Update README.md

This commit is contained in:
IMTheNachoMan
2019-02-24 14:06:28 -05:00
parent ff77ee4836
commit fb4a9ed3ee


@@ -4,10 +4,12 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach
## Table of Contents
- [Table of Contents](#table-of-contents)
- [Introduction](#introduction)
- [Guide Objective](#guide-objective)
- [Why Secure Your Server](#why-secure-your-server)
- [Why Yet Another Guide](#why-yet-another-guide)
- [Official Guides](#official-guides)
- [To Do / To Add](#to-do--to-add)
- [Guide Overview](#guide-overview)
- [About This Guide](#about-this-guide)
@@ -38,7 +40,9 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach
- [The Danger Zone](#the-danger-zone)
- [Proceed At Your Own Risk](#proceed-at-your-own-risk)
- [The Auditing](#the-auditing)
- [`netstat` (WIP)](#netstat-wip)
- [Lynis - Linux Security Auditing](#lynis---linux-security-auditing)
- [CIS-CAT (WIP)](#cis-cat-wip)
- [The Miscellaneous](#the-miscellaneous)
- [Configure Gmail as MTA](#configure-gmail-as-mta)
- [Separate `iptables` Log File](#separate-iptables-log-file)
@@ -68,7 +72,7 @@ At a high level, the second a device, like a server, is in the public domain --
What's worse is, without good security, you may never know if your server has been compromised. A bad-actor may have gained unauthorized access to your server and copied your data without changing anything so you'd never know. Or your server may have been part of a DDOS attack and you wouldn't know. Look at many of the large scale data breaches in the news -- the companies often did not discover the data leak or intrusion until long after the bad-actors were gone.
Contrary to popular belief, bad-actors don't always want to change something or [lock you out of your data for money](). Sometimes they just want the data on your server for their data warehouses (there is big money in big data) or to covertly use your server for their nefarious purposes.
Contrary to popular belief, bad-actors don't always want to change something or [lock you out of your data for money](https://en.wikipedia.org/wiki/Ransomware). Sometimes they just want the data on your server for their data warehouses (there is big money in big data) or to covertly use your server for their nefarious purposes.
([Table of Contents](#table-of-contents))
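Review bot: The empty `[lock you out of your data for money]()` link in the old line rendered as a dead link, so filling it with the Wikipedia ransomware URL is the right fix; while this paragraph is being touched, the context line above still spells "DDOS" where the usual form is "DDoS", and "bad-actor" does not need a hyphen in either line.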
@@ -86,6 +90,15 @@ IT automation tools like [Ansible](https://www.ansible.com/), [Chef](https://www
([Table of Contents](#table-of-contents))
### Official Guides
There are many official guides provided by industry leaders and the distributions themselves. It is not practical, and sometimes against copyright, to include everything from those guides. I advise you to also check those guides.
- For distribution specific hardening/security guides, check your distributions documentation.
- The [Center for Internet Security (CIS)](https://www.cisecurity.org/) provides [benchmarks](https://www.cisecurity.org/cis-benchmarks/) that are exhaustive, industry trusted, step-by-step instructions for securing many flavors of Linux. Check their [About Us](https://www.cisecurity.org/about-us/) for details. I personally go through their guides first and then finish it off with what I have in this guide.
([Table of Contents](#table-of-contents))
### To Do / To Add
- [ ] [Custom Jails for Fail2ban](#custom-jails)
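Review bot: In the new "Official Guides" section, "check your distributions documentation" should read "check your distribution's documentation", and that bullet would be more useful with the actual links for the distributions the guide targets rather than a generic pointer, since the CIS bullet already sets that standard with three links.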
@@ -225,6 +238,7 @@ Where applicable, use the expert install option so you have tighter control of w
- Installing core software you'll want like `man`
- Etc...
- Your server will need to be able to send e-mails so you can get important security alerts. If you're not setting up a mail server check [Configure Gmail as MTA](#configure-gmail-as-mta).
- I would also recommend you go through the [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) before you start with this guide.
([Table of Contents](#table-of-contents))
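Review bot: The new bullet recommending the CIS Benchmarks before starting duplicates the "I personally go through their guides first" advice already added in the "Official Guides" section; a link to `#official-guides` would avoid keeping the same recommendation in two places. It would also help readers to say which set of settings should win when a CIS item and a step in this guide configure the same thing (the `sshd_config` section below is one obvious overlap), since the bullet as written gives no guidance on conflicts.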
@@ -457,6 +471,9 @@ SSH is a door into your server. This is especially true if you are opening ports
# end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
########################################################################################################
# don't let users set environment variables
PermitUserEnvironment no
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
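Review bot: The added `Subsystem sftp internal-sftp -f AUTHPRIV -l INFO` line will clash with the `Subsystem sftp` directive that distribution default `sshd_config` files already ship (Debian's points at `/usr/lib/openssh/sftp-server`); OpenSSH refuses to start when `sftp` is defined twice, so this block, which the surrounding text presents as settings to add, should tell the reader to remove or replace the existing `Subsystem` line and to run `sshd -t` before restarting the service. The comment on `PermitUserEnvironment no` is also broader than the option: it stops `~/.ssh/environment` and `environment=` options in `authorized_keys` from being processed, and `no` is already the OpenSSH default, so it is worth saying the line is there to make the setting explicit.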
@@ -486,6 +503,9 @@ SSH is a door into your server. This is especially true if you are opening ports
TCPKeepAlive no
AllowAgentForwarding no
PermitRootLogin no
# don't allow .rhosts or /etc/hosts.equiv
HostbasedAuthentication no
```
1. Then **find and edit or add** these settings, and set values as per your requirements:
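Review bot: `HostbasedAuthentication no` is already the OpenSSH default, so the added line documents rather than changes behaviour; if the comment "don't allow .rhosts or /etc/hosts.equiv" is to be accurate it should be paired with `IgnoreRhosts yes` (also the default), which is the option that actually controls whether `.rhosts` and `.shosts` files are consulted, and the comment could say both are being pinned explicitly.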
@@ -1980,6 +2000,10 @@ On Debian based systems, you can use [`deborphan`](http://freshmeat.sourceforge.
## The Auditing
### `netstat` (WIP)
WIP
### Lynis - Linux Security Auditing
#### Why
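Review bot: The new "`netstat` (WIP)" section publishes only the word "WIP" under a heading that is now linked from the table of contents; it would be cleaner to keep it under "To Do / To Add" until there is content, and it is also missing the `([Table of Contents](#table-of-contents))` back-link that every other section, including the CIS-CAT placeholder in the next hunk, carries. When the content is written, consider covering `ss` alongside `netstat`, since `net-tools` is no longer installed by default on several distributions.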
@@ -2033,6 +2057,12 @@ From [https://cisofy.com/lynis/](https://cisofy.com/lynis/):
([Table of Contents](#table-of-contents))
### CIS-CAT (WIP)
WIP
([Table of Contents](#table-of-contents))
## The Miscellaneous
### Configure Gmail as MTA
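Review bot: Same concern as the `netstat` placeholder: the "CIS-CAT (WIP)" section adds a table-of-contents entry with no content behind it. When it is filled in, the text should distinguish CIS-CAT Lite, which is freely available and covers a subset of benchmarks, from CIS-CAT Pro, which requires a CIS SecureSuite membership, so readers know which one the instructions apply to.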