Best Practices for Server Security



Original poster
Nov 15, 2019
Would it be beneficial if I were to take a little time to share some Best Practices on keeping your servers secure?

If so, I will write up some basic principles to discuss:

* general practices for server procurement
* recommended practices for traffic encryption
* recommended practices to prevent hacks / cracks / etc
* recommended practices to assist in avoiding DDoS attacks
* and much more


Apr 21, 2020
I think it would! Write away and maybe it can be added to the wiki


May 2, 2018
There is (or at least WAS) in the old wiki.
There is still a bit under the title 'server preparation' but not as much as there should be.
Write away!
Talk about sudo users, relinquishing access for root, etc. etc.



Raffle Winner
Apr 6, 2020
@urgodfather, here is some info I had in another post regarding a person finding a miner on their server. Maybe helpful or useful for you for the server security info page. (y)

Implementing best practices after you rebuild your server is how you prevent it from happening again. I am assuming your server was externally hosted. If you think of your server as a house or building, any application that is publicly accessible on your externally hosted server can be considered a possible doorway or attack vector someone can potentially take advantage of to gain access to the server.

1. You want to use a strong ssh password, the best being some sort of randomly generated password using a password manager.

2. You want to make sure that Fail2ban is installed on the server.

3. You want to make sure that you keep the OS up to date by running apt update on the server regularly. I would recommend not any longer than once a month to keep your server protected against out of date packages that may contain vulnerabilities.

4. You want to make sure that you are using PortGuard to limit access to the server for only ports in use by applications.

5. You want to make sure that you are using Watchguard to keep your Docker containers up to date.

6. If you are using 3rd party admin tools, such as webmin, you want to check for updates on a regular basis.

If you follow these guidelines it will help protect your server from being compromised.


Jun 20, 2020
I heard that an SSL certificate can also help to protect your website from hackers. I am the owner of which works well. The Comodo name is a sign of trust and security in the marketplace.


Nov 17, 2019
Some ideas for consideration in your writeup. There's a sticky on one of the forums about enabling 2FA for SSH as well. I added a post to tips and ideas about leaving only the plexguide network and removing the bridge network and all mapped ports from all containers except traefik if you use 443/SSL for all your access needs. For some reason Hetzner Ubuntu comes with the RPC listener turned on, so kill that too.


Project Manager
Jun 7, 2020
I heard that an SSL certificate can also help to protect your website from hackers. I am the owner of which works well. The Comodo name is a sign of trust and security in the marketplace.

Server and domain are different.

Server security has nothing to do with domain security.

That's a fact.

Don't install too much bullshit, keep it simple.

Read the post before and you will find 99% of the security guideline.

Fail2ban can do so much for the user.

2FA for SSH is also good to use, or simply use key protection.

Don't allow root login inside the ssh-config.
Chroot login for a separate user who can only log in, then use sudo su (for root-level access for any installs or updates or what you want).

Bind port 22 over SSH-ServerRecord ( ) to one domain and ReBind it over DNS-Rebind

Well done, have fun (that's for users with higher experience).

Don't do this when your Linux experience is only plexguide install and click click installs ;)


Apr 26, 2019
Yeah...they are gonna have their indexer keys scraped quickly.
Even worse. Some settings expose the plex token or even gmail credentials.
Not to mention command execution on the webapps to gain access to the OS.

In my opinion, this should also be a best practise.
Don't believe programs or configs that tell you your ports are closed and the server is 'safe'.
Test this yourself using Shodan, nmap, etc.
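
Added example, not written by anyone in this thread: a host-side counterpart to the outside scan recommended above. It parses `ss -H -tuln` output and reports every listener reachable from beyond loopback that is not on an allowlist. The allowlist (SSH on 22, traefik on 443) and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import subprocess
import sys

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:8989       0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      4096               *:443              *:*
tcp   LISTEN 0      4096            [::]:32400         [::]:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
"""

# Assumption: only SSH and the reverse proxy on 443 are meant to be public.
ALLOWED = {("tcp", 22), ("tcp", 443)}

def parse_listeners(ss_output):
    """Yield (proto, host, port) for each socket line of `ss -H -tuln`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")    # IPv6 hosts contain ':'
        host = host.strip("[]").split("%")[0]        # drop brackets and %iface
        if port.isdigit():
            yield fields[0], host, int(port)

def is_local_only(host):
    """True when the socket is bound to a loopback address only."""
    if host == "*":                                  # wildcard: all interfaces
        return False
    return ipaddress.ip_address(host).is_loopback

def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Return sorted (proto, port, host) for exposed, non-allowlisted sockets."""
    return sorted({(proto, port, host)
                   for proto, host, port in parse_listeners(ss_output)
                   if not is_local_only(host) and (proto, port) not in allowed})

if __name__ == "__main__":
    text = SAMPLE_SS if "--sample" in sys.argv else subprocess.run(
        ["ss", "-H", "-tuln"], capture_output=True, text=True, check=True).stdout
    for proto, port, host in unexpected_listeners(text):
        print(f"unexpected {proto} listener on {host}:{port}")
```

On the sample this reports the rpcbind port 111 (TCP and UDP) and the service on 32400. A listening socket can still be blocked by a firewall, so compare the result with a scan run from outside the server.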
