Kim Davalos kdavalos@sonic.net wrote:
Curious about what folks do to harden/secure their servers. Specifically I am NOT asking to be told what to do/how to do it.
More interested in hearing about different practices and approaches, e.g., firewall management - iptables/nftables vs something like Check Point, limiting installed packages to what is necessary, closing unused ports, access restrictions, etc.
*Some* of what Michael P previously wrote at much further length regarding the above is also mentioned at nixCraft's ''40 Linux Server Hardening Security Tips [2017 edition]'', https://www.cyberciti.biz/tips/linux-security.html. IMHO, I think that the nixCraft article is less complete but better organized than Michael P's extensive prose.
Also, security expert Bruce Schneier has excellent Security writings on his ''Schneier on Security'' blog and essays websites; https://www.schneier.com/ and https://www.schneier.com/essays/ respectively. AAMOF, I found Schneier's blogpost ''Choosing Secure Passwords'' at https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html extremely relevant and even _better_ than tips #8 thru #10 at nixCraft's ''40 Linux Server Hardening Security Tips [2017 edition]''.
There are Linux distros specifically designed to Penetration Test ("pen-test") how efficient your/one's Server Security setup really is after-the-fact. Two such pen-testing distros I'm distinctly aware of from previous discussions at SF-LUG.com are Kali Linux -- https://www.kali.org/ -- and The Parrot System -- https://www.parrotsec.org/. Another distro invariably mentioned by others is The Amnesic Incognito Linux System a.k.a., TAILS (https://tails.boum.org/ ), but I get the distinct impression that TAILS (as great as it is) is more for Privacy than it is for Security and Pen-testing.
BTW, SF-LUG is having their next live meeting at SF's Cafe Enchante this Easter Sunday April 1st, from 11am to 1pm; see http://linuxmafia.com/pipermail/sf-lug/2018q1/013112.html
Well, that's my even-briefer two cents. -A
acohen36@sdf.org SDF Public Access UNIX System - http://sdf.org