[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-/blog/tutorial/hardening-servidores-linux":3,"prev-/blog/tutorial/hardening-servidores-linux":2084,"next-/blog/tutorial/hardening-servidores-linux":2087,"related-/blog/tutorial/hardening-servidores-linux":2090},{"id":4,"title":5,"author":6,"authorUrl":7,"body":8,"category":2050,"cta":2051,"date":2054,"dateModified":2054,"description":2055,"draft":2056,"extension":2057,"faq":2058,"featured":319,"image":2071,"imageAlt":2072,"meta":2073,"navigation":319,"path":2074,"readingTime":377,"seo":2075,"stem":2076,"tags":2077,"__hash__":2083},"blog/blog/tutorial/hardening-servidores-linux.md","Linux server hardening: 15 essential steps","Syswork México","/nosotros",{"type":9,"value":10,"toc":2030},"minimark",[11,15,24,29,42,45,49,52,106,110,113,145,148,161,164,172,175,179,187,269,273,280,295,298,450,464,467,485,489,492,510,513,604,624,627,644,648,651,671,674,750,752,756,867,871,874,892,898,933,937,940,1001,1004,1010,1013,1017,1020,1054,1057,1169,1173,1179,1389,1391,1395,1398,1428,1432,1435,1485,1488,1506,1510,1513,1561,1565,1568,1598,1601,1648,1652,1655,1973,1977,1980,2017,2026],[12,13,14],"p",{},"A server running its default configuration is a vulnerable server. Defaults are designed for compatibility and ease of use, not for security. SSH with root login enabled, unnecessary services running, the firewall disabled, no limit on login attempts: each one is an open door for an attacker.",[12,16,17,18,23],{},"This guide walks you through the 15 essential hardening steps we apply to every server we deploy for our clients. 
This is not an academic list: these are the configurations that block the most common attack vectors we see in ",[19,20,22],"a",{"href":21},"/servicios/ciberseguridad","cybersecurity"," audits at Mexican companies.",[25,26,28],"h2",{"id":27},"antes-de-empezar","Before you begin",[30,31,34],"alert",{"title":32,"type":33},"Make these changes in a test environment first","warning",[12,35,36,37,41],{},"Applying hardening to a production server without testing can lock you out of the server or break applications. Test each step in a ",[19,38,40],{"href":39},"/tecnologias/proxmox","Proxmox"," VM or on a staging server before applying it in production.",[12,43,44],{},"All commands assume Ubuntu 24.04 LTS. Most also apply to Debian 12.",[25,46,48],{"id":47},"_1-actualizar-el-sistema","1. Update the system",[12,50,51],{},"The most basic step and the most often forgotten. Security updates patch known vulnerabilities:",[53,54,59],"pre",{"className":55,"code":56,"language":57,"meta":58,"style":58},"language-bash shiki shiki-themes material-theme-lighter github-light github-dark","sudo apt update && sudo apt upgrade -y\nsudo apt autoremove -y\n","bash","",[60,61,62,94],"code",{"__ignoreMap":58},[63,64,67,71,75,78,82,85,87,90],"span",{"class":65,"line":66},"line",1,[63,68,70],{"class":69},"sbgvK","sudo",[63,72,74],{"class":73},"s_sjI"," apt",[63,76,77],{"class":73}," update",[63,79,81],{"class":80},"sP7_E"," &&",[63,83,84],{"class":69}," sudo",[63,86,74],{"class":73},[63,88,89],{"class":73}," upgrade",[63,91,93],{"class":92},"stzsN"," -y\n",[63,95,97,99,101,104],{"class":65,"line":96},2,[63,98,70],{"class":69},[63,100,74],{"class":73},[63,102,103],{"class":73}," autoremove",[63,105,93],{"class":92},[25,107,109],{"id":108},"_2-configurar-actualizaciones-automáticas-de-seguridad","2. Configure automatic security updates",[12,111,112],{},"Manual updates depend on someone remembering. 
Automatic ones do not:",[53,114,116],{"className":55,"code":115,"language":57,"meta":58,"style":58},"sudo apt install unattended-upgrades -y\nsudo dpkg-reconfigure -plow unattended-upgrades\n",[60,117,118,132],{"__ignoreMap":58},[63,119,120,122,124,127,130],{"class":65,"line":66},[63,121,70],{"class":69},[63,123,74],{"class":73},[63,125,126],{"class":73}," install",[63,128,129],{"class":73}," unattended-upgrades",[63,131,93],{"class":92},[63,133,134,136,139,142],{"class":65,"line":96},[63,135,70],{"class":69},[63,137,138],{"class":73}," dpkg-reconfigure",[63,140,141],{"class":92}," -plow",[63,143,144],{"class":73}," unattended-upgrades\n",[12,146,147],{},"Verify that it is active:",[53,149,151],{"className":55,"code":150,"language":57,"meta":58,"style":58},"cat /etc/apt/apt.conf.d/20auto-upgrades\n",[60,152,153],{"__ignoreMap":58},[63,154,155,158],{"class":65,"line":66},[63,156,157],{"class":69},"cat",[63,159,160],{"class":73}," /etc/apt/apt.conf.d/20auto-upgrades\n",[12,162,163],{},"It should contain:",[53,165,170],{"className":166,"code":168,"language":169},[167],"language-text","APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n","text",[60,171,168],{"__ignoreMap":58},[173,174],"ad-banner",{},[25,176,178],{"id":177},"_3-configurar-firewall-con-ufw","3. Configure the firewall with UFW",[12,180,181,182,186],{},"If you have not done so yet, follow our ",[19,183,185],{"href":184},"/blog/configurar-firewall-ufw-linux","UFW guide",". 
The quick summary:",[53,188,190],{"className":55,"code":189,"language":57,"meta":58,"style":58},"sudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw limit ssh\nsudo ufw allow 80/tcp\nsudo ufw allow 443/tcp\nsudo ufw enable\n",[60,191,192,208,222,235,247,259],{"__ignoreMap":58},[63,193,194,196,199,202,205],{"class":65,"line":66},[63,195,70],{"class":69},[63,197,198],{"class":73}," ufw",[63,200,201],{"class":73}," default",[63,203,204],{"class":73}," deny",[63,206,207],{"class":73}," incoming\n",[63,209,210,212,214,216,219],{"class":65,"line":96},[63,211,70],{"class":69},[63,213,198],{"class":73},[63,215,201],{"class":73},[63,217,218],{"class":73}," allow",[63,220,221],{"class":73}," outgoing\n",[63,223,225,227,229,232],{"class":65,"line":224},3,[63,226,70],{"class":69},[63,228,198],{"class":73},[63,230,231],{"class":73}," limit",[63,233,234],{"class":73}," ssh\n",[63,236,238,240,242,244],{"class":65,"line":237},4,[63,239,70],{"class":69},[63,241,198],{"class":73},[63,243,218],{"class":73},[63,245,246],{"class":73}," 80/tcp\n",[63,248,250,252,254,256],{"class":65,"line":249},5,[63,251,70],{"class":69},[63,253,198],{"class":73},[63,255,218],{"class":73},[63,257,258],{"class":73}," 443/tcp\n",[63,260,262,264,266],{"class":65,"line":261},6,[63,263,70],{"class":69},[63,265,198],{"class":73},[63,267,268],{"class":73}," enable\n",[25,270,272],{"id":271},"_4-endurecer-ssh","4. Harden SSH",[12,274,275,276,279],{},"SSH is the #1 attack vector on Linux servers. 
