# Server Hardening

Wie sichern wir unseren Server (Host) ab, auf dem BFFH läuft und verhindern Angriffe? Auf dieser Seite finden sich Ansätze für ein stabiles, sicheres Setup in einer Linux-Umgebung.

## Offene Ports prüfen

```
netstat -an | grep LISTEN | grep -v LISTENING
```

## Unattended Upgrades  


Automatische Updates per apt

```bash
sudo apt update
sudo apt upgrade -y
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
```

## Fail2ban

Basiert auf [https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-20-04](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-20-04)

```bash
sudo apt install fail2ban
sudo systemctl enable fail2ban.service
```

```bash
cd /etc/fail2ban/
sudo cp jail.conf jail.local
```

```bash
sudo vim /etc/fail2ban/jail.local
```

```ini
[DEFAULT]
. . .
findtime = 10m
maxretry = 5
. . .
```

```bash
sudo vim /etc/fail2ban/jail.d/defaults-debian.conf
```

```ini
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

[sshd]
enabled = true
```

```bash
sudo systemctl restart fail2ban.service
```