For setting the box up securely, Lynis will give you a lot of hints: https://cisofy.com/lynis/ . It scans the current config and tells you what you must do to secure the box. It might even be in the standard repositories (sudo apt-get install lynis).
SELinux is a great tool for keeping different parts of the OS segregated. If you're new to it, install the policycoreutils-gui package and it will give you several graphical interfaces to make it easier to see everything. Boolean values will be your best friend.
Lynis is a tool that will analyze your system and give general security and consistency recommendations. Since you're talking about securing SSH, this tool has a whole list of SSH configurations that it will check and inform you which ones you should tighten up. https://cisofy.com/lynis/
Download the tarball and decompress/extract. Change into the lynis directory and run sudo ./lynis audit system
This tutorial goes through 25 items on how to make a server more secure. http://www.tecmint.com/linux-server-hardening-security-tips/
This askubuntu question will make sure no russians are logging into your server. http://askubuntu.com/questions/2271/how-to-harden-an-ssh-server
Lynis is a tool that you can use to test your server for weaknesses.
The answer when it comes to security always is: That depends.
Who or what do you want to secure your services from?
In case you'd be targeted by a state actor, an APT or similar, you most likely won't stand a chance. Defending against those kinds of threats requires counting in other attack vectors and way more in-depth security configuration, as well as active log monitoring, SIEM solutions, etc. (In that case we'd be talking about kernel configuration, service sandboxing, and a team of people that monitors your infra.)
For the more general threats:
If your config is decent and you use common sense you'll get far. 2FA is what'd instantly stop most botnets.
If you want a deeper look into your system security you could take a look at something like Lynis, which is one of the more accessible tools to assess system security.
If you want to go a really long way you can take a look here, but be cautious as this requires deeper Linux understanding. This guide includes things that can result in a broken system.
So the basic steps:
I previously used Lynis to do a complete Linux audit. It works pretty well.
After the scan, the result is stored in /var/log/lynis.log. You can get the warnings with grep Warning /var/log/lynis.log or the remediation suggestions with grep Suggestion /var/log/lynis.log. It's quite easy to use.
Lynis, formerly cisofy, is a good tool to ensure you are applying security best practices. There are lots of plugins, so look for one for each service you run on a server.
It won’t make changes itself, but it gives you direction on ways to harden the system.
Just building on this OP, you need to figure out what you want to keep secure. There are no silver bullets, just mitigations that, stacked on top of each other, can stop certain kinds of attacks.
Fwiw, you can make Manjaro significantly more secure than it comes stock. A hardened kernel, good firewall rules, SELinux or other mandatory access control system, Secure Boot, disk encryption, etc. Maybe check out lynis and its recommendations?
If you need to do more security sensitive stuff only some of the time, you can still make Qubes' idea of disposable VMs a reality in basically any distro these days thanks to KVM. Just bring up a VM, do your stuff, then delete it. It's not quite as smooth as Qubes and it's harder to get things like USB and network firewalling configured correctly, but it's not impossible.
Try > https://cisofy.com/lynis
>Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and available since 2007.
If it isn't going to be used as a server, luks and a good firewall will cover 99% of your worries. ArpON service, from the blackarch repo, is good to protect against man in the middle attacks. Depending on level of paranoia check out linux-grsec or linux-pax kernels. Check out https://cisofy.com/lynis/
One easy place to start is to use a tool like Lynis and additionally get any relevant OpenSCAP policies.
The act of going through those things will open a portal to this whole world.
But to stay super basic, you have to think about 1) your surface area, and 2) attack vectors against that surface area. And never discount lateral travel in your DC; e.g. if you don't expose 22 to the internet and use weak passwords, that won't save you when your fish tank temp monitor is compromised and the attack comes from inside your LAN.
If you put in the yum security updates, you're probably in good shape. Use Lynis or Suricata if you want to scan your own system for problems, and use nmap to see what sort of network access you're allowing. CIS benchmarks are also a good place to find hardening tips.
CIS: https://www.cisecurity.org/cis-benchmarks/
Suricata: https://suricata-ids.org/download/
Lynis: https://cisofy.com/lynis/
Thanks for the reference... I'll check it out. Today I was playing with Lynis a bit, which fits into the "posture checking" category. The freeware version (search "Lynis" in Brew) works pretty well out of the box. However, I think to meet some of these compliance requirements I'll need it to phone home, so I may be looking at the pro version, or something similar. Thanks again.
You might take a look at Lynis, which does automated security assessments like that.
You could also look at the OpenSCAP tools for Linux, which have templates based on the NIST hardening requirements to show which controls are in place and which aren't. They're a pain to customize, but provide a good starting place for auditing tools.
There are quite a few things you can do, as there are different levels of hardening you may wish to. Please search for it, but don't get scared off. To get you started, here are a couple of things I've done. Go at your pace.
editing the /etc/ssh/sshd_config file to remove root from accessing via ssh, removing password access & using keys only, change default ssh port
disabling any open ports that are unneeded (use something like sshguard or fail2ban)
use a firewall
carefully allow sudo to do only the absolutely necessary things
be mindful of how you secure WordPress or any other similar apps
and run lynis to check the security at a deeper level ( https://cisofy.com/lynis/ )
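A small self-check for the sshd_config items in the list above (root login, keys-only authentication, default port), written for this page as an added example: it is not Lynis code and the sample config is constructed. It applies sshd's own first-match rule and compiled-in defaults before reporting, since a commented-out line still leaves the default in force.

```python
"""Mini sshd_config hardening check (added example, not Lynis code).
Like sshd, keywords are case-insensitive and the FIRST occurrence of a keyword
wins, so a directive in an Include'd drop-in that sshd reads first overrides a
later one; this toy does not follow Include lines (known limitation)."""
import re
from typing import Dict, List

# Constructed sample resembling a stock Ubuntu sshd_config (not from the thread).
SAMPLE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
KbdInteractiveAuthentication no
"""

# sshd's compiled-in defaults, used when a keyword is absent or commented out.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map (keywords lower-cased)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank line or commented-out directive
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())  # first wins
    return {**DEFAULTS, **effective}

def check_sshd_config(text: str) -> List[str]:
    """Return hardening suggestions; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{cfg['permitrootlogin']}'; set it to 'no'")
    if cfg["passwordauthentication"] != "no":
        findings.append(f"PasswordAuthentication is '{cfg['passwordauthentication']}'; "
                        "set it to 'no' and log in with keys only")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off; keys-only login needs it on")
    if cfg["port"] == "22":
        findings.append("Port is the default 22; consider a non-default port")
    return findings

if __name__ == "__main__":
    print("\n".join("* " + f for f in check_sshd_config(SAMPLE_CONFIG)) or "no findings")
```

Run it against a real file with `check_sshd_config(open("/etc/ssh/sshd_config").read())`; remember that drop-ins under sshd_config.d are not followed here, so check those by hand.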
virtual barriers is what? I will definitely make a diagram of the network.
By lynis I mean https://cisofy.com/lynis/
I have a VPN and port 443 open to the public, something to worry about?
So I've just installed Lynis and run a lynis audit system
...
* Consider hardening system services [BOOT-5264] - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service https://cisofy.com/lynis/controls/BOOT-5264/
Almost ALL of them are "UNSAFE". How can an Ubuntu server be that bad from a fresh install?!
Then the link leads to...
>A new discovery!
>
>Oops, looks like this control is not listed yet in the database.
>
>Want to help the community and get this control added? Share your discovery and we will add the information.
Excuse me while I go set fire to my homelab and concentrate on gardening instead...
Disabled it's not: you can access it if you set a password on the first hand (I highly recommend setting it though (sudo passwd root), it's a requirement to access recovery mode to solve issues in case of)
If you happen to use cron (certbot does, for ex.), set up an email server so that in case of failed jobs it will send you an email automatically to let you know.
Using Fail2Ban is a great thing, as is restricting SSH auth to only keypairs and not passwords.
And I suggest you run Lynis as it's a more in-depth security audit.
Can just say that it won't work that way: e.g. a super-secure and hardened OS can be hacked via some publicly available vulnerable web app.
As a general recommendation: for Linux-like OS just use Lynis and try to follow the instructions that seem sane to you. And follow the security recommendations for the particular apps deployed.
The repo managers are checking for malware in the main repos so you don't have to. Why would you scan files in realtime that have already been checked by a large community?
That said, you can never be too safe. I also was once a nervous Windows user. Here's what I do:
Great stuff dat720,
I don't see any that will determine which OS (CentOS or Ubuntu) and take action appropriate for the OS listed but I'll definitely have a look at those for ideas as well as scripts that work for Ubuntu.
I am familiar with CIS and will be referring to the benchmarks in my course as well as to tools like Lynis:
Thanks again.
It's an important question, what I do is follow the guides that are generated by https://cisofy.com/lynis/#introduction after running this on your server.
It will basically (after you install some secondary tools that will be suggested to you) run some scans and audits on your system.
I agree with rkhunter, consider tripwire,
Anti-virus:
ClamAV or a commercial alternative
Rootkit detection:
Chkrootkit, Rootkit Hunter, OSSEC
Malware detection:
LMD
Run this audit on your Linux box https://cisofy.com/lynis/ It's a basic automatic audit for servers.
Also security is relative.
In lots of cases some sort of script to go back and check your settings is a good place to start.
Lynis is an open source security auditing tool https://cisofy.com/lynis/
Microsoft Baseline Security Analyzer 2.3 http://www.microsoft.com/en-us/download/details.aspx?id=7558
Check out auditd, which is a user space utility for managing and logging using kernel file and syscall audit capabilities.
http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
If you're looking for a configuration audit, check out Lynis.
Why go for boring documents, while there are tools out there which help you to do it faster? First, get the low hanging fruit solved, then start reading up a little bit more about the more advanced areas.
Just following a checklist is not always best, you still have to make an informed decision on what to harden. That's why there is not a "best" guide, as you have to combine tips from several of them, to ensure you have a good and safe running system.
Disclaimer: I'm the author of Lynis, an auditing tool for Linux systems. It's open source and free to use. Never hurts to try, right? :)
BTW you can allow access with only your IP address on SSH/SFTP with this addition to iptables: iptables -A INPUT -p tcp -s Your_Ip_Goes_here -m tcp --dport 22 -j ACCEPT
You may also want to check out Lynis. It will scan your system and give you some tips on what you can change to secure your system.
Unfortunately, since your server was hacked you must reinstall/reimage it.