new deploy: 2022-09-12T10:31:15+00:00

Aravinth Manivannan 2022-09-12 10:31:15 +00:00
parent c80f0fc69e
commit 4dc57a13ad
16 changed files with 237 additions and 167 deletions

View file

@ -405,10 +405,9 @@ but knowing how to do it manually using industry standard
technologies always helps!</p>
<p>We will be using the following technologies to deploy our website:</p>
<ol>
<li>GNU/Linux server(Debian)</li>
<li>Nginx (webs server)</li>
<li>Let's Encrypt (for HTTPS)</li>
<li>Gitea (but any Git hosting works)</li>
<li><a href="https://debian.org">GNU/Linux server(Debian)</a></li>
<li><a href="https://www.nginx.com/">Nginx</a> (webs server)</li>
<li><a href="https://letsencrypt.org/">Let's Encrypt</a> (for HTTPS)</li>
</ol>
<p>Let's get started!</p>
<h2 id="1-setup-debian-gnu-linux">1. Setup Debian GNU/Linux<a class="zola-anchor" href="#1-setup-debian-gnu-linux" aria-label="Anchor link for: 1-setup-debian-gnu-linux"
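
Review bot: The rewritten Nginx list item still reads "(webs server)"; since the line is already being changed to add the link, correct it to "(web server)", and add the missing space in "GNU/Linux server(Debian)". The list also drops the Gitea entry, so confirm that no later section of the post still assumes it was introduced here.
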
@ -439,25 +438,32 @@ from a lower-privileged account. Let's make our account sudo capable:</p>
><span class="anchor-icon">#</span></a
>
</h3>
<p>Uncomplicated Firewall(<code>ufw</code>) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.</p>
<p><a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated
Firewall(<code>ufw</code>)</a> is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.</p>
<p>We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `/etc/services.</p>
<pre data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt "><code class="language-bash $ sudo apt update && apt upgrade # update system $ sudo apt" data-lang="bash $ sudo apt update && apt upgrade # update system $ sudo apt"><span>install ufw # we are using `ufw` for the firewall
</span><span>$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
</span><span>$ sudo ufw enable # deploy firewall
on is available at <code>/etc/services</code>.</p>
<pre data-lang="bash" style="background-color:#2b303b;color:#c0c5ce;" class="language-bash "><code class="language-bash" data-lang="bash"><span style="color:#bf616a;">$</span><span> sudo apt update &amp;&amp; </span><span style="color:#bf616a;">apt</span><span> upgrade </span><span style="color:#65737e;"># update system
</span><span style="color:#bf616a;">$</span><span> sudo apt install ufw </span><span style="color:#65737e;"># we are using `ufw` for the firewall
</span><span style="color:#bf616a;">$</span><span> sudo ufw allow ssh </span><span style="color:#65737e;"># allow SSH traffic on port 22, required to log into the server
</span><span style="color:#bf616a;">$</span><span> sudo ufw enable </span><span style="color:#65737e;"># deploy firewall
</span></code></pre>
<h3 id="1-3-secure-ssh">1.3) Secure SSH<a class="zola-anchor" href="#1-3-secure-ssh" aria-label="Anchor link for: 1-3-secure-ssh"
><span class="anchor-icon">#</span></a
>
</h3>
<p>SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.</p>
<p>SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication <a href="https://wiki.archlinux.org/title/OpenSSH#Protecting_against_brute_force_attacks">is susceptible to brute force
attacks</a>,
so we should <a href="https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication">disable password logins on our server and only allow
public-key authentication
only</a>.</p>
<h3 id="1-3-1-generate-key-pair">1.3.1) Generate key pair<a class="zola-anchor" href="#1-3-1-generate-key-pair" aria-label="Anchor link for: 1-3-1-generate-key-pair"
><span class="anchor-icon">#</span></a
>
@ -525,7 +531,10 @@ the server, let's disable password authentication on the server:</p>
><span class="anchor-icon">#</span></a
>
</h3>
<p>We will be using <code>fail2ban</code> for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.</p>
<p>We will be using
<a href="https://www.fail2ban.org/wiki/index.php/Main_Page"><code>fail2ban</code></a> for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.</p>
<h4 id="1-3-1-install-fail2ban">1.3.1) Install <code>fail2ban</code><a class="zola-anchor" href="#1-3-1-install-fail2ban" aria-label="Anchor link for: 1-3-1-install-fail2ban"
><span class="anchor-icon">#</span></a
>
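
Review bot: The heading directly below the changed paragraph is numbered "1.3.1) Install fail2ban" with id `1-3-1-install-fail2ban`, which reuses the 1.3.1 number already used by "1.3.1) Generate key pair" earlier in the post; renumber the fail2ban subsections under their own parent section so the numbering and the anchors stay unambiguous.
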
@ -709,7 +718,8 @@ authority to get our SSL certificates.</p>
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.</p>
<p>Thankfully, Let's Encrypt provides automation through <code>certbot</code></p>
<p>Thankfully, there is a way to automate this process through
<a href="https://certbot.eff.org/"><code>certbot</code></a></p>
<h4 id="2-3-1-install-certbot">2.3.1) Install <code>certbot</code>:<a class="zola-anchor" href="#2-3-1-install-certbot" aria-label="Anchor link for: 2-3-1-install-certbot"
><span class="anchor-icon">#</span></a
>
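
Review bot: The new sentence "Thankfully, there is a way to automate this process through certbot" ends without terminal punctuation before `</p>`; add a full stop, or a colon since the install heading follows directly.
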
@ -760,7 +770,7 @@ you.</p>
<a class="blog__post-tag" href="/tags/jamstack">#JAMStack</a>
<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>

View file

@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!&lt;&#x2F;p&gt;
&lt;p&gt;We will be using the following technologies to deploy our website:&lt;&#x2F;p&gt;
&lt;ol&gt;
&lt;li&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;li&gt;
&lt;li&gt;Nginx (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;Let&#x27;s Encrypt (for HTTPS)&lt;&#x2F;li&gt;
&lt;li&gt;Gitea (but any Git hosting works)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;debian.org&quot;&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;www.nginx.com&#x2F;&quot;&gt;Nginx&lt;&#x2F;a&gt; (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;letsencrypt.org&#x2F;&quot;&gt;Let&#x27;s Encrypt&lt;&#x2F;a&gt; (for HTTPS)&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
&lt;p&gt;Let&#x27;s get started!&lt;&#x2F;p&gt;
&lt;h2 id=&quot;1-setup-debian-gnu-linux&quot;&gt;1. Setup Debian GNU&#x2F;Linux&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-setup-debian-gnu-linux&quot; aria-label=&quot;Anchor link for: 1-setup-debian-gnu-linux&quot;
@ -53,25 +52,32 @@ from a lower-privileged account. Let&#x27;s make our account sudo capable:&lt;&#
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;Uncomplicated Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;a href=&quot;https:&#x2F;&#x2F;wiki.ubuntu.com&#x2F;UncomplicatedFirewall&quot;&gt;Uncomplicated
Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;)&lt;&#x2F;a&gt; is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `&#x2F;etc&#x2F;services.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt &quot;&gt;&lt;code class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot;&gt;&lt;span&gt;install ufw # we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw enable # deploy firewall
on is available at &lt;code&gt;&#x2F;etc&#x2F;services&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash &quot;&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt update &amp;amp;&amp;amp; &lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;apt&lt;&#x2F;span&gt;&lt;span&gt; upgrade &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# update system
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt install ufw &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw allow ssh &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw enable &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# deploy firewall
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;h3 id=&quot;1-3-secure-ssh&quot;&gt;1.3) Secure SSH&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-secure-ssh&quot; aria-label=&quot;Anchor link for: 1-3-secure-ssh&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.&lt;&#x2F;p&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Protecting_against_brute_force_attacks&quot;&gt;is susceptible to brute force
attacks&lt;&#x2F;a&gt;,
so we should &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Force_public_key_authentication&quot;&gt;disable password logins on our server and only allow
public-key authentication
only&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-3-1-generate-key-pair&quot;&gt;1.3.1) Generate key pair&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-generate-key-pair&quot; aria-label=&quot;Anchor link for: 1-3-1-generate-key-pair&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -139,7 +145,10 @@ the server, let&#x27;s disable password authentication on the server:&lt;&#x2F;p
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;We will be using &lt;code&gt;fail2ban&lt;&#x2F;code&gt; for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.&lt;&#x2F;p&gt;
&lt;p&gt;We will be using
&lt;a href=&quot;https:&#x2F;&#x2F;www.fail2ban.org&#x2F;wiki&#x2F;index.php&#x2F;Main_Page&quot;&gt;&lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.&lt;&#x2F;p&gt;
&lt;h4 id=&quot;1-3-1-install-fail2ban&quot;&gt;1.3.1) Install &lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-install-fail2ban&quot; aria-label=&quot;Anchor link for: 1-3-1-install-fail2ban&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -323,7 +332,8 @@ authority to get our SSL certificates.&lt;&#x2F;p&gt;
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, Let&#x27;s Encrypt provides automation through &lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, there is a way to automate this process through
&lt;a href=&quot;https:&#x2F;&#x2F;certbot.eff.org&#x2F;&quot;&gt;&lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;h4 id=&quot;2-3-1-install-certbot&quot;&gt;2.3.1) Install &lt;code&gt;certbot&lt;&#x2F;code&gt;:&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-3-1-install-certbot&quot; aria-label=&quot;Anchor link for: 2-3-1-install-certbot&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;

View file

@ -265,8 +265,8 @@ general development ecosystem" />
>#JAMStack</a
>
<a class="blog__post-tag" href="/tags/git"
>#git</a
<a class="blog__post-tag" href="/tags/lets-encrypt"
>#lets-encrypt</a
>
<a class="blog__post-tag" href="/tags/self-hosting"

File diff suppressed because one or more lines are too long

View file

@ -29,10 +29,10 @@
<loc>https://librepages.org/tags/bare-metal/</loc>
</url>
<url>
<loc>https://librepages.org/tags/git/</loc>
<loc>https://librepages.org/tags/jamstack/</loc>
</url>
<url>
<loc>https://librepages.org/tags/jamstack/</loc>
<loc>https://librepages.org/tags/lets-encrypt/</loc>
</url>
<url>
<loc>https://librepages.org/tags/nginx/</loc>
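
Review bot: Dropping `https://librepages.org/tags/git/` from the sitemap removes a URL that the previous deploy published, and the same commit renames its feed to the lets-encrypt tag, so existing links and feed subscriptions to the git tag will presumably stop resolving; add a redirect for the old path if the tag page should not simply disappear.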

View file

@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!&lt;&#x2F;p&gt;
&lt;p&gt;We will be using the following technologies to deploy our website:&lt;&#x2F;p&gt;
&lt;ol&gt;
&lt;li&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;li&gt;
&lt;li&gt;Nginx (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;Let&#x27;s Encrypt (for HTTPS)&lt;&#x2F;li&gt;
&lt;li&gt;Gitea (but any Git hosting works)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;debian.org&quot;&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;www.nginx.com&#x2F;&quot;&gt;Nginx&lt;&#x2F;a&gt; (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;letsencrypt.org&#x2F;&quot;&gt;Let&#x27;s Encrypt&lt;&#x2F;a&gt; (for HTTPS)&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
&lt;p&gt;Let&#x27;s get started!&lt;&#x2F;p&gt;
&lt;h2 id=&quot;1-setup-debian-gnu-linux&quot;&gt;1. Setup Debian GNU&#x2F;Linux&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-setup-debian-gnu-linux&quot; aria-label=&quot;Anchor link for: 1-setup-debian-gnu-linux&quot;
@ -53,25 +52,32 @@ from a lower-privileged account. Let&#x27;s make our account sudo capable:&lt;&#
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;Uncomplicated Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;a href=&quot;https:&#x2F;&#x2F;wiki.ubuntu.com&#x2F;UncomplicatedFirewall&quot;&gt;Uncomplicated
Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;)&lt;&#x2F;a&gt; is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `&#x2F;etc&#x2F;services.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt &quot;&gt;&lt;code class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot;&gt;&lt;span&gt;install ufw # we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw enable # deploy firewall
on is available at &lt;code&gt;&#x2F;etc&#x2F;services&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash &quot;&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt update &amp;amp;&amp;amp; &lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;apt&lt;&#x2F;span&gt;&lt;span&gt; upgrade &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# update system
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt install ufw &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw allow ssh &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw enable &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# deploy firewall
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;h3 id=&quot;1-3-secure-ssh&quot;&gt;1.3) Secure SSH&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-secure-ssh&quot; aria-label=&quot;Anchor link for: 1-3-secure-ssh&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.&lt;&#x2F;p&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Protecting_against_brute_force_attacks&quot;&gt;is susceptible to brute force
attacks&lt;&#x2F;a&gt;,
so we should &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Force_public_key_authentication&quot;&gt;disable password logins on our server and only allow
public-key authentication
only&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-3-1-generate-key-pair&quot;&gt;1.3.1) Generate key pair&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-generate-key-pair&quot; aria-label=&quot;Anchor link for: 1-3-1-generate-key-pair&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -139,7 +145,10 @@ the server, let&#x27;s disable password authentication on the server:&lt;&#x2F;p
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;We will be using &lt;code&gt;fail2ban&lt;&#x2F;code&gt; for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.&lt;&#x2F;p&gt;
&lt;p&gt;We will be using
&lt;a href=&quot;https:&#x2F;&#x2F;www.fail2ban.org&#x2F;wiki&#x2F;index.php&#x2F;Main_Page&quot;&gt;&lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.&lt;&#x2F;p&gt;
&lt;h4 id=&quot;1-3-1-install-fail2ban&quot;&gt;1.3.1) Install &lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-install-fail2ban&quot; aria-label=&quot;Anchor link for: 1-3-1-install-fail2ban&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -323,7 +332,8 @@ authority to get our SSL certificates.&lt;&#x2F;p&gt;
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, Let&#x27;s Encrypt provides automation through &lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, there is a way to automate this process through
&lt;a href=&quot;https:&#x2F;&#x2F;certbot.eff.org&#x2F;&quot;&gt;&lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;h4 id=&quot;2-3-1-install-certbot&quot;&gt;2.3.1) Install &lt;code&gt;certbot&lt;&#x2F;code&gt;:&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-3-1-install-certbot&quot; aria-label=&quot;Anchor link for: 2-3-1-install-certbot&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;

View file

@ -259,7 +259,7 @@
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>
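
Review bot: The first tag link in this hunk points to `/tags/JAMStack`, while the sitemap in this same commit lists the page as `/tags/jamstack/` and the other copy of this tag list links to `/tags/jamstack`; use the lowercase path here too so the link does not depend on case-insensitive path matching on the server.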

View file

@ -252,26 +252,6 @@
</li>
</a>
<li class="tag__item">
<a href="https://librepages.org/tags/git/" class="tag__item-link">
<h2 class="tag__item-title">#git</h2>
<span class="tag__meta">1 entry</span>
</a>
<a class="tag__rss-link" href="https:&#x2F;&#x2F;librepages.org&#x2F;tags&#x2F;git&#x2F;atom.xml" target="_blank" rel="noopener" title="RSS">
<img
src="https://librepages.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
class="tag__rss-icon"
alt="RSS icon"
/>
</a>
</li>
</a>
<li class="tag__item">
<a href="https://librepages.org/tags/jamstack/" class="tag__item-link">
<h2 class="tag__item-title">#JAMStack</h2>
@ -292,6 +272,26 @@
</li>
</a>
<li class="tag__item">
<a href="https://librepages.org/tags/lets-encrypt/" class="tag__item-link">
<h2 class="tag__item-title">#lets-encrypt</h2>
<span class="tag__meta">1 entry</span>
</a>
<a class="tag__rss-link" href="https:&#x2F;&#x2F;librepages.org&#x2F;tags&#x2F;lets-encrypt&#x2F;atom.xml" target="_blank" rel="noopener" title="RSS">
<img
src="https://librepages.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
class="tag__rss-icon"
alt="RSS icon"
/>
</a>
</li>
</a>
<li class="tag__item">
<a href="https://librepages.org/tags/nginx/" class="tag__item-link">
<h2 class="tag__item-title">#nginx</h2>
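
Review bot: Each tag entry, including the added lets-encrypt one, is followed by a stray `</a>` after `</li>` with no open anchor left to close, since both `<a>` elements inside the `<li>` are already closed; drop the extra closing tag in the template that generates this list so the markup is well-formed.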

View file

@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!&lt;&#x2F;p&gt;
&lt;p&gt;We will be using the following technologies to deploy our website:&lt;&#x2F;p&gt;
&lt;ol&gt;
&lt;li&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;li&gt;
&lt;li&gt;Nginx (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;Let&#x27;s Encrypt (for HTTPS)&lt;&#x2F;li&gt;
&lt;li&gt;Gitea (but any Git hosting works)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;debian.org&quot;&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;www.nginx.com&#x2F;&quot;&gt;Nginx&lt;&#x2F;a&gt; (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;letsencrypt.org&#x2F;&quot;&gt;Let&#x27;s Encrypt&lt;&#x2F;a&gt; (for HTTPS)&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
&lt;p&gt;Let&#x27;s get started!&lt;&#x2F;p&gt;
&lt;h2 id=&quot;1-setup-debian-gnu-linux&quot;&gt;1. Setup Debian GNU&#x2F;Linux&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-setup-debian-gnu-linux&quot; aria-label=&quot;Anchor link for: 1-setup-debian-gnu-linux&quot;
@ -53,25 +52,32 @@ from a lower-privileged account. Let&#x27;s make our account sudo capable:&lt;&#
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;Uncomplicated Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;a href=&quot;https:&#x2F;&#x2F;wiki.ubuntu.com&#x2F;UncomplicatedFirewall&quot;&gt;Uncomplicated
Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;)&lt;&#x2F;a&gt; is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `&#x2F;etc&#x2F;services.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt &quot;&gt;&lt;code class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot;&gt;&lt;span&gt;install ufw # we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw enable # deploy firewall
on is available at &lt;code&gt;&#x2F;etc&#x2F;services&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash &quot;&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt update &amp;amp;&amp;amp; &lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;apt&lt;&#x2F;span&gt;&lt;span&gt; upgrade &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# update system
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt install ufw &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw allow ssh &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw enable &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# deploy firewall
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;h3 id=&quot;1-3-secure-ssh&quot;&gt;1.3) Secure SSH&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-secure-ssh&quot; aria-label=&quot;Anchor link for: 1-3-secure-ssh&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.&lt;&#x2F;p&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Protecting_against_brute_force_attacks&quot;&gt;is susceptible to brute force
attacks&lt;&#x2F;a&gt;,
so we should &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Force_public_key_authentication&quot;&gt;disable password logins on our server and only allow
public-key authentication
only&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-3-1-generate-key-pair&quot;&gt;1.3.1) Generate key pair&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-generate-key-pair&quot; aria-label=&quot;Anchor link for: 1-3-1-generate-key-pair&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -139,7 +145,10 @@ the server, let&#x27;s disable password authentication on the server:&lt;&#x2F;p
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;We will be using &lt;code&gt;fail2ban&lt;&#x2F;code&gt; for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.&lt;&#x2F;p&gt;
&lt;p&gt;We will be using
&lt;a href=&quot;https:&#x2F;&#x2F;www.fail2ban.org&#x2F;wiki&#x2F;index.php&#x2F;Main_Page&quot;&gt;&lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.&lt;&#x2F;p&gt;
&lt;h4 id=&quot;1-3-1-install-fail2ban&quot;&gt;1.3.1) Install &lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-install-fail2ban&quot; aria-label=&quot;Anchor link for: 1-3-1-install-fail2ban&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -323,7 +332,8 @@ authority to get our SSL certificates.&lt;&#x2F;p&gt;
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, Let&#x27;s Encrypt provides automation through &lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, there is a way to automate this process through
&lt;a href=&quot;https:&#x2F;&#x2F;certbot.eff.org&#x2F;&quot;&gt;&lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;h4 id=&quot;2-3-1-install-certbot&quot;&gt;2.3.1) Install &lt;code&gt;certbot&lt;&#x2F;code&gt;:&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-3-1-install-certbot&quot; aria-label=&quot;Anchor link for: 2-3-1-install-certbot&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;

View file

@ -259,7 +259,7 @@
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>

View file

@ -1,11 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<title> - git</title>
<link href="https://librepages.org/tags/git/atom.xml" rel="self" type="application/atom+xml"/>
<title> - lets-encrypt</title>
<link href="https://librepages.org/tags/lets-encrypt/atom.xml" rel="self" type="application/atom+xml"/>
<link href="https://librepages.org"/>
<generator uri="https://www.getzola.org/">Zola</generator>
<updated>2022-09-10T00:00:00+00:00</updated>
<id>https://librepages.org/tags/git/atom.xml</id>
<id>https://librepages.org/tags/lets-encrypt/atom.xml</id>
<entry xml:lang="en">
<title>How to deploy a website WITHOUT LibrePages</title>
<published>2022-09-10T00:00:00+00:00</published>
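Review bot: the feed title starts with " - " on both the old and the new line (" - git", " - lets-encrypt"), so the site-name part of the title is empty in the generated feed. The site title is most likely unset in the Zola config; set it so feed readers show a name in front of the tag.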
@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!&lt;&#x2F;p&gt;
&lt;p&gt;We will be using the following technologies to deploy our website:&lt;&#x2F;p&gt;
&lt;ol&gt;
&lt;li&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;li&gt;
&lt;li&gt;Nginx (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;Let&#x27;s Encrypt (for HTTPS)&lt;&#x2F;li&gt;
&lt;li&gt;Gitea (but any Git hosting works)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;debian.org&quot;&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;www.nginx.com&#x2F;&quot;&gt;Nginx&lt;&#x2F;a&gt; (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;letsencrypt.org&#x2F;&quot;&gt;Let&#x27;s Encrypt&lt;&#x2F;a&gt; (for HTTPS)&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
&lt;p&gt;Let&#x27;s get started!&lt;&#x2F;p&gt;
&lt;h2 id=&quot;1-setup-debian-gnu-linux&quot;&gt;1. Setup Debian GNU&#x2F;Linux&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-setup-debian-gnu-linux&quot; aria-label=&quot;Anchor link for: 1-setup-debian-gnu-linux&quot;
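Review bot: the new Nginx list item still reads "(webs server)"; the typo is carried over unchanged from the removed line. Change it to "(web server)" in the source post so the next deploy corrects every generated copy of this entry.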
@ -53,25 +52,32 @@ from a lower-privileged account. Let&#x27;s make our account sudo capable:&lt;&#
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;Uncomplicated Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;a href=&quot;https:&#x2F;&#x2F;wiki.ubuntu.com&#x2F;UncomplicatedFirewall&quot;&gt;Uncomplicated
Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;)&lt;&#x2F;a&gt; is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `&#x2F;etc&#x2F;services.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt &quot;&gt;&lt;code class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot;&gt;&lt;span&gt;install ufw # we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw enable # deploy firewall
on is available at &lt;code&gt;&#x2F;etc&#x2F;services&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash &quot;&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt update &amp;amp;&amp;amp; &lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;apt&lt;&#x2F;span&gt;&lt;span&gt; upgrade &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# update system
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt install ufw &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw allow ssh &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw enable &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# deploy firewall
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;h3 id=&quot;1-3-secure-ssh&quot;&gt;1.3) Secure SSH&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-secure-ssh&quot; aria-label=&quot;Anchor link for: 1-3-secure-ssh&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.&lt;&#x2F;p&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Protecting_against_brute_force_attacks&quot;&gt;is susceptible to brute force
attacks&lt;&#x2F;a&gt;,
so we should &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Force_public_key_authentication&quot;&gt;disable password logins on our server and only allow
public-key authentication
only&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-3-1-generate-key-pair&quot;&gt;1.3.1) Generate key pair&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-generate-key-pair&quot; aria-label=&quot;Anchor link for: 1-3-1-generate-key-pair&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
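Review bot: the first command in the rewritten code block is `sudo apt update && apt upgrade`, so `apt upgrade` runs without sudo and fails for the lower-privileged account the guide has just made sudo capable. Make it `sudo apt update && sudo apt upgrade`.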
@ -139,7 +145,10 @@ the server, let&#x27;s disable password authentication on the server:&lt;&#x2F;p
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;We will be using &lt;code&gt;fail2ban&lt;&#x2F;code&gt; for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.&lt;&#x2F;p&gt;
&lt;p&gt;We will be using
&lt;a href=&quot;https:&#x2F;&#x2F;www.fail2ban.org&#x2F;wiki&#x2F;index.php&#x2F;Main_Page&quot;&gt;&lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.&lt;&#x2F;p&gt;
&lt;h4 id=&quot;1-3-1-install-fail2ban&quot;&gt;1.3.1) Install &lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-install-fail2ban&quot; aria-label=&quot;Anchor link for: 1-3-1-install-fail2ban&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
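Review bot: the heading here is numbered "1.3.1) Install fail2ban", but the previous hunk in this file already carries "1.3.1) Generate key pair", and that one is an h3 while this one is an h4. Renumber one of them and use the same heading level for both, otherwise the two section numbers collide and the outline is inconsistent.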
@ -323,7 +332,8 @@ authority to get our SSL certificates.&lt;&#x2F;p&gt;
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, Let&#x27;s Encrypt provides automation through &lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, there is a way to automate this process through
&lt;a href=&quot;https:&#x2F;&#x2F;certbot.eff.org&#x2F;&quot;&gt;&lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;h4 id=&quot;2-3-1-install-certbot&quot;&gt;2.3.1) Install &lt;code&gt;certbot&lt;&#x2F;code&gt;:&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-3-1-install-certbot&quot; aria-label=&quot;Anchor link for: 2-3-1-install-certbot&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;

View file

@ -34,21 +34,21 @@
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>git | LibrePages: JAMstack platform with focus on privacy and speed</title>
<title>lets-encrypt | LibrePages: JAMstack platform with focus on privacy and speed</title>
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="description" content="git" />
<meta name="description" content="lets-encrypt" />
<meta property="og:title" content="git | LibrePages: JAMstack platform with focus on privacy and speed" />
<meta property="og:title" content="lets-encrypt | LibrePages: JAMstack platform with focus on privacy and speed" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https:&#x2F;&#x2F;librepages.org" />
<meta property="og:description" content="git" />
<meta property="og:description" content="lets-encrypt" />
<meta
property="og:site_name"
content="git | LibrePages: JAMstack platform with focus on privacy and speed"
content="lets-encrypt | LibrePages: JAMstack platform with focus on privacy and speed"
/>
<link
rel="apple-touch-icon"
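Review bot: og:url in the unchanged context points at the site root, https://librepages.org, although every other field in this hunk describes the lets-encrypt tag listing, and og:type is "article" for what is an index page. Point og:url at the tag page's own URL so link previews resolve to the page being shared.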
@ -228,8 +228,8 @@
<div class="blog__container">
<div class="tag__title-container">
<h1 class="tag__title">#git</h1>
<a class="tag__rss-link--single" href="https:&#x2F;&#x2F;librepages.org&#x2F;tags&#x2F;git&#x2F;atom.xml" target="_blank" rel="noopener" title="RSS">
<h1 class="tag__title">#lets-encrypt</h1>
<a class="tag__rss-link--single" href="https:&#x2F;&#x2F;librepages.org&#x2F;tags&#x2F;lets-encrypt&#x2F;atom.xml" target="_blank" rel="noopener" title="RSS">
<img
src="https://librepages.org/icons/rss.svg?h=f6cd584bdbcd2eb4d1b8b84c9cf083ef45f772167c33fdcee754b35ae8ff4c7d"
class="tag__rss-icon--single"
@ -259,7 +259,7 @@
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>

View file

@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!&lt;&#x2F;p&gt;
&lt;p&gt;We will be using the following technologies to deploy our website:&lt;&#x2F;p&gt;
&lt;ol&gt;
&lt;li&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;li&gt;
&lt;li&gt;Nginx (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;Let&#x27;s Encrypt (for HTTPS)&lt;&#x2F;li&gt;
&lt;li&gt;Gitea (but any Git hosting works)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;debian.org&quot;&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;www.nginx.com&#x2F;&quot;&gt;Nginx&lt;&#x2F;a&gt; (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;letsencrypt.org&#x2F;&quot;&gt;Let&#x27;s Encrypt&lt;&#x2F;a&gt; (for HTTPS)&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
&lt;p&gt;Let&#x27;s get started!&lt;&#x2F;p&gt;
&lt;h2 id=&quot;1-setup-debian-gnu-linux&quot;&gt;1. Setup Debian GNU&#x2F;Linux&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-setup-debian-gnu-linux&quot; aria-label=&quot;Anchor link for: 1-setup-debian-gnu-linux&quot;
@ -53,25 +52,32 @@ from a lower-privileged account. Let&#x27;s make our account sudo capable:&lt;&#
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;Uncomplicated Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;a href=&quot;https:&#x2F;&#x2F;wiki.ubuntu.com&#x2F;UncomplicatedFirewall&quot;&gt;Uncomplicated
Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;)&lt;&#x2F;a&gt; is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `&#x2F;etc&#x2F;services.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt &quot;&gt;&lt;code class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot;&gt;&lt;span&gt;install ufw # we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw enable # deploy firewall
on is available at &lt;code&gt;&#x2F;etc&#x2F;services&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash &quot;&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt update &amp;amp;&amp;amp; &lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;apt&lt;&#x2F;span&gt;&lt;span&gt; upgrade &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# update system
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt install ufw &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw allow ssh &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw enable &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# deploy firewall
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;h3 id=&quot;1-3-secure-ssh&quot;&gt;1.3) Secure SSH&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-secure-ssh&quot; aria-label=&quot;Anchor link for: 1-3-secure-ssh&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.&lt;&#x2F;p&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Protecting_against_brute_force_attacks&quot;&gt;is susceptible to brute force
attacks&lt;&#x2F;a&gt;,
so we should &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Force_public_key_authentication&quot;&gt;disable password logins on our server and only allow
public-key authentication
only&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-3-1-generate-key-pair&quot;&gt;1.3.1) Generate key pair&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-generate-key-pair&quot; aria-label=&quot;Anchor link for: 1-3-1-generate-key-pair&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
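Review bot: the paragraph above the code block says ports 80 and 443 are required, but the block ends after `sudo ufw allow ssh` and `sudo ufw enable`, so nothing in this hunk opens the web ports. Either add the two allow rules to this block or state that they are opened in a later section, so a reader who stops here does not end up with a web server that is unreachable.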
@ -139,7 +145,10 @@ the server, let&#x27;s disable password authentication on the server:&lt;&#x2F;p
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;We will be using &lt;code&gt;fail2ban&lt;&#x2F;code&gt; for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.&lt;&#x2F;p&gt;
&lt;p&gt;We will be using
&lt;a href=&quot;https:&#x2F;&#x2F;www.fail2ban.org&#x2F;wiki&#x2F;index.php&#x2F;Main_Page&quot;&gt;&lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.&lt;&#x2F;p&gt;
&lt;h4 id=&quot;1-3-1-install-fail2ban&quot;&gt;1.3.1) Install &lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-install-fail2ban&quot; aria-label=&quot;Anchor link for: 1-3-1-install-fail2ban&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -323,7 +332,8 @@ authority to get our SSL certificates.&lt;&#x2F;p&gt;
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, Let&#x27;s Encrypt provides automation through &lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, there is a way to automate this process through
&lt;a href=&quot;https:&#x2F;&#x2F;certbot.eff.org&#x2F;&quot;&gt;&lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;h4 id=&quot;2-3-1-install-certbot&quot;&gt;2.3.1) Install &lt;code&gt;certbot&lt;&#x2F;code&gt;:&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-3-1-install-certbot&quot; aria-label=&quot;Anchor link for: 2-3-1-install-certbot&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;

View file

@ -259,7 +259,7 @@
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>

View file

@ -19,10 +19,9 @@ but knowing how to do it manually using industry standard
technologies always helps!&lt;&#x2F;p&gt;
&lt;p&gt;We will be using the following technologies to deploy our website:&lt;&#x2F;p&gt;
&lt;ol&gt;
&lt;li&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;li&gt;
&lt;li&gt;Nginx (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;Let&#x27;s Encrypt (for HTTPS)&lt;&#x2F;li&gt;
&lt;li&gt;Gitea (but any Git hosting works)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;debian.org&quot;&gt;GNU&#x2F;Linux server(Debian)&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;www.nginx.com&#x2F;&quot;&gt;Nginx&lt;&#x2F;a&gt; (webs server)&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;letsencrypt.org&#x2F;&quot;&gt;Let&#x27;s Encrypt&lt;&#x2F;a&gt; (for HTTPS)&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
&lt;p&gt;Let&#x27;s get started!&lt;&#x2F;p&gt;
&lt;h2 id=&quot;1-setup-debian-gnu-linux&quot;&gt;1. Setup Debian GNU&#x2F;Linux&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-setup-debian-gnu-linux&quot; aria-label=&quot;Anchor link for: 1-setup-debian-gnu-linux&quot;
@ -53,25 +52,32 @@ from a lower-privileged account. Let&#x27;s make our account sudo capable:&lt;&#
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;Uncomplicated Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;) is a popular firewall that is easy to
set up and maintain. For most installations, this should be enough.
System administrators use firewalls to open only the ports that they
think should receive traffic from external networks. Without it, all
ports will be open, causing a security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;&lt;a href=&quot;https:&#x2F;&#x2F;wiki.ubuntu.com&#x2F;UncomplicatedFirewall&quot;&gt;Uncomplicated
Firewall(&lt;code&gt;ufw&lt;&#x2F;code&gt;)&lt;&#x2F;a&gt; is a
popular firewall that is easy to set up and maintain. For most
installations, this should be enough. System administrators use
firewalls to open only the ports that they think should receive traffic
from external networks. Without it, all ports will be open, causing a
security nightmare.&lt;&#x2F;p&gt;
&lt;p&gt;We will require standard SSH (22), and the standard web ports (80 and
443). A comprehensive list of services and the list of ports the listen
on is available at `&#x2F;etc&#x2F;services.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt &quot;&gt;&lt;code class=&quot;language-bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot; data-lang=&quot;bash $ sudo apt update &amp;&amp; apt upgrade # update system $ sudo apt&quot;&gt;&lt;span&gt;install ufw # we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw allow ssh # allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span&gt;$ sudo ufw enable # deploy firewall
on is available at &lt;code&gt;&#x2F;etc&#x2F;services&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;bash&quot; style=&quot;background-color:#2b303b;color:#c0c5ce;&quot; class=&quot;language-bash &quot;&gt;&lt;code class=&quot;language-bash&quot; data-lang=&quot;bash&quot;&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt update &amp;amp;&amp;amp; &lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;apt&lt;&#x2F;span&gt;&lt;span&gt; upgrade &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# update system
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo apt install ufw &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# we are using `ufw` for the firewall
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw allow ssh &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# allow SSH traffic on port 22, required to log into the server
&lt;&#x2F;span&gt;&lt;span style=&quot;color:#bf616a;&quot;&gt;$&lt;&#x2F;span&gt;&lt;span&gt; sudo ufw enable &lt;&#x2F;span&gt;&lt;span style=&quot;color:#65737e;&quot;&gt;# deploy firewall
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;h3 id=&quot;1-3-secure-ssh&quot;&gt;1.3) Secure SSH&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-secure-ssh&quot; aria-label=&quot;Anchor link for: 1-3-secure-ssh&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted
channels. By default, users can log in with their password
using SSH. But password authentication is susceptible to brute force attacks, so we should disable password logins on our server and only allow public-key authentication only.&lt;&#x2F;p&gt;
&lt;p&gt;SSH allows remote access to our servers over secure, encrypted channels.
By default, users can log in with their password using SSH. But password
authentication &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Protecting_against_brute_force_attacks&quot;&gt;is susceptible to brute force
attacks&lt;&#x2F;a&gt;,
so we should &lt;a href=&quot;https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;title&#x2F;OpenSSH#Force_public_key_authentication&quot;&gt;disable password logins on our server and only allow
public-key authentication
only&lt;&#x2F;a&gt;.&lt;&#x2F;p&gt;
&lt;h3 id=&quot;1-3-1-generate-key-pair&quot;&gt;1.3.1) Generate key pair&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-generate-key-pair&quot; aria-label=&quot;Anchor link for: 1-3-1-generate-key-pair&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
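Review bot: two wording slips survive in the new lines. "the list of ports the listen on" should read "they listen on", and the SSH paragraph ends "only allow public-key authentication only", with the second "only" now sitting inside the link text. Drop the trailing "only" and fix "the" in the source post.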
@ -139,7 +145,10 @@ the server, let&#x27;s disable password authentication on the server:&lt;&#x2F;p
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
&lt;&#x2F;h3&gt;
&lt;p&gt;We will be using &lt;code&gt;fail2ban&lt;&#x2F;code&gt; for intrusion prevention by blackiisting entities (users, bots, etc.) based on failed login attempts.&lt;&#x2F;p&gt;
&lt;p&gt;We will be using
&lt;a href=&quot;https:&#x2F;&#x2F;www.fail2ban.org&#x2F;wiki&#x2F;index.php&#x2F;Main_Page&quot;&gt;&lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;&#x2F;a&gt; for
intrusion prevention by blacklisting entities (users, bots, etc.) based
on failed login attempts.&lt;&#x2F;p&gt;
&lt;h4 id=&quot;1-3-1-install-fail2ban&quot;&gt;1.3.1) Install &lt;code&gt;fail2ban&lt;&#x2F;code&gt;&lt;a class=&quot;zola-anchor&quot; href=&quot;#1-3-1-install-fail2ban&quot; aria-label=&quot;Anchor link for: 1-3-1-install-fail2ban&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;
@ -323,7 +332,8 @@ authority to get our SSL certificates.&lt;&#x2F;p&gt;
will have to log in every three months and renew the
certificate. If you fail or forget it, your visitors will see security
warnings on your website.&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, Let&#x27;s Encrypt provides automation through &lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;p&gt;
&lt;p&gt;Thankfully, there is a way to automate this process through
&lt;a href=&quot;https:&#x2F;&#x2F;certbot.eff.org&#x2F;&quot;&gt;&lt;code&gt;certbot&lt;&#x2F;code&gt;&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;h4 id=&quot;2-3-1-install-certbot&quot;&gt;2.3.1) Install &lt;code&gt;certbot&lt;&#x2F;code&gt;:&lt;a class=&quot;zola-anchor&quot; href=&quot;#2-3-1-install-certbot&quot; aria-label=&quot;Anchor link for: 2-3-1-install-certbot&quot;
&gt;&lt;span class=&quot;anchor-icon&quot;&gt;#&lt;&#x2F;span&gt;&lt;&#x2F;a
&gt;

View file

@ -259,7 +259,7 @@
<a class="blog__post-tag" href="/tags/JAMStack">#JAMStack</a>
<a class="blog__post-tag" href="/tags/git">#git</a>
<a class="blog__post-tag" href="/tags/lets-encrypt">#lets-encrypt</a>
<a class="blog__post-tag" href="/tags/self-hosting">#self-hosting</a>