Security Engineer Cheat Sheet
System hardening, auditing, and compliance quick reference.
Quick Reference
# Security audit
sudo lynis audit system
# Check for listening ports
ss -tuln
# Recent auth failures (on journald-only hosts: journalctl _COMM=sshd | grep "Failed password")
grep "Failed password" /var/log/auth.log | tail -20
# SSL/TLS check
openssl s_client -connect example.com:443
System Hardening
SSH Hardening
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin deploy
# Protocol 2 is redundant on current OpenSSH (only protocol 2 is supported); harmless to keep
Protocol 2
Firewall (UFW)
# Enable firewall (if you are connected over SSH, add the SSH allow rule below first to avoid lockout)
sudo ufw enable
# Allow SSH
sudo ufw allow 22/tcp
# Allow web
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Status
sudo ufw status verbose
# Deny by default
sudo ufw default deny incoming
sudo ufw default allow outgoing
Kernel Hardening
# /etc/sysctl.d/99-security.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
# Apply without reboot: sudo sysctl --system
Vulnerability Scanning
Nmap
# Service detection
nmap -sV target
# Script scan
nmap -sC target
# Full scan
nmap -sV -sC -p- target
# Vulnerability scripts
nmap --script vuln target
OpenVAS/Greenbone
# Start OpenVAS
sudo gvm-start
# Scan from CLI
# A password on argv is visible in ps and shell history; omit --gmp-password to be prompted, or use a gvm-tools config file
gvm-cli socket --gmp-username admin --gmp-password pass
Log Analysis
Auth Logs
# Failed logins
grep "Failed password" /var/log/auth.log | \
awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
# Successful logins
grep "Accepted" /var/log/auth.log
# sudo usage
grep "sudo:" /var/log/auth.log
Audit Logs
# Search by key
ausearch -k privileged
# File access
ausearch -f /etc/passwd
# User activity
ausearch -ua 1000
# Generate report
aureport --summary
SSL/TLS Testing
# Check certificate
openssl s_client -connect host:443 -servername host
# Check expiry (add -servername host, as above, so SNI-hosted sites return the right certificate)
echo | openssl s_client -connect host:443 2>/dev/null | \
openssl x509 -noout -dates
# Test protocols
nmap --script ssl-enum-ciphers -p 443 host
# SSLyze
sslyze host:443
Security Tools
Fail2Ban
# Status
sudo fail2ban-client status
sudo fail2ban-client status sshd
# Ban/unban
sudo fail2ban-client set sshd banip 1.2.3.4
sudo fail2ban-client set sshd unbanip 1.2.3.4
ClamAV
# Update definitions
sudo freshclam
# Scan directory
clamscan -r /home
# Scan with report
clamscan -ri --log=/var/log/clamscan.log /home
Compliance Checks
CIS Benchmarks
# Run Lynis audit
sudo lynis audit system
# Specific test
sudo lynis audit system --tests-from-group authentication
File Integrity
# AIDE init
sudo aideinit
# Check changes
sudo aide --check
# Update database
sudo aide --update
# --update writes a new database alongside the old one; move it into place to accept the reviewed changes
Security Checklist
| Area | Check |
|---|---|
| SSH | Key-only auth, no root |
| Firewall | Default deny, minimal ports |
| Updates | Automatic security updates |
| Logging | Centralized, monitored |
| Backups | Regular, tested, encrypted |
| Accounts | Least privilege, MFA |
- security
- hardening
- compliance
- auditing
- vulnerability