Diferencia entre revisiones de «Guía de hardening para servidores»
De TechShareRoom wiki
Más acciones
| (No se muestran 8 ediciones intermedias del mismo usuario) | |||
| Línea 1: | Línea 1: | ||
= SSH = | = SSH = | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
#Open another port | |||
ufw allow XX | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash" copy> | |||
sudo nano /etc/ssh/sshd_config | sudo nano /etc/ssh/sshd_config | ||
Port XX #any different to 22, IMPORTANT open port before! | Port XX #any different to 22, IMPORTANT open port before! | ||
| Línea 10: | Línea 15: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
#Refrescar | #Refrescar | ||
systemctl daemon-reload | systemctl daemon-reload && systemctl restart ssh.socket | ||
systemctl restart ssh.socket | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Si todo funciona con el puerto nuevo nos disponemos a eliminar el 22 de /etc/ssh/sshd_config | |||
= Vulnerabilidades sysctl = | = Vulnerabilidades sysctl = | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
sudo nano /etc/sysctl.d/99-hardening.conf | sudo nano /etc/sysctl.d/99-hardening.conf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang="bash "> | = Compatible con Docker y servicios web internos = | ||
<syntaxhighlight lang="bash" copy> | |||
######################################## | |||
# SYSTEM HARDENING (DOCKER COMPATIBLE) | |||
######################################## | |||
# ─────────── Networking ─────────── | # ─────────── Networking ─────────── | ||
# | |||
# Disable source routing (protection against network attacks) | |||
net.ipv4.conf.all.accept_source_route = 0 | net.ipv4.conf.all.accept_source_route = 0 | ||
net.ipv4.conf.default.accept_source_route = 0 | net.ipv4.conf.default.accept_source_route = 0 | ||
# Reverse path filtering ( | # Reverse path filtering | ||
net.ipv4.conf.all.rp_filter = | # 🔧 CHANGED: from 1 (strict) to 2 (loose) | ||
net.ipv4.conf.default.rp_filter = | # Reason: Docker and NAT use asymmetric routing; rp_filter=1 breaks containers | ||
net.ipv4.conf.all.rp_filter = 2 | |||
net.ipv4.conf.default.rp_filter = 2 | |||
# | # Do not send ICMP redirects | ||
net.ipv4.conf.all.send_redirects = 0 | net.ipv4.conf.all.send_redirects = 0 | ||
net.ipv4.conf.default.send_redirects = 0 | net.ipv4.conf.default.send_redirects = 0 | ||
# | # Log martian packets | ||
net.ipv4.conf.all.log_martians = 1 | net.ipv4.conf.all.log_martians = 1 | ||
net.ipv4.conf.default.log_martians = 1 | net.ipv4.conf.default.log_martians = 1 | ||
# | # Ignore ICMP broadcast pings | ||
net.ipv4.icmp_echo_ignore_broadcasts = 1 | net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
# | # Enable TCP SYN cookies (prevents SYN flood attacks) | ||
net.ipv4.tcp_syncookies = 1 | net.ipv4.tcp_syncookies = 1 | ||
# ─────────── Docker / NAT ─────────── | |||
# 🔧 CHANGED: IP forwarding must be ENABLED for Docker | |||
# Reason: Docker requires forwarding to expose ports and handle WebSockets | |||
net.ipv4.ip_forward = 1 | |||
# ─────────── IPv6 hardening ─────────── | # ─────────── IPv6 hardening ─────────── | ||
# Disable Router Advertisements (if IPv6 is not used) | |||
net.ipv6.conf.all.accept_ra = 0 | net.ipv6.conf.all.accept_ra = 0 | ||
net.ipv6.conf.default.accept_ra = 0 | net.ipv6.conf.default.accept_ra = 0 | ||
# Disable IPv6 redirects | |||
net.ipv6.conf.all.accept_redirects = 0 | net.ipv6.conf.all.accept_redirects = 0 | ||
net.ipv6.conf.default.accept_redirects = 0 | net.ipv6.conf.default.accept_redirects = 0 | ||
# 🔧 ADDED: disable IPv6 forwarding (Docker usually does not need it) | |||
net.ipv6.conf.all.forwarding = 0 | |||
# ─────────── Kernel security ─────────── | # ─────────── Kernel security ─────────── | ||
# | # Restrict access to dmesg (prevents kernel information leaks) | ||
kernel.dmesg_restrict = 1 | kernel.dmesg_restrict = 1 | ||
# Hide kernel pointer addresses (KASLR hardening) | |||
kernel.kptr_restrict = 2 | kernel.kptr_restrict = 2 | ||
######################################## | |||
# END OF HARDENING | |||
######################################## | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Línea 77: | Línea 107: | ||
No hacer caso | No hacer caso | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
