Submitted 18 hours ago by fishynoob@infosec.pub to cybersecurity@infosec.pub
I have been looking at hardening *nix servers for my lab and maybe carry some of that over to work. CIS benchmarks are something I like doing but that’s barely scratching the surface. What do you do for your servers?
I have Lynis, systemd-analyze, Kernel self protection in mind but I’d love to hear your thoughts. Bonus points for the most paranoid setups!
I’m probably in minority here. My setup is simple, I chose a good OS like Debian or Alpine to run things on, make sure it’s always patched, move sshd to a nonstandard port and harden it.
Port knocking is a cool technique
I have used this with second port for handshake (with no info in heading and 20 second times) and then the final port opens with key exchanged from handshake.
Would you use that on internal LAN connections or only external internet facing connections? I’m not aware (not checked) if any firewalls support it… not sure why?
With knockd you can execute arbitrary commands upon a port knocking sequence. So any application that is configurable via terminal is eligible. Here’s a tutorial of knockd+iptables (1). Alternativly there’s (2).
You can use it wherever, as part of security in depth. It’ll have it’s largest effect on publicly facing interfaces. It does not replace having a proper ssh setup (disabling root, keys only, etc).
Cyber@feddit.uk 16 hours ago
Is this for internal facing servers? Not much more than CIS and the usual Best Practices (no root for SSH, etc)
For a DMZ node, minimal software (ie Arch) and automated defenses like fail2ban, key authentication, etc…
Firewalls with Geo-IP blocking also help, but that’s not technically what you’re asking for.