22

Linux Hardening - what are you must-haves?

posted
by
Avatar
wop@infosec.pub
in
Avatar
cybersecurity@infosec.pub
8 comments
hidereport

I’m working on a guide focused on securing Linux servers and I’d like to ask you what your essential hardening techniques and tips are? Your feedback would be greatly appreciated

Sort:
HotTopControversialNewOld
Avatar
demesisx@infosec.pub
12 points
*

Here’s how this concept made it onto my radar. This is an obsessively paranoid NixOS config and accompanying article:

https://xeiaso.net/blog/paranoid-nixos-2021-07-18/

Also, for further reference:

There’s a whole subsection of nixpkgs that could be helpful for a hardening guide:

https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix

Also, there are a few articles walking us through hardening Nix:

https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html

On NixOS Discourse:

https://discourse.nixos.org/t/hardening-systemd-services/17147/6

permalink
report
reply
Avatar
vpz@infosec.pub
7 points

There is no one way to secure Linux servers because Linux isn’t one thing due to distribution sprawl. How you do things depends on the distribution. If you want a general guide the CIS Benchmarks are a decent place to start. Then you can make a guide on how to implement them with your target Linux server distribution. Keep in mind this is for the OS and application hardening is just as important, and is an entirely different can of worms. https://downloads.cisecurity.org/#/

permalink
report
reply
Avatar
perviouslyiner@lemm.ee
7 points

Change SSH to only allow certificates not passwords.

permalink
report
reply
Avatar
alex_02@infosec.pub
7 points

For personal homelab, I keep it really simple, and I try to think realistically. Which means, using keys with ssh, setting up ufw and keep as little exposure for ports as possible, fail2ban, only really using user accounts with sudo instead of root, use containers and vms when I can to help keep things contained if I am working on something that might have links or files that are malicious, run something like a PiHole or AdGuard Home, etc.

I do plan on adding pfsense + security onion once I can get the proper hardware that has enough ram, but this is probably the only “overkill” I plan on running.

For stuff like VPS usually just UFW + SSH keys is mostly what I need, but add as I needed.

If I ever end up as a Linux Sysadmin, I would use a much more robust and proper setup for the company which means something like grsec, try to do something like setup a much better EDR/SIEM, rotate ssh keys if possible, etc.

permalink
report
reply
Avatar
edric@lemm.ee
6 points

CIS benchmarks have a guide for most enterprise distros.

permalink
report
reply

cybersecurity

!cybersecurity@infosec.pub

Create post

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

  • Be kind
  • Limit promotional activities
  • Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

Community stats

  • 204

    Monthly active users

  • 617

    Posts

  • 1.3K

    Comments

Community moderators