-
Notifications
You must be signed in to change notification settings - Fork 9
Bare minimum
pyllyukko edited this page Mar 28, 2021
·
5 revisions
Just some ideas about what should be bare minimum hardening on any given Linux installation. In addition to keeping it fully patched at all times that is!! :)
- TCP wrappers
- IP stack hardening (
sysctl.conf
) - Disable IPv6 if not needed
What should it do? Just some ideas...
- Set FORWARD chain's policy to DROP
- Allow loopback traffic 127.0.0.1 <-> 127.0.0.1
- Disallow ICMP timestamp requests & responses
- Some rate limiting?
- Drop INVALID packets
- IPv6
- SSH hardening
- Make sure NTP is running
-
su
/sudo
?
- avahi-daemon
- cups
- Lock down system accounts
- Create
ftpusers
- Disable unnecessary shells
TMOUT
- Configure
securetty
- Configure
/etc/#.access
||/etc/security/access.conf
- Restrict at & cron
- Tweak password policy
- Improve password hashing & rounds
- Enable password complexity checking through passwdqc or cracklib when the distro is using PAM
Disable stuff with /etc/modprobe.d/
.
-
fstab
hardening
- System accounting (sysstat)
- Auditing
- CA certs
-
ulimit
? - Disable core dumps
- Create legal banners if needed
- Consider log retention time
- Enable YAMA