Metasploit Setup and Use – A Practical Guide for Penetration Testing and Hardening

This guide shows how to set up Metasploit, run safe penetration tests, and convert the findings into concrete hardening actions. Legal reminder – only test systems you own or have explicit written permission to assess. Keep tests in scope, documented, and reversible.
1. What Metasploit is – and why defenders use it
Metasploit is …

Top 10 Basic Security Measures for an Internet-Facing Linux Web Server

This is the minimum bar. Expect scans within minutes of going live. Do these first or expect trouble. Scope – Linux hosts that serve web content publicly. Focus is quick wins that reduce real risk fast.
1) Patch immediately and automate updates (must do)
Unpatched packages are the easiest path in. Patch before exposing …

Metasploit – How an Offensive Framework Protects Your Systems

Metasploit is widely known as a hacking framework. That label is accurate but incomplete. In capable hands, the same tool becomes a disciplined method to protect systems. This article explains how security teams use Metasploit to turn speculative risk into measurable evidence, prioritize fixes, validate patches, and raise the cost of attack across Linux servers …

The Top 10 Most Common Cyber Threats (And How to Recognise Them)

In today’s digital world, cyber threats are more common – and more dangerous – than ever. Whether you’re a small business owner, IT professional, or simply someone who uses the internet every day, understanding the most common cyber threats is the first step toward protecting yourself and your data. Cybercriminals don’t just target corporations. They …

nftables baseline: default-deny, service sets, logged drops

Design: one inet table, stateful allows, explicit service sets, rate-limited logging of drops. Simple to reason about.
1) Ruleset
# /etc/nftables.conf
table inet filter {
  # nft syntax declares each set and chain by name; there is no "sets { }" or "chains { }" wrapper block
  set admin_srcs { type ipv4_addr; flags interval; elements = { 203.0.113.0/24 } }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related …

Minimal secure Apache vhost (TLS, headers, logs)

Goal: a single, sane vhost. TLS 1.2/1.3, basic security headers, OCSP stapling, HSTS (opt-in), tight logs, and no server leaks.
1) Modules & hardening
sudo a2enmod ssl headers rewrite socache_shmcb
# Hide version (printf, not echo: bash's builtin echo does not expand \n, which would leave both directives on one invalid line)
printf 'ServerTokens Prod\nServerSignature Off\n' | sudo tee /etc/apache2/conf-available/hideversion.conf
sudo a2enconf hideversion
2) Vhost
<VirtualHost *:443>
  ServerName example.com
  DocumentRoot /var/www/html
  SSLEngine on
  SSLProtocol …

NFSv4 hardening: exports, root_squash, firewall, Kerberos

Short version: Use NFSv4, export to specific hosts/IPs, keep root_squash on, and prefer Kerberos (sec=krb5p) for real environments.
1) Server basics
sudo apt install -y nfs-kernel-server
# assumes a "share" group already exists (groupadd share)
sudo mkdir -p /srv/share; sudo chown root:share /srv/share; sudo chmod 0750 /srv/share
2) /etc/exports (restrictive)
/srv/share 10.0.20.0/24(rw,sync,root_squash,no_subtree_check)
Reload: sudo exportfs -ra
3) Kerberos (preferred)
If you have a KDC, …

ZeroTier: secure setup + common reachability fixes

Use case: quick overlay between sites/devices. Keep membership tight, pin routes, and don’t bridge recklessly.
1) Install & join
# piping a remote script into a root shell is a supply-chain risk: download and inspect it first, or use the vendor's GPG-verified install variant
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join <network-id>
Authorise the member in the controller, assign a static managed IP.
2) Secure defaults
Disable auto-bridge; don’t expose whole LANs by accident. Use managed routes to …

WireGuard remote-access baseline (keys, firewall, logging)

Short version: One interface, named peers, least-privilege routes. Keep logs, rotate keys quarterly, and block everything you don’t route.
1) Install
sudo apt update && sudo apt install -y wireguard
# or
sudo dnf install -y wireguard-tools
2) Keys
# run as root in one shell so the umask applies to the files tee creates
umask 077
wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub
wg genkey | tee …

EC2 SSH access: per-user keys and least privilege

Short version: Prefer SSM Session Manager for human access. If you must use SSH, use per-user keys, a bastion or tight source CIDRs, and a hardened sshd_config. No shared logins. No password auth.
1) Choose the access pattern
Pattern | When to use | Notes
SSM Session Manager | Default for most estates | No SSH ports open; IAM-controlled; …
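One detail that bites when hardening sshd_config: sshd uses the first value it sees for each keyword, so a permissive line near the top silently wins over a hardened line appended later. The script below is an added example, not part of the original article: it computes the effective value of each key from a constructed sshd_config (the config text, the REQUIRED list and the function names are assumptions for the example) and reports every hardening requirement that is not met. It ignores Match blocks.

```shell
#!/usr/bin/env bash
# Added example: check the *effective* values of sshd_config hardening keys.
# sshd honours the first occurrence of a keyword, so a permissive setting near
# the top overrides a hardened one appended later. The config below is
# constructed for this example and deliberately contains such a shadowed key.
# Assumes "Keyword value" form (whitespace separated) and no Match blocks.

SSHD_CONFIG_SAMPLE='# constructed sshd_config (example data, not a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# hardening appended by a later runbook -- ignored by sshd for PermitRootLogin
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups ssh-users'

# Required key=value pairs (keys compared case-insensitively; assumed baseline).
REQUIRED='permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes x11forwarding=no kbdinteractiveauthentication=no'

# sshd_effective <key> <config_text> -> effective value, or "" if the key is unset
sshd_effective() {
  printf '%s\n' "$2" | awk -v key="$1" '
    /^[[:space:]]*#/ { next }                         # comments
    /^[[:space:]]*$/ { next }                         # blank lines
    tolower($1) == tolower(key) { print $2; exit }    # first occurrence wins
  '
}

# sshd_audit <config_text> -> one line per unmet requirement: "<key> got=<value|unset> want=<value>"
sshd_audit() {
  local kv key want got
  for kv in $REQUIRED; do
    key="${kv%%=*}"; want="${kv#*=}"
    got="$(sshd_effective "$key" "$1")"
    [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ] \
      || echo "$key got=${got:-unset} want=$want"
  done
}

sshd_audit "$SSHD_CONFIG_SAMPLE"
```

On a live host, `sshd -T` prints the configuration sshd will actually apply and is the authoritative check; the function above shows why a plain grep for `PermitRootLogin no` is not enough.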

WordPress Hardening Checklist (2025)

Last updated: 19 Aug 2025
This is a practical hardening baseline for small/medium sites running WordPress on Apache. Focus: reduce attack surface, keep patching predictable, and prove restores. Adjust to your stack.
1) Accounts & Authentication
Remove or rename the default admin user; unique admin usernames only.
Enforce 2FA for all admins/editors (TOTP). No SMS. …

Vulnerability Scanning with OpenVAS (Greenbone)

Why Vulnerability Management is Core Security
Unpatched vulnerabilities remain one of the most common root causes of breaches. OpenVAS (the scanner inside Greenbone Community Edition) provides an open-source alternative to Nessus/Qualys for vulnerability scanning.
Deployment Checklist
Install Greenbone Community Edition.
Run authenticated scans (SSH/WinRM creds).
Integrate with patch management (Ansible playbooks).
Schedule monthly full scans; weekly delta scans.
Track remediation progress with reporting. …

Intrusion Prevention on Linux – Beyond Firewalls

Why IPS Matters
A firewall blocks what you tell it to. An Intrusion Prevention System (IPS) blocks traffic that matches known-malicious patterns (signatures, protocol anomalies, or repeated failures) regardless of port. With modern exploits riding on “legitimate” ports like 443, IPS is critical; note that on TLS ports a network IPS sees only metadata unless traffic is decrypted before inspection.
Practical Options
Fail2ban: Lightweight, bans brute-force sources based on log patterns.
Suricata: Full IDS/IPS with deep packet inspection.
Snort: Classic …
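To make "bans brute-force sources based on log patterns" concrete, here is the core of a fail2ban-style sshd jail written out as an added example (not code from the article or from fail2ban): it counts "Failed password" events per source IP inside a sliding window of findtime seconds and reports sources that reach maxretry, which is exactly the decision fail2ban makes before calling its ban action. The log lines are constructed for the example, and the function name and argument order are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the detection logic behind a fail2ban sshd jail, written out so
# the rule is visible. Counts "Failed password" events per source IP inside a
# sliding window and reports sources that reach maxretry. The log lines are
# constructed for the example, not real logs.

AUTH_LOG_SAMPLE='Sep 10 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 10 10:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 10 10:00:05 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Sep 10 10:00:09 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51031 ssh2
Sep 10 10:00:12 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51033 ssh2
Sep 10 10:00:30 web1 sshd[2110]: Accepted publickey for alice from 198.51.100.5 port 40010 ssh2
Sep 10 10:01:00 web1 sshd[2111]: Failed password for alice from 198.51.100.5 port 40012 ssh2
Sep 10 10:40:00 web1 sshd[2200]: Failed password for alice from 198.51.100.5 port 40015 ssh2
Sep 10 11:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.5 port 40018 ssh2'

# ban_candidates <maxretry> <findtime_seconds> <log_text>
# Prints "<ip> <count>" for each source that reaches maxretry failures within findtime.
ban_candidates() {
  printf '%s\n' "$3" | awk -v maxretry="$1" -v findtime="$2" '
    # syslog HH:MM:SS -> seconds. Same-day logs are assumed here; production
    # code must parse the full date.
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
      ts = secs($3)
      n[ip]++; times[ip, n[ip]] = ts
      # Expire hits that fell out of the window, oldest first.
      while (head[ip] < n[ip] && times[ip, head[ip]+1] < ts - findtime) head[ip]++
      live = n[ip] - head[ip]
      if (live >= maxretry && !(ip in banned)) { banned[ip] = live; order[++k] = ip }
    }
    END { for (i = 1; i <= k; i++) print order[i], banned[order[i]] }
  '
}

# Typical jail values: maxretry 5 within findtime 600 seconds.
ban_candidates 5 600 "$AUTH_LOG_SAMPLE"
```

With maxretry 5 and findtime 600 only 203.0.113.7 is reported; 198.51.100.5 fails three times but spread over 80 minutes, so a short window never accumulates enough hits. Loosening the window to two hours with maxretry 3 catches it too, which is the trade-off behind tuning findtime: slow-and-low attackers versus false positives on forgetful users.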

VPNs, Bastion Hosts, and Secure Remote Access

Why Remote Access is Still a Top Attack Vector
Every penetration tester says the same: the quickest win is remote access. Misconfigured VPNs, exposed RDP, and weak SSH bastions give attackers exactly what they need. With hybrid work the default, clients can’t afford sloppy access models.
VPN Best Practices
Use modern protocols: OpenVPN or WireGuard; …

Linux Account Hygiene – Stopping Insider Threats Before They Start

The Problem
Stale accounts are goldmines for attackers. Contractors leave, interns move on, yet their SSH keys and sudo rights linger.
Practical Checklist
Regular Account Review
awk -F: '{ print $1 " " $3 }' /etc/passwd | sort -n -k2 → lists every account with its UID; cross-check against lastlog to find the ones with no recent login.
Disable, Don't Delete
usermod -L accountname → locks the password while preserving the UID, home directory and logs for forensics. Locking the password alone does not stop SSH public-key logins, so also expire the account (chage -E 0 accountname) or set its shell to /usr/sbin/nologin.
SSH …
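The review step above is easy to automate once you join the account list with last-login data. This added example (not code from the article) does that over constructed inputs: a passwd-style listing and a "user days-since-login" table, which on a real host you would derive from /etc/passwd and lastlog. The UID cutoff of 1000, the shell filter and the function name are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example: flag interactive accounts (UID >= 1000, login shell) whose last
# login is older than a threshold or that have never logged in. Inputs are
# constructed inline so this runs offline; in production feed it /etc/passwd and
# a "user days" table derived from lastlog.

# Constructed /etc/passwd sample (not real accounts).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (contractor):/home/bob:/bin/bash
svc-backup:x:1002:1002:backup svc:/srv/backup:/usr/sbin/nologin
carol:x:1003:1003:Carol:/home/carol:/bin/zsh'

# Constructed last-login data: "user days-since-last-login". Users missing
# from this table are treated as never logged in.
LASTLOG_SAMPLE='alice 3
bob 140'

# stale_accounts <days_threshold> <passwd_text> <lastlog_text>
# Prints one line per stale interactive account: "<user> <uid> <days|never>".
stale_accounts() {
  # Feed both inputs through one awk run, separated by a marker line.
  printf '%s\n---\n%s\n' "$3" "$2" | awk -F: -v thr="$1" '
    /^---$/ { section = 2; next }
    section != 2 {                        # lastlog section: "user days"
      split($0, f, " "); days[f[1]] = f[2]; next
    }
    $3 < 1000 { next }                    # system accounts (UID_MIN assumed 1000)
    $7 ~ /(nologin|false)$/ { next }      # no interactive shell, cannot log in
    {
      d = ($1 in days) ? days[$1] : -1
      if (d < 0 || d > thr) print $1, $3, (d < 0 ? "never" : d)
    }
  '
}

# Anything unused for more than 90 days, or never used, needs an owner or a lock.
stale_accounts 90 "$PASSWD_SAMPLE" "$LASTLOG_SAMPLE"
```

The output is the review list: bob (a contractor, 140 days idle) and carol (never logged in) should be locked with the expire-plus-nologin combination described above; svc-backup is skipped because it already has no login shell, and alice is active.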

Hardening sudo and PAM – Privilege Control in Linux

Why Privilege Escalation is a Risk
Most attackers don’t start with root. They pivot from low-privilege accounts. Misconfigured sudo rules and weak PAM policies are a direct highway to compromise.
Checklist for sudo Hardening
Least Privilege
%db_admins ALL=(ALL) /usr/bin/mysql → restrict to exact commands, not ALL. Check that the permitted command cannot spawn a shell: the mysql client’s system (\!) command does, so this rule still yields root; wrap such tools or add the NOEXEC tag.
No sudo without password
Audit /etc/sudoers and /etc/sudoers.d/ for NOPASSWD: entries. …
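The two audit points above (command grants of ALL, NOPASSWD entries) plus the shell-escape caveat can be checked mechanically. This added example (not code from the article) runs that audit over a constructed sudoers snippet and prints one finding per rule; the sample rules, the list of shell-escape binaries and the severity labels are assumptions for the example. Rule lines are assumed to use the common `user HOST=(runas) commands` form without line continuations or aliases.

```shell
#!/usr/bin/env bash
# Added example: audit sudoers-style rules for the patterns the checklist warns
# about: unrestricted "ALL" command grants, NOPASSWD, and commands that trivially
# drop to a root shell. Input is a constructed snippet so it runs offline; in
# production feed it the files visudo -c validates, or `sudo -l -U user` output.

# Constructed sudoers content (not from any real host).
SUDOERS_SAMPLE='Defaults env_reset
root ALL=(ALL:ALL) ALL
%db_admins ALL=(root) /usr/bin/mysql
%wheel ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ops ALL=(root) /usr/bin/vim /etc/hosts'

# Binaries that give an interactive shell when run as root (illustrative list).
SHELL_ESCAPES='vim vi less more man mysql python3 perl awk find'

# audit_sudoers <sudoers_text> -> one finding per line: "<severity> <user> <reason>"
audit_sudoers() {
  printf '%s\n' "$1" | awk -v esc="$SHELL_ESCAPES" '
    BEGIN { n = split(esc, e, " "); for (i = 1; i <= n; i++) escape[e[i]] = 1 }
    /^[[:space:]]*#/        { next }      # comments
    /^[[:space:]]*Defaults/ { next }      # option lines, not grants
    /^[[:space:]]*$/        { next }      # blanks
    $1 == "root"            { next }      # root may run anything by definition
    {
      user = $1
      cmds = $0; sub(/^.*\)[[:space:]]*/, "", cmds)   # text after the (runas) spec
      if (cmds ~ /NOPASSWD:/) {
        print "HIGH", user, "NOPASSWD grant"
        sub(/NOPASSWD:[[:space:]]*/, "", cmds)
      }
      if (cmds == "ALL") { print "HIGH", user, "unrestricted command ALL"; next }
      m = split(cmds, parts, "[[:space:]]*,[[:space:]]*")
      for (i = 1; i <= m; i++) {
        bin = parts[i]
        sub(/[[:space:]].*$/, "", bin)   # drop arguments
        sub(/^.*\//, "", bin)            # basename
        if (bin in escape) print "MEDIUM", user, "shell-escape capable: " bin
      }
    }
  '
}

audit_sudoers "$SUDOERS_SAMPLE"
```

Only `backup`'s rsync grant survives the audit without a finding about the command itself (it is still flagged for NOPASSWD); the point of the output is that `%db_admins` with a single, exact binary still appears, because restricting the command is only least privilege if the command cannot escape.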

Why Unpatched Systems Still Cause Breaches  

The Reality of Patch Neglect
Every breach report tells the same story: attackers don’t need zero-days when organisations leave critical patches unapplied. In 2025, ransomware groups commonly exploit newly disclosed vulnerabilities within 72 hours, yet many enterprises still take 60 days or more to patch.
Common Excuses vs Reality
“Patching breaks production.” → True if done ad hoc. Mitigated …

Linux Firewalling – Moving from iptables to nftables

Why Firewalls Still Matter
Despite cloud hype, perimeter and host firewalls remain the frontline of security. Every year, unfiltered services (SSH, RDP, databases) are scanned within minutes of going online. The problem: many environments still rely on iptables, even though it is now legacy (on current distributions the iptables command is usually a compatibility layer over the nftables kernel interface). nftables is the modern replacement, offering unified configuration, better performance, and …