What are your methods to harden *nix servers?
from fishynoob@infosec.pub to cybersecurity@infosec.pub on 19 Apr 05:42
https://infosec.pub/post/26893336

I have been looking at hardening *nix servers for my lab and maybe carry some of that over to work. CIS benchmarks are something I like doing but that’s barely scratching the surface. What do you do for your servers?

I have Lynis, systemd-analyze, Kernel self protection in mind but I’d love to hear your thoughts. Bonus points for the most paranoid setups!

#cybersecurity


iii@mander.xyz on 19 Apr 05:48

Port knocking is a cool technique

HorreC@lemmy.world on 19 Apr 05:56

I have used this with second port for handshake (with no info in heading and 20 second times) and then the final port opens with key exchanged from handshake.

Cyber@feddit.uk on 19 Apr 07:22

Would you use that on internal LAN connections or only external internet facing connections? I’m not aware (not checked) if any firewalls support it… not sure why?

iii@mander.xyz on 19 Apr 09:24

With knockd you can execute arbitrary commands upon a port knocking sequence. So any application that is configurable via terminal is eligible. Here’s a tutorial of knockd+iptables (1). Alternatively there’s (2) that achieves the same effect in a different way.

You can use it wherever, as part of security in depth. It’s essentially a pre-shared secret.

It’ll have its largest effect on publicly facing interfaces. It does not replace having a proper ssh setup (disabling root, disabling password login, etc).
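One way to wire this up, as an added example that is not from the thread or the linked tutorials: a knockd configuration that opens port 22 only for the IP that completed the knock and closes it again after a timeout. The sequence values, timeouts and the exact iptables rule shape are assumptions; it also assumes a baseline ruleset that drops new connections to port 22 and accepts ESTABLISHED,RELATED traffic, so an open ssh session survives the rule being removed.

```ini
# /etc/knockd.conf (example values, not from the thread)
[options]
    # Log knock events via syslog so they show up alongside sshd logs
    UseSyslog
    # Listen on the public-facing interface only (assumed name)
    interface = eth0

[openSSH]
    # The knock sequence is the pre-shared secret: three TCP SYNs,
    # in order, within seq_timeout seconds. Pick your own ports.
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    # Insert an ACCEPT rule for the knocking host only (%IP% is filled
    # in by knockd), then remove it again after cmd_timeout seconds.
    # A session opened in that window keeps working thanks to the
    # baseline ESTABLISHED,RELATED rule; new connections are dropped again.
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 30
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

With this shape there is no separate "close" sequence to forget; the window closes by itself, and sshd hardening (no root login, keys only) still applies to whoever gets through.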

Cyber@feddit.uk on 19 Apr 19:35

Thanks for the links, I’ll take a look as I’ve never actually played with port knocking.

Cyber@feddit.uk on 19 Apr 07:31

Is this for internal facing servers? Not much more than CIS and the usual Best Practices (no root for SSH, etc)

For a DMZ node, minimal software (i.e. Arch) and automated defenses like fail2ban, key authentication, etc…

Firewalls with Geo-IP blocking also help, but that’s not technically what you’re asking for.

dotslashme@infosec.pub on 19 Apr 07:35

I’m probably in the minority here. My setup is simple, I chose a good OS like Debian or Alpine to run things on, make sure it’s always patched, move sshd to a nonstandard port and harden it.