Which of the following Lynis auditing suggestions are worthwhile?
I'm currently securing a Linode VPS that will host a WordPress store and two Python web applications. Security-wise, I've run the most "basic" steps, such as hardening SSH access (i.e. disabling password & root login), setting up Fail2Ban to protect SSH, setting up UFW, and configuring Apache with the mod_security WAF and the OWASP rules.
I've also hardened the WordPress installation with the most common measures (preventing file execution, changing permissions, etc) and disabled unused communication protocols, like DCCP.
I'm currently auditing my system with Lynis before installing Snort and setting up hardware & log auditing, and I have received a series of suggestions that seem either snake oil (changing the SSH port) or useless, given my setup.
Some are related to password security, such as:
Check PAM configuration, add rounds if applicable, and expire passwords to encrypt with new values [AUTH-9229].
Configure password hashing rounds in /etc/login.defs [AUTH-9230].
Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [AUTH-9262].
When possible set expire dates for all password protected accounts [AUTH-9282].
Configure minimum password age in /etc/login.defs [AUTH-9286].
Configure maximum password age in /etc/login.defs [AUTH-9286].
Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328].
But my server has only two accounts (root & my user), so I don't see the point in applying them.
Another group of suggestions indicates that var, home, tmp, and home should be on a separate partition, that I should set up a password on the GRUB boot loader, and that I should disable USB drivers... but this is a virtual private server, so they seem pointless (maybe the USB one might have a point if the drivers have any sort of 0-day vulnerability; if I'm not using it, why have it? But then again, it's a virtual server).
I'm particularly interested in the following:
- Consider hardening system services [BOOT-5264] Details: Run '/usr/bin/systemd-analyze security SERVICE' for each service https://cisofy.com/lynis/controls/BOOT-5264/
When I check this particular test, I receive a list of services that should be checked, like:
2023-05-06 17:46:05 Result: apache2.service: 9.2 UNSAFE
2023-05-06 17:46:05 Result: apport.service: 9.6 UNSAFE
2023-05-06 17:46:05 Result: clamav-daemon.service: 9.6 UNSAFE
2023-05-06 17:46:05 Result: clamav-freshclam.service: 9.6 UNSAFE
2023-05-06 17:46:05 Result: dm-event.service: 9.5 UNSAFE
2023-05-06 17:46:05 Result: dmesg.service: 9.6 UNSAFE
2023-05-06 17:46:05 Result: emergency.service: 9.5 UNSAFE
2023-05-06 17:46:05 Result: mysql.service: 9.2 UNSAFE
It seems interesting, but upon reading about how to perform and harden those services, it looks like a long and (especially) delicate task.
I guess my question is if any of those suggestions are actually useful for my use case.
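An added example, not part of the question or of Lynis itself, of how a defender might act on the BOOT-5264 result: a POSIX shell script that filters the quoted result lines by exposure score and writes a systemd drop-in that sandboxes apache2.service. The ReadWritePaths, the capability set and the /tmp scratch directory are assumptions for a Debian/Ubuntu WordPress layout, not values taken from the question.

```shell
#!/bin/sh
# Added example (not from the question or from Lynis): pick the worst-scoring units out
# of the BOOT-5264 result lines, then write a sandboxing drop-in for apache2.service.

# Constructed sample of the Lynis result lines quoted in the question.
SAMPLE_RESULTS='2023-05-06 17:46:05 Result: apache2.service: 9.2 UNSAFE
2023-05-06 17:46:05 Result: apport.service: 9.6 UNSAFE
2023-05-06 17:46:05 Result: mysql.service: 9.2 UNSAFE
2023-05-06 17:46:05 Result: demo-sandboxed.service: 2.1 OK'

# Read result lines on stdin; print "unit score" for exposure scores >= $1 (default 9.0).
worst_units() {
    awk -v t="${1:-9.0}" '$3 == "Result:" && $5 + 0 >= t + 0 { sub(/:$/, "", $4); print $4, $5 }'
}

# Write apache2.service.d/hardening.conf under the directory given as $1.
# For real use pass /etc/systemd/system, then run: systemctl daemon-reload,
# systemctl restart apache2 and systemd-analyze security apache2.service to compare scores.
# The ReadWritePaths and capabilities are assumptions for a Debian/Ubuntu WordPress layout
# (uploads under /var/www, logs under /var/log/apache2); adjust them to the real install.
write_apache_dropin() {
    dir="$1/apache2.service.d"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
# Whole tree read-only except what Apache and WordPress must write; "-" skips missing paths.
ProtectSystem=strict
ReadWritePaths=/var/www /var/log/apache2 -/run/apache2 -/run/lock/apache2
PrivateTmp=yes
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Root parent still needs to bind 80/443, drop to www-data and signal its children.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_KILL CAP_DAC_OVERRIDE
# @system-service keeps the setuid/setgid calls the privilege drop relies on.
SystemCallFilter=@system-service
NoNewPrivileges=yes
EOF
    printf '%s\n' "$dir/hardening.conf"
}

# Stand-alone run: list the worst units and write the drop-in to a scratch directory.
printf '%s\n' "$SAMPLE_RESULTS" | worst_units 9.0
write_apache_dropin "${DROPIN_ROOT:-/tmp/apache2-dropin-demo}"
```

Compare `systemd-analyze security apache2.service` before and after `systemctl daemon-reload && systemctl restart apache2`, and confirm that WordPress uploads and Apache logging still work, since ProtectSystem=strict refuses writes anywhere not listed.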