SC-Cleared Linux & Cloud Security Contract Consultant
Admin Use case: quick overlay between sites/devices. Keep membership tight, pin routes, and don’t bridge recklessly. 1) Install & join curl -s https://install.zerotier.com | sudo bash sudo zerotier-cli join <network-id> Authorise the member in the controller, assign a static managed IP. 2) Secure defaults Disable auto-bridge; don’t expose whole LANs by accident. Use managed routes to … Read more
In many cloud security reviews, Identity and Access Management (IAM) often turns out to be the weakest area. AWS provides powerful tools to control access, but its defaults are permissive and administrators often grant overly broad rights. The result is predictable: accounts with far more privilege than needed, with API keys that never expire, and … Read more
Identity and Access Management (IAM) is at the centre of every security framework I have worked with. Whether on Linux systems or in cloud platforms, controlling who can do what is fundamental. In my experience, organisations often underestimate IAM. They focus on firewalls or malware protection, while leaving access control inconsistent or poorly documented. In … Read more
Pluggable Authentication Modules (PAM): Controlling Access in Linux Pluggable Authentication Modules (PAM) form the backbone of authentication and access control on most modern Linux systems. In my work, PAM is often overlooked or misunderstood. Administrators know it exists but rarely configure it beyond the defaults. That leaves opportunities for weak passwords, mismanaged access, and non-compliance. … Read more
On almost every Linux system sudo is central to access control. It allows administrators to delegate privileges without handing out the root password. Used properly, it enforces least privilege. Used poorly, it creates a false sense of security and leaves audit gaps. This article sets out the best practices for configuring and managing sudo. The … Read more
Secure Shell (SSH) is the standard tool for remote administration of Linux systems. In practice, it is also one of the most common weaknesses I encounter when reviewing environments. Misconfigurations are frequent, and attackers actively exploit them. Hardening SSH is one of the most effective early steps in strengthening infrastructure security. 1. Why SSH Security … Read more
Short version: One interface, named peers, least-privilege routes. Keep logs, rotate keys quarterly, and block everything you don’t route. 1) Install sudo apt update && sudo apt install -y wireguard # or sudo dnf install -y wireguard-tools 2) Keys umask 077 wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub wg genkey | tee … Read more
Short version: Use SSHFS for occasional admin access, not as a core storage layer. Mount over SSH with per-user keys, prefer read-only, and avoid backup loops. 1) Install (client) # Debian/Ubuntu sudo apt update && sudo apt install -y sshfs # RHEL/Rocky/Alma sudo dnf install -y fuse-sshfs 2) One safe pattern (read-only) sudo mkdir -p … Read more