Introduction to Cybersecurity Best Practices

As a system administrator, I understand the importance of implementing robust cybersecurity measures to protect virtual machines (VMs) from potential threats. In this blog post, I will outline my approach to cybersecurity, including the tools and configurations I use to secure my VMs. My goal is to provide a comprehensive overview of my cybersecurity strategy, and to inspire readers to evaluate their own security posture and consider implementing similar measures.
Choosing the Right Linux Distribution
When setting up a new VM, I choose a well-established Linux distribution, such as Debian or CentOS Stream. The choice between these two distributions depends on the specific use case. If the VM will be running a user-facing service, I prefer CentOS Stream due to its built-in SELinux support. SELinux adds a layer of mandatory access control that confines each service to the files, ports and operations its policy allows, which limits what an attacker can do even after exploiting a vulnerability in that service. For internal services, I opt for Debian, as it is a more straightforward distribution to manage and maintain. However, I must note that CentOS with SELinux can be more troublesome to work with, especially for those who are not familiar with its intricacies.
Configuring the Firewall
I configure nftables manually to define custom rules and ensure the firewall is properly configured. I restrict SSH access to only my IP address using nftables and Proxmox. This is done to reduce the attack surface and prevent unauthorized access to my VMs. Additionally, I utilize Nebula to create a private overlay network, allowing me to SSH into my VMs securely. Nebula provides an additional layer of encryption and authentication, making it more difficult for attackers to intercept or manipulate my SSH connections.
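The following script is an added example of the kind of nftables ruleset described above; it is not the post's own configuration. It keeps a default-drop input policy, accepts SSH only from one administrator address or from the Nebula overlay interface, and applies nothing unless run with --apply. The admin address 203.0.113.10 (a documentation range), the interface name nebula1, the Nebula UDP port 4242 and the service ports 80/443 are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that restricts SSH to one admin
# address plus the Nebula overlay, and apply it only when asked to.
# Assumptions (not from the original post): 203.0.113.10 as the admin address,
# nebula1 as the overlay interface, UDP 4242 as Nebula's transport port,
# TCP 80/443 as the user-facing service.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
NEBULA_IF="${NEBULA_IF:-nebula1}"
NEBULA_PORT="${NEBULA_PORT:-4242}"
RULESET_FILE="${RULESET_FILE:-/etc/nftables.conf}"

# Accept only a dotted-quad IPv4 address, so nothing taken from the
# environment can be spliced into the ruleset as extra nft syntax.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # each octet must be 0-255; split in a subshell so IFS is left untouched
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Print the ruleset for the given admin address.
render_ruleset() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "render_ruleset: invalid admin IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Nebula overlay transport (assumed default port)
        udp dport $NEBULA_PORT accept
        # SSH: only from the admin address or over the overlay interface
        ip saddr $ip tcp dport 22 accept
        iifname "$NEBULA_IF" tcp dport 22 accept
        # user-facing service ports
        tcp dport { 80, 443 } accept
        # everything else hits the drop policy; keep a rate-limited sample in the log
        limit rate 5/minute log prefix "nft-drop: "
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Sanity check before applying: exactly two rules should accept TCP port 22
# (admin address and overlay interface).
ssh_rule_count() {
    render_ruleset "$1" | grep -c 'tcp dport 22 accept'
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(ssh_rule_count "$ADMIN_IP")" -eq 2 ] || { echo "unexpected SSH rule count" >&2; exit 1; }
    render_ruleset "$ADMIN_IP" > "$RULESET_FILE" || exit 1
    # nft -c parses the file without loading it; only load if that passes
    nft -c -f "$RULESET_FILE" && nft -f "$RULESET_FILE"
fi
```

Without arguments the script only defines functions, so `sh nft-ssh.sh --apply` is the operational step. The input validation matters because the admin address is taken from the environment: a value such as "203.0.113.10; flush ruleset" is rejected before it can reach the ruleset.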
Hardening SSH
To further secure my VMs, I harden the SSH configuration by disabling features like agent forwarding and TCP forwarding. I also set the log level to VERBOSE to monitor SSH activity and limit the number of authentication attempts to prevent brute-force attacks. My SSH configuration includes the following settings:
AllowAgentForwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
HostbasedAuthentication no
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 2
PermitEmptyPasswords no
PermitRootLogin no
TCPKeepAlive no
X11Forwarding no
AllowUsers admin
These settings are designed to prevent common SSH-based attacks and reduce the risk of unauthorized access to my VMs.
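Settings like these drift over time (a package upgrade, a stray Include file, a colleague's quick fix), so the review step mentioned later in the post needs a way to confirm the hardened values are actually in effect. The script below is an added example of such a check and is not part of the original post: it compares the effective sshd configuration against the baseline listed above and prints each deviation. On a live host the effective configuration comes from `sshd -T`; here a constructed sample file with two deliberate deviations stands in for it so the script runs offline.

```shell
#!/bin/sh
# Added example: audit sshd settings against the hardening baseline from the
# post and report drift. Not the post's own script.
# Assumption: on a live host `sshd -T` provides the effective configuration;
# offline, a constructed sample file stands in for it.

# Baseline: one "keyword expected-value" pair per line. Keywords are lower
# case because that is how `sshd -T` prints them.
BASELINE='allowagentforwarding no
allowtcpforwarding no
clientaliveinterval 300
clientalivecountmax 0
hostbasedauthentication no
loglevel VERBOSE
maxauthtries 3
maxsessions 2
permitemptypasswords no
permitrootlogin no
tcpkeepalive no
x11forwarding no
allowusers admin'

# Normalise a config dump: drop comments (values containing '#' are not
# expected here), trailing and leading whitespace and blank lines, collapse
# whitespace runs, lower-case the keyword. Works on `sshd -T` output and on a
# raw sshd_config (Match blocks and Include are not expanded for the latter).
normalize_config() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' \
        -e '/^$/d' -e 's/[[:space:]][[:space:]]*/ /g' "$1" |
    awk '{ $1 = tolower($1); print }'
}

# Print one line per deviation: "keyword expected=X actual=Y".
# An absent keyword is reported as actual=<unset>.
audit_sshd() {
    normalized=$(normalize_config "$1")
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(printf '%s\n' "$normalized" |
               awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -z "$have" ]; then
            echo "$key expected=$want actual=<unset>"
        elif [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
        fi
    done
}

# Constructed sample standing in for `sshd -T` output on a host that has
# drifted in two places: MaxAuthTries back at the default and root login on.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/sshd_sample.conf"
cat > "$SAMPLE_CONFIG" <<'EOF'
# sshd_config (constructed sample, not a real host)
AllowAgentForwarding no
AllowTcpForwarding   no
ClientAliveInterval 300
ClientAliveCountMax 0
HostbasedAuthentication no
LogLevel VERBOSE
MaxAuthTries 6
MaxSessions 2
PermitEmptyPasswords no
PermitRootLogin yes   # drift
TCPKeepAlive no
X11Forwarding no
AllowUsers admin
EOF

if [ "${1:-}" = "--live" ]; then
    # the effective configuration, after Include and Match processing
    sshd -T > "${TMPDIR:-/tmp}/sshd_effective.conf" && audit_sshd "${TMPDIR:-/tmp}/sshd_effective.conf"
else
    audit_sshd "$SAMPLE_CONFIG"
fi
```

Run with --live from cron and mail or ship the output; an empty result means the baseline holds. One caveat on the baseline itself: since OpenSSH 8.2, ClientAliveCountMax 0 disables idle-session termination entirely rather than ending the session after the first missed keepalive, so if the intent is to drop idle sessions after ClientAliveInterval seconds, a non-zero count is needed.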
Installing Essential Security Tools
I install a range of essential security tools, including:
- ClamAV: an open-source antivirus engine that scans for malware and other threats
- Freshclam: a tool that updates ClamAV's virus definitions
- Rkhunter: a rootkit detection tool that scans for hidden malware
- Lynis: a security auditing tool that identifies potential vulnerabilities and configuration issues
Each of these tools plays a critical role in maintaining the security and integrity of my VMs. ClamAV and Rkhunter help detect and contain malware infections, while Lynis provides a comprehensive security audit and identifies potential configuration issues. Beyond these host-level tools, Snyk and Probely help me identify vulnerabilities in my code and web applications, allowing me to address them before they can be exploited.
Configuring ClamAV and Lynis
I configure ClamAV to scan specific directories and move any detected malware to a quarantine directory. I also set up cron jobs to run ClamAV and Lynis on a regular basis to ensure my VMs remain up-to-date and secure. I create the quarantine directory and the list of directories to scan as follows:
mkdir -p /opt/quarantine
cat <<EOT > /etc/clamav.folders.conf
/home
/usr/local/sbin
/usr/local/bin
/usr/sbin
/usr/bin
EOT
The scheduled scan reads this list, scans each of the listed directories and moves any detected malware to the quarantine directory. I also use Lynis Enterprise to track the security and compliance of my VMs, and to identify potential issues before they become major problems.
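The post shows the folder list and the quarantine directory but not the job that consumes them. The script below is an added example of such a cron job and is not the post's own script. It reads /etc/clamav.folders.conf, skips entries that are not directories (and says so, so a typo cannot silently shrink the scan scope), excludes the quarantine directory from the scan so earlier detections are not counted again, and invokes clamscan with its real -r, -i, --move and --log options. The log path under /var/log/clamav is an assumption; clamscan's exit codes (0 clean, 1 detections, 2 error) are documented behaviour.

```shell
#!/bin/sh
# Added example: scheduled ClamAV scan driven by /etc/clamav.folders.conf and
# /opt/quarantine from the post. Not the post's own script; the log path is
# an assumption. Suggested crontab line (runs nightly at 03:00):
#   0 3 * * * root /usr/local/sbin/clamscan-folders.sh --run

FOLDERS_CONF="${FOLDERS_CONF:-/etc/clamav.folders.conf}"
QUARANTINE="${QUARANTINE:-/opt/quarantine}"
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/scheduled-scan.log}"
CLAMSCAN="${CLAMSCAN:-clamscan}"

# Read the folder list: ignore comments, trailing whitespace and blank lines,
# and report (rather than silently drop) entries that are not directories.
read_scan_targets() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | while read -r dir; do
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
        else
            echo "skip: $dir is not a directory" >&2
        fi
    done
}

# Map clamscan's exit code to a one-line outcome for the cron mail / log.
describe_result() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "detections moved to $QUARANTINE" ;;
        2) echo "scan error, see $SCAN_LOG" ;;
        *) echo "unexpected exit code $1" ;;
    esac
}

# Scan every listed directory recursively, printing only infected files (-i),
# moving them into the quarantine directory and appending to the log.
run_scan() {
    mkdir -p "$QUARANTINE" "$(dirname "$SCAN_LOG")"
    chmod 700 "$QUARANTINE"          # quarantined files stay readable by root only
    targets=$(read_scan_targets "$FOLDERS_CONF")
    [ -n "$targets" ] || { echo "no scan targets in $FOLDERS_CONF" >&2; return 2; }
    # turn the newline-separated list into positional parameters (paths in
    # the post's list contain no whitespace); -f stops glob expansion
    set -f; IFS='
'; set -- $targets; IFS=' '; set +f
    "$CLAMSCAN" -r -i --move="$QUARANTINE" --exclude-dir="^$QUARANTINE" \
        --log="$SCAN_LOG" "$@"
    rc=$?
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) clamscan: $(describe_result "$rc")" >> "$SCAN_LOG"
    return "$rc"
}

# Dry run (no arguments): resolve a constructed copy of the post's folder
# list and print what would be scanned, without invoking clamscan.
dry_run() {
    sample="${TMPDIR:-/tmp}/clamav.folders.sample.$$"
    printf '# constructed sample of /etc/clamav.folders.conf\n/home\n/usr/local/sbin\n/usr/local/bin\n/usr/sbin\n/usr/bin\n/nonexistent/path\n' > "$sample"
    read_scan_targets "$sample"
    rm -f "$sample"
}

case "${1:-}" in
    --run) run_scan ;;
    *)     dry_run ;;
esac
```

Returning clamscan's own exit code lets cron's mail (or whatever collects job status) distinguish "clean", "something was quarantined" and "the scan itself failed", which is exactly the distinction the review step needs. The Lynis counterpart for the same schedule is `lynis audit system --cronjob`, whose report is what the compliance tracking described below consumes.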
Compliance and Security Frameworks
I aim to achieve compliance with NIST SP 800-171 and NIST SP 800-53, and eventually ISO 27001. I use Cisofy/Lynis to evaluate my system's compliance with these frameworks. NIST provides a comprehensive set of guidelines and best practices for cybersecurity, and I find their resources to be invaluable in maintaining the security and integrity of my VMs. By following these frameworks and using tools like Lynis, I can ensure that my VMs meet the highest standards of security and compliance.
Automation and Review
While automation is essential for maintaining a secure environment, it's crucial to review the results regularly. I recommend automating tasks where possible, but also scheduling regular reviews to ensure the automated systems are functioning correctly. This includes reviewing logs, monitoring system performance, and verifying that security tools are functioning as expected. By combining automation with regular review and verification, I can ensure that my VMs remain secure and compliant, even in the face of evolving threats and vulnerabilities.
Conclusion
In conclusion, my approach to cybersecurity involves a combination of well-established Linux distributions, custom firewall configurations, hardened SSH settings, and essential security tools. By considering my approach and adapting it to their specific needs, readers can improve their own cybersecurity posture. I hope that this post has provided valuable insights and inspiration for those looking to improve their cybersecurity, and I encourage readers to reach out if they have any questions or would like to learn more about my approach. Remember, cybersecurity is an ongoing process that requires continuous monitoring and maintenance. By staying vigilant and adapting to new threats and vulnerabilities, we can ensure the security and integrity of our systems and data.