Tips for securing a Linux box
I typically run an Ansible Hardening Playbook on any new Linux installation. After that, there are a few more things I do.
For SSH, I'll make sure
- password authentication is disabled
- root user is denied
- no X11 forwarding
- no keyboard-interactive auth is enabled
- restrict SSH to a specific username
If it's a VM, I'll also make sure I allow only my IP access to port 22. I also typically install Tailscale, so my ACLs will let me get in that way, too. The rest of the world has no reason to talk to my server on port 22.
In addition to the host firewall running the VM, I make sure to setup nftables on each Linux box. The rules I use aren't complicated, I essentially:
- allow Tailscale UDP
- rate limit ICMP
- allow SSH from my IP
For a VM, there aren't many firewall rules you need. I don't usually bother with fail2ban because the ports aren't exposed to the public.
As for disk encryption, my VMs always run on a ZFS mirrored pool with AES encryption. Because, managing encryption keys for each VM, and booting LUKs, etc, can be a pain. VMs are usually ephemeral.
I've written about my backups briefly in the post about backup cli tools, but I'll touch on it again. I mainly use restic for backups. I often backup files to another local disk, or external drive, in addition to offsite backups. For offsite backups, I'll use backblaze or my fileserver at a datacenter. I like backblaze because they use Reed-Solomon Erasure Coding.
The Computerphile has some good videos about erasure coding if you're interested.
And, Mary Wootters has a good series on Algebraic Coding Theory.
Back to securing a Linux box!
I also use tools like auditd and AppArmor. If it's a RHEL/CentOS Stream VM, I'll use SELinux. Everyone should be using one of the Linux Security Modules (LSM).
I use gocryptfs to secure some of my config files/folders. That way, my environment variables aren't just sitting there, naked and afraid.
I'll usually install ClamAV if it's not exposing any services to the internet. But, if the VM is exposing services to the public internet, I'll install SentinelOne with Vigilance Managed Detection and Response (MDR). With SentinelOne, if something comes up, one of the experts from SentinelOne responds and handles the response.
In conclusion, I try to make it so no one can reach the computer. But, if they can reach the computer, I make it so they need the correct username and SSH key. And even when they have those, I make it difficult to do anything else. Finally, if they delete everything, I'll have an untouched backup I can restore.
Questions? Comments? Concerns? Send me an email.