DISCLAIMER: I AM NOT AN INFOSEC EXPERT. THIS ARTICLE IS MORE OF A MEMO FOR MYSELF. IF YOU LOSE DATA OR HAVE A BREACH, I BEAR NO RESPONSIBILITY FOR IT.
Now, because of all the occasions on which I had to act as a makeshift sysadmin, I did end up reading a number of policies and picking up some advice I wanted to group in a single place, if only for my own memory.
Installation:
- Use an SELinux-enabled distro
- Use an intrusion prevention tool, such as Fail2Ban
- Configure primary and secondary DNS
- Switch away from password-protected SSH to key-based SSH log-in. Disable root login altogether (/etc/ssh/sshd_config, PermitRootLogin no). Here is an Ubuntu/OpenSSH guide.
- Remove network super-service packages
- Disable Telnet and FTP (SFTP should be used)
- Use chroot where available, notably for web servers and FTP servers
- Encrypt the filesystem
- Disable remote root login
- Disable sudo su; all root actions need to be done with sudo
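As an added example that is not part of the original memo, this small POSIX shell script checks an sshd_config for the two SSH settings listed above (no password log-in, no direct root login). The file names and sample configs are constructed for the example; it assumes OpenSSH's parsing rules (case-insensitive keywords, '#' comments, first occurrence of a keyword wins) and only inspects the global section before any Match block.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for key-based
# login only and no direct root login. Assumes OpenSSH keyword semantics:
# keywords are case-insensitive, '#' starts a comment, and when a keyword repeats
# the FIRST occurrence wins. Everything after the first "Match" line is skipped.

# effective_value <file> <keyword> <default>
# Prints the value sshd would use for <keyword>, or <default> when it is absent.
effective_value() {
    val=$(sed 's/#.*//' "$1" | awk -v key="$2" '
        tolower($1) == "match"      { exit }           # stop at per-user/host overrides
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ')
    printf '%s\n' "${val:-$3}"
}

# audit_sshd_config <file>
# Returns 0 when hardened, 1 when at least one weak setting is found.
audit_sshd_config() {
    rc=0
    # Defaults used when a keyword is absent: current OpenSSH allows root with keys
    # (old releases allowed root passwords too); password authentication is on.
    if [ "$(effective_value "$1" PermitRootLogin prohibit-password)" != no ]; then
        echo "WEAK: PermitRootLogin is not 'no' in $1"; rc=1
    fi
    if [ "$(effective_value "$1" PasswordAuthentication yes)" != no ]; then
        echo "WEAK: PasswordAuthentication is not 'no' in $1"; rc=1
    fi
    grep -qi '^[[:space:]]*Match' "$1" && echo "NOTE: Match blocks in $1, review them by hand"
    return $rc
}

# Constructed sample configs (not from a real host) to exercise the audit.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin no          # commented out, so it has no effect
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
permitrootlogin no           # keyword case does not matter to sshd
PermitRootLogin yes          # ignored: the first occurrence above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$WEAK_CFG" || echo "exit status $?"  # two WEAK lines, then 'exit status 1'
audit_sshd_config "$HARD_CFG" && echo "global section hardened"
```

Run it against the real /etc/ssh/sshd_config (and the files in sshd_config.d, if the distro uses them) after editing, and before restarting sshd.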
Audit:
- Once the server has been built, run Lynis. It will audit your system and suggest additional steps to protect your machine
- Force multi-factor authentication for root accounts, especially via SSH. Here is a tutorial from Digital Ocean.
Watching the logs:
- Tools like Cacti, Nagios, Splunk and sysstat help you monitor the logs for an intrusion
- Automated log review, with messages sent upon admin log-in
- Install psacct/acct or similar
- Install an integrity checking tool (Tripwire, AIDE, Samhain, OSSEC)
If you have more than one logging system to watch:
- Snare
- Splunk and Lucene (Elasticsearch) for log search
- LogWatch (guide from Digital Ocean), LogStash, Graylog2, Sawmill