I’m working on a guide focused on securing Linux servers and I’d like to ask you what your essential hardening techniques and tips are? Your feedback would be greatly appreciated
Here’s how this concept made it onto my radar. This is an obsessively paranoid NixOS config and accompanying article:
https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
Also, for further reference:
There’s a whole subsection of nixpkgs that could be helpful for a hardening guide:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
Also, there are a few articles walking us through hardening Nix:
https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html
On NixOS Discourse:
https://discourse.nixos.org/t/hardening-systemd-services/17147/6
There is no one way to secure Linux servers because Linux isn’t one thing due to distribution sprawl. How you do things depends on the distribution. If you want a general guide the CIS Benchmarks are a decent place to start. Then you can make a guide on how to implement them with your target Linux server distribution. Keep in mind this is for the OS and application hardening is just as important, and is an entirely different can of worms. https://downloads.cisecurity.org/#/
Change SSH to only allow certificates not passwords.
Not a full list, just some ideas for personal servers.
- Make sure that only the services are exposed that you want to have exposed. For example, a webserver with PHP and mariadb probably does not need to have mariadb reachable from the network.
- Check the default config of all the programs you install. The default is often not the most secure option.
- Have secure authentication on every service on the server. Change all the default passwords.
- DO NOT disable security features like selinux.
- Document your setup, the specific changes you made and make and test backups.
Please be aware that the requirements in a business environment might be different.
For personal homelab, I keep it really simple, and I try to think realistically. Which means, using keys with ssh, setting up ufw and keep as little exposure for ports as possible, fail2ban, only really using user accounts with sudo instead of root, use containers and vms when I can to help keep things contained if I am working on something that might have links or files that are malicious, run something like a PiHole or AdGuard Home, etc.
I do plan on adding pfsense + security onion once I can get the proper hardware that has enough ram, but this is probably the only “overkill” I plan on running.
For stuff like VPS usually just UFW + SSH keys is mostly what I need, but add as I needed.
If I ever end up as a Linux Sysadmin, I would use a much more robust and proper setup for the company which means something like grsec, try to do something like setup a much better EDR/SIEM, rotate ssh keys if possible, etc.
