[GTALUG] Linux hardening question

Blaise Alleyne email+libre at blaise.ca
Thu Jun 29 09:32:59 EDT 2017


On 27/06/17 07:37 PM, Truth Hacker via talk wrote:
> Hi All,
> 
> I am starting to go down the road to harden a Linux server, I am using
> the Ubuntu server image as my starting point.
> 
> I searched a few articles and compiled a list of things to do, so far
> the stuff is a bit dated. So I was wondering if anyone has ideas
> to help me harden my system which I plan to use to host my website
> using a VPS host.
> 
> So far I've got steps for the following:
> 
> SSH / No root login, public key login
> 

I don't disable root login, I actually use it frequently. But I disable
PasswordAuthentication (occasionally, on some servers, whitelisting some users
who are allowed to use PasswordAuthentication using 'Match user').

I certainly disable PasswordAuthentication for root, but I allow root login with
a keypair.


fail2ban, as others have mentioned, I always enable too. Though it's nice to
whitelist some of your own IPs if they're steady, as a few times a year
otherwise I found legit users getting themselves banned (using a different
computer, or forgetting a password, and thinking keys were set up when they
weren't, typo in the username, etc.). Whitelisting the office IP address has
stopped my co-workers from tripping fail2ban :)
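As an added example (not from Blaise's message or his servers), a small Python checker that reads an sshd_config in the shape he describes (PasswordAuthentication off globally, root limited to keys via PermitRootLogin, a `Match User` block re-enabling passwords for named accounts) and reports what a given user could still do. The sample config and the user names alice, bob and carol are constructed, and only the `User` criterion of `Match` is modelled.

```python
"""Audit an sshd_config for the policy above. Mimics two sshd rules: within a
section the first obtained value of a keyword wins, and keywords inside a
Match block that matches the connection override the global section."""
import shlex

# Constructed sample configuration; the user names are hypothetical.
SAMPLE_CONFIG = """
PermitRootLogin prohibit-password
PasswordAuthentication no
# ignored by sshd: the first value above wins
PasswordAuthentication yes
PubkeyAuthentication yes
# password logins only for these accounts (keys stay required elsewhere)
Match User alice,bob
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global_opts, [(users, opts), ...]); keys/values lower-cased."""
    glob, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":
            crit = {k.lower(): v for k, v in zip(args[0::2], args[1::2])}
            if set(crit) != {"user"}:
                raise NotImplementedError("only 'Match User' is modelled")
            current = {}
            matches.append((set(crit["user"].split(",")), current))
            continue
        target = glob if current is None else current
        target.setdefault(key, " ".join(args).lower())  # first value wins
    return glob, matches

def effective(text, user):
    """Settings sshd would apply to a connection authenticating as `user`."""
    glob, matches = parse(text)
    overrides = {}
    for users, opts in matches:  # earliest matching block wins per keyword
        if user in users:
            for k, v in opts.items():
                overrides.setdefault(k, v)
    return {**glob, **overrides}

def audit(text, user):
    """List policy violations for `user`; defaults follow sshd_config(5)."""
    eff = effective(text, user)
    findings = []
    pw = eff.get("passwordauthentication", "yes") == "yes"
    if pw:
        findings.append(f"password authentication allowed for {user}")
    if user == "root" and pw and eff.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("root can log in with a password")
    return findings
```

The fail2ban whitelist mentioned in the reply is the `ignoreip` setting in jail.local; it is not modelled by this checker.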


