[plug] Methods for intruder detection
Benjamin
zorlin at gmail.com
Fri Aug 7 19:19:30 AWST 2020
Oops, never mind! You already covered that. :)
- b
On Fri, 7 Aug 2020, 16:10 Benjamin, <zorlin at gmail.com> wrote:
> That is a super comprehensive and awesome list, Alastair. Thank you.
>
> I have only one small thing to add - you should use keys or certificates
> for SSH, not passwords. For added security you can even require a password
> AND a key.
>
> - b
>
> On Fri, 7 Aug 2020, 15:53 Alastair Irvine, <alastair at plug.org.au> wrote:
>
>> On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:
>> > Hi Pluggers!
>> >
>> > I was wondering about some easy / simple to deploy intruder detection for
>> > my VPS.
>> >
>> > https://cmd.com/ looks very interesting and I was wondering if anyone
>> > knows of some open-source local CLI that might do something similar (even
>> > if much less powerful)
>>
>> Rather than focusing on what someone might have done once they've
>> compromised your box, I think it's a better use of time to harden it in
>> the first place. Some techniques:
>>
>> - Automatic security updates
>> - Avoid running custom-built or self-compiled Internet-facing services
>> - Limit plugins (for WordPress, Jenkins, etc.) to those from
>> trustworthy sources and review the need for them regularly
>> - Ensure any plugins or non-distro-provided software install their own
>> security updates automatically
>> - Use the latest LTS distro release
>> - Don't open any ports except HTTP/HTTPS to the Internet; even SSH
>> should be locked down, and if you can't, turn off passwords and
>> install fail2ban
>> - Use a VPN for anything else you need private access to
>> - Ensure you have console access in case you get locked out
>> - Don't use password-less sudo on your account or the default cloud
>> admin account (e.g. ubuntu, ec2-user, etc.)
>> - When you do have to use password-less sudo (for cron jobs etc.),
>> lock down the commands it can run
>> - Use a Web Application Firewall to detect and block intrusion attempts
>> - Use a bastion host as an application-level "filter" to prevent hosts
>> containing critical data from being exposed to the Internet
>> - Spend time learning about other security techniques
>>
>> Off-site backups and log mirrors are generally a good idea too.
>>
>> If you want intrusion detection, you need to install software like AIDE,
>> rkhunter or chkrootkit. In practice, these tend to be a pain because
>> usually there are so many false-positives that you end up filtering the
>> reports to an e-mail folder that you never look at.
>>
>> It's probably less of a pain to use "immutable infrastructure" where
>> possible.
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>
>
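The SSH and sudo items in Alastair's list (turn off passwords, lock down the commands password-less sudo can run) and Benjamin's addition (key AND password) can be checked mechanically. The script below is an added example, not something posted in the thread: it audits a copy of sshd_config and sudoers for those settings, using OpenSSH's real semantics (first occurrence of a keyword wins; in AuthenticationMethods a comma means every listed method must succeed, a space means alternatives). The sample files it builds are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config / sudoers copies for
# the hardening items discussed above. Sample files are constructed in a temp
# directory; nothing here reads or modifies /etc.

# Print the effective value of an sshd_config keyword. sshd honours the first
# occurrence and ignores later ones, and matches keywords case-insensitively,
# so mimic both. Prints nothing if the keyword is absent.
sshd_get() {  # usage: sshd_get <config-file> <keyword>
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Check the SSH items from the thread: no root logins, and either no password
# logins at all or "key AND password" via AuthenticationMethods.
# Prints one line per finding; returns 0 when clean, 1 when anything is weak.
sshd_audit() {  # usage: sshd_audit <config-file>
  _cfg=$1 _rc=0
  _prl=$(sshd_get "$_cfg" PermitRootLogin)
  case "${_prl:-prohibit-password}" in      # OpenSSH default since 7.0
    no|prohibit-password) ;;
    *) echo "WEAK: PermitRootLogin=$_prl (want no)"; _rc=1 ;;
  esac
  _am=$(sshd_get "$_cfg" AuthenticationMethods)
  _pa=$(sshd_get "$_cfg" PasswordAuthentication)   # OpenSSH default is yes
  case "$_am" in
    publickey,password)
      # key AND password: the password step must stay enabled for this to work
      if [ "${_pa:-yes}" != yes ]; then
        echo "WEAK: AuthenticationMethods requires a password but PasswordAuthentication=$_pa"
        _rc=1
      fi ;;
    ""|publickey)
      if [ "${_pa:-yes}" != no ]; then
        echo "WEAK: PasswordAuthentication=${_pa:-yes} (want no, or key+password)"
        _rc=1
      fi ;;
    *)
      echo "NOTE: AuthenticationMethods=$_am not recognised; review by hand"
      _rc=1 ;;
  esac
  return $_rc
}

# Flag password-less sudo that is not restricted to specific commands, i.e.
# any NOPASSWD entry whose command list is ALL. Returns 0 when clean.
sudoers_audit() {  # usage: sudoers_audit <sudoers-file>
  if grep -Ev '^[[:space:]]*#' "$1" \
     | grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'; then
    echo "WEAK: unrestricted 'NOPASSWD: ALL' entry in $1"
    return 1
  fi
  return 0
}

# Stand-alone demo on constructed sample files.
demo() {
  _d=$(mktemp -d)
  printf '# typical cloud-image default\nPermitRootLogin yes\nPasswordAuthentication yes\n' \
    > "$_d/weak_sshd_config"
  printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
    > "$_d/hard_sshd_config"
  printf 'PermitRootLogin no\nPasswordAuthentication yes\nAuthenticationMethods publickey,password\n' \
    > "$_d/keyplus_sshd_config"
  printf 'ubuntu ALL=(ALL) NOPASSWD:ALL\n' > "$_d/weak_sudoers"
  printf '# cron job may run exactly one command without a password\n' \
    > "$_d/hard_sudoers"
  printf 'backup ALL=(root) NOPASSWD: /usr/local/bin/run-backup\n' >> "$_d/hard_sudoers"
  for f in weak_sshd_config hard_sshd_config keyplus_sshd_config; do
    echo "== $f"; sshd_audit "$_d/$f" && echo "OK"
  done
  for f in weak_sudoers hard_sudoers; do
    echo "== $f"; sudoers_audit "$_d/$f" && echo "OK"
  done
  rm -rf "$_d"
}

demo
```

The parser ignores Match blocks and Include directives, so on a live host run it against the output of `sshd -T` (which prints the effective configuration after all of those are resolved) rather than the raw file. The sudoers check deliberately passes entries that name a single command, which is the "lock down the commands it can run" case from the list.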