I have been looking at hardening *nix servers for my lab and maybe carrying some of that over to work. CIS benchmarks are something I like doing, but that's barely scratching the surface. What do you do for your servers?
I have Lynis, systemd-analyze and kernel self-protection in mind, but I'd love to hear your thoughts. Bonus points for the most paranoid setups!
Is this for internal-facing servers? Not much more than CIS and the usual best practices (no root for SSH, etc.).
For a DMZ node, minimal software (i.e. Arch) and automated defenses like fail2ban, key authentication, etc.
Firewalls with Geo-IP blocking also help, but that’s not technically what you’re asking for.
Port knocking is a cool technique.
I have used this with a second port for the handshake (with no info in the header and 20-second timings), and then the final port opens with the key exchanged from the handshake.
Would you use that on internal LAN connections or only on external, internet-facing connections? I'm not aware (haven't checked) if any firewalls support it… not sure why?
With knockd you can execute arbitrary commands upon a port-knocking sequence, so any application that is configurable via the terminal is eligible. Here's a tutorial on knockd + iptables (1). Alternatively, there's (2), which achieves the same effect in a different way.
You can use it wherever, as part of security in depth. It’s essentially a pre-shared secret.
It'll have its largest effect on publicly facing interfaces. It does not replace having a proper SSH setup (disabling root, disabling password login, etc.).
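As an added example of the knockd + iptables setup discussed above (this is not code from the thread or from the knockd project): a small POSIX shell script that generates a fresh knock sequence (the pre-shared secret), renders a knockd door that opens sshd for the knocking address only and closes it again after a fixed time, and provides a minimal knock client. It assumes iptables is the firewall, sshd listens on port 22, and a netcat that accepts `-z` and `-w` is installed on the client; the host name `server.example` in the usage comment is a placeholder.

```shell
# Added example (not from the thread or the knockd project): a "knock to
# open, auto-close" door for sshd. Assumptions: iptables firewall, sshd on
# port 22, nc with -z/-w on the client.

# Print N random TCP ports in 10000-59999, comma-separated, as a fresh
# knock sequence (N defaults to 3). Uses /dev/urandom, not $RANDOM.
random_sequence() {
    n="${1:-3}"; i=0; out=""
    while [ "$i" -lt "$n" ]; do
        p=$(( 10000 + $(od -An -N2 -tu2 /dev/urandom) % 50000 ))
        out="${out:+$out,}$p"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Print a knockd.conf: $1 = sequence, $2 = seconds the hole stays open,
# $3 = sshd port. knockd substitutes %IP% with the knocking source address.
render_knockd_conf() {
    seq="$1"; open_for="${2:-20}"; ssh_port="${3:-22}"
    # -I (insert at the top) rather than -A (append), so the ACCEPT lands
    # above any final DROP/REJECT rule in INPUT; -D removes that exact rule.
    cat <<EOF
[options]
    UseSyslog

[opencloseSSH]
    sequence      = ${seq}
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport ${ssh_port} -j ACCEPT
    cmd_timeout   = ${open_for}
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ${ssh_port} -j ACCEPT
EOF
}

# Knock client: one TCP connection attempt per port, in order. knockd only
# needs the SYN, so refused or filtered connections are expected and ignored.
knock() {
    host="$1"; shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" 2>/dev/null || true
        sleep 0.3   # small gap so the knocks arrive in order
    done
}

# Usage (hypothetical host names):
#   on the server, as root:  render_knockd_conf "$(random_sequence)" 20 22 > /etc/knockd.conf
#   on the client:           knock server.example 7000 8000 9000 && ssh -p 22 user@server.example
```

Two checks before relying on this: the INPUT chain needs a rule accepting ESTABLISHED/RELATED traffic (e.g. `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`), otherwise the SSH session is cut when `stop_command` removes the per-IP rule after `cmd_timeout` seconds; and the sequence is a shared secret sent in the clear, so it raises the bar against scanners but, as the reply above says, is no substitute for key-only, no-root sshd.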
Thanks for the links, I’ll take a look as I’ve never actually played with port knocking.
I'm probably in the minority here. My setup is simple: I choose a good OS like Debian or Alpine to run things on, make sure it's always patched, move sshd to a nonstandard port and harden it.
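As an added example of the sshd hardening the posters keep coming back to (no root login, no password login, sshd off port 22), here is a small POSIX shell audit that reads an sshd_config and reports the settings that fall short. It is not code from the thread. It relies on two OpenSSH rules: the first occurrence of a keyword wins, and anything after a `Match` line is conditional, so only the global section is read. The defaults used when a keyword is absent are OpenSSH's (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, KbdInteractiveAuthentication yes, X11Forwarding no); the two sample configs are constructed for illustration and are not from any real host.

```shell
# Added example (not from the thread): audit an sshd_config for weak settings.
# Assumes whitespace-separated "Keyword value" lines, first occurrence wins,
# and that everything after a "Match" line is conditional and skipped.

# Print the effective global value of keyword $1 in file $2 (case-insensitive,
# comments and blank lines ignored); prints nothing if the keyword is unset.
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }           # rest of the file is conditional
        k == key { print $2; exit }     # first occurrence wins
    ' "$2"
}

# Compare the effective value of $1 against the wanted value $2, using the
# OpenSSH default $3 when the keyword is absent from $4. Prints a finding and
# returns 1 when the setting is weak, 0 otherwise.
sshd_expect() {
    key="$1"; want="$2"; default="$3"; file="$4"
    got="$(sshd_get "$key" "$file")"
    [ -n "$got" ] || got="$default"
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
        printf 'WEAK %s=%s (want %s)\n' "$key" "$got" "$want"
        return 1
    fi
    return 0
}

# Audit $1; return the number of weak settings found (0 = clean).
sshd_audit() {
    file="$1"; n=0
    sshd_expect PermitRootLogin            no  prohibit-password "$file" || n=$((n + 1))
    sshd_expect PasswordAuthentication     no  yes               "$file" || n=$((n + 1))
    sshd_expect PubkeyAuthentication       yes yes               "$file" || n=$((n + 1))
    sshd_expect KbdInteractiveAuthentication no yes              "$file" || n=$((n + 1))
    sshd_expect X11Forwarding              no  no                "$file" || n=$((n + 1))
    # A non-standard port is not a security control, so it is informational.
    port="$(sshd_get Port "$file")"
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        printf 'INFO Port=22 (consider a non-standard port to cut log noise)\n'
    fi
    return "$n"
}

# Constructed sample configs (hypothetical, not from a real host).
sample_weak_config() {
    cat <<'EOF'
# root and password logins allowed, default port
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
}

sample_hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sample_weak_config > /tmp/weak.conf; sshd_audit /tmp/weak.conf
# On a live host, audit the running daemon's effective config instead:
#   sshd -T > /tmp/effective.conf; sshd_audit /tmp/effective.conf
```

Running the audit on the weak sample reports four findings (root login, password login, keyboard-interactive left at its default, X11 forwarding) plus the port note; the hardened sample passes, and its `Match User backup` block is deliberately ignored because it only applies to that user. Auditing `sshd -T` output rather than the file is the more reliable check, since it reflects Include files and defaults as the daemon actually resolved them.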