See this comment from 2019: https://news.ycombinator.com/item?id=19178938
I will leave you with this line from README.md:
>I am not as knowledgeable about hardening/securing a Linux kernel as I'd like. As much as I hate to admit it, I do not know what all of these settings do.
"Linux Kernel Hardening Checker" (2023), https://news.ycombinator.com/item?id=37709349
A practical and real example: "Some robber invades a home and steals the server (containing IMPORTANT business backups, personal memories and blablabla). There is no disk/boot encryption. The robber starts the server in their 'safe zone' and starts a brute-force attack. He cracks the local password over SSH for the sudoer user 'admin'; yes, a dummy password, not THE strong/primary one. He starts an SSH session (or a physical session) with that cracked dummy/panic password as the 'admin' sudoer. In less than 2 minutes he notices the server seems far too busy, until it freezes.. 'wtf!?! let's reboot and continue stealing info..'.. sorry friend, all data and the system were destroyed." Conclusion: the robber cracked the dummy/panic/secondary password, and a script associated with this password deletes all files, config, system and boot, and after that loads the RAM and CPU to force the robber to reboot the system.
That's...not a scenario I've focused on for my personal assets, and I'd be more worried about the duress password getting triggered by a random over-the-network brute force and losing my data, but to each his/her own. There might be other instances in the how-to, I didn't read it all.
Use e.g. a current version of `install` to create files atomically with the correct permissions.
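As an added example (not from the thread), here is what that looks like in POSIX shell with GNU coreutils: the naive write-then-chmod, which under the default umask briefly leaves the file world-readable, beside the install(1) form; `naive_write`, `safe_write`, `mode_of` and the sample contents are my own constructions.

```shell
#!/bin/sh
# Added example: create a secret file (an authorized_keys, a spiped key, ...)
# with the right mode from the start. Assumes GNU coreutils on Linux.

# Naive pattern: with the usual umask 022 the file is created 0644 and stays
# world-readable until chmod runs; NAIVE_MODE_BEFORE_CHMOD records that window.
naive_write() {                # naive_write DEST CONTENT
    printf '%s\n' "$2" > "$1"
    NAIVE_MODE_BEFORE_CHMOD=$(stat -c '%a' "$1")
    chmod 0600 "$1"
}

# Safer pattern: stage the content in a mktemp file (created 0600), then let
# install(1) create the destination. GNU install creates the target with
# owner-only access first and only then applies -m, so the file is never
# more open than requested.
safe_write() {                 # safe_write DEST CONTENT [MODE]
    dest=$1; content=$2; mode=${3:-0600}
    tmp=$(mktemp) || return 1
    printf '%s\n' "$content" > "$tmp"
    install -m "$mode" "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# mode_of FILE: the octal permission bits, e.g. 600
mode_of() { stat -c '%a' "$1"; }
```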
Might be possible on other systems with a fingerprint reader and TPM, https://news.ycombinator.com/item?id=36920105
https://www.yubico.com/products/yubikey-bio-series/
(And I'm sure they're not the only company who makes such devices, they're just the one I'm familiar with myself.)
Require a touch to sign, put a password on the key if you're paranoid, and if you're really paranoid disconnect the YubiKey when not in use.
The most glaring one is the recommendation to use `rng-tools`, which has not been needed for the past couple of years.
It was written 6 years ago, and at that point it probably was not great either?
Patch, backup, use keys for remote access (rather than passwords) and you will win the security game.
It's pretty simple, but everyone hates the basics and would rather obsess over advanced nation state actors and other similar bullshit.
That's like worrying about being bitten by a Black Mamba and not wearing a seat belt while driving a car.
Please stop recommending fail2ban for securing/hardening servers and applications.
It is mentioned even in its own readme that:
> Though Fail2Ban is able to reduce the rate of incorrect authentication attempts, it cannot eliminate the risk presented by weak authentication.
It provides a false sense of security.
fail2ban only makes sense where sane defaults cannot be applied (password auth, no MFA, etc.) in some very special (and justifiable) cases, but regular self-hosters really shouldn’t host these applications. If you are targeted by a serious attacker, fail2ban’s “protection” can be easily bypassed with a large enough botnet, or simply moving on with exploiting another vulnerability/attack vector.
Good security is about having multiple layers of defense. Fail2Ban protection is one of those layers.
You can use the built-in firewall for that (`ufw limit ssh`).
> I've had friends that setup a small VPS and they've been hammered by bots, which can use a lot of resource on a £5/£10 VPS.
`ufw limit ssh` solves this as well, performant, efficient, nothing else needed than the built-in firewall. If you are targeted by a botnet, fail2ban will solve nothing.
> Good security is about having multiple layers of defense. Fail2Ban protection is one of those layers.
Let me quote again the readme of fail2ban: "Set up services to use only two factor, or public/private authentication mechanisms if you really want to protect services."
True defense in depth means choosing effective layers, not putting arbitrary layers on top of each other. Defense in depth doesn't mean every possible layer is good.
You want layers that meaningfully improve your security posture without adding unnecessary complexity or false confidence.
One universal truth I've learned in security is that regardless of what you do, someone will always very loudly tell you how wrong you are.
> the best modern laptops I have found are the Dell Latitude/Precision laptops with an Intel vPro Enterprise CPU. The second best group of laptops I have found are modern Lenovo Thinkpads with Intel vPro Enterprise or AMD Ryzen Pro CPUs. These are relatively easy to acquire and share these common security properties.. [firmware protection, custom CA, memory encryption, SMM mitigation, DRTM, microcode updates]
Run SSH behind some layer. Some people use Wireguard, and that's okay, I prefer spiped [1] because I can run it as an unprivileged user in a fully hardened systemd unit [2], and I can use ProxyCommand in my ssh_config, which makes it transparent: no need to be constantly on a VPN or to turn it on, I just ssh.
This guide recommends two-factor authentication, which IMHO is overkill and lowers your server reliability by using some random pam authentication modules. Also your spiped key (or your wireguard key) can be considered a second factor authentication.
And a second independent layer lowers the probability of being vulnerable to a 0-day vulnerability in SSH [3] or to Jia Tan [4].
fail2ban means you have a daemon running as root, parsing random logs and modifying your firewall rules... Yikes... [5] If you're concerned about bruteforce bots, they'll go away as soon as SSH is behind something. Also with that layer, you don't need to make your firewall dynamic.
[1] https://www.tarsnap.com/spiped.html
[2] https://ruderich.org/simon/notes/systemd-service-hardening
[3] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....
[4] https://en.wikipedia.org/wiki/XZ_Utils_backdoor
[5] Yes I know, you can run it as a user and modify the firewall rules with a custom SUID script. But nobody does this; actually this guide doesn't do this at all, it just runs everything as root!
Spipe/vpn makes it so you cannot just connect via any machine, which sometimes is not helpful.
For example, a large part of this document is IDS-related. There are long parts on AIDE, fail2ban etc. But all these tools do is provide a lot of data. You still need to make useful use of that data. That requires you to actually understand this stuff. That's not a five minute job. Whereas changing to the Mozilla recommended cryptos is trivial. As a beginner who might want to read these tutorials, you won't know the difference.
Some recommendations are a bit exclusive, too. If you run the other one, you likely won't need fail2ban. Just as most people use chrony instead of ntpd these days. And there's nothing on mandatory access control, such as SELinux, RBAC or AppArmor, or the various eBPF-based things that have dominated Linux for the past decade.
Perhaps more useful would be a paragraph or two about how access control works on Linux and the tools to use for it, just so you know what you're aiming for. The old-school way of deploying server applications on Unix is to give every application a unique uid and, if possible, run it in a chroot. That's trivial and will go a long way; systemd already has configuration options for it.
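As an added example (not from the thread), a small POSIX shell audit that checks a unit file for the systemd settings that give a service its own uid and a chroot-like, read-only view of the system, run over a "weak" and a "hardened" sample unit; the two sample units, `/srv/app`, `app-user` and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a systemd unit for "own uid + confinement" directives.
# Sample units, /srv/app and app-user are constructed placeholders.

# directive|why it matters (User= is also satisfied by DynamicUser=yes)
REQUIRED='User|run under a dedicated unprivileged uid, never root
RootDirectory|chroot-like filesystem view for the service
ProtectSystem|mount /usr and /boot (strict: all but /dev /proc /sys) read-only
NoNewPrivileges|no privilege gain via setuid/setcap binaries
CapabilityBoundingSet|drop capabilities; an empty value drops them all'

# audit_unit FILE: print each missing directive; return the number missing.
audit_unit() {
    missing=0
    while IFS='|' read -r key why; do
        [ -n "$key" ] || continue
        if [ "$key" = User ] &&
           grep -Eq '^[[:space:]]*DynamicUser[[:space:]]*=[[:space:]]*(yes|true|1)' "$1"; then
            continue
        fi
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$1"; then
            echo "missing: $key=  ($why)"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    return "$missing"
}

# write_sample_units DIR: a typical "everything as root" unit and a hardened one.
write_sample_units() {
    cat > "$1/weak.service" <<'EOF'
[Service]
ExecStart=/srv/app/bin/app
EOF
    cat > "$1/hardened.service" <<'EOF'
[Service]
User=app-user
Group=app-user
RootDirectory=/srv/app
# ExecStart is resolved inside RootDirectory, i.e. /srv/app/bin/app
ExecStart=/bin/app
ProtectSystem=strict
NoNewPrivileges=yes
CapabilityBoundingSet=
PrivateTmp=yes
EOF
}
```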
It allows you to generate ansible or bash scripts for execution.
If you install OpenSCAP it comes with built-in policies, but it's always out of sync with the current version of Ubuntu, which is frustrating the first time around.
For every version of Ubuntu, the default policies do not work; e.g. in the case of Ubuntu 24.04, I need to download and build the content myself:

    git clone https://github.com/complianceascode/content.git
    cd content/ && ./build_product ubuntu2404 && cd ..
    # Run either of the following commands:
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_server --results arf1.xml --report report1.html content/build/ssg-ubuntu2404-ds.xml
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --results arf2.xml --report report2.html content/build/ssg-ubuntu2404-ds.xml
shakna•15h ago
[0] https://www.debian.org/doc/manuals/securing-debian-manual/in...