Linux Security Hardening: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Internal=
=Internal=


* [[Linux 7 Security#Subjects|Linux Security]]
* [[Linux Security#Subjects|Linux Security]]


=Overview=
=Overview=
Line 26: Line 26:


* [[Postfix#Service|postfix]]
* [[Postfix#Service|postfix]]
* [[Chronyd#Stop_the_Daemon_from_Listening|chronyd]]


==sshd==
==sshd==


* Create a special login user with a random name and a long, random password:
===Allowed Users===
 
Configure sshd to only allow root access [[Sshd_Configuration#Allow_root_Access_only_with_Public_Key|only based on public/private key identification]].
 
Alternatively, create a special login user with a random name and a long, random password:


  groupadd -g 1200 m3rt50acc
  groupadd -g 1200 m3rt50acc
  useradd -g 1200 -m -u 1200 m3rt50acc
  useradd -g 1200 -m -u 1200 m3rt50acc


* [[Sshd_Configuration#Disallow_root_to_Connect|Disallow root to log in]].
then [[Sshd_Configuration#Disallow_root_to_Connect|Disallow root to log in at all]]. Possibly add m3rt50acc's public key to authorized_keys.
 
===sshd Port===
 
[[Sshd_Configuration#Change_the_Default_Port|Change the sshd port from 22]].
 
===Disable IPV6===
 
 
[[Sshd_Configuration#Prevent_from_Listening_on_IPV6|Prevent the sshd from listing on IPV6]].
 
==iptables==
 
iptables review.
 
=Incremental Remote Backup System Security Analysis=
 
{{Internal|Incremental_Remote_Backup_System_Security_Analysis|Incremental Remote Backup System Security Analysis}}


=TODO=
=TODO=

Latest revision as of 21:14, 1 March 2021

Internal

Overview

Steps

Minimal Footprint

Install a minimal image and add utilities as needed.

Eliminate Users

Remove all unneeded users.

root

Change the root's password to a long, random one.

Scan for Services Listening on Ports

 netstat -tupln

Eliminate:

sshd

Allowed Users

Configure sshd to only allow root access only based on public/private key identification.

Alternatively, create a special login user with a random name and a long, random password:

groupadd -g 1200 m3rt50acc
useradd -g 1200 -m -u 1200 m3rt50acc

then Disallow root to log in at all. Possibly add m3rt50acc's public key to authorized_keys.

sshd Port

Change the sshd port from 22.

Disable IPV6

Prevent the sshd from listing on IPV6.

iptables

iptables review.

Incremental Remote Backup System Security Analysis

Incremental Remote Backup System Security Analysis

TODO

  • Penetration detection.