Update README.md

IMTheNachoMan
2019-03-02 13:40:12 -05:00
parent 6a545f6781
commit ebaf767a17


@@ -365,7 +365,7 @@ We will be using Ed25519 keys which, according to [https://linux-audit.com/](htt
> and check to make sure that only the key(s) you wanted were added.
> ```
Now would be a good time to [perform any tasks specific to your setup](#prepost-installation).
Now would be a good time to [perform any tasks specific to your setup](#prepost-installation-requirements).
([Table of Contents](#table-of-contents))
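Review bot: the fragment changes from `#prepost-installation` to `#prepost-installation-requirements`, but nothing in this hunk shows the heading that produces the new id; please confirm such a heading exists, since a wrong fragment fails silently and the reader just lands at the top of the page.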
@@ -441,16 +441,16 @@ SSH is a door into your server. This is especially true if you are opening ports
#### Steps
1. Make a backup of `/etc/ssh/sshd_config` and remove default comments to make it easier to read:
1. Make a backup of `/etc/ssh/sshd_config` and remove comments to make it easier to read:
``` bash
sudo cp --preserve /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +"%Y%m%d%H%M%S")
sudo sed -i -r -e '/^#|^$/ d' /etc/ssh/sshd_config
```
1. Edit `/etc/ssh/sshd_config` then **find and edit or add** these settings that should be applied regardless of your configuration/setup:
1. Edit `/etc/ssh/sshd_config` then find and edit or add these settings that should be applied regardless of your configuration/setup:
**Note**: Your `/etc/ssh/sshd_config` file may already have some of these settings/lines. You will want to remove those and replace them with the ones below.
**Note**: SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. Your `/etc/ssh/sshd_config` file may already have some of the settings/lines below. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. (If anyone knows a way to programatically do this I would [love to hear how](#contacting-me).)
```
########################################################################################################
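Review bot: the relocated note asks for a programmatic way to find duplicate contradicting settings; `sudo sshd -T` prints the effective value of every keyword after sshd has resolved the file, so recommending it right after the edit lets the reader confirm what actually applies (for example that `ChallengeResponseAuthentication` resolved to the intended value) without reading the whole file. Also worth stating that the `sed` in the first step only strips full-line comments and blank lines and does nothing about duplicates, so the manual pass is still required. "programatically" should be "programmatically".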
@@ -534,8 +534,6 @@ SSH is a door into your server. This is especially true if you are opening ports
Check `man sshd_config` for more details what these settings mean.
1. SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. (If anyone knows a way to programatically do this I would [love to hear how](#contacting-me).)
1. Restart ssh:
``` bash
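Review bot: with the duplicate-settings item removed, the list now goes straight from the config block to "Restart ssh"; suggest a `sudo sshd -t` check in between, because a typo in the edited file makes the restart fail and, on a remote box, can remove the only way in. A sentence telling the reader to keep the current session open and test a fresh login before closing it would fit here as well.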
@@ -1183,9 +1181,6 @@ WIP
sudo ufw allow out https comment 'allow HTTPS traffic out'
sudo ufw allow out ftp comment 'allow FTP traffic out'
# allow mail to go out
sudo ufw allow out 'Mail submission' comment 'allow mail out'
# allow whois
sudo ufw allow out whois comment 'allow whois'
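Review bot: the hunk header (`-1183,9 +1181,6`) shows three lines dropped from the outbound allow block, but the commit message "Update README.md" does not record which rules went or why; egress rules are part of the server's exposure, so the message (or a sentence in the README) should say what changed. The remaining lines also rely on the `Mail submission` and `whois` application profiles being present, so a `sudo ufw app list` step before these `allow out` commands would save the reader a confusing error.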
@@ -2018,14 +2013,14 @@ As you use your system, and you install and uninstall software, you'll eventuall
#### Debian Based Systems
On Debian based systems, you can use [`deborphan`](http://freshmeat.sourceforge.net/projects/deborphan/) to find orphaned packages.
##### <a name="orphaned-software-why-not"></a>Why Not
Keep in mind, `deborphan` finds packages that have **no package dependencies**. That does not mean they are not used. You could very well have a package you use every day that has no dependencies that you wouldn't want to remove. And, if `deborphan` gets anything wrong, then removing critical packages may break your system.
##### Steps
On Debian based systems, you can use [`deborphan`](http://freshmeat.sourceforge.net/projects/deborphan/) to find orphaned packages.
1. Install `deborphan`.
``` bash
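Review bot: in the new "Why Not" paragraph, "packages that have **no package dependencies**" describes the wrong direction: `deborphan` lists packages that no other installed package depends on (no reverse dependencies), which is exactly why a tool you run by hand can show up as orphaned. Suggest "packages that nothing else depends on". Moving the "On Debian based systems, you can use `deborphan`..." sentence up under the section heading and out of "Steps" reads fine.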
@@ -2314,6 +2309,27 @@ There are many guides on-line that cover how to configure Gmail as MTA using STA
sudo service exim4 restart
```
1. If you're using [UFW](#ufw-uncomplicated-firewall), you'll need to allow outbound traffic on 465. To do this we'll create a custom UFW application profile and then enable it. Create the file `/etc/ufw/applications.d/smtptls`, add this, then run `ufw allow out smtptls comment 'open TLS port 465 for use with SMPT to send e-mails'`:
```
[SMTPTLS]
title=SMTP through TLS
description=This opens up the TLS port 465 for use with SMPT to send e-mails.
ports=465/tcp
```
[For the lazy](#editing-configuration-files---for-the-lazy):
``` bash
cat << EOF | sudo tee /etc/ufw/applications.d/smtptls
[SMTPTLS]
title=SMTP through TLS
description=This opens up the TLS port 465 for use with SMPT to send e-mails.
ports=465/tcp
EOF
ufw allow out smtptls comment 'open TLS port 465 for use with SMPT to send e-mails'
```
1. Add some mail aliases so we can send e-mails to local accounts by adding lines like this to `/etc/aliases`:
```
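Review bot: "SMPT" should be "SMTP" in the prose line, the profile `description=` and both `comment` strings. In the "For the lazy" block, `tee` runs under `sudo` but the following `ufw allow out smtptls ...` does not, so pasted as-is it fails with a permissions error; prefix it with `sudo` to match the rest of the block. Since the profile hard-codes `465/tcp`, the text should say plainly that this is SMTPS (implicit TLS) rather than the STARTTLS submission port, so readers who configured the other variant do not open the wrong port.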