Added files

saundersp
2023-05-07 20:05:02 +02:00
parent 9521270bfe
commit 20b2cd160f
8 changed files with 981 additions and 0 deletions

secure_debian_server.md Normal file

@ -0,0 +1,49 @@
# Secure a debian server
## Deny ping response
In the file /etc/ufw/before.rules add the line after "ok icmp codes for INPUT"
> -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
## Restraining SSH default behaviour
In the file /etc/ssh/sshd_config or /etc/sshd_config
> Port $SSH_PORT # Custom SSH port
> AddressFamily inet
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM no
> PermitRootLogin no
```bash
# Apply changes
systemctl restart sshd
```
## Enabling security features
In the file /etc/sysctl.conf, uncomment / add the lines :
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv6.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv6.conf.all.accept_source_route = 0
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.all.arp_notify = 1
```bash
# Apply changes
sysctl -p
```
## Prevent IP Spoof
In the file /etc/host.conf, add / change the lines :
> order bind,hosts
> multi on
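
Review bot: In the "Restraining SSH default behaviour" section, the `Port $SSH_PORT` change is followed directly by `systemctl restart sshd`, with no syntax check and no firewall step, so a typo in the file or a ufw policy that does not yet allow the new port can lock the administrator out of a remote host. Suggest adding `sshd -t` before the restart and a `ufw allow $SSH_PORT/tcp` step (the first section already assumes ufw is in use), plus a note to keep the current session open until a fresh login on the new port succeeds. Two smaller points: `UsePAM no` also turns off PAM account and session handling, not only PAM authentication, so it deserves a sentence of justification. In "Prevent IP Spoof", `order bind,hosts` and `multi on` govern resolver lookup order and multi-address results rather than source-address validation, which the `rp_filter` lines above already cover, so the heading should be reworded or the section should state what it protects against.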