
On 06/17/2014 02:09 PM, Zack Weinberg wrote:
> Tor relays get pounded on by the script kiddies -- a degree of hardening is appropriate. I don't know if there are any stock Puppet "tighten security" modules but these are the things that I remember
I don't have any Puppet modules or Chef recipes, but I do have a Git repo of some basic hardened Ubuntu config files (v12.04 and v14.04) that might be a good place to start: https://github.com/virtadpt/ubuntu-hardening
> - install fail2ban and ufw; firewall incoming traffic to ports other than 9001, 9030, and 22 (ssh) (I don't think the marginal benefit of moving ssh to a nonstandard port is worth the hassle).
I do both on some of my machines and it's helped a lot. It definitely cut down on the "portscan the box, resume pounding on SSH like woodpeckers on meth."
> - install logcheck and nullmailer; set /etc/nullmailer/adminaddr and /etc/nullmailer/remotes to values assigned in Puppet configuration; symlink /etc/nullmailer/helohost to /etc/hostname. (ufw and sshd will emit a great deal of chatter due to people knocking on the machine. I have custom ignore.d.server files to shut them up - basically I've set it to mail me only on *successful* logins. Let me know if you want 'em.)
I'm curious; never used nullmailer before though I do use logcheck pretty heavily.
> - install unattended-upgrades and configure it to auto-upgrade everything. Unfortunately, the unattended-upgrades documentation is at pains to avoid explaining how to do that; this is what I have in
`sudo dpkg-reconfigure -plow unattended-upgrades`

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Sometimes the only thing more dangerous than a question is an answer.
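The checklist quoted above, as an added example that is neither Zack's nor The Doctor's configuration: a POSIX shell script that emits the ufw rule set for ORPort 9001, DirPort 9030 and ssh, and writes the unattended-upgrades and nullmailer files into a prefix directory so it can be dry-run unprivileged. The admin address and smarthost are placeholders, and the one-line `host smtp` form of nullmailer's remotes file is the minimal form assumed here.

```shell
#!/bin/sh
# Added example, not the thread's own config: builds the relay hardening pieces
# Zack lists under a prefix so it runs unprivileged; copy the tree to / on the relay.
set -eu
# Ports the thread says must stay reachable on a Tor relay: ssh, ORPort, DirPort.
RELAY_PORTS="22 9001 9030"

# Print the ufw commands for "default deny; allow only the relay ports".
ufw_rules() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    for p in $RELAY_PORTS; do
        printf 'ufw allow %s/tcp\n' "$p"
    done
    printf 'ufw --force enable\n'
}

# unattended-upgrades: Allowed-Origins must list more than -security to
# "auto-upgrade everything", and 20auto-upgrades schedules the daily run.
write_unattended_upgrades() {
    dest="$1/etc/apt/apt.conf.d"
    mkdir -p "$dest"
    cat > "$dest/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};
EOF
    cat > "$dest/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# nullmailer: adminaddr and remotes from $2/$3 (placeholders in the dry run),
# helohost symlinked to /etc/hostname as the thread describes.
write_nullmailer() {
    dest="$1/etc/nullmailer"
    mkdir -p "$dest"
    printf '%s\n' "$2" > "$dest/adminaddr"
    printf '%s smtp\n' "$3" > "$dest/remotes"   # minimal "host protocol" form
    ln -sf /etc/hostname "$dest/helohost"
}
# Dry run: build the tree in a scratch directory and show the ufw commands.
if [ "${1:-}" = "--dry-run" ]; then
    tree=$(mktemp -d); write_unattended_upgrades "$tree"
    write_nullmailer "$tree" "relay-admin@example.invalid" "smtp.example.invalid"
    ufw_rules; echo "config tree written under $tree"
fi
```

Run it with `--dry-run` to inspect the generated tree before applying anything; the `ufw` commands are printed rather than executed so they can be reviewed first.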