49:24.875Z","avatar_url":"https://github.com/kmotoko.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"Follow this order when configuring a server:\n1. Do everything in `intro/` folder.\n2. Do everything in `networking/` folder.\n3. Do everything in `os/` folder.\n4. Do `ssh` in `services/` folder.\n5. 
Do appropriate service in `services/` folder.\n\n## Work in Progress\n+ In SSH daemon config: `AllowStreamLocalForwarding no  # it does not exist in the man page`.\n+ SSH: 2FA implementation.\n+ IP spoofing protection: check nsswitch config (could not find corresponding key at this time).\n+ Sysctl config: Fine tune the mentioned variables.\n+ DMARC: Check how to implement a DMARC record.\n+ Updates: Unattended upgrades for security patches (or should it be unattended?).\n+ iptables: Rate limiting and Cloudflare dilemma, since they do not forward client IPs.\n+ iptables: Only allow HTTP/HTTPS connections from Cloudflare.\n+ iptables: Limit logging, martians.\n+ Nginx and Gunicorn setup and config.\n+ Logwatch and Tiger, Lynis etc. or any other HIDS.\n+ Zabbix: Subdomain, SSL, Let's Encrypt docs.\n+ Zabbix: Zabbix agent in the client machine.\n+ Zabbix: Apache security.\n+ Zabbix: Check https://www.zabbix.com/documentation/4.0/manual/installation/requirements/best_practices\n+ Check IDSs: Lynis, ossec, tiger, tripwire, aide, snort.\n+ Check InputTCPServerStreamDriverPermittedPeer options for rsyslog server and ActionSendStreamDriverPermittedPeer option in rsyslog client.\n+ Replace wazuh with ossec.\n+ OpenVPN 2-factor auth.\n+ Postfix and logwatch mail sending config.\n+ Password expiration config to be added to the password quality.\n+ For the password quality section: Not clear if it is needed to set `/etc/security/pwquality.conf`.\n+ Add references.\n\n## Determine and disable running services\nCheck network services: `sudo ss -atpu`. 
Check system services and daemons: `sudo systemctl list-units --all`\n\n## Useful Commands\n```shell\nhostname -A  # display all FQDN\nhostname -I  # display all network addresses of the host\nnetstat -i  # show network interfaces\ngrep -rHin \"string to be searched\" /where/to/search  # search all text files for a string\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkmotoko%2Fserver-guideline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkmotoko%2Fserver-guideline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkmotoko%2Fserver-guideline/lists"}