This guide attempts to define a secure, high-quality baseline for a Pleroma install. It assumes a completely bare machine. If your machine is not bare, take care with every step, especially the firewall, to make sure you are not going to break anything. The instructions will probably work on Ubuntu as well, but there you will probably want to use the native firewall, ufw. This guide will not teach you in detail how to use a Linux/*nix system, in particular how to use a text editor; it only covers how to set things up well.
When you are finished, the Pleroma install guide is here.
Follow the instructions to set up Debian 12 Bookworm. For setup specifics, if you know how, I recommend doing a manual partition setup and making a 1GB log partition at /var/log. If the logs fill up, this will prevent the server from dying.
Remember what the non-root user you set up was. For this guide I will call it user1.
Login as root.
Install sudo: apt update && apt install sudo
Add your non-root user to sudo: usermod -a -G sudo user1
As mentioned, this is Debian-specific. It will work on Ubuntu but Ubuntu already has a firewall.
Install the firewall: apt install -y nftables
Configure the firewall to allow only SSH and web. Use vi or nano to edit /etc/nftables.conf so that it contains:

#!/usr/sbin/nft -f
table inet filter {
    chain input {
        # Everything not explicitly accepted below is dropped by the chain policy
        type filter hook input priority 0; policy drop;
        # Loopback traffic: Pleroma talks to PostgreSQL over localhost, so this must not be dropped
        iif lo accept
        # Accept established connections and their related traffic
        ct state established,related accept
        ct state invalid drop
        # ICMP and ICMPv6: path MTU discovery and IPv6 neighbour discovery break without these
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # Allow SSH, HTTP, and HTTPS (service names resolve to ports 22, 80 and 443)
        tcp dport { ssh, http, https } accept
    }
    chain forward {
        type filter hook forward priority filter;
    }
    chain output {
        type filter hook output priority filter;
    }
}
Verify there are no errors: nft -c -f /etc/nftables.conf. If there is no output, there were no errors.
Flush the existing rules, in case there are any. This will leave your machine open until the new rules are enabled:
iptables -F
nft flush ruleset
Restart nftables: systemctl restart nftables
Verify the rules are in place: nft list ruleset
Now your firewall is set up.
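Loading a new ruleset over SSH is the step where a typo locks you out, because the flush above leaves the box open and a wrong rule then closes it. The script below is an added example, not part of the original guide: it syntax-checks the file with nft -c, saves whatever ruleset is currently loaded, applies the new one, and starts a background timer that restores the saved ruleset unless you cancel it from a fresh SSH session. It assumes only that the nft binary from the nftables package is on PATH; the file path and grace period are arguments you choose.

```shell
#!/bin/bash
# Added example (not from the original guide): load an nftables ruleset with an
# automatic rollback so a mistake in the rules cannot lock you out of a remote box.
# Assumes the nft binary from the nftables package is on PATH.
set -u

# Syntax-check a ruleset file without loading it. nft prints nothing and exits 0
# when the file is valid, so this returns 0 on success and shows the error otherwise.
check_conf() {
  nft -c -f "$1"
}

# Load $1, then start a background timer that restores the previous ruleset after
# $2 seconds unless it is cancelled. Prints the timer's PID; kill it to keep the rules.
apply_with_rollback() {
  local conf="$1" grace="$2" backup
  check_conf "$conf" || return 1
  backup="$(mktemp)" || return 1
  # Save whatever is loaded now (possibly an empty ruleset) for the rollback.
  nft list ruleset > "$backup"
  nft -f "$conf" || return 1
  # Rollback job: flush first, since a 'nft list ruleset' dump re-declares the tables.
  ( sleep "$grace"; nft flush ruleset; nft -f "$backup" ) >/dev/null 2>&1 &
  echo "$!"
}

# Cancel a pending rollback once a NEW ssh session to the server has succeeded.
confirm_rules() {
  kill "$1" 2>/dev/null && echo "rollback cancelled, rules kept"
}

# Usage when run directly:  ./apply-nft.sh /etc/nftables.conf 60
if [ "$#" -ge 1 ]; then
  grace="${2:-60}"
  pid="$(apply_with_rollback "$1" "$grace")" || exit 1
  echo "rules loaded; run 'kill $pid' within ${grace}s from a NEW ssh session to keep them"
fi
```

Run it as root with the config path and a grace period in seconds, open a second terminal, confirm you can still log in, then kill the printed PID (or call confirm_rules with it). If the second login fails, do nothing: the old ruleset comes back by itself when the timer expires.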
To make our machine as secure as possible, we want to require logging in via SSH using a key instead of a password. If you already have a key then you know how to use it so set it up and skip to the next section. I recommend a Yubikey or Nitrokey but this guide will explain how to do it without hardware. This is less secure but doesn't require buying anything.
On your DESKTOP machine, NOT your server, go to the console and run: ssh-keygen -t ed25519 and enter a new password to encrypt your key (or just press enter, but this is less secure). You should get output like:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:KRftpjMHxwaDggoKh1RD7Yljy2MkHE7+nTzmMb/IUyo root@pleroma
The key's randomart image is:
+--[ED25519 256]--+
| .o+. |
|.+ ... . . |
|O + + o + . |
|+B = + B |
|o * = o S * |
| * O + * |
| . + B + . |
| E.+.. + |
| .o... |
+----[SHA256]-----+
Keep track of where the keys are because you will need both.
Dump out the contents of the public key listed above: cat /root/.ssh/id_ed25519.pub. You should get something similar to:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtNJsfpB33LnswA9YRLsH4NrZq+V4cY+LJVVmDVemIP root@pleroma
Switch back to your new server. On the server, do the following steps:
cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
Then, using vi or nano, open .ssh/authorized_keys and paste in the text from step 2.
Now, using vi or nano, edit /etc/ssh/sshd_config and look for a line that looks like: PasswordAuthentication yes. It might be commented out with a #, it might already say no, or it might not exist at all. Make it say no, or add PasswordAuthentication no to the bottom of the file. Save and exit the editor.
Restart SSH: systemctl restart ssh and DO NOT CLOSE YOUR CURRENT WINDOW.
Open another terminal on your desktop and try to connect again using the private key from step 10 (it calls it "identification"):
ssh -i whateverkeylocation whateveruser@whateverdomain
For example:
ssh -i /root/.ssh/id_ed25519 root@banana.example.net
Make sure you can connect! If you can, then you are safe and can continue. If it fails, then undo the change you made.
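One detail worth checking before you trust the test login: sshd uses the first value it reads for a keyword, and Debian's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a PasswordAuthentication no appended at the bottom of the file is silently ignored if an earlier line or an included file already says yes. The script below is an added example, not from the original guide; it walks a config file the way sshd does (comments skipped, Include globs expanded, first match wins, global section ending at the first Match) and reports the effective value. It only reads files, and on a real server you can cross-check its answer with sshd -T, which prints the running daemon's effective settings.

```shell
#!/bin/bash
# Added example (not from the original guide): report the value sshd would
# actually use for a keyword, following sshd_config's first-match-wins rule and
# its Include lines. Read-only; it changes nothing.

# Scan one file. Prints the value of the keyword and returns 0 at the first
# match; returns 1 if the file (and anything it Includes) does not set it.
scan_config() {
  local file="$1" key="$2" line k v lk lkey inc
  lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#"${line%%[![:space:]]*}"}"          # strip leading whitespace
    case "$line" in ''|'#'*) continue ;; esac         # blank line or comment
    k="${line%%[[:space:]=]*}"                         # keyword up to space or '='
    v="${line#"$k"}"; v="${v#"${v%%[![:space:]=]*}"}"  # value after the separator
    v="${v%"${v##*[![:space:]]}"}"                     # strip trailing whitespace
    lk=$(printf '%s' "$k" | tr '[:upper:]' '[:lower:]')
    if [ "$lk" = include ]; then
      # Unquoted on purpose: the pattern is expanded as a glob, in sorted order,
      # which is how sshd reads /etc/ssh/sshd_config.d/*.conf on Debian.
      for inc in $v; do
        scan_config "$inc" "$key" && return 0
      done
    elif [ "$lk" = match ]; then
      return 1      # lines after Match are conditional; the global section ends here
    elif [ "$lk" = "$lkey" ]; then
      printf '%s\n' "$v"
      return 0
    fi
  done < "$file"
  return 1
}

# Effective value of keyword $2 in config $1, falling back to default $3.
effective_value() {
  local v
  if v=$(scan_config "$1" "$2"); then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Exit 0 only if password logins are really off. sshd's compiled-in default is "yes".
password_auth_disabled() {
  [ "$(effective_value "$1" PasswordAuthentication yes | tr '[:upper:]' '[:lower:]')" = no ]
}

# Usage when run directly:  ./check-sshd.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
  if password_auth_disabled "$1"; then
    echo "PasswordAuthentication is effectively 'no'"
  else
    echo "PasswordAuthentication is effectively 'yes' (check Include'd files and earlier lines)"
    exit 1
  fi
fi
```

If it reports yes even though you added the line, look at the files under /etc/ssh/sshd_config.d/ and at any uncommented PasswordAuthentication line above yours; the earliest one is the one sshd honours.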
todo.