[GTALUG] Linux hardening question

Myles Braithwaite me at mylesbraithwaite.com
Wed Jun 28 10:16:37 EDT 2017


On Tue, Jun 27, 2017 at 7:37 PM, Truth Hacker via talk <talk at gtalug.org> wrote:
> Hi All,
>
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
>
> I searched a few articles and compiled a list of things to do, so far
> the stuff is a bit dated. So I was wondering if anyone has ideas
> to help me harden my system which I plan to use to host my website
> using a VPS host.
>
> So far I've got steps for the following:
>
> SSH / No root login, public key login
> Using DenyHost to reduce brute force password hacking
> Block port scanning
> Disable PING response
> Closing unused ports
>
> Q: What services should I consider disabling from starting automatically?
>
> Q: What programs should I remove (like telnet) from my system?
>
> I am reading up on iptables and also know about ufw, but not sure how
> to setup a good firewall, like what to block and not.
>
> Any other ideas or checklist would be appreciated.

I used to follow the [My First 10 Minutes On A Server][0], but found it
too annoying to follow a "checklist" so I converted it to [an Ansible
playbook][1].

I now use dev-sec's [Hardening Framework][2] as it does everything I want.

I find this stuff extremely boring so automating the work is a big +1 for me.

For the firewall, I use UFW as it's well documented and easy to use.

[0]: https://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/

[1]: https://github.com/myles/2016-10-11-ansible/tree/master/1-getting-started/examples/01-first-ten-minutes

[2]: http://dev-sec.io/
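
A check for the SSH items on the checklist in this thread ("No root login, public key login"), as an added example that is not part of either post or of the linked playbooks. It reports the value sshd would actually use for each keyword, where the first occurrence wins; the function names, the sample config and the reading of "public key login" as key-only (passwords off) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the SSH items
# on the checklist. Assumptions: whitespace-separated "Keyword value" lines,
# global section only (parsing stops at the first Match block), no Include.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive. DEFAULT is what OpenSSH uses when the keyword is absent.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { print val }
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per finding; return 0 only if clean.
audit_sshd() {
    rc=0
    # keyword:default-when-absent:value-wanted
    for rule in PermitRootLogin:prohibit-password:no \
                PasswordAuthentication:yes:no \
                PubkeyAuthentication:yes:yes; do
        kw=${rule%%:*}; rest=${rule#*:}
        def=${rest%%:*}; want=${rest#*:}
        got=$(effective_value "$1" "$kw" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $kw is '$got', want '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the later "no" is ignored because "yes" came first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's config
PermitRootLogin yes
PasswordAuthentication no
permitrootlogin no
EOF
audit_sshd "$sample" || echo "sample config needs changes"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration including Match and Include handling, which this file-only check does not cover.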

