@@ -0,0 +1,90 @@
+This is not an exhaustive step by step guide to securirty.
+Instead it is to jog the memory of system administrators, who remain solely responsible for their own security. To give them tips, and hints, or reminders.
+System admins should do they own research and assume articles they find online are out of date.
+
+
+## Hosting party website user control panel
+Many hosting companies offer a webgui to their customers, here see if you can:
+1. Enable two-factor-authentication to secure this web-portal
+1. Configure and activate the firewall
+
+
+# Debian hardening
+## umask
+By default users can read files belonging to other users, for isntance in their home directory.
+If the system is going to be used by multiple peopel taht do not share trust you may consider changing the umask from 022 to 027.
+
+### Via login.defs
+1. Edit `/etc/login.defs` to change the line `UMASK 022` to `UMASK 027`
+Example file included: `./etc/login.defs`
+
+### Via profile
+#### Globally
+1. Append to `/etc/profile`: `umask 027`
+
+#### Individually
+1. Optionally set it as default in `/etc/skel/.profile`, by appending `umask 027` to it
+1. Append `umask 027` to any `~/.profile` files for users that require this umask
+
+### Via pam
+1. `apt install libpam-umask`
+1. Append `session optional pam_umask.so umask=027` to `/etc/pam.d/common-session`
+
+
+## root account
+Do not by default use the root account, instead create your own and escallate privileges only when needed.
+1. Create your user: `useradd -m -s /bin/bash USERNAME` (Where USERNAME is your username)
+1. Add your new user to the sudo group: `usermod -aG sudo USERNAME`
+
+
+## ssh
+Consider disconnecting inactive users, as disconnected SSH sessions can be hyjakced.
+1. Open `/etc/profile`
+1. Append `TMOUT=1800` for a 30 minute timeout
+1. Append `readonly TMOUT` to make users unable to edit their timeout
+1. Append `export TMOUT`
+1. Also append the same to any `~/.profile` files for users already created
+Example:
+```
+TMOUT=1800
+readonly TMOUT
+export TMOUT
+```
+
+Disable root login and create a group for users who are allowed to login. (There are many bad-faith actors constantly scanning for servers with port 22 open and then try to bruteforce the root password)
+1. Create group: `groupadd ssh-user`
+1. Add users to the group: `usermod -aG ssh-user USERNAME` (Where USERNAME is your username)
+1. Open `/etc/ssh/sshd_config`: `nano /etc/ssh/sshd_config`
+1. Append to file: `AllowGroups ssh-user`
+1. Restart the SSH daemon: `sudo systemctl restart sshd`
+1. Test establishing a connection with your non-root user, only proceed if this works
+1. Edit `/etc/ssh/sshd_config` again and change `#PermitRootLogin prohibit-password` to `#PermitRootLogin no`
+1. Alter `Ciphers and keying`, `Authentication`, settings to modern settings and fitting to your case
+1. Consider running the SSH daemon on a non-standard port
+Example file included: `./etc/ssh/sshd_config`
+
+
+## Password Authentication Module: PAM
+It might be interesting to look at `apt-cache search libpam` to find other uses for pam that fit your situation.
+
+### Password policy
+You can not rely on peolpe using sane and secure passwords, even if they are professionals.
+Since Debian 12 `pam_cracklib.so`/`libpam-cracklib` is no longer used for this.
+1. `sudo apt install libpam-pwquality`
+1. Read `man pam_pwquality` for the options
+1. Open `/etc/pam.d/common-password` and edit the line starting with `password requisite pam_pwquality.so` to your liking
+Example file included: `./etc/pam.d/common-password`
+
+## Authentication
+Disable passwordless logins for accounts with no password set.
+1. Set `PREVENT_NO_AUTH no` to `PREVENT_NO_AUTH yes` in `/etc/login.defs`
+
+Limit the amount of time a password can be entered before the login is rejected.
+1. Modify the value for `LOGIN_RETRIES` in `/etc/login.defs`
+Example file included: `./etc/login.defs`
+
+
+## Netfilter
+In case there is no dataenter firewall via its webgui. Or just for improved/redundant security (Imagine if one layer fails or gets compromised)
+
+See: https://git.h0v1n8.nl/tBKwtWS/netfilter-config
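Review bot: the `PermitRootLogin` step in the ssh section leaves the directive commented out, so it changes nothing: `#PermitRootLogin no` is still a comment and the daemon keeps its default (`prohibit-password`). The step should read: change `#PermitRootLogin prohibit-password` to `PermitRootLogin no` (no leading `#`), and a restart of the SSH daemon belongs after this edit as well, since the only restart in the list comes before it. Smaller points in the same hunk: the `useradd` step never sets a password (`passwd USERNAME`) or installs a key for the new account, so a freshly created user cannot pass the "test establishing a connection" step; the heading `## Password Authentication Module: PAM` should say Pluggable Authentication Modules, which is what PAM stands for; the `LOGIN_RETRIES` sentence should say "the number of times a password can be entered", not "the amount of time"; `TMOUT` closes idle interactive shells, so the motivating sentence should talk about idle sessions rather than disconnected ones; and several typos need fixing (securirty, isntance, peopel taht, escallate, hyjakced, peolpe, dataenter).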