How do you protect a linux host?

I personally prefer sshguard to fail2ban.
But normally, firewall-wise, I block all incoming traffic other than for services and IP addresses that need to get access.
Also I generally use a bastion host in front of my servers, so that you can't access them from anywhere other than the bastion.
 
- SSH only allows generic users, no root
- SSH keys only, no passwords
- Sudoers list, extra users get limited permission sets
- Fail2Ban - for banning repeated attempts / geographic style blocking
- Port Knocking (obscure, but a favourite of mine) --> provide the secret "handshake" --> confirm identity --> open port for short period so I can connect --> auto close it after said period
- Firewall - block inbound traffic, allow only what I need
- Network level, allow only my remote static IP to connect in to the network (or VPN only)
- SELinux
 
AIDE
Remote syslog servers tied into some kind of alerting system like Splunk
 
- Disable remote root access
- Only allow ssh keys. Password disabled.
- sshd locked down to only allow connections from a jump host
- All logs sent to Splunk and monitored 24x7
- Carbon Black agents loaded to monitor hosts
- If linux server needs to be external facing then it has to go in the DMZ with locked down firewall rules.
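The two posts above both come down to the same sshd settings (no root login, keys only, no passwords, and only the jump host allowed in). Below is an added example, not code from either poster: a small POSIX sh audit that reads an sshd_config and reports which of those settings are not in effect. It assumes the OpenSSH rule that the first occurrence of a keyword wins and that directives after a Match block are conditional, and it uses constructed sample configs so it runs offline. The file names and the hypothetical jump host address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above. sshd honours the FIRST occurrence of a keyword, so the
# audit reads the first value too, and it stops at the first "Match" block
# because anything after it applies only conditionally.

# sshd_get FILE KEYWORD -> prints the effective (first) value, "" if unset.
# Keywords are case-insensitive in sshd_config, hence the tolower().
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        tolower($1) == "match"   { exit }     # conditional section: stop here
        tolower($1) == key       { print $2; exit }   # first occurrence wins
    ' "$1"
}

# sshd_want FILE KEYWORD WANT DEFAULT
# Prints a FAIL line and returns 1 if the effective value (or the OpenSSH
# default when the keyword is unset) differs from WANT.
sshd_want() {
    val=$(sshd_get "$1" "$2"); [ -z "$val" ] && val=$4
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ]; then return 0; fi
    echo "FAIL: $2 is '$val' (want $3)"; return 1
}

# audit_sshd FILE -> one FAIL line per bad setting; return code = failure count.
# Defaults in the 4th column are OpenSSH's own (PermitRootLogin defaults to
# prohibit-password, the three authentication knobs default to yes).
# Older releases spell KbdInteractiveAuthentication as
# ChallengeResponseAuthentication; adjust the keyword if you audit one.
audit_sshd() {
    fails=0
    sshd_want "$1" PermitRootLogin no prohibit-password   || fails=$((fails+1))
    sshd_want "$1" PasswordAuthentication no yes          || fails=$((fails+1))
    sshd_want "$1" KbdInteractiveAuthentication no yes    || fails=$((fails+1))
    sshd_want "$1" PubkeyAuthentication yes yes           || fails=$((fails+1))
    # "only from the jump host": without AllowUsers every account may log in
    # from anywhere, so its absence is a finding.
    if [ -z "$(sshd_get "$1" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is unset (every account may log in from anywhere)"
        fails=$((fails+1))
    fi
    return $fails
}

TMP=$(mktemp -d)

# Constructed sample 1: a stock-looking config that fails four checks.
cat > "$TMP/weak" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
EOF

# Constructed sample 2: the ordering trap. The admin appended the "no" at the
# bottom, but the earlier "yes" is the one sshd uses.
cat > "$TMP/trap" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers admin
EOF

# Constructed sample 3: what the posts describe, with the hypothetical jump
# host 203.0.113.10 as the only permitted source for the admin account.
cat > "$TMP/hard" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers admin@203.0.113.10
Match Address 203.0.113.10
    PasswordAuthentication no
EOF

for f in weak trap hard; do
    echo "== $f =="
    audit_sshd "$TMP/$f" || echo "$f: $? finding(s)"
done
```

On a real host the audit does not follow `Include` lines (Debian and Ubuntu pull in `/etc/ssh/sshd_config.d/*.conf`), so feed it the effective configuration from `sshd -T` instead of the file; that output is already lowercase keyword/value pairs, which the functions above accept.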
 
Select hardware that uses PS/2 ports for keyboard
Remove all wireless and bluetooth hardware
Epoxy all network, USB and firewire ports
Leave only VGA and PS/2 ports accessible
Put in a SABS certified safe with dual (or even triple) locks and lock it up
Ensure that safe is installed in the level 5 security zone of a national keypoint
Assign keys to the safe to 2 or more people
 
./forgets the hardware, and throws away that last pesky ps2 keyboard that was lying on the shelf
 
ssh key login only
maldet, rkhunter, chkrootkit installed and scheduled to run
fail2ban
clamd
tripwire or similar (tiger also good)
iptables set up to only allow specific incoming/outgoing ports (i.e. ones I'm running services on)
more recently dockerizing apps so intrusions have a harder time.

I also remove shell access for almost all of the accounts on the box.
Harden /tmp, /var/tmp and other common tmp folders for non-executable access.

You can run tools like lynis to let you know what needs to be done also.

I usually set up what I need using Ansible, then point the scripts at the server(s) to "harden".
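Two of the items in the post above (no login shells for most accounts, non-executable tmp directories) are easy to verify before and after an Ansible run. This is an added example in POSIX sh, not the poster's own scripts: it parses text in the format of /proc/mounts and /etc/passwd, using constructed samples so it runs offline; on a real host pass those two files instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify the "noexec tmp" and
# "no shell for service accounts" items. Inputs are constructed files in the
# /proc/mounts and /etc/passwd formats.

# tmp_missing_opts MOUNTS_FILE MOUNTPOINT
# Prints each of noexec/nosuid/nodev that is missing from the mount options of
# MOUNTPOINT, or "not-a-separate-mount" if the path is not its own mount (in
# which case it inherits / and cannot be noexec at all). /proc/mounts fields:
# device mountpoint fstype options dump pass; a later line for the same
# mountpoint overmounts an earlier one, so the last match wins.
tmp_missing_opts() {
    awk -v mp="$2" '
        $2 == mp {
            split("", have)                       # reset: last mount wins
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            found = 1
        }
        END {
            if (!found) { print "not-a-separate-mount"; exit }
            split("noexec,nosuid,nodev", want, ",")
            for (i = 1; i <= 3; i++) if (!(want[i] in have)) print want[i]
        }
    ' "$1"
}

# login_shell_accounts PASSWD_FILE
# Prints every account whose shell (field 7) is not nologin or false.
# Anything listed here can open an interactive session if its password or
# key is ever compromised.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

TMP=$(mktemp -d)

# Constructed /proc/mounts: /tmp is tmpfs but lacks noexec, /var/tmp is
# fully hardened, /dev/shm is not a separate mount at all.
cat > "$TMP/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=1048576k 0 0
/dev/sda2 /var/tmp ext4 rw,noexec,nosuid,nodev,relatime 0 0
EOF

# Constructed /etc/passwd: three service accounts kept real shells.
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
postgres:x:108:115::/var/lib/postgresql:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
EOF

for d in /tmp /var/tmp /dev/shm; do
    miss=$(tmp_missing_opts "$TMP/mounts" "$d")
    [ -n "$miss" ] && echo "$d missing: $(printf '%s' "$miss" | tr '\n' ' ')"
done
echo "accounts with a login shell:"
login_shell_accounts "$TMP/passwd"
```

The fixes are the usual ones: `mount -o remount,noexec,nosuid,nodev /tmp` and the matching options in /etc/fstab, and `usermod -s /usr/sbin/nologin www-data` for each service account the check lists (leaving the admin account alone). One caveat worth testing in a staging box first: some package install scripts unpack and execute helpers under /tmp, so a noexec /tmp can make those fail until you point them at another scratch directory.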
 
Overkill
 
This is definitely security best practice. I have mine safely stowed in the Nkandla chicken coop.
 
No Faraday Cage?
 
I recently discovered Teleport through this cool looking dude
Christian Lempa
https://github.com/xcad2k a.k.a The Digital Life on YouTube

What is Teleport

Teleport is a Certificate Authority and an Access Plane for your infrastructure. With Teleport you can:

  • Set up Single Sign-On and have one place to access your SSH servers, Kubernetes, Databases, Desktops, and Web Apps.
  • Use your favorite programming language to define access policies to your infrastructure.
  • Share and record interactive sessions across all environments.
 
That is neat - a heavier version of rport.io!

Edit: no, yuck! He has a Sophos video on his channel. I need latex protection to watch that...
 