Server: hardening measures

[GPMueller]

From the general guide (see here):

• Firewalls: here and here
• TCP/IP stack hardening
• ssh security measures
  • deny root login
  • force public key
  • two-factor authentication with Google
  • note about ports: link

One question is if sensible hardening measures can be pre-configured by the installer or if anything needs to be done after the install.

A second question is if we change the ssh port. In case we use two-factor authentication I guess it won't be necessary. It seems that it should be enough by default to only open the ssh port in the firewall configuration, while also requiring public key-only login (only disadvantage is that at least one key needs to be set up while connected directly to the server).

[GPMueller]

I think it is a good default to only allow ssh incoming and otherwise setup the firewall as the example describes. key-only ssh and freeing up anything on the firewall will then be the admin's job, but at least the server won't be completely open to attacks.

Note that the iptables and ip6tables services should be enabled by systemctl. ipv6 should either default to deactivated or mirror ipv4 settings minus the open ssh port.

The rules files can be easily added to the repo and copied to the appropriate place (from the live-iso, that's /mnt/etc/iptables/).

[GPMueller]

The iptables should also be added to autostart, I believe they are not in there by default.