Arch Linux is well suited to minimal servers because it does not ship the bloatware that other distributions (e.g. CentOS, RHEL, Debian) install by default, which reduces the potential attack surface. One of the biggest benefits of Arch's rolling release cycle is that security updates arrive within hours, instead of the days to months you may wait on Ubuntu, CentOS, etc. However, it must be configured correctly, and great care must be taken with every action.
- Boot into the live ISO and switch to the root user (`su`) if you are not already root.
- Create root and swap partitions on the disk you want to use:
  - Open cfdisk with `cfdisk /dev/sdX` and select the `dos` label type.
  - Create the root partition:
    - Hit [New]
    - Partition size: (total - swap size) gigabytes
    - Select Primary
    - Hit [Bootable]
  - Create the swap partition:
    - Hit [New]
    - Partition size: (swap size)
    - Select Primary
  - Hit [Write] and confirm by typing "yes"
  - Hit [Quit]
  - Create an ext4 filesystem on the root partition with `mkfs.ext4 /dev/sdX1`
  - Create and enable swap on the swap partition with `mkswap /dev/sdX2 && swapon /dev/sdX2`
- Mount the root partition to `/mnt` with `mount /dev/sdX1 /mnt`
- Install the base system and kernel with `pacstrap -i /mnt base base-devel linux linux-devel`
- Generate the fstab with `genfstab -U -p /mnt >> /mnt/etc/fstab`
- Chroot into the new installation with `arch-chroot /mnt`
- If you want to enable DHCP (dynamic IP):
  - Install dhcpcd: `pacman -S dhcpcd`
  - Enable its service: `systemctl enable dhcpcd@YOUR_NETWORK_INTERFACE_NAME`
- Set up date and time:
  - Edit `/etc/locale.gen` with your favourite text editor (install nano with `pacman -S nano`, install vi with `pacman -S vi`). Uncomment the two lines for your locale (both the UTF-8 and the ISO one).
  - Run `locale-gen`
  - Run `echo LANG=en_US.UTF-8 > /etc/locale.conf`
  - Run `export LANG=en_US.UTF-8`
  - Run `ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime`
  - Configure the hardware clock to UTC: `hwclock --systohc --utc`
- Set up the network hostname: `echo MY_HOSTNAME > /etc/hostname`
- Add a privileged user:
  - Create the user: `useradd -m -g users -G wheel,storage,power -s /bin/bash NEW_USERNAME`
  - Set its password: `passwd NEW_USERNAME`
  - Install sudo: `pacman -S sudo`
  - Edit `/etc/sudoers` by running the `visudo` command, or `EDITOR=rnano visudo` to use the restricted editor.
  - Write the following defaults at the top of the file and modify them to your preferences:

    ```
    Defaults env_reset
    Defaults editor=/usr/bin/rnano, !env_editor
    Defaults timestamp_timeout=0
    Defaults lecture="never"
    Defaults insults
    Defaults requiretty
    Defaults log_host, log_year, logfile="/var/log/sudo.log"
    ```

  - Allow the user full access: `NEW_USERNAME ALL=(ALL) ALL`
  - Disable the root account or scramble the root password: `usermod -p '!' root`
- Install the SSH server:
  - Install the package: `pacman -S openssh`
  - Enable its service: `systemctl enable sshd.service`
- Install the GRUB bootloader:
  - Install the packages: `pacman -S grub os-prober`
  - Optionally, edit the bootloader configuration in `/etc/default/grub`
  - Install GRUB onto the disk that contains the root partition: `grub-install --recheck /dev/sdX`
  - Generate the configuration file: `grub-mkconfig -o /boot/grub/grub.cfg`
- Reboot into the OS:
  - Exit the chroot: `exit`
  - Unmount the root filesystem: `umount -R /mnt`
  - Reboot: `reboot`
  - When the reboot completes, a login prompt will appear and SSH will be open on port 22. Make sure to install a firewall (iptables, ufw, whatever) because everything is accessible right now!!
- Disable root login by changing its shell to `/sbin/nologin` (or equivalent), running `usermod -p '!' root`, and setting `PermitRootLogin` to `no` in `/etc/ssh/sshd_config`. Make sure to restart openssh with `systemctl restart sshd.service`.
- Change the SSH port from 22 to something else (WARNING: make sure the new port is allowed in the firewall!!). Edit the `Port` setting in `/etc/ssh/sshd_config` and run `systemctl restart sshd.service`.
- Install a firewall (iptables, ufw) and block all incoming ports except the SSH port and whatever else you need (80 for HTTP, 443 for HTTPS, etc.).
- Disable IPv6; more info on the wiki: https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
- Disable password SSH login and only use public-key (asymmetric) authentication.
- Install antivirus (ClamAV, Maldet).
- Install rootkit prevention: https://wiki.archlinux.org/index.php/Rkhunter
- Stop brute-force attacks using Fail2ban, DenyHosts, CSF, or firewall rate limiting.
- Create a snapshot every time before you upgrade the system with `pacman -Syu`, because OS updates may break any software.
- Disable shell history: `history -c && echo 'unset HISTFILE' >> ~/.bash_profile`
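A way to apply the sshd items above (port change, `PermitRootLogin no`, key-only login) to a config file without hand-editing, as an added example that is not part of the original guide. It assumes POSIX sh with awk and mktemp, and the sample config it edits is constructed; a duplicated or misplaced keyword is a common way to lock yourself out, so the helper keeps one global value per keyword and leaves `Match` blocks untouched.

```shell
# Added example, not from the original post: apply the sshd hardening steps
# above (new port, no root login, key-only auth) to a config file, idempotently.
# Assumes POSIX sh with awk and mktemp; the sample config below is constructed.

# set_sshd_option FILE KEY VALUE: rewrite the first global "KEY ..." line
# (active or commented out) to "KEY VALUE" and drop later global duplicates,
# so sshd reads exactly one value. Lines inside a Match block are left alone;
# a missing key is inserted before the first Match line so it stays global.
set_sshd_option() {
    file=$1 key=$2 value=$3 tmp="$1.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { kre = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        !inmatch && tolower($0) ~ /^[ \t]*match([ \t]|$)/ {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        !inmatch && tolower($0) ~ kre { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE [PORT]: the settings the hardening list asks for.
harden_sshd_config() {
    set_sshd_option "$1" Port "${2:-22}"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# effective_value FILE KEY: the value sshd will use, i.e. the first active
# global occurrence (sshd keeps the first value it reads for a keyword).
effective_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# demo_config: write a constructed, stock-like sshd_config to a temp file
# and print its path (a Match block is included to exercise that edge case).
demo_config() {
    f=$(mktemp) || return 1
    printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$f"
    printf '%s\n' "$f"
}
```

On a real box run `harden_sshd_config /etc/ssh/sshd_config 2222` as root, then `sshd -t` to validate the file before `systemctl restart sshd.service`, keeping your current session open until a second login succeeds.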
https://www.reddit.com/r/archlinux/comments/4g7lx1/arch_linux_on_production_server/d2fbfdq/