VPS Security Checklist

Just some random items I've thought of; I might update this list in the future.

MariaDB needs to be set up with secure install and a restricted database user created for each individual application (e.g. Gosora) which you're planning on running. You may want to generate a random password (complete with symbols) for this with some sort of tool.

A restricted user account should be set up for each individual application. You could probably get away with one, but that's not ideal.

You should make sure that only ports you want open are open and not ones like your database.

You probably want to chown all the files to the restricted user account.

You probably want to chgrp all the files to a restricted group account. More on this later.

You probably want to set the file permissions on the application files such that only the restricted user account (and root, because root breaks every rule) can access them. Especially config/config.json, which holds your database credentials.

systemd unit files can be useful in barring access to certain subsystems on a more granular level.

You want to be running the latest version of Go, MariaDB and just about everything else on the server. Go / database releases are usually much less frequent than other things which can be resolved with a couple of commands, although even those only tend to have updates once a week or so.

This isn't PHP, so please don't put Gosora in any sort of /www/ or /public_html/ folder. That will only make things less secure and will likely give away your database credentials.

You likely want to go through your logs every now and then to look for traces of suspicious activity and errors. Don't be surprised if you discover many bots looking for WordPress or trying to exploit programs you don't use; these bots are everywhere and randomly hit servers trying to find one they can break into.

Go is actually quite secure, if it's up-to-date, so a lot of these things are "just to be safe", but better to be safe than sorry.

Note: Docker might help with some of these things by reducing all the MariaDB installation, configuration, user account configuration, etc. down to a few commands and automatically hiding away things from ports, although you would need some knowledge of Docker administration.

This should be coming in the near future, although it remains to be seen when exactly.
 
Tweaked the grammar, added a paragraph about monitoring logs, added a line about generating random passwords and added a line about user groups.
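
The chown, chgrp and file-permission items in the checklist above can be verified with a short audit script. This is an added example, not part of the original post or of Gosora itself; the function names, the sample tree and the rule that config/config.json should be at most 0640 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an application directory
# against the checklist's chown/chgrp/permission items.
# Function names and the sample tree are hypothetical.

# audit_app_dir DIR USER GROUP -> one line per finding; exit 0 only when clean.
audit_app_dir() {
    dir=$1 user=$2 group=$3
    findings=$(
        # Files not owned by the restricted user or the restricted group.
        find "$dir" ! -user "$user" -exec printf 'wrong owner: %s\n' {} \;
        find "$dir" ! -group "$group" -exec printf 'wrong group: %s\n' {} \;
        # Anything with a read, write or execute bit set for other.
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'open to others: %s\n' {} \;
        # Assumption of this example: the credentials file should be at most
        # 0640, so flag group-write and any execute bit on it.
        cfg=$dir/config/config.json
        if [ -f "$cfg" ]; then
            find "$cfg" \( -perm -020 -o -perm -100 -o -perm -010 \) \
                -exec printf 'config too permissive: %s\n' {} \;
        fi
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample tree standing in for an application directory.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/config"
    printf '{"note": "constructed sample"}\n' > "$t/config/config.json"
    printf 'placeholder\n' > "$t/app-binary"
    chgrp -R "$(id -g)" "$t"
    chmod 750 "$t" "$t/config" "$t/app-binary"
    chmod 640 "$t/config/config.json"
    printf '%s\n' "$t"
}

# Demo: a credentials file left world-readable is reported.
tree=$(make_sample_tree)
chmod 644 "$tree/config/config.json"
audit_app_dir "$tree" "$(id -u)" "$(id -g)" || echo "audit found problems"
rm -rf "$tree"
```

On a real server, pass the application directory and the restricted account's user and group names instead of the sample tree, and run it as root so every file is visible to the check.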