Revisión actual - 23:03 2 ene 2026

SSH

#Open another port
ufw allow XX

sudo nano /etc/ssh/sshd_config
Port XX #any different to 22, IMPORTANT open port before!
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30

#Refrescar 
systemctl daemon-reload && systemctl restart ssh.socket

Si todo funciona con el puerto nuevo nos disponemos a eliminar el 22 de /etc/ssh/sshd_config

Vulnerabilidades sysctl

sudo nano /etc/sysctl.d/99-hardening.conf

Configuración 1, compatible con Docker y servicios web internos

########################################
# SYSTEM HARDENING (DOCKER COMPATIBLE)
########################################

# ─────────── Networking ───────────

# Disable source routing (protection against network attacks)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Reverse path filtering
# 🔧 CHANGED: from 1 (strict) to 2 (loose)
# Reason: Docker and NAT use asymmetric routing; rp_filter=1 breaks containers
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore ICMP broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable TCP SYN cookies (prevents SYN flood attacks)
net.ipv4.tcp_syncookies = 1

# ─────────── Docker / NAT ───────────

# 🔧 CHANGED: IP forwarding must be ENABLED for Docker
# Reason: Docker requires forwarding to expose ports and handle WebSockets
net.ipv4.ip_forward = 1

# ─────────── IPv6 hardening ───────────

# Disable Router Advertisements (if IPv6 is not used)
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# Disable IPv6 redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# 🔧 ADDED: disable IPv6 forwarding (Docker usually does not need it)
net.ipv6.conf.all.forwarding = 0

# ─────────── Kernel security ───────────

# Restrict access to dmesg (prevents kernel information leaks)
kernel.dmesg_restrict = 1

# Hide kernel pointer addresses (KASLR hardening)
kernel.kptr_restrict = 2

########################################
# END OF HARDENING
########################################

Si en dockershield

net.ipv4.conf.all.secure_redirects is set to '1' (recommended: '0')

net.ipv4.conf.default.secure_redirects is set to '1' (recommended: '0')

y

sysctl net.ipv4.ip_forward

devuelve

net.ipv4.ip_forward = 1

No hacer caso

sudo sysctl --system

Autenticación

Eliminar NOPASSWD

Revisa NOPASSWD en tus usuarios y quítalo según corresponda.

sudo visudo -f /etc/sudoers.d/90-cloud-init-users

Cambia ubuntu ALL=(ALL) NOPASSWD:ALL

Por:

ubuntu ALL=(ALL) ALL

fail2ban

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

maxretry = 3
findtime = 10m
bantime = -1

[DEFAULT]
# Tiempo máximo de purga de IPs de la base de datos
# 0 = nunca purgar
dbpurgeage = 0

maxretry = 3
findtime = 10m
bantime = -1

sudo fail2ban-client reload
sudo systemctl enable fail2ban

Dockershield

curl -sSL https://raw.githubusercontent.com/adrian13508/dockershield/main/install.sh | bash

Diferencia entre revisiones de «Guía de hardening para servidores»

Adgellida (discusión | contribs.)