System Security¶
Overview¶
How do I run DietPi-Software and install optimised software items?
To install any of the DietPi optimised software items listed below run from the command line:
dietpi-software
Choose Browse Software and select one or more items. Finally select Install
.
DietPi will do all the necessary steps to install and start these software items.
To see all the DietPi configurations options, review the DietPi Tools section.
Return to the Optimised Software list
Let’s Encrypt¶
Let’s Encrypt is a free SSL certificate provider. Certbot is the official client to apply Let’s Encrypt SSL certificates to your webserver. This will allow you to have https://
(encrypted and authenticated) access to your websites.
Requirements¶
To use Certbot you need:
- A working Apache, Nginx or Lighttpd webserver
- A URL/domain (e.g.:
mysite.org
). No-IP can be used for a URL/domain that points to your device. - Ports 80 and 443 (TCP) need to be forwarded to your device. This is typically set within your router.
Keep port 80 open for Certbot renewal
Even when you use only HTTPS on port 443, Let’s Encrypt requires port 80 to stay opened for certificate renewals (in your router’s forwarding functionality).
Create and apply your cert¶
Once Certbot has been installed from dietpi-software
, run dietpi-letsencrypt
to configure, create and apply your SSL certificate:
dietpi-letsencrypt
Simply enter the details and settings you require, then select Apply
.
Let’s Encrypt is that simple!
Website: https://letsencrypt.org
Fail2Ban¶
Fail2Ban protects your system from brute-force attacks by banning the source IP address.
We have enabled detection for SSH servers (OpenSSH and Dropbear), however, Fail2Ban also supports additional software.
Source: Lostcontrol
of Fail2ban wiki, GPL
An IP address is by default ban triggered after 3 failed SSH login attempts. Fail2Ban will ban the source IP address for 10 minutes.
The status can be checked with these commands:
fail2ban-client status sshd
fail2ban-client status dropbear
Fail2Ban supports brute-force protection for other software (e.g. Apache, ProFTPD etc).
You can enable/disable these features by modifying the /etc/fail2ban/jail.conf file, and setting enable = true
under the [software] name.