Edit ",[60,277,278],{},"/etc/ssh/sshd_config",":",[53,281,283],{"className":55,"code":282,"language":57,"meta":58,"style":58},"sudo nano /etc/ssh/sshd_config\n",[60,284,285],{"__ignoreMap":58},[63,286,287,289,292],{"class":65,"line":66},[63,288,70],{"class":69},[63,290,291],{"class":73}," nano",[63,293,294],{"class":73}," /etc/ssh/sshd_config\n",[12,296,297],{},"Apply these changes:",[53,299,303],{"className":300,"code":301,"language":302,"meta":58,"style":58},"language-ini shiki shiki-themes material-theme-lighter github-light github-dark","# Disable root login over SSH\nPermitRootLogin no\n\n# Key-based authentication only (disable passwords)\nPasswordAuthentication no\nPubkeyAuthentication yes\n\n# Disable keyboard-interactive authentication\nKbdInteractiveAuthentication no\n\n# Change the port (cuts 99% of bot noise); allow 2222/tcp in UFW before restarting SSH\nPort 2222\n\n# Limit authentication attempts\nMaxAuthTries 3\nMaxSessions 3\n\n# Timeout for idle connections\nClientAliveInterval 300\nClientAliveCountMax 2\n\n# Disable X11 forwarding (you do not need a GUI on a server)\nX11Forwarding no\n\n# Allow only specific users\nAllowUsers tuusuario admin\n","ini",[60,304,305,310,315,321,326,331,336,341,347,353,358,364,370,375,381,387,393,398,404,410,416,421,427,433,438,444],{"__ignoreMap":58},[63,306,307],{"class":65,"line":66},[63,308,309],{},"# Disable root login over SSH\n",[63,311,312],{"class":65,"line":96},[63,313,314],{},"PermitRootLogin no\n",[63,316,317],{"class":65,"line":224},[63,318,320],{"emptyLinePlaceholder":319},true,"\n",[63,322,323],{"class":65,"line":237},[63,324,325],{},"# Key-based authentication only (disable passwords)\n",[63,327,328],{"class":65,"line":249},[63,329,330],{},"PasswordAuthentication no\n",[63,332,333],{"class":65,"line":261},[63,334,335],{},"PubkeyAuthentication yes\n",[63,337,339],{"class":65,"line":338},7,[63,340,320],{"emptyLinePlaceholder":319},[63,342,344],{"class":65,"line":343},8,[63,345,346],{},"# 
Disable keyboard-interactive authentication\n",[63,348,350],{"class":65,"line":349},9,[63,351,352],{},"KbdInteractiveAuthentication no\n",[63,354,356],{"class":65,"line":355},10,[63,357,320],{"emptyLinePlaceholder":319},[63,359,361],{"class":65,"line":360},11,[63,362,363],{},"# Change the port (cuts 99% of bot noise); allow 2222/tcp in UFW before restarting SSH\n",[63,365,367],{"class":65,"line":366},12,[63,368,369],{},"Port 2222\n",[63,371,373],{"class":65,"line":372},13,[63,374,320],{"emptyLinePlaceholder":319},[63,376,378],{"class":65,"line":377},14,[63,379,380],{},"# Limit authentication attempts\n",[63,382,384],{"class":65,"line":383},15,[63,385,386],{},"MaxAuthTries 3\n",[63,388,390],{"class":65,"line":389},16,[63,391,392],{},"MaxSessions 3\n",[63,394,396],{"class":65,"line":395},17,[63,397,320],{"emptyLinePlaceholder":319},[63,399,401],{"class":65,"line":400},18,[63,402,403],{},"# Timeout for idle connections\n",[63,405,407],{"class":65,"line":406},19,[63,408,409],{},"ClientAliveInterval 300\n",[63,411,413],{"class":65,"line":412},20,[63,414,415],{},"ClientAliveCountMax 2\n",[63,417,419],{"class":65,"line":418},21,[63,420,320],{"emptyLinePlaceholder":319},[63,422,424],{"class":65,"line":423},22,[63,425,426],{},"# Disable X11 forwarding (you do not need a GUI on a server)\n",[63,428,430],{"class":65,"line":429},23,[63,431,432],{},"X11Forwarding no\n",[63,434,436],{"class":65,"line":435},24,[63,437,320],{"emptyLinePlaceholder":319},[63,439,441],{"class":65,"line":440},25,[63,442,443],{},"# Allow only specific users\n",[63,445,447],{"class":65,"line":446},26,[63,448,449],{},"AllowUsers tuusuario admin\n",[30,451,453],{"title":452,"type":33},"Before disabling passwords",[12,454,455,456,459,460,463],{},"Make sure you have copied your SSH public key to the server with ",[60,457,458],{},"ssh-copy-id"," and that you can connect without a password. 
