Lynis score: 68 → 83/100
Baseline audit performed on 2026-05-04 (vps-audit.sh), after which hardening was applied with vps-harden.sh.

Critical findings (fixed)

| Area | Problem | Fix |
|---|---|---|
| SSH | PasswordAuthentication=yes (cloud-init override) | 50-cloud-init.conf → no |
| Users | ubuntu user in the sudo group (dead account) | deluser ubuntu sudo |
| Users | dayzserver with /bin/bash (no longer needed) | usermod -s /usr/sbin/nologin |
| nginx | Content-Security-Policy missing | CSP added to all vhosts |
| nginx | Referrer-Policy inconsistent | Standardized: strict-origin-when-cross-origin |

SSH hardening

```
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
MaxSessions 2
LogLevel VERBOSE
```

Sysctl hardening (12 parameters)

```
kernel.kptr_restrict = 2
kernel.sysrq = 0
kernel.yama.ptrace_scope = 2
fs.suid_dumpable = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.core.bpf_jit_harden = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.unprivileged_bpf_disabled = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
```

Additional measures

- Core dumps disabled
- USB storage module disabled
- Unused protocols blocked: dccp, sctp, rds, tipc
- login.defs: UMASK=027, PASS_MIN/MAX_DAYS, SHA_CRYPT rounds
- Cron dirs: 700 perms
- Compiler access: restricted
- Legal banners: /etc/issue, /etc/issue.net
- Redis: `rename-command CONFIG ""`

Packages (security)

libpam-tmpdir, debsums, apt-show-versions, libpam-pwquality, sysstat, auditd, rkhunter, acct

Auditd rules

Watched files: /etc/passwd, /etc/shadow, /etc/sudoers, /etc/ssh/sshd_config, /var/www/pterodactyl/.env

CrowdSec (IDS)

CrowdSec agent v1.4.6 runs as the intrusion detection system with 6 collections:

- sshd, nginx, linux, http-cve, base-http-scenarios, apache2

The firewall bouncer was removed: the nftables bouncer blocked SSH and caused a lockout. crowdsec-nginx-bouncer (application-level) is planned as a safer alternative.

Fail2ban

3 active jails with ntfy alerting:

- sshd (bantime=24h)
- nginx-http-auth
- nginx-botsearch

Home IP whitelisted (ignoreip) to protect against self-ban.

Weekly Lynis audit

play-army-lynis-audit.timer runs on Sundays at 04:00 UTC. If the score is < 70, a high-priority ntfy alert is sent.
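One way to implement the weekly check and its threshold alert, as an added example that is not the page's own play-army-lynis-audit script. It assumes lynis and curl are in PATH, the report sits at Lynis' default path /var/log/lynis-report.dat, and the ntfy topic URL is a placeholder you replace.

```shell
#!/bin/sh
# Added example, not the page's own play-army-lynis-audit script: run the
# weekly Lynis audit, read the hardening index from the report file and
# push a high-priority ntfy alert when the score drops below the threshold.
# Assumptions: lynis and curl are in PATH, the report is at Lynis' default
# /var/log/lynis-report.dat, and NTFY_URL is a placeholder to replace.
set -eu

REPORT="${LYNIS_REPORT:-/var/log/lynis-report.dat}"
THRESHOLD="${LYNIS_THRESHOLD:-70}"
NTFY_URL="${NTFY_URL:-https://ntfy.example.invalid/REPLACE-WITH-TOPIC}"

# Print the hardening_index=NN value from a Lynis report file, or nothing
# when the key is absent, so a truncated report is not mistaken for a pass.
lynis_score() {
    sed -n 's/^hardening_index=\([0-9]\{1,3\}\).*$/\1/p' "$1" | head -n 1
}

# Exit status 0 means "alert": the score is missing or below the threshold.
needs_alert() {
    score="$1"
    threshold="$2"
    if [ -z "$score" ] || [ "$score" -lt "$threshold" ]; then
        return 0
    fi
    return 1
}

# ntfy reads the priority from the Priority header; "high" is level 4.
send_alert() {
    curl -fsS -H "Title: Lynis audit" -H "Priority: high" \
        -d "$1" "$NTFY_URL" >/dev/null
}

main() {
    lynis audit system --quiet --no-colors >/dev/null
    score="$(lynis_score "$REPORT")"
    if needs_alert "$score" "$THRESHOLD"; then
        send_alert "Hardening index ${score:-missing} below ${THRESHOLD} on $(hostname)"
    fi
}

# Run the audit only when invoked as "sh lynis-check.sh run", so the
# functions can also be sourced or tested without touching the system.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the timer's service unit at `sh lynis-check.sh run`; Lynis itself must run as root for a full audit.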

What is not changed (and why)

| Lynis suggestion | Reason |
|---|---|
| Separate partitions for /home, /tmp, /var | VPS: not possible |
| GRUB password | VPS without physical access |
| net.ipv4.conf.all.forwarding=1 | Required by Docker/Pterodactyl |
| kernel.modules_disabled=0 | Modules are needed at runtime |
| SSH port change | UFW rate limiting is sufficient |