Basic server post-install

Posted by brendon on 13 September 2015 - 2:49pm

Now when I install a new server (or machine in general) there are a few tools that I like to install straight off the bat. This was following an excellent presentation given by François Marier at Linux.conf.au 2015.

etckeeper

etckeeper is a collection of tools to let /etc be stored in a git repository. This lets you use git to review or revert changes that were made to /etc. It hooks into package managers like apt to automatically commit changes made to /etc during package upgrades.

debsums

debsums is a tool that verifies the integrity of installed package files against the MD5 checksums specified by the package creator. It can tell the administrator of a machine which files have been modified after package installation or have been damaged by media errors. For packages that don't have MD5 checksums included, these are generated for the .deb archive when installed.
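
The check debsums performs can be reproduced by hand to see what it reports. The following is an added example, not part of the original post or of debsums itself: it builds a constructed file tree in a temporary directory and verifies it against a checksum list in the dpkg md5sums layout (`<md5>  <relative path>`); the function names verify_md5sums and build_demo are hypothetical.

```sh
#!/bin/sh
# Added example: the core of a debsums-style check, run on constructed data.

# verify_md5sums ROOT LIST
#   LIST uses the dpkg md5sums layout: "<md5>  <path relative to ROOT>".
#   Prints "FAILED <path>" (content changed) or "MISSING <path>" per problem.
#   Returns 0 when every file matches, 1 otherwise.
verify_md5sums() {
    root=$1
    list=$2
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue            # skip blank or malformed lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        fi
        have=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "FAILED $path"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# build_demo: create a constructed "installed package" (three files plus the
# checksum list recorded while they were pristine), then modify one file and
# delete another. Prints the temporary root directory.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/share/doc"
    echo 'echo hello' > "$d/usr/bin/tool"
    echo 'manual'     > "$d/usr/share/doc/README"
    echo 'licence'    > "$d/usr/share/doc/copyright"
    (cd "$d" && md5sum usr/bin/tool usr/share/doc/README \
        usr/share/doc/copyright) > "$d/demo.md5sums"
    echo 'echo changed' > "$d/usr/bin/tool"   # simulated post-install edit
    rm "$d/usr/share/doc/README"              # simulated lost file
    echo "$d"
}

demo_root=$(build_demo)
verify_md5sums "$demo_root" "$demo_root/demo.md5sums" ||
    echo "integrity check found problems"
rm -rf "$demo_root"
```

Because the checksum lists are stored on the same disk as the files they describe, anyone with root access can rewrite both, so a clean result rules out accidental damage and careless edits rather than a careful intruder.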

fcheck

François is the maintainer of fcheck. fcheck is a useful IDS which can be used to monitor changes to any given filesystem. fcheck monitors directories, files or complete filesystems for any additions, deletions, and modifications. It can be run using cron or from the command line.

lynis

lynis is a security auditing tool that detects and reports potential software and security issues. Running lynis and addressing issues is beyond the scope of this article but I may cover it in a later article. The repository package of lynis seems to be out of date. Updates can be found at:
https://cisofy.com/download/lynis/

openssh-server

Usually I install this at the outset from the install media. It's basically essential for remote access.

unattended-upgrades

This will install security upgrades automatically and (as suggested) in an unattended manner.

fail2ban

fail2ban scans log files and creates (temporary) iptables rules to ban IP addresses based on nefarious behaviour.

Run the following to install the lot:

sudo aptitude install etckeeper debsums fcheck lynis openssh-server unattended-upgrades fail2ban

François' website has an excellent article that goes into greater depth on the issue.