GitHub - andmalc/notes

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 122 Commits
config		config
db		db
distros		distros
editors		editors
files		files
gen		gen
hardware		hardware
log		log
media		media
network		network
old		old
os		os
prog		prog
virt		virt
.gitignore		.gitignore
.stignore		.stignore
chezmoi		chezmoi
console		console
fish		fish
git		git
gnupg		gnupg
grep-utils		grep-utils
irc		irc
kitty		kitty
less		less
markdown-notes.md		markdown-notes.md
security		security
shell		shell
ssh		ssh
ssl		ssl
sudo		sudo
tmux		tmux
users		users
zellij		zellij

Repository files navigation

Docs {{{1



Tools {{{1


User Access {{{1

Dealing with automated SSH password-guessing
https://lwn.net/Articles/704089/


	login restrictions
		in /etc/pam.d/
			su 
				Only members of wheel can su to root:
				auth required pam_wheel.so group=wheel debug 
				
		file permissions
			umask
				examples
					022 - default (files are 644, dirs 751).  
					027 - group can list & read files, no access for others
				Set in PAM login.def and later in /etc/profile/, /etc/zshrc, or 
				in user configs, and also via adduser from settings in /etc/skel/.
            Leave user group name 'username' - this prevents group access 
                to personal info (eg by adding to a 'user' group).
            Set DIR_MODE in /etc/adduser.conf to 0750 to remove default 
				world-readable 0755.  If a web server should read 
				~/public_html 
				for personal web page sharing, change DIR_MODE to 0751.
		ssh
			keychain 
				add to .zlogin:
					keychain ~/.ssh/id_dsa
					. ~/.keychain/<hostname>-sh				  	

					

		gpg -  protect memory of program from being read
			chown root /usr/bin/gpg
			chmod u+s /usr/bin/gpg

Groups
	adm
		reads logs
	staff
		junior admins
		could give access to /usr/local


Network Security {{{1


Port scanning
    nmap <IP address pattern>
        check open ports
            nmap -sT -PT your.external.ip.address	
        what program listening on port?
            lsof -i tcp:<port>

firewall policies (from Securing Debian)
	* incoming connections are allowed only to local services by allowed machines.
	* outgoing connections are only allowed to services used by your system (DNS, web browsing, pop, email....) [33]
	* the forward rule denies everything (unless you are protecting other systems, see below).
	* all other incoming or outgoing connections are denied.

	ports to open
		80, 443 (secure web, imap etc.)


OpenSSL  {{{1

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_OpenSSL.html


Security Scan/Auditing {{{1

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-system_auditing.html


Security Auditing
    https://linux-audit.com/lynis/

OpenVAS
http://www.openvas.org/

Tripwire 
    policies - twpol.txt determine which directories to snapshot and rules for identifying
        violations
    tripwire
        --init	create snapshot
        --check 
    edit config and policies
        generate config files
            twadmin --print-cfgfile > twcfg.txt
            twadmin --print-polfile > twpol.txt
    edit, and resign pol and cfg
        twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg \ 
          --site-keyfile site_key etc/tripwire/twcfg.txt
        twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg \
          --site-keyfile /etc/tripwire/site_key /etc/tripwire/twpol.txt