Secure Linux Servers by Default

submitted by
Style Pass
2021-06-20 14:30:05

I get beyond upset when I come across a Linux server at a company that is either not configured securely, or so out of date that I have to look up what year the kernel is from. In an environment where companies continuously get popped, leak data and get compromised, I have zero tolerance for either scenario.

Of course, any time I come across this I start asking questions and talk to other teams (since whoever I talk to always has to pass the buck to some other team), and when I finally get an explanation it is usually along the lines of: they are waiting for the vendor to update the image, and then they will upgrade to it. For example, an Amazon Web Services AMI: the base image the vendor builds is the one the team installs, and they never modify or update it. This is unacceptable. All of this security theater leaves Linux servers vulnerable because of too much passing the buck, or, let's be honest, because the people running the servers don't really know how to run them.

I've long liked projects like the DevSec Hardening Framework, which addresses a slew of best practices pulled from all sorts of sources and allows those configurations to be applied automatically with a tool like Ansible. From this I built a project that automatically installs Ansible, applies these best practices to the base Linux system, and also sets up a far more secure OpenSSH configuration. My thinking is that this should be the first thing run against a new server, which then becomes the 'base' for all servers. I call this project 'base-secure' as a play on something we used to say back in the online Quake II days, which itself was a throwback to an earlier game, I assume DOOM.
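The OpenSSH part of that bootstrap, as an added example that is not code from the base-secure project or the DevSec Hardening Framework: a POSIX shell script that idempotently sets a list of hardened `sshd_config` directives (rewriting commented-out distro defaults, dropping duplicates, appending what is missing) and then audits the file the way sshd reads it, first uncommented occurrence wins. The directive names are standard `sshd_config` keywords; the chosen values, the constructed sample file and the function names are this example's own assumptions, and the Ansible roles the post refers to are out of scope here.

```shell
#!/bin/sh
# Added example, not code from the base-secure project: idempotently set
# hardened OpenSSH server directives in an sshd_config file and audit the
# result. Directive names are standard sshd_config keywords; the chosen
# values, the sample file and the function names are assumptions made here.
set -eu

# Desired settings, one "Keyword Value" per line. sshd uses the first
# uncommented occurrence of a keyword, so each must appear exactly once.
HARDENED_DIRECTIVES='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30'

# set_directive FILE KEY VALUE
# Rewrite the first line that sets KEY (including a commented-out distro
# default such as "#PermitRootLogin prohibit-password"), drop any further
# occurrences, and append "KEY VALUE" if KEY is absent. Safe to rerun.
set_directive() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indentation and a leading "#"
            split(line, parts, /[ \t=]+/)         # "Key Value" or "Key=Value"
            if (tolower(parts[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # write back in place so owner and mode are preserved
    rm -f "$tmp"
}

# effective_value FILE KEY
# Print the value sshd would use for KEY: the first uncommented occurrence.
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, parts, /[ \t=]+/)
            if (tolower(parts[1]) == tolower(key)) { print parts[2]; exit }
        }
    ' "$1"
}

# harden_sshd_config FILE: apply every directive in HARDENED_DIRECTIVES.
harden_sshd_config() {
    while read -r key value; do
        set_directive "$1" "$key" "$value"
    done <<EOF
$HARDENED_DIRECTIVES
EOF
}

# audit_sshd_config FILE: report directives that are missing or weaker than
# wanted; returns 0 only when every directive is in effect.
audit_sshd_config() {
    rc=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'WEAK: %s is "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<EOF
$HARDENED_DIRECTIVES
EOF
    return $rc
}

# make_sample_config FILE: a constructed file resembling a distro default.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real distribution file)
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
#MaxAuthTries 6
EOF
}

# Demo on the constructed sample; on a real host point the functions at
# /etc/ssh/sshd_config and validate with "sshd -t" before restarting sshd.
demo=$(mktemp)
make_sample_config "$demo"
echo "== before hardening =="
audit_sshd_config "$demo" || true
harden_sshd_config "$demo"
echo "== after hardening =="
if audit_sshd_config "$demo"; then echo "all hardened directives in effect"; fi
cat "$demo"
rm -f "$demo"
```

The script assumes a single flat file: it does not follow `Include` lines and treats a directive inside a `Match` block like any other, so on a host that uses either, confirm the effective settings with `sshd -T` rather than trusting the audit alone, and keep an out-of-band way in (console, second session) until the new configuration has been tested.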

Regardless, like everything it could be improved and changed, but for now this works, and I'm happy to build on it and try to get others to use it and promote the idea of running SECURE BY DEFAULT LINUX SERVERS!
