Your VPS setup steps? - Page 2

Comments

  • rm /usr/sbin/sshd; reboot

    Thanked by 1 uptime
  • wtfcook Member
    edited November 2018

    @eol said:
    rm /usr/sbin/sshd; reboot

    Well, I mean..that's pretty secure.

    Edit: Also the best way to idle.

    Thanked by 2 eol mrTom
  • unattended-upgrades

  • @wtfcook said:
    Edit: Also the best way to idle.

    That has been the intention.

  • @wtfcook said:
    What steps do you take in securing/setting up a new server?

    I start by setting up an OpenBSD server :)

    That's the front facing box (web head reverse proxy). Everything of consequence, apps, databases, are on backend boxes in DMZ (i.e. not accessible from the internet, not accessible over ipv4 at all, ipv6 only).

    Thanked by 2 vimalware uptime
  • wtfcook said: What steps do you take in securing/setting up a new server?

    I begin with adding "spectre_v2=off nopti" to boot parameters.

  • eol Member
    edited November 2018

    @naing said:

    wtfcook said: What steps do you take in securing/setting up a new server?

    I begin with adding "spectre_v2=off nopti" to boot parameters.

    Why not go all the way?

    noibrs noibpb no_stf_barrier l1tf=off kvm-intel.vmentry_l1d_flush=never nospec nospec_store_bypass_disable nopti nospectre_v2

    EDIT:
    And the microcode on intel, debian/ubuntu:
    apt-get -y purge intel-microcode; reboot

  • Gotta say you guys are all hardcore with all that destructive rm -rf / and shutdown -h shit.

    Back in my days, a good prank was to add /bin/false to /etc/shells and replace whatever bash, zsh, csh as login shell with /bin/false.

    It was both secure and non destructive, it even allowed users to use FTP and if they were chrooted to their ~/ or /tmp with write disabled, it was secure.

    Kids these days all they know is destructive shit and DDoSing the fuck out of each other.

    What a sad time to live in...

  • I usually set up ConfigServer Security & Firewall (csf) instead of ufw.

  • @FlamesRunner said:
    I typically run my benchmark to know where my system's at.

    wget https://s.flamz.pw/dl/bench.sh && bash bench.sh

    Great benchmark script. The best one I’ve ever used. We should let more people know your awesome work!

    Thanked by 1 FlamesRunner
  • FlamesRunner Member
    edited November 2018

    @PINGAPAC

    Now, if you have a read of my benchmark, you'll find that it's not destructive in the slightest.

    Thanked by 1 uptime
  • @Kiwi83 said:

    @FlamesRunner said:
    I typically run my benchmark to know where my system's at.

    wget https://s.flamz.pw/dl/bench.sh && bash bench.sh

    Great benchmark script. The best one I’ve ever used. We should let more people know your awesome work!

    For getting people to read and review shit before running it...it's pretty damn good.

    @FlamesRunner said:
    @PINGAPAC

    Now, if you have a read of my benchmark, you'll find that it's not destructive in the slightest.

    Nice work \o Scare the read into people.

  • @MGarbis said:
    I usually set up ConfigServer Security & Firewall (csf) instead of ufw.

    Why csf instead of ufw?

  • uptime Member
    edited November 2018

    @FlamesRunner said:
    Now, if you have a read of my benchmark, you'll find that it's not destructive in the slightest.

    Have you seen this one yet?

    https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

    Thanked by 1 FlamesRunner
  • @PINGAPAC said:
    Gotta say you guys are all hardcore with all that destructive rm -rf / and shutdown -h shit.

    Back in my days, a good prank was to add /bin/false to /etc/shells and replace whatever bash, zsh, csh as login shell with /bin/false.

    It was both secure and non destructive, it even allowed users to use FTP and if they were chrooted to their ~/ or /tmp with write disabled, it was secure.

    Kids these days all they know is destructive shit and DDoSing the fuck out of each other.

    What a sad time to live in...

    /hardcore/assholes/

  • @TimboJones said:
    /hardcore/assholes/

    Sounds hot

    Thanked by 1 eol
  • @JohnMiller92 said:

    @TimboJones said:
    /hardcore/assholes/

    Sounds hot

    Yeah, pretty sure that's a pornhub category.

  • @wtfcook said:

    @JohnMiller92 said:

    @TimboJones said:
    /hardcore/assholes/

    Sounds hot

    Yeah, pretty sure that's a pornhub category.

    Looks like a directory to me.

  • Looks like a directory to me.

    Some reason when doing rm -rf after I pull out turns everything off?

  • @JohnMiller92 said:

    Looks like a directory to me.

    Some reason when doing rm -rf after I pull out turns everything off?

    No idea.
    Never tried.

  • @JohnMiller92 you and your computer kinks.

    Thanked by 2 eol JohnMiller92
  • Close this thread please.

  • @dosai said:
    Close this thread please.

    I'm sorry you feel that way.

    Thanked by 2 dosai eol
  • @wtfcook said:

    @MGarbis said:
    I usually set up ConfigServer Security & Firewall (csf) instead of ufw.

    Why csf instead of ufw?

    There are more settings to play with.

    Thanked by 1 JohnMiller92
  • @MGarbis said:

    @wtfcook said:

    @MGarbis said:
    I usually set up ConfigServer Security & Firewall (csf) instead of ufw.

    Why csf instead of ufw?

    There are more settings to play with.

    Alright. Will try it out on the next setup \o

  • @eol said:

    @naing said:

    wtfcook said: What steps do you take in securing/setting up a new server?

    I begin with adding "spectre_v2=off nopti" to boot parameters.

    Why not go all the way?

    noibrs noibpb no_stf_barrier l1tf=off kvm-intel.vmentry_l1d_flush=never nospec nospec_store_bypass_disable nopti nospectre_v2

    Because, some parameters, including "noibrs" "noibpb" (with "spectre_v2=off") and "kvm-intel.vmentry_l1d_flush=never" (with "l1tf=off") and "no_stf_barrier" (except on powerpc) and "nospec", are as useless as your award-winning comment.

    "l1tf=off" not needed, because, no KVM within my VPS.

    "nospec_store_bypass_disable", well, too long to key in -- dismiss !!

    Thanked by 1 eol
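
Added example, not part of any post in this thread: a check an administrator can run to find out whether a server was booted with any of the mitigation-disabling parameters quoted above, and which CPU issues the running kernel reports as unmitigated. The function names and the sample command line are constructed for this example; `/proc/cmdline` and `/sys/devices/system/cpu/vulnerabilities` are the standard Linux interfaces.

```bash
#!/usr/bin/env bash
# Added example. Flags boot parameters that switch off CPU
# speculative-execution mitigations, and lists what the running kernel
# reports as unmitigated. Function names are this example's own.

# Only the parameters quoted in this thread; not an exhaustive list.
MITIGATION_OFF_PARAMS="spectre_v2=off nopti noibrs noibpb no_stf_barrier \
l1tf=off kvm-intel.vmentry_l1d_flush=never nospec \
nospec_store_bypass_disable nospectre_v2"

# audit_cmdline "<kernel command line>"
# Prints every listed parameter found, one per line, in command-line order.
audit_cmdline() {
    (   # subshell: keeps 'set -f' (no glob expansion of words) local
        set -f
        for word in $1; do
            # whole-word match, so "nospectre_v2" is not counted as "nospec"
            case " $MITIGATION_OFF_PARAMS " in
                *" $word "*) printf '%s\n' "$word" ;;
            esac
        done
    )
}

# vulnerable_entries [dir]
# Prints "<issue>: <status>" for each sysfs entry starting with "Vulnerable".
vulnerable_entries() {
    local dir="${1:-/sys/devices/system/cpu/vulnerabilities}" f status
    [ -d "$dir" ] || return 0      # older kernels do not expose this directory
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=""
        IFS= read -r status < "$f" || true
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "${f##*/}" "$status" ;;
        esac
    done
    return 0
}

# Constructed sample command line, so the script shows output on any host.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro spectre_v2=off nopti quiet'
echo "sample command line:"; audit_cmdline "$SAMPLE_CMDLINE"
if [ -r /proc/cmdline ]; then
    echo "this host:"; audit_cmdline "$(cat /proc/cmdline)"
fi
vulnerable_entries
```

Any output under "this host:" or from `vulnerable_entries` means the machine is running with mitigations switched off or missing, which matters most on hosts that run untrusted code or guest VMs.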
  • @naing said:
    ... as useless as your award-winning comment.

    So what would the name of said award be?

  • @eol said:

    @naing said:
    ... as useless as your award-winning comment.

    So what would the name of said award be?

    Collect them all!

    Thanked by 1 eol
  • @eol said:

    @wtfcook said:

    @JohnMiller92 said:

    @TimboJones said:
    /hardcore/assholes/

    Sounds hot

    Yeah, pretty sure that's a pornhub category.

    Looks like a directory to me.

    /Good/luck/with/your/budget/.

    Thanked by 1 eol