Security Cheat Sheet

Cheet says: Stay safe out there!

Quick Security Scan

curl i1.is/scan | sh

Server Hardening

1. Firewall (UFW)

Install

sudo apt install ufw      # Debian/Ubuntu
sudo pacman -S ufw        # Arch

Basic setup

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp     # SSH (change port if needed)
sudo ufw enable

Check status

sudo ufw status verbose

2. Fail2ban (Block Attackers)

Install

sudo apt install fail2ban     # Debian/Ubuntu
sudo pacman -S fail2ban       # Arch

Configure SSH jail

sudo tee /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 24h
EOF
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd

3. SSH Hardening

Edit `/etc/ssh/sshd_config`:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers yourusername
# Change from default 22
Port 2222

Then: `sudo systemctl restart sshd`

Before restarting: make sure your public key is already in `~/.ssh/authorized_keys` (password login is about to be disabled), and if you changed the port, allow it in UFW (`sudo ufw allow 2222/tcp`) and set the same `port` in the fail2ban jail. Keep your current session open and confirm a fresh login works before closing it.

Supply Chain Security

npm Best Practices


Use lockfiles

npm ci # Instead of npm install

Audit dependencies

npm audit

Check for known vulnerabilities

npx better-npm-audit audit

Pin versions in package.json

"dependencies": {
  "express": "4.18.2"
}

Use the exact version (`4.18.2`), not a range like `^4.18.2`. JSON does not allow comments, so keep notes like this out of package.json itself.

GitHub Actions Security


Pin actions to specific SHA, not tags

- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

Limit permissions

permissions:
  contents: read

Don't echo secrets

- run: echo "Never do this: ${{ secrets.API_KEY }}" # BAD!
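A check for the pinning rule above, added here as an example (not part of the original cheat sheet): it scans a workflow file for `uses:` references whose ref is not a full 40-hex-character commit SHA. The sample workflow it runs against is constructed for the demo; the action names in it other than `actions/checkout` are placeholders.

```sh
# Report `uses:` references not pinned to a full 40-hex-char commit SHA. Tags and
# branches (@v4, @main) are mutable; local (./) and docker:// actions are skipped.

# Print every `uses:` value in a workflow, one per line, quotes/comments stripped.
extract_uses() {
    awk -v q="'" '
        /^[[:space:]]*-?[[:space:]]*uses:/ {
            sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "")
            sub(/[[:space:]]*#.*$/, "")
            gsub(/"/, ""); gsub(q, "")
            print
        }' "$1"
}

# Print the references whose part after the last '@' is not a 40-hex-digit SHA.
unpinned_actions() {
    extract_uses "$1" | while IFS= read -r ref; do
        case "$ref" in ./*|docker://*) continue ;; esac
        sha="${ref##*@}"   # whole ref if there is no '@' at all
        case "$sha" in
            *[!0-9a-f]*) printf '%s\n' "$ref"; continue ;;
        esac
        [ "${#sha}" -eq 40 ] || printf '%s\n' "$ref"
    done
}

# Number of unpinned references; 0 means every action is SHA-pinned.
count_unpinned() {
    unpinned_actions "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow (not a real project's file) used for the demo run.
SAMPLE_WORKFLOW=$(mktemp)
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: ci
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: actions/setup-node@v4
      - uses: "some-org/some-action@main"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
EOF
unpinned_actions "$SAMPLE_WORKFLOW"   # prints the two tag/branch-pinned refs
```

Run it over `.github/workflows/*.yml` and treat a non-zero `count_unpinned` as a CI failure.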

Quick Checks

Am I compromised?

Check for suspicious processes

ps aux | grep -E 'miner|crypto|xmr'

Check listening ports

ss -tulpn

Check cron jobs

crontab -l
sudo crontab -l

Check SSH authorized keys

cat ~/.ssh/authorized_keys

Useful Security Tools


Install via i1.is

curl i1.is/tools/scan | sh

Other tools

sudo apt install lynis rkhunter chkrootkit

Learn More

- OWASP: https://owasp.org
- CIS Benchmarks: https://cisecurity.org
- i1.is Security: https://i1.is/security