HxHippy

Security Engineer Cheat Sheet

System hardening, auditing, and security compliance.

Last updated: 2025-01-15


Quick Reference

# Security audit
sudo lynis audit system

# Check for listening ports
ss -tuln

# Recent auth failures
grep "Failed password" /var/log/auth.log | tail -20

# SSL/TLS check
openssl s_client -connect example.com:443

System Hardening

SSH Hardening

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin deploy
# Only needed on legacy OpenSSH; current versions speak v2 only and warn that this option is deprecated
Protocol 2
# Validate the file before restarting sshd: sudo sshd -t

Firewall (UFW)

# Deny by default (set policy and allow SSH before enabling, or a remote session gets cut off)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH
sudo ufw allow 22/tcp

# Allow web
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

# Status
sudo ufw status verbose

Kernel Hardening

# /etc/sysctl.d/99-security.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2

Vulnerability Scanning

Nmap

# Service detection
nmap -sV target

# Script scan
nmap -sC target

# Full scan
nmap -sV -sC -p- target

# Vulnerability scripts
nmap --script vuln target

OpenVAS/Greenbone

# Start OpenVAS
sudo gvm-start

# Talk to the manager from the CLI (gvm-cli needs a GMP command, e.g. a version check)
gvm-cli socket --gmp-username admin --gmp-password pass --xml '<get_version/>'

Log Analysis

Auth Logs

# Failed logins
grep "Failed password" /var/log/auth.log | \
  awk '{print $(NF-3)}' | sort | uniq -c | sort -rn

# Successful logins
grep "Accepted" /var/log/auth.log

# sudo usage
grep "sudo:" /var/log/auth.log
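The failed-login pipeline above, wrapped as shell functions and run over a constructed auth.log sample, with a per-source threshold check like fail2ban's maxretry. This is an added example, not part of the original cheat sheet; every log line, hostname and IP in it is constructed.

```shell
#!/bin/sh
# Count failed SSH logins per source IP and flag sources over a threshold.

# Constructed sample log (not real data), written to a temp file so the
# functions take a path exactly as they would take /var/log/auth.log.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 15 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 15 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 15 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 15 10:02:00 host sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:placeholder
Jan 15 10:03:11 host sshd[1215]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
EOF

# Print "count ip" for every source with at least one failed password,
# most failures first. $(NF-3) is the IP because each line ends
# "from IP port N ssh2"; the trailing awk normalizes uniq -c's padding.
failed_by_ip() {
    grep "Failed password" "$1" | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Print only sources whose failure count reaches the threshold
# (default 3, a typical fail2ban maxretry).
over_threshold() {
    failed_by_ip "$1" | awk -v max="${2:-3}" '$1 >= max {print $2}'
}

# Exit 0 when no source is over the threshold, 1 otherwise (usable from cron).
check_bruteforce() {
    if [ -n "$(over_threshold "$1" "$2")" ]; then return 1; fi
    return 0
}
```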

Audit Logs

# Search by key
ausearch -k privileged

# File access
ausearch -f /etc/passwd

# User activity
ausearch -ua 1000

# Generate report
aureport --summary

SSL/TLS Testing

# Check certificate
openssl s_client -connect host:443 -servername host

# Check expiry (pass -servername so a name-based virtual host returns the right certificate)
echo | openssl s_client -connect host:443 -servername host 2>/dev/null | \
  openssl x509 -noout -dates

# Test protocols
nmap --script ssl-enum-ciphers -p 443 host

# SSLyze
sslyze host:443

Security Tools

Fail2Ban

# Status
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Ban/unban
sudo fail2ban-client set sshd banip 1.2.3.4
sudo fail2ban-client set sshd unbanip 1.2.3.4

ClamAV

# Update definitions
sudo freshclam

# Scan directory
clamscan -r /home

# Scan with report
clamscan -ri --log=/var/log/clamscan.log /home

Compliance Checks

CIS Benchmarks

# Run Lynis audit
sudo lynis audit system

# Specific test
sudo lynis audit system --tests-from-group authentication

File Integrity

# AIDE init
sudo aideinit

# Check changes
sudo aide --check

# Update database (writes a new database next to the old one; move it into place once reviewed)
sudo aide --update

Security Checklist

Area       Check
SSH        Key-only auth, no root
Firewall   Default deny, minimal ports
Updates    Automatic security updates
Logging    Centralized, monitored
Backups    Regular, tested, encrypted
Accounts   Least privilege, MFA