Merge pull request #46 from davmann/master

Update README.md
2025-12-06 09:12:47 +01:00 · 2020-01-12 16:42:24 -05:00
parent b0eb781482 03b7139b32
commit d12afb4ba2
1 changed files with 25 additions and 25 deletions
--- a/README.md
+++ b/README.md
@@ -449,7 +449,7 @@ SSH is a door into your server. This is especially true if you are opening ports
 1. Make a backup of OpenSSH server's configuration file `/etc/ssh/sshd_config` and remove comments to make it easier to read:

    ``` bash
-    sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config-COPY-$(date +"%Y%m%d%H%M%S")
    sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config
    ```

@@ -602,7 +602,7 @@ The Diffie-Hellman algorithm is used by SSH to establish a secure connection. Th
 1. Make a backup of SSH's moduli file `/etc/ssh/moduli`:

    ``` bash
-    sudo cp --preserve /etc/ssh/moduli /etc/ssh/moduli.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/ssh/moduli /etc/ssh/moduli-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Remove short moduli:
@@ -721,7 +721,7 @@ What we will do is tell the server's SSH PAM configuration to ask the user for t
 1. Make a backup of PAM's SSH configuration file `/etc/pam.d/sshd`:

    ``` bash
-    sudo cp --preserve /etc/pam.d/sshd /etc/pam.d/sshd.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/pam.d/sshd /etc/pam.d/sshd-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Now we need to enable it as an authentication method for SSH by adding this line to `/etc/pam.d/sshd`:
@@ -798,7 +798,7 @@ sudo lets accounts run commands as other accounts, including **root**. We want t
 1. Make a backup of the sudo's configuration file `/etc/sudoers`:

    ``` bash
-    sudo cp --preserve /etc/sudoers /etc/sudoers.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Edit sudo's configuration file `/etc/sudoers`:
@@ -850,7 +850,7 @@ NTP stands for Network Time Protocol. In the context of this guide, an NTP clien
 1. Make a backup of the NTP client's configuration file `/etc/ntp.conf`:

    ``` bash
-    sudo cp --preserve /etc/ntp.conf /etc/ntp.conf.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/ntp.conf /etc/ntp.conf-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. The default configuration, at least on Debian, is already pretty secure. The only thing we'll want to make sure is we're the `pool` directive and not any `server` directives. The `pool` directive allows the NTP client to stop using a server if it is unresponsive or serving bad time. Do this by commenting out all `server` directives and adding the below to `/etc/ntp.conf`.
@@ -956,7 +956,7 @@ To quote https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/:
 1. Make a backup of `/etc/fstab`:

    ``` bash
-    sudo cp --preserve /etc/fstab /etc/fstab.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/fstab /etc/fstab-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Add this line to `/etc/fstab` to have `/proc` mounted with `hidepid=2`:
@@ -1010,7 +1010,7 @@ When there is a need to set or change an account password, the password task of
 1. Make a backup of PAM's password configuration file `/etc/pam.d/common-password`:

    ``` bash
-    sudo cp --preserve /etc/pam.d/common-password /etc/pam.d/common-password.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/pam.d/common-password /etc/pam.d/common-password-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Tell PAM to use libpam-pwquality to enforce strong passwords by editing the file `/etc/pam.d/common-password` and change the line that starts like this:
@@ -1529,7 +1529,7 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo
 1. Make a backup of psad's configuration file `/etc/psad/psad.conf`:

    ``` bash
-    sudo cp --preserve /etc/psad/psad.conf /etc/psad/psad.conf.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/psad/psad.conf /etc/psad/psad.conf-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Review and update configuration options in `/etc/psad/psad.conf`. Pay special attention to these:
@@ -1549,8 +1549,8 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo
    Make backups:

    ``` bash
-    sudo cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules.$(date +"%Y%m%d%H%M%S")
-    sudo cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules-COPY-$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules-COPY-$(date +"%Y%m%d%H%M%S")
    ```

    Edit the files:
@@ -1834,7 +1834,7 @@ WIP
 1. Make a backup of AIDE's defaults file:

    ``` bash
-    sudo cp -p /etc/default/aide /etc/default/aide.$(date +"%Y%m%d%H%M%S")
+    sudo cp -p /etc/default/aide /etc/default/aide-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Go through `/etc/default/aide` and set AIDE's defaults per your requirements. If you want AIDE to run daily and e-mail you, be sure to set `CRON_DAILY_RUN` to `yes`.
@@ -1842,7 +1842,7 @@ WIP
 1. Make a backup of AIDE's configuration files:

    ``` bash
-    sudo cp -pr /etc/aide /etc/aide.$(date +"%Y%m%d%H%M%S")
+    sudo cp -pr /etc/aide /etc/aide-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. On Debian based systems:
@@ -1850,7 +1850,7 @@ WIP
    - AIDE's configuration files are in `/etc/aide/aide.conf.d/`.
    - You'll want to go through AIDE's documentation and the configuration files in to set them per your requirements.
    - If you want new settings, to monitor a new folder for example, you'll want to add them to `/etc/aide/aide.conf` or `/etc/aide/aide.conf.d/`.
-    - Take a backup of the stock configuration files: `sudo cp -pr /etc/aide /etc/aide.$(date +"%Y%m%d%H%M%S")`.
+    - Take a backup of the stock configuration files: `sudo cp -pr /etc/aide /etc/aide-COPY-$(date +"%Y%m%d%H%M%S")`.

