imthenachoman / how-to-secure-a-linux-server

An evolving how-to guide for securing a Linux server.

License: Creative Commons Attribution Share Alike 4.0 International

linux hardening hardening-steps security security-hardening server linux-server cc-by-sa

Contributors

a-yatta, bojan023, cieska, hamzah, hellresistor, henryrlee, ilkka, imthenachoman, ioayman, jacksonchen666, jakeconnors376w, jxdv, nadyanayme, nhedger, nidamanx, nperanzi, phanindra48, rbromley10, remyabel2, silaspet, snakybeaky, srigsby, ss18, superlanceur, wasteofusername, yesterko

how-to-secure-a-linux-server's Issues

Suggestion: Add step for ensuring that a password is required for sudo

In some distributions such as Raspbian, by default a password is not required to use sudo. Obviously this is no good - so I suggest adding a step to ensure that a password is required.

This can be done like so, at least in Raspbian:

sudoedit /etc/sudoers.d/010_pi-nopasswd

Then remove the NO prefix from NOPASSWD, then save & exit.
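
As an added example (not from the guide or this issue's author), the script below audits a sudoers.d directory for active NOPASSWD rules and applies the change described above (NOPASSWD: to PASSWD:) through a temporary copy that is checked with visudo before it replaces the original, since a syntax error in sudoers locks every admin out of sudo. The sample directory and its contents are constructed here; the Raspbian file name is the one quoted in the issue.

```shell
#!/bin/sh
# Added example, not part of the guide or this issue: audit a sudoers.d
# directory for rules that grant sudo without a password, and rewrite a file
# so that a password is required again.

# Constructed sample directory standing in for /etc/sudoers.d.
SAMPLE_SUDOERS_DIR=$(mktemp -d)
printf '# pi ALL=(ALL) NOPASSWD: ALL   <- commented out, must be ignored\npi ALL=(ALL) NOPASSWD: ALL\n' \
    > "$SAMPLE_SUDOERS_DIR/010_pi-nopasswd"
printf 'alice ALL=(ALL) ALL\n' > "$SAMPLE_SUDOERS_DIR/020_alice"

# audit_nopasswd DIR: prints "file:line:rule" for every active (uncommented)
# NOPASSWD rule in DIR; prints nothing when the directory is clean.
audit_nopasswd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -n 'NOPASSWD' "$f" \
            | grep -v '^[0-9]*:[[:space:]]*#' \
            | sed "s|^|$f:|"
    done
    return 0
}

# strip_nopasswd: stdin -> stdout, turning "NOPASSWD:" into "PASSWD:" (the
# edit the issue describes) and leaving everything else untouched.
strip_nopasswd() {
    sed 's/NOPASSWD:/PASSWD:/g'
}

# require_password FILE: applies strip_nopasswd to FILE via a temporary copy.
# Where visudo is installed the copy is syntax-checked first and the original
# is only replaced when the check passes; returns non-zero otherwise.
require_password() {
    tmp="$1.tmp.$$"
    strip_nopasswd < "$1" > "$tmp" || return 1
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$1"
}

# Demo on the constructed directory; on a real host: audit_nopasswd /etc/sudoers.d
audit_nopasswd "$SAMPLE_SUDOERS_DIR"
```

The audit only covers the directory it is given; /etc/sudoers itself and rules visible through `sudo -l` still need a manual look, and `sudo visudo -c` after any edit confirms the whole configuration still parses.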

UseDNS sshd

In the guide it says

verify hostname matches IP
UseDNS no

shouldn't this be a yes?

Firewall rules

First of all: great guide, I've always been looking for something like that!

In the firewall section, there are some rules mentioned, among others the http rules. I ran into a problem, because I skipped those initially, and got stuck then in the PASD section when trying to install that package. This could be fixed by adding the http rules.

So, perhaps the importance of those rules for the later progress should be mentioned, this could help other users.

reference guides

Hi, not sure if you know about this, but back in the day, The Linux Documentation Project featured some guides on Linux system administration and also contained a Linux Administrator's Security Guide.

While some of the information is a little, large parts of it are still relevant.

For example, you mention disk encryption. There's a section on file system encryption: https://seifried.org/lasg/filesystem/ and it could be a good starting point.

I agree with your comment in the README:

This guide may appear duplicative/unnecessary because there are countless articles online that tell you how to secure Linux but the information is spread across different articles, that cover different things, and in different ways. Who has time to scour through hundreds of articles?

I'm surprised that Google/DuckDuckGo do not rank the better guides on securing a Linux system higher, I would expect something from Red Hat, Canonical or the Linux Documentation Project to appear in the first page of the search results.

[Request] Setup A Website/Neocities Site

Suggesting setting up a backup website that doesn't require going through Github to view.
A free option being Neocities, at minimum this would be nice. Alternatively, a super basic pure HTML/CSS website that hosts this same content. If a website is not desired (although nice imo), a Gitea instance or some other self-hosted similar service would be very nice to have.

Alternative to Fail2Ban: CrowdSec

CrowdSec can be seen as a modern version of Fail2Ban, only that it varies in a number of ways; most notably it leverages crowdsourced threat intelligence. This means that - like f2b - it can parse local log files (and more, but that's a different story) to detect attacks. Intelligence on attacks is shared (anonymously!) with other users and blocklists based upon crowdsourced threat intelligence are automatically downloaded. Also, CrowdSec is capable of taking more advanced decisions like resource abuse of various kinds.
Just to emphasize: CrowdSec is free (as in both speech and beer) and open source. I am head of community and an avid user myself. I would advise you to take a look at our docs or watch the talk I did at ShellCon last month if you find it interesting.
This project was built with Fail2Ban in mind; the founders have great respect for it and admire the guys who started the project a lot. So the idea has always been to build something that acknowledges this heritage.

Let me know what you think and reach out if you have any questions. I'll be happy to help you out as much as I can.

More secure random entropy pool

Thanks for this How-To guide, I'm happy this project exists!

A lot of linux servers are headless (no keyboard/mouse/monitor), and therefore have less sources for good entropy as there is no human interaction beyond ssh. There have been cases of headless servers generating predictable ssh keys after boot. [1]

Thus it can be reasoned that security can be increased by setting up additional sources for entropy. A simple sudo apt-get install rng-tools on debian-based distros already adds value, but there might be more tools available.

I suggest adding this as a section to the guide.

Sources:

Issue setting up AIDE monitoring

I've asked this on stackexchange and r/linuxfornoobs but nobody has answered so I'm gonna see if I can get a hit here.

I’m setting up AIDE monitoring on Raspbian. I first tried over ssh but it timed out due to my timeout settings. Then I setup the new AIDE db directly on the RPi command line. I had to overwrite the DB that was created on the first try.

I ran sudo aide.wrapper --check after it successfully initialized and it returned a ton of files with mismatched hashes. Some of the mismatched original hashes were dated 8/30 but I init'd on 8/31. I have no idea why...I installed AIDE on 8/31 and the system should be clean because it’s like three days old. Is that date based on the original creation of the file?

Two more questions:

  1. should I be worried about all these changed hashes?
  2. if not, how do I delete the aide database and start afresh? Is it as simple as deleting it via the path /var/lib/aide/aide.db.new

psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on ...

Hi,
I followed your guide and ran into the following problem when using psad -R :

/etc/psad# ufw reload
Firewall reloaded
root@server:/etc/psad# psad -R
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on server
[+] Stopping psad, pid: 1491
[+] Stopping psad_fw_read, pid: 1492
[+] Restarting psad daemons on

Slight mistake in the readme

In the README it says "If you set PasswordAuthentication yes in /etc/ssh/sshd_config, then SSH won't let you connect without the public key."
It should be "PasswordAuthentication no" instead.

SSH, Avoiding Default Port

On the SSH server config, it is always a good practice to change the TCP port value from 22 to a random one (example 6222).
This will help avoid bad actors randomly scanning for open default ports.

Then the new SSH port should be allowed in through UFW.

2FA/MFA for SSH does not work as described

I followed the instructions step by step and it did not work for me at the beginning.

My solution, which works for me:
In the file /etc/ssh/sshd_config I had to add AuthenticationMethods publickey,keyboard-interactive

And I removed the nullok in the file /etc/pam.d/sshd.
But I don't know if this is necessary.

UFW, custom application & ports

Hi,

Thank you for putting this guide together.

Looking for some assistance with creating custom application profiles for UFW for the software I use on my Pi.

I'm not sure if these ports are all needed or if they need in or out access? Also I would like to restrict access to my LAN if the apps don't need WAN access?

Would appreciate any help

Thanks

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:37601 0.0.0.0:* users:(("avahi-daemon",pid=375,fd=14))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=375,fd=12))
udp UNCONN 0 0 0.0.0.0:8999 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=29))
udp UNCONN 0 0 192.168.0.28:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=35))
udp UNCONN 0 0 127.0.0.1:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=33))
udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=32))
udp UNCONN 0 0 127.0.0.1:33651 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=19))
udp UNCONN 0 0 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=599,fd=18))
udp UNCONN 0 0 127.0.0.1:37898 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=34))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=708,fd=5))
udp UNCONN 0 0 192.168.0.28:40514 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=21))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhcpcd",pid=580,fd=10))
udp UNCONN 0 0 192.168.0.28:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=20))
udp UNCONN 0 0 127.0.0.1:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=18))
udp UNCONN 0 0 0.0.0.0:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=17))
udp UNCONN 0 0 192.168.0.28:36981 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=36))
udp UNCONN 0 0 0.0.0.0:32899 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=37))
udp UNCONN 0 0 *:5353 *:* users:(("avahi-daemon",pid=375,fd=13))
udp UNCONN 0 0 [::1]:48913 *:* users:(("qbittorrent-nox",pid=582,fd=24))
udp UNCONN 0 0 *:8999 *:* users:(("qbittorrent-nox",pid=582,fd=30))
udp UNCONN 0 0 [fe80::996:7a13:5297:ad6a]:37676 *:* users:(("qbittorrent-nox",pid=582,fd=26))
udp UNCONN 0 0 [::1]:8125 *:* users:(("netdata",pid=599,fd=16))
udp UNCONN 0 0 *:32782 *:* users:(("avahi-daemon",pid=375,fd=15))
udp UNCONN 0 0 *:546 *:* users:(("dhcpcd",pid=580,fd=15))
udp UNCONN 0 0 [::1]:53 *:* users:(("unbound",pid=708,fd=3))
udp UNCONN 0 0 [fe80::996:7a13:5297:ad6a]:6771 *:* users:(("qbittorrent-nox",pid=582,fd=25))
udp UNCONN 0 0 [::1]:6771 *:* users:(("qbittorrent-nox",pid=582,fd=23))
udp UNCONN 0 0 *:6771 *:* users:(("qbittorrent-nox",pid=582,fd=22))
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=1349,fd=3))
tcp LISTEN 0 128 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=599,fd=31))
tcp LISTEN 0 128 0.0.0.0:222 0.0.0.0:* users:(("sshd",pid=600,fd=3))
tcp LISTEN 0 128 0.0.0.0:19999 0.0.0.0:* users:(("netdata",pid=599,fd=4))
tcp LISTEN 0 5 0.0.0.0:8999 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=28))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=695,fd=4))
tcp LISTEN 0 128 0.0.0.0:52050 0.0.0.0:* users:(("MyMediaForAlexa",pid=350,fd=7))
tcp LISTEN 0 128 0.0.0.0:52051 0.0.0.0:* users:(("MyMediaForAlexa",pid=350,fd=3))
tcp LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=708,fd=6))
tcp LISTEN 0 20 [::1]:25 [::]:* users:(("exim4",pid=1349,fd=4))
tcp LISTEN 0 128 [::1]:8125 [::]:* users:(("netdata",pid=599,fd=30))
tcp LISTEN 0 128 [::]:222 [::]:* users:(("sshd",pid=600,fd=4))
tcp LISTEN 0 128 [::]:19999 [::]:* users:(("netdata",pid=599,fd=5))
tcp LISTEN 0 5 [::]:8999 [::]:* users:(("qbittorrent-nox",pid=582,fd=27))
tcp LISTEN 0 50 *:8080 *:* users:(("qbittorrent-nox",pid=582,fd=40))
tcp LISTEN 0 128 [::]:80 [::]:* users:(("lighttpd",pid=695,fd=5))
tcp LISTEN 0 128 [::1]:53 [::]:* users:(("unbound",pid=708,fd=4))
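
The listing above is `ss -tulpn` output. As an added example (not from the guide or this issue's author), the script below picks out the sockets a UFW rule can actually affect, namely those bound to a wildcard address, and emits a UFW application profile so a service can be opened to the LAN only. The sample ss lines are a constructed subset of the listing; the profile name, the port choice and the 192.168.0.0/24 LAN range are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide or the issue above: find the sockets in
# `ss -tulpn` output that accept traffic from any interface, and emit a UFW
# application profile that admits only the LAN to the ports you choose.

# Constructed sample in ss -tulpn format (a subset of the issue's listing).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=375,fd=12))
udp   UNCONN 0      0      127.0.0.1:53       0.0.0.0:*         users:(("unbound",pid=708,fd=5))
tcp   LISTEN 0      128    0.0.0.0:222        0.0.0.0:*         users:(("sshd",pid=600,fd=3))
tcp   LISTEN 0      128    [::]:222           [::]:*            users:(("sshd",pid=600,fd=4))
tcp   LISTEN 0      128    0.0.0.0:19999      0.0.0.0:*         users:(("netdata",pid=599,fd=4))
tcp   LISTEN 0      50     *:8080             *:*               users:(("qbittorrent-nox",pid=582,fd=40))
tcp   LISTEN 0      20     127.0.0.1:25       0.0.0.0:*         users:(("exim4",pid=1349,fd=3))'

# exposed_listeners: reads ss output on stdin and prints "proto port process"
# for each socket bound to a wildcard address (0.0.0.0, * or [::]). Sockets on
# 127.0.0.1/::1 are skipped: that traffic never crosses the firewall, so they
# need no UFW rule. The IPv4 and IPv6 sockets of one service collapse to one line.
exposed_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
            proc = $7
            sub(/^users:\(\("/, "", proc); sub(/".*$/, "", proc)
            print $1, port, proc
        }
    }' | sort -u
}

# ufw_profile NAME TITLE PORTS: prints a profile for /etc/ufw/applications.d/.
# PORTS uses ufw syntax, e.g. "8080/tcp" or "8080/tcp|8999" (no suffix = tcp and udp).
ufw_profile() {
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' "$1" "$2" "$2" "$3"
}

# Demo: show what is exposed, then a profile for the torrent client.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
ufw_profile qbittorrent "qBittorrent web UI and peer port" "8080/tcp|8999"
```

On a real host, `sudo ss -tulpn | exposed_listeners` gives the list to work from. Save the profile under /etc/ufw/applications.d/, run `sudo ufw app update qbittorrent`, and then `sudo ufw allow from 192.168.0.0/24 to any app qbittorrent` admits only LAN clients; anything not in the list (the 127.0.0.1 sockets) needs no rule at all.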

SSH listenaddress bug note

In some systems this bug will occur: sshd will not start at boot if ListenAddress is set. I ran into it myself following this guide. It is a failure of systemd and ssh devs to communicate who will fix it.

Anyway, there is a simple workaround to it by 'nimishp12':

changing /etc/systemd/system/sshd.service:

After=network.target audit.target
Wants=network.target

to

Requires=multi-user.target
Before=shutdown.target
After=multi-user.target
Wants=multi-user.target

This also solves the problem of using various network.service/targets that may still cause issues just using Before/After network-online.target

Firewall setup warning

I'm getting this error message after running sudo psad --fw-analyze

[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on haddock. For more information,
see the file "FW_HELP" in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html

I followed the link it gave me and entered these two lines,

# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

but I'm still getting the error.

Confusing caveat in SSH section

In the section on adding your public key to the server's ~/.ssh/authorized_keys file, you write:

Or, if you're sure there is nobody listening between the client you're on and your server, you can use ssh-copy-id to transfer and append the public key.

I find this a very confusing warning to give. The entire purpose of SSH (which is presumably the protocol ssh-copy-id uses) is to be resilient to MITM attacks; if for some reason you don't trust the network and/or client enough to be able to transfer something over scp, why would it make any difference whether you were authenticating via password or private key in the first place?

And secondly, even if you were being sniffed, the only thing you're uploading is a public key. That shouldn't be considered private in the first place.

Basically, that clause seems to just confuse the issue of how SSH works and what authorized_keys does. Am I missing something?

Secure boot

You can sign GRUB or whatever bootloader you use and after that the UEFI will check the signature before loading it. The same way you can build a chain e.g. GRUB checks the OS before loading it, the OS checks the applications before starting them, etc. I am currently researching the topic maybe there is a working solution we could add here. Afaik this should solve the rootkit problem and I guess it would harden the server as well. Would you add it to the description?

Ansible playbook

The steps are quite long, especially if you need to do it with multiple servers.
An Ansible playbook to auto-secure the server will be really awesome.

Prefer TLS over STARTTLS

RFC 8314 recommends that you prefer implicit TLS on port 465 over STARTTLS on 587:

o TLS version 1.2 or greater be used for all traffic between MUAs
and Mail Submission Servers, and also between MUAs and Mail Access
Servers.

o MUAs and Mail Service Providers (MSPs) (a) discourage the use of
cleartext protocols for mail access and mail submission and
(b) deprecate the use of cleartext protocols for these purposes as
soon as practicable.

o Connections to Mail Submission Servers and Mail Access Servers be
made using "Implicit TLS" (as defined below), in preference to
connecting to the "cleartext" port and negotiating TLS using the
STARTTLS command or a similar command.

So I would at least recommend changing the GMail port used. I'm not sure what if any other changes are needed to be made to the document.

NTP for Ubuntu 16.04 and above

Two separate questions.

  1. Is the NTP setup necessary for Ubuntu versions above 16.04? Or is this no longer needed due to the fact that these versions of Ubuntu come with timesyncd? (sources: Corey Goldberg's comment on this answer https://askubuntu.com/a/641160 and these Digital Ocean articles: https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-20-04 - https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04 - https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-16-04 )

  2. If NTP setup is necessary, do we need to disable timesyncd as per the following quote: "Before installing ntpd, you need to turn off timesyncd in order to prevent the two services from conflicting with one another." from this article https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-16-04 ?

ssh.server will not start at boot if using ListenAddress in sshd_config in Debian 9

There is a bug with ssh.server's systemd startup scripts that will prevent SSH from starting at boot if you specify an IP with ListenAddress in /etc/ssh/sshd_config.

See these for more details:

I have not found a fix.

SELinux and other LSMs

Consider adding information about not just SELinux as noted in your TODOs, but MAC (Mandatory Access Control) and Linux Security Modules (LSMs) in general.

The Arch wiki seems like a good starting point - and a good source on Linux security overall.

SSHD Config UsePrivilegeSeparation

I think the section about UsePrivilegeSeparation can be removed.
I couldn't find this option in the man pages.
According to these release notes:

  • This release deprecates the sshd_config UsePrivilegeSeparation
    option, thereby making privilege separation mandatory. Privilege
    separation has been on by default for almost 15 years and
    sandboxing has been on by default for almost the last five.

"Authentication Required" when trying to send a mail using Gmail

Hello,

First of all, I want to thank you for this amazing tutorial. I learned a lot thanks to it :)

I followed your instructions to setup Exim4 on a Raspberry Pi server so that it can send mails using a Gmail account I created for this purpose. It has been working well for a while.

But for some reason, it stopped working last week. Looking at /var/log/exim4/mainlog, I can see logs like this each time I try to send a mail:

2019-10-19 15:30:30 1iLooQ-0002aM-3F H=smtp.gmail.com [2a00:1450:400c:c0b::6c] Network is unreachable
2019-10-19 15:30:30 1iLooQ-0002aM-3F ** <MY-GMAIL-ADDRESS> R=smarthost T=remote_smtp_smarthost H=smtp.gmail.com [64.233.184.108] X=TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256 CV=yes DN="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com": SMTP error from remote mail server after pipelined MAIL FROM:<gcoter@localhost> SIZE=1410: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1  https://support.google.com/mail/?p=WantAuthError z13sm8095930wrq.51 - gsmtp
2019-10-19 15:30:32 1iLooS-0002aS-Q9 <= <> R=1iLooQ-0002aM-3F U=Debian-exim P=local S=2021
2019-10-19 15:30:32 1iLooQ-0002aM-3F Completed
2019-10-19 15:30:33 1iLooS-0002aS-Q9 ** <MY-GMAIL-ADDRESS> <gcoter@raspberrypi> R=smarthost T=remote_smtp_smarthost H=smtp.gmail.com [64.233.184.108] X=TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256 CV=yes DN="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com": SMTP error from remote mail server after pipelined MAIL FROM:<> SIZE=3101: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1  https://support.google.com/mail/?p=WantAuthError u68sm10557199wmu.12 - gsmtp
2019-10-19 15:30:33 1iLooS-0002aS-Q9 Frozen (delivery error message)

So it seems like an authentication error. I followed the Google Support link which is written in the logs but it didn't help. Here is what I tried:

  • I checked that the current password to access my Google account is the same as the one in /etc/exim4/passwd.client
  • I ensured less secure devices were authorized (because I was not using 2FA)
  • I re-did all the steps in your tutorial (including the certificate generation, just in case there could be a sort of expiration date) and checked every config file to make sure nothing seemed wrong
  • Because nothing above seemed to work and because I know Google is very sensitive about security, I enabled 2FA and created an app password which I put in /etc/exim4/passwd.client

At this point, I don't understand what is wrong. I don't think it comes from the way I configured the server since it has been working for a long time. Is it possible that Google decided to prevent my server from sending mails?

UsePrivilegeSeparation deprecated since OpenSSH 7.5

Checking auth.log and noticed:

sshd[58017]: rexec line 21: Deprecated option UsePrivilegeSeparation

Quick search comes up with: https://www.openssh.com/txt/release-7.5

This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
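
Several of the issues above come down to individual sshd_config lines (PasswordAuthentication yes versus no, the AuthenticationMethods line needed for key + PAM 2FA, the ListenAddress boot-ordering problem, and the deprecated UsePrivilegeSeparation option). As an added example (not from the guide or any of the issue authors), the lint below reads an sshd_config and reports those four conditions; the sample config is constructed so that every check fires.

```shell
#!/bin/sh
# Added example, not from the guide: a small lint for sshd_config covering the
# settings raised in the issues above (deprecated UsePrivilegeSeparation,
# PasswordAuthentication, AuthenticationMethods for 2FA, ListenAddress).

# Constructed sample with every finding present.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real server config
Port 222
ListenAddress 192.168.0.28
UsePrivilegeSeparation sandbox
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AllowGroups sshusers'

# lint_sshd_config: reads sshd_config on stdin, prints one finding per line,
# nothing when clean. sshd keywords are case-insensitive, hence tolower().
lint_sshd_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { key = tolower($1); val = tolower($2); seen[key] = val }
        key == "useprivilegeseparation" {
            print "UsePrivilegeSeparation: deprecated since OpenSSH 7.5 (separation is always on); delete the line to silence the warning in auth.log" }
        key == "passwordauthentication" && val == "yes" {
            print "PasswordAuthentication yes: key-only login needs PasswordAuthentication no" }
        key == "listenaddress" {
            print "ListenAddress set: verify sshd comes up after a reboot (see the systemd ordering issue above)" }
        END {
            if (seen["challengeresponseauthentication"] == "yes" && !("authenticationmethods" in seen))
                print "AuthenticationMethods missing: key + PAM 2FA needs AuthenticationMethods publickey,keyboard-interactive"
        }'
}

# Demo on the sample; on a real host: lint_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | lint_sshd_config
```

Before restarting sshd after an edit, `sudo sshd -t -f /etc/ssh/sshd_config` checks the syntax, and keeping a second SSH session open while testing the new configuration avoids the lock-out the SSH Configuration issue below describes.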

Emphasize permissions for sshusers group

I think it might be a good idea to emphasize that the sshusers group should also be added to the sudoers file.

I followed all the steps, get the SSH connection to work but pretty much couldn't do anything on the server until I realized these.

It would be nice to put it there, so there will be less friction for newcomers to the subject.

LICENSE

Hi

May you please publish this valuable document Under some copyleft and specially Free Culture license (such as CC0, CC-BY, CC-BY-SA)?

Thank You

@imthenachoman Not seeing another way to contact you to say "Thank you" for this guide, so I thought I'd post my thanks as a comment issue :)

I appreciate the time you've put into this!

Alternative to fail2ban: SSHGuard

It's not as configurable, but it might be worth mentioning? It's a one-command install on Debian systems:

sudo apt install sshguard

msmtp configuration wrong in multiple ways

USEREMAIL misspelled as USRMAIL

MAILPROV uses smtp.google.com instead of smtp.gmail.com and I'm not sure if the port is supposed to be here either

USERLOC is unused

cat <<EOF> .msmtprc assumes you are running the command inside /root I think.

MAILPORT variable is referenced but never defined

The table of contents link in the README.md file that goes to the MSMTP section doesn't work.

It may be good to note that there is a way to enter your password from command line interactive standard input without having to ever type it out in a command line command otherwise, because commands can get logged in .bash_history for example as noted here https://wiki.archlinux.org/title/msmtp

It also maybe should be noted to not store the MSMTP script in a file if you want to avoid having your password / the PWDEMAIL stored in a file in plain text.

If you aren't going to use OAuth, you need to set up an app password for your gmail account. You can't just use your main password. The process for doing so can be found here https://caupo.ee/blog/2020/07/05/how-to-install-msmtp-to-debian-10-for-sending-emails-with-gmail/

I had some trouble with the GPG stuff, but I forget what exactly.

There quite possibly could be more errors, because as of 5 hours ago, I didn't have any experience with any of this, and I don't know what many of the commands in the MSMTP setup script are doing.

It would be good to at least note that the script is broken and any caveats in the meantime if no one wants to spend the time to implement all of the changes right now. I spent a lot of extra time investigating why things weren't working before realizing that the config said smtp.google.com instead of smtp.gmail.com

I also think it would be good to mention that people can install either msmtp or Exim4. (I think this is the case, right?). With no context about any of this stuff, it took me a bit to realize this.

Thank you Nacho Man and everyone who has put this repo together 🙂
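
As an added example (not the guide's msmtp script and not from this issue's author), the block below prints a corrected ~/.msmtprc for Gmail that addresses the points raised here and in the RFC 8314 issue above: smtp.gmail.com rather than smtp.google.com, implicit TLS on port 465 instead of STARTTLS on 587, and passwordeval so the app password is never stored in the file or typed on a command line. A lint function then flags those three mistakes in a constructed bad config. The ~/.msmtp-gmail.gpg path and the Debian CA bundle path are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's msmtp script: a corrected ~/.msmtprc for Gmail
# using implicit TLS on 465 (the RFC 8314 recommendation above) and passwordeval
# instead of a plaintext password, plus a lint for the mistakes reported above.

# Constructed sample showing the problems from the issue (wrong host, STARTTLS
# port, password stored in the file).
BAD_MSMTPRC='defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account gmail
host smtp.google.com
port 587
from someone@example.com
user someone@example.com
password hunter2

account default : gmail'

# gmail_msmtprc ADDRESS: prints a corrected config. The app password lives
# GPG-encrypted in ~/.msmtp-gmail.gpg (path assumed here); msmtp runs the
# passwordeval command at send time and reads the password from its stdout.
# tls_trust_file is the Debian CA bundle path; adjust for other distros.
gmail_msmtprc() {
    cat <<EOF
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account gmail
host smtp.gmail.com
port 465
tls_starttls off
from $1
user $1
passwordeval gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.msmtp-gmail.gpg

account default : gmail
EOF
}

# msmtprc_lint: reads a config on stdin, prints one finding per problem.
msmtprc_lint() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "password" { print "password stored in the file: use passwordeval so the secret never sits in ~/.msmtprc or in shell history" }
        $1 == "host" && $2 == "smtp.google.com" { print "host smtp.google.com: the Gmail submission server is smtp.gmail.com" }
        $1 == "port" && $2 == "587" { print "port 587 (STARTTLS): RFC 8314 prefers implicit TLS on 465 with tls_starttls off" }
    '
}

# Demo: lint the bad sample, then the corrected config (which prints nothing).
printf '%s\n' "$BAD_MSMTPRC" | msmtprc_lint
gmail_msmtprc someone@example.com | msmtprc_lint
```

Write the output of `gmail_msmtprc you@gmail.com` to ~/.msmtprc and `chmod 600` it (msmtp refuses a world-readable config). Encrypt the Gmail app password with `gpg --encrypt --recipient <your key> --output ~/.msmtp-gmail.gpg`, feeding the password on stdin rather than as an argument so it does not land in .bash_history, and `msmtp -a gmail --serverinfo` confirms the TLS connection to smtp.gmail.com:465 before any mail is sent.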

Guide for LXD

I recently put together some notes for myself for using LXD, if there's interest I can clean them up a bit more and make a pull request.

My reasons for using LXD came down to:

  • Don't need the scaling capabilities of Docker
  • Not all programs have trusted and well maintained Docker images available, and maintaining a pipeline to build your own is overkill for a personal home server
  • LXD creates containers that are unprivileged by default and confined with apparmor, so it is relatively easy to do securely and only a few extra steps on top of installing packages normally
  • You can setup Docker inside of LXD for added security

My notes:

Main references

setup

sudo snap install lxd
lxd init
accept defaults to everything (don't need ip6 though, can disable later with lxc network set lxdbr0 ipv6.address none)

create container

lxc launch ubuntu:20.04 <container name>

disable autostart

lxc config set <container name> boot.autostart false

list containers (note container ip, interface is the internal name inside container)

lxc list

run commands in container or enter interactive shell

lxc exec <container name> -- [command to run in container]
lxc exec <container name> -- sudo --login --user ubuntu
lxc exec <container name> bash

forward traffic

<server local interface> := probably enp34s0, check with 'ip link show' on host
<server local ip> := self explanatory
<server port> := port you want to forward from host to container
<container ip:port> := get ip from lxc list, port that is listening inside container
sudo iptables -t nat -I PREROUTING -i <server local interface> -p TCP -d <server local ip> --dport <server port> -j DNAT --to-destination <container ip:port> -m comment --comment "forward to container"

list iptables rules

sudo iptables -t nat -L PREROUTING

make rules persist across reboots

sudo apt install iptables-persistent
sudo netfilter-persistent save

devices and mounts

https://www.cyberciti.biz/faq/how-to-add-or-mount-directory-in-lxd-linux-container/
https://askubuntu.com/questions/610513/how-do-i-share-a-directory-between-an-lxc-container-and-the-host
https://github.com/lxc/lxd#can-i-bind-mount-my-home-directory-in-a-container
https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md

check devices

lxc config device show <container name>

mount (read only by default)

lxc config device add <container name> <device name> disk source=<path on host> path=<path on container>

mount (add write permission)

use command 'id' to check uid and gid on host and container (all probably 1000)
lxc config set <container name> raw.idmap "both 1000 1000"

remove mount

lxc config device remove <container name> <device name>

restart container

lxc restart <container name>

ways to check containers (and make sure they are unprivileged)

lxc config show --expanded <container name> | grep privileged
ps -ef | grep <process in container> # make sure not running as root
lxc config get <container name> security.privileged # If that shows "true", then the container is privileged, otherwise it is not
lxc list security.privileged=true # check all at once

SSH Configuration

Add hint to test SSH config with a second terminal session otherwise a lock-out will happen.

aide --init ERROR: missing configuration

When trying to follow the AIDE part of the tutorial, on Debian GNU/Linux 11 (bullseye), it gives an error because the configuration files are not created nor on /etc/default or /etc/aide.
On Ubuntu's Help page, in this article, they suggest installing aide-common for 14.04+ versions of Ubuntu.
With this package installed, I could continue with the guide.
I hope this helps to improve the guide.
Thanks for the nice job there!
Regards,
Mannix

Fail2Ban fails to add sshd jail

Using Ubuntu 18.04 when running the command
sudo fail2ban-client add sshd

I receive the error message:
name 'noduplicates' is not defined

The config file is exactly as described in the guide. All previous fail2ban commands ran successfully with no warnings.

Restrict the use of su

A bad actor who has gained access to an account without sudo privileges can still try to log in as such with su.

Here's an article about limiting who can use su: https://www.cyberciti.biz/tips/restrict-the-use-of-su-command.html

The article tells you to add users, who you want to be able to use su, to the wheel group, and editing the PAM config file at /etc/pam.d/su appropriately. However at least in Ubuntu I had to add these users to the root group instead, so the steps needed might vary between distros.
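
As an added example (not from the guide, this issue's author or the linked article), the script below reads a /etc/pam.d/su file and reports whether su is restricted to a group and which group that is, then lists that group's members from /etc/group. The two pam.d samples and the group file are constructed; the group=sudo choice is an assumption.

```shell
#!/bin/sh
# Added example, not from the guide or the linked article: check whether
# /etc/pam.d/su limits su to one group, and list that group's members.

# Constructed samples. Debian and Ubuntu ship the pam_wheel line commented out,
# so su is open to every account by default.
PAM_SU_DEFAULT='auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
session    required   pam_env.so readenv=1
@include common-auth
@include common-account
@include common-session'

PAM_SU_RESTRICTED='auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=sudo
@include common-auth'

GROUP_FILE='root:x:0:
sudo:x:27:alice
wheel:x:10:alice,bob'

# su_restriction: reads a pam.d/su file on stdin; prints "restricted <group>"
# when an active pam_wheel line exists, otherwise "unrestricted". Without
# group=, pam_wheel checks the wheel group and falls back to root's primary
# group (gid 0) when no wheel group exists, which is why the Ubuntu note
# above ended up adding users to the root group.
su_restriction() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" {
            grp = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) grp = substr($i, 7)
            print "restricted", grp; found = 1; exit
        }
        END { if (!found) print "unrestricted" }
    '
}

# group_members NAME: reads /etc/group format on stdin, prints NAME's members.
group_members() {
    awk -F: -v g="$1" '$1 == g { print ($4 == "" ? "(none)" : $4) }'
}

# Demo on the samples; on a real host run:
#   su_restriction < /etc/pam.d/su ; group_members wheel < /etc/group
printf '%s\n' "$PAM_SU_DEFAULT" | su_restriction
printf '%s\n' "$PAM_SU_RESTRICTED" | su_restriction
printf '%s\n' "$GROUP_FILE" | group_members sudo
```

Using group=sudo (or another explicitly named group) avoids the distro-dependent wheel/root fallback the issue describes, and the second command shows exactly which accounts can still reach root through su after the change.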

Aide.wrapper not found

Hi,

First of all, thanks for this guide! I really needed something like this.

I'm having issues with the aide setup, I think that aide.wrapper is no longer provided. I'm getting a sudo: aide.wrapper: command not found.

Instead I was able to check the config with sudo aide -c /etc/aide/aide.conf -C which is more verbose but works correctly.

Best,
