
pschecker's Introduction

PSChecker

pschecker stands for Personal Server Checker. It's a simple Python script that audits the security state of your personal server. Through it, you will know if your setup has the minimum security required to be online.

$ pip install pschecker


Contributors

  • @gelnior
  • @ldvc
  • @nicofrand
  • @Phyks
  • @ZeHiro


pschecker's Issues

Host listening displays twice some processes

Some of your servers listen to the 0.0.0.0 host: rspamd: (11333), node (9104), dovecot (4190), rspamd: (11333), mysqld (3306), dovecot (4190)

As you can see some processes are listed twice.

sudo netstat -pltn | grep 0.0.0.0 returns tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 8848/dovecot
sudo netstat -pltn | grep 0\ :::" returns tcp6 0 0 :::4190 :::* LISTEN 8848/dovecot

I am not sure whether the same info is displayed twice or if I misunderstand how the processes work… In the first case, maybe a de-duplication should be made to list each process only one time?
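The two netstat lines above are the same dovecot process bound once to the IPv4 wildcard (0.0.0.0) and once to the IPv6 wildcard (::). A check that keys its findings on (pid, program, port) instead of on the raw socket line reports each exposed service once while still recording both address families. The following is an added example, not pschecker's own code; the netstat lines it parses are constructed, and the column layout it assumes is that of `netstat -pltn` on Linux.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -pltn` output (not captured from a real host).
# dovecot and rspamd appear once on 0.0.0.0 and once on ::, which is what
# produced the duplicated entries in the issue; mysqld and node are bound to
# loopback only and must not be reported.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      8848/dovecot
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1203/mysqld
tcp        0      0 0.0.0.0:11333           0.0.0.0:*               LISTEN      2210/rspamd:
tcp6       0      0 :::4190                 :::*                    LISTEN      8848/dovecot
tcp6       0      0 :::11333                :::*                    LISTEN      2210/rspamd:
tcp6       0      0 ::1:9104                :::*                    LISTEN      3301/node
"""

# "::" is included because a dual-stack socket bound to :: also accepts IPv4
# connections unless IPV6_V6ONLY is set.
WILDCARDS = {"0.0.0.0", "::"}

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<name>\S+)"
)


def split_addr_port(local):
    """Split netstat's 'addr:port' column; IPv6 addresses contain ':' so split on the last one."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def wildcard_listeners(netstat_output):
    """Return {(pid, program, port): {address families}} for wildcard-bound listeners.

    Keying on (pid, program, port) merges the IPv4 and IPv6 sockets of one
    daemon, so each exposed service is listed once.
    """
    found = defaultdict(set)
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket that is not LISTENing
        addr, port = split_addr_port(m.group("addr"))
        if addr in WILDCARDS:
            key = (int(m.group("pid")), m.group("name"), port)
            found[key].add("ipv6" if m.group("proto") == "tcp6" else "ipv4")
    return dict(found)


def format_report(listeners):
    """One entry per service, in the style of pschecker's message, without duplicates."""
    parts = []
    for (pid, name, port), families in sorted(listeners.items(), key=lambda kv: kv[0][2]):
        parts.append(f"{name} ({port}, {'+'.join(sorted(families))})")
    return "Some of your servers listen to a wildcard host: " + ", ".join(parts)


if __name__ == "__main__":
    print(format_report(wildcard_listeners(SAMPLE_NETSTAT)))
```

On a host where netstat is not installed, `ss -pltn` carries the same information with slightly different columns; the regular expression would need to be adapted but the (pid, program, port) key stays the same.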

No root password vs no SSH login for root

Hi,

From the current code, it seems you prefer to have no root password and ssh to root using a set of keys. On the contrary, I usually have SSH enabled only for an unprivileged user and manually use su (no sudo) to escalate to root with password.

Problem of my setup is that the root account has a password which could eventually be found and used. On the other hand, the "no root password" setup has the issue that if your SSH keys get compromised, an attacker will have root access to all your servers.

Not sure if there are any clear advantages for one solution or the other?

I guess the best would still be to have systematic 2FA with TOTP on root connections, but that's not something out of the box.
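Both setups discussed above can be read directly off two files: `PermitRootLogin` and `PasswordAuthentication` in sshd_config, and root's password field in /etc/shadow. The added example below (not pschecker's code) reports which of the two postures a host is in; it assumes OpenSSH's rule that the first value read for a keyword wins and that everything after a `Match` line is conditional, and it uses constructed file contents so it runs offline. The default values it falls back on (`PermitRootLogin prohibit-password`, `PasswordAuthentication yes`) are the OpenSSH 7.0+ defaults.

```python
# Constructed sample files (not taken from a real host): sshd allows key-only
# root login and root's shadow entry is locked ("!"), i.e. the "no root
# password, keys only" posture described in the issue.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
deploy:$6$constructedsalt$notarealhash:19000:0:99999:7:::
"""


def sshd_settings(config_text):
    """Effective global value of each sshd_config keyword, keys lower-cased.

    sshd keeps the first value it reads for a keyword; lines after 'Match'
    only apply conditionally, so parsing stops there. The 'Key=value' spelling
    sshd also accepts is not handled here.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def root_password_locked(shadow_text):
    """True if root's password field starts with '!' or '*' (locked), False otherwise.

    An empty field means root has no password at all, which is not 'locked';
    None means no root entry was found.
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == "root":
            return fields[1].startswith(("!", "*"))
    return None


def assess(config_text, shadow_text):
    """Summarise the root-access posture as three booleans."""
    s = sshd_settings(config_text)
    permit = s.get("permitrootlogin", "prohibit-password").lower()
    password_auth = s.get("passwordauthentication", "yes").lower()
    locked = root_password_locked(shadow_text)
    return {
        # A compromised key gives root directly (the risk named in the issue).
        "root_reachable_over_ssh": permit != "no",
        # Worst case: root password can be guessed remotely over SSH.
        "root_ssh_password_allowed": permit == "yes" and password_auth == "yes",
        # Poster's setup: root has a password, used locally via su.
        "root_has_password": locked is False,
    }


def describe(report):
    """Render the assessment in pschecker's OK/KO style."""
    lines = []
    lines.append("Root cannot log in over SSH with a password: "
                 + ("KO" if report["root_ssh_password_allowed"] else "OK"))
    if report["root_reachable_over_ssh"] and not report["root_has_password"]:
        lines.append("* Root is reachable over SSH by key only; key compromise equals root.")
    if not report["root_reachable_over_ssh"] and report["root_has_password"]:
        lines.append("* Root is not reachable over SSH; root password is used only via su.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(assess(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW)))
```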

Domain names and SSL

Hello @ZeHiro, @nicofrand, @Phyks and @ldvc,

I added a new check that ensures that a domain name can only be accessed through SSL. Could you tell me what you think about it? It's available in the 0.2.1 version.

It requires an option to run properly:

pschecker --domains blog.mydomain.net,www.mydomain.net
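One way to express "only reachable through SSL" as a test is: a request to port 80 must either fail or answer with a redirect to `https://` on the same host, and a request to port 443 must succeed with a certificate the client accepts. The code below is an added example, not the check shipped in pschecker 0.2.1; it uses only the standard library, and the `fetch` parameter lets the same logic run against constructed responses (the `FAKE_RESPONSES` table and the example.net names are made up) so it can be tested offline. The `http_fetch` helper is the real network path, to be passed when running against your own domains.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """Return (status, Location header) for one request, or (None, None) if unreachable.

    urllib verifies server certificates by default, so an HTTPS endpoint with
    an invalid certificate also comes back as (None, None).
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx raised by the default handler
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return None, None


def check_https_only(domain, fetch=http_fetch):
    """Return (ok, problems) for one domain.

    Plain HTTP must be absent or redirect to https://<domain>; HTTPS must answer.
    """
    problems = []
    status, location = fetch(f"http://{domain}/")
    if status is not None:
        target = urlsplit(location or "")
        if not (status in REDIRECTS and target.scheme == "https" and target.hostname == domain):
            problems.append(f"{domain}: port 80 serves content over plain HTTP (status {status})")
    status, _ = fetch(f"https://{domain}/")
    if status is None:
        problems.append(f"{domain}: no valid HTTPS endpoint")
    return not problems, problems


# Constructed responses standing in for real servers, so the check runs offline.
FAKE_RESPONSES = {
    "http://blog.example.net/": (301, "https://blog.example.net/"),
    "https://blog.example.net/": (200, None),
    "http://www.example.net/": (200, None),  # served in clear, no redirect
    "https://www.example.net/": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (None, None))


if __name__ == "__main__":
    for name in ("blog.example.net", "www.example.net"):
        ok, problems = check_https_only(name, fake_fetch)
        print(name + ":", "OK" if ok else "KO", *problems)
```

Requiring the redirect target to be the same host keeps a redirect such as `http://a → https://b` from passing the check for `a`; whether that is too strict depends on how the `--domains` list is meant to be used.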

Implement check on 0.0.0.0 listening

Hi & thank you a lot for this, I am sure this is gonna prove useful!

In the readme we can read

No process listens on 0.0.0.0 host: OK

But when launching pschecker there is only 1 check (about root password). I guess this is yet to be implemented, this issue is just a friendly reminder.

Firewall detection KO

Hi,

I can see you added a check about firewalls (\o/):

A firewall should be up and running: KO
* No firewall is running.

However I do have a firewall running (and I did launch pschecker with root). I use iptables, here is an extract for example:

# iptables -L                
Chain INPUT (policy DROP)
target     prot opt source               destination         
fail2ban-yunohost  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-nginx  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
fail2ban-proftpd  tcp  --  anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xmpp-client
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xmpp-server
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6697
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mdns
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

It does not appear in ps though:

# ps -ef | grep iptables
root     30478 30474  0 12:00 pts/0    00:00:00 grep iptables

See https://www.linuxquestions.org/questions/linux-networking-3/ps-ef-%7C-grep-iptables-gives-no-result-202088/
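As the linked thread explains, iptables rules live in the kernel, so a process-list check only ever detects userland front ends such as a firewall daemon and will report "no firewall" on a host like the one above. The rules themselves are the evidence: a non-ACCEPT default policy on INPUT or FORWARD, or any rule in INPUT, means a packet filter is in effect. The following is an added example, not pschecker's code; it parses the `iptables -L` layout shown in the issue (the two rulesets embedded in it are constructed) and only the last function touches the host, where it assumes an `iptables` binary in PATH and root. On nftables-only hosts the same idea applies to `nft list ruleset`, which this example does not parse.

```python
import re
import subprocess

# Constructed excerpt in the format of `iptables -L` (not a captured ruleset),
# modelled on the INPUT chain shown in the issue.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""

# What a host with no firewall configured prints: ACCEPT everywhere, no rules.
SAMPLE_EMPTY = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains show "(policy X)"; user-defined chains show "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references?)\)")


def parse_chains(output):
    """Map chain name -> (policy or None, [rule targets]) from `iptables -L` text."""
    chains = {}
    current = None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        if current is None or not line.strip() or line.startswith("target "):
            continue  # column header or blank separator
        chains[current][1].append(line.split()[0])
    return chains


def firewall_active(output):
    """True if INPUT/FORWARD do not accept by default, or INPUT carries any rule."""
    chains = parse_chains(output)
    inp_policy, inp_rules = chains.get("INPUT", ("ACCEPT", []))
    fwd_policy, _ = chains.get("FORWARD", ("ACCEPT", []))
    return inp_policy != "ACCEPT" or fwd_policy != "ACCEPT" or bool(inp_rules)


def firewall_active_on_host():
    """Run iptables (needs root) and apply the check; False if it cannot be run."""
    try:
        out = subprocess.run(
            ["iptables", "-L", "-n"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return False
    return firewall_active(out)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_IPTABLES_L), ("empty", SAMPLE_EMPTY)):
        print(label, "A firewall should be up and running:", "OK" if firewall_active(text) else "KO")
```

`-n` is passed on the live host so that ports and addresses are not resolved to names (the issue's listing was produced without it, which is why it shows `ssh` and `anywhere`); the chain headers and the target column, which are all this check reads, are the same either way.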
