Non-exhaustive tips and advice on server hardening

This is not an exhaustive step-by-step guide to security. Instead, it is meant to jog the memory of system administrators, who remain solely responsible for their own security: tips, hints and reminders. System admins should do their own research and assume articles they find online are out of date.

Hosting provider control panel

Many hosting companies offer a web GUI to their customers. Check whether you can:

  1. Enable two-factor authentication to secure this web portal
  2. Configure and activate the provider-side firewall, which sits in front of the server and keeps working even if the host itself is compromised

Debian hardening

Installation

A possible strategy is to create multiple filesystems, so that logs, home directories or temporary files cannot fill up the root filesystem. An added bonus is being able to mount /tmp (and /var/tmp) with noexec, nosuid and nodev, or /usr read-only. Verify what is actually in effect after booting with findmnt -no OPTIONS /tmp.
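
As an added example (not from this repository), a small shell check that reads an fstab and reports which of a set of mountpoints lack the expected options or are not on their own filesystem. The list of mountpoints and options is this block's own choice, and the file name fstab-check.sh in the last line is only an assumption used for the run-directly guard. Run it against /etc/fstab on a live system, or against a copy of a planned layout before installing:

```shell
#!/bin/sh
# Check an fstab for the mount options this section recommends on
# filesystems that hold writable or untrusted data, and report mountpoints
# that are not separate filesystems at all. Prints one line per finding and
# returns 1 when an expected option is missing, 0 otherwise.
# $1 = path to an fstab (defaults to /etc/fstab)
fstab_missing_opts() {
    awk '
        BEGIN {
            # mountpoint -> options we expect; /usr is the read-only case
            want["/tmp"]     = "nodev nosuid noexec"
            want["/var/tmp"] = "nodev nosuid noexec"
            want["/home"]    = "nodev nosuid"
            want["/usr"]     = "ro"
            bad = 0
        }
        /^[[:space:]]*#/ || NF < 4 { next }          # comments and blank lines
        ($2 in want) {
            seen[$2] = 1
            n = split(want[$2], need, " ")
            for (i = 1; i <= n; i++) {
                # wrap in commas so "noexec" does not match inside another option
                if (("," $4 ",") !~ ("," need[i] ",")) {
                    printf "%s: missing %s\n", $2, need[i]
                    bad = 1
                }
            }
        }
        END {
            for (m in want)
                if (!(m in seen)) printf "%s: not a separate filesystem\n", m
            exit bad
        }
    ' "${1:-/etc/fstab}"
}

# Run directly as `sh fstab-check.sh [fstab]` (assumed file name); when
# sourced, only the function is defined.
case $0 in *fstab-check.sh) fstab_missing_opts "$@" ;; esac
```

The check only reads the configuration; what is mounted right now can differ (a bind mount, an initramfs quirk, a forgotten remount), so confirm the live state with findmnt as well.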

umask

By default users can read files belonging to other users, for instance in each other's home directories: with the default umask of 022 new files are created with mode 644 and directories with 755. If the system is going to be used by multiple people who do not share trust, consider changing the umask from 022 to 027, which removes all access for "other" (640 and 750). The umask only affects files created from then on; check the mode of existing home directories separately.

Via login.defs

  1. Edit /etc/login.defs and change the line UMASK 022 to UMASK 027. useradd also derives the mode of new home directories from UMASK unless HOME_MODE is set in the same file. Example file included: ./etc/login.defs

Via profile

Globally

/etc/profile is read by every login shell, so admins can set global defaults without having to edit every user's files.

  1. Append to /etc/profile: umask 027

Individually

  1. Optionally set it as default for new accounts in /etc/skel/.profile, by appending umask 027 to it
  2. Append umask 027 to any ~/.profile files for users that require this umask

Via pam

  1. pam_umask.so ships with libpam-modules on current Debian; check with dpkg -S pam_umask.so before installing a separate libpam-umask package
  2. Check /etc/pam.d/common-session for an existing session optional pam_umask.so line (Debian's default configuration usually has one, which takes its value from UMASK in /etc/login.defs); only if there is none, append session optional pam_umask.so umask=027
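
An added example (not from this repository) showing the effect of the change described above and the gap it leaves. modes_under_umask creates a file and a directory under a given umask in a throwaway directory and reports their modes, so you can see 022 versus 027 without touching real accounts; world_readable_dirs lists existing home directories that are still readable by everyone, since a new umask does nothing for directories created earlier. The file name umask-check.sh in the last line is an assumption used only for the run-directly guard.

```shell
#!/bin/sh
# Show what mode a new file and directory get under a given umask.
# $1 = umask, e.g. 022 or 027. Works in a throwaway directory so it can be
# run as an unprivileged user. Prints "file=NNN dir=NNN".
modes_under_umask() {
    scratch=$(mktemp -d) || return 1
    # umask is per process: set it in a subshell and create both objects there
    ( umask "$1" && : > "$scratch/f" && mkdir "$scratch/d" ) || { rm -rf "$scratch"; return 1; }
    printf 'file=%s dir=%s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# List directories directly under $1 (default /home) that are readable by
# "other", i.e. by every local account. Changing the umask only affects files
# created from now on; these directories keep their old mode until chmod'ed.
world_readable_dirs() {
    find "${1:-/home}" -mindepth 1 -maxdepth 1 -type d -perm -004 2>/dev/null | sort
}

# Run directly as `sh umask-check.sh [homedir]` (assumed file name); when
# sourced, only the functions are defined.
case $0 in *umask-check.sh)
    modes_under_umask 022
    modes_under_umask 027
    world_readable_dirs "${1:-/home}" ;;
esac
```

With 027 the group keeps read access (640/750), which is what makes it workable for shared project groups; a stricter 077 would give 600/700 and hide files from group members too.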

root account

Do not use the root account for day-to-day work. Instead create your own account and escalate privileges only when needed.

  1. Create your user: useradd -m -s /bin/bash USERNAME (where USERNAME is your username; adduser USERNAME is the interactive Debian alternative)
  2. Set its password: passwd USERNAME (useradd creates the account locked, without a password)
  3. Add your new user to the sudo group: usermod -aG sudo USERNAME
  4. Log in as that user and confirm sudo -i works before locking root out of SSH below

ssh

Consider disconnecting idle users: a shell left logged in on an unattended terminal can be used by anyone who gets hold of it. TMOUT is a bash (and ksh) feature that ends an interactive shell after the given number of seconds without input. It does not time out a program running in the foreground, and a user with shell access can always start a shell that ignores it, so treat it as a reminder rather than a control.

  1. Open /etc/profile
  2. Append TMOUT=1800 for a 30 minute timeout
  3. Append readonly TMOUT to make users unable to edit their timeout
  4. Append export TMOUT
  5. Alternatively, for individual users, put the same three lines in their ~/.profile instead (not in addition: once TMOUT is readonly, a second assignment in ~/.profile fails with an error at every login). Example:

    TMOUT=1800
    readonly TMOUT
    export TMOUT
    

Disable root login over SSH and create a group for users who are allowed to log in. (Many bad-faith actors constantly scan for servers with port 22 open and then try to brute-force the root password.) Keep your current session open while making these changes, so that a mistake does not lock you out.

  1. Create the group: groupadd ssh-user
  2. Add users to the group: usermod -aG ssh-user USERNAME (where USERNAME is your username)
  3. Open /etc/ssh/sshd_config: nano /etc/ssh/sshd_config
  4. Add AllowGroups ssh-user above any Match block (directives after a Match line only apply within that block). sshd uses the first value it finds for a keyword, so make sure the keyword is not already set earlier in the file or in a drop-in under /etc/ssh/sshd_config.d/
  5. Check the syntax with sshd -t, then restart the SSH daemon: sudo systemctl restart ssh
  6. Test establishing a new connection with your non-root user; only proceed if this works
  7. Edit /etc/ssh/sshd_config again and change #PermitRootLogin prohibit-password to PermitRootLogin no. The line must be uncommented: a commented line sets nothing and leaves the default, prohibit-password, in place. Run sshd -t and restart again
  8. Review Ciphers, KexAlgorithms, MACs and HostKeyAlgorithms as well as the authentication settings, and set them to modern values fitting your case; once every user has a key deployed, set PasswordAuthentication no
  9. Consider running the SSH daemon on a non-standard port. This cuts the log noise from scanners but is not a security control on its own. Example file included: ./etc/ssh/sshd_config
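
As an added example (not from this repository), a shell audit of the settings changed in the steps above that applies sshd's own rules when reading the file: the first value for a keyword wins, a commented line sets nothing, and anything after a Match line is conditional. This is what catches the two classic mistakes of appending a second PermitRootLogin that is silently ignored, or "changing" a line that is still commented out. It assumes the usual "Keyword value" layout and reads a single file, so on Debian run it against the drop-ins in /etc/ssh/sshd_config.d/ as well; the file name sshd-audit.sh in the last line is an assumption used only for the run-directly guard.

```shell
#!/bin/sh
# Report the value sshd will actually use for a directive in a given
# sshd_config. sshd keeps the FIRST value it meets for a keyword and ignores
# later duplicates, a commented line sets nothing, and directives after a
# Match block are conditional, so parsing stops there. Assumes the usual
# "Keyword value" layout (not "Keyword=value") and does not follow Include.
# $1 = directive, $2 = path to the config, $3 = the compiled-in default
effective_sshd_value() {
    awk -v key="$1" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comment or blank line
        tolower($1) == "match" { exit }                     # conditional block begins
        tolower($1) == tolower(key) && found == "" {
            found = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", found)   # drop the keyword
            sub(/[[:space:]]+$/, "", found)
        }
        END { print (found == "" ? def : found) }
    ' "$2"
}

# Audit the settings this section changes. Returns non-zero when root can
# still log in or when no AllowGroups restriction is in effect.
# $1 = path to the config (default /etc/ssh/sshd_config)
audit_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    # defaults are OpenSSH's compiled-in values for these keywords
    root_login=$(effective_sshd_value PermitRootLogin "$cfg" prohibit-password)
    groups=$(effective_sshd_value AllowGroups "$cfg" "")
    passwd=$(effective_sshd_value PasswordAuthentication "$cfg" yes)
    printf 'PermitRootLogin=%s AllowGroups=%s PasswordAuthentication=%s\n' \
        "$root_login" "${groups:-<unset>}" "$passwd"
    status=0
    [ "$root_login" = no ] || { echo "FAIL: root login still possible ($root_login)"; status=1; }
    [ -n "$groups" ]       || { echo "FAIL: AllowGroups unset, every account may log in"; status=1; }
    return "$status"
}

# Run directly as `sh sshd-audit.sh [config]` (assumed file name); when
# sourced, only the functions are defined.
case $0 in *sshd-audit.sh) audit_sshd_config "$@" ;; esac
```

For the authoritative answer on a running host, `sshd -T` prints the fully resolved configuration (drop-ins and Match blocks included); this script is for reviewing a file before you restart the daemon, when sshd -T would still show the old state.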

Pluggable Authentication Modules: PAM

It might be worth running apt-cache search libpam to find other PAM modules that fit your situation.

Password policy

You cannot rely on people using sane and secure passwords, even if they are professionals. Since Debian 12 pam_cracklib.so/libpam-cracklib is no longer available for this; use libpam-pwquality instead.

  1. sudo apt install libpam-pwquality
  2. Read man pam_pwquality and man pwquality.conf for the options (minlen, dcredit, ucredit, and so on)
  3. Open /etc/pam.d/common-password and edit the line starting with password requisite pam_pwquality.so to your liking; the options can go on that line or in /etc/security/pwquality.conf. Example file included: ./etc/pam.d/common-password
  4. Test a candidate policy before rolling it out with pwscore from the libpwquality-tools package, e.g. echo 'correct horse battery staple' | pwscore

Authentication

The two settings below are read by login(1), i.e. they cover console and serial logins. They do not affect sshd, which has its own PermitEmptyPasswords (default no) and MaxAuthTries (default 6) in sshd_config.

Disable passwordless logins for accounts with no password set.

  1. Change PREVENT_NO_AUTH no to PREVENT_NO_AUTH yes in /etc/login.defs

Limit the number of times a password can be entered before the login is rejected.

  1. Modify the value for LOGIN_RETRIES in /etc/login.defs. Example file included: ./etc/login.defs

fail2ban

TODO

Unattended upgrades

  1. sudo apt install unattended-upgrades apt-listchanges
  2. sudo dpkg-reconfigure -plow unattended-upgrades to enable the periodic run (this writes /etc/apt/apt.conf.d/20auto-upgrades)
  3. sudo nano /etc/apt/apt.conf.d/50unattended-upgrades to choose which origins are upgraded automatically and whether the machine may reboot on its own
  4. Check the result without changing anything: sudo unattended-upgrade --dry-run --debug

Molly-guard

It is not only about security, but also stability. Molly-guard protects machines from accidental shutdowns/reboots issued over SSH by asking you to type the hostname before the command runs.

  1. sudo apt install molly-guard

Tripwire

TODO

Netfilter

For the case where the hosting provider offers no datacenter firewall via its web GUI, or simply for improved/redundant security (imagine one layer failing or getting compromised).

See: https://git.h0v1n8.nl/tBKwtWS/netfilter-config

Kernel flags

Build flags

Remove all unneeded packages

Anything installed that is not required is attack surface that can be removed. List what was installed on purpose with apt-mark showmanual, remove what you do not need with apt purge PACKAGE, and clean up the now-unused dependencies with apt autoremove --purge.