
Securing user accounts

  • Introduction
    • What?
    • Why?
    • How?
  • Configuring sudo
    • Adding users to the sudo group
    • Setting up sudo for only certain delegated privileges
    • Host aliases
    • Preventing users from using shell escapes
    • Preventing users from using other dangerous programs
    • Preventing abuse via users’ shell scripts
  • Disabling root access
    • Disabling the root login shell
    • Disabling root SSH login
    • Disabling root using PAM
    • Resources
  • Locking home directories
    • Red Hat and CentOS
    • Debian and Ubuntu
      • useradd
      • adduser
  • Configuring password complexity
    • Pwquality
    • Resources
  • Configuring other password requirements
    • Password expiration
    • Password history
    • Resources
  • Dangers of the lxd group
    • Resources

Audit services

  • Introduction
    • What?
    • Why?
    • How?
  • Auditing system services with systemctl
    • Candidates for removal
    • Stop and disable
  • Auditing network services with netstat
    • Resources
  • Auditing network services with nmap
    • Port states
    • Scan types

Firewalls

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • iptables
    • The four components of iptables
    • Install and enable iptables
    • Chains
    • Rules
      • Status command
      • Deleting a rule
      • Inserting a rule
      • Saving the rules
      • Stop/Restart
    • Usage
      • SSH
      • OpenVPN
      • SMTP over SSL/TLS
  • UFW
    • Installation
    • Control
    • Usage
      • SSH
      • Nginx HTTP
      • Nginx HTTPS
      • Logging
      • OpenVPN
  • NFTables
    • Basic idea
    • Kernel
    • Configuration files
    • SSHguard
  • FirewallD
    • Install and enable FirewallD
    • Zones
    • Ports and services
    • Creating rulesets
    • Usage examples
      • OpenVPN
      • SMTP
    • Disable FirewallD
  • FireHOL
    • Installation
    • Configuration (example)
  • Packet filtering
    • Configuration resources
  • Fail2ban
    • Installation
    • Configuration
    • Test
    • Usage
    • Note for Apache
  • SSHguard
  • Web Application Firewall (WAF)
    • mod_security
  • Port spoofing

Encryption technologies

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • GNU Privacy Guard
    • Using GPG
    • Encrypting files with GPG
      • Symmetric
      • Asymmetric
  • OpenVPN
    • Installation
    • Server configuration
      • Assign static IP addresses
      • Firewall server
      • Start the OpenVPN server
    • Client configurations
      • Firewall client
      • Fire it up!
  • strongSwan
    • Configuration resources
  • Installing SSH
    • OpenSSH server
      • Control
    • Filtering
    • OpenSSH client
    • Resources
  • Hardening the SSH server
    • Configuration file
    • Additional security
  • Key management
    • Generate a key
    • Copy key to server
    • Connect
    • Changing passphrase
  • Jumping hosts
    • ForwardAgent
      • Configuration
      • Security problem
    • ProxyCommand
      • Configuration
    • ProxyJump
      • Configuration

Virtual network computing (VNC)

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • TigerVNC
    • Installation
    • Configuration
    • Firewall
    • Control
    • Clients
    • Configuration resources
  • TightVNC
    • Installation
    • Configuration
    • Firewall
    • Control
    • Clients
    • Configuration resources
  • Securing sessions
    • TLS
    • X509
    • SSH

Access control

  • Introduction
    • What?
    • Why?
    • How?
  • Discretionary access control (DAC)
    • Using chown
    • Using chmod
      • Symbolic
      • Numerical
    • Using SUID and SGID
      • Finding SUID or SGID files
      • Preventing SUID and SGID usage on a partition
    • Using extended file attributes to protect sensitive files
    • Securing system configuration files
  • Access control lists (ACL) and shared directory management (SDM)
    • Creating an ACL
    • Creating an inherited ACL for a directory
    • Using an ACL mask
    • Preventing the loss of ACLs during a backup
    • User groups
    • Creating a shared directory
  • Mandatory access control (MAC)
    • SELinux
    • AppArmor

Public key infrastructure (PKI)

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • Problems
    • X.509 standard
    • Technical
    • Economic
    • Juridical
    • Social
    • Privacy and security
    • Alternatives
    • Resources
  • Internal PKI
    • Master Certificate Authority (CA)
    • Server key
    • Client keys
    • Diffie-Hellman parameters
    • Copy keys
    • Security improvement
  • Pluggable Authentication Modules (PAM)
    • Passwords
    • SSH
      • Deny access
      • Allow access
    • SASL
  • Let’s Encrypt
    • Installing certbot
    • Getting a TLS certificate
    • Verification
    • Firewall
    • Auto renewal
    • Configuration resources
  • TLS/SSL
    • Installation
    • Configuration
    • Generating keys
    • Configuration resources

Logfiles

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • Syslog
    • Setting it up
    • Server
      • Installation
      • Configuration
    • Clients
    • Configuration resources
  • Log commands
    • Less, more and zmore
    • Grep and zgrep
    • Tail
    • Last and lastb
    • dmesg
  • Path of a common intruder
    • Scenario
    • Important events for reconstructing an attack
  • Logrotate
    • Installation
    • Configuration
  • Centralised logging
    • Why?
    • Why not?
    • How?
    • Which one?
    • Future considerations

Guards! Guards!

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • Samhain
    • Problems
    • Download
    • Verification
    • Simple configuration stand-alone
    • Configuration for watching logins, mounts and rootkits
    • Configuration for stealth
    • Build
    • Installation
    • Customisation
    • Initialisation
    • Usage
    • Update baseline
    • Start daemon
  • Maltrail

Incidents

  • Introduction
    • What?
    • Why?
    • How?
    • Notes
  • Preventing incidents
  • Using git for configuration management
  • Implementing a backup plan
    • Incremental backups
    • Simple script
  • Using bootable recovery media

Troubleshooting

  • Overview
    • What?
    • Why?
    • How?
  • Authentication error
    • Bypassing verification (not recommended)
    • HostKeyAlias
    • CheckHostIP
  • Connection refused

Hardening Linux server


Unseen University, 2024, with a forest garden fostered by /ut7.