Linux Security Hardening: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 26: Line 26:


* [[Postfix#Service|postfix]]
* [[Postfix#Service|postfix]]
* [[chronyd#Service|chronyd]]


==sshd==
==sshd==

Revision as of 05:12, 22 April 2018

Internal

Overview

Steps

Minimal Footprint

Install a minimal image and add utilities as needed.

Eliminate Users

Remove all unneeded users.

root

Change the root's password to a long, random one.

Scan for Services Listening on Ports

 netstat -tupln

Eliminate:

sshd

Allowed Users

Configure sshd to only allow root access only based on public/private key identification.

Alternatively, create a special login user with a random name and a long, random password:

groupadd -g 1200 m3rt50acc
useradd -g 1200 -m -u 1200 m3rt50acc

then Disallow root to log in at all. Possibly add m3rt50acc's public key to authorized_keys.

sshd Port

Change the sshd port from 22.

Disable IPV6

Prevent the sshd from listing on IPV6.

TODO

  • Penetration detection.