90 lines
2.5 KiB
Markdown
---
creation date: 2022-01-08
tags: [note,linux,archlinux,security,hardening,docker]
---
## OS - Arch

See https://wiki.archlinux.org/title/Security

1. Use `sudo` for everything and disable root with `passwd --lock root`
2. Install `linux-hardened` and set it as the default kernel

If using rootless #docker, enable `CONFIG_USER_NS_UNPRIVILEGED`.
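
A small audit script for the three items above, added here as an example (it is not part of the original note). Each check takes the raw command output as an argument, so the parsing can be exercised offline: the inputs are `passwd -S root`, `uname -r` and `sysctl -n kernel.unprivileged_userns_clone`, which I assume to be the runtime switch that corresponds to `CONFIG_USER_NS_UNPRIVILEGED` on linux-hardened. Function names and the `AUDIT_RUN` variable are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the original note. Each check takes the
# raw command output as an argument so the parsing can be run offline.

# root_locked "$(passwd -S root)" -> yes/no
# shadow-utils prints "root L ..." (L = locked); some distributions print "LK".
root_locked() {
    status=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$status" in
        L|LK) echo yes ;;
        *)    echo no ;;
    esac
}

# kernel_hardened "$(uname -r)" -> yes when the running kernel is linux-hardened
kernel_hardened() {
    case "$1" in
        *hardened*) echo yes ;;
        *)          echo no ;;
    esac
}

# userns_ok SYSCTL_VALUE ROOTLESS_DOCKER -> yes when rootless docker is not used,
# or when it is and unprivileged user namespaces are enabled (value 1).
# SYSCTL_VALUE is `sysctl -n kernel.unprivileged_userns_clone`, assumed here to be
# the runtime switch behind CONFIG_USER_NS_UNPRIVILEGED on linux-hardened.
userns_ok() {
    if [ "$2" != "yes" ]; then
        echo yes
        return 0
    fi
    if [ "$1" = "1" ]; then echo yes; else echo no; fi
}

# Gather live values (run as root) and print one "check: result" line each.
audit() {
    rootless=${1:-no}
    printf 'root account locked: %s\n' "$(root_locked "$(passwd -S root 2>/dev/null)")"
    printf 'hardened kernel running: %s\n' "$(kernel_hardened "$(uname -r)")"
    printf 'user namespaces ok for rootless docker: %s\n' \
        "$(userns_ok "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" "$rootless")"
}

# usage: AUDIT_RUN=1 sh audit.sh yes    (pass "yes" when rootless docker is in use)
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit "$1"
fi
```

The checks are split from the live `audit` wrapper on purpose: `passwd -S` output differs between distributions, so the parser is what needs testing, not the call.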
## ssh

`sshguard` allowed.

## nginx

Create the certificate directory and generate the Diffie-Hellman parameters referenced below:

```shell
mkdir -p /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```

In `nginx.conf`, set the following inside the `http` block:

```nginx
# security hardened: do not reveal the nginx version in headers and error pages
server_tokens off;
```

For each `server` block, set the following:

```nginx
listen 443 ssl http2;

# enable session resumption to improve https performance
ssl_session_timeout 5m;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# let the server, not the client, pick the cipher suite (BEAST mitigation for TLS 1.0 clients)
ssl_prefer_server_ciphers on;

# only TLS 1.2: SSLv3 (enabled by default since nginx 0.8.19) and TLS 1.0/1.1 are less secure than TLS 1.2
# http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1.2;

# ciphers chosen for forward secrecy and compatibility
# (the DES-CBC3 entries are 3DES, kept only for old clients; "!DES" excludes single DES, not 3DES)
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

# security hardened
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# legacy header; current browsers ignore it
add_header X-XSS-Protection "1; mode=block";
# "always" sends the header on error responses too, which HSTS preload checks require
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# CSP values are "directive source-list" pairs separated by ";" (a leading "https;" is not a directive and is ignored)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:;";
# OR: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

# no access logs
access_log off;
```
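
The check I would run against a deployed config, added here as an example (it is not part of the original note and not an nginx tool): an awk scan that flags the settings the block above is meant to rule out, namely `server_tokens` left on, `ssl_protocols` admitting SSLv3 or TLS 1.0/1.1, positive 3DES or RC4 entries in `ssl_ciphers`, an HSTS header without `always`, and a CSP value starting with `https;` (not a directive, browsers ignore it). Run against the cipher list above it reports the three `DES-CBC3` suites: `!DES` excludes single DES only, so 3DES stays in unless you add `!3DES` or drop those entries. The two sample configs are constructed; on a real host feed it `nginx -T`. Function names and the `NGINX_AUDIT_DEMO` variable are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the original note: scans nginx config text
# for settings that contradict the server-block hardening above.

# Read nginx config on stdin, print one finding per line (nothing when clean).
nginx_findings() {
    awk '
        # drop comments before matching
        { sub(/#.*/, "") }
        /^[ \t]*server_tokens[ \t]+off/ { tokens_off = 1 }
        /^[ \t]*ssl_protocols/ {
            protocols_seen = 1
            # SSLv2/3, TLSv1 or TLSv1.1 anywhere in the list
            if ($0 ~ /SSLv[23]|TLSv1(\.1)?[; \t]/) print "weak protocol enabled:" $0
        }
        /^[ \t]*ssl_ciphers/ {
            # keep only the cipher string, then look at each positive entry;
            # "!NAME" entries exclude a suite and are skipped
            sub(/^[ \t]*ssl_ciphers/, ""); gsub("[\"; \t]", "")
            n = split($0, suite, ":")
            for (i = 1; i <= n; i++) {
                if (suite[i] !~ /^!/ && suite[i] ~ /DES-CBC3|RC4/) {
                    print "legacy suite in ssl_ciphers: " suite[i]
                }
            }
        }
        /^[ \t]*add_header[ \t]+Strict-Transport-Security/ {
            hsts = 1
            if ($0 !~ /always/) print "HSTS header lacks \"always\" (not sent on 4xx/5xx responses)"
        }
        /^[ \t]*add_header[ \t]+Content-Security-Policy/ {
            if (index($0, "\"https;") > 0) print "CSP begins with \"https;\", which is not a directive and is ignored"
        }
        END {
            if (!tokens_off)     print "server_tokens is not off"
            if (!protocols_seen) print "ssl_protocols not set explicitly"
            if (!hsts)           print "no Strict-Transport-Security header"
        }
    '
}

# Number of findings on stdin, for scripting (0 means clean).
count_findings() {
    nginx_findings | wc -l | tr -d ' '
}

# Constructed sample: everything the scan looks for is wrong here.
WEAK_CONF=$(cat <<'EOF'
http {
    server_tokens on;
    server {
        listen 443 ssl http2;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!RC4";
        add_header Strict-Transport-Security "max-age=31536000";
        add_header Content-Security-Policy "https; default-src 'self'";
    }
}
EOF
)

# Constructed sample following the note above, minus the 3DES suites.
HARDENED_CONF=$(cat <<'EOF'
http {
    server_tokens off;
    server {
        listen 443 ssl http2;
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
    }
}
EOF
)

# usage on a host:  nginx -T | nginx_findings
# self-check on the samples:  NGINX_AUDIT_DEMO=1 sh nginx_audit.sh
if [ "${NGINX_AUDIT_DEMO:-0}" = "1" ]; then
    echo "weak sample:";     printf '%s\n' "$WEAK_CONF" | nginx_findings
    echo "hardened sample:"; printf '%s\n' "$HARDENED_CONF" | nginx_findings
fi
```

`nginx -T` prints the merged configuration actually loaded, so includes and per-vhost files are covered without guessing paths.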
## PHP

In `php.ini`, keep session cookies off plain HTTP and out of reach of scripts:

```ini
session.cookie_secure = true
session.use_only_cookies = 1
session.cookie_httponly = true
```

## journald

Set maximum journal retention in `/etc/systemd/journald.conf`:

```ini
[Journal]
MaxRetentionSec=604800
MaxFileSec=86400
```

Entries are kept for seven days (604800 s) and the journal file is rotated daily (86400 s).

Apply the retention limit to already stored entries with `journalctl --vacuum-time=7d`.

## Other services

Set the log level to warn or error.