Linux Security

From miki
Revision as of 05:42, 8 June 2016 by Mip (talk | contribs) (→‎SSH)
Jump to navigation Jump to search

Anything about security on linux. When topics are already covered in other pages, give links to them.

Setting umask

Default setting for umask on Ubuntu / Debian is 022, meaning all created files / folders are by default world readable.

To change the defaults (see [1]) to 027:

Add to /etc/sudoers: 

Defaults umask = 0027
Defaults umask_override

Edit /etc/login.defs: 

UMASK       027

Firewall

With UFW

TBC

With iptables

List the firewall rules 

iptables -L

Stop the firewall: 

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Server hardening

Assume server name is myserver.org.

SSH

PasswordAuthentication

Disable password authentication since it is prone to brute-force attacks. Edit /etc/ssh/sshd_config: 

PasswordAuthentication no
DebianBanner

Test if sshd sends a banner [2]: 

nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C

Edit /etc/ssh/sshd_config, and add the line: 

DebianBanner no

Restart and verify the banner: 

service sshd restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
Retrieved from "https://miki.immie.org/mediawiki/index.php?title=Linux_Security&oldid=8282"