| Post AxgsIm5pYhlW064VRw by [email protected] | |
| Post #AxfROIb9F0gcLCAb8i by [email protected] | |
| 1 likes, 1 repeats | |
| I have to rebuild a server again and so I've got a buncha heterodox hot tak… | |
| Post #AxgqxFYTEuP53AdkZ6 by [email protected] | |
| 0 likes, 0 repeats | |
| More hits than I was expecting! Ok, here we go. 1. Don't install sudo. Inste… | |
| Post #AxgqxFgyjHD1TYcXpI by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol how would you do something like tracking per-user connections and actions? | |
| Post #AxgqxFnMLYJTnLbdlw by [email protected] | |
| 0 likes, 0 repeats | |
| @raito I haven't needed those myself since 1999. If I did, the first thing… | |
| Post #AxgqxHR6FHhCstCtM0 by [email protected] | |
| 0 likes, 0 repeats | |
| 2. Closely related to 1: If you can swing it such that root is the _only_ accou… | |
| Post #AxgqxHuWTtEQM8yODQ by [email protected] | |
| 0 likes, 0 repeats | |
| 3. A really good reason to separate /usr and /home is that you can then mount /… | |
| Post #AxgqxITGOj1M5tE8Mi by [email protected] | |
| 0 likes, 0 repeats | |
| 4. Turn off memory overcommit. | |
| Post #AxgqxJ5Y6Ne60d8i2a by [email protected] | |
| 0 likes, 0 repeats | |
| 5. Moving ssh to a nonstandard port _probably_ isn't worth the hassle. I n… | |
| Post #AxgqxJeI1DR1kNOSBs by [email protected] | |
| 0 likes, 0 repeats | |
| 6. fail2ban is most definitely worth it, but other firewalling has a good chanc… | |
| Post #AxgqxKAY5HEtMQUDTM by [email protected] | |
| 0 likes, 0 repeats | |
| 7. The biggest single thing you can do to protect yourself against privilege es… | |
| Post #AxgqxKiE44B52sF6xs by [email protected] | |
| 0 likes, 0 repeats | |
| 8. Closely related to 7: The sheer complexity of Linux's various "mand… | |
| Post #AxgqxLE89RhMdpAah6 by [email protected] | |
| 0 likes, 0 repeats | |
| 9. Don't bother with "secure boot" or with encrypted disks. The o… | |
| Post #AxgqxLhYO3Ea74w5YW by [email protected] | |
| 0 likes, 0 repeats | |
| 10. You need remote system monitoring, but you probably don't need it to be… | |
| Post #AxgqxMC2YhcXddCR4i by [email protected] | |
| 0 likes, 0 repeats | |
| 11. Find a way to put the system configuration under version control. However, … | |
| Post #AxgqxMjMYoH9Iyn30y by [email protected] | |
| 0 likes, 0 repeats | |
| 12. Containers are massively overrated. You can get 90% of the same inter-serv… | |
| Post #AxgqxNAevK6sfdYqYq by [email protected] | |
| 0 likes, 1 repeats | |
| 13. I call this the Highlander Principle of Software Package Management: There … | |
| Post #AxgqxOFeuDhg1QuLzc by [email protected] | |
| 0 likes, 0 repeats | |
| 13a. The Highlander Principle has three important corollaries: - If you insist o… | |
| Post #AxgqxP8bbveilqcEdc by [email protected] | |
| 0 likes, 0 repeats | |
| Resuming the thread. Can I think of 36 more hot takes about server administrati… | |
| Post #AxgqxPo57ipgqU1MHo by [email protected] | |
| 0 likes, 0 repeats | |
| 14. You should definitely have an automated process scanning your logfiles and … | |
| Post #AxgqxQRQlQJAoWQmcS by [email protected] | |
| 0 likes, 0 repeats | |
| 15. Remember I said my goal is to do as little maintenance work as possible? So… | |
| Post #AxgqxRAS42Jx49UjnE by [email protected] | |
| 0 likes, 0 repeats | |
| 16. You're probably thinking, but what if I actually do need the fancy new … | |
| Post #AxgqxT8kjK9NBSiPQG by [email protected] | |
| 0 likes, 0 repeats | |
| 17. Make your servers automatically patch themselves. Since you're using a … | |
| Post #AxgqxTcAxvgaeiTuHg by [email protected] | |
| 0 likes, 0 repeats | |
| 18. You need an NTP daemon. For people who aren't running a time _server_, … | |
| Post #AxgqxU4BHo5U3ZaGw4 by [email protected] | |
| 0 likes, 0 repeats | |
| 19. Most Unixes come with a bunch of off-the-shelf services that you probably _… | |
| Post #AxgqxUZjOVKBdQLT72 by [email protected] | |
| 0 likes, 0 repeats | |
| 20. However, you should make sure you _do_ have 'dig', 'ping',… | |
| Post #AxgqxV9BGhgHPMvmMq by [email protected] | |
| 0 likes, 0 repeats | |
| 21. This is more of a "Unix shell usability" hot take than a "sy… | |
| Post #AxgqxVmWuP9lNPLChU by [email protected] | |
| 0 likes, 0 repeats | |
| 22. You gotta have automated data backups. You knew that already. But: those da… | |
| Post #AxgqxXdO1N1z7d4vj6 by [email protected] | |
| 0 likes, 0 repeats | |
| 23. You should _not_ be backing up the OS. Instead, you should be prepared to r… | |
| Post #AxgqxYCTut6UsTUxQe by [email protected] | |
| 0 likes, 0 repeats | |
| 24. It's an incredible pain in the ass to set up, but consider setting up b… | |
| Post #AxgqxYijywuMUWaii8 by [email protected] | |
| 0 likes, 0 repeats | |
| 25. If you're building or specifying a server from the hardware on up: get … | |
| Post #AxgqxZBSGBsPva1eT2 by [email protected] | |
| 0 likes, 0 repeats | |
| 26. Some security hardening tips that don't appear in most security hardeni… | |
| Post #AxgqxacQvN3ENXei9o by [email protected] | |
| 0 likes, 0 repeats | |
| 27. Linux's defaults for how much RAM can get filled up with "dirty pa… | |
| Post #AxgqxdBFOu5UK5xXhQ by [email protected] | |
| 0 likes, 0 repeats | |
| 28. Use a boring, reliable file system. Ideally, use a boring, reliable file sy… | |
| Post #AxgqxdiDQKSVyLNs5Q by [email protected] | |
| 0 likes, 0 repeats | |
| 29. Do not use any file system that doesn't have an offline consistency che… | |
| Post #AxgqxeD3Zf83VzoV9s by [email protected] | |
| 0 likes, 0 repeats | |
| 30. You probably do not want the tsuris of being a sysadmin for people you don'… | |
| Post #AxgqxenDPE3JK8jNWC by [email protected] | |
| 0 likes, 0 repeats | |
| that feels like a good place to end the thread for this evening, might pick it … | |
| Post #AxgqyJrYhyt8hU4vTs by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol So true! Unattended patch updates are trivial to turn on on Ubuntu and I'… | |
| Post #Axgr0zwbDpYRnBiINs by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol for a server, you have a lot of flexibility with /home because you won… | |
| Post #Axgr1N4XEUZJWSbSRk by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I've switched to sshguard on my personal servers, though my OSS web h… | |
| Post #Axgr1NAuqlflqFaYOO by [email protected] | |
| 0 likes, 0 repeats | |
| @swelljoe Thanks for the tip, I shall look at that for this new build. A lot of … | |
| Post #Axgr1NGwUMUe8wPMmm by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I mostly agree with you on everything. And, nothing wrong with fail2ban, … | |
| Post #Axgr1xXrcvQ4dqbO9w by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I'd argue there is a good reason for disk encryption, and that is pea… | |
| Post #Axgr47jAjw5MnivJOC by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol very cool, bookmarked. Not all of this is applicable to me because I use … | |
| Post #Axgr47pYMDBp7VuPKq by [email protected] | |
| 0 likes, 0 repeats | |
| @alter_kaker I also use virtual servers (cloud-hosted virtual machines, specifi… | |
| Post #Axgr8eaiUnHrss81iq by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol note that you can do this even if you are not willing to put up with syst… | |
| Post #Axgr8eg2B1Xa9McH0i by [email protected] | |
| 0 likes, 0 repeats | |
| @ska Good to know, thanks. | |
| Post #AxgrEPpyGOc1rZ0kYy by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol logging the key fingerprint is definitely a cool idea and then if ssh can… | |
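Added example, not code from the thread or from any of its participants: a small fail2ban-style scan over sshd log lines that ties together take 6 (fail2ban), take 14 (automated log scanning) and the reply above about logging key fingerprints. `offenders()` applies the two knobs fail2ban's sshd jail uses, a failure count (`maxretry`) inside a sliding time window (`findtime`); `logins_by_key()` maps the SHA256 fingerprint that modern OpenSSH prints on every "Accepted publickey" line to the user and source it logged in from, which is how a root-only box (takes 1 and 2) keeps per-person accountability. All log lines in `SAMPLE_LOG` are constructed; the host name, PIDs, addresses and fingerprints are made up.

```python
"""fail2ban-style scan of sshd log lines (added example, not code from the thread).

  * offenders():     sources with >= maxretry authentication failures inside
                     findtime_s seconds, the two knobs fail2ban's sshd jail uses
  * logins_by_key(): which SHA256 key fingerprint logged in as which user from
                     where, so a root-only box still has per-person accountability

SAMPLE_LOG is constructed data in syslog format (what journalctl -o short prints).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# "Mar  3 10:15:01 host sshd[pid]: message"  (journalctl zero-pads the day: "Mar 03")
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
_FAILED = re.compile(
    r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
_INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")
_ACCEPTED = re.compile(
    r"^Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)")

SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 web1 sshd[2315]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:09 web1 sshd[2317]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:15:12 web1 sshd[2319]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:16:40 web1 sshd[2330]: Accepted publickey for root from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:ExampleKeyOneAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar  3 10:17:02 web1 sshd[2340]: Failed password for deploy from 198.51.100.55 port 40100 ssh2
Mar  3 10:20:00 web1 sshd[2351]: Accepted publickey for root from 198.51.100.21 port 40030 ssh2: ED25519 SHA256:ExampleKeyTwoBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Mar  3 10:21:00 web1 sshd[2360]: Invalid user test from 203.0.113.7 port 51300
Mar  3 10:22:15 web1 sshd[2362]: Connection closed by authenticating user root 198.51.100.55 port 40110 [preauth]
"""


def parse_line(line):
    """Return a dict for failed/invalid/accepted events, None for anything else."""
    m = _PREFIX.match(line.rstrip())
    if not m:
        return None
    # syslog timestamps carry no year; relative arithmetic inside one log is all we need
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for kind, rx in (("failed", _FAILED), ("invalid", _INVALID), ("accepted", _ACCEPTED)):
        mm = rx.match(m.group("msg"))
        if mm:
            return {"kind": kind, "ts": ts, **mm.groupdict()}
    return None


def offenders(lines, maxretry=5, findtime_s=600):
    """Map source IP -> time at which its failures inside the window first reached maxretry."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] not in ("failed", "invalid") or ev["ip"] in banned:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > findtime_s:
            q.popleft()               # slide the window forward, dropping stale failures
        if len(q) >= maxretry:
            banned[ev["ip"]] = ev["ts"]
    return banned


def logins_by_key(lines):
    """Map SHA256 fingerprint -> sorted (user, source ip) pairs from successful key logins."""
    seen = defaultdict(set)
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "accepted":
            seen[ev["fp"]].add((ev["user"], ev["ip"]))
    return {fp: sorted(pairs) for fp, pairs in seen.items()}


if __name__ == "__main__":
    import sys
    # "-" reads a real log from stdin:  journalctl -u ssh -o short | python3 sshscan.py -
    lines = sys.stdin.read().splitlines() if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    for ip, when in offenders(lines).items():
        print(f"flag {ip}: threshold reached at {when:%H:%M:%S}")
    for fp, who in logins_by_key(lines).items():
        print(f"{fp} used by {who}")
```

On the sample, 203.0.113.7 crosses the default threshold at 10:15:12 and the lone "deploy" failure from 198.51.100.55 is ignored; the "Connection closed ... [preauth]" line, which is most of what a key-only server sees, matches nothing and is skipped. Whether a flagged source is then dropped by nftables, fail2ban or sshd's own penalty engine is a separate decision; this only decides what to flag.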
| Post #AxgrTxc8xoLMxpxJqa by [email protected] | |
| 0 likes, 0 repeats | |
| @ska Right, noexec often won't be possible, but nosuid really should be. | |
| Post #AxgrTxiAbPAFGWm8Ey by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Ideally you'd have a small partition hosting all the suid binaries (w… | |
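Added example, not code from the thread or its participants: an audit for take 3 and the two replies above. It reads the `/proc/mounts` format and reports every real filesystem that is not mounted `nosuid` and `nodev`, plus any mount point on a read-only list (default `/usr`) that is not mounted `ro`; a second function walks one filesystem and lists setuid/setgid files, which is how you confirm that a partition meant to hold no such binaries really holds none. The two sets naming where setuid binaries and device nodes are allowed, and `SAMPLE_MOUNTS`, are assumptions made for the example: edit the sets to match your own partitioning.

```python
"""Mount-option audit (added example, not code from the thread).

audit_mounts() reads /proc/mounts format and reports filesystems missing
nosuid/nodev (and read-only mounts that are not ro); setuid_files() walks a
single filesystem and lists setuid/setgid files. SAMPLE_MOUNTS is constructed.
"""
import os
import re
import stat
import sys

# Kernel pseudo-filesystems: nothing setuid can be planted there, so skip them.
IGNORED_FSTYPES = {"proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue", "bpf",
                   "debugfs", "tracefs", "securityfs", "pstore", "configfs",
                   "fusectl", "hugetlbfs", "binfmt_misc", "efivarfs", "autofs"}
SUID_ALLOWED = {"/", "/usr"}   # assumption: the only places setuid binaries live
DEV_ALLOWED = {"/", "/dev"}    # device nodes live here; nodev would break them

SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/vda2 /usr ext4 rw,nodev,relatime 0 0
/dev/vda3 /home ext4 rw,relatime 0 0
/dev/vda4 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/vda5 /boot ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,relatime,size=1978724k,nr_inodes=494681,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vdb1 /srv/backup\\040disk ext4 rw,relatime 0 0
"""


def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as octal escapes (\\040 ...)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, set-of-options) per /proc/mounts line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        entries.append((_unescape(dev), _unescape(mnt), fstype, set(opts.split(","))))
    return entries


def audit_mounts(text, readonly=frozenset({"/usr"})):
    """Return [(mountpoint, [options it should have but lacks]), ...] in mount order."""
    findings = []
    for _dev, mnt, fstype, opts in parse_mounts(text):
        if fstype in IGNORED_FSTYPES:
            continue
        missing = []
        if mnt in readonly and "ro" not in opts:
            missing.append("ro")
        if mnt not in SUID_ALLOWED and "nosuid" not in opts:
            missing.append("nosuid")
        if mnt not in DEV_ALLOWED and "nodev" not in opts:
            missing.append("nodev")
        if missing:
            findings.append((mnt, missing))
    return findings


def setuid_files(root):
    """List regular files with the setuid or setgid bit under root, not crossing mounts."""
    found = []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # prune subdirectories that are mount points of another filesystem
        kept = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                pass
        dirnames[:] = kept
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(p)
    return found


if __name__ == "__main__":
    live = "--live" in sys.argv
    text = open("/proc/mounts").read() if live else SAMPLE_MOUNTS
    for mnt, missing in audit_mounts(text):
        print(f"{mnt}: missing {','.join(missing)}")
    # e.g.  python3 mountaudit.py --live /home   lists setuid files that have no business there
    for root in (a for a in sys.argv[1:] if a != "--live"):
        for p in setuid_files(root):
            print("setuid/setgid:", p)
```

On the sample, `/home` and the backup disk are flagged for `nosuid,nodev` and `/usr` for not being `ro`; `/dev` passes because it is `nosuid` and device nodes are expected there. `noexec` is deliberately not demanded, for the reason given in the reply above.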
| Post #AxgrULO8ZXOshLaTLc by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol fwiw, https://blog.ppom.me/en-reaction/ is a cool replacement to fail2ban… | |
| Post #AxgrULUWBoVL18ZZIG by [email protected] | |
| 0 likes, 0 repeats | |
| @raito oh, that does look very handy, thanks. bookmarked. | |
| Post #AxgrWiDaf7JC5Cmcoi by [email protected] | |
| 0 likes, 0 repeats | |
| @ck There is that, yeah. In my case the servers are all off in The Cloud and I … | |
| Post #AxgrZHdHxlL8Ux1tRo by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I was reading about what that latest compromise of a program named "… | |
| Post #AxgrZHlRTRrUuEqP9k by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP Does ansible require password-less sudo on deployed servers? @zwol @ska | |
| Post #AxgrZHst1lohHKKLlA by [email protected] | |
| 0 likes, 0 repeats | |
| @xdej @zwol It's worth bearing in mind that (a) non-interactive shells used… | |
| Post #AxgrbzM4NLOAgCGVvs by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol one caveat regarding disk encryption is the matter of oppressive governme… | |
| Post #AxgrbzS60wD2yt5KKG by [email protected] | |
| 0 likes, 0 repeats | |
| @lunarood That's a good point. I use cloud VMs, so I'm at the mercy of … | |
| Post #Axgrc6hb3hlfSzOIxU by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Unless password auth is enabled, ssh isn't an attack vector and rando… | |
| Post #Axgrc6nyfys7mmNOu8 by [email protected] | |
| 0 likes, 0 repeats | |
| @dalias Precisely. | |
| Post #Axgrgh7Hc53vYtapQO by [email protected] | |
| 0 likes, 0 repeats | |
| @swelljoe I like small. | |
| Post #AxgrkDN697FET4fXLE by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP @ska Oddly enough, I was _just_ looking at some software that demands th… | |
| Post #Axgrp2DB49yBItKKtE by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I'm not truly convinced it's worth it, but I have a script (using… | |
| Post #Axgrp2KGdndnesdzwO by [email protected] | |
| 0 likes, 0 repeats | |
| @_hic_haec_hoc I might do that as defense-in-depth if I had someone *targeting*… | |
| Post #AxgrrzVxYAjFo8WQ4W by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol This one is interesting to me because remote logins to root are disallowe… | |
| Post #AxgrrzdP6UgSBE0Mfw by [email protected] | |
| 0 likes, 0 repeats | |
| @zygmyd I have not had to have this conversation with a corporate security depa… | |
| Post #Axgrs067NjeVcHRIQq by [email protected] | |
| 0 likes, 0 repeats | |
| @zygmyd (I am opposed to SSH certificates myself, but in a "I wish they ha… | |
| Post #AxgrvfQs9m8KgNtZnU by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Can you convey this to the infosec world? I get it for daily drivers, but… | |
| Post #AxgrvfXFm3En0Asfk8 by [email protected] | |
| 0 likes, 0 repeats | |
| @reid I am not sure how to convey it to the infosec world any louder than by, u… | |
| Post #Axgrwb3ptaAXPjYzwW by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol My main use case for containers, and I'll contain systemd-nspawn, jai… | |
| Post #Axgs4BdYIy0Ksbt9rk by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol This year I've watched attackers send HTTP requests to the IDENT port… | |
| Post #Axgs4BjZwYpDBIhyG8 by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP @ska I would guess that moving SSH to a *random* port, somewhere above t… | |
| Post #AxgsDNHGOYrLaXqPGC by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol i’m looking forward to replacing fail2ban with sshd’s built-in PerSou… | |
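Added illustration, not from the thread: what the replacement mentioned above looks like in `sshd_config` on OpenSSH 9.8 or newer, where `PerSourcePenalties` lets sshd itself refuse sources that keep failing. The keywords and penalty names are from sshd_config(5); the numbers and the exempt network are this example's own choices, not the defaults.

```text
# OpenSSH 9.8+: sshd tracks misbehaving sources itself, no log scanning needed.
# Seconds of penalty per event, and the floor/ceiling on the accumulated total.
PerSourcePenalties authfail:30 noauth:10 grace-exceeded:30 crash:90 min:15 max:3600 overflow:permissive
# Aggregate penalties per /32 (IPv4) and /128 (IPv6) source block
PerSourceNetBlockSize 32:128
# Assumed address: your own bastion or monitoring range, never to be penalised
PerSourcePenaltyExemptList 198.51.100.0/24
```

Check the version with `ssh -V` first: an older sshd treats the unknown keyword as a fatal configuration error, so run `sshd -t` before restarting, and confirm the live values afterwards with `sshd -T | grep -i persource`. Penalties are keyed on the source address as sshd sees it, so clients behind a shared NAT share one budget (which is what `min:` and the exempt list are for), and this covers sshd only; anything else fail2ban was watching still needs its own mechanism.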
| Post #AxgsIm5pYhlW064VRw by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol excellent thread! This also mirrors many thoughts/conclusions I've bee… | |
| Post #AxgzRj1T2jJElOFIy8 by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I would add a caveat to that one, which is that encrypted disks raises th… | |
| Post #AxgzSETu53TWKYmx60 by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @JdeBP Obviously the solution is to have automation moving sshd to a rand… | |
| Post #AxgzSvZNsYPPy0gR6m by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol I went by that philosophy (moving SSH off the default port is not worth t… | |
| Post #AxgzUY8FzRipr7lhLc by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Throwing in some data: I've never seen a nonstandard port successfull… | |
| Post #AxgzgYQOjCIyEpyguu by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol (The advice I usually give to people is "forget about the port, just… | |
| Post #AxiMe9lZvcu9Hofdcu by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Sorry, going to have to disagree here. I'd rather run ZFS and not hav… | |
| Post #AxiMe9rxXu0bbbejZY by [email protected] | |
| 0 likes, 0 repeats | |
| @pertho @zwol Yeah, a lot of these are great, but this one is flat wrong. I've be… | |
| Post #AxiMfHvx32nKuG3uVs by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Unless your system clock drifts more than a Nissan Silvia S15, you don… | |
| Post #AxiMfI32cgSxGFNZZ2 by [email protected] | |
| 0 likes, 0 repeats | |
| @ska @zwol Indeed. One can get away with SNTP and a simple tree rather than mo… | |
| Post #AxiMfIBu5jYThjWeNU by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP @ska Indeed, you _can_ often get away with SNTP and periodic polling. Ho… | |
| Post #AxiMfIJLe3Vg4p0ayu by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP @ska It might be that if you add clockspeed to the periodic polling that… | |
| Post #AxiMfIPjGKc8ObzgvY by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @JdeBP I didn't rewrite djb's clockspeed because it was difficult… | |
| Post #AxiMfIWSrI0AjV94QS by [email protected] | |
| 0 likes, 0 repeats | |
| @ska @JdeBP That's a really interesting question. I'll have to carve ou… | |
| Post #AxiMfIdCSFOD4OIRvM by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @JdeBP sure, will do! | |
| Post #AxiMiKI6jwDx5PsG9I by [email protected] | |
| 0 likes, 0 repeats | |
| @lanodan see take #29 | |
| Post #AxiMinuOcf5AwZ0kM4 by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Just use Ceph with BlueStore and get multi-device redundancy and end to e… | |
| Post #AxiMlMLTYgcmKItbV2 by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol i'm really upset about the linux ext4 maintainer theodore ts'o em… | |
| Post #AxiMlMRrAxjEe5shRg by [email protected] | |
| 0 likes, 0 repeats | |
| @hipsterelectron he's been like that for decades. there are *many* reasons … | |
| Post #AxiMlMZehxy12HWvbM by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @hipsterelectron What is a non-ext4 Linux file system that is good? I'… | |
| Post #AxiMll9HLAirFiNiSW by [email protected] | |
| 0 likes, 0 repeats | |
| @amy @zwol It really likes to have a minimum of 3 nodes in the cluster but you … | |
| Post #AxiMlmW0GAUhUU1NWC by [email protected] | |
| 0 likes, 0 repeats | |
| @amy @zwol And this is a personal setup but used for projects with serious reli… | |
| Post #AxiMmECTKNVZM16Axk by [email protected] | |
| 0 likes, 0 repeats | |
| @azonenberg Ceph looks like massive overkill for individual server installs but… | |
| Post #AxiMmEIUxyKRehuzM8 by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @azonenberg i have lots of conflicting ideas about filesystem design and … | |
| Post #AxiMmEOWbZ9JxOjnkW by [email protected] | |
| 0 likes, 0 repeats | |
| @hipsterelectron @azonenberg I sometimes think the right thing would be to go f… | |
| Post #AxiMmEUuDqFmHBithA by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @azonenberg the only way we support filesystem objects for build tasks in… | |
| Post #AxiMn8gBL6Y0WNQh2u by [email protected] | |
| 0 likes, 0 repeats | |
| @pertho ...until you hit a fun kernel bug, making your (zfs root) system unboota… | |
| Post #AxiMq8VIRsMGqTlcu0 by [email protected] | |
| 0 likes, 0 repeats | |
| @ska @zwol A truly universally portable #clockspeed is probably impossible. It… | |
| Post #AxiMrrykrIV2ApNAAq by [email protected] | |
| 0 likes, 0 repeats | |
| @lanodan zpool scrub *does not* repair, or even validate, the on-disk data stru… | |
| Post #AxiMs2DIo44tuqFvEm by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Which disk encryption are we talking about? I'm fairly certain off-th… | |
| Post #AxiMs2KONhkWGpZaHw by [email protected] | |
| 0 likes, 0 repeats | |
| @jssfr Ugh, fuck, it doesn't? I coulda sworn it did (based on the very con… | |
| Post #AxiMs2Q42cHoYQE784 by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol Might wanna edit the post for those who don't see the replies :-). Oth… | |
| Post #AxiMsGlUhjkN2wMQTY by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @ska It's still wrong, though, because it conflates clock discipline … | |
| Post #AxiMuPrRrAXHpvAYim by [email protected] | |
| 0 likes, 0 repeats | |
| @jssfr Done. | |
| Post #AxiMvaOw9c6YodOJuq by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP That article doesn't seem to be about anything like what you said it… | |
| Post #AxiMxxkeJFojoXgEfQ by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @jssfr it only started recently offering it, before it was dm_integrity+d… | |
| Post #AxiMxyy9mWDTaj0XMO by [email protected] | |
| 0 likes, 0 repeats | |
| @JdeBP @zwol @ska it kind of depends on what your time-related requirements loo… | |
| Post #AxiN4zzyLx8coKCd5E by [email protected] | |
| 0 likes, 0 repeats | |
| @feoh Yup! (But see #15, and also the proximate cause for me reinstalling this … | |
| Post #AxiN6A4kN9jqLyzSWO by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol chrony can have issues with being a large amount ahead or behind, which c… | |
| Post #AxiNB1XXXEcRKRmCgq by [email protected] | |
| 0 likes, 0 repeats | |
| @lanodan I dunno about ext4—haven't used it for anything but offline back… | |
| Post #AxijlI7RZNt2AGGjjc by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol That reminds me of a thing I learnt with ~blood~ data loss last year: ext… | |
| Post #AxlS3pX0rmMRIqnb0q by [email protected] | |
| 0 likes, 0 repeats | |
| @nuintari @pertho I do mostly work on Linux, but the time ZFS blew up on me, in… | |
| Post #AxlS3pfWM9ANjEmOH2 by [email protected] | |
| 0 likes, 0 repeats | |
| @nuintari @pertho PS. No argument from me re btrfs. | |
| Post #AxlS3plXzjzG1vbCfQ by [email protected] | |
| 0 likes, 0 repeats | |
| @zwol @pertho It's ZFS with a whole lotta features no one actually needs, m… | |
| Post #AxlS4Q1lAwLWUdSew4 by [email protected] | |
| 0 likes, 0 repeats | |
| @nuintari @pertho can we please not turn this thread into a licensing flamewar … |