Hardening NethServer on a VPS

NethServer Version: 7.9.2009

Hi,

I’ve been trying to read up on Fail2ban, Threat Shield, Suricata.
But, as they say, I can’t see the wood for the trees.
What is applicable/best practice for a NethServer with Nextcloud (calendar, contacts, file sharing), Matrix and Jitsi?
The 2 main users will mostly work from 2 different locations, but sometimes are elsewhere. But Matrix/Jitsi will be used to communicate with clients as well.

Any advice on this is highly appreciated.

Groeten,
René

  • Check services to only open the ones really needed to red
  • Fail2ban is very important; Threat Shield and Suricata are more suited for an internal LAN and maybe too much for a VPS, especially Suricata, which needs much RAM
  • Nextcloud provides security apps AFAIK and some hardening docs.
  • As regards Matrix check out their latest advisories in the changelog.

3 Likes

Also increase your space and keep a frequent backup policy. This is most helpful in an eventual aftermath, in case you can pinpoint when a bad dude broke into your installation. This will ease a lot of the configuration work, leaving “only” the missing data to restore manually thereafter.

3 Likes

Yes, in my notes I put a reminder to ask about that. I set up the network using the wiki.
I know I read somewhere to disable all services that are not needed (but can’t find it anymore) and I don’t know what services I can safely disable. In my VM the following services are active:

Name             Access
chronyd          green
dnsmasq          green
httpd            green red
httpd-admin      green red
jitsi(custom)    green red
sshd             green red
synapse(custom)  red green

Are these all needed?

I’ll make sure to use Fail2ban! And put the other two on my list of things to maybe test out sometimes in the future :grinning:

Ah, some more reading to do :nerd_face:

Will do :+1:

Thanks!

1 Like

Yes! Thank you!

Backup is high on the list of must haves. And I already read about the necessity to have a recent backup of the configuration :nerd_face:

I also posted a question about backup options a week ago. Have you got any ideas about that?

A habit of mine is not to permit root login on SSH at all.

Rather a user (can be a user from the account provider) with sudo rights.
And only log in with an SSH key, with the (local) private key password-protected/encrypted.

Maybe a bit overcautious. :crazy_face:

1 Like
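
A check for the SSH settings described in the post above (no root login, key-only authentication), added here as an example and not part of the original thread. The function names and the sample configuration are constructed for illustration; the audit reads only the global section of the file and treats an unset PermitRootLogin or PasswordAuthentication as a failure.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.

# sshd_effective FILE KEYWORD DEFAULT: print the value sshd would use.
# sshd keeps the FIRST occurrence of a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional (skipped here).
sshd_effective() {
    awk -F '[ \t=]+' -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }                 # drop leading indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }        # end of the global section
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_check FILE KEYWORD WANTED DEFAULT: report one setting, 0 when it matches.
sshd_check() {
    got=$(sshd_effective "$1" "$2" "$4")
    if [ "$got" = "$3" ]; then echo "ok   $2 = $got"; return 0; fi
    echo "FAIL $2 = $got (want $3)"; return 1
}

# sshd_audit FILE: returns 0 only when all three settings match.
# "unset" as default means the keyword must be set explicitly in the file.
sshd_audit() {
    rc=0
    sshd_check "$1" PermitRootLogin no unset || rc=1
    sshd_check "$1" PasswordAuthentication no unset || rc=1
    sshd_check "$1" PubkeyAuthentication yes yes || rc=1
    return $rc
}

# Constructed sample: the stricter second line is dead, the first one wins.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'Match User backup' \
    '    PasswordAuthentication yes' > "$sample"
sshd_audit "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a running server, `sshd -T` prints the effective configuration after all includes and defaults are resolved, which is the authoritative view; this file-level check is useful before a reload.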

I reach my VPS over SSH port forwarding, so I don’t need to open httpd-admin (old server manager) to red or allow access to Cockpit (new server manager) from WAN in the system settings.

1 Like