Hardening
We really do not want arbitrary people hacking into our server. Since we also do not want to spend time on maintaining it, we need a very conservative security configuration. This might complicate other things, but the peace of mind is worth it.
Automatic Security Updates
Keeping a system up to date is one of the most important security aspects. We want the system to install updates automatically. Not only security updates. All updates.
sudo apt install unattended-upgrades update-notifier-common
The update-notifier-common package is only needed for the automatic reboots.
Edit /etc/apt/apt.conf.d/50unattended-upgrades to look like this:
Unattended-Upgrade::Allowed-Origins {
"${distro_id} stable";
"${distro_id} ${distro_codename}-security";
"${distro_id} ${distro_codename}-updates";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Additionally, edit /etc/apt/apt.conf.d/10periodic:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
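A configuration that is never checked again is a configuration that silently rots. The following health check is an added example (not from the original page and not part of apt or unattended-upgrades): it verifies that the periodic job is still enabled in the apt.conf fragment, that the job actually ran recently (apt's daily job touches a stamp file after each run), and whether a reboot is pending (update-notifier-common creates the flag file that Automatic-Reboot waits for). The default paths are the Debian/Ubuntu ones; the functions take paths as arguments so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the original page: a health check for the
# unattended-upgrades setup above. It verifies that the periodic job is still
# enabled in the apt.conf fragment, that it has actually run recently, and
# whether a reboot is pending.

# Value of an apt.conf key written as: Key "value";  (comments start with //,
# the last assignment wins). Prints nothing if the key is absent.
apt_conf_value() {
    # $1 = file, $2 = key
    sed -e 's|//.*||' "$1" | awk -v key="$2" '
        $1 == key { v = $2; gsub(/[";]/, "", v); last = v }
        END { print last }'
}

# 0 if the stamp file exists and was modified within the last $2 days.
# apt's daily job touches /var/lib/apt/periodic/unattended-upgrades-stamp
# after each run, so a stale stamp means the job silently stopped working.
ran_recently() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -mtime +"$2")" ]
}

# 0 if the reboot flag exists. update-notifier-common writes
# /var/run/reboot-required after kernel or libc updates; Automatic-Reboot
# only reboots when that file is present.
reboot_pending() {
    [ -f "$1" ]
}

# Run all three checks. Prints one line per finding; the return value is the
# number of findings, so 0 means healthy.
upgrade_healthcheck() {
    conf="$1" stamp="$2" flag="$3" max_days="$4"
    findings=0
    if [ "$(apt_conf_value "$conf" APT::Periodic::Unattended-Upgrade)" != "1" ]; then
        echo "FAIL: APT::Periodic::Unattended-Upgrade is not 1 in $conf"
        findings=$((findings + 1))
    fi
    if ! ran_recently "$stamp" "$max_days"; then
        echo "FAIL: no unattended-upgrades run recorded in the last $max_days days"
        findings=$((findings + 1))
    fi
    if reboot_pending "$flag"; then
        echo "WARN: reboot pending; it will happen at Automatic-Reboot-Time"
        findings=$((findings + 1))
    fi
    return $findings
}

# On a live system (paths are the Debian/Ubuntu defaults):
# upgrade_healthcheck /etc/apt/apt.conf.d/10periodic \
#     /var/lib/apt/periodic/unattended-upgrades-stamp /var/run/reboot-required 7
```

Run it from cron or a monitoring agent and alert on a non-zero exit; a stale stamp is the usual symptom when an apt source breaks or the timer was disabled by hand.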
AppArmor
sudo apt install apparmor-utils
Check whether it is enabled:
sudo apparmor_status
If you want to write your own AppArmor profiles, the trick is to use aa-genprof. It semi-automatically generates a profile from logged activity.
SSH Configuration
First, make sure you have public-key authentication, because now we disable password authentication. To copy your public key from your desktop/laptop, use:
ssh-copy-id username@remotehost
Now we can edit /etc/ssh/sshd_config:
PasswordAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys
Protocol 2
PermitRootLogin no
AllowUsers qznc
Also, rate limit SSH connections via the firewall:
sudo ufw limit OpenSSH
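Editing sshd_config by hand is easy to get subtly wrong (a duplicate keyword earlier in the file wins, a commented-out line does nothing). The script below is an added example, not code from the original page or from OpenSSH: it reads an sshd_config file the way sshd does (first occurrence wins, keywords are case-insensitive, `#` starts a comment) and reports any of the three settings above that are not in their hardened state. Match blocks are deliberately not handled; `sudo sshd -T` prints the fully resolved configuration and can be audited the same way.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config file for the
# settings this section sets. Prints one line per finding and returns 0 only
# when all checks pass.

# Effective value of one keyword. sshd takes the first occurrence of a keyword,
# matches keywords case-insensitively and treats "#" as a comment. Match blocks
# are not handled here; use `sshd -T` for a fully resolved configuration.
sshd_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    file="$1"
    rc=0
    v=$(sshd_value "$file" PasswordAuthentication)
    # sshd defaults this to "yes", so an absent line is as weak as an explicit one
    if [ "$v" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${v:-unset, defaults to yes}', expected 'no'"
        rc=1
    fi
    v=$(sshd_value "$file" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${v:-unset}', expected 'no'"
        rc=1
    fi
    v=$(sshd_value "$file" AllowUsers)
    if [ -z "$v" ]; then
        echo "FAIL: AllowUsers is unset; every account with a key may log in"
        rc=1
    fi
    return $rc
}

# Against the live file:
# audit_sshd_config /etc/ssh/sshd_config
```

Run it before `sudo systemctl restart ssh`, and keep the existing session open until a second login with the key has succeeded; a typo in AllowUsers locks out the only account that can fix it.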
Prevent IP Spoofing
I need to edit ‘/etc/host.conf’, but why?
order bind,hosts
nospoof on
Warning
I do not understand this yet. Why and how does it work?
EtcKeeper
Keeping /etc in version control can be convenient. It is presented in this hardening chapter because looking at the history can be interesting in terms of security.
Install and initialize it. It will autocommit daily and in sync with apt.
sudo apt install etckeeper
cd /etc
sudo etckeeper init
sudo etckeeper commit "initial"
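The security value of the /etc history is in the questions you can ask it. The two queries below are an added example, not part of the page or of etckeeper: one lists commits that etckeeper did not make on its own (changes a person, a script or an intruder committed by hand), the other lists commits that touched files worth a second look. The message patterns for etckeeper's automatic commits ("daily autocommit" and "committing changes in /etc ...") are an assumption based on default etckeeper behaviour; compare with `sudo git -C /etc log` on your system and adjust them.

```shell
#!/bin/sh
# Added example, not part of the page or of etckeeper: two queries over the
# git history that etckeeper keeps in /etc. Assumption: etckeeper's automatic
# commits carry messages containing "daily autocommit" or
# "committing changes in /etc" (check with `sudo git -C /etc log`).

# Commits that etckeeper did not make on its own. Returns non-zero when there
# are none, because grep -v selected no lines.
manual_etc_commits() {
    repo="${1:-/etc}"
    git -C "$repo" log --format='%h %ad %s' --date=short |
        grep -v -e 'daily autocommit' -e 'committing changes in /etc'
}

# Commits, newest first, that touched files where any change deserves review:
# SSH server config, sudo rules, account databases and cron jobs.
sensitive_etc_commits() {
    repo="${1:-/etc}"
    git -C "$repo" log --format='%h %ad %s' --date=short -- \
        ssh/sshd_config sudoers sudoers.d passwd group shadow crontab cron.d
}

# On the real repository (needs root, because /etc/.git is root-owned):
# sudo sh -c '. ./etc-queries.sh; manual_etc_commits; sensitive_etc_commits'
```

Follow up any unexpected hash with `sudo git -C /etc show <hash>` to see the exact diff; an account added to sudoers or a key-less login re-enabled in sshd_config shows up there as plainly as it did when it was typed.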
Lynis
For more hardening tips, install Lynis and let it audit the system:
sudo apt install lynis
sudo lynis audit system