Saturday, February 3rd, 2024
Wise men talk because they have something to say; fools, because they have to say something.
— Plato
CCDC plan
Database
- Rotate root and regular user credentials. Be careful not to reset a regular user's credential without submitting a password reset request.
- Secure the SSH service configuration.
- Ensure the database can only be accessed with a password (no passwordless authentication).
  - PostgreSQL: SCRAM only
  - MySQL: 4.1 password hash
- Ensure the database root user also has a password.
- Rotate all user passwords and coordinate with dependent services.
- Audit SSH keys.
- Launch enumeration scripts:
  - LinPEAS (WinPEAS on Windows)
  - Lynis audit
- Set up a host-based firewall so that only services that need the database can connect to it.
  - PostgreSQL: pg_hba.conf
  - MySQL: use iptables
    sudo iptables -A INPUT -p tcp -s 10.150.1.1 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    (this ACCEPT rule only restricts access if a DROP rule for port 3306 from other sources, or a default DROP policy on the INPUT chain, is also in place)
    RENAME USER 'linuxconfig'@'localhost' TO 'linuxconfig'@'10.150.1.1';
    - alternatively
    CREATE USER 'linuxconfig'@'10.150.1.1' IDENTIFIED BY 'password_here';
    - https://linuxconfig.org/mysql-allow-access-from-specific-ip-address
- Check and reduce the privileges granted to the application user.
  SHOW GRANTS FOR 'linuxconfig'@'10.150.1.1';
- Check role/group memberships.
- Run a system upgrade.
- Enable TLS.
- Ensure the database is not running as root.
- chattr (make immutable):
  - service configs
  - shadow, passwd, groups
- Back up the database.
- Follow standard procedures.
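The "SCRAM only" and "pg_hba.conf" items above are easy to get wrong under time pressure, so here is a small audit script, added here and not part of the original plan, that flags pg_hba.conf rules using trust/md5/password, address ranges open to every host, and non-TLS host lines. The sample config is constructed; the 10.150.1.1 app-server address is taken from the plan.

```python
import ipaddress
# pg_hba.conf METHOD names; any other token in that position is a NETMASK column.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
# Constructed sample: the weak settings the plan warns about next to the intended
# "SCRAM only, app server only, TLS only" rule (10.150.1.1 is the plan's app host).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                     METHOD
local   all       all                               trust
host    all       all   0.0.0.0/0                   md5
host    all       all   ::/0                        password
hostssl app       app   10.150.1.1/32               scram-sha-256
host    app       app   10.150.1.1 255.255.255.255  scram-sha-256
"""

def parse_pg_hba(text):
    """Yield (line_no, type, database, user, address, method) for each active rule."""
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue  # blank or comment-only line
        if f[0] == "local":  # unix-socket rules have no ADDRESS column
            yield n, f[0], f[1], f[2], None, f[3]
            continue
        addr, i = f[3], 4
        if f[i] not in METHODS:  # ADDRESS NETMASK form: fold the mask into addr
            addr, i = f"{addr} {f[i]}", i + 1
        yield n, f[0], f[1], f[2], addr, f[i]

def is_open(addr):  # True when the ADDRESS column admits every host
    if addr == "all":
        return True
    try:  # "ip/prefix" or "ip mask"; prefix length 0 is the whole address space
        return ipaddress.ip_network(addr.replace(" ", "/"), strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet: not "everyone"

def audit_pg_hba(text):
    """Return findings as (line_no, severity, message); an empty list means clean."""
    findings = []
    for n, typ, _db, _user, addr, method in parse_pg_hba(text):
        if method == "trust":
            findings.append((n, "CRITICAL", "trust: no authentication at all"))
        elif method != "scram-sha-256":
            findings.append((n, "HIGH", f"{method}: not SCRAM, replace with scram-sha-256"))
        if addr is not None and is_open(addr):
            findings.append((n, "HIGH", f"{addr}: reachable from any host, restrict to the app server"))
        if typ in ("host", "hostnossl"):
            findings.append((n, "MEDIUM", f"{typ}: TLS not required, use hostssl"))
    return findings
```

Feed it the contents of the server's live pg_hba.conf; PostgreSQL must be reloaded after editing for the changes to take effect.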
Procedures
- Change passwords and submit appropriate password change requests.
- Log passwords into document (note that Google Docs is not available)
- Run enumeration scripts (winPEAS, linPEAS, lynis audit)
Maintenance
- Password rotation every hour
- Routinely monitor service availability
- Routine backup
Nginx
- self-signed TLS certificate
Redis
- requirepass
- enable TLS
- screw it