Linux Security Hardening: Difference between revisions
Jump to navigation
Jump to search
(→sshd) |
(→sshd) |
||
| Line 28: | Line 28: | ||
==sshd== | ==sshd== | ||
===Allowed Users=== | |||
Configure sshd to only allow root access [[Sshd_Configuration#Allow_root_Access_only_with_Public_Key|only based on public/private key identification]]. | Configure sshd to only allow root access [[Sshd_Configuration#Allow_root_Access_only_with_Public_Key|only based on public/private key identification]]. | ||
| Line 37: | Line 39: | ||
then [[Sshd_Configuration#Disallow_root_to_Connect|Disallow root to log in at all]]. Possibly add m3rt50acc's public key to authorized_keys. | then [[Sshd_Configuration#Disallow_root_to_Connect|Disallow root to log in at all]]. Possibly add m3rt50acc's public key to authorized_keys. | ||
===sshd Port=== | |||
Change the sshd port from 22. | |||
=TODO= | =TODO= | ||
Revision as of 04:52, 22 April 2018
Internal
Overview
Steps
Minimal Footprint
Install a minimal image and add utilities as needed.
Eliminate Users
Remove all unneeded users.
root
Change the root's password to a long, random one.
Scan for Services Listening on Ports
netstat -tupln
Eliminate:
sshd
Allowed Users
Configure sshd to only allow root access only based on public/private key identification.
Alternatively, create a special login user with a random name and a long, random password:
groupadd -g 1200 m3rt50acc useradd -g 1200 -m -u 1200 m3rt50acc
then Disallow root to log in at all. Possibly add m3rt50acc's public key to authorized_keys.
sshd Port
Change the sshd port from 22.
TODO
- Penetration detection.