Elive for servers

I could agree on that premise but .... first we'd need to define a 'real maintained server'.

Once that's done I'd be glad to hear what exactly you had in mind as security measures above (and eventually integrate that in a script) what is standard delivery on most pre-installed server images that come with i.e virtual servers hosted in the cloud or physically at home for that matter.

If what you're saying were true we'd have been inundated by botnets already, considering the sheer amount of virtual servers on offer and already in use worldwide. :thinking:

Update: improved resources to be 161 MB for 3 websites instead of 171 MB, only one website is 153 MB (with all the other services installed too!)

I would confidently say that is much more stable than any ubuntu or even debian server, also much better tunned ! :slight_smile: so in short it's just a real plain server (better debian than ubuntu) that you select on your host install, and run the tool to improve & feature it, includes also tools to guarantee the uptimes & stability, the non-stop running of the services, includes well configured firewalls / security's, just like well configured apps/services, etc, note that this 'elive-for-servers' doesn't make your server less secure or to require extra securities, in the contrary, it improves your existing setup

Hum, maybe we need a howto on this forum for specifically show how to set up in in the suggested ways :thinking: Let me note this task...

I totally believe that. And this is good!
As I was a trainee in IT, we need to setup a LAMP and use HeidiSQL under windows. Since I was using Linux quite a time, I brought my laptop and got a fully functional server in 5 minutes (the download for 'apt install' wasn't very fast these days). The rest of the class needed up to a whole day for the setup and understanding.

I think there a lot of cases, where you just need a quick 'let it work' solution. And the more stable it is, the more useful.

But what am I doing with a pretty quick server? I want to present it to the world. And here is the danger. When I don't know anything abut the system and configure my router to 'expose host' (means 'forward every not other used port to one host in the LAN' in AVM configuration), nobody can promise any security. And users tend to 'oh, it doesn't work, lets open everything'.
It starts with ssh. If ssh root is allowed or a default/weak password is set for the user admin/www/user/[anything easy guessable], we have a problem.

fail2ban is good against bruteforce. But what f bruteforce is not neccessary, because phpinfo will tell everything we need to exploit without multiple requests?
A firewall is good, but where to draw the line? Whitelist or blacklist? any to any? What services are allowed to the world and what should stay in the subnet?

We have. Even before IoT with unpatchable fridges, tunneling gaming console (see tredo) and smartphones with more data about you, than you are aware of.
At the moment I'm about to play around with PiHole. A small DNS forwarder in the LAN, to filter malare/ads/unwanted traffic. There are some devices, that won't work in my configuration. Sonos, Amazon Echo (partly), Xbox Network gaming ... In my world: Deny everything, look at the protocol and if a service won't work, restart the device, look at the protocol, compare and allow ... But in the real work, I need to make a any-exception for Sonos. I even can't give them a own Hostname via DHCP (my workaround is a CNAME record).

It is more important than ever to understand the system(s) and service(s). But to understand you'll need them to work, to play around. Not everybody can afford a dedicated server or is able/want to build a honeypot.
The Shodan Database is a great start to peek, what I am talking about. We already have the Botnet problem. So I don't want to see Elive-for-Server there as bad example.
I think the work of the people here is to valuable, to get bat publicity just because not talking about the possibility.

If an Elive-for-server will be used in a serious attack, at least we can say: hey, look: we have taken the time to consider plenty of situations. This situation is new/unknown, we will take care of it.

This would be great. At least we're talking not tech here, it is just a more philosophical approach to make the world a better place.

This are only my 2 cent and I don't expect everybody will agree.

1 Like

OK, I can follow your way of thinking but on the whole your worries come down to user idiocy when setting up the router access and opening ports i.e misconfiguring the router itself and subsequently exposing the server without any safeguards --- in a home situation.

You can't offer server software and configurations to the kind of people that try to dry their cat in a microwave and expect it to be secure. :shocked:
That would be an impossible task and frankly, not our responsibility.
OTH, I don't expect many will use a dedicated home-server when virtual solutions are on offer all over the place for practically free. :thinking:
It's not like we're saying:
"Grab that old machine and turn it into a dedicated server using Elive."

