Securing Slackware server
I'm looking for some suggestions on securing my Slackware 15 server. For now it's only running a couple video game servers for my kids and a MariaDB (MySQL) that I use for development. I have a firewall (dedicated hardware router/firewall/IPS) that only allows the appropriate IPv4 ports through; however, IPv6 is a thing and, not knowing as much about it, I'm concerned about security on the Linux box.
I have disabled SSH password logins, requiring keys.
I stay up to date with slackpkg+.
I routinely manually check the last and lastb looking for any strange logins <-- I'd like a more automated way to check this, maybe something like "fail2ban".
I only run the network processes/applications I actively use.
Any other suggestions or resources?
-Brian |
Why not disable IPv6?
|
Computer security is one of those topics where asking 10 people for advice results in 12 answers.
Security usually is about risk vs. benefit and how big of a tinfoil hat one wants to wear.

Often security is about layers. For example, an nmap scan would reveal what is open to the world. Although there is a network layer firewall, a simple no frills rc.firewall could be added to ensure nobody hacks the computer if the network firewall is compromised.

Monitoring /var/log/secure might be more useful than monitoring /var/log/wtmp (last[b]).

There might be other ways of securing the environment. For example, development could be contained to inside a virtual machine that has no internet access.

Young children usually are not security concerns. They use whatever parents provide. Just provide them their own login account and let them play. Older children know about the outside world. They tend to get frustrated when they are denied access and start learning or recruiting friends to help them thwart parental controls unless there is a healthy relationship with the parents.

The usual caveats apply -- I'm not a security guru and do not play one on TV. :) |
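The question above asks for an automated replacement for reading last and lastb, and the reply points at /var/log/secure. The script below is an added example, not part of any post in this thread: it counts failed sshd attempts per source address (IPv4 or IPv6) and lists accepted logins from addresses outside an allow list. The names `ssh_report` and `sample_log`, the threshold, the allow-listed address and every log line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The log lines below are constructed.
sample_log() {
cat <<'EOF'
Mar  3 01:12:44 box sshd[2211]: Invalid user admin from 203.0.113.7 port 51234
Mar  3 01:12:45 box sshd[2211]: Failed publickey for invalid user admin from 203.0.113.7 port 51234 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 01:12:46 box sshd[2213]: Invalid user test from 203.0.113.7 port 51240
Mar  3 01:12:49 box sshd[2215]: Failed publickey for root from 203.0.113.7 port 51250 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 02:01:10 box sshd[2301]: Invalid user pi from 2001:db8::bad port 40022
Mar  3 02:01:12 box sshd[2303]: Invalid user pi from 2001:db8::bad port 40030
Mar  3 02:30:00 box sshd[2350]: Invalid user guest from 198.51.100.50 port 33000
Mar  3 07:45:01 box sshd[2400]: Accepted publickey for brian from 192.168.1.20 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 09:10:33 box sshd[2450]: Accepted publickey for brian from 198.51.100.9 port 50111 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 09:11:00 box su[2460]: Invalid user from nowhere
EOF
}

# ssh_report LOGFILE THRESHOLD "ALLOWED_IP ..."   (LOGFILE may be - for stdin)
#   FAILED <count> <source>     source with at least THRESHOLD failed attempts
#   UNEXPECTED <user> <source>  accepted login from a source not in the allow list
ssh_report() {
    awk -v threshold="$2" -v allowed="$3" '
    # Return the field that follows the given keyword, or "" if absent.
    function after(word,   i) {
        for (i = 6; i < NF; i++) if ($i == word) return $(i + 1)
        return ""
    }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $5 !~ /^sshd\[/ { next }    # ignore lines from other daemons
    # Count each failed attempt once: sshd logs "Invalid user" and may also
    # log "Failed ... for invalid user" for the same connection.
    / Invalid user / || (/ Failed [^ ]+ for / && !/ for invalid user /) {
        ip = after("from"); if (ip != "") fail[ip]++
        next
    }
    / Accepted [^ ]+ for / {
        ip = after("from")
        if (!(ip in ok)) print "UNEXPECTED", after("for"), ip
    }
    END { for (ip in fail) if (fail[ip] >= threshold) print "FAILED", fail[ip], ip }
    ' "$1" | LC_ALL=C sort
}

# Stand-alone run on the constructed sample; on a real host pass /var/log/secure.
sample_log | ssh_report - 2 "192.168.1.20"
```

Run from cron against /var/log/secure with your own allow list, the output can be mailed only when it is non-empty.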
Quote:
I'm just looking for the most current IPv6 and general system hardening recommendations, without going full paranoia mode. -Brian |
Quote:
At least the system is mostly for personal stuff and worst case if someone does compromise it I could format and reinstall, only losing some sleep in the process. I do agree there are so many opinions about security, but that's why I asked. Sometimes you get some really good ideas that you never even considered before. -Brian |
Why not let an auditing tool loose on your system?
Lynis always first, that springs to mind... But others... like https://geekflare.com/server-configu...itoring-tools/ |
If your edge device (router or modem to access the internet) supports IPv6 then the filtering there should support filtering and blocking IPv6. IF it does NOT support IPv6 then you do not have to worry about it passing through IPv6 addressed packets.
Your firewall on your host should have settings for both IPv4 and IPv6 filtering. You can always use that to secure your host, it is what it is made to do. |
@dalgrim, if your routing device is a Cisco/Juniper/..., there is a set of security-related reference templates for these and other devices & protocols that may be of use to you...
Provided by Team Cymru, these have been of good service to me. HTH, JimL https://github.com/team-cymru...rity-templates |
Quote:
If it is possible, try to change the default ports, like 22 (SSH) to 30350 or any high number; if you do the same for other services, it will be better. If you have Cloudflare, you can put a WAF in front of the application if you have a web application. |