System Hardening - kevwells.com

ZeroTier: secure setup + common reachability fixes

Use case: quick overlay between sites/devices. Keep membership tight, pin routes, and don’t bridge recklessly. 1) Install & join curl -s https://install.zerotier.com | sudo bash sudo zerotier-cli join <network-id> Authorise the member in the controller, assign a static managed IP. 2) Secure defaults Disable auto-bridge; don’t expose whole LANs by accident. Use managed routes to … Read more

WireGuard remote-access baseline (keys, firewall, logging)

Short version: One interface, named peers, least-privilege routes. Keep logs, rotate keys quarterly, and block everything you don’t route. 1) Install sudo apt update && sudo apt install -y wireguard # or sudo dnf install -y wireguard-tools 2) Keys umask 077 wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub wg genkey | tee … Read more

EC2 SSH access: per-user keys and least privilege

Short version: Prefer SSM Session Manager for human access. If you must use SSH, use per-user keys, a bastion or tight source CIDRs, and a hardened sshd_config. No shared logins. No password auth. 1) Choose the access pattern Pattern When to use Notes SSM Session Manager Default for most estates No SSH ports open; IAM-controlled; … Read more

WordPress Hardening Checklist (2025)

Last updated: 19 Aug 2025 This is a practical hardening baseline for small/medium sites running WordPress on Apache. Focus: reduce attack surface, keep patching predictable, and prove restores. Adjust to your stack. 1) Accounts & Authentication Remove or rename the default admin user; unique admin usernames only. Enforce 2FA for all admins/editors (TOTP). No SMS. … Read more

Vulnerability Scanning with OpenVAS (Greenbone)

Why Vulnerability Management is Core Security Unpatched vulnerabilities are still the #1 root cause of breaches. OpenVAS provides an open-source equivalent to Nessus/Qualys for vulnerability scanning. Deployment Checklist Install Greenbone Community Edition. Run authenticated scans (SSH/WinRM creds). Integrate with patch management (Ansible playbooks). Schedule monthly full scans; weekly delta scans. Track remediation progress with reporting. … Read more

Intrusion Prevention on Linux – Beyond Firewalls

Why IPS Matters A firewall blocks what you tell it to. An Intrusion Prevention System (IPS) blocks what it learns is malicious. With modern exploits riding on “legitimate” ports like 443, IPS is critical. Practical Options Fail2ban: Lightweight, bans brute force sources based on log patterns. Suricata: Full IDS/IPS with deep packet inspection. Snort: Classic … Read more

VPNs, Bastion Hosts, and Secure Remote Access

Why Remote Access is Still the #1 Attack Vector Every penetration tester says the same: the quickest win is remote access. Misconfigured VPNs, exposed RDP, and weak SSH bastions give attackers exactly what they need. With hybrid work the default, clients can’t afford sloppy access models. VPN Best Practices Use modern protocols: OpenVPN or WireGuard; … Read more

Linux Account Hygiene – Stopping Insider Threats Before They Start

The Problem Stale accounts are goldmines for attackers. Contractors leave, interns move on, yet their SSH keys and sudo rights linger. Practical Checklist Regular Account Review awk -F: '{ print $1 " " $3 }' /etc/passwd | sort -n -k2 → identify unused accounts. Disable, Don’t Delete usermod -L accountname → preserves forensic history. SSH … Read more

Hardening sudo and PAM – Privilege Control in Linux

Why Privilege Escalation is a Risk Most attackers don’t start with root. They pivot from low-privilege accounts. Misconfigured sudo rules and weak PAM policies are a direct highway to compromise. Checklist for sudo Hardening Least Privilege %db_admins ALL=(ALL) /usr/bin/mysql → restrict to exact commands, not ALL. No sudo without password Audit /etc/sudoers for NOPASSWD: entries. … Read more

Why Unpatched Systems Still Cause Breaches

The Reality of Patch Neglect Every breach report tells the same story: attackers don’t need zero-days when organisations leave critical patches unapplied. In 2025, ransomware groups exploit vulnerabilities within 72 hours of disclosure. Yet enterprises still average 60+ days to patch. Common Excuses vs Reality “Patching breaks production.” → True if done ad hoc. Mitigated … Read more

Linux Firewalling – Moving from iptables to nftables

Why Firewalls Still Matter Despite cloud hype, perimeter and host firewalls remain the frontline of security. Every year, unfiltered services (SSH, RDP, databases) are scanned within minutes of going online. The problem: many environments still rely on iptables, even though it is now legacy. nftables is the modern replacement, offering unified configuration, better performance, and … Read more