sudo sysctl --system | sudo sysctl --system | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Línea 85: | Línea 115: | ||
Revisa NOPASSWD en tus usuarios y quítalo según corresponda. | Revisa NOPASSWD en tus usuarios y quítalo según corresponda. | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
sudo visudo -f /etc/sudoers.d/90-cloud-init-users | sudo visudo -f /etc/sudoers.d/90-cloud-init-users | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Línea 97: | Línea 127: | ||
== fail2ban == | == fail2ban == | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | ||
sudo nano /etc/fail2ban/jail.local | sudo nano /etc/fail2ban/jail.local | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
[sshd] | [sshd] | ||
enabled = true | enabled = true | ||
| Línea 109: | Línea 139: | ||
logpath = %(sshd_log)s | logpath = %(sshd_log)s | ||
backend = %(sshd_backend)s | backend = %(sshd_backend)s | ||
maxretry = 3 | |||
findtime = 10m | |||
bantime = -1 | |||
[DEFAULT] | |||
# Tiempo máximo de purga de IPs de la base de datos | |||
# 0 = nunca purgar | |||
dbpurgeage = 0 | |||
maxretry = 3 | maxretry = 3 | ||
| Línea 115: | Línea 154: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash" copy> | ||
sudo fail2ban-client reload | sudo fail2ban-client reload | ||
sudo systemctl enable fail2ban | |||
</syntaxhighlight> | |||
= Dockershield = | |||
<syntaxhighlight lang="bash" copy> | |||
curl -sSL https://raw.githubusercontent.com/adrian13508/dockershield/main/install.sh | bash | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Revisión actual - 21:38 14 feb 2026
SSH
#Open another port
ufw allow XXsudo nano /etc/ssh/sshd_config
Port XX #any different to 22, IMPORTANT open port before!
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30#Refrescar
systemctl daemon-reload && systemctl restart ssh.socketSi todo funciona con el puerto nuevo nos disponemos a eliminar el 22 de /etc/ssh/sshd_config
Vulnerabilidades sysctl
sudo nano /etc/sysctl.d/99-hardening.confCompatible con Docker y servicios web internos
########################################
# SYSTEM HARDENING (DOCKER COMPATIBLE)
########################################
# ─────────── Networking ───────────
# Disable source routing (protection against network attacks)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse path filtering
# 🔧 CHANGED: from 1 (strict) to 2 (loose)
# Reason: Docker and NAT use asymmetric routing; rp_filter=1 breaks containers
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable TCP SYN cookies (prevents SYN flood attacks)
net.ipv4.tcp_syncookies = 1
# ─────────── Docker / NAT ───────────
# 🔧 CHANGED: IP forwarding must be ENABLED for Docker
# Reason: Docker requires forwarding to expose ports and handle WebSockets
net.ipv4.ip_forward = 1
# ─────────── IPv6 hardening ───────────
# Disable Router Advertisements (if IPv6 is not used)
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# Disable IPv6 redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# 🔧 ADDED: disable IPv6 forwarding (Docker usually does not need it)
net.ipv6.conf.all.forwarding = 0
# ─────────── Kernel security ───────────
# Restrict access to dmesg (prevents kernel information leaks)
kernel.dmesg_restrict = 1
# Hide kernel pointer addresses (KASLR hardening)
kernel.kptr_restrict = 2
########################################
# END OF HARDENING
########################################Si en dockershield
net.ipv4.conf.all.secure_redirects is set to '1' (recommended: '0')
net.ipv4.conf.default.secure_redirects is set to '1' (recommended: '0')
y
sysctl net.ipv4.ip_forward
devuelve
net.ipv4.ip_forward = 1
No hacer caso
sudo sysctl --systemAutenticación
Eliminar NOPASSWD
Revisa NOPASSWD en tus usuarios y quítalo según corresponda.
sudo visudo -f /etc/sudoers.d/90-cloud-init-usersCambia ubuntu ALL=(ALL) NOPASSWD:ALL
Por:
ubuntu ALL=(ALL) ALL
fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 10m
bantime = -1
[DEFAULT]
# Tiempo máximo de purga de IPs de la base de datos
# 0 = nunca purgar
dbpurgeage = 0
maxretry = 3
findtime = 10m
bantime = -1sudo fail2ban-client reload
sudo systemctl enable fail2banDockershield
curl -sSL https://raw.githubusercontent.com/adrian13508/dockershield/main/install.sh | bash