On 11/24/2014 4:09 PM, Libertas wrote:
> I thought I'd share an initial draft of doc/HARDENING. Please
> share any opinions or contributions you have. This was written in a
> little more than an hour, so it's still a work in progress.
> However, in the spirit of prototyping before polishing, I thought
> I'd share early.
Thank you for sharing. There may be mixed opinions about using a resource like this, but the NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5 [0] covers a great many areas that can apply to other distros. Much of it appears to be included in the Debian documentation (which I believe the .pdf also references).

One might consider fwknop [1] to require single packet authorization (SPA) before the target ssh port is opened for you, and only for a few seconds. Sure, moving your ssh to a non-standard port makes for clean logs, but having the port closed to all unless validated through SPA can present a significant hurdle for a more dedicated adversary.

I've heard of a lot of people using fail2ban but not csf [2]; however, nobody has really weighed in on why. There are ways of integrating fwknop with csf. I'd be happy to share more info by request.

Also, let us not forget standard access restriction layers like tcpwrappers, and pam + /etc/security/access.conf for ssh.

[0] https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
[1] https://www.cipherdyne.org/fwknop/
[2] http://configserver.com/cp/csf.html (http link because of invalid ssl cert)
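To make the layering described in the reply above concrete, here is an added example (not from the post, and not from the fwknop or csf projects) of how the three layers fit together: fwknopd opens tcp/22 only after a valid SPA packet, tcpwrappers and pam_access then restrict who may use the port once it is open. The key values, the 192.0.2.0/24 management network, the user name and the 30-second timeout are placeholders.

```conf
# --- /etc/fwknop/access.conf (read by fwknopd) ---
# A valid SPA packet, encrypted with KEY_BASE64 and authenticated with
# HMAC_KEY_BASE64, opens tcp/22 for the packet's source address only and
# only for FW_ACCESS_TIMEOUT seconds; fwknopd adds and later removes the
# firewall ACCEPT rule itself. Keys below are placeholders: generate
# real ones on the client with `fwknop --key-gen`.
SOURCE              ANY
OPEN_PORTS          tcp/22
KEY_BASE64          PLACEHOLDER_RIJNDAEL_KEY_BASE64=
HMAC_KEY_BASE64     PLACEHOLDER_HMAC_KEY_BASE64=
FW_ACCESS_TIMEOUT   30

# --- Default firewall policy the above relies on (run as root) ---
# With INPUT defaulting to DROP, tcp/22 is unreachable until fwknopd
# inserts its temporary ACCEPT rule; the conntrack rule keeps an ssh
# session alive after that rule is removed again.
# iptables -P INPUT DROP
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# --- tcpwrappers: second layer while the port is open ---
# /etc/hosts.allow (192.0.2.0/24 is a documentation range, placeholder)
sshd: 192.0.2.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL

# --- PAM: third layer, account-level, after authentication ---
# /etc/pam.d/sshd (place before the other "account" lines)
account  required  pam_access.so
# /etc/security/access.conf, format: permission : users/groups : origins
# Only the placeholder user "relayadmin" from the management network;
# everything else is denied.
+ : relayadmin : 192.0.2.0/24
- : ALL : ALL
```

Each layer fails closed on its own, so a mistake in one (for instance a leftover SPA window) still leaves the others in place.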
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays