linux-hardening

📁 bagelhole/devops-security-agent-skills 📅 9 days ago

总安装量

周安装量

#53341

全站排名

安装命令

npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill linux-hardening

Agent 安装分布

opencode 1

codex 1

claude-code 1

Skill 文档

Linux Hardening

Secure Linux servers following CIS benchmarks and security best practices.

When to Use This Skill

Use this skill when:

Hardening production servers
Meeting compliance requirements
Implementing security baselines
Configuring secure SSH access

SSH Hardening

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy admin
Protocol 2

User Security

# Password policy
sudo apt install libpam-pwquality
# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

# Lock inactive accounts
useradd -D -f 30

# Audit sudo usage
echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers

Firewall Configuration

# UFW setup
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 443/tcp
ufw enable

# Or iptables
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Kernel Hardening

# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0

# Apply
sysctl -p

File Permissions

# Critical files
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /root
chmod 600 /etc/ssh/sshd_config

# Find world-writable files
find / -type f -perm -0002 -ls

# Find SUID files
find / -perm -4000 -type f -ls

Audit Configuration

# Install auditd
apt install auditd

# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S execve -k exec

Best Practices

Disable unused services
Keep system updated
Use fail2ban for intrusion prevention
Enable SELinux/AppArmor
Regular security audits
Monitor log files
Implement least privilege

Related Skills

cis-benchmarks – Compliance scanning
firewall-config – Firewall rules

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台