Linux Server Hardening — Checklist Complète

1. SSH Hardening

# /etc/ssh/sshd_config
Port 49222                          # Port non-standard
PermitRootLogin prohibit-password   # Root uniquement par clé
PasswordAuthentication no           # Clés SSH uniquement
PubkeyAuthentication yes
MaxAuthTries 3
MaxSessions 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy admin             # Whitelist d'utilisateurs
Protocol 2

# Regenerate the host keys (host keys must have an empty passphrase, hence -N "").
# Clients that already trust this server will get a "host key changed" warning
# afterwards: publish the new fingerprints (ssh-keygen -lf <keyfile>) out of band.
# Before reloading sshd, validate the config with `sshd -t` and keep a second SSH
# session open as a fallback. Two notes on the sshd_config above: root is not in
# AllowUsers, so root SSH login is blocked regardless of PermitRootLogin; and the
# `Protocol 2` directive is obsolete on current OpenSSH (SSH1 support was removed),
# so it can likely be dropped -- confirm against the installed version.
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""

2. Firewall (UFW)

# Default-deny inbound, allow outbound. The SSH rule is added BEFORE `ufw enable`
# so the current session is not cut off; its port must match sshd_config (49222).
ufw default deny incoming
ufw default allow outgoing
ufw allow 49222/tcp comment "SSH"
ufw allow 80/tcp comment "HTTP"
ufw allow 443/tcp comment "HTTPS"
# No port/protocol given: this opens EVERY port to that source address. If only one
# service is intended, narrow it: `ufw allow from <IP> to any port <PORT> proto tcp`.
ufw allow from 89.167.40.150 comment "WEVADS"
ufw enable
ufw status verbose

3. Fail2ban

# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 49222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 5

# Show current bans for the sshd jail (jail names come from jail.local above).
# bantime/findtime are in seconds: 1 h ban after 3 failures within 10 min.
# logpath = /var/log/auth.log only exists once rsyslog is installed (section 7);
# on journald-only hosts set `backend = systemd` in the jail instead.
# To lift a ban: fail2ban-client set sshd unbanip <IP>
fail2ban-client status sshd

4. Automatic Security Updates

# Install unattended security updates; the -plow reconfigure prompt enables the
# periodic apt job. With Automatic-Reboot "false" (config below), kernel and libc
# updates stay pending until a manual reboot -- watch /var/run/reboot-required
# (or needrestart) and schedule a reboot window.
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "admin@weval-consulting.com";

5. Kernel Hardening

# /etc/sysctl.d/99-hardening.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
kernel.core_uses_pid = 1

# Apply the file above. Note: the *.all.* keys do not always cover every interface
# on their own (e.g. send_redirects is combined with the per-interface value), so
# add the *.default.* counterparts for accept_redirects, send_redirects and
# accept_source_route as already done for rp_filter, plus the net.ipv6.* equivalents
# if IPv6 is enabled. `sysctl --system` reloads every file under /etc/sysctl.d/
# rather than this one only.
sysctl -p /etc/sysctl.d/99-hardening.conf

6. File Permissions Audit

# List SUID/SGID files (potential privilege-escalation vectors). Unlike the checks
# below, these two lack -xdev and so also descend into /proc and any network
# mounts; 2>/dev/null hides permission errors, so run as root and diff the output
# against a baseline taken right after installation.
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null

# World-writable directories (sticky-bit ones such as /tmp are excluded) and files.
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
find / -xdev -type f -perm -0002 2>/dev/null

# Files with no owner or group (typically left over from removed users/packages).
find / -xdev \( -nouser -o -nogroup \) 2>/dev/null

7. Logging & Monitoring

# Centralise the logs
apt install rsyslog
# Forward to a SIEM if one is available: an intruder with root can edit local
# logs, so off-host copies are what make the checks below trustworthy.

# Login audit
last -10               # last logins (wtmp)
lastb -10              # failed attempts (btmp)
who                    # who is logged in right now
w                      # what the logged-in users are doing

# Real-time monitoring
journalctl -f          # all logs, live
tail -f /var/log/auth.log  # authentication log (needs rsyslog, see above)

8. Backup 3-2-1

# 3 copies of the data
# 2 different media (disk + remote)
# 1 off-site copy

# Daily backup to the remote server. --delete mirrors deletions (and ransomware
# damage) to the remote side, so the target should keep versions or snapshots,
# e.g. rsync --backup --backup-dir=<DATED_DIR>. /backup/db (below) is not part of
# these two lines, so the database dumps never leave the host unless it is added.
rsync -avz --delete /opt/wevads/ backup@remote:/backups/wevads/
rsync -avz --delete /var/www/ backup@remote:/backups/www/

# PostgreSQL backup (custom format, max compression); /backup/db/ must already exist.
pg_dump -Fc -Z9 dbname > /backup/db/$(date +%Y%m%d).dump
find /backup/db/ -name "*.dump" -mtime +30 -delete  # keep 30 days

# Verify the backups (CRITICAL - an untested backup is not a backup).
# Nothing above creates latest.dump: point it at the newest dump (e.g. ln -sf)
# or use the dated file. `pg_restore -l` only reads the archive's table of
# contents, so also schedule a real restore into a scratch database.
pg_restore -l /backup/db/latest.dump  # integrity check