Saturday, 17 December 2022

Linux Server Security

I'm going back to my roots...

The project focused on Linux server security and system hardening. The main goal was to create a practical security checklist based on industry best practices and to apply some of these measures.

Rather than focusing on a single application, this project combined multiple technologies and security techniques to improve the overall security of Linux servers.

As part of the project, I installed and configured several services and applications:

  • OpenVPN Access Server - configured for secure remote access to a Linux system (VPS).
  • Auditd - used for system auditing and monitoring important security-related events.
  • SELinux - configured and tested to improve access control and system security.
  • FreeIPA (Kerberos) - deployed for centralized authentication and Kerberos-based identity management.
  • Apache HTTP Server - configured using simple Bash automation scripts with additional security improvements. The web server was integrated with:
    • Cloudflare services
    • SSL/TLS encryption
    • SSL Labs testing to verify security configuration and HTTPS implementation.
  • OpenSSL - used for certificate management and basic cryptographic operations.
  • Fail2ban - configured as a lightweight security tool that monitors logs and blocks suspicious IP addresses after repeated failed login attempts. I used it to add an extra layer of protection to my Linux server.
  • Cowrie - an open-source honeypot that simulates SSH and Telnet services to detect and log attacks. I deployed it in a Podman container to observe attacker behavior and collect security data.
  • Wazuh - basic deployment. At this stage, it was mainly about getting familiar with SIEM software. In the future, it will likely become one of the main components of my homelab.

The Linux Security project became an important step towards building a more secure self-hosted environment.


Linux security checklist:

  • Secure SSH
  • Disable root
  • Separate network services: one network service per system/VM. Containers are worth considering (with an adequate level of isolation)
  • Make backups, backups, backups... and test them
  • Use encrypted protocols for communication (SCP, SSH, rsync over SSH, SFTP, SSL/TLS for VPN and WWW) and encrypt data on disks
  • Check listening ports and disable any that are not required
  • Enable blocking after three failed attempts
  • Run fail2ban
  • Enable audit log
  • Manage SELinux
  • Create separate partitions for /usr, /home, /var, /var/tmp and /tmp, and also for service and application data (WWW, FTP)
  • Use built-in kernel options to secure your system
  • Control the number of users with admin privileges and disable when not required
  • Use a central system to manage Kerberos
  • Physical security for servers - disable access to USB/DVD/firewire/thunderbolt from OS and BIOS, flood and fire protection
  • Run redundant links and power supply
  • Disable and remove unused services
  • Disable and remove unused applications
  • Disable autostart of services, applications and containers that are not required
  • Audit the system and apply hardening
  • Implement honeypots
  • Externally scan your server for vulnerabilities
  • Regularly update your system and apps
  • Audit and harden the kernel
  • Block all ports except those necessary in your firewall
  • Make sure that there are no users on the server without passwords
  • Require key-based login and strong passwords
  • Enforce periodic password changes and enable password history
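A small audit script for three of the checklist items above (secure SSH and disable root, users without passwords, listening ports), added here as an example that is not part of the original post. It assumes the default sshd_config keyword syntax and the column layout of `ss -tulnH`, and runs on constructed sample files rather than the live system:

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks three checklist items (SSH
# hardening, no passwordless accounts, no unexpected listeners). It runs offline on
# the constructed samples below; as root, point it at /etc/ssh/sshd_config,
# /etc/shadow and `ss -tulnH` output instead.

# First uncommented value of keyword $2 in sshd_config $1 (sshd uses the
# first match per keyword; Match blocks and '=' separators are ignored here).
sshd_opt() {
  awk -v k="$(echo "$2" | tr 'A-Z' 'a-z')" \
    '/^[[:space:]]*#/ { next } tolower($1) == k { print tolower($2); exit }' "$1"
}
# Root login and password auth must be off, MaxAuthTries at most 3; prints failures.
check_sshd_config() {
  local cfg="$1" rc=0 v
  v=$(sshd_opt "$cfg" PermitRootLogin)
  [ "$v" = no ] || { echo "FAIL PermitRootLogin=${v:-unset (default prohibit-password)}"; rc=1; }
  v=$(sshd_opt "$cfg" PasswordAuthentication)
  [ "$v" = no ] || { echo "FAIL PasswordAuthentication=${v:-unset (default yes)}"; rc=1; }
  v=$(sshd_opt "$cfg" MaxAuthTries)
  [ "${v:-6}" -le 3 ] || { echo "FAIL MaxAuthTries=${v:-unset (default 6)}"; rc=1; }
  return $rc
}
# Accounts in shadow-format file $1 with an empty password field ('!' and '*' are locked: fine).
check_empty_passwords() {
  local hits; hits=$(awk -F: '$2 == "" { print $1 }' "$1")
  [ -z "$hits" ] || { echo "FAIL no password set: $hits"; return 1; }
}
# Reads `ss -tulnH` output on stdin; flags listeners whose port is not in $@.
unexpected_ports() {
  local allow=" $* " proto state rq sq laddr rest rc=0
  while read -r proto state rq sq laddr rest; do
    case "$allow" in *" ${laddr##*:} "*) ;;
      *) echo "FAIL unexpected listener: $proto $laddr"; rc=1 ;; esac
  done
  return $rc
}

# Constructed samples (not captured from a real host).
tmp=$(mktemp -d)
printf 'PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n' > "$tmp/sshd_good"
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$tmp/sshd_bad"
printf 'root:$6$x$hash:19300:0:99999:7:::\nalice:!:19300:0:99999:7:::\nguest::19300:0:99999:7:::\n' > "$tmp/shadow"
SS_SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*'

for f in "$tmp/sshd_good" "$tmp/sshd_bad"; do if check_sshd_config "$f"; then echo "OK sshd: $f"; fi; done
if check_empty_passwords "$tmp/shadow"; then echo "OK no passwordless accounts"; fi
if printf '%s\n' "$SS_SAMPLE" | unexpected_ports 22 443; then echo "OK listeners"; fi
```

On the samples the hardened sshd_config passes, the default-style one reports all three settings, the `guest` account is flagged, and ports 3306 and 5353 are reported as listeners outside the allow-list.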


Friday, 18 February 2022

Firewall project - pfSense and Zabbix

I started a small project focused on network security, monitoring, and modern firewall solutions. The main goal was to evaluate pfSense as a replacement for my Cisco ASA firewall and to build a flexible platform for future home lab development.

As an open-source enthusiast, I found pfSense to be an excellent solution for both home labs and small to medium-sized businesses. It offers many enterprise-level features without the high cost of commercial firewall appliances.

Cyberoam CR25wiNG (router/firewall)

The original operating system was replaced with pfSense, which became the main router and firewall for the project. The following services were deployed:

  • Router-on-a-Stick VLAN configuration
  • Snort (IDS)
  • Tailscale (VPN)


Dell Wyse 5060 (mini-pc)

A Debian Linux installation was used to provide additional network services, including:
  • AdGuard Home (for local DNS filtering)
  • Syncthing (for secure file synchronisation)


Cisco Catalyst 2960G (managed switch)

The switch was configured with basic VLAN support, while inter-VLAN routing was handled by pfSense.


Raspberry Pi

A dedicated Raspberry Pi was used to deploy Zabbix Server for infrastructure monitoring.

To create a more realistic test environment, I also connected my Dell R210 II servers and a Windows laptop to the network. This allowed me to monitor multiple systems and services while testing the firewall and network configuration.

By the end of the project, I was convinced that pfSense could successfully replace my Cisco ASA firewall. Many of the technologies tested here later became part of my larger home lab infrastructure and formed the foundation for future networking and security projects.