On 11/24/2014 4:09 PM, Libertas wrote:
I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early.
Thank you for sharing.
There may be mixed opinions about using a resource like this, but the NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5 [0] covers a great deal of areas that can apply to other distros. Much of it appears to be included in the Debian documentation (which I believe the .pdf also references).
One might consider fwknop [1] to require single packet authorization (SPA) before the target ssh port is opened for you, and only for a few seconds. Sure, moving your ssh to a non-standard port makes for clean logs, but having the port closed to all unless validated through SPA can present a significant hurdle for a more dedicated adversary.
I've heard of a lot of people using fail2ban but not csf [2]; however, nobody has really weighed in on why. There are ways of integrating fwknop with csf. I'd be happy to share more info by request.
Also, let us not forget standard access restriction layers like tcpwrappers, and PAM + /etc/security/access.conf for ssh.
[0] https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
[1] https://www.cipherdyne.org/fwknop/
[2] http://configserver.com/cp/csf.html (http link because of invalid ssl cert)
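As an added illustration of the PAM access.conf and tcpwrappers layers mentioned in the reply above (example configuration, not part of the original message or of any project's documentation): restrict sshd so that only root and one administrative group may log in, and only from a single management network. The network 192.168.10.0/24 and the group name "admins" are assumed placeholders; substitute your own values.

```conf
# /etc/pam.d/sshd
# Add or uncomment this line so sshd consults access.conf during the
# account phase. Keeping it only in the sshd stack (not common-account)
# limits the rules below to ssh logins.
account  required  pam_access.so

# /etc/security/access.conf
# Format: permission : users/groups : origins
# Evaluated top-down; the first matching line decides.
# Console logins stay allowed in case this file is later used by other
# PAM stacks as well.
+ : ALL : LOCAL
# root and members of the (assumed) "admins" group, only from the
# (assumed) management network 192.168.10.0/24.
+ : root (admins) : 192.168.10.0/24
# Everyone else, from anywhere, is denied.
- : ALL : ALL

# /etc/hosts.allow   (tcpwrappers; consulted before hosts.deny)
# Same management network, written as net/mask for older libwrap builds.
sshd : 192.168.10.0/255.255.255.0

# /etc/hosts.deny
sshd : ALL
```

Two caveats when applying this: the tcpwrappers rules only take effect if sshd was linked against libwrap (check with `ldd "$(command -v sshd)" | grep libwrap`), and the pam_access rules only take effect if the `account` line above is actually present in the sshd PAM stack. Keep an existing ssh session open while testing a second one from both an allowed and a denied address, so a mistake in either file does not lock you out of the host.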