Another of those moments where you suddenly think "I should maybe document what I do...". Here is a quick run-down of several of the things I do when setting up a new system of my own that may be useful for helping to secure your own systems if you're slinging them onto the Internet or a work-based network.
I'm assuming Debian-based systems in these instructions, so all paths and installation methods are based on that distribution, but the methods are similar for other Linux distributions. I'd also welcome input from my buddies in the security industry who attack surfaces like this with digital hammers. If you know of caveats or better ways, please get in touch.
A warning before you begin: some of the configuration options here can lock you out of a system if you mis-key values or only part-configure things. Make sure you have a decent connection to your box and tick off each of the steps, understanding what each one does first!
If you're allowing SSH access to your system, Fail2Ban is a must-have. It automatically blocks access to your system from any address it sees making repeated attempts to brute-force accounts with the wrong password.
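To show what Fail2Ban is actually doing for sshd, here is an added example (not code from the post or from the Fail2Ban project): a shell/awk function that reads auth.log lines on stdin and prints every source address with at least `maxretry` "Failed password" entries. The log lines are constructed, the addresses come from the documentation ranges, and the function ignores Fail2Ban's `findtime` window (it counts over the whole input), which is the one simplification compared with the real jail.

```shell
#!/bin/sh
# Added example: the core of Fail2Ban's sshd jail as a visible function.
# Reads auth.log lines on stdin; prints "IP count" for every address with
# at least MAXRETRY password failures.

failed_login_offenders() {
    maxretry="${1:-5}"   # Fail2Ban's default maxretry is 5
    awk -v max="$maxretry" '
        # match sshd password failures, e.g.
        # "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END {
            for (ip in count)
                if (count[ip] >= max) print ip, count[ip]
        }
    ' | sort
}

# Constructed sample log lines (not real traffic); addresses are taken from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 myhost sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 myhost sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:19 myhost sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:24 myhost sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:01 myhost sshd[2210]: Failed password for alice from 198.51.100.22 port 40010 ssh2
Mar  3 10:02:05 myhost sshd[2210]: Accepted password for alice from 198.51.100.22 port 40010 ssh2
EOF
)

# With maxretry=3 only 203.0.113.7 (4 failures) is flagged; alice's single
# typo from 198.51.100.22 is left alone, which is the point of the threshold.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_offenders 3

# The equivalent Fail2Ban configuration goes in /etc/fail2ban/jail.local
# (the jail is named [ssh] on older Debian releases and [sshd] on newer ones):
#
#   [sshd]
#   enabled  = true
#   port     = ssh
#   maxretry = 5
#   findtime = 600
#   bantime  = 3600
```

The `bantime` and `findtime` values above are in seconds; raising `bantime` is the usual first tweak once you have confirmed the jail is banning the right thing with `fail2ban-client status sshd`.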
Most security breaches revolve around privilege escalation, and the program ninja is a good way of automatically detecting such attempts.
There is a little bit of setup to do to create the group and settings once you've installed the program. Remember to note down the GID of the ninja group when you create it, as you'll need it later on...
Restart ninja and you will now have an additional access-protection layer. You will have to add any user that requires sudo access to the ninja group, otherwise they will not be allowed to elevate privileges.
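The lockout risk in that last step is easy to check for before you restart ninja. The script below is an added example (not from the post and not part of ninja itself): it reads `/etc/group`-style text on stdin, prints the GID you are told to note down, and lists every member of the `sudo` group who is not yet in the `ninja` group. The group file content is constructed; on a real box you would feed it `getent group`.

```shell
#!/bin/sh
# Added example: pre-flight check before enabling ninja enforcement.
# Usage on a live system:  getent group | sudo_users_not_in_group ninja

# Print the GID of a group (the value the post says to note down).
group_gid() {
    awk -F: -v name="$1" '$1 == name { print $3 }'
}

# Print members of the "sudo" group who are absent from the given group
# (default "ninja"), one per line. Only the supplementary member list is
# inspected: a user whose primary group is sudo, or who is granted rights
# directly in /etc/sudoers, is not caught by this check.
sudo_users_not_in_group() {
    target="${1:-ninja}"
    awk -F: -v target="$target" '
        $1 == "sudo"  { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") sudo_members[a[i]] = 1 }
        $1 == target  { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") target_members[a[i]] = 1 }
        END { for (u in sudo_members) if (!(u in target_members)) print u }
    ' | sort
}

# Constructed sample of /etc/group (not taken from a real system).
SAMPLE_GROUP_FILE=$(cat <<'EOF'
root:x:0:
sudo:x:27:alice,bob,carol
users:x:100:
ninja:x:1001:alice,carol
EOF
)

echo "ninja GID: $(printf '%s\n' "$SAMPLE_GROUP_FILE" | group_gid ninja)"
echo "sudo users missing from ninja:"
printf '%s\n' "$SAMPLE_GROUP_FILE" | sudo_users_not_in_group ninja
# bob is listed: add him with "usermod -aG ninja bob" before restarting ninja,
# or he will lose the ability to elevate.
```

Run it while you still have a root shell open, fix anyone it lists, and only then restart ninja.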
If someone is going to smash into your system it's going to take time (you hope), and they're going to want a backdoor so they can come and go more easily. A rootkit is a malicious program, or series of programs, that sits on your machine and makes it operate in ways it isn't meant to, potentially masking what it's doing at the same time. Quite often you find that programs have been modified to leak passwords or credentials, or generally to do things you don't want.
A good program to monitor changes to your system is rkhunter which can be set up to mail you daily logs of system checks.
To install and update the definitions:
Don't forget you will need to add execution permission to the shell script:
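As an added example of the daily mailed check described above (not code from the post or from the rkhunter project), here is a small cron script. It assumes the rkhunter package is installed at `/usr/bin/rkhunter`, that a local MTA and the `mail` command are available, that the script lives at `/etc/cron.daily/rkhunter-mail` and has been made executable, and that rkhunter marks findings with a leading `Warning:`. The sample output at the bottom is constructed so the counting function can be exercised anywhere.

```shell
#!/bin/sh
# Added example: /etc/cron.daily/rkhunter-mail (assumed path; chmod +x it).
# Runs rkhunter once a day and mails root only when warnings are found.

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"
REPORT_TO="${REPORT_TO:-root}"

# Count rkhunter warning lines on stdin; always prints a number (0 if none).
count_rkhunter_warnings() {
    awk '/^Warning:/ { n++ } END { print n + 0 }'
}

run_daily_rkhunter() {
    # --cronjob: non-interactive, no colours or key presses;
    # --update: refresh the data files first;
    # --report-warnings-only: print nothing unless something needs attention.
    # rkhunter exits non-zero when it has warnings, so don't let that abort us.
    output=$("$RKHUNTER" --cronjob --update --report-warnings-only 2>&1) || true
    warnings=$(printf '%s\n' "$output" | count_rkhunter_warnings)
    if [ "$warnings" -gt 0 ]; then
        printf '%s\n' "$output" |
            mail -s "rkhunter: $warnings warning(s) on $(hostname)" "$REPORT_TO"
    fi
}

# Only do the real run where rkhunter is present; the functions above can
# still be exercised with constructed output, as below.
if [ -x "$RKHUNTER" ]; then
    run_daily_rkhunter
fi

# Constructed sample of the kind of lines rkhunter prints (not real findings).
SAMPLE_RKHUNTER_OUTPUT='Warning: The file properties have changed:
         File: /usr/bin/ls
Warning: Hidden directory found: /dev/.udev'
printf '%s\n' "$SAMPLE_RKHUNTER_OUTPUT" | count_rkhunter_warnings   # prints 2
```

Expect a burst of "file properties have changed" warnings after every legitimate package upgrade; once you have confirmed the upgrade was the cause, `rkhunter --propupd` re-baselines the file properties so the next run is quiet again.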
Another key ingredient is having an idea of your update path. This is often a tricky one, depending on how tightly you are locked to specific versions of software. If you're free to grab the latest security fixes on a stable branch, you can configure automatic updates like so:
Add in the unattended package system:
Now you need to configure the automatic updates option:
This configuration will allow daily automatic updates for you.
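The two files that make up that configuration, as an added example (not the post's own commands and not the package's shipped defaults): a function that writes `50unattended-upgrades` (which updates to apply, restricted to the security archive) and `20auto-upgrades` (the daily schedule) into a directory you name, so you can try it in a scratch directory before pointing it at `/etc/apt/apt.conf.d`. It assumes the `unattended-upgrades` package is installed.

```shell
#!/bin/sh
# Added example: write the "security updates only" configuration for
# unattended-upgrades. Real target directory: /etc/apt/apt.conf.d

write_unattended_upgrade_config() {
    dir="$1"

    # Which updates to apply unattended: only the security archive of the
    # running release, so ordinary version bumps still wait for you. The
    # second pattern matches the "<codename>-security" suite used since
    # Debian 11; the first matches the older layout. Unmatched patterns are
    # harmless, so listing both is safe.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
// Mail a report of what was done (needs a working local MTA).
Unattended-Upgrade::Mail "root";
// Tidy up packages that nothing depends on any more.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Never reboot on its own; do kernel reboots yourself.
Unattended-Upgrade::Automatic-Reboot "false";
EOF

    # The daily schedule: refresh package lists and run the upgrader once a
    # day, and autoclean the package cache weekly. This is the file that
    # "dpkg-reconfigure -plow unattended-upgrades" generates for you.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# To check what would be upgraded without changing anything:
#   unattended-upgrades --dry-run --debug

# Write for real only when a directory is given on the command line, e.g.
#   sh ./setup-auto-upgrades.sh /etc/apt/apt.conf.d
if [ -n "${1:-}" ]; then
    write_unattended_upgrade_config "$1"
fi
```

The dry run is worth doing once on a new box: it shows which origin patterns matched, which is the quickest way to spot a codename or label typo that would otherwise leave you silently receiving no updates at all.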
As with all things, securing systems isn't a static activity that's undertaken once. It's wise to have something analysing logs on your network to pick up on trends or linked activity. The steps I've outlined are just some of those on my "new system checklist" pad. I'm sure if I got into it further I'd find more things I regularly undertake...