Linux Security Hardening: Difference between revisions
Jump to navigation
Jump to search
(Created page with "=Internal= * Linux 7 Security#Subjects") |
No edit summary |
||
| (24 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=Internal= | =Internal= | ||
* [[Linux | * [[Linux Security#Subjects|Linux Security]] | ||
=Overview= | |||
=Steps= | |||
==Minimal Footprint== | |||
Install a minimal image and add utilities as needed. | |||
==Eliminate Users== | |||
Remove all unneeded users. | |||
==root== | |||
Change the root's password to a long, random one. | |||
==Scan for Services Listening on Ports== | |||
[[Netstat#Scan_Open_Ports_and_Shut_Down_Services|netstat -tupln]] | |||
Eliminate: | |||
* [[Postfix#Service|postfix]] | |||
* [[Chronyd#Stop_the_Daemon_from_Listening|chronyd]] | |||
==sshd== | |||
===Allowed Users=== | |||
Configure sshd to only allow root access [[Sshd_Configuration#Allow_root_Access_only_with_Public_Key|only based on public/private key identification]]. | |||
Alternatively, create a special login user with a random name and a long, random password: | |||
groupadd -g 1200 m3rt50acc | |||
useradd -g 1200 -m -u 1200 m3rt50acc | |||
then [[Sshd_Configuration#Disallow_root_to_Connect|Disallow root to log in at all]]. Possibly add m3rt50acc's public key to authorized_keys. | |||
===sshd Port=== | |||
[[Sshd_Configuration#Change_the_Default_Port|Change the sshd port from 22]]. | |||
===Disable IPV6=== | |||
[[Sshd_Configuration#Prevent_from_Listening_on_IPV6|Prevent the sshd from listing on IPV6]]. | |||
==iptables== | |||
iptables review. | |||
=Incremental Remote Backup System Security Analysis= | |||
{{Internal|Incremental_Remote_Backup_System_Security_Analysis|Incremental Remote Backup System Security Analysis}} | |||
=TODO= | |||
<font color=red> | |||
* Penetration detection. | |||
</font> | |||
Latest revision as of 21:14, 1 March 2021
Internal
Overview
Steps
Minimal Footprint
Install a minimal image and add utilities as needed.
Eliminate Users
Remove all unneeded users.
root
Change the root's password to a long, random one.
Scan for Services Listening on Ports
netstat -tupln
Eliminate:
sshd
Allowed Users
Configure sshd to only allow root access only based on public/private key identification.
Alternatively, create a special login user with a random name and a long, random password:
groupadd -g 1200 m3rt50acc useradd -g 1200 -m -u 1200 m3rt50acc
then Disallow root to log in at all. Possibly add m3rt50acc's public key to authorized_keys.
sshd Port
Disable IPV6
Prevent the sshd from listing on IPV6.
iptables
iptables review.
Incremental Remote Backup System Security Analysis
TODO
- Penetration detection.