Linux Hardening
Secure Linux servers following CIS benchmarks and security best practices.
When to Use This Skill
Use this skill when:
- Hardening production servers
- Meeting compliance requirements
- Implementing security baselines
- Configuring secure SSH access
SSH Hardening
/etc/ssh/sshd_config
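PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy admin
# Protocol is deprecated in current OpenSSH, which speaks only SSH-2; the line matters only on old releases
Protocol 2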
User Security
Password policy
sudo apt install libpam-pwquality
/etc/security/pwquality.conf
minlen = 14
# A negative credit sets the minimum number of characters required from that class
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
Lock inactive accounts
useradd -D -f 30
Audit sudo usage
echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
Firewall Configuration
UFW setup
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 443/tcp
ufw enable
Or iptables
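# Add the ACCEPT rules before switching the default policies to DROP, so an existing SSH session is not cut off
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP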
Kernel Hardening
/etc/sysctl.d/99-security.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
Apply
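# Plain "sysctl -p" reads only /etc/sysctl.conf; --system also loads the files under /etc/sysctl.d/
sysctl --system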
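To confirm the running kernel actually uses the values in /etc/sysctl.d/99-security.conf, the following added example (not part of the original skill) compares a baseline file against the live values under /proc/sys. The function name check_sysctl_baseline, the demo helper and the temporary tree it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report sysctl keys whose live value differs from a baseline file.
# Usage: check_sysctl_baseline CONF [ROOT]   (ROOT defaults to /proc/sys; it is a
# parameter only so the check can run against a constructed tree, as in demo below)
# Prints one line per key; return status is the number of missing or drifted keys.
check_sysctl_baseline() {
    conf=$1 root=${2:-/proc/sys} drift=0
    while IFS='=' read -r key want || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        case $key in ''|'#'*|';'*) continue ;; esac      # blank line or comment
        want=$(printf '%s' "$want" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        path=$root/$(printf '%s' "$key" | tr . /)        # a.b.c -> ROOT/a/b/c
        if [ ! -r "$path" ]; then
            echo "MISSING $key (expected $want)"; drift=$((drift + 1)); continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key = $have (expected $want)"; drift=$((drift + 1))
        fi
    done < "$conf"
    return "$drift"
}

# Constructed sample: the page's baseline checked against a fake tree in which
# ASLR is still 1 and the send_redirects entry does not exist.
demo() {
    tmp=$(mktemp -d) || return 99
    cat > "$tmp/99-security.conf" <<'EOF'
# constructed copy of the baseline from the page
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
    mkdir -p "$tmp/sys/net/ipv4/conf/all" "$tmp/sys/kernel" "$tmp/sys/fs"
    echo 0 > "$tmp/sys/net/ipv4/conf/all/accept_redirects"
    echo 0 > "$tmp/sys/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$tmp/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$tmp/sys/kernel/randomize_va_space"
    echo 0 > "$tmp/sys/fs/suid_dumpable"
    check_sysctl_baseline "$tmp/99-security.conf" "$tmp/sys"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo || echo "keys needing attention: $?"
```

On a real host, call check_sysctl_baseline /etc/sysctl.d/99-security.conf with no second argument; a non-zero status means at least one setting is not in effect.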
File Permissions
Critical files
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /root
chmod 600 /etc/ssh/sshd_config
Find world-writable files
find / -type f -perm -0002 -ls
Find SUID files
find / -perm -4000 -type f -ls
Audit Configuration
Install auditd
apt install auditd
/etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S execve -k exec
Best Practices
- Disable unused services
- Keep system updated
- Use fail2ban for intrusion prevention
- Enable SELinux/AppArmor
- Regular security audits
- Monitor log files
- Implement least privilege
Related Skills
- cis-benchmarks - Compliance scanning
- firewall-config - Firewall rules