I've got a PiHole (and an Elivized RaspberryPi server in the DMZ for testing ) at home and it works quite nice but then I don't have a Sonos device or an Xbox in the (W)LAN anymore. :smiley:
I stumbled across a nice non-tech Howto for a PiHole BTW:

these quotes can even be used as "testimonials" for the future page for elive-for-servers downloads :slight_smile:

these are good questions, and I think they are also useful for that future page / description, so there's some notes:

  • installation asks you if you want to disable password-based logins on ssh (so use only ssh-keys), and also asks if you want to change the port
  • phpinfo is not enabled by default, also nginx tokens (nginx version / info etc) are disabled
  • firewall is included and input ports closed by default, DURING the installation of services on elive-for-servers, the needed ports for these services are then configured to be open (so yeah, all working by default but only enabled for the wanted things)

yeah of course, but in the end is a "practical tool that sets up everything for you in the best way in 5 minutes", but that's the start; the user wants a server, this is a good option to install a server, since this point everything else is up on them, alternatively, if the user would have installed the server in a basic debian/ubuntu/whatever, the setup will be less tunned, less secured, etc... so in the end is a win-win for the user no matter what :thinking: IMHO

yes that's important to clarify: elive-for-servers can make your life easier, can tune your server, can secure it a bit more, can make it more protected... but then (again) everything is up on them, they need to know that if anything goes bad is their fault, because elive-for-servers (even if there was a bug in the tool or misconfiguration) just made the setup easier and better for them

well, can be good for playing and learning to use home-servers, or also: you can use your own computer running on elive to enable a website or email service, using this tool :happy: (I remember when in the past we used to install a small webserver just for share files among other people on IRC lol)

we can :thinking: the setup is pretty quite light !

Yes, it should offer that opportunity but should also have the user setup a pasword based user access (and test if it's open from another machine!) first. Else we'll risk having a noob (who's already in a twilight zone) coming to the forum and asking how to i.e get into his now locked AWS.

There's so much overwhelming and unclear (to a noob at fitrst usage) info that there's a high chance that info (like changed port and key) wasn't remembered or noted.

I have certain misgivings about setting up WordPress in the user space and wouldn't mind if @LupusE shared his thoughts on that.

  1. Setting up WP in user-space (including PHP and SQL server) that is also a defacto root user (through sudo or su) is IMO the same as setting up in /root.... a liability.

  2. Doing that creates a HTTPS port access there to /home/$USER, whereas Nginx still has the HTTP port in use for /var/www/html/ ..... meaning unnecessary double point of entry option.

A pro side is that it's easier to copy files or changes to a ssh accessible user than it is to root-only file systems ....... but OTOH that extra step is meant as a security measure in the first place.

A penny for your thoughts. :thinking:

As always, you'll get my full approval of that.

It is difficult. I agree in general, but there are possibilities.
The webroot as chroot and use a port above 1024? This will increase the security and the complexibillity.
I don't think anybody will be bothered about klick http://[ip]:46352 ... In fact AVM (german vendor for SOHO routers) does exact this. Using some ports in the higher range, to not interfere with any service.

Let's say we'll try to support TLS/SSL. The ACME for Lets Encrypt can run as user, but need to be provided on port 80 ... Self signed? Leads to unessacary approvals in the browser.

Providing a service and keep it simple is heavy stuff.

just checking the code in order to improve it, I just noticed that this question is only asked when there's already ssh keys enabled for login :slight_smile: , otherwise yeah is a complex topic for the noob if has not already them, also the hostings today already saves your ssh keys just like github does it for use it in your things

not really, as said before, that question is only shown in the case is a suggestion to improve, we need to remember that this tool is for improve existing servers (somebody which installed a plain debian for example or had already an existing one), so they should be experienced and everything like lack of knowledge in configuring things is their responsibility (otherwise, don't use servers), but of course all info are needed, so if you find any missing info just tell me to include it (I think the last time you tried it it was a much beta version)

the easiest and handiest way to play or try it is from a vultr / digitalocean account on which you start a machine base ready in 1 minute and it only costs the time you use it (full time = 6 bucks per month, so nothing)

who said that? the WP, PHP and all that is run from userspace :slight_smile: , that's why from user is good, nothing rooted, everything user-isolated as much as possible

hum not sure to understand, we should check if the actual way is configured has this kind of issue, but I don't think so everything is isolated and directed to its own space

well, again I don't think there's a security issue, also; you can run the tool with --install=wordpress multiple times and It will install extra Wordpress websites in different user's homes (different websites) while that, without necessarily requiring more resources, i just tested that the other day :slight_smile: (yes, another good feature to note)

for now included in the README.md file and to not forget in the future :slight_smile:

By that I mean:
Standard 'nginx' is set up using '/var/www/html/' open to port 80 (http) whereas the WP install uses 443 (https) with entry point where-ever WP is set up i.e /home/WP (or something like that ..... my little Elive server isn't running ATM)

Depending on how this is configured by default by Elive (or the base install) ....... it's fairly easy to move around in /home/* (and find a user with 'sudo' abilities) compared to /var/www/html/ that's walled in by 'root' ownership.

you should try the (very updated) tool again

yes a plain install of nginx will set this directory by default, lets call it "un-configured", but if you also install Wordpress in the same time or later, this default nginx dir is removed since becomes useless, so the new place is in userspace, etc...

there's not users with sudo capabilities :thinking: