-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 06/17/2014 02:09 PM, Zack Weinberg wrote:
> Tor relays get pounded on by the script kiddies -- a degree of hardening is appropriate. I don't know if there are any stock Puppet "tighten security" modules but these are the things that I remember
I don't have any Puppet modules or Chef recipes, but I do have a Git repo of some basic hardened Ubuntu config files (v12.04 and v14.04) that might be a good place to start:
https://github.com/virtadpt/ubuntu-hardening
> - install fail2ban and ufw; firewall incoming traffic to ports
> other than 9001, 9030, and 22 (ssh) (I don't think the marginal benefit of moving ssh to a nonstandard port is worth the hassle).
I do both on some of my machines and it's helped a lot. It definitely cut down on the "portscan the box, resume pounding on SSH like woodpeckers on meth."
> - install logcheck and nullmailer; set /etc/nullmailer/adminaddr
> and /etc/nullmailer/remotes to values assigned in Puppet configuration; symlink /etc/nullmailer/helohost to /etc/hostname. (ufw and sshd will emit a great deal of chatter due to people knocking on the machine. I have custom ignore.d.server files to shut them up - basically I've set it to mail me only on *successful* logins. Let me know if you want 'em.)
I'm curious; never used nullmailer before though I do use logcheck pretty heavily.
> - install unattended-upgrades and configure it to auto-upgrade
> everything. Unfortunately, the unattended-upgrades documentation is at pains to avoid explaining how to do that; this is what I have in
`sudo dpkg-reconfigure -plow unattended-upgrades`
--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Sometimes the only thing more dangerous than a question is an answer.
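The three pieces Zack lists (ufw limited to 22, 9001 and 9030; logcheck ignore rules so that only successful logins get mailed; unattended-upgrades set to upgrade everything rather than just -security) as a single added example script. It is not code from the thread, from the ubuntu-hardening repo, or from anyone's ignore.d.server files. It stages the files under a scratch directory and only prints the ufw commands, so it can be reviewed before anything is copied to / as root. The port numbers come from the thread; the hostname relay1, the regex patterns, the file name relay-noise and the sample log lines are assumptions. nullmailer is not covered.

```shell
#!/bin/sh
# Added example, not code from the thread or the ubuntu-hardening repo.
# Stages relay-hardening config into a scratch directory for review:
# ufw rules (printed, not run), logcheck ignore rules, unattended-upgrades.
set -eu

SSH_PORT=22
OR_PORT=9001     # Tor ORPort, from the thread
DIR_PORT=9030    # Tor DirPort, from the thread

# Print (do not execute) the ufw commands: default-deny incoming, then allow
# only the three service ports.
ufw_commands() {
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    for p in "$SSH_PORT" "$OR_PORT" "$DIR_PORT"; do
        printf 'ufw allow %s/tcp\n' "$p"
    done
    printf 'ufw --force enable\n'
}

# Write APT config under "$1" that auto-upgrades every pocket of the running
# release. The stock Ubuntu 50unattended-upgrades enables -security only.
write_unattended_conf() {
    mkdir -p "$1/etc/apt/apt.conf.d"
    cat > "$1/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$1/etc/apt/apt.conf.d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Write a logcheck ignore file under "$1" that drops failed SSH logins and
# ufw block messages, so successful logins are still reported. The regexes
# are assumed, written in logcheck's extended-regex, whole-line style.
write_logcheck_ignore() {
    mkdir -p "$1/etc/logcheck/ignore.d.server"
    cat > "$1/etc/logcheck/ignore.d.server/relay-noise" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed password for (invalid user )?[^[:space:]]+ from [[:xdigit:].:]+ port [[:digit:]]+ ssh2$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+\] \[UFW BLOCK\] .*$
EOF
}

# Return 0 if log line "$2" would be dropped by the ignore file under "$1",
# using the same grep -E -f matching logcheck applies to ignore rules.
line_is_ignored() {
    printf '%s\n' "$2" | grep -E -q -f "$1/etc/logcheck/ignore.d.server/relay-noise"
}

# Constructed sample log lines (not real captures).
FAILED_LOGIN='Jun 17 14:09:01 relay1 sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2'
UFW_BLOCK='Jun 17 14:09:03 relay1 kernel: [123456.789012] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=TCP DPT=23'
ACCEPTED_LOGIN='Jun 17 14:10:22 relay1 sshd[2150]: Accepted publickey for tor from 198.51.100.4 port 40122 ssh2'

# Stage everything and show which sample lines would still reach the admin.
STAGE="$(mktemp -d)"
write_unattended_conf "$STAGE"
write_logcheck_ignore "$STAGE"
ufw_commands
for line in "$FAILED_LOGIN" "$UFW_BLOCK" "$ACCEPTED_LOGIN"; do
    if line_is_ignored "$STAGE" "$line"; then
        printf 'ignored:  %s\n' "$line"
    else
        printf 'reported: %s\n' "$line"
    fi
done
printf 'Staged under %s; review, then copy to / as root.\n' "$STAGE"
```

Run it as an unprivileged user; it never touches /etc. The failed-login and UFW BLOCK lines are swallowed by the ignore file while the "Accepted publickey" line is still reported, which is the "mail me only on successful logins" behaviour Zack describes. The ufw rules print rather than apply so the allow list can be checked against the relay's actual ORPort and DirPort before enabling a default-deny policy on a remote box.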