--- creation date: 2022-01-08 tags: [note,linux,archlinux,security,hardening] --- # Security hardening ## ssh `ssh-guard` allowed. ## nginx Execute the following ``` mkdir -p /etc/nginx/ssl openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 ``` In `nginx.conf`, set the following inside the `http` block: ``` # security hardened server_tokens off; ``` For each `server` block, set the following ``` listen 443 ssl http2; # enable session resumption to improve https performance ssl_session_timeout 5m; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/nginx/ssl/dhparam.pem; # enables server-side protection from BEAST attacks ssl_prefer_server_ciphers on; # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 ssl_protocols TLSv1.2; # ciphers chosen for forward secrecy and compatibility ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # security hardened add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'; img-src 'self' data:;"; # OR: add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'"; # no access logs access_log off; ``` ## PHP ``` session.cookie_secure = true session.use_only_cookies = 1 session.cookie_httponly = true ``` ## journald Set maximum journal retention in `/etc/systemd/journald.conf`: ``` MaxRetentionSec=604800 MaxFileSec=86400 ``` This makes logs only available for seven days and rotate each day. Apply changes directly with `journalctl --vacuum-time=7d`. ## Andere Dienste Set log level to warn or error