Secure Your Linux Box
Matt’s Guide to Securing a Linux Box for Production.
I won’t get into the weeds on this blog post, but I don’t really care for social media. I much prefer this platform right here. My website, my domain, my kingdom. I hope this encourages someone to learn some HTML, CSS, and maybe dabble in a little bit of DevOps and GitOps. It can be fun for the right person. (Me).
On my Windows development PC, I use the following tools….
GitHub Desktop is a great git wrapper for Windows. It's really easy to create branches, push and pull changes, and anything else Git related.
JekyllRB had a small learning curve, but once I understood how to update and maintain the Ruby Gems and Gemfile it became way easier. I’ve honestly really enjoyed being able to pass in the --livereload command and watch my changes on a separate monitor.
Converting images from their original format into a webp format is a bit tedious. I was doing it all in PowerShell but I’ve started to use the ThioJoe cwebpGUI and it's a bit easier I guess. I like that it shows me the cwebp command it generates more than anything. I serve these high-quality but compressed images from an Object Storage bucket into a CDN for distribution.
This cookieless website gets about 2,000 hits per month at the Bunny CDN. I just assume it’s 99.9% bot traffic so really the only person here is me, and that’s perfectly fine with me. I could get away with hosting this site 6 different ways for free, but I enjoy and trust the platform. I use a $5/month Nanode, paired with a $5/month 250GB S3-compatible Object Storage Bucket. As a paying customer, I’m also able to use their DNS Resolvers as my Authoritative Name Servers. Doing all of this on one platform is awesome because they have a Python3 pip package called Linode-CLI that has a huge range of capabilities.
It’s best practice to restrict root access, enforce the use of a cryptographic key pair for SSH access, adjust listening settings on the sshd daemon, and install fail2ban. I’ve done this. But I want to go even further. I’ve set up and enabled the local UFW firewall, set up SSH to be limited to my Tailscale TailNet while still enforcing the SSH Key requirement, installed CrowdSec, a CrowdSec bouncer or four, and finally….
Put my Nanode behind a Cloud Firewall. Yes - I block ICMP traffic before the web server and at the web server.
Security is like an onion; it's all done in layers. Feel free to reach out if you need support analyzing your attack vectors and threat models.
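A quick way to check the SSH layer described above, as an added example that is not part of the original post: the function reads the effective configuration printed by `sshd -T` and flags anything that drifts from "no root, keys only, tailnet only". It assumes the tailnet restriction is done with ListenAddress (if you enforce it with a firewall rule instead, the listenaddress check will flag); the function name and sample input are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd: read `sshd -T` output on stdin, print one FAIL line per finding.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_sshd() {
    awk '
    function in_tailnet(addr,   o) {
        # Tailscale hands out IPv4 from 100.64.0.0/10 and IPv6 from fd7a:115c:a1e0::/48
        if (addr ~ /^\[?fd7a:115c:a1e0:/) return 1
        if (split(addr, o, ".") < 4 || o[1] != 100) return 0
        return (o[2] >= 64 && o[2] <= 127)
    }
    # Assumption: root login is fully disabled, so anything but "no" is flagged.
    $1 == "permitrootlogin" && $2 != "no"        { print "FAIL " $1 " " $2; bad = 1 }
    # Key-only access: every password-style method must be off.
    $1 == "passwordauthentication" && $2 != "no" { print "FAIL " $1 " " $2; bad = 1 }
    $1 ~ /^(kbdinteractive|challengeresponse)authentication$/ && $2 != "no" {
        print "FAIL " $1 " " $2; bad = 1
    }
    $1 == "pubkeyauthentication" && $2 != "yes"  { print "FAIL " $1 " " $2; bad = 1 }
    # Every listener must sit on a tailnet address, not 0.0.0.0 or a public IP.
    $1 == "listenaddress" {
        seen = 1
        if (!in_tailnet($2)) { print "FAIL " $1 " " $2; bad = 1 }
    }
    END {
        if (!seen) { print "FAIL listenaddress (none reported)"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample, not taken from a real host.
# On a server, run as root: sshd -T | audit_sshd
SAMPLE='permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
listenaddress 0.0.0.0:22
listenaddress 100.101.102.103:22'

printf '%s\n' "$SAMPLE" | audit_sshd || echo "sshd config needs attention"
```
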