Battening the hatches¶

The stack and failures pages explain how a server’s defences fit together and what gives way when one is missing. These are the procedures: the steps to put a control in place, confirm it is working, or work out what happened when something went wrong.

They run roughly in the order a server’s life does. Locking down access and the network comes first, since it closes the most exposure for the least effort. Certificates and routine monitoring follow. The investigation and recovery procedures sit at the end, for the day they are needed. Each one is written to be followed start to finish by whoever is on hand, security background or not.

Access and authentication

Disable root access
Harden the SSH server
SSH key setup and rotation
Configure sudo
Set a password policy

Network and firewall

Configure the firewall with UFW
Configure the firewall with iptables
Set up fail2ban

Certificates

Internal certificate authority
TLS certificates with Let’s Encrypt

Monitoring and hygiene

Audit running services
Centralised logging
File integrity monitoring with Samhain
Check exposed services with nmap
Log reading commands

Investigation and recovery

SSH host key warning
Compromise investigation: what to look for
Bootable recovery media