What are your methods to harden *nix servers? (infosec.pub)

submitted 1 month ago by fishynoob@infosec.pub to c/cybersecurity@infosec.pub

8 comments fedilink hide all child comments

I have been looking at hardening *nix servers for my lab and maybe carry some of that over to work. CIS benchmarks are something I like doing but that's barely scratching the surface. What do you do for your servers?

I have Lynis, systemd-analyze, Kernel self protection in mind but I'd love to hear your thoughts. Bonus points for the most paranoid setups!

you are viewing a single comment's thread
view the rest of the comments

[-] Cyber@feddit.uk 2 points 1 month ago

Would you use that on internal LAN connections or only external internet facing connections? I'm not aware (not checked) if any firewalls support it... not sure why?

[-] iii@mander.xyz 3 points 1 month ago* (last edited 1 month ago)

With knockd you can execute arbitrary commands upon a port knocking sequence. So any application that is configurable via terminal is eligible. Here's a tutorial of knockd+iptables (1). Alternativly there's (2) that achieves the same effect in a different way.

You can use it wherever, as part of security in depth. It's essentially a pre-shared secret.

It'll have it's largest effect on publicly facing interfaces. It does not replace having a proper ssh setup (disabling root, disabling password login, etc).

[-] Cyber@feddit.uk 2 points 1 month ago

Thanks for the links, I'll take a look as I've never actually played with port knocking.

this post was submitted on 19 Apr 2025

5 points (77.8% liked)

cybersecurity

4387 readers

12 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 2 years ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub