Update README.md

IMTheNachoMan
2019-03-02 13:40:12 -05:00
parent 6a545f6781
commit ebaf767a17


@@ -365,7 +365,7 @@ We will be using Ed25519 keys which, according to [https://linux-audit.com/](htt
> and check to make sure that only the key(s) you wanted were added. > and check to make sure that only the key(s) you wanted were added.
> ``` > ```
Now would be a good time to [perform any tasks specific to your setup](#prepost-installation). Now would be a good time to [perform any tasks specific to your setup](#prepost-installation-requirements).
([Table of Contents](#table-of-contents)) ([Table of Contents](#table-of-contents))
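Review bot: the only change in this hunk is the in-page anchor `#prepost-installation` → `#prepost-installation-requirements`; worth confirming that the target heading in the same README really generates the slug `prepost-installation-requirements` (a heading such as "Pre/Post Installation Requirements" would, since the slash is dropped), because a wrong in-page link fails silently in the rendered README. The surrounding context lines are otherwise unchanged.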
@@ -441,16 +441,16 @@ SSH is a door into your server. This is especially true if you are opening ports
#### Steps #### Steps
1. Make a backup of `/etc/ssh/sshd_config` and remove default comments to make it easier to read: 1. Make a backup of `/etc/ssh/sshd_config` and remove comments to make it easier to read:
``` bash ``` bash
sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +"%Y%m%d%H%M%S") sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +"%Y%m%d%H%M%S")
sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config
``` ```
1. Edit `/etc/ssh/sshd_config` then **find and edit or add** these settings that should be applied regardless of your configuration/setup: 1. Edit `/etc/ssh/sshd_config` then find and edit or add these settings that should be applied regardless of your configuration/setup:
**Note**: Your `/etc/ssh/sshd_config` file may already have some of these settings/lines. You will want to remove those and replace them with the ones below. **Note**: SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. Your `/etc/ssh/sshd_config` file may already have some of the settings/lines below. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. (If anyone knows a way to programatically do this I would [love to hear how](#contacting-me).)
``` ```
######################################################################################################## ########################################################################################################
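Review bot: the expanded Note in the second step tells readers to find duplicate contradicting settings by hand but gives no way to verify the outcome; suggest adding `sudo sshd -T | grep -i challengeresponseauthentication`, which prints the value sshd will actually use (the first occurrence wins, exactly as the Note says), and that also answers the Note's "programmatically" question for any keyword. Minor points in the same hunk: the sed pattern `'/^#|^$/ d'` only strips comments starting at column 0, so indented `  # ...` lines survive; `'/^\s*#|^\s*$/ d'` covers both; and "programatically" is missing an m.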
@@ -534,8 +534,6 @@ SSH is a door into your server. This is especially true if you are opening ports
Check `man sshd_config` for more details what these settings mean. Check `man sshd_config` for more details what these settings mean.
1. SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. (If anyone knows a way to programatically do this I would [love to hear how](#contacting-me).)
1. Restart ssh: 1. Restart ssh:
``` bash ``` bash
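Review bot: deleting this step matches the move of its text into the Note above, so nothing is lost, but with it gone the next step is `Restart ssh` with no validation in between; a `sudo sshd -t` syntax check right before the restart would catch a typo in `/etc/ssh/sshd_config` before it makes the restart fail. The unchanged context line "Check `man sshd_config` for more details what these settings mean." is also missing a word ("details on what").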
@@ -1183,9 +1181,6 @@ WIP
sudo ufw allow out https comment 'allow HTTPS traffic out' sudo ufw allow out https comment 'allow HTTPS traffic out'
sudo ufw allow out ftp comment 'allow FTP traffic out' sudo ufw allow out ftp comment 'allow FTP traffic out'
# allow mail to go out
sudo ufw allow out 'Mail submission' comment 'allow mail out'
# allow whois # allow whois
sudo ufw allow out whois comment 'allow whois' sudo ufw allow out whois comment 'allow whois'
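Review bot: removing `sudo ufw allow out 'Mail submission'` (port 587) leaves this generic outbound rule list with no mail rule at all, and the replacement, a custom port-465 profile, is added in a different section of this same commit; a reader who follows only this list will have outbound mail silently blocked by the firewall. Suggest keeping a one-line comment here that points to the SMTP-over-TLS profile, or keeping the 587 rule for setups that submit over STARTTLS rather than port 465.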
@@ -2018,14 +2013,14 @@ As you use your system, and you install and uninstall software, you'll eventuall
#### Debian Based Systems #### Debian Based Systems
On Debian based systems, you can use [`deborphan`](http://freshmeat.sourceforge.net/projects/deborphan/) to find orphaned packages.
##### <a name="orphaned-software-why-not"></a>Why Not ##### <a name="orphaned-software-why-not"></a>Why Not
Keep in mind, `deborphan` finds packages that have **no package dependencies**. That does not mean they are not used. You could very well have a package you use every day that has no dependencies that you wouldn't want to remove. And, if `deborphan` gets anything wrong, then removing critical packages may break your system. Keep in mind, `deborphan` finds packages that have **no package dependencies**. That does not mean they are not used. You could very well have a package you use every day that has no dependencies that you wouldn't want to remove. And, if `deborphan` gets anything wrong, then removing critical packages may break your system.
##### Steps ##### Steps
On Debian based systems, you can use [`deborphan`](http://freshmeat.sourceforge.net/projects/deborphan/) to find orphaned packages.
1. Install `deborphan`. 1. Install `deborphan`.
``` bash ``` bash
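Review bot: moving the `deborphan` intro sentence under `##### Steps` is fine, but the unchanged "Why Not" text says `deborphan` finds packages that have "no package dependencies", which reads as "packages that depend on nothing"; `deborphan` reports packages that no other installed package depends on (no reverse dependencies), which is precisely why a tool you use every day can appear in its output. The link still points at `freshmeat.sourceforge.net`; a link to the Debian package entry would be a more durable reference.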
@@ -2314,6 +2309,27 @@ There are many guides on-line that cover how to configure Gmail as MTA using STA
sudo service exim4 restart sudo service exim4 restart
``` ```
1. If you're using [UFW](#ufw-uncomplicated-firewall), you'll need to allow outbound traffic on 465. To do this we'll create a custom UFW application profile and then enable it. Create the file `/etc/ufw/applications.d/smtptls`, add this, then run `ufw allow out smtptls comment 'open TLS port 465 for use with SMPT to send e-mails'`:
```
[SMTPTLS]
title=SMTP through TLS
description=This opens up the TLS port 465 for use with SMPT to send e-mails.
ports=465/tcp
```
[For the lazy](#editing-configuration-files---for-the-lazy):
``` bash
cat << EOF | sudo tee /etc/ufw/applications.d/smtptls
[SMTPTLS]
title=SMTP through TLS
description=This opens up the TLS port 465 for use with SMPT to send e-mails.
ports=465/tcp
EOF
ufw allow out smtptls comment 'open TLS port 465 for use with SMPT to send e-mails'
```
1. Add some mail aliases so we can send e-mails to local accounts by adding lines like this to `/etc/aliases`: 1. Add some mail aliases so we can send e-mails to local accounts by adding lines like this to `/etc/aliases`:
``` ```
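Review bot: in the "for the lazy" block the final `ufw allow out smtptls ...` runs without `sudo` while the `tee` just above it uses `sudo`, and the inline command in the step text has the same omission; run as a regular user the rule is never added, so both should read `sudo ufw allow out smtptls ...`. The profile `description=` and the rule comment spell the protocol "SMPT" (three occurrences); should be "SMTP". Minor: the step text, the plain block and the heredoc block all repeat the profile contents and the allow command; the prose could just name the file and leave the content to the blocks.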