Server hardening guide
From TechShareRoom wiki
SSH

# Open another port first
ufw allow XX

sudo nano /etc/ssh/sshd_config

Port XX   # any port other than 22. IMPORTANT: open the port in the firewall before changing this!
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30

# Reload
systemctl daemon-reload && systemctl restart ssh.socket

If everything works on the new port, remove 22 from /etc/ssh/sshd_config.
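As an added check (not part of the wiki page), the script below verifies that the directives above are the ones sshd will actually use. sshd honours the first occurrence of each keyword, and Ubuntu's /etc/ssh/sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in of the kind cloud images often ship (for example one that sets PasswordAuthentication yes) silently wins over the hardened values further down. On a real host `sshd -T` prints the effective configuration; the file names, port 2222 (standing in for XX) and the drop-in contents here are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the wiki): audit an sshd_config for the values set above.
# sshd applies the FIRST occurrence of a keyword, and Ubuntu's main file usually
# starts with "Include /etc/ssh/sshd_config.d/*.conf", so drop-ins win over anything
# written lower in /etc/ssh/sshd_config. Pass files in that precedence order:
# drop-ins first, then the main file.

# sshd_effective KEYWORD FILE...  -> prints the effective value of KEYWORD ("" if unset).
# Directives after a "Match" block only apply conditionally, so scanning stops there.
sshd_effective() {
  key=$1
  shift
  awk -v k="$key" '
    /^[ \t]*#/                { next }               # comment
    tolower($1) == "match"    { exit }               # conditional section: stop
    tolower($1) == tolower(k) { print $2; exit }     # first occurrence wins
  ' "$@"
}

# check_sshd_config FILE...  -> prints one line per failed check, returns 1 on any failure.
check_sshd_config() {
  rc=0
  for spec in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes \
              MaxAuthTries=3 LoginGraceTime=30; do
    key=${spec%%=*}
    want=${spec#*=}
    got=$(sshd_effective "$key" "$@")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: wanted '$want', effective '${got:-(sshd default)}'"
      rc=1
    fi
  done
  # Every uncommented Port line is honoured, so 22 must not appear on any of them.
  if awk '/^[ \t]*#/ { next } tolower($1) == "port" && $2 == "22" { found = 1 } END { exit !found }' "$@"; then
    echo "FAIL Port: 22 is still listed; remove it once the new port is verified"
    rc=1
  fi
  [ -n "$(sshd_effective Port "$@")" ] || { echo "FAIL Port: not set (sshd defaults to 22)"; rc=1; }
  return $rc
}

# write_sample_configs DIR: constructed sample files for a stand-alone demonstration.
write_sample_configs() {
  cat > "$1/sshd_config" <<'EOF'
# constructed main file, hardened as in the guide (port 2222 stands in for XX)
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
EOF
  cat > "$1/50-cloud-init.conf" <<'EOF'
# constructed drop-in of the kind cloud images leave in /etc/ssh/sshd_config.d/
PasswordAuthentication yes
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
echo "== main file alone =="
check_sshd_config "$tmp/sshd_config" && echo "OK"
echo "== drop-in included before the main file =="
check_sshd_config "$tmp/50-cloud-init.conf" "$tmp/sshd_config" || echo "hardening overridden by drop-in"
rm -rf "$tmp"
```

On a real host run it as `check_sshd_config /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config`, and treat any FAIL line about a drop-in as the thing to fix in that drop-in rather than in the main file.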
sysctl vulnerabilities

sudo nano /etc/sysctl.d/99-hardening.conf

Configuration 1, compatible with Docker and internal web services:
########################################
# SYSTEM HARDENING (DOCKER COMPATIBLE)
########################################
# ─────────── Networking ───────────
# Disable source routing (protection against network attacks)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse path filtering
# 🔧 CHANGED: from 1 (strict) to 2 (loose)
# Reason: Docker and NAT use asymmetric routing; rp_filter=1 breaks containers
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable TCP SYN cookies (prevents SYN flood attacks)
net.ipv4.tcp_syncookies = 1
# ─────────── Docker / NAT ───────────
# 🔧 CHANGED: IP forwarding must be ENABLED for Docker
# Reason: Docker requires forwarding to expose ports and handle WebSockets
net.ipv4.ip_forward = 1
# ─────────── IPv6 hardening ───────────
# Disable Router Advertisements (if IPv6 is not used)
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# Disable IPv6 redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# 🔧 ADDED: disable IPv6 forwarding (Docker usually does not need it)
net.ipv6.conf.all.forwarding = 0
# ─────────── Kernel security ───────────
# Restrict access to dmesg (prevents kernel information leaks)
kernel.dmesg_restrict = 1
# Hide kernel pointer addresses (KASLR hardening)
kernel.kptr_restrict = 2
########################################
# END OF HARDENING
########################################

If dockershield reports

net.ipv4.conf.all.secure_redirects is set to '1' (recommended: '0')
net.ipv4.conf.default.secure_redirects is set to '1' (recommended: '0')

and

sysctl net.ipv4.ip_forward

returns

net.ipv4.ip_forward = 1

ignore it.
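Once the file has been loaded with `sudo sysctl --system`, the check below (an added example, not from the wiki or from dockershield) reports where the running kernel still differs from 99-hardening.conf. It relies on the fact that `sysctl net.ipv4.ip_forward` simply reads /proc/sys/net/ipv4/ip_forward, so each dotted key maps to a file under /proc/sys; a key that cannot be read (typically a module that is not loaded) is reported as unreadable instead of being silently skipped. The fake /proc/sys tree and the config excerpt used in the demo are constructed, with rp_filter deliberately still at 1 so that a mismatch shows up.

```shell
#!/bin/sh
# Added example (not from the wiki): report drift between a sysctl file and the running kernel.
# Each key maps to a file under /proc/sys with the dots turned into slashes
# (net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward), which is what the sysctl
# command reads, so no sysctl binary is needed.
#
# sysctl_drift CONF [SYSROOT]
#   CONF     the sysctl file to audit
#   SYSROOT  where the live values are read from, default /proc/sys (a fake tree in the demo)
# Prints "key: file=X live=Y" per mismatch; returns 1 if anything drifted, 0 otherwise.
sysctl_drift() {
  awk -v root="${2:-/proc/sys}" '
    { sub(/#.*/, "") }                   # strip comments (including the box-drawing headers)
    /^[ \t]*$/ { next }                  # skip blank lines
    {
      n = index($0, "=")
      if (n == 0) { next }               # not a key = value line
      key  = substr($0, 1, n - 1)
      want = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", want)
      path = key
      gsub(/\./, "/", path)              # dotted key -> /proc/sys path
      path = root "/" path
      live = "<unreadable>"              # key absent, e.g. module not loaded
      if ((getline line < path) > 0) { live = line }
      close(path)
      gsub(/[ \t]+/, " ", live)          # multi-value keys are tab separated in /proc
      if (live != want) {
        print key ": file=" want " live=" live
        drift = 1
      }
    }
    END { exit (drift ? 1 : 0) }
  ' "$1"
}

# write_fake_sys DIR: constructed stand-in for /proc/sys (values chosen to show drift).
write_fake_sys() {
  mkdir -p "$1/net/ipv4/conf/all" "$1/kernel"
  echo 1 > "$1/net/ipv4/ip_forward"
  echo 1 > "$1/net/ipv4/conf/all/rp_filter"   # kernel still strict while the file asks for 2
  echo 1 > "$1/kernel/dmesg_restrict"
  # kernel.kptr_restrict is deliberately absent from the fake tree
}

# write_sample_conf FILE: constructed excerpt of 99-hardening.conf.
write_sample_conf() {
  cat > "$1" <<'EOF'
# ─────────── excerpt (constructed) ───────────
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 2   # loose for Docker
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
EOF
}

tmp=$(mktemp -d)
write_fake_sys "$tmp/sys"
write_sample_conf "$tmp/99-hardening.conf"
sysctl_drift "$tmp/99-hardening.conf" "$tmp/sys" && echo "no drift"
# On a real host:  sysctl_drift /etc/sysctl.d/99-hardening.conf
rm -rf "$tmp"
```

A non-empty report right after `sysctl --system` usually means a later file in /etc/sysctl.d (they are applied in lexical order) or a service such as Docker set the key again; an unreadable key means the kernel has no such setting on that host.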
Apply the settings with:

sudo sysctl --system

Authentication
Remove NOPASSWD

Review NOPASSWD for your users and remove it where appropriate.

sudo visudo -f /etc/sudoers.d/90-cloud-init-users

Change

ubuntu ALL=(ALL) NOPASSWD:ALL

to:

ubuntu ALL=(ALL) ALL
fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 10m
bantime = -1

[DEFAULT]
# Maximum age before IPs are purged from the database
# 0 = never purge
dbpurgeage = 0
maxretry = 3
findtime = 10m
bantime = -1

sudo fail2ban-client reload
sudo systemctl enable fail2ban
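To see what the jail above decides before committing to a permanent ban (bantime = -1), here is an added example that is not from the wiki or from the fail2ban project: a small re-implementation of the maxretry/findtime rule run over constructed auth.log lines. It assumes a subset of the failure patterns fail2ban's sshd filter matches (the aggressive mode above matches more), IPv4 addresses only, and syslog timestamps within one calendar month; the addresses are documentation ranges and the lines are made up.

```shell
#!/bin/sh
# Added example (not from the wiki or fail2ban): replay the [sshd] jail decision over
# sample log lines, so the effect of maxretry = 3 and findtime = 10m is visible.
# Simplifications (assumptions): subset of the sshd failure patterns, IPv4 only,
# "Mon DD HH:MM:SS" timestamps compared within the same month.
#
# fail2ban_sim MAXRETRY FINDTIME_SECONDS < logfile
#   prints each IP at the moment it would be banned
fail2ban_sim() {
  awk -v maxretry="$1" -v findtime="$2" '
    # "10" "12:00:01" -> seconds; good enough to compare events within one month
    function tosec(day, hms,   t) {
      split(hms, t, ":")
      return ((day * 24 + t[1]) * 60 + t[2]) * 60 + t[3]
    }
    # failure patterns (subset of those fail2ban ships for sshd; aggressive mode adds more)
    /Failed password for/ ||
    /Connection closed by authenticating user .* \[preauth\]/ {
      if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
      ip  = substr($0, RSTART, RLENGTH)
      now = tosec($2, $3)
      n[ip]++
      seen[ip, n[ip]] = now
      # count failures from this client inside the findtime window
      c = 0
      for (i = 1; i <= n[ip]; i++)
        if (now - seen[ip, i] <= findtime) c++
      if (c >= maxretry && !(ip in banned)) {
        banned[ip] = 1
        print ip
      }
    }
  '
}

# sample_auth_log: constructed /var/log/auth.log lines (not real traffic).
sample_auth_log() {
  cat <<'EOF'
Jan 10 12:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40000 ssh2
Jan 10 12:00:05 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:09 srv sshd[1003]: Connection closed by authenticating user admin 203.0.113.5 port 40002 [preauth]
Jan 10 12:00:10 srv sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Jan 10 12:01:00 srv sshd[1005]: Failed password for root from 198.51.100.20 port 41000 ssh2
Jan 10 12:20:00 srv sshd[1006]: Failed password for root from 198.51.100.20 port 41001 ssh2
Jan 10 12:40:00 srv sshd[1007]: Failed password for root from 198.51.100.20 port 41002 ssh2
Jan 10 12:50:00 srv sshd[1008]: Failed password for root from 192.0.2.9 port 42000 ssh2
Jan 10 12:50:03 srv sshd[1009]: Failed password for root from 192.0.2.9 port 42001 ssh2
EOF
}

echo "IPs the jail would ban (maxretry=3, findtime=600s):"
sample_auth_log | fail2ban_sim 3 600
echo "Same log with findtime=3600s:"
sample_auth_log | fail2ban_sim 3 3600
```

With findtime = 10m only 203.0.113.5 (three failures in eight seconds) is banned; 198.51.100.20 spreads its three attempts over forty minutes and never has three inside one window, which is exactly what a longer findtime would catch. Since the jail uses bantime = -1, check the real ban list with `sudo fail2ban-client status sshd` and make sure your own address is never on it.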