Hardening

Defense in depth: SSH, firewalls, mandatory access control, and audit.

Topics

SSH Hardening: key-based auth, disable root, port changes, fail2ban

Firewall: firewalld, nftables, zones, services, rich rules

SELinux: contexts, booleans, troubleshooting, custom policies

AppArmor: profiles, enforcement modes, creating profiles

Audit Framework: auditd rules, ausearch, aureport, compliance

CIS Benchmarks: automated hardening, compliance scanning

CIS Benchmarks

Automated hardening, compliance scanning

Hardening Priorities

  1. SSH — Disable password auth, use keys, restrict users

  2. Firewall — Default deny, explicit allows

  3. Updates — Automated security patches

  4. MAC — SELinux/AppArmor enforcement

  5. Audit — Log everything, alert on anomalies

  6. Users — Principle of least privilege

Quick Wins

SSH Hardening

# {path-ssh}/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers <username>
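An added example, not part of the original page: a POSIX shell audit that checks an sshd_config against the four directives above. It reads only the global section (everything before the first Match block) and, as sshd does, lets the first occurrence of a directive win; the sample config it runs on is constructed, not a real host's file.

```shell
# Added audit helper for the SSH quick wins above (example code, not from the page).

# sshd_value FILE KEYWORD: print the effective global value of KEYWORD
# (case-insensitive; accepts "Key value" and "Key=value"), or nothing if unset.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }                     # drop leading whitespace
        /^#/ || /^$/ { next }                      # skip comments and blanks
        { split($0, f, "[ \t=]+") }                # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }          # end of the global section
        tolower(f[1]) == key { print f[2]; exit }  # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE: print one finding per line; the return code is the
# number of findings (0 means the file matches the quick wins above).
# Unset directives fall back to OpenSSH defaults, which are weaker than the
# quick wins for PermitRootLogin (prohibit-password) and PasswordAuthentication
# (yes); PubkeyAuthentication already defaults to yes.
check_sshd_config() {
    cfg="$1" n=0
    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin: ${v:-unset}, want no"; n=$((n+1)); }
    v=$(sshd_value "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication: ${v:-unset}, want no"; n=$((n+1)); }
    v=$(sshd_value "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "PubkeyAuthentication: $v, want yes"; n=$((n+1)); }
    v=$(sshd_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers: unset, any account may log in"; n=$((n+1)); }
    return "$n"
}

# Demo on a constructed sample: hardened globally, with a trailing Match block
# that re-enables passwords for one network and must not change the verdict.
demo=$(mktemp)
cat >"$demo" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
check_sshd_config "$demo" && echo "OK: matches the SSH quick wins"
rm -f "$demo"
```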

Firewall (firewalld)

firewall-cmd --set-default-zone=drop
firewall-cmd --zone=drop --add-service=ssh --permanent
firewall-cmd --reload

Automatic Updates

  • Arch

    # Use pacman hooks or unattended-upgrades-like solutions

  • RHEL

    dnf install dnf-automatic
    systemctl enable --now dnf-automatic-install.timer

  • Debian

    apt install unattended-upgrades
    dpkg-reconfigure -plow unattended-upgrades