|
|
@@ -1,15 +1,18 @@
|
|
|
-This is not an exhaustive step by step guide to securirty.
|
|
|
-Instead it is to jog the memory of system administrators, who remain solely responsible for their own security. To give them tips, and hints, or reminders.
|
|
|
+This is not an exhaustive step-by-step guide to security.
|
|
|
+Instead, it is to jog the memory of system administrators, who remain solely responsible for their own security. To give them tips, and hints, or reminders.
|
|
|
System admins should do they own research and assume articles they find online are out of date.
|
|
|
|
|
|
|
|
|
## Hosting party website user control panel
|
|
|
-Many hosting companies offer a webgui to their customers, here see if you can:
|
|
|
+Many hosting companies offer a webgui to their customers, see if you can:
|
|
|
1. Enable two-factor-authentication to secure this web-portal
|
|
|
1. Configure and activate the firewall
|
|
|
|
|
|
|
|
|
# Debian hardening
|
|
|
+## Installation
|
|
|
+A possible strategy is making multiple filesystems, so logs, homes, or temporary files can't clogg up the system.
|
|
|
+WIth the added bonus of being able to mount /tmp as noexec, or /usr as read-only
|
|
|
## umask
|
|
|
By default users can read files belonging to other users, for isntance in their home directory.
|
|
|
If the system is going to be used by multiple peopel taht do not share trust you may consider changing the umask from 022 to 027.
|
|
|
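Review bot: the new Installation paragraph ends on a typo and an unfinished sentence (`+WIth the added bonus of being able to mount /tmp as noexec, or /usr as read-only`), and the read-only `/usr` advice collides with the Unattended upgrades section added later in this same patch: `apt` writes into `/usr`, so automatic upgrades fail unless the filesystem is remounted read-write for the run. Suggest "With the added bonus of being able to mount `/tmp` as `noexec`, or `/usr` as read-only (remount it read-write before `apt` runs)." and `clog` for `clogg`. Naming the mount points ("separate filesystems for `/var/log`, `/home` and `/tmp`") is more useful than "logs, homes, or temporary files", and it is worth saying that `noexec` on `/tmp` is defence in depth rather than a barrier, since an interpreter can still run a script dropped there. Minor: `+Many hosting companies offer a webgui to their customers, see if you can:` is still a comma splice after dropping "here"; a colon or "and in it see if you can:" reads better.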
@@ -20,10 +23,11 @@ Example file included: `./etc/login.defs`
|
|
|
|
|
|
### Via profile
|
|
|
#### Globally
|
|
|
+`/etc/profile` is read at login so admins can set global defaults without having to edit every user.
|
|
|
1. Append to `/etc/profile`: `umask 027`
|
|
|
|
|
|
#### Individually
|
|
|
-1. Optionally set it as default in `/etc/skel/.profile`, by appending `umask 027` to it
|
|
|
+1. Optionally set it as default for new accounts in `/etc/skel/.profile`, by appending `umask 027` to it
|
|
|
1. Append `umask 027` to any `~/.profile` files for users that require this umask
|
|
|
|
|
|
### Via pam
|
|
|
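Review bot: the added sentence `+\`/etc/profile\` is read at login so admins can set global defaults without having to edit every user.` overstates what this covers. `/etc/profile` is sourced only by login shells of Bourne-compatible shells, so cron jobs, systemd services, `scp`/`sftp` sessions and users whose shell is zsh do not pick the umask up, and any user can override it from `~/.profile`. Suggest "`/etc/profile` is read by login shells, so admins can set a default without editing every user's `~/.profile`; it does not cover non-login sessions and users can override it, so use the pam method below when the umask must be enforced." "edit every user" also reads as editing the account rather than the file.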
@@ -83,8 +87,28 @@ Limit the amount of time a password can be entered before the login is rejected.
|
|
|
1. Modify the value for `LOGIN_RETRIES` in `/etc/login.defs`
|
|
|
Example file included: `./etc/login.defs`
|
|
|
|
|
|
+### fail2ban
|
|
|
+TODO
|
|
|
+
|
|
|
+## Unattended upgrades
|
|
|
+1. `sudo apt install unattended-upgrades apt-listchanges`
|
|
|
+1. `sudo nano /etc/apt/apt.conf.d/50unattended-upgrades`
|
|
|
+
|
|
|
+## Molly-guard
|
|
|
+It is not only about security, but also stability. Molly-guard protects machines from accidental shutdowns/reboots by asking to enter the hostname.
|
|
|
+1. `sudo apt install molly-guard`
|
|
|
+
|
|
|
+## Tripwire
|
|
|
+TODO
|
|
|
|
|
|
## Netfilter
|
|
|
In case there is no dataenter firewall via its webgui. Or just for improved/redundant security (Imagine if one layer fails or gets compromised)
|
|
|
|
|
|
See: https://git.h0v1n8.nl/tBKwtWS/netfilter-config
|
|
|
+
|
|
|
+## Kernel flags
|
|
|
+
|
|
|
+## Build flags
|
|
|
+
|
|
|
+## Remove all unneeded packages
|
|
|
+Any possible attack surface that is not required could be removed.
|