I have been looking at hardening *nix servers for my lab and maybe carry some of that over to work. CIS benchmarks are something I like doing but that’s barely scratching the surface. What do you do for your servers?
I have Lynis, systemd-analyze, Kernel self protection in mind but I’d love to hear your thoughts. Bonus points for the most paranoid setups!
With knockd you can execute arbitrary commands upon a port knocking sequence. So any application that is configurable via terminal is eligible. Here’s a tutorial of knockd+iptables (1). Alternativly there’s (2) that achieves the same effect in a different way.
You can use it wherever, as part of security in depth. It’s essentially a pre-shared secret.
It’ll have it’s largest effect on publicly facing interfaces. It does not replace having a proper ssh setup (disabling root, disabling password login, etc).
Thanks for the links, I’ll take a look as I’ve never actually played with port knocking.