I have been looking at hardening *nix servers for my lab and maybe carry some of that over to work. CIS benchmarks are something I like doing but that’s barely scratching the surface. What do you do for your servers?

I have Lynis, systemd-analyze, Kernel self protection in mind but I’d love to hear your thoughts. Bonus points for the most paranoid setups!

    • HorreC@lemmy.world
      3·
      3 days ago

      I have used this with second port for handshake (with no info in heading and 20 second times) and then the final port opens with key exchanged from handshake.

    • SayCyberOnceMore@feddit.uk
      2·
      3 days ago

      Would you use that on internal LAN connections or only external internet facing connections? I’m not aware (not checked) if any firewalls support it… not sure why?

      • iii@mander.xyz
        3·
        3 days ago

        With knockd you can execute arbitrary commands upon a port knocking sequence. So any application that is configurable via terminal is eligible. Here’s a tutorial of knockd+iptables (1). Alternativly there’s (2) that achieves the same effect in a different way.

        You can use it wherever, as part of security in depth. It’s essentially a pre-shared secret.

        It’ll have it’s largest effect on publicly facing interfaces. It does not replace having a proper ssh setup (disabling root, disabling password login, etc).