Hardening Your Linux Recording Rig: A Technical Guide


Once you have your Headless Linux Server running CaptureGem, security becomes your primary concern. A recording server is often exposed to the local network or the internet for remote monitoring, making it a target. Follow these steps to harden your rig against unauthorized access.

1. The Principle of Least Privilege

Never run CaptureGem as the root user. If it runs as root and a vulnerability in the application or its dependencies is exploited, the attacker gains full control over your server.

  1. Create a dedicated user:
    sudo adduser cguser
  2. Assign ownership of recording directories:
    sudo chown -R cguser:cguser /opt/capturegem /mnt/recordings

2. Firewall Lockdown (UFW)

The Uncomplicated Firewall (UFW) should be active and configured to block everything except essential traffic.

# Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (Only if you need remote console access)
sudo ufw allow 22/tcp

# Allow CaptureGem Monitor API
sudo ufw allow 8080/tcp

# Enable firewall
sudo ufw enable

3. SSH Hardening

If your server is accessible via the internet, standard password authentication is not secure enough.

  1. Use SSH Keys: Generate a key on your client machine and use ssh-copy-id to transfer it.
  2. Disable Passwords: Edit /etc/ssh/sshd_config:
    PasswordAuthentication no
    PubkeyAuthentication yes
    PermitRootLogin no
  3. Restart SSH: sudo systemctl restart ssh
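
A check for step 2, as an added example that is not part of the original guide: sshd keeps the first value it reads for each keyword, so the three lines only take effect if no earlier line sets the same keyword. The function names, the strict treatment of unset keywords and the sample file are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. sshd keeps the FIRST value it
# reads for each keyword, so a line appended below an earlier, conflicting
# one has no effect. Reads a single file; Include directives are not followed.

# first_value FILE KEYWORD: print the first global-scope value of KEYWORD.
first_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/[ \t]*=[ \t]*/, " ") }      # accept "Key=value" and "Key value"
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        tolower($1) == "match" { exit }    # stop: Match blocks are conditional
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: print PASS/FAIL per setting, return 0 only if all pass.
# Assumption (strict by choice): a keyword that is never set counts as FAIL.
audit_sshd() {
    local file rc key want got
    file=$1; rc=0
    while read -r key want; do
        got=$(first_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
    return "$rc"
}

# Constructed sample: the guide's three lines appended below an existing
# "PasswordAuthentication yes", which shadows the appended "no".
demo=$(mktemp)
cat >"$demo" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
audit_sshd "$demo" || echo "sshd_config needs attention"
rm -f "$demo"
```

On a live host, sudo sshd -T prints the effective configuration, including files pulled in by Include, and sudo sshd -t validates the syntax before the restart in step 3.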

4. Brute-Force Protection (Fail2Ban)

Fail2Ban monitors your system logs for failed login attempts and automatically bans the offending IP addresses at the firewall level.

  1. Install: sudo apt install fail2ban
  2. Configure: Create /etc/fail2ban/jail.local:
    [sshd]
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 1h
  3. Restart: sudo systemctl restart fail2ban

5. Automated Security Updates

Don’t let your server rot. Enable Unattended Upgrades to ensure security patches are applied automatically without requiring manual intervention.

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Conclusion

By following these hardening steps, you significantly reduce the attack surface of your CaptureGem rig. A secure server is a reliable server, ensuring your collection remains private and protected for the long term.
