this post was submitted on 05 Nov 2023
14 points (100.0% liked)

cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!



I'm working on a guide focused on securing Linux servers, and I'd like to ask you what your essential hardening techniques and tips are. Your feedback would be greatly appreciated.

top 7 comments
[–] perviouslyiner@lemm.ee 6 points 1 year ago

Change SSH to only allow certificates not passwords.
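Checking that a host actually meets this advice is less obvious than it looks, because sshd takes the first value it reads for a keyword and ignores later duplicates, and anything after a `Match` line applies only to matching connections. The script below is an added example, not part of the comment above or of OpenSSH; it audits a constructed sshd_config for password-based logins (key- or certificate-based logins both go through `PubkeyAuthentication`, which stays on). It assumes the `Keyword value` form of the file and does not parse `Keyword=value`.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for
# password-based logins. Two sshd behaviours make a naive grep misleading:
#  1. for each keyword, the FIRST value sshd reads wins; later duplicates
#     are silently ignored;
#  2. everything after a "Match" line applies only to matching connections.
# So this reads the global section only and takes the first occurrence.
# Assumes the "Keyword value" form (the "Keyword=value" form is not parsed).

# Constructed sample config, not from a real host. The trap: the first
# PasswordAuthentication line wins, so this host still accepts passwords
# even though a later line says "no".
SAMPLE_CONFIG='
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later by someone who thought it fixed the problem:
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
'

# The minimum that actually turns password logins off.
HARDENED_CONFIG='
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
'

# effective_value <keyword> <config-text>
# Prints the value sshd would use globally for <keyword> (lower-cased),
# or "default" when the global section never sets it.
effective_value() {
    v=$(printf '%s\n' "$2" | awk -v kw="$1" '
        /^[[:space:]]*(#|$)/ { next }                          # comments, blanks
        tolower($1) == "match" { exit }                        # global section ends
        tolower($1) == tolower(kw) { print tolower($2); exit } # first hit wins
    ')
    printf '%s\n' "${v:-default}"
}

# audit_sshd <config-text>
# Prints one finding per line, nothing when the config is clean.
audit_sshd() {
    cfg=$1
    pa=$(effective_value PasswordAuthentication "$cfg")
    [ "$pa" = no ] || echo "PasswordAuthentication is '$pa' (sshd default: yes); set it to no"
    # With UsePAM, keyboard-interactive auth can still prompt for the Unix
    # password, so turning PasswordAuthentication off alone is not enough.
    kb=$(effective_value KbdInteractiveAuthentication "$cfg")
    [ "$kb" = no ] || echo "KbdInteractiveAuthentication is '$kb' (sshd default: yes); set it to no"
    prl=$(effective_value PermitRootLogin "$cfg")
    [ "$prl" != yes ] || echo "PermitRootLogin is 'yes'; use no or prohibit-password"
}

audit_sshd "$SAMPLE_CONFIG"
```

On a live host the simplest cross-check is `sshd -T`, which prints the effective global configuration after sshd has applied its first-match rule. On OpenSSH older than 8.7 the keyword is `ChallengeResponseAuthentication` rather than `KbdInteractiveAuthentication`, so add that name to the audit if you still run such versions.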

[–] demesisx@infosec.pub 6 points 1 year ago* (last edited 1 year ago)

Here’s how this concept made it onto my radar. This is an obsessively paranoid NixOS config and accompanying article:

https://xeiaso.net/blog/paranoid-nixos-2021-07-18/

Also, for further reference:

There’s a whole subsection of nixpkgs that could be helpful for a hardening guide:

https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix

Also, there are a few articles walking us through hardening Nix:

https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html

On NixOS Discourse:

https://discourse.nixos.org/t/hardening-systemd-services/17147/6

[–] boblin@infosec.pub 5 points 1 year ago

The CIS benchmarks for Linux are a good start. There are some off-the-shelf tools that let you run those, notably linux-bench. Another tool in a similar fashion is lynis. You can also use eBPF tools like callander to examine your workload behaviour and help tighten your seccomp policies.

Once you've established a baseline for your system, you'll next want to harden your environment. This means network scans, OWASP, etc. As far as off-the-shelf tools go, OpenVAS is quite popular even in enterprise environments.

Finally there's the continuous security tasks: continuous package updates, runtime security, log analysis, etc. There are some free tools that cover part of this, like Security Onion, but if the price is right, a SaaS tool can save you a lot of time.
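The mechanics behind a benchmark tool are simple: a list of expected values, the host's actual values, and a diff. What makes the result useful is tailoring the list to the server's role, which the following added example shows for kernel parameters. It is not part of the comment above and not from CIS, linux-bench or lynis; the baseline values are common kernel-hardening recommendations, several of which appear in the CIS Linux benchmarks, and the `sysctl -a` dump is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check a host's running kernel
# parameters against a CIS-style baseline, and show why the baseline has
# to be tailored to the server's role before the results mean anything.

# Baseline as key=value lines. These values are common kernel-hardening
# recommendations, several of which appear in the CIS Linux benchmarks;
# take the authoritative list from the benchmark for your distribution.
BASELINE='
kernel.randomize_va_space=2
kernel.kptr_restrict=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
'

# A host that must route packets (VPN gateway, container host with bridged
# networking) legitimately needs ip_forward=1. Tailoring means overriding
# that one control for that role, not dropping the check.
ROUTER_OVERRIDES='
net.ipv4.ip_forward=1
'

# Constructed `sysctl -a` output for a hypothetical host (not real data).
SAMPLE_DUMP='
kernel.randomize_va_space = 2
kernel.kptr_restrict = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
'

# merge_baseline <base> <overrides>
# Prints key=value lines; a key in <overrides> replaces the base value.
merge_baseline() {
    printf '%s\n%s\n' "$1" "$2" | awk -F= '
        NF == 2 { if (!($1 in v)) order[++n] = $1; v[$1] = $2 }
        END { for (i = 1; i <= n; i++) print order[i] "=" v[order[i]] }'
}

# check_sysctl <baseline-text> <sysctl-a-text>
# Prints one sorted line per control: "PASS key" or
# "FAIL key expected=X actual=Y" (actual=missing if the kernel lacks it).
check_sysctl() {
    printf '%s\n' "$2" | awk -F' = ' -v base="$1" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], kv, "=") == 2) want[kv[1]] = kv[2]
        }
        NF == 2 { have[$1] = $2 }
        END {
            for (k in want) {
                if (!(k in have))            print "FAIL " k " expected=" want[k] " actual=missing"
                else if (have[k] != want[k]) print "FAIL " k " expected=" want[k] " actual=" have[k]
                else                         print "PASS " k
            }
        }' | sort
}

# Generic web host: three failures, one of which is ip_forward.
check_sysctl "$BASELINE" "$SAMPLE_DUMP"
# Same host evaluated as a router: ip_forward is now expected.
check_sysctl "$(merge_baseline "$BASELINE" "$ROUTER_OVERRIDES")" "$SAMPLE_DUMP"
```

On a real machine run it as `check_sysctl "$BASELINE" "$(sysctl -a 2>/dev/null)"`. Note that `sysctl -a` reports runtime values: a hardened `/etc/sysctl.d` file that has not been applied, or a runtime change that is not persisted, will pass one check and fail the other, so a baseline tool should look at both the live values and the persistent config.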

[–] scytale@lemm.ee 5 points 1 year ago

CIS benchmarks have a guide for most enterprise distros.

[–] vpz@infosec.pub 5 points 1 year ago

There is no one way to secure Linux servers because Linux isn't one thing, due to distribution sprawl. How you do things depends on the distribution. If you want a general guide, the CIS Benchmarks are a decent place to start. Then you can make a guide on how to implement them with your target Linux server distribution. Keep in mind this is for the OS; application hardening is just as important, and is an entirely different can of worms. https://downloads.cisecurity.org/#/

[–] cron@feddit.de 3 points 1 year ago

Not a full list, just some ideas for personal servers.

  • Make sure that only the services you want exposed are exposed. For example, a webserver with PHP and mariadb probably does not need to have mariadb reachable from the network.
  • Check the default config of all the programs you install. The default is often not the most secure option.
  • Have secure authentication on every service on the server. Change all the default passwords.
  • DO NOT disable security features like selinux.
  • Document your setup and the specific changes you made, and make and test backups.

Please be aware that the requirements in a business environment might be different.
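The first item in that list can be checked mechanically: list the listening sockets, drop the ones bound only to loopback, and compare the rest against the ports you intend to expose. The script below is an added example, not part of the comment above; it parses constructed `ss -H -tlnp` output (the `-H` flag suppresses the header, and the process column needs root to populate) for a hypothetical web host where mariadb has been left listening on all interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): find listening TCP sockets that are
# reachable from the network and are not on an explicit allow-list.

# Constructed `ss -H -tlnp` output for a hypothetical web host (not real
# data). Columns: State Recv-Q Send-Q Local:Port Peer:Port Process.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1203,fd=7))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mariadbd",pid=1410,fd=21))
LISTEN 0 4096 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=1502,fd=6))
LISTEN 0 128 [::1]:9000 [::1]:* users:(("php-fpm",pid=1610,fd=8))'

# network_exposed <ss-output>
# Prints "port process address" for every listener bound to a wildcard or
# non-loopback address. Loopback-only binds (127.0.0.0/8, ::1) are skipped
# because nothing on the network can reach them.
network_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last ":"
            host = addr; sub(/:[^:]*$/, "", host)    # everything before it
            gsub(/\[|\]/, "", host)                  # strip IPv6 brackets
            if (host ~ /^127\./ || host == "::1") next
            proc = "?"
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            print port, proc, host
        }'
}

# unexpected_exposure <ss-output> <allowed-ports>
# Prints every exposed listener whose port is not in the space-separated
# allow-list. Returns 1 if anything was printed, so it can gate a deploy.
unexpected_exposure() {
    out=$(network_exposed "$1" | while read -r port proc host; do
        case " $2 " in
            *" $port "*) ;;
            *) echo "UNEXPECTED port=$port process=$proc bound=$host" ;;
        esac
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# A web host is expected to expose ssh and http(s) only; mariadb is flagged.
unexpected_exposure "$SAMPLE_SS" "22 80 443"
```

On a live host run `unexpected_exposure "$(ss -H -tlnp)" "22 80 443"` as root, and repeat with `-u` in place of `-t` for UDP. The fix for a flagged service is usually a bind address in its own config (`bind-address = 127.0.0.1` for mariadb, for instance); a host firewall should still restrict the allowed ports, since this check only shows what the services intend to expose.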

[–] hojqux9x2sZg@infosec.pub 3 points 1 year ago* (last edited 1 year ago)

Hardening depends on your threat model and the needs of the client. Have the system do what it is supposed to do, nothing more or less. I pretty much use this as a guideline, depending on client needs.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/security_guide/red_hat_enterprise_linux-7-security_guide-en-us.pdf