New server check list?

  • 7
    Ssh settings, kernel hardening, user permissions

    Luckily Ansible can automate that :)
  • 5
    Haven't wrapped my head Around ansible got any resources I could use?
  • 9
    One of the biggest things to do is SSH. Either use SSH keys or limit the connection to only your home IP.

    The first one is recommended as you may need to access your server from other locations.

    Next user permissions.

    If you are running a service on it then limit the service only to the folder it will work in. Anything outside should be forbidden.

    Oh yeah setup a firewall and deny all incoming packets except the ones you use.
  • 2

    sysctl settings / limits should be mentioned in addition to the other stuff

    OH. And don't forget SystemD... You need to set everything there if your distro uses it.
  • 2
    Or serverless 😉
  • 2
    @dan-pud That works, but knowing how to set up a server is a must for most developers. Also, it's expensive and sometimes very limiting. But it has its use cases
  • 1
    @dan-pud but that isn't as much fun :(
  • 1
    @nitehound I've learned it through trial and error, perhaps this one helps:

    And then go to the heading 'Create and Run Your First Network Ansible Playbook'
  • 8
    Also setup fail2ban for SSH
  • 1
    molly-guard, don't want to end up rebooting the server instead of your local machine
  • 0
    Also help yourself and setup a minimal system with all the common things you need and appropriate hardening, make a template of it somehow, reuse that for new systems.
    You can even do this when working with ansible, just leave the things out you want ansible to handle, but there are still things you'll have to do on that systems, like enabling ssh and adding your ansible public key, you're hopefully using. You could go further and bootstrap bare metal too automagically too, but that'll need other tools
  • 0
    Change ssh port
  • 0
    @PaszaVonPomiot That is just security through obfuscation and mostly useless, as a simple port scan reveals your ssh service in seconds. :/
  • 1
    Agree it's a good thing to know. However 99% of the time it's unnecessary. In my experience it's also cheaper. Taking into account total cost of ownership, not just compute time is something most people don't include when saying it's more expensive.
  • 0
    @dan-pud What do you mean with costs of ownership? Maintenance?
  • 1
    Most expensive thing is usually people's time. Would you rather a 100k engineer look after a bunch of servers or be building new features into your products to increase your products value?
    When you're Facebook, Netflix, etc. it makes sense to employ teams of people to do that. But for most companies it's far better business value to employ developers and use a serverless architecture.
    Most people only look at 'per request' and don't factor in the cost (engineers time) to look after servers. That's total cost of ownership
  • 0
    @dan-pud Sure, that makes sense. Though want to be doing PDF conversion with Open Office, how would you do that? Of course there are cases when "server less" is useful and possible cheaper than maintaining plain old servers, but let's say that a small company wants to hire a developer/engineer/fullstack. That person better know how to configure a server.
  • 0
    There is a REST API that will do that for you:
    That's the point of serverless! There is no business value in writing that code yourself. Use a service. (Unless pdf conversion is your business)
    It's like agile. Do the things that provide business value.
  • 1
    @dan-pud It might not be wise to use an service like that for sensible data....
Add Comment