Old 07-14-2016, 01:09 PM   #1
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Rep: Reputation: Disabled
Is 14.2 default installation (and configuration) safe enough for web server?


Hi,

Something like simple yes or no would suffice

Soon enough I'll migrate to online.net
For the moment I only need ssh and http servers and I don't have the possibility and time to tweak the system.

The bare minimum I want to do is:
- leave only the required services (as found in /etc/rc.d)
- leave only ports 22 and 80 open

root login over ssh is going to stay enabled (key based only).
fail2ban will come one day.

Is there anything I should change in Apache configuration or can I leave it as is?

Please just let me know the basic answer. Once I have the possibility, I'll take more serious steps. For the moment I need it quickly up and running.

Thanks in advance!

--
Best regards,
Andrzej Telszewski
 
Old 07-14-2016, 07:59 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,346
Blog Entries: 28

Rep: Reputation: 6145
Yes, so long as you run a properly configured firewall.

When I self-hosted my website, which I did for about five years, I did so on Slackware. It was rock-solid.
 
Old 07-15-2016, 02:35 AM   #3
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Original Poster
Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by frankbell View Post
Yes, so long as you run a properly configured firewall.

When I self-hosted my website, which I did for about five years, I did so on Slackware. It was rock-solid.
Thanks.

Firewall I'm planning to use is as follows (if you have any comments, please do, but it's not strictly the subject of this thread):
Code:
  $IPT -F
  $IPT -X
  $IPT -t nat -F
  $IPT -t nat -X
  $IPT -t mangle -F
  $IPT -t mangle -X

  $IPT -P INPUT   DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT  ACCEPT

  ## Loopback.
  $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

  ## PING.
  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 2 -j ACCEPT

  ## SSH.
  $IPT -A INPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT

  ## HTTP.
  $IPT -A INPUT -m state --state NEW -p tcp --dport http -j ACCEPT

  ## Incoming connections: established and related (this rule at the end to prevent DoS).
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

IPv6 is going to be disabled at kernel level with ipv6.disable=1.

--
Best regards,
Andrzej Telszewski
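
Once rules like the ones in the post above are loaded, an `iptables-save` dump can be audited against the stated goal of leaving only ports 22 and 80 open. The script below is an added example, not part of the original post: `ALLOWED_PORTS`, `audit_input_chain` and `sample_dump` are hypothetical names, and the dump is constructed from the post's rules plus two drift rules so the audit has something to report.

```sh
#!/bin/sh
# Added example: ALLOWED_PORTS, audit_input_chain and sample_dump are names made
# up here, and the dump is constructed (the post's rules plus two drift rules).
ALLOWED_PORTS="22 80"

# Read `iptables-save` text on stdin, print one finding per line, return non-zero
# if the filter INPUT chain is not "default DROP, ACCEPT only on allowed ports".
audit_input_chain() {
    awk -v allowed="$ALLOWED_PORTS" '
        function flag(msg) { print msg; bad = 1 }
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^\*/ { table = substr($0, 2) }   # nat and mangle carry their own INPUT chain
        table != "filter" { next }
        /^:INPUT / { seen = 1; if ($2 != "DROP") flag("policy: INPUT default is " $2) }
        /^-A INPUT / && / -j ACCEPT/ {
            ports = ""
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            if (ports == "") {   # port-less ACCEPT: fine only for lo, ICMP, return traffic
                if (!(/ -i lo / || / -p icmp / || (/ESTABLISHED/ && !/NEW/))) flag("broad-accept: " $0)
                next
            }
            m = split(ports, p, ",")
            for (i = 1; i <= m; i++) if (!(p[i] in ok)) flag("open-port: " p[i])
        }
        END { if (!seen) flag("policy: no filter INPUT chain in dump"); exit bad + 0 }
    '
}

sample_dump() { cat <<'EOF'
*nat
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

sample_dump | audit_input_chain || true
```

On a live host the same function takes `iptables-save | audit_input_chain`, which makes it usable from cron to catch rules added by hand and forgotten.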
 
Old 07-15-2016, 04:34 AM   #4
franzen
Member
 
Registered: Nov 2012
Distribution: slackware
Posts: 535

Rep: Reputation: 379
Quote:
Is there anything I should change in Apache configuration or can I leave it as is?
If you have more than one Domain/Documentroot you'll have to configure NameBasedVirtualHosts.
Even if you have no time, I would consider an lxc container for various reasons for the webserver.

Franzen
 
Old 07-15-2016, 04:45 AM   #5
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Original Poster
Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by franzen View Post
Even if you have no time, I would consider an lxc container for various reasons for the webserver.
But wouldn't it take time to learn lxc?
I'm just going to serve small static content. If the Apache config is good enough, I'd prefer to run Apache natively.
It'll be single IP / single domain, nothing fancy for now.

I can even run HTTP Server with Python if it's safer choice.

--
Best regards,
Andrzej Telszewski
 
Old 07-15-2016, 05:02 AM   #6
franzen
Member
 
Registered: Nov 2012
Distribution: slackware
Posts: 535

Rep: Reputation: 379
Quote:
Originally Posted by atelszewski View Post
But wouldn't it take time to learn lxc?
If you've never used it, yes.

For your setup, a smaller virtual server would also do it at lower costs.
I can't imagine that the python-http-server is safer, run apache.
 
Old 07-15-2016, 05:06 AM   #7
slalik
Member
 
Registered: Nov 2014
Location: Moscow
Distribution: Slackware
Posts: 233

Rep: Reputation: 203
I'm not sure that fail2ban is useful, at least it is useless against constant attacks on 22nd port (because they come from botnets, not fixed sources. At least this is so for hetzner, don't know about online.net). I move ssh on port 26 to have clean logs. Also, don't forget to configure sendmail to send root's mail to you.
 
1 members found this post helpful.
Old 07-15-2016, 05:10 AM   #8
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Original Poster
Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by franzen View Post
For your setup, a smaller virtual server would also do it at lower costs.
I'm migrating from pseudo VPS exactly because the costs were comparable.

And it's investment for the future times, when I'll be utilizing the server for more tasks.
And it has to be running my natural environment, namely Slackware OS

So, based on what you said, I'm going to stick with Apache.

Thanks.

--
Best regards,
Andrzej Telszewski
 
Old 07-15-2016, 05:16 AM   #9
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Original Poster
Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by slalik View Post
I'm not sure that fail2ban is useful, at least it is useless against constant attacks on 22nd port (because they come from botnets, not fixed sources. At least this is so for hetzner, don't know about online.net). I move ssh on port 26 to have clean logs.
But if botnet fails, say 3 times, you can block it. Unless they run single attack per IP per long period.

Quote:
Originally Posted by slalik View Post
Also, don't forget to configure sendmail to send root's mail to you.
For the moment http + ssh and nothing more, exactly because I don't have time to configure stuff properly.

--
Best regards,
Andrzej Telszewski
 
Old 07-15-2016, 05:32 AM   #10
slalik
Member
 
Registered: Nov 2014
Location: Moscow
Distribution: Slackware
Posts: 233

Rep: Reputation: 203
Quote:
Originally Posted by atelszewski View Post
But if botnet fails, say 3 times, you can block it.
Unless they run single attack per IP per long period.
2-3 attempts from 1 ip with long intervals, indistinguishable from normal use.
Quote:
Originally Posted by atelszewski
For the moment http + ssh and nothing more, exactly because I don't have time to configure stuff properly.
For example, a hard drive dies and mdadm (if you have a raid) sends mail to root. You have to get it. I do the following trivial configuration:
http://alik.ejik.org/Sendmail_as_a_s...y_local_server
This is far from a real smtp server, but if you whitelist this address on your accepting email server it should work. For security, I block 25 port in the firewall (already blocked in your config) and in /etc/hosts.deny.
 
Old 07-15-2016, 06:26 AM   #11
kazzan
LQ Newbie
 
Registered: Oct 2010
Distribution: Gentoo Linux, Slackware ARM
Posts: 27

Rep: Reputation: 41
I don't believe any distribution is ready for production without ample hardening.
If you aim to only serve static content (as in no PHP or friends) I would suggest looking at the following additions for your Apache configuration:

X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
Content Security Policy
ServerTokens Prod
ServerSignature Off
TraceEnable Off

You can test your implementation at https://securityheaders.io/

I would also recommend installing a WAF (web application firewall) like ModSecurity.
It takes some effort to configure, but it can be immensely powerful against attackers.

As for your firewall, it's a bit simplistic.
Maybe you should consider UFW (Uncomplicated Firewall) as it doesn't require detailed knowledge of iptables and is easy to configure to your needs.

Always be paranoid, examine your logs, and remember that you have a responsibility to protect your visitors to the best of your ability.
Oh, and have fun ;-)
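
A local counterpart to the online header test mentioned in the post above, as an added example that is not part of the original post: it checks a response for the four headers listed there and for a `Server` banner that shows more than `ServerTokens Prod` would leave. `REQUIRED_HEADERS`, `check_response_headers` and `sample_response` are hypothetical names and the sample response is constructed; `ServerSignature` and `TraceEnable` do not show up in response headers and are not covered.

```sh
#!/bin/sh
# Added example: REQUIRED_HEADERS, check_response_headers and sample_response are
# names made up here; the response below is constructed, not captured from a host.
REQUIRED_HEADERS="X-XSS-Protection X-Frame-Options X-Content-Type-Options Content-Security-Policy"

# Read raw response headers on stdin (e.g. from `curl -sI`), print one finding per
# line, return non-zero if a listed header is absent or the Server header shows
# more than the bare product name that `ServerTokens Prod` leaves.
check_response_headers() {
    awk -v required="$REQUIRED_HEADERS" '
        function flag(msg) { print msg; bad = 1 }
        { sub(/\r$/, "") }                      # header lines end in CRLF
        /^[A-Za-z0-9-]+:/ {                     # names are case-insensitive
            colon = index($0, ":")
            value = substr($0, colon + 1); sub(/^[ \t]+/, "", value)
            seen[tolower(substr($0, 1, colon - 1))] = value
        }
        END {
            n = split(required, r, " ")
            for (i = 1; i <= n; i++)
                if (!(tolower(r[i]) in seen)) flag("missing: " r[i])
            if (("server" in seen) && seen["server"] ~ "[/(0-9]")
                flag("server-banner: " seen["server"])
            nosniff = "x-content-type-options"
            if ((nosniff in seen) && tolower(seen[nosniff]) != "nosniff")
                flag("bad-value: X-Content-Type-Options: " seen[nosniff])
            exit bad + 0
        }
    '
}

sample_response() { cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 15 Jul 2016 10:00:00 GMT
Server: Apache/2.4.99 (Unix)
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
EOF
}

sample_response | check_response_headers || true
```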
 
Old 07-15-2016, 06:41 AM   #12
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Original Poster
Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by kazzan View Post
As for your firewall, it's a bit simplistic.
It is, but do I really need something more?
Can you give me an example of what could be wrong from the point of view of security?

As a side note, I'm going to be the only user of the system.
It might change later on, but for the moment, I'm commanding

--
Best regards,
Andrzej Telszewski
 
Old 07-15-2016, 08:26 AM   #13
AlvaroG
Member
 
Registered: Jul 2009
Location: Canelones, Uruguay
Distribution: Slackware
Posts: 147

Rep: Reputation: 43
I know it doesn't answer the question, but if you are not doing this just for learning, and your website is 100% static, you might be better served by AWS.
Put your content in an S3 bucket and serve it from there (+ a CDN to reduce S3 costs if needed).
For static websites there is nothing easier, and there are no servers to configure. You wrote a few times that you don't have the time to be a proper sysadmin, so it is better to not have a server to admin

If you are still going for the server option, I would suggest in general that you subscribe to the official communication channels (mail lists in general) for each project whose software you are using (i.e. stay around here for the OS things, subscribe to Apache mail list, etc)
Also I believe you should reconsider the root login thing, and disable password login completely.


Good luck
 
Old 07-15-2016, 05:06 PM   #14
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,670

Rep: Reputation: 1786
or probably use github to serve your pages
 
Old 07-15-2016, 05:12 PM   #15
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Original Poster
Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by atelszewski View Post
And it's investment for the future times, when I'll be utilizing the server for more tasks.
--
Best regards,
Andrzej Telszewski
 
  

