Examples of Deep Custom Security Configurations
Additional User Service Configurations
Below are examples of strong, individualized system configurations, along with configurations of user services.
These are not universal templates, but references illustrating advanced system hardening.
nftables config

flush ruleset

table inet filter {
    # = Main chain policy =
    chain input {
        type filter hook input priority 0;
        policy drop;

        # = Common rule set =
        # Allow loopback interface (internal system processes)
        iif "lo" accept

        # == Allow established and related connections ==
        ct state established,related accept

        # == Limit the rate of NEW connections per source IP (basic anti-DDoS protection) ==
        # The meter keys the limit by source address, and "limit rate over ... drop" logs and
        # drops only the excess, so sources within the limit fall through to the rules below.
        # (An unconditional "limit rate ... accept" here would accept every new connection
        # and leave the rest of this chain unreachable.)
        # If you experience issues with slow or failed page loads in your browser,
        # try increasing the limit, for example:
        # ct state new meter flood_in { ip saddr limit rate over 50/second burst 100 packets } log prefix "BAN: too many conn " flags all drop
        ct state new meter flood_in { ip saddr limit rate over 25/second burst 50 packets } log prefix "BAN: too many conn " flags all drop

        # == Ping rate limiting ==
        ip protocol icmp icmp type echo-request limit rate 1/second accept
        ip protocol icmp icmp type echo-request log prefix "BAN: ICMP flood " flags all drop

        # == Blocking SSDP and mDNS (local broadcast discovery protocols) ==
        ip daddr 239.255.255.250 udp dport 1900 drop   # SSDP (UPnP/device discovery)
        ip daddr 224.0.0.251 udp dport 5353 drop       # mDNS (Bonjour, Avahi)

        # == Blocking NetBIOS and LLMNR (Windows/systemd internal LAN protocols) ==
        udp dport 137 drop    # NetBIOS Name Service (Windows network names)
        udp dport 138 drop    # NetBIOS Datagram Service (LAN name discovery)
        udp dport 5355 drop   # LLMNR (Link-Local Multicast Name Resolution)

        # = Set of blocked IP addresses and ranges =
        # == Blocking known botnets and proxy networks ==
        ip saddr {
            45.9.20.0/24,
            89.248.160.0/19,
            185.220.100.0/22,
            198.96.155.0/24,
            185.107.56.0/24,
            185.129.62.0/23
        } log prefix "BAN: known bots " flags all drop

        # == Blocking abnormal TCP flag combinations (NULL, XMAS and other scans) ==
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop               # NULL scan (no flags set)
        tcp flags & (fin|psh|urg) == (fin|psh|urg) drop               # XMAS scan (FIN+PSH+URG)
        tcp flags & (fin|syn) == (fin|syn) drop                       # SYN+FIN (invalid combination)
        tcp flags & (syn|rst|fin) == (syn|rst|fin) drop               # SYN+RST+FIN (invalid combination)
        tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop   # SYN+RST+FIN+ACK without PSH (invalid combination)

        # == Blocking fragmented packets, commonly used in filter evasion ==
        ip frag-off & 0x1fff != 0 drop

        # == Blocking spoofed IP packets ==
        ip saddr 127.0.0.0/8 drop      # localhost
        ip saddr 10.0.0.0/8 drop       # private network
        ip saddr 172.16.0.0/12 drop    # private network
        ip saddr 192.168.0.0/16 drop   # private network
        ip saddr 169.254.0.0/16 drop   # APIPA
        ip saddr 0.0.0.0/8 drop        # invalid address
        ip saddr 224.0.0.0/4 drop      # multicast
        ip saddr 240.0.0.0/5 drop      # reserved
    }

    # = Main chain policy =
    chain forward {
        type filter hook forward priority 0;
        policy accept;

        # = Blocking various types of attacks =
        # Required in chain forward only if Docker or Oracle VirtualBox is present.
        # If needed, uncomment.
        # == Limiting new connections per source IP (anti-DDoS) ==
        # ct state new meter flood_fwd { ip saddr limit rate over 25/second burst 50 packets } log prefix "BAN: too many conn " flags all drop
        # == Ping rate limiting ==
        # ip protocol icmp icmp type echo-request limit rate 1/second accept
        # ip protocol icmp icmp type echo-request log prefix "BAN: ICMP flood " flags all drop

        # = Allowing required TCP/UDP ports and ranges =
        # == Allow TCP ports required for application operation ==
        tcp dport {
            53,          # DNS: needed for domain name resolution
            80,          # HTTP: web traffic, updates and resource loading
            443,         # HTTPS: secure web traffic, VPN, browser
            12043,       # Custom 3D Application: specific client port
            13000-13050  # Custom 3D Application: dynamic client port range
        } accept

        # == Allow UDP ports required for application operation ==
        udp dport {
            53,          # DNS: needed for domain name resolution
            443,         # HTTPS via QUIC/HTTP3, browser protocols
            3478,        # STUN/TURN: WebRTC and video calls
            3479-3481    # STUN/TURN: WebRTC and video calls
        } accept

        # = Blocking dangerous and unnecessary TCP/UDP ports and ranges =
        # These blocklists are intended for a DESKTOP / workstation.
        # They block remote access, outdated services, proxies, DBs, IoT, and ports
        # often used by malware, scanners, and C2 infrastructures.
        #
        # WARNING: If you use the system as a SERVER, enable IP forwarding,
        # or run services with internal routing
        # (Docker NAT/bridge, VirtualBox host-only/bridged, VPN clients),
        # carefully review the blocked ports/ranges in the forward chain:
        # these services may need extra ports.
        # Adjust or comment out required items if necessary.

        # == Blocking various suspicious TCP ports ==
        tcp dport {
            # === Remote access (high risk) ===
            22,     # SSH: common brute-force target
            23,     # Telnet: outdated, no encryption
            3389,   # RDP: Windows remote desktop
            5900,   # VNC: remote access, frequent vulnerabilities
            # === FTP / SMB / NetBIOS (unsafe file-sharing protocols) ===
            21,     # FTP: insecure protocol
            137,    # NetBIOS Name Service
            138,    # NetBIOS Datagram
            139,    # NetBIOS Session
            445,    # SMB/CIFS: common exploit target
            # === Databases (NEVER expose to the Internet) ===
            3306,   # MySQL/MariaDB
            1433,   # MS SQL Server
            1434,   # MS SQL Browser
            # === HTTP-alt/Proxy/Elasticsearch (exploited frequently) ===
            8080,   # HTTP proxy / web interfaces: often exposed accidentally
            9200,   # Elasticsearch API: full remote data access
            # === UPnP/IoT (insecure by design) ===
            1900,   # SSDP / UPnP
            # === Common for malware (RAT, C2, reverse shells) ===
            4444,   # Metasploit reverse shell
            5555,   # Android ADB / IoT botnets
            9001,   # Tor transport (used by malware)
            1234,   # Netcat / reverse connections
            1337,   # Common C2 port used by malware
            # === Scanner ports and potentially vulnerable services ===
            1080,   # SOCKS proxy: used to bypass filtering
            3128,   # Squid proxy: may be abused as open proxy
            8000,   # Alternative HTTP ports, dev servers
            8888,   # Web interfaces, proxies, dev tools
            10000   # Webmin: remote admin panel, frequent attacks
        } drop

        # == Blocking various suspicious UDP ports ==
        udp dport {
            161,    # SNMP: network monitoring; abused by attackers
            162     # SNMP Trap: also potentially vulnerable
        } drop

        # Attention! Blocking wide port ranges: be careful!
        # Do not break system or application functionality!
        # == TCP port ranges not used by a workstation during transit routing ==
        # Blocked to prevent unwanted forwarding, hidden tunnels,
        # NAT evasion, parasitic flows, and potential forward-path attacks.
        tcp dport {
            1024-2047,    # System/legacy services; rarely needed in forward
            2048-4095,    # Proprietary daemons; NFS (2049): check if used
            4096-8191,    # Old VPNs, some games, P2P; rarely needed on desktop
            8192-12287,   # Alternative HTTP/proxy, multimedia; test as needed
            12288-16383,  # Media/VoIP (TCP fallback); may break calls
            16384-24575,  # RTP/WebRTC (TCP fallback); block unless AV needed
            24576-32767,  # Dynamic ranges for games/VPN; may cause issues
            32768-49151,  # Registered/ephemeral; risky: may break NAT, Docker, VM
            49152-65535   # High ephemeral; widely used by modern apps
        } drop

        # == Blocking UDP ports: high and dynamic ranges ==
        udp dport {
            1024-9999,    # low/mid ephemeral ports; used by trojans, P2P, games, VPN
            10000-65535   # high ephemeral; used by dynamic apps, VPN, Docker
        } drop

        # = Suspicious IPs: large ranges often used by botnets, spam nets, and scanners =
        ip saddr {
            185.0.0.0/8,   # abused hosting and proxy networks
            37.0.0.0/8,    # cheap VPS, frequent scanning sources
            88.0.0.0/8,    # common brute-force and scanner range
            77.0.0.0/8,    # TOR/proxy nodes
            91.0.0.0/8     # botnets and "grey-zone" hosting
        } drop
    }

    chain output {
        # = Main chain policy =
        type filter hook output priority 0;
        policy accept;

        # = Blocking various types of attacks =
        # == Limiting new connections from a single IP (anti-DDoS) ==
        # As in the input chain, only the excess over the limit is logged and dropped,
        # so outbound connections within the limit continue to the port rules below.
        ct state new meter flood_out { ip saddr limit rate over 25/second burst 50 packets } log prefix "BAN: too many conn " flags all drop

        # = ICMP protocol restrictions =
        # == Ping limitation ==
        ip protocol icmp icmp type echo-request limit rate 1/second accept
        ip protocol icmp icmp type echo-request log prefix "BAN: ICMP flood " flags all drop

        # == Critically important ICMP for network ==
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # == Important ICMPv6 for IPv6 ==
        ip6 nexthdr icmpv6 icmpv6 type { 1, 2, 3, 4 } accept
        ip6 nexthdr icmpv6 icmpv6 type { 135, 136 } accept   # NS/NA
        ip6 nexthdr icmpv6 icmpv6 type { 133, 134 } accept   # RS/RA

        # == Drop all other ICMP and ICMPv6 ==
        ip protocol icmp drop      # drop all other ICMP
        ip6 nexthdr icmpv6 drop    # drop all other ICMPv6

        # = SCTP protocol blocking =
        # 99.9% of desktop systems do not use SCTP at all
        meta l4proto sctp drop

        # = DCCP (Datagram Congestion Control Protocol) blocking =
        # Not used by any mainstream desktop applications
        meta l4proto dccp drop

        # = Allowing required TCP/UDP ports and ranges =
        # == Allow TCP ports and ranges required for application functionality ==
        tcp dport {
            53,          # DNS client. Required for Internet to work: domain name resolution (UDP/TCP).
            80,          # HTTP traffic to unencrypted websites; apps may use it for API/redirects.
            443,         # HTTPS. Main port for all encrypted web traffic: browsers, API, VPN, updates.
            3306,        # MySQL client. Needed if you connect to MySQL.
            3478,        # STUN/TURN WebRTC. Needed for audio/video/Discord.
            3000,        # Node.js dev servers. Needed for development.
            3690,        # SVN. If you work with an old repository.
            4443,        # Alternative HTTPS (some APIs). Also used by some VPN/clients.
            12043,       # Required for Custom 3D Application.
            13000-13050  # Required for Custom 3D Application.
        } accept

        # == Allow UDP ports and ranges required for applications ==
        udp dport {
            443,         # Required for fast and stable operation of modern websites
                         # (Google, YouTube, ChatGPT, Cloudflare)
            13000-13050  # Required for Custom 3D Application.
        } accept

        # = Blocking potentially dangerous / unnecessary TCP/UDP ports =
        # These blocks are intended for a DESKTOP / workstation.
        # WARNING: If you use the system as a SERVER,
        # adjust or comment out the required ports/ranges as needed.

        # == Blocking various suspicious TCP ports ==
        tcp dport {
            # === Remote access (high-risk) ===
            22,     # SSH: target of brute-force attacks.
            23,     # Telnet: outdated, unencrypted.
            3389,   # RDP: Windows remote access.
            5900,   # VNC: remote access, often vulnerable.
            # === FTP / SMB / NetBIOS (dangerous file-sharing services) ===
            21,     # FTP: insecure protocol.
            137,    # NetBIOS Name Service.
            138,    # NetBIOS Datagram.
            139,    # NetBIOS Session.
            445,    # SMB/CIFS: frequent exploitation target.
            # === Databases (NEVER open to the Internet) ===
            3306,   # MySQL/MariaDB. (Already accepted above for the MySQL client; this entry never matches.)
            1433,   # MS SQL Server.
            1434,   # MS SQL Browser.
            # === HTTP-alt/Proxy/Elasticsearch (dangerous, often attacked) ===
            8080,   # HTTP proxy / web interfaces: often exposed test interfaces.
            9200,   # Elasticsearch API: full remote access to data.
            # === UPnP/IoT (vulnerable by design) ===
            1900,   # SSDP / UPnP.
            # === Common malware ports (RAT, C2, reverse shells) ===
            4444,   # Metasploit reverse shell.
            5555,   # Android ADB / IoT botnets.
            9001,   # Tor transport (used by malware).
            1234,   # Netcat / reverse connections.
            1337,   # Common C2 malware port.
            # === Ports of scanners and potentially vulnerable services ===
            1080,   # SOCKS proxy: often abused for bypassing filters.
            3128,   # Squid HTTP proxy: can be used as open proxy.
            8000,   # Alternative HTTP ports, web services: potentially vulnerable.
            8888,   # Alternative web interfaces: test and proxy ports.
            10000   # Webmin: web admin panel, target of attacks.
        } drop

        # == Blocking various suspicious UDP ports ==
        udp dport {
            161,    # SNMP: network monitoring; can be abused by attackers.
            162     # SNMP Trap: same, potential vulnerability.
        } drop

        # Warning! Be careful blocking wide port ranges!
        # Do not break system or application functionality!
        # If you need a range, uncomment it.
        # If you don't, comment it out.
        # == Blocking "dangerous" and desktop-unnecessary TCP port ranges ==
        tcp dport {
            1-1023,       # Privileged ports.
            1024-2047,    # r-commands (rlogin, rsh, rexec), old RPC, NFS, legacy daemons.
            2048-3071,    # Rare proprietary protocols and middleware.
            3072-4999,    # Mostly ports of legacy, server, corporate apps;
                          # rarely needed on workstations.
            5000-5999,    # Alternative services, old P2P/admin ports, rarely used on desktops.
            7000-7999,    # Alternative/test ports, often used by trojans.
            9000-9999,    # Web services, proxies, possible backdoor ports.
            10000-19998,  # Dynamic/high service ports; may be required by some apps like Custom 3D Application,
                          # but not needed by most desktop services.
            19999-32767   # Old ephemeral port range; used by P2P, games, some VPNs,
                          # but system services rarely use them.
        } drop

        # == Blocking "dangerous" and desktop-unnecessary UDP port ranges ==
        udp dport {
            1024-2047,    # Old UNIX services, RPC, NFS, r-commands, legacy daemons.
                          # Usually safe to block.
            2048-4095,    # Rarely used standard ports, proprietary services.
                          # Usually safe to block.
            4096-8191,    # VPN, games, P2P, WebRTC, VoIP of some clients.
                          # Can block, but cautiously: may affect VPN/apps.
            8192-12287,   # QUIC/HTTP3, proxies, multimedia protocols.
                          # Might cause side effects; better test first.
            12288-16383,  # Old RTP/VoIP ranges and media streams.
                          # Can block, but might break video calls.
            16384-24575,  # Main RTP range (audio/video), WebRTC, VoIP.
                          # Do not block if you need video calls/WebRTC/VPN.
            24576-32767   # Dynamic ports for VPN, P2P, games, streaming data.
                          # May break VPN or some apps.
        } drop

        # == Blocking suspicious IPs:
        # large ranges often used by botnets, spam networks, and scanners ==
        ip saddr {
            185.0.0.0/8,   # Abused hosting and proxy networks.
            37.0.0.0/8,    # Cheap VPS, scanning sources.
            88.0.0.0/8,    # Frequent brute-force and scanners.
            77.0.0.0/8,    # Massive TOR/proxy nodes.
            91.0.0.0/8     # Botnets and "grey" hosting.
        } drop
    }
}
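The log prefix "BAN: ..." rules above write one kernel log line per dropped packet. The following is an added example, not part of the original post: it reads such lines (as printed by journalctl -k) and counts hits per rule and per source address, so a flood or a blocklisted source is easy to spot; the sample lines are constructed in the kernel's netfilter log format.

```python
"""Summarise nftables "BAN:" log lines produced by the ruleset above."""
import re
import sys
from collections import Counter, defaultdict

# Prefixes exactly as used in the ruleset's log statements (trailing space omitted).
BAN_PREFIXES = ("BAN: too many conn", "BAN: ICMP flood", "BAN: known bots")

# Netfilter log format: "<prefix> IN=<if> OUT= MAC=... SRC=<ip> DST=<ip> ...
# PROTO=<proto> [SPT=<n> DPT=<n>] ..."; DPT is absent for ICMP.
LOG_RE = re.compile(
    r"(?P<prefix>" + "|".join(re.escape(p) for p in BAN_PREFIXES) + r")"
    r"\s+IN=(?P<iface>\S*)\s.*?\bSRC=(?P<src>[0-9a-fA-F.:]+)\s.*?"
    r"\bDST=(?P<dst>[0-9a-fA-F.:]+)\s.*?\bPROTO=(?P<proto>\w+)"
    r"(?:\s.*?\bDPT=(?P<dport>\d+))?"
)


def parse_line(line):
    """Return a dict for a BAN log line, or None for any other kernel line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize(log_text):
    """Map each BAN prefix to a Counter of source addresses that triggered it."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[rec["prefix"]][rec["src"]] += 1
    return hits


def top_sources(log_text, n=5):
    """Sources with the most BAN hits across all rules, as (src, count) pairs."""
    total = Counter()
    for per_src in summarize(log_text).values():
        total.update(per_src)
    return total.most_common(n)


# Constructed sample lines (documentation addresses, not real traffic); the last
# line is an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
Feb 26 10:01:02 pc kernel: BAN: too many conn IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 26 10:01:02 pc kernel: BAN: too many conn IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 26 10:01:03 pc kernel: BAN: ICMP flood IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5
Feb 26 10:01:04 pc kernel: BAN: known bots IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=185.220.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 26 10:01:05 pc kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

if __name__ == "__main__":
    # Pipe real data in with: journalctl -k | python3 this_script.py
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for prefix, per_src in summarize(text).items():
        print(f"{prefix}: {sum(per_src.values())} hits from {len(per_src)} sources")
    print("top sources:", top_sources(text))
```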
sysctl config
kernel parameters configuration
/etc/sysctl.d/99-protect.conf
# ============================================
# SYSTEM HARDENING CONFIGURATION
# Debian 13 (Trixie) / MATE
# Version: 5.0 (final)
# Date: 2026-02-26
# ============================================
# IMPORTANT: Apply with command: sudo sysctl --system
# After applying, reboot the system to verify stability.
# ============================================

# ========== MAIN NETWORK RULES ==========

# 1. Complete ICMP Echo (ping) ignoring - INCOMING REQUESTS ONLY
# Effect: System does not respond to incoming ping requests. Makes your PC "invisible"
# to simple network scanners and automated bots.
# Important: This does NOT block outgoing ping requests from your system.
#
# Side effects:
# - Other hosts on the network cannot check your PC's availability via ping.
# - Some VPNs and tunnels may use ICMP for keepalive (rare).
#
# Suitable for:
# - Home/office PC not providing public services: completely safe.
# - Public server: comment out this line. In this case only item 16
#   (icmp_ignore_bogus_error_responses) remains, which only suppresses kernel
#   warnings about bogus ICMP error responses.
#
# Note: Since IPv6 is disabled (item 11), this rule applies only to ICMPv4.
net.ipv4.icmp_echo_ignore_all = 1

# 2. Ignore ICMP broadcast requests
# Effect: Protection against Smurf attacks (traffic amplification through broadcast requests).
# Side effects: None for regular PC.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3. Enable SYN Cookies
# Effect: Protection against SYN flood attacks (DoS). When the SYN queue overflows,
# enables cookie mechanism instead of dropping connections.
# Side effects: Slight load increase during attack. May affect some high-load servers,
# but safe for desktop.
net.ipv4.tcp_syncookies = 1

# 4. Disable Source Routing
# Effect: Blocks attacker's ability to specify packet route through your system
# (protection against spoofing).
# Side effects: None for regular user.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# 5. Log "martian" packets
# Effect: Logs packets with impossible (deliberately forged) source/destination addresses.
# Side effects: May fill logs (journalctl) during network attacks or incorrect network configuration.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 6. Disable ICMP Redirects
# Effect: Prevents routing table modification via ICMP packets. Protection against
# man-in-the-middle attacks.
# Side effects: May be needed in complex networks with dynamic routing,
# but safe for stationary PC.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# 7. Disable packet forwarding
# Effect: System does not act as a router (does not forward packets between interfaces).
# Side effects: None (default value).
net.ipv4.ip_forward = 0

# 8. Protection against TIME-WAIT assassination (RFC 1337)
# Effect: RST segments received for a socket in TIME-WAIT are ignored, so forged
# resets cannot tear that state down early and hijack the port/sequence space.
# Side effects: None.
net.ipv4.tcp_rfc1337 = 1

# 9. ARP request filtering
# Effect: Protects against ARP spoofing by forcing kernel to filter ARP responses
# from multiple interfaces.
# Side effects: May cause issues in complex networks with load balancing (requires tuning).
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# 10. TCP receive/send buffer limits
# Effect: Sets minimum, default, and maximum receive/send buffer sizes.
# Side effects: Too small values may reduce download speed, but specified values are optimal.
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304

# 11. COMPLETE IPv6 DISABLE
# Effect: Disables entire IPv6 stack. Removes entire class of IPv6-related vulnerabilities.
# WARNING
# Side effects: Applications requiring IPv6 stop working (some torrents, Docker containers,
# some websites via IPv6).
# Note: If using Docker or modern browsers with IPv6 preferences, may have issues with localhost.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 12. Reduce SYN-ACK retry count
# Effect: Speeds up closing of "half-open" connections during attacks.
# Side effects: With poor connection, some legitimate connections may drop faster.
net.ipv4.tcp_synack_retries = 2

# ========== NETWORK ENHANCEMENTS ==========

# 13. Disable ICMP redirect sending
# Effect: Supplement to item 6 - prevents system from sending redirects (system is not a router).
# Side effects: None.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# 14. Reverse Path Filtering
# Effect: Strict protection against IP spoofing. Packet is dropped if it arrived on an interface
# through which it should not have come.
# WARNING
# Side effects: If you have a complex network with multiple interfaces (e.g., wired + Wi-Fi + VPN),
# strict mode (1) may disable internet on one of the interfaces.
# Solution: If you experience network issues, try value 2 (loose mode).
# If that doesn't help - comment out the lines.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.*.rp_filter = 1

# 15. Reduce TCP timeouts
# tcp_tw_reuse works only for outgoing (client) connections. For incoming connections
# (if you were running a server) it is useless.
# Effect: Fast resource release for closed connections.
# Side effects: In rare cases, may prematurely close "slow" connections.
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1

# 16. Ignore bogus ICMP error responses
# Effect: The kernel stops logging warnings about bogus ICMP error responses
# (e.g. replies to broadcast frames from routers that violate RFC 1122).
# Side effects: None.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# ========== KERNEL HARDENING ==========

# 17. Restrict access to kernel logs and addresses
# Effect: dmesg_restrict - only root sees kernel message buffer.
# kptr_restrict=2 - kernel pointer addresses hidden from everyone, including root.
# Side effects: Makes debugging system problems harder for regular users.
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2

# 18. Full Address Space Layout Randomization (ASLR)
# Effect: Maximum protection against memory vulnerability exploitation (buffer overflow).
# Side effects: May cause rare issues with old software compiled without PIC/PIE support.
kernel.randomize_va_space = 2

# 19. ptrace restriction (YAMA)
# Effect: Prevents processes from tracing (debugging) other processes. Protects browser memory
# from being read by stealers.
# WARNING
# Side effects: Breaks debuggers (gdb, strace) if trying to attach to another PID.
# Does not affect child processes (e.g., debugging from terminal works).
# Note: For regular users - safe and necessary.
kernel.yama.ptrace_scope = 1

# 20. DISABLE USER NAMESPACES
# Effect: Closes main local privilege escalation vector. Prevents container isolation
# for unprivileged users.
# WARNING (HIGH COMPATIBILITY RISK)
# Side effects:
# - COMPLETELY breaks Flatpak/Snap applications
# - Breaks Docker/Podman for regular users
# - Breaks Chrome/Chromium sandbox (browser may crash or work unstable)
# - Some modern applications may not start
# Test: If after reboot browser or app store doesn't start - comment out these two lines
# (commented by default, uncomment only if necessary).
# kernel.unprivileged_userns_clone = 0
# user.max_user_namespaces = 0

# 21. Disable eBPF for unprivileged users
# Effect: Prevents creation of eBPF programs (often used by rootkits and exploits).
# Side effects: Breaks monitoring tools using eBPF (e.g., bcc-tools) if not run as root.
kernel.unprivileged_bpf_disabled = 1

# ========== END OF CONFIG ==========
# After applying, check browser and Flatpak applications functionality.
# For User Namespace issues - see item 20.
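"sudo sysctl --system" prints errors for unknown keys but says nothing about values that a later file, a driver or a running service silently overrides. The following is an added example, not part of the original post: it parses a sysctl.d file in the format above and compares every key with what the running kernel reports under /proc/sys; the sample config excerpt and the stand-in "live" values are constructed for the offline check.

```python
"""Verify that a sysctl hardening file such as 99-protect.conf is in effect."""
import glob
import os
import re

# "key = value"; keys may contain '*' (e.g. net.ipv4.conf.*.rp_filter).
LINE_RE = re.compile(r"^([A-Za-z0-9_.*-]+)\s*=\s*(.+)$")


def parse_sysctl_conf(text):
    """Return {key: value} for every active line; '#' comments are ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        m = LINE_RE.match(line) if line else None
        if m:
            expected[m.group(1)] = " ".join(m.group(2).split())  # normalise spacing
    return expected


def key_to_path(key):
    """net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward"""
    return os.path.join("/proc/sys", *key.split("."))


def read_live(key):
    """Running kernel's raw value for key, or None if the key does not exist."""
    try:
        with open(key_to_path(key)) as f:
            return f.read()
    except OSError:
        return None


def compare(expected, live):
    """Split keys into (ok_list, {key: (want, got)} mismatches, missing_list)."""
    ok, bad, missing = [], {}, []
    for key, want in expected.items():
        got = live.get(key)
        if got is None:
            missing.append(key)
        elif " ".join(got.split()) == want:  # /proc/sys separates tokens with tabs
            ok.append(key)
        else:
            bad[key] = (want, " ".join(got.split()))
    return ok, bad, missing


def check_system(text):
    """Compare config text against /proc/sys, expanding '*' keys via glob."""
    expected = parse_sysctl_conf(text)
    for key in [k for k in expected if "*" in k]:
        want = expected.pop(key)
        for path in glob.glob(key_to_path(key)):  # e.g. net.ipv4.conf.eth0.rp_filter
            expected[os.path.relpath(path, "/proc/sys").replace(os.sep, ".")] = want
    return compare(expected, {k: read_live(k) for k in expected})


# Constructed excerpt in the format of the file above (keys taken from it).
SAMPLE_CONF = """\
# 3. Enable SYN Cookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rmem = 4096 87380 4194304   # multi-token value
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
# kernel.unprivileged_userns_clone = 0
"""
# Constructed stand-in for /proc/sys reads (ptrace_scope left at the default 0).
SAMPLE_LIVE = {"net.ipv4.tcp_syncookies": "1\n", "net.ipv4.tcp_rmem": "4096\t87380\t4194304\n",
               "kernel.kptr_restrict": "2\n", "kernel.yama.ptrace_scope": "0\n"}

if __name__ == "__main__":
    with open("/etc/sysctl.d/99-protect.conf") as f:
        ok, bad, missing = check_system(f.read())
    for key, (want, got) in bad.items():
        print(f"MISMATCH {key}: expected {want!r}, kernel has {got!r}")
    for key in missing:
        print(f"MISSING  {key}: not in /proc/sys (module not loaded or key unsupported)")
    print(f"{len(ok)} ok, {len(bad)} mismatched, {len(missing)} missing")
```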
auditd rules config
/etc/audit/rules.d/audit.rules
## Flush rules
-D

## Buffers
-b 8192
--backlog_wait_time 60000
-f 1

## Network audit
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept

## Logging execve commands
-a always,exit -F arch=b64 -S execve -F key=exec_log

## Audit logins and sessions
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## sudo / su
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d/ -p wa -k sudo
-w /bin/su -p x -k su_cmd

## Account and configuration changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system_conf
-w /etc/hostname -p wa -k system_conf
-w /etc/resolv.conf -p wa -k system_conf
-w /etc/issue -p wa -k system_conf
-w /etc/network/ -p wa -k system_conf

## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F key=time_change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -F key=time_change

## Audit SSH connections and changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /var/log/auth.log -p wa -k ssh_login

## Audit usage of remote tools (e.g., SSH, netcat)
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/nc -k nc_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/ssh -k ssh_process
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/nc -k nc_process

## Audit privileged access
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
## (The two sudoers watches below repeat the "sudo" watches above under a second key;
## each change is then reported twice. Keep one pair if you prefer a single key.)
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /bin/sudo -p x -k sudo_command

## Monitor credential changes
#-w /root/.ssh/ -p wa -k ssh_keys
#-w /home/*/.ssh/ -p wa -k ssh_keys

## Audit use of remote network services
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect

# Log package installation and removal via dpkg
-w /usr/bin/dpkg -p x
# apt-get lives in /usr/bin on Debian (the original listed /usr/sbin/apt-get, which does not exist there)
-w /usr/bin/apt-get -p x
-w /usr/bin/apt -p x
SSH client config
(GitHub access)
Local SSH client configuration file for the current user:
/home/user/.ssh/config

# ssh_config only accepts comments on their own lines; a comment after a value
# ("Port 443 # ...") is rejected as garbage at end of line, so the notes are placed above each option.
Host github.com
    # GitHub SSH server
    HostName ssh.github.com
    # Use port 443 to bypass firewall restrictions
    Port 443
    # Default GitHub SSH user
    User git
    # Private key for authentication
    IdentityFile ~/.ssh/id_ed25519
    # Automatically add key to ssh-agent
    AddKeysToAgent yes
