gofoss.net

We make https://gofoss.net.

The ultimate, free and open source guide to online privacy, data ownership and durable tech.

  • 1 Post
  • 20 Comments
Joined 3 years ago
Cake day: October 8th, 2021

  • Below are a couple of ideas, some building on what has already been stated. It’s all detailed here:

    Feedback really welcomed, as there’s always something to be learned in server security :)

    General hardening:

    • set up a firewall (ufw)
    • make sure your system time is correct (ntp)
    • enable unattended upgrades
    • limit privileged access (sudo)
    • hide process information (/proc)
    • enforce strict password policy (pam, login.defs)
    • enforce stricter permissions (umask)
    • close all unused ports (check with nmap)
    • install a malware scanner (lmd)
    • install an antivirus (clamav)
    • disable core dumps
    • disable unused kernel modules
    • add legal banner

    SSH:

    • change the port
    • limit the number of login attempts
    • limit access to admin users
    • enable access logs
    • forbid remote access to root
    • use auth keys instead of password auth
    • disconnect after inactivity period
    • remove short encryption keys

    MySQL (if applicable):

    • run a hardening script
    • disable remote access
    • prevent unauthorised access to local files
    • create separate users with limited privileges for each app

    Apache (if applicable):

    • enable security modules
    • hide http headers
    • set up modsecurity, a web app firewall

    PHP (if applicable):

    • hide php version in headers
    • disable remote code execution
    • disable potentially harmful functions
    • limit script runtime & memory allocation

    Network security (sysctl):

    • ip spoofing protection
    • ignore icmp broadcasts & redirects
    • disable source packet routing
    • block syn attacks
    • log martians
    • ignore pings

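The SSH and sysctl items above are the ones most often applied by editing a config file and then never verified. The script below is an added example, not gofoss.net's own material or tooling: it audits saved copies of an sshd_config and a sysctl.conf against those bullet points. It runs entirely on constructed sample files (a "before" and an "after" for each) and assumes a POSIX shell with awk; the file names and the hypothetical `admin` account are made up for the demo. Two parsing details matter in practice and are built in: sshd keeps the first value it reads for a keyword (so a hardening line appended to the end of the distro file is ignored), whereas sysctl applies lines in order and the last one wins.

```shell
#!/bin/sh
# Added example (not from gofoss.net): audit SSH and sysctl hardening settings
# against copies of the config files, using constructed sample input only.

# Effective value of an sshd_config keyword. sshd uses the FIRST value it sees
# and keywords are case-insensitive. Lines after a "Match" block only apply to
# matching connections, so parsing stops there.
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    { k = tolower($1); if (k == "match") exit; if (k == key) { print $2; exit } }
  ' "$1"
}

# Effective value of a sysctl key: the LAST assignment wins ("k = v" or "k=v").
sysctl_value() {
  awk -F= -v key="$2" '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    { k = $1; gsub(/[[:space:]]/, "", k)
      if (k == key) { v = $2; gsub(/[[:space:]]/, "", v) } }
    END { if (v != "") print v }
  ' "$1"
}

# One PASS/FAIL line per SSH check; returns 1 if anything failed.
# Fallback values are OpenSSH's defaults when the keyword is absent.
audit_sshd() {
  f=$1; rc=0
  v=$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z'); : "${v:=prohibit-password}"
  [ "$v" = no ] && echo "PASS PermitRootLogin=$v" || { echo "FAIL PermitRootLogin=$v (want no)"; rc=1; }
  v=$(sshd_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z'); : "${v:=yes}"
  [ "$v" = no ] && echo "PASS PasswordAuthentication=$v" || { echo "FAIL PasswordAuthentication=$v (want no, use keys)"; rc=1; }
  v=$(sshd_value "$f" MaxAuthTries); : "${v:=6}"
  [ "$v" -le 3 ] && echo "PASS MaxAuthTries=$v" || { echo "FAIL MaxAuthTries=$v (want <=3)"; rc=1; }
  v=$(sshd_value "$f" ClientAliveInterval); : "${v:=0}"
  [ "$v" -gt 0 ] && echo "PASS ClientAliveInterval=$v" || { echo "FAIL ClientAliveInterval=$v (want >0 to drop idle sessions)"; rc=1; }
  v=$(sshd_value "$f" AllowUsers)
  [ -n "$v" ] && echo "PASS AllowUsers=$v" || { echo "FAIL AllowUsers unset (restrict to admin accounts)"; rc=1; }
  v=$(sshd_value "$f" Port); : "${v:=22}"
  # A non-default port cuts log noise, not attack surface, so it is informational.
  [ "$v" != 22 ] && echo "PASS Port=$v" || echo "INFO Port=22"
  return $rc
}

# One PASS/FAIL line per sysctl key from the network-security list; returns 1 on
# failure. Only the IPv4 "all" keys are checked; a full audit also covers the
# "default" keys and their IPv6 equivalents.
audit_sysctl() {
  f=$1; rc=0
  for pair in net.ipv4.conf.all.rp_filter=1 net.ipv4.icmp_echo_ignore_broadcasts=1 \
              net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.all.accept_source_route=0 net.ipv4.tcp_syncookies=1 \
              net.ipv4.conf.all.log_martians=1 net.ipv4.icmp_echo_ignore_all=1; do
    key=${pair%=*}; want=${pair#*=}; got=$(sysctl_value "$f" "$key")
    if [ "$got" = "$want" ]; then echo "PASS $key=$got"
    else echo "FAIL $key=${got:-unset} (want $want)"; rc=1; fi
  done
  return $rc
}

# Constructed sample files (hypothetical content) written into directory $1.
write_samples() {
  d=$1
  cat >"$d/sshd.weak" <<'EOF'
# distro default with a hardening line appended at the end; sshd ignores it
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
  cat >"$d/sshd.hard" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
AllowUsers admin
Match User git
  PasswordAuthentication yes
EOF
  cat >"$d/sysctl.weak" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0
EOF
  cat >"$d/sysctl.hard" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_all = 1
# unlike sshd_config, the last line wins, so this override takes effect
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_redirects=0
EOF
}

main() {
  d=$(mktemp -d); write_samples "$d"
  for name in sshd.weak sshd.hard; do echo "== $name"; audit_sshd "$d/$name" || true; done
  for name in sysctl.weak sysctl.hard; do echo "== $name"; audit_sysctl "$d/$name" || true; done
  rm -rf "$d"
}
main
```

To use it on a real host, copy /etc/ssh/sshd_config and the merged output of /etc/sysctl.conf plus /etc/sysctl.d/*.conf somewhere readable and point `audit_sshd` and `audit_sysctl` at those copies; `sshd -T` and `sysctl -a` give the kernel's and daemon's own view of the effective values if the two disagree with the file.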
  • Thanks for the post & feel free to elaborate. While we can’t please all, we are always open to constructive feedback. To be fair:

    a) we’re a bunch of FOSS idealists. So no affiliate links, sponsorships, crypto-shadiness or any other bullshit on our website

    b) we make it pretty clear none of those services is the panacea. We’re still convinced they’re better than Big Tech/GAFAM

    c) we mention caveats/criticism where deemed necessary, e.g. Mozilla’s conflict of interest, Signal’s privacy flaws, etc.

    d) we always mention a couple of alternatives, so that readers can pick & choose according to their needs

  • gofoss.net to Open Source: The real MVP (16 upvotes · 2 years ago)

    Fun story: originally, this whole construction cone thing was a student joke. VLC was developed at a French university, which was under construction when the software was created. The students - possibly cheered up by a few drinks - had fun with some construction cones and ended up choosing one as their emblem.


  • You’re right. We’ve pondered this for quite some time, and if you check older commits you’ll even see that we included Conversations at some point. We really like XMPP (and are also a bit nostalgic). In the end, however, we decided to favour messengers which provide encryption out of the box, irrespective of which client is used, and to give XMPP an “honorable mention”. If there is enough interest, or if people contribute, we can still cover the topic in future releases.