 1. Create a new database, and install it.
    
@@ -2054,7 +2054,7 @@ WIP
 1. Make a backup of `clamav-freshclam`'s configuration file `/etc/clamav/freshclam.conf`:

    ``` bash
-    sudo cp --preserve /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/clamav/freshclam.conf /etc/clamav/freshclam.conf-COPY-$(date +"%Y%m%d%H%M%S")
    ```
    
 1. `clamav-freshclam`'s default settings are probably good enough but if you want to change them, you can either edit the file `/etc/clamav/freshclam.conf` or use `dpkg-reconfigure`:
@@ -2104,7 +2104,7 @@ WIP
 1. Make a backup of `clamav-daemon`'s configuration file `/etc/clamav/clamd.conf`:

    ``` bash
-    sudo cp --preserve /etc/clamav/clamd.conf /etc/clamav/clamd.conf.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/clamav/clamd.conf /etc/clamav/clamd.conf-COPY-$(date +"%Y%m%d%H%M%S")
    ```
    
 1. You can change `clamav-daemon`'s settings by editing the file `/etc/clamav/clamd.conf` or useing `dpkg-reconfigure`:
@@ -2158,7 +2158,7 @@ WIP
 1. Make a backup of rkhunter' defaults file:

    ``` bash
-    sudo cp -p /etc/default/rkhunter /etc/default/rkhunter.$(date +"%Y%m%d%H%M%S")
+    sudo cp -p /etc/default/rkhunter /etc/default/rkhunter-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. rkhunter's configuration file is `/etc/rkhunter.conf`. Instead of making changes to it, create and use the file `/etc/rkhunter.conf.local` instead:
@@ -2265,7 +2265,7 @@ WIP
 1. Make a backup of chkrootkit's configuration file `/etc/chkrootkit.conf`:

    ``` bash
-    sudo cp --preserve /etc/chkrootkit.conf /etc/chkrootkit.conf.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/chkrootkit.conf /etc/chkrootkit.conf-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. You want chkrootkit to run every day and e-mail you the result.
@@ -2348,7 +2348,7 @@ logwatch's configuration file `/usr/share/logwatch/default.conf/logwatch.conf` s
 1. Make a backup of logwatch's daily cron file `/etc/cron.daily/00logwatch` and unset the execute bit:

    ``` bash
-    sudo cp --preserve /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/cron.daily/00logwatch /etc/cron.daily/00logwatch-COPY-$(date +"%Y%m%d%H%M%S")
    sudo chmod -x /etc/cron.daily/00logwatch.*
    ```

@@ -2666,7 +2666,7 @@ If you forget the password, you'll have to go through [some work](https://www.cy
 1. Make a backup of GRUB's configuration file `/etc/grub.d/10_linux` that we'll be modifying and unset the execute bit so `update-grub` doesn't try to run it:

    ``` bash
-    sudo cp --preserve /etc/grub.d/10_linux /etc/grub.d/10_linux.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/grub.d/10_linux /etc/grub.d/10_linux-COPY-$(date +"%Y%m%d%H%M%S")
    sudo chmod a-x /etc/grub.d/10_linux.*
    ```

@@ -2783,10 +2783,10 @@ In order to explain how umask works I'd have to explain how Linux file/folder pe
 1. Make a backup of files we'll be editing:

    ``` bash
-    sudo cp --preserve /etc/profile /etc/profile.$(date +"%Y%m%d%H%M%S")
-    sudo cp --preserve /etc/bash.bashrc /etc/bash.bashrc.$(date +"%Y%m%d%H%M%S")
-    sudo cp --preserve /etc/login.defs /etc/login.defs.$(date +"%Y%m%d%H%M%S")
-    sudo cp --preserve /root/.bashrc /root/.bashrc.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Set default umask for **non-root** accounts to **0027** by adding this line to `/etc/profile` and `/etc/bash.bashrc`:
@@ -2942,7 +2942,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure
 1. Make a backup of `/etc/exim4/passwd.client`:

    ``` bash
-    sudo cp --preserve /etc/exim4/passwd.client /etc/exim4/passwd.client.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/exim4/passwd.client /etc/exim4/passwd.client-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Add a line like this to `/etc/exim4/passwd.client`
@@ -3026,7 +3026,7 @@ Also, as discussed in [issue #29](https://github.com/imthenachoman/How-To-Secure
 1. Make a backup of exim4's configuration file `/etc/exim4/exim4.conf.template`:

    ``` bash
-    sudo cp --preserve /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.$(date +"%Y%m%d%H%M%S")
+    sudo cp --preserve /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template-COPY-$(date +"%Y%m%d%H%M%S")
    ```

 1. Add the below to `/etc/exim4/exim4.conf.template` after the `.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif` block: