Best Practices for Server Security | PlexGuide.com

Best Practices for Server Security

  • Stop using Chrome! Download the Brave Browser via >>> [Brave.com]
    It's a forked version of Chrome with native ad-blockers and Google's spyware stripped out! Download for Mac, Windows, Android, and Linux!
Welcome to the PlexGuide.com
Serving the Community since 2016!
Register Now

urgodfather

Citizen
Original poster
Nov 15, 2019
10
16
Would it be beneficial if I were to take a little time to share some Best Practices on keeping your servers secure?

If so, I will write up some basic principles to discuss

* general practices for server procurement
* recommended practices for traffic encryption
* recommended practices to prevent hacks / cracks / etc
* recommended practices to assist in avoiding DDoS attacks
* and much more
 
  • Like
  • Love
Reactions: 3 users

MP-JT

Citizen+
Staff
Donor
Apr 21, 2020
26
17
I think it would! Write away and maybe it can be added to the wiki
 
  • Love
  • Like
Reactions: 1 users

DeadPool

Elite
Staff
May 2, 2018
213
74
there is (or at least WAS) in the old wiki.
there is still a bit under the title 'server preparation' but not as much as there should be.
Write away!
talk about sudo users, relinquishing access for root etc etc.


dP
 
  • Like
Reactions: 1 user

FiveO

Citizen+
Raffle Winner
Apr 6, 2020
20
21
@urgodfather, here is some info I had in another post regarding a person finding a miner on their server. Maybe helpful or useful for you for the server security info page. (y)

Implementing best practices after you rebuild your server is how you prevent it from happening again. I am assuming your server was externally hosted. If you think of your server as a house or building any application that is publicly accessible on your externally hosted server can be considered a possible doorway or attack vector someone can potentially take advantage of to gain access to the server.

1.You want to use a strong ssh password, the best being some sort of randomly generated password using a password manager.

2.You want to make sure that Fail2ban is installed on the server.

3.You want to make sure that you keep the OS up to date by running apt update on the server regularly. I would recommend not any longer than once a month to keep your server protected against out of date packages that may contain vulnerabilities.

4.You want to make sure that you are using PortGuard to limit access to the server for only ports in use by applications.

5.You want to make sure that you are using Watchguard to keep your Docker containers up to date.

6.If you are using 3rd party admin tools, such as webmin you want to check for updates on a regular basis.

If you follow these guidelines it will help protect your server from being compromised.
 
  • Like
Reactions: 3 users

xressa

Citizen
Jun 20, 2020
6
0
I heard that ssl certificate also can help to protect your website from hackers. I am the owner of ssls.com which works good. The Comodo name is a sign of trust and security in the marketplace.
 

Edrock200

MVP
Staff
Nov 17, 2019
543
195
Some ideas for connsideration in your writeup. Theres a sticky on one of the forums about enabling 2fa for ssh as well. I added a post to tips and ideas about leaving only the plexguide network and removing the bridge network and all mapped ports from all containers except traefik if you use 443/ssl for all your access needs. For some reason hetzner ubuntu comes with rpc listener turned on, so kill that too.
 

doob

Administrator
Project Manager
Jun 7, 2020
851
448
I heard that ssl certificate also can help to protect your website from hackers. I am the owner of ssls.com which works good. The Comodo name is a sign of trust and security in the marketplace.
First

Server and domain are different

Server security have nothing to do with domain security .

That's Fakt.

Don't install to many bullshit, keep it simple

Read the post before and you will find 99% of the security guide line.

Fail2ban can do so many for the user.

2fa for ssh is also good to use or simple use key protection,

Don't allow unside the ssh-config root login
Chroot login for a seperate user they only can login , the use sudo su ( for root-level access for any installs or updates or what you want )

Bind port 22 over SSH-ServerRecord ( Cloudflare.com ) to one domain and ReBind it over DNS-Rebind

Well done have fun ( that's for user with higher experience)

Don't do this when you Linux experience is only plexguide install and click click installs ;)
 

PonsterManda

Experienced
Staff
Apr 26, 2019
72
43
Yeah...they are gonna have their indexer keys scraped quickly.
Even worse. Some settings exposes plex token or even gmail credentials.
Not the mention command execution on the webapps to gain access to the OS.

In my opinion, this should also be a best practise.
Dont believe programs or configs that tell you your ports are closed and the server is 'safe'.
Test this yourself using shodan, nmap etc,
 
Last edited:

Recommend NewsGroups

      Up To a 58% Discount!

Trending