Difference between revisions of «Guía de hardening para servidores»
From TechShareRoom wiki
| Línea 60: | Línea 60: | ||
kernel.kptr_restrict = 2 | kernel.kptr_restrict = 2 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Si en dockershield | |||
net.ipv4.conf.all.secure_redirects is set to '1' (recommended: '0') | |||
net.ipv4.conf.default.secure_redirects is set to '1' (recommended: '0') | |||
y | |||
sysctl net.ipv4.ip_forward | |||
devuelve | |||
net.ipv4.ip_forward = 1 | |||
No hacer caso | |||
<syntaxhighlight lang="bash "> | <syntaxhighlight lang="bash "> | ||
sudo sysctl --system | sudo sysctl --system | ||
</syntaxhighlight> | </syntaxhighlight> | ||
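Review bot: the added paragraph tells the reader to ignore the dockershield finding on secure_redirects and the `net.ipv4.ip_forward = 1` result, but gives no reason, and the hardening file on this page sets `net.ipv4.ip_forward = 0`, so the `sudo sysctl --system` that follows will re-apply 0 rather than leave the reported 1 in place; state which outcome is intended (forwarding left on for this host, or the reload meant to reset it). Rather than dismissing the secure_redirects finding, consider adding `net.ipv4.conf.all.secure_redirects = 0` and `net.ipv4.conf.default.secure_redirects = 0` to 99-hardening.conf, since the recommended value matches the rest of the file. Minor: `lang="bash "` in the syntaxhighlight tag has a trailing space; use `lang="bash"`.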
Revision as of 13:49, 27 December 2025
Change the SSH port

sudo nano /etc/ssh/sshd_config

# Use any port other than 22. IMPORTANT: open the new port in the firewall before restarting sshd!
# (sshd_config does not accept trailing comments, so keep comments on their own line.)
Port XX
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30

Reload

systemctl daemon-reload
systemctl restart ssh.socket

sysctl vulnerabilities
sudo nano /etc/sysctl.d/99-hardening.conf

# ─────────── Networking ───────────
# Reject source-routed packets (protection against network attacks)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse path filtering (spoofing prevention)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Do not answer broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable TCP SYN cookies (mitigates SYN flood)
net.ipv4.tcp_syncookies = 1
# ─────────── IPv6 hardening ───────────
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# ─────────── Kernel security ───────────
# Disable IP forwarding (if this host is not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# ─────────── Other ───────────
# Logging and audit
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2

If dockershield reports

net.ipv4.conf.all.secure_redirects is set to '1' (recommended: '0')
net.ipv4.conf.default.secure_redirects is set to '1' (recommended: '0')

and

sysctl net.ipv4.ip_forward

returns

net.ipv4.ip_forward = 1

ignore it.

sudo sysctl --system
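The page applies the hardening file and then reads back single keys by hand. As an added example (not from the wiki or from dockershield), the POSIX shell script below audits every key in a sysctl.d-style file against a snapshot of live values taken with `sysctl -a > snapshot.txt`, so drift such as the `ip_forward = 1` result above shows up with the expected value beside it before `sysctl --system` is run; the file names and the sample contents are constructed.

```shell
#!/bin/sh
# Added example: report sysctl drift between a hardening file and a snapshot
# of live values, without changing anything on the host.

# normalize FILE: one "key=value" per setting; comments, blank lines and
# whitespace removed so both inputs compare the same way.
normalize() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# sysctl_mismatches EXPECTED SNAPSHOT
# EXPECTED: sysctl.d-style file (e.g. /etc/sysctl.d/99-hardening.conf).
# SNAPSHOT: "key = value" lines as printed by `sysctl -a`.
# Prints "key: expected X, got Y" for every differing or missing key.
sysctl_mismatches() {
  normalize "$1" | while IFS='=' read -r key want; do
    got=$(normalize "$2" | awk -F'=' -v k="$key" \
      '$1 == k { print $2; f = 1 } END { if (!f) print "MISSING" }')
    [ "$got" = "$want" ] || printf '%s: expected %s, got %s\n' "$key" "$want" "$got"
  done
}

# check_sysctl EXPECTED SNAPSHOT: returns 0 when compliant, 1 after printing findings.
check_sysctl() {
  findings=$(sysctl_mismatches "$1" "$2")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed demo input (not a real host): the hardening file and a snapshot
# from a machine where forwarding is still on and secure_redirects was never set.
demo_expected=$(mktemp); demo_snapshot=$(mktemp)
cat > "$demo_expected" <<'EOF'
# Disable IP forwarding (if this host is not a router)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.secure_redirects = 0
kernel.kptr_restrict = 2
EOF
cat > "$demo_snapshot" <<'EOF'
net.ipv4.ip_forward = 1
kernel.kptr_restrict = 2
net.ipv4.tcp_syncookies = 1
EOF
if check_sysctl "$demo_expected" "$demo_snapshot"; then
  echo "compliant"
else
  echo "drift detected: review the findings above before running sysctl --system"
fi
rm -f "$demo_expected" "$demo_snapshot"
```

Keys present in the snapshot but absent from the hardening file are ignored, so the script only judges what the file actually claims to enforce.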