[plug] Methods for intruder detection

Benjamin zorlin at gmail.com
Fri Aug 7 16:10:58 AWST 2020


That is a super comprehensive and awesome list, Alastair. Thank you.

I have only one small thing to add - you should use keys or certificates
for SSH, not passwords. For added security you can even require a password
AND a key

- b

On Fri, 7 Aug 2020, 15:53 Alastair Irvine, <alastair at plug.org.au> wrote:

> On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:
> > Hi Pluggers!
> >
> > I was wondering of some easy / simple to deploy intruder detection on my
> > vps.
> >
> > https://cmd.com/ looks very interesting and I was wondering if anyone
> know
> > of some opensource local cli that might do something similar (even if
> much
> > less powerful)
>
> Rather than focusing on what someone might have done once they've
> compromised your box, I think it's a better use of time to harden it in
> the first place.  Some techniques:
>
>   - Automatic security updates
>   - Avoid running custom-built or self-compiled Internet-facing services
>   - Limit plugins (for WordPress, Jenkins, etc.) to those from
>     trustworthy sources and review the need for them regularly
>   - Ensure any plugins or non-distro-provided software install their own
>     security updates automatically
>   - Use the latest LTS distro release
>   - Don't open any ports except HTTP/HTTPS to the Internet; even SSH
>     should be locked down, and if you can't, turn off passwords and
>     install fail2ban
>   - Use a VPN for anything else you need private access to
>   - Ensure you have console access in case you get locked out
>   - Don't use password-less sudo on your account or the default cloud
>     admin account (e.g. ubuntu, ec2-user, etc.)
>   - When you do have to use password-less sudo (for cron jobs etc.),
>     lock down the commands it can run
>   - Use a Web Application Firewall to detect and block intrusion attempts
>   - Use a bastion host as an application-level "filter" to prevent hosts
>     containing critical data from being exposed to the Internet
>   - Spend time learning about other security techniques
>
> Off-site backups and log mirrors are generally a good idea too.
>
> If you want intrusion detection, you need to install software like AIDE,
> rkhunter or chkrootkit.  In practice, these tend to be a pain because
> usually there are so many false-positives that you end up filtering the
> reports to an e-mail folder that you never look at.
>
> It's probably less of a pain to use "immutable infrastructure" where
> possible.
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20200807/2b2d9987/attachment.html>


More information about the plug mailing list