Linux Security
To-do
Stuff that I found, but have not read/used yet.
- Grub (Linux bootloader) to reset the root password
- BIOS and UEFI firmwares allow a boot password
- grub2-mkpasswd-pbkdf2 (generate a hash to add to configuration)
- Ubuntu
- Encryption systems
- many modern Linux distributions ship with LUKS (Linux Unified Key Setup)
- sudo cryptsetup -y -v luksFormat device
- sudo cryptsetup luksOpen device name
- sudo cryptsetup luksOpen --type luks device name
- sudo cryptsetup luksDump device
- sudo mount /dev/mapper/name dest
- linux-securite
- apparmor (aa-status, shipped with many Linux distros, application profiles to define which resources they can access)
- SELinuxProject (enforce access control on processes/files, labels, policy rules between labeled)
- Disable root account (/sbin/nologin) + service (www-data)
- Strong password policy
- Use LTS
- https://ubuntu.com/about/release-cycle
- https://access.redhat.com/support/policy/updates/errata/
- Protection_ring
- Exec Shield
- unattended-upgrades, read HT2TB notes
- LXC
Upgrade packages.
$ sudo apt update
$ sudo apt upgrade
$ sudo apt-get dist-upgrade
Disable ssh login for root/..., and change the default port.
$ sudo vim /etc/ssh/sshd_config
$ sudo systemctl restart sshd
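The check below is an added example, not part of the original notes: it reads an sshd_config-style file and reports whether root login is disabled and the default port changed. The function names sshd_values and sshd_audit and the sample file are made up for illustration; on a live host, sshd -T prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the original notes): check an sshd_config-style file
# for the two changes above. Assumes whitespace-separated "Keyword value"
# lines; Include files and Match blocks are not evaluated.

# Print every global (pre-"Match") value of keyword $1 in file $2, in order.
sshd_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }           # keywords are case-insensitive
        /^[ \t]*#/ || NF == 0 { next }         # skip comments and blank lines
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == key { print $2 }
    ' "$2"
}

# Return 0 only if root login is "no" and sshd does not listen on port 22.
sshd_audit() {
    cfg=$1; rc=0
    # sshd keeps the first value it reads; unset means prohibit-password.
    root=$(sshd_values PermitRootLogin "$cfg" | head -n 1)
    root=${root:-prohibit-password}
    # Port may be repeated and sshd listens on all of them; unset means 22.
    ports=$(sshd_values Port "$cfg" | tr '\n' ' ')
    ports=${ports:-22 }
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    case " $ports" in
        *" 22 "*) echo "FAIL still listening on port 22"; rc=1 ;;
    esac
    [ "$rc" -ne 0 ] || echo "OK PermitRootLogin=no Port=${ports% }"
    return "$rc"
}

# Constructed sample: the later "no" is ignored because "yes" comes first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin yes
PermitRootLogin no
EOF
sshd_audit "$sample" || true
rm -f "$sample"
```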
Install a firewall.
$ sudo apt install fail2ban
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local
Random
- Remove/Disable unused apps/services/...
- NTP, Syslog
- password policy and account lock
- rootkits: chkrootkit, rkhunter
- Hardening: Lynis