Linux Hardening Guide

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • systemd

    The systemd System and Service Manager

  • syslog-ng

    The name enumeration alone should ring bells.

    There's always more that can be done, but https://github.com/systemd/systemd/tree/master/src/fuzz contains more than most of the aforementioned combined.

    As for how you run your alternative services as non-root, you may wish to learn what the contents of this file mean: https://github.com/systemd/systemd/blob/master/units/systemd... or this one: https://github.com/systemd/systemd/blob/master/units/systemd...

    Can you point to a commonly used initrc that comes even remotely close?

    You should also read https://systemd.io/JOURNAL_FILE_FORMAT/ and NetworkManager, which is what Ubuntu uses.

    By all means bash away (pun intended), but I keep seeing these points go uncontested and they're not very well founded.

  • rustls

    A modern TLS library in Rust

  • Agree. Not something I know a lot about but it seems to be a significant undertaking. I figure a production-grade implementation in safe Rust is more likely than a verified implementation in SPARK.

    I don't know how serious the rustls implementation is. Nice to see it makes no use of Rust's unsafe features.

    https://github.com/ctz/rustls

  • magic-wormhole

    Discontinued: get things from one computer to another, safely [Moved to: https://github.com/magic-wormhole/magic-wormhole] (by warner)

  • magic-wormhole could be useful. Secure and fast (and fun to use)!

    https://github.com/warner/magic-wormhole

  • ansible-collection-hardening

    This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL

  • While I have not read this properly yet, it seems like a good primer.

    There is also a great set of Ansible playbooks and roles that should cover this and more, and that is a good base for Linux servers: https://github.com/dev-sec/ansible-collection-hardening

  • pam_pwnd

    A PAM module to test passwords against previous leaks at haveibeenpwned.com

  • > If the user has a super secure password shared with a different, compromised service, libcrack will not detect that.

    There's a module[0] for that (TM).

    > Expiry results in passwords like: (prefix)Dec2020, (prefix)5

    libcrack can enforce similarity and rotation checks too [1].

    > or cycling the last 2/3 entries.

    There's also another module[2] just for that.

    [0]: https://github.com/skx/pam_pwnd

  • Armada

    Armada is a tool for writing, and proving correct, high-performance concurrent programs. (by microsoft)

  • Even there it depends. 'Programming practices' is vague. Even C can be tamed, at great expense, using formal methods techniques. [0][1][2][3] Adoption of such methods can give a solid assurance of the lack of UB, like use of a safe language. Weaker measures, like adopting MISRA C, don't provide such strong assurances (although they can eliminate certain categories of errors), and as you indicate, their real value is a bit more subjective. Mandating a bad programming style could actively make things worse.

    [0] https://trust-in-soft.com/

    [1] https://www.eschertech.com/products/perfect_developer.php

    [2] https://github.com/microsoft/Armada

    [3] https://www.microsoft.com/en-us/research/project/vcc-a-verif...

  • Win32-OpenSSH

    Win32 port of OpenSSH

  • https://github.com/PowerShell/Win32-OpenSSH/releases

  • I think everyone with valid criticisms of this should file a GitHub issue; I'm definitely planning to, because of these things:

    - Lots of discussion on X11 security issues without any mention of wayland

    - Not on the Linux page, but they recommend iOS as a secure OS, which is total bullshit given how many failures we've seen with serious bugs/vulns put into production. I can't even remember how many times I've read about bugs in Safari, Whatsapp or some other app that can be chained to get kernel-level privileges. Remember the Jeff Bezos hack?

    - No discussion of threat models

    - Focusing on academic/technical arguments and not looking at real-world malware ecosystems/exploits (or: why there is orders of magnitude more malware for Windows than Linux)

    - Memory safe languages - Linux is totally exploring a way to use rust for parts of the kernel, and Windows is still probably 99% C/C++

    I'm all the more confused by this guy since he's a whonix developer, this almost sounds like a Microsoft employee based on how little scrutiny he applies to Windows...

    https://github.com/madaidans-insecurities/madaidans-insecuri...

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
