Linux Security Hardening: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 04:38, 22 April 2018

Internal

Overview

Steps

Minimal Footprint

Install a minimal image and add utilities as needed.

Eliminate Users

Remove every account the host does not need. Check /etc/passwd for users beyond root and the service accounts the installed packages require, and delete the rest (userdel -r also removes the home directory).

root

Change root's password to a long, random one.

Scan for Services Listening on Ports

 netstat -tupln

or, on hosts without net-tools, the iproute2 equivalent:

 ss -tulpn

Run either as root; otherwise the process column is empty for sockets owned by other users.
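The port scan above, taken one step further as an added example (this is not code from the original page): instead of reading the socket table by eye, parse ss-style output and report every listening socket whose owning process is not on an explicit allowlist. The sample socket table and the allowlist are constructed for illustration; on a real host feed it live `ss -tulpnH` output and the services the host is meant to run.

```shell
#!/bin/sh
# Added example (not code from the original page): turn the port scan into
# a check. Parse `ss -tulpnH` style output (the iproute2 equivalent of
# `netstat -tupln`) and report every listening socket whose owning process
# is not on an explicit allowlist. Sample data and allowlist are constructed.

# Constructed sample of `ss -tulpnH` output for a hypothetical host.
SAMPLE_SS='udp   UNCONN 0   0     0.0.0.0:68      0.0.0.0:*   users:(("dhclient",pid=412,fd=6))
tcp   LISTEN 0   128   0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0   128   127.0.0.1:25    0.0.0.0:*   users:(("master",pid=950,fd=13))
tcp   LISTEN 0   511   0.0.0.0:80      0.0.0.0:*   users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0   50    [::]:3306       [::]:*      users:(("mysqld",pid=1500,fd=21))
tcp   LISTEN 0   128   [::]:22         [::]:*      users:(("sshd",pid=801,fd=4))'

# Processes this host is supposed to expose (assumed); anything else is a finding.
ALLOWED_PROCS="sshd nginx"

# extract_listeners: stdin is ss output; prints "proto local_address process".
# The process name is the first quoted string inside users:((...)); when ss
# was run without root it is absent and "unknown" is printed instead.
extract_listeners() {
  awk '{
    proc = "unknown"
    if (match($0, /users:\(\("[^"]+"/))
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    print $1, $5, proc
  }'
}

# unexpected_listeners: stdin is ss output; prints only the sockets whose
# process is not in ALLOWED_PROCS. Loopback-only binds are still reported:
# "nobody can reach it" is a statement about today's firewall, not about
# whether the service belongs on the host.
unexpected_listeners() {
  extract_listeners | while read -r proto laddr proc; do
    case " $ALLOWED_PROCS " in
      *" $proc "*) ;;
      *) echo "$proto $laddr $proc" ;;
    esac
  done
}

# count_unexpected_sample: number of findings in the embedded sample.
count_unexpected_sample() {
  printf '%s\n' "$SAMPLE_SS" | unexpected_listeners | wc -l | tr -d ' '
}

# Live use (root is needed for ss to show process names; -H drops the header):
#   ss -tulpnH | unexpected_listeners
```

On the constructed sample the check reports dhclient on udp/68, the postfix master on 127.0.0.1:25 and mysqld on 3306, which is exactly the list to go through before the "Eliminate" step.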

Eliminate every listener that is not required. For those that must stay:

sshd

Configure sshd so that root can log in only with public-key authentication: PermitRootLogin prohibit-password and PasswordAuthentication no in sshd_config, with root's public key in /root/.ssh/authorized_keys.

Alternatively, create a dedicated login user with a random name and a long, random password. The random name only keeps the account out of the wordlists that brute-force bots try; it is not a substitute for key-only authentication:

groupadd -g 1200 m3rt50acc
useradd -g 1200 -m -u 1200 m3rt50acc

Optionally add the user's public key to ~/.ssh/authorized_keys so that this account is key-only as well. Then disallow root from logging in at all (PermitRootLogin no), so the only route to root is a key login to this user followed by su or sudo.
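The two sshd steps above as repeatable shell functions, added here as an example (this is not the page's own code). create_login_user() performs the groupadd/useradd from the page and installs a public key with the permissions sshd requires; harden_sshd_config() rewrites sshd_config so that root cannot log in and passwords are never accepted; audit_sshd_config() counts the weak settings that remain, so the same function can be run before and after. The user name, UID, key path and the sample sshd_config are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the original page): the two sshd steps above
# as repeatable shell functions. create_login_user() performs the wiki's
# groupadd/useradd and installs a public key; harden_sshd_config() rewrites
# sshd_config so root cannot log in and passwords are never accepted;
# audit_sshd_config() counts weak settings that remain. User name, UID and
# key path are assumptions for illustration.

# Constructed sample sshd_config with the weak settings a stock image may
# ship; written to $1 so the config functions can be exercised offline.
write_sample_config() {
  cat > "$1" <<'EOF'
# sample sshd_config (constructed)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# set_sshd_directive FILE KEY VALUE: remove every existing line for KEY,
# active or commented out, then append "KEY VALUE". Idempotent, and safe
# against sshd's first-match-wins rule because only one line survives.
# Caveat: directives inside Match blocks are not handled.
set_sshd_directive() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  grep -viE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" || true
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# get_sshd_directive FILE KEY: print the effective value (first active
# occurrence, as sshd itself resolves it), or nothing if unset.
get_sshd_directive() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE [USER]: root may not log in at all, password and
# challenge-response authentication are off, keys are on, and if USER is
# given only that account may log in.
harden_sshd_config() {
  set_sshd_directive "$1" PermitRootLogin no
  set_sshd_directive "$1" PasswordAuthentication no
  set_sshd_directive "$1" ChallengeResponseAuthentication no
  set_sshd_directive "$1" PubkeyAuthentication yes
  if [ -n "$2" ]; then
    set_sshd_directive "$1" AllowUsers "$2"
  fi
}

# audit_sshd_config FILE: print how many of the three key directives are
# still weak. Unset PermitRootLogin is counted because its default changed
# across OpenSSH versions; unset PasswordAuthentication defaults to yes.
audit_sshd_config() {
  n=0
  v=$(get_sshd_directive "$1" PermitRootLogin)
  [ "$v" = "no" ] || [ "$v" = "prohibit-password" ] || n=$((n + 1))
  v=$(get_sshd_directive "$1" PasswordAuthentication)
  [ "$v" = "no" ] || n=$((n + 1))
  v=$(get_sshd_directive "$1" PubkeyAuthentication)
  [ "$v" != "no" ] || n=$((n + 1))
  echo "$n"
}

# create_login_user NAME UID PUBKEY_FILE: the groupadd/useradd step from the
# page plus the key install with the permissions sshd requires. Needs root,
# so it is not part of the offline check. useradd leaves the password
# locked, which is what a key-only account wants; run passwd only if the
# account also needs console or su access.
create_login_user() {
  name=$1; uid=$2; pub=$3
  groupadd -g "$uid" "$name"
  useradd -g "$uid" -m -u "$uid" -s /bin/bash "$name"
  home=$(getent passwd "$name" | cut -d: -f6)
  install -d -m 700 -o "$name" -g "$name" "$home/.ssh"
  install -m 600 -o "$name" -g "$name" "$pub" "$home/.ssh/authorized_keys"
}

# Live use (assumed names; keep an existing session open while restarting):
#   create_login_user m3rt50acc 1200 /root/m3rt50acc.pub
#   harden_sshd_config /etc/ssh/sshd_config m3rt50acc
#   sshd -t && systemctl restart sshd
```

Always run sshd -t on the rewritten file and restart from a session you keep open, so a typo cannot lock you out. On the constructed sample the audit reports 2 weak settings before hardening and 0 after.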

TODO

  • Intrusion detection.