Temporary SSH access on Linux servers

A while ago it was requested that developers should be able to log in, upon request, to our production servers via SSH. Normally this is restricted to SysOps and DevOps operators. Developers have their DTA(P) to do their thing, but nevertheless management decided that they need CLI access to our live systems. Needless to say, we…

Fail2Ban config on Ubuntu 18.04

I can be a very happy camper when I’m configuring something new and it ‘just works’ and does its job as expected and more. See the previous post on Fail2Ban. Creating a new jail and making the most important service hacker-proof is a matter of minutes. Of course fine-tuning it to my liking can…

OSSEC active response vs Fail2Ban

Let’s have a proper look at Fail2Ban on Ubuntu 18.04. Last week I was rather pleased with the replacement of CSF / LFD with UFW and OSSEC active response. It seems really rock solid. While configuring and testing, I discovered one big downside of OSSEC active response though: it only works for SSH and not…

Replacing CSF / LFD with UFW and OSSEC

UFW and OSSEC active response. In my quest to see if I would like to replace Debian with all of its third party tooling with more up-to-date Ubuntu servers (also with third party tooling), I’ll dedicate the next couple of posts to cross off this list. Starting at the top, today I’ll be replacing CSF…

Linux security system scans

Roaming around the internet you’ll discover A LOT of systems and services that can check your systems for security holes and improvements. These scans can help you a lot by giving you more insight into your security. I’ve already mentioned some before, but always keep searching for alternatives. In the last couple of months I’ve…

CSF / LFD regular expressions

In my last post I talked about two additions to my existing CSF / LFD configurations. The first one was a more transparent approach to the login failure daemon. The second one is regular expressions to stop malicious IPs that aren’t being stopped via the built-in mechanism. Simply put: not all attacks are recognized as…

CSF / LFD brute force settings

Not too long ago I wrote about being pretty happy with CSF / LFD as a replacement for my firewalld or ufw firewall. Using it for a while now, there are two additions I want to make. The first addition is a more granular and universal approach to the brute force mechanism (the LFD part,…

CSF / LFD Firewall and Security on Debian 9

For my work I had to set up a DirectAdmin server (which was a great pain to set up perfectly) and I was bothered by enormous amounts of brute force attempts, mostly on Exim ports. First thing on the agenda was of course to look for a way to block these fuckers and in comes the CSF / LFD…

Security headers in HTML site

I’ve written about the wonderful mechanism of securing your WordPress site a bit more with Security Headers before. I still think it’s pretty awesome, all these small things to make your site a bit more secure. Well, now I needed these headers for a one page HTML site. It’s definitely not hard but you just…

SELinux deep dive

At the start of my Linux adventure, I read a lot about installing software xyz and then of course tried it myself. What I thought was odd was that so many guides advocate disabling SELinux. I didn’t even understand what SELinux was at the time, but I did know it was a security mechanism…

Linux random security related stuff

Security. A couple of points I came across in the last couple of weeks. Some random ramblings really, how to make your Linux server (I myself am running CentOS 7.4 server) a bit more secure. There are way more elaborate posts on this blog, but every little bit counts. Since this year I have a…

Install OpenVAS on Fedora 26

After a lot of security related installations and modifications on my test server, I want to test if it is indeed secure. A couple of online scanners were discussed here and here for example, but I want to take it a few steps further. I came across OpenVAS in a training video and will be…

Securing SSL / HTTPS

Securing SSL and HTTPS might seem like a contradiction to you, because SSL and HTTPS are secure right? Well, not entirely and always. There are some awesome tools out there that will get your website from an F to an A+. Check this out. This is a good example of always being on top of…

Nextcloud security and performance tweaks

Our last post took care of a working Nextcloud installation. Afterwards I pumped 100GB of data to my cloud without a hiccup. But, especially in multi-user production environments, there are certainly a couple of important security and performance tricks to be performed. So be sure to check out these tips. I think this post is…

HSTS / HTTP Security Headers and WordPress

After giving SSH a hardening makeover, I’ve discovered something new. Apparently, HTTP Strict Transport Security (HSTS) and all kinds of HTTP Security Headers are pretty hot at the moment. They have been for a while actually, but more people are adopting them nowadays. For WordPress, which I’m running, it is rather easy to set up. Stuff…
