Description

Universal maintenance tips

Table of contents

  1. Installation instructions
    1. Firewall
    2. SSH
    3. Podman
    4. DynDNS
    5. E-Mail to send notifications
  2. Maintenance Tips
  3. Security Tips

Installation instructions

Firewall

  • FirewallD
    • Easy to maintain through its config files
    • Supported by Podman since v4.0 with netavark
  • Fail2Ban
    • Rate limiting against repeated attack attempts
    • FirewallD support

SSH

  • OpenSSH
    • By default, firewalld allows ssh on port 22. Change the port to reduce automated attacks against the default port.
    • Custom firewalld service definition (the XML declaration has to be the first line of the file, so the comment naming the path follows it):
      <?xml version="1.0" encoding="utf-8"?>
      <!-- /etc/firewalld/services/ssh-custom.xml -->
      <service>
          <short>SSH Custom</short>
          <description>Service for the custom ssh port.</description>
          <port protocol="tcp" port="9999"/>
      </service>
    • Swap the services while firewalld is not yet running, start it, verify access, and only then enable it permanently:
      firewall-offline-cmd --remove-service-from-zone ssh
      firewall-offline-cmd --zone=public --add-service ssh-custom
      systemctl start firewalld.service
      # TEST YOUR SSH ACCESS BY OPENING A NEW CONNECTION!
      systemctl enable --now firewalld.service
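The connection test above only succeeds if sshd actually listens on the port opened in the custom service; if sshd_config still says port 22 you lock yourself out of the new connection. The script below is an added example, not part of this project: it reads the TCP port from a firewalld service XML file and the Port directive from an sshd_config and refuses to pass when they differ. The file names and the sample file contents in demo_run are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original project: verify that the custom
# firewalld service and sshd agree on the port before firewalld is enabled.
# File paths below are arguments; the sample files in demo_run are constructed.

# Print the first TCP port declared in a firewalld service XML file.
firewalld_service_port() {
    grep '<port' "$1" | grep 'protocol="tcp"' \
        | sed -n 's/.*port="\([0-9][0-9]*\)".*/\1/p' | head -n 1
}

# Print the first uncommented "Port" directive of an sshd_config, or 22 when
# the directive is absent (sshd's built-in default). sshd accepts several
# Port lines; this check only looks at the first one.
sshd_config_port() {
    p=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# Exit 0 when both files name the same port, 1 on mismatch, 2 when the XML
# declares no TCP port at all.
ssh_ports_consistent() {
    fw_port=$(firewalld_service_port "$1")
    sshd_port=$(sshd_config_port "$2")
    if [ -z "$fw_port" ]; then
        echo "ERROR: no tcp port declared in $1" >&2
        return 2
    fi
    if [ "$fw_port" = "$sshd_port" ]; then
        echo "OK: firewalld opens tcp/$fw_port and sshd listens on $sshd_port"
        return 0
    fi
    echo "MISMATCH: firewalld opens tcp/$fw_port but sshd listens on $sshd_port (do not enable firewalld yet)" >&2
    return 1
}

# Offline demonstration with constructed files: one sshd_config that was
# updated to 9999 and one still on the default, which must be rejected.
demo_run() {
    dir=$(mktemp -d)
    cat > "$dir/ssh-custom.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<!-- constructed copy of /etc/firewalld/services/ssh-custom.xml -->
<service>
    <short>SSH Custom</short>
    <description>Service for the custom ssh port.</description>
    <port protocol="tcp" port="9999"/>
</service>
EOF
    printf '# constructed sshd_config\n#Port 22\nPort 9999\nPermitRootLogin no\n' > "$dir/sshd_config.updated"
    printf '# constructed sshd_config, port left at the default\n#Port 22\nPermitRootLogin no\n' > "$dir/sshd_config.default"

    if ssh_ports_consistent "$dir/ssh-custom.xml" "$dir/sshd_config.updated"; then ok_good=1; else ok_good=0; fi
    if ssh_ports_consistent "$dir/ssh-custom.xml" "$dir/sshd_config.default"; then ok_bad=1; else ok_bad=0; fi
    rm -rf "$dir"
    # The demo succeeds only if the matching pair passes and the default pair is rejected.
    [ "$ok_good" -eq 1 ] && [ "$ok_bad" -eq 0 ]
}

# Real usage: ssh_ports_consistent /etc/firewalld/services/ssh-custom.xml /etc/ssh/sshd_config
demo_run
```

Run the real check between the two firewall-offline-cmd calls and the systemctl start; a non-zero exit is the signal to fix sshd_config (or the XML) before the firewall is ever started.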

Podman

Podman is positioned as the successor of Docker: compatible with the Docker CLI, designed to run rootless for better security, and the podman-docker package provides a Docker-compatible API layer.

DynDNS

E-Mail to send notifications

Maintenance Tips

  1. Bash autocompletion
  2. Health status of the storage
    1. Automatic email if problems happen
  3. RAID health
    1. Automatic email if problems happen
    2. Prefer filesystem-native RAID support, e.g. RAID 1 on BTRFS
    3. Send an email if an error happens
  4. Filesystem health (example: BTRFS & btrfsmaintenance)
    1. Automatic email if problems happen
  5. Autoupdater of this project
  6. Notification about system updates
  7. Notification about failed systemd services
    1. Notification script
    2. Do the same for the rootless user (~/.config/systemd/user/service.d/toplevel-override.conf etc.)
  8. Auto-update and prune container images: systemctl --user enable --now podman-auto-update.timer
  9. Displaying information & updatable packages on (ssh) login
    1. Example motd generation files.
      1. Needs package lm_sensors
  10. Web-based server interface Cockpit
  11. Backup ESP partition
    • Don't put the ESP on a RAID. The UEFI firmware and the bootloader write to the ESP (for example for the boot counter); neither understands RAID, so the mirror members drift out of sync.
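Tip 7 relies on a top-level systemd drop-in (the toplevel-override.conf named above): every .service that enters the failed state starts a notifier instance. The script below is an added example, not the project's own notification script. It installs that drop-in, a template notifier unit and the override that stops the notifier from triggering itself, and it composes the mail body. The unit name failure-notify@.service, the script path /usr/local/bin/failure-notify and the use of a local sendmail are assumptions made here.

```shell
#!/bin/sh
# Added example, not the project's own script: failure notification for every
# systemd service via a top-level drop-in. Assumed names: the template unit
# "failure-notify@.service" and the notifier path below.
# Install for system services:   failure-notify install /etc/systemd/system
# Install for the rootless user: failure-notify install "$HOME/.config/systemd/user"
# then run `systemctl daemon-reload` (or `systemctl --user daemon-reload`).

NOTIFY_SCRIPT=${NOTIFY_SCRIPT:-/usr/local/bin/failure-notify}   # assumed location of this script

install_failure_notify() {
    prefix=$1
    mkdir -p "$prefix/service.d" "$prefix/failure-notify@.service.d"

    # 1. Top-level drop-in: systemd applies service.d/*.conf to every .service
    #    unit, so each failure starts an instance of the notifier template.
    #    %n expands to the full name of the failed unit (e.g. backup.service).
    cat > "$prefix/service.d/toplevel-override.conf" <<'EOF'
[Unit]
OnFailure=failure-notify@%n.service
EOF

    # 2. Template unit; %i is the instance, i.e. the failed unit's name.
    cat > "$prefix/failure-notify@.service" <<EOF
[Unit]
Description=Failure notification for %i

[Service]
Type=oneshot
ExecStart=$NOTIFY_SCRIPT notify %i
EOF

    # 3. The drop-in from step 1 also applies to the notifier itself. An empty
    #    assignment resets OnFailure= so a failing notifier cannot re-trigger
    #    itself in a loop.
    cat > "$prefix/failure-notify@.service.d/toplevel-override.conf" <<'EOF'
[Unit]
OnFailure=
EOF
}

# Compose the mail for a failed unit. Unit name is $1; the status text
# (in production the output of `systemctl status`) is read from stdin so the
# function can be exercised offline with constructed input.
build_report() {
    unit=$1
    printf 'Subject: [%s] systemd unit %s failed\n\n' "$(uname -n)" "$unit"
    printf 'Unit %s entered the failed state at %s.\n\n' "$unit" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    cat
}

# Entry point the template's ExecStart= calls. Assumes a local MTA providing
# sendmail(8); override MAIL_CMD to suit your setup.
notify_unit() {
    systemctl --no-pager --full status "$1" 2>&1 | build_report "$1" | ${MAIL_CMD:-sendmail root}
}

# Subcommand dispatch: "install <dir>" writes the units, "notify <unit>" is
# what systemd runs; with no arguments the script only defines the functions.
case "${1:-}" in
    install) install_failure_notify "$2" ;;
    notify)  notify_unit "$2" ;;
esac
```

For the rootless user the same three files go under ~/.config/systemd/user, and the notifier then runs with that user's environment, so the sendmail binary must be reachable from there as well.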

Security Tips

  1. Podman.io
  2. Podman.io - Tutorials
  3. Podman.io - Documentation
  4. Docker Wiki
  5. Docker Security
  6. Docker Secrets
  7. Generate SSL config
  8. Test website for security
    1. SSL Labs
    2. Geekflare