add(public): more articles and some adjustment to the footer

This commit is contained in:
Carl-Gerhard Lindesvärd
2024-11-15 10:17:23 +01:00
parent 7ad40ed30f
commit ab5ab99b2c
9 changed files with 370 additions and 20 deletions

@@ -0,0 +1,236 @@
---
title: How to secure your Ubuntu server
description: Learn essential steps to secure your Ubuntu server, including user management, firewall configuration, SSH hardening, and best practices for maintaining a robust security posture.
tag: Hosting
team: OpenPanel Team
date: 2024-11-14
cover: /content/secure-server.jpg
---
Securing your Ubuntu server is one of the most important things to do when you have your own server (VPS). There are a ton of horror stories about people who have had their servers hacked and data stolen.
Security is a broad and hard topic to cover and usually the best way in for hackers is actually not from your servers but rather your software (your code).
In this article, we'll cover some basic steps to secure your Ubuntu server.
## 1. Update your system
Keep always your system up to date. This can be done with a simple command:
```bash
sudo apt update && sudo apt upgrade -y
```
## 2. Create a new user
Create a new user with sudo privilages. By doing this you can manage your server without giving full root access to your server. But for this to be secure, you should also disable root login over SSH.
```bash
sudo adduser <username>
sudo usermod -aG sudo <username>
```
## 3. Secure your SSH
Securing your SSH is like securing your front door. You want to make sure it's always locked and only accessible to people you trust. Since SSH is how you access your server, you want to make sure it's as secure as possible.
We'll disable root login and only allow access with ssh keys.
```bash
sudo nano /etc/ssh/sshd_config
```
Find the line that says `PermitRootLogin yes` and change it to `PermitRootLogin no`.
Also find or add these lines to disable password authentication and only allow SSH keys:
```bash
PasswordAuthentication no
PubkeyAuthentication yes
```
Then restart the SSH service:
```bash
sudo systemctl restart ssh
```
### 3.1 Change SSH port
You can change the SSH port to make it harder to brute force your server.
### 3.2 Add fail2ban
Fail2ban is a tool that can help you protect your server from brute force attacks. It works by monitoring your SSH logs and banning IPs that show suspicious activity. With this and a good ssh key you should be pretty safe.
```bash
sudo apt install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
### 3.3 Two factor authentication
Adding two factor authentication is a good idea. There are many tools for this, but a simple one is Google Authenticator. You can install it with this command:
```bash
sudo apt install -y libpam-google-authenticator
sudo sed -i 's/^#*\s*KbdInteractiveAuthentication\s.*$/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
sudo echo 'AuthenticationMethods publickey,password publickey,keyboard-interactive' | sudo tee -a /etc/ssh/sshd_config
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
echo "auth required pam_permit.so" | sudo tee -a /etc/pam.d/sshd
sudo sed -i '/^@include common-auth/s/^/#/' /etc/pam.d/sshd
sudo runuser -l "CHANGE_THIS_TO_YOUR_USERNAME" -c 'google-authenticator -t -d -f -r 3 -R 30 -W'
sudo systemctl restart ssh
```
## Enable your firewall
This maybe goes without saying, but you should always enable a firewall and only allow traffic on the ports you need.
**Common ports**
- SSH: 22
- HTTP: 80
- HTTPS: 443
- FTP: 21
- SFTP: 2222
```bash
sudo ufw enable
sudo ufw allow OpenSSH # Allow SSH
sudo ufw allow 80,443/tcp; # Allow HTTP and HTTPS traffic
```
## Easy to use code snippet
Create a file called `secure.sh` and add the code below. Then run it with `sudo bash secure.sh`. It'll prompt you for a username and generate a password and SSH key for you.
```bash
#!/bin/bash
# Update and upgrade system
echo "Updating and upgrading the system..."
sudo apt update && sudo apt upgrade -y
# Install necessary packages
echo "Installing necessary packages..."
sudo apt install -y whois # For mkpasswd
sudo apt install -y libpam-google-authenticator fail2ban ufw
# Create a new user with sudo access
read -p "Enter the new username: " username
if id "$username" &>/dev/null; then
echo "User $username already exists!"
exit 1
else
# Generate a random password
password=$(openssl rand -base64 12)
# Create the user and assign the password
sudo adduser --gecos "" "$username" --disabled-password
echo "$username:$password" | sudo chpasswd
sudo usermod -aG sudo "$username"
echo "User $username created with sudo access."
echo "Generated password for $username: $password"
# Generate SSH key for the new user
sudo -u "$username" mkdir -p /home/"$username"/.ssh
sudo -u "$username" ssh-keygen -t rsa -b 4096 -f /home/"$username"/.ssh/id_rsa -q -N ""
echo "SSH key generated for $username."
# Copy the existing authorized_keys from root or initial user to the new user's .ssh directory
if [ -f /root/.ssh/authorized_keys ]; then
sudo cp /root/.ssh/authorized_keys /home/"$username"/.ssh/
fi
sudo chown -R "$username":"$username" /home/"$username"/.ssh
if [ -f /home/"$username"/.ssh/authorized_keys ]; then
sudo chmod 600 /home/"$username"/.ssh/authorized_keys
fi
echo "Authorized keys copied to new user's .ssh directory."
# Outputs the public key
public_key=$(cat /home/"$username"/.ssh/id_rsa.pub)
fi
# Set up SSH to use keys only (disable password login)
echo "Configuring SSH to use keys only..."
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo sed -ri 's/^(#)?PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -ri 's/^(#)?PermitRootLogin\s+.*/PermitRootLogin no/' /etc/ssh/sshd_config
# Enables Google Authenticator
sudo sed -i 's/^#*\s*KbdInteractiveAuthentication\s.*$/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
sudo echo 'AuthenticationMethods publickey,password publickey,keyboard-interactive' | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart ssh
# Enable and configure the firewall
echo "Enabling and configuring the firewall..."
sudo ufw allow OpenSSH
# sudo ufw allow 80,443,3000,996,7946,4789,2377/tcp;
# sudo ufw allow 7946,4789,2377/udp;
sudo ufw allow 80,443,3000/tcp;
sudo ufw enable
# Configure Google Authenticator
echo "Configuring Google Authenticator for the user..."
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
echo "auth required pam_permit.so" | sudo tee -a /etc/pam.d/sshd
sudo sed -i '/^@include common-auth/s/^/#/' /etc/pam.d/sshd
sudo runuser -l "$username" -c 'google-authenticator -t -d -f -r 3 -R 30 -W'
sudo systemctl restart ssh
# Configure Fail2Ban
echo "Configuring Fail2Ban..."
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Check if Docker is installed
if ! command -v docker &> /dev/null
then
echo "Docker is not installed. Installing Docker..."
# Install required packages
sudo apt-get install -y \
ca-certificates \
curl \
gnupg \
lsb-release \
apt-transport-https
# Add Dockers official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# Set Up Dockers Stable Repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Update the package index
sudo apt update
# Install Docker
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Check if Docker is running
sudo systemctl is-active docker
# Add current user to the Docker group
sudo usermod -aG docker $USER
sudo usermod -aG docker $username
# Check if the script is being run interactively, then change group without needing re-login
if tty -s; then
newgrp docker
fi
echo "Docker installed successfully."
else
echo "Docker is already installed."
fi
echo "Server security enhancement is complete."
echo ""
echo "------------"
echo "Host: $(hostname)"
echo "Username: $username"
echo "Password: $password"
echo "------------"
echo "Public key: $public_key"
echo "------------"
echo "2FA: $(cat /home/"$username"/.google_authenticator)"
echo "------------"
```
## Conclusion
This is a good starting point to secure your Ubuntu server. There are many more things you can do to secure your server, but this should give you a good foundation.
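
Review bot: in `secure.sh`, password login and root login are disabled and ssh is restarted, but the new user's `authorized_keys` is only populated when `/root/.ssh/authorized_keys` exists, and the key pair from `ssh-keygen` is never added to it (the public half is only echoed and the private key stays on the server), so a host that was reached with a root password ends up with no working login. Suggest aborting before the `sshd_config` edits when no `authorized_keys` ends up in the new user's `.ssh` directory, or prompting for the operator's own public key instead of generating one server-side, and running `sudo sshd -t` before each `sudo systemctl restart ssh`. The closing summary also prints `Password: $password` and the contents of `.google_authenticator` to stdout, where they land in scrollback and any session log; consider dropping those lines or writing them to a root-only file. In the article's firewall section, `sudo ufw enable` comes before `sudo ufw allow OpenSSH`; the script uses the safer order and the article text should match it.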

@@ -0,0 +1,92 @@
---
title: Self-hosted web analytics
description: Self-host your web analytics on your own infrastructure.
tag: Hosting
team: OpenPanel Team
date: 2024-11-14
cover: /content/self-hosted-analytics.jpg
---
In the digital age, understanding website traffic is crucial for any online presence. However, traditional analytics tools often come with privacy concerns and complex interfaces.
Self-hosted web analytics empowers you to maintain control over your data while gaining valuable insights into your website's performance. By hosting your own analytics platform, you can ensure data privacy and tailor the tool to your specific needs.
## Why Choose Self-Hosted Web Analytics?
You own your data - completely. No more worrying about what third-party services are doing with your information.
Think about it: with your own analytics setup, you're in the driver's seat. You can:
- Keep your data private and GDPR-compliant
- Customize everything to work exactly how you want
- Skip paying for expensive services (but keep in mind that you'll have to pay for your own server and maintenance)
If you've been using tools like Mixpanel or Google Analytics, you might be surprised by how liberating it feels to have full control over your analytics.
## Self-Hosted Analytics as an Alternative to Mixpanel and Google Analytics
While Google Analytics and Mixpanel are powerful tools, they come with their own set of limitations, particularly regarding data privacy and customization. Heres how self-hosted analytics can serve as a viable alternative:
- **Google Analytics Alternatives**: Google Analytics is a comprehensive tool, but it often involves data sharing with Google itself. Self-hosted solutions eliminate this concern, providing similar functionalities without compromising privacy.
- [**Mixpanel Alternatives**](/articles/alternatives-to-mixpanel): Mixpanel is known for its in-depth user analytics but can be costly and complex. Self-hosted alternatives offer a more cost-effective solution with the ability to customize and scale based on your unique requirements.
## Simple analytics is key
Most of the analytics tools out there are complex, feature packed and have a steep learning curve.
**Look at Google Analytics**, for example. It's a powerful tool, but most often people don't even use a fraction of what it offers.
It's because they have made a tool that is so complex that it's hard to know where to start.
**Mixpanel has done it right**, but with their constant pricing changes, you never know what you're paying for.
Open-source tools tend to be simpler and easier to understand, since they don't have to deal with the complexity of a big company with lots of stakeholders.
## Privacy and security
With growing concerns about data privacy, using a self-hosted solution ensures that your website's data is stored securely on your own servers. This approach minimizes the risk of data breaches and unauthorized access, providing peace of mind to both you and your website visitors.
By removing the need for cookie consent banners, you create a smoother user experience while still adhering to privacy standards. This level of control makes self-hosted solutions attractive for those prioritizing privacy.
## Setting Up Your Self-Hosted Analytics
Transitioning to a self-hosted analytics solution may seem daunting, but it can be straightforward with the right approach:
### 1. Pick a server provider
Picking a server provider not an easy task. There are many things to consider, such as cost, performance, and security. We would advice you to do your own research and choose a provider that fits your needs.
Here is a list of some providers that differ in both price and complexity:
- **AWS** - Complex but you can do almost anything
- **Google Cloud** - Complex but you can do almost anything
- **DigitalOcean** - Easy to use but limited, great price
- **Hetzner** - Easy to use but limited, best price!
- **Vultr** - Easy to use but limited, great price
### 2. Pick a open-source analytics platform
We're of course biased, but we think OpenPanel is the best self-hosted analytics platform out there since it has both product and web analytics. Most of the self-hosted analytics tools out there is just for web analytics.
So depending on your needs you might consider what you choose.
- **Plausible** - Simple and privacy focused
- **Simple Analytics** - Simple and privacy focused
- **Fathom** - Simple and privacy focused
- **OpenPanel** - Best of both worlds, easy to use and privacy focused
Each of these platforms has guides how to set up on your own server, here is ours: [How to install OpenPanel on your own server](/docs/self-hosting/self-hosting)
### 3. Secure your server
Before you start installning your analytics platform, you should secure your server.
Read our guide on [how to secure your server](/articles/how-to-secure-your-server) for more information.
### 4. Install your analytics platform
Each of the platforms has guides how to install on your own server. Usually this information is available on the project's website or GitHub repository.
## Conclusion
Self-hosted web analytics is a strategic move for anyone looking to prioritize privacy and control over their website data. By opting for a solution that aligns with your values and needs, you can gain valuable insights without compromising on security. For those exploring [Mixpanel alternatives](/articles/alternatives-to-mixpanel) or Google Analytics alternatives, self-hosted platforms provide a robust and private solution. Take the leap into self-hosting today and experience the benefits of a more private and streamlined analytics process.
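
Review bot: the "Privacy and security" section overstates what self-hosting provides: "ensures that your website's data is stored securely" and "minimizes the risk of data breaches" only hold if the operator patches and locks down the server, which is the reader's job once they self-host. Suggest rewording to say that self-hosting keeps the data under your control and moves responsibility for securing it to you, and linking the existing `/articles/how-to-secure-your-server` guide from this section as well as from step 3. The next sentence, "By removing the need for cookie consent banners", is not backed by anything else in the article; either explain what makes consent unnecessary (for example, cookieless tracking in the chosen platform) or drop the claim.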