On Tue, Jun 27, 2017 at 07:53:02PM -0400, Kevin Cozens via talk wrote:
> On 2017-06-27 07:37 PM, Truth Hacker via talk wrote:
> >I am starting to go down the road to harden a Linux server, I am using
> >the Ubuntu server image as my starting point.
> [snip]
> >Q: What service should I consider disabling from starting automatically.
>
> Disable any service you won't need for what you are going to be doing with
> the machine. :)
>
> >I am reading up on iptable and also know about ufw, but not sure how
> >to setup a good firewall, like what to block and not.
>
> It depends on the extent to which you want to harden the machine. One way to
> set up a firewall is deny everything by default then open the holes for the
> services you need. firewalld is also a firewall related package I've been
> running across lately.
>
> Install logwatch and have it send the logs to you on a daily basis.
> Use fail2ban to automatically firewall any machine who fails too many times
> to login via SSH.
>
> You may also want to "chmod 711 /etc", FWIW.

How well does that work out? So regular users (and services not running
as root) can't resolve DNS anymore (can't read nsswitch.conf or resolv.conf).
That sounds inconvenient.

> If you are really serious about hardening a machine read up on SELinux.

--
Len Sorensen
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
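What the "chmod 711 /etc" discussed in this thread changes for a user who is neither root, owner nor group member, as an added example that is not part of the thread. It evaluates only the classic "other" mode bits (ACLs and SELinux/AppArmor are ignored) on a constructed scratch directory standing in for /etc; other_dir_access and demo are hypothetical names.

```python
import os
import stat
import tempfile


def other_dir_access(dirpath, name):
    """Evaluate the 'other' permission bits of a directory and one entry in it.

    Assumption: the caller being modelled is not root, not the owner and not
    in the owning group, and no ACL or MAC policy applies.
    """
    d = os.stat(dirpath).st_mode
    f = os.stat(os.path.join(dirpath, name)).st_mode
    can_list = bool(d & stat.S_IROTH)      # r on a directory: readdir(), globbing
    can_traverse = bool(d & stat.S_IXOTH)  # x on a directory: look up a known name
    # Reading a file needs search permission on the directory plus r on the file.
    can_read = can_traverse and bool(f & stat.S_IROTH)
    return {"list": can_list, "traverse": can_traverse, "read_by_name": can_read}


def demo():
    """Compare modes 755, 711 and 700 on a constructed stand-in for /etc."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        conf = os.path.join(etc, "resolv.conf")
        with open(conf, "w") as fh:
            fh.write("nameserver 192.0.2.53\n")  # constructed sample content
        os.chmod(conf, 0o644)
        for mode in (0o755, 0o711, 0o700):
            os.chmod(etc, mode)
            results[mode] = other_dir_access(etc, "resolv.conf")
        os.chmod(etc, 0o755)  # restore before the scratch directory is removed
    return results


if __name__ == "__main__":
    for mode, access in demo().items():
        print(oct(mode), access)
```

With 711 the directory listing and glob expansion in that directory are denied, while opening an entry by its exact name still depends only on the entry's own mode.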
