As the title says. Got a server with 1 TB worth of space. I currently have a FreeNAS server running at home and I’d like to back up some of the important stuff to this new server. Before I do that I want to make sure the server is completely secure before I start putting personal stuff on it.
I’ve successfully set up rsync to use SSH in FreeNAS to dump data onto the server. When generating the key for the FreeNAS user I set the passphrase as empty, which I’m guessing is not a big deal since the key won’t be moving anywhere.
I’ve disabled root. I thought about setting up authentication keys instead of using passwords to log in but I’m scared that if I lose the key I’ll be fucked. Is it a big deal if I don’t do this?
Should I also set up fail2ban or am I just being paranoid?
Is there anything else I need to do and make sure is set before I start transferring stuff?
There’s not much you can do to a cloud server. If one of your virtual neighbours gets breached and manages to escape isolation (unlikely, but that has happened), your data is also compromised regardless of your setup. …Unless you rented a dedicated personal physical server, but I’m assuming you’re not.
What you can do is use keys instead of passwords like you said… blacklisting IP services ain’t really needed at that point anymore. Good practice is to just encrypt your files before uploading.
All other security measures are the service provider’s job.
It is a dedicated server, so I’m guessing there’s nothing else I can do?
I’ve closed all ports apart from 22 so it’s literally closed off from everything now.
Should I install rootkit/log scanners as well?
Have you installed fail2ban? It’s not a bad option for your system if you’re concerned about intrusion attempts.
I’m trying to set it up now. It’s not banning my IP address when I’m testing it out or sending me an email. Email works though, because it sends me an email when I reload the service.
Sounds pretty solid. You could further restrict the SSH process itself with SELinux (or AppArmor, but I have no clue how that works), but that might be over the top.
Yeah, I’m typically happy with fail2ban, disallowing root login and enforcing SSH keys.
@Baz That sounds interesting. Might as well look into it and see what it does.
@SgtAwesomesauce Seems to be working now. Keep getting emails now since China wants a piece of my server. I heard that the Chinese bots hammer on your server but damn this is a lot of attempts, didn’t realise the full extent of it. I can see why you disable root user since most of them use root to try to log in.
I think I’ll set up a rootkit and log scanner just in case since the server will hold personal data like pictures.
As long as it’s got a public IP, yes
A good thing to do would be to encrypt the data before running rsync, for example using encfs in --reverse mode.
That way if your server is breached your data is a lot less compromised.
I’m not familiar with Kimsufi, but a VPN tunnel is a good idea if the traffic is only between your home and the VPS. Then you can just drop any public traffic and not worry about it.
@risk I’ll have to look into that. From the quick Google I’ve done I don’t know how to implement that with FreeNAS yet.
@oO.o I’ve got OpenVPN on my home router so I can access my data directly. The server is literally just for backup, so if I do need access I can just use SSH.
I would personally still set up a site-to-site tunnel if your bandwidth allows it, but SSH will totally work if you’re more comfortable with that.
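The counting behind the fail2ban bans discussed earlier in the thread, as an added example that is not code from any poster or from fail2ban itself: it flags an address once it reaches a threshold of failed SSH passwords inside a sliding time window, and tallies which usernames were tried. The parameter names borrow fail2ban's `maxretry` and `findtime` options; the threshold values, the hostname `backup`, the assumed year and the log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# sshd auth-log line for a rejected password (OpenSSH wording).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def scan(lines, maxretry=5, findtime=timedelta(minutes=10), year=2024):
    """Return (banned_ips, user_counts): IPs with >= maxretry failures inside
    any findtime window, and how often each username was tried."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned, users = [], Counter()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        users[m["user"]] += 1
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than the window
        if len(window) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned, users

# Constructed sample log (documentation-range addresses):
# a slow guesser (one try every 4 minutes), a fast burst against root,
# and one legitimate key-based login.
SAMPLE = (
    [f"Jan 10 03:{m:02d}:00 backup sshd[812]: Failed password for invalid user "
     f"admin from 198.51.100.7 port 40100 ssh2" for m in range(0, 20, 4)]
    + [f"Jan 10 03:20:{s:02d} backup sshd[811]: Failed password for root "
       f"from 203.0.113.5 port 40022 ssh2" for s in range(0, 50, 10)]
    + ["Jan 10 03:30:00 backup sshd[813]: Accepted publickey for backup "
       "from 192.0.2.10 port 50514 ssh2"]
)

if __name__ == "__main__":
    banned, users = scan(SAMPLE)
    print("would ban:", banned)
    print("usernames tried:", dict(users))
```

The slow guesser makes as many attempts as the burst but never has five inside one ten-minute window, so a rate-based ban alone does not stop it; key-only authentication does.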