@celia Nice overview. I don't have more steps to add, but you might want to check the links in the article. I tried to follow the one to the Mozilla Observatory and it failed because it is a relative link. It should be an absolute one.
@ewintr Oh, my bad! Just fixed it; the fix will be live shortly. Thanks for pointing it out! :)
@celia This looks like a great checklist I could learn from.
I also tweak my SSH config to disable less secure crypto algorithms. I maintain a personal template SSH server config file so I don't have to think about it anymore. Inspired by https://stribika.github.io/2015/01/04/secure-secure-shell.html (article was last updated in 2017)
@pcrock Thank you, this looks very detailed. I'll probably need a few days to get through this. Off-hand, is ed25519 secure with the default SSH config?
@celia I'm no expert, but from what I can tell, changing the server config protects you from misconfigured SSH clients.
The default ed25519 implementation is probably fine, but if a client requests to use SSH Protocol 1, or a bad key exchange algorithm, then the server needs to deny it.
@celia SSH has too many knobs you can adjust, increasing attack surface. It's decently secure by default I think, but it's also good to enable only what you need.
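Added example for the two posts above about pinning SSH algorithms and refusing weak key exchange: a small sh lint that checks an sshd_config for the settings the stribika guide says to drop, plus a generator for a hardened drop-in. This is not code from the thread or from that guide. It assumes OpenSSH 8.5 or newer (the sntrup761x25519 KEX name needs that), a server that only has to talk to modern clients, and a config without Match blocks (sshd honours the first matching keyword, and the lint only reads the first uncommented line).

```shell
#!/bin/sh
# Added example, not code from the thread or from stribika's guide: lint an
# sshd_config for algorithms that guide recommends dropping, and print a
# hardened drop-in. Assumes OpenSSH 8.5+ and no Match blocks.

# Algorithms to refuse. A current OpenSSH does not offer most of these by
# default, but an explicit config line can bring them back, and the stock
# lists still include hmac-sha1 and the NIST-curve ECDH groups.
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521'
WEAK_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-sha1-etm@openssh.com umac-64-etm@openssh.com'

# directive FILE KEYWORD: value of the first uncommented KEYWORD line.
# Keywords are case-insensitive and the "Keyword=value" form is accepted.
directive() {
    tr '=' ' ' < "$1" | awk -v kw="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(kw) { print $2; exit }'
}

# list_has_weak VALUE WEAKLIST: print each item of the space-separated
# WEAKLIST that occurs in the comma-separated VALUE; true if any did.
list_has_weak() {
    found=1
    for alg in $2; do
        case ",$1," in
            *",$alg,"*) echo "  weak: $alg"; found=0 ;;
        esac
    done
    return $found
}

# audit_sshd_config FILE: print findings; the return value is the number
# of findings, so 0 means the file passed.
audit_sshd_config() {
    f=$1
    n=0
    case "$(directive "$f" Protocol)" in
        *1*) echo "Protocol 1 is enabled"; n=$((n + 1)) ;;
    esac
    # "dsa" matches both ssh_host_dsa_key and ssh_host_ecdsa_key.
    if grep -Ei '^[[:space:]]*HostKey[[:space:]]+.*dsa' "$f" >/dev/null; then
        echo "DSA or ECDSA host key configured"; n=$((n + 1))
    fi
    for pair in "KexAlgorithms:$WEAK_KEX" "Ciphers:$WEAK_CIPHERS" "MACs:$WEAK_MACS"; do
        kw=${pair%%:*}
        weak=${pair#*:}
        v=$(directive "$f" "$kw")
        if [ -z "$v" ]; then
            echo "$kw not pinned; server defaults apply"; n=$((n + 1))
        elif list_has_weak "$v" "$weak"; then
            echo "$kw offers weak algorithms (listed above)"; n=$((n + 1))
        fi
    done
    return $n
}

# hardened_sshd_conf: print a drop-in for /etc/ssh/sshd_config.d/.
# After installing it, run "sshd -t" to check syntax and "ssh -Q kex",
# "ssh -Q cipher", "ssh -Q mac" to confirm your build knows every name.
hardened_sshd_conf() {
    cat <<'EOF'
# Only ed25519 and RSA host keys; no DSA or NIST-curve ECDSA.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
}

# Usage: "sh sshd-lint.sh /etc/ssh/sshd_config" to audit a file, or no
# argument to print the hardened drop-in.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
else
    hardened_sshd_conf
fi
```

The lint treats an unpinned KexAlgorithms, Ciphers or MACs line as a finding on purpose: the point of the guide is to decide the lists yourself instead of inheriting whatever the packaged defaults offer, which is also what protects you from a client that asks for the weakest option the server still allows.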
@celia Pretty solid, really. I guess you could go one step further and run all internet-facing services under nologin accounts / restricted shells or maybe even firejail. Depends on your threat model™, though. Heh.
@celia I would definitely go for an alternative 5-digit SSH port. It will clear all of the automatic port 22 knocking and attacks from the logs. I would also add logcheck with daily log reports. If the package management of the chosen distro supports hash signature checks, then turn it on. And if you have a mostly default installation, turn automatic updates on, especially for the security-related repo if the distro has one. If it will be a multi-user machine, then check out chroot and other limiting policies.
@marian_mizik There seems to be conflicting information there. I think it's best left as a privileged port (<1024) rather than an unprivileged one. Maybe use port knocking instead to hide the open status of the default SSH port.
I'll definitely look at all the other suggestions one by one. Good stuff, thank you! 🙂
@celia Maybe add a host-based IDS like OSSEC, or maybe something like Tripwire? Remember to make backups, too. While not entirely security related, it's sanity related.
@notcmhobbs Thank you, both of these suggestions are definitely super helpful! It took me a minute to figure out that IDS actually means intrusion detection system. 😅
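Added example for the host-based IDS suggestion above: the file-integrity part of what OSSEC and Tripwire do, written in portable sh so the mechanism is visible. This is not code from the thread, from OSSEC or from Tripwire. It assumes GNU sha256sum, comm, and file paths without whitespace; the directory and baseline names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, OSSEC or Tripwire: take a hash
# baseline of a tree while the host is known-good and diff against it later.
# Keep the baseline somewhere an intruder cannot rewrite it (another host,
# read-only media), otherwise they simply regenerate it after tampering.
# Assumes sha256sum (GNU coreutils), comm, and paths without whitespace.

# hash_tree DIR: "<sha256>  <path>" for every regular file under DIR,
# sorted by path so two runs can be compared line by line.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do
          sha256sum "$p"
      done )
}

# integrity_baseline DIR BASELINE: record the current state of DIR.
integrity_baseline() {
    hash_tree "$1" > "$2"
}

# hash_of PATH HASHFILE: the hash recorded for PATH, empty if absent.
hash_of() {
    awk -v p="$1" '$2 == p { print $1; exit }' "$2"
}

# integrity_check DIR BASELINE: print removed, added and changed files;
# the return value is the number of deviations, so 0 means clean.
integrity_check() {
    cur=$(mktemp); basep=$(mktemp); curp=$(mktemp)
    hash_tree "$1" > "$cur"
    awk '{ print $2 }' "$2"   > "$basep"
    awk '{ print $2 }' "$cur" > "$curp"
    removed=$(LC_ALL=C comm -23 "$basep" "$curp")
    added=$(LC_ALL=C comm -13 "$basep" "$curp")
    # Present in both: compare the recorded hash with the fresh one.
    changed=$(LC_ALL=C comm -12 "$basep" "$curp" | while IFS= read -r p; do
        [ "$(hash_of "$p" "$2")" = "$(hash_of "$p" "$cur")" ] || echo "$p"
    done)
    n=0
    for kind in removed added changed; do
        eval "list=\$$kind"
        if [ -n "$list" ]; then
            printf '%s\n' "$list" | sed "s/^/$kind: /"
            n=$((n + $(printf '%s\n' "$list" | wc -l)))
        fi
    done
    rm -f "$cur" "$basep" "$curp"
    return $n
}

# Usage (placeholder paths):
#   integrity_baseline /etc /var/lib/hids/etc.baseline
#   integrity_check    /etc /var/lib/hids/etc.baseline   # e.g. from cron
```

A real HIDS adds what this leaves out: it also records ownership, mode and inode, signs the baseline, and ships alerts off-host, and it runs from a cron job so a change is noticed the same day rather than when something breaks.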