@@ -154,8 +154,9 @@ Manual (default, alternative 1):
Using systemd-resolved (alternative 2):
-1. (Optional) In `/etc/systemd/resolved.conf`, set `DNS` to a space separated list of DNS servers.
- If not set, this will just use the DNS servers specified by the network config.
+1. Configure `/etc/systemd/resolved.conf`
+ - `DNS`: A space-separated list of DNS servers.
+ - `Domains`: A space-separated list of search domains.
1. (Optional) If you're hosting a DNS server on this machine, set `DNSStubListener=no` to avoid binding to port 53.
1. Enable and start `systemd-resolved.service`.
1. Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
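Review bot: The fallback behaviour stated by the removed line (when `DNS` is unset, systemd-resolved uses the servers from the network configuration) is dropped without replacement in the new sub-list; suggest keeping it as a sub-item under `DNS`, e.g. "If unset, the servers from the network config are used.", since that is the more common setup. Two smaller points in this hunk: the new step "1. Configure `/etc/systemd/resolved.conf`" lacks the trailing colon that the matching timesyncd step elsewhere in this change has, and the unchanged steps that follow combine `DNSStubListener=no` with linking `/run/systemd/resolve/stub-resolv.conf` into place; that file points at the stub listener on 127.0.0.53, so when the stub listener is disabled the symlink target should be `/run/systemd/resolve/resolv.conf` instead, otherwise name resolution breaks on exactly the hosts that run their own DNS server.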
@@ -165,10 +166,10 @@ Using systemd-resolved (alternative 2):
1. Set the timezone: `timedatectl set-timezone Europe/Oslo`
1. Enable network time: `timedatectl set-ntp true`
-1. In `/etc/systemd/timesyncd.conf`, set `NTP` to some server (e.g. `ntp.justervesenet.no`).
- If not set, this will use the NTP servers specified by the network config.
+1. Configure `/etc/systemd/timesyncd.conf`:
+ - `NTP`: A space-separated list of NTP servers.
1. Restart `systemd-timesyncd`.
-1. Check status works: `timedatectl` and `timedatectl timesync-status`
+1. Check status works: `timedatectl` and `timedatectl timesync-status` (check which servers are used)
#### Firewall
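Review bot: The removed line "If not set, this will use the NTP servers specified by the network config." is not carried into the new `NTP` sub-item, so the reader no longer learns that leaving `NTP` empty is a valid configuration; suggest keeping it as a sub-item, the same way the example server (`ntp.justervesenet.no`) could stay as an "e.g." so the list item is not purely abstract. The changed step "1. Check status works: `timedatectl` and `timedatectl timesync-status` (check which servers are used)" reads as two half-instructions; suggest one sentence such as "Verify with `timedatectl` and `timedatectl timesync-status` that NTP is active and that the expected servers are in use", which also makes the purpose of the check (detecting a silently wrong or unreachable server) explicit.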
@@ -180,6 +181,7 @@ Using systemd-resolved (alternative 2):
1. Make sure IPv6 and NDP is configured securely:
- If IPv6 and NDP is enabled and accepting RAs on insecure (i.e. public-facing) interfaces, the server may autoconfigure itself for those interfaces.
+ - ifupdown with `inet6 static` does not use autoconfiguration.
- By configuration: Disable "Accept-RA" on interfaces that should not autoconfigure themselves. It's typically enabled by default.
- By firewalling (not recommended if avoidable): Block ICMPv6/NDP on untrusted interfaces so that the host can't autoconfigure itself. This prevents all IPv6 configuration for the interface, but may be required in some cases.
1. Reboot and make sure everything still works.
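Review bot: The added bullet "- ifupdown with `inet6 static` does not use autoconfiguration." sits between the risk statement and the "By configuration" mitigation, so it reads like a third mitigation option rather than a clarifying note; suggest moving it under the "By configuration" bullet and naming what the claim rests on (the `accept_ra` and `autoconf` options of the `inet6 static` method in interfaces(5)), so a reader can check their own stanza, since a stanza that sets `accept_ra 1` explicitly would still accept router advertisements regardless of the method. Nit in the unchanged context of this hunk: "IPv6 and NDP is configured" and "is enabled" should be "are".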
@@ -217,7 +219,7 @@ Everything here is optional.
- Install `debsums` and run it after upgrading to check deb checksums.
- Install `debsecan` to get automatically alerted when new vulnerabilities are discovered and security updates are available.
- Google Authenticator 2FA:
- - Recommended for public-facing servers.
+ - Potentially useful for public-facing servers.
- **TODO**
- Install and run Lynis security auditor:
- Install: `apt install lynis`
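Review bot: Changing "Recommended for public-facing servers." to "Potentially useful for public-facing servers." softens the 2FA advice without giving a reason, and the "- **TODO**" bullet directly below it is still empty, so the reader now gets a weaker recommendation and no setup steps; suggest either stating in the bullet which deployments it does suit (for example SSH logins with password authentication still enabled versus key-only hosts) or leaving the original wording until the TODO is filled in, and in either case mentioning the motivation in the commit message.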