If you disable ",[60,461,462],{},"PasswordAuthentication"," without a key configured, you are locked out permanently.",[12,465,466],{},"Restart SSH:",[53,468,470],{"className":55,"code":469,"language":57,"meta":58,"style":58},"sudo systemctl restart sshd\n",[60,471,472],{"__ignoreMap":58},[63,473,474,476,479,482],{"class":65,"line":66},[63,475,70],{"class":69},[63,477,478],{"class":73}," systemctl",[63,480,481],{"class":73}," restart",[63,483,484],{"class":73}," sshd\n",[25,486,488],{"id":487},"_5-instalar-fail2ban","5. Install fail2ban",[12,490,491],{},"fail2ban monitors the SSH logs and automatically blocks IPs that attempt brute-force logins:",[53,493,495],{"className":55,"code":494,"language":57,"meta":58,"style":58},"sudo apt install fail2ban -y\n",[60,496,497],{"__ignoreMap":58},[63,498,499,501,503,505,508],{"class":65,"line":66},[63,500,70],{"class":69},[63,502,74],{"class":73},[63,504,126],{"class":73},[63,506,507],{"class":73}," fail2ban",[63,509,93],{"class":92},[12,511,512],{},"Create the local configuration:",[53,514,516],{"className":55,"code":515,"language":57,"meta":58,"style":58},"sudo tee /etc/fail2ban/jail.local > /dev/null \u003C\u003CEOF\n[DEFAULT]\nbantime = 3600\nfindtime = 600\nmaxretry = 3\nbanaction = ufw\n\n[sshd]\nenabled = true\nport = 2222\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 3\nEOF\n",[60,517,518,542,547,552,557,562,567,571,576,581,586,591,596,600],{"__ignoreMap":58},[63,519,520,522,525,528,532,535,538],{"class":65,"line":66},[63,521,70],{"class":69},[63,523,524],{"class":73}," tee",[63,526,527],{"class":73}," /etc/fail2ban/jail.local",[63,529,531],{"class":530},"smGrS"," >",[63,533,534],{"class":73}," /dev/null",[63,536,537],{"class":530}," \u003C\u003C",[63,539,541],{"class":540},"sjJ54","EOF\n",[63,543,544],{"class":65,"line":96},[63,545,546],{"class":73},"[DEFAULT]\n",[63,548,549],{"class":65,"line":224},[63,550,551],{"class":73},"bantime = 
3600\n",[63,553,554],{"class":65,"line":237},[63,555,556],{"class":73},"findtime = 600\n",[63,558,559],{"class":65,"line":249},[63,560,561],{"class":73},"maxretry = 3\n",[63,563,564],{"class":65,"line":261},[63,565,566],{"class":73},"banaction = ufw\n",[63,568,569],{"class":65,"line":338},[63,570,320],{"emptyLinePlaceholder":319},[63,572,573],{"class":65,"line":343},[63,574,575],{"class":73},"[sshd]\n",[63,577,578],{"class":65,"line":349},[63,579,580],{"class":73},"enabled = true\n",[63,582,583],{"class":65,"line":355},[63,584,585],{"class":73},"port = 2222\n",[63,587,588],{"class":65,"line":360},[63,589,590],{"class":73},"filter = sshd\n",[63,592,593],{"class":65,"line":366},[63,594,595],{"class":73},"logpath = /var/log/auth.log\n",[63,597,598],{"class":65,"line":372},[63,599,561],{"class":73},[63,601,602],{"class":65,"line":377},[63,603,541],{"class":540},[53,605,607],{"className":55,"code":606,"language":57,"meta":58,"style":58},"sudo systemctl enable --now fail2ban\n",[60,608,609],{"__ignoreMap":58},[63,610,611,613,615,618,621],{"class":65,"line":66},[63,612,70],{"class":69},[63,614,478],{"class":73},[63,616,617],{"class":73}," enable",[63,619,620],{"class":92}," --now",[63,622,623],{"class":73}," fail2ban\n",[12,625,626],{},"Check the blocked IPs:",[53,628,630],{"className":55,"code":629,"language":57,"meta":58,"style":58},"sudo fail2ban-client status sshd\n",[60,631,632],{"__ignoreMap":58},[63,633,634,636,639,642],{"class":65,"line":66},[63,635,70],{"class":69},[63,637,638],{"class":73}," fail2ban-client",[63,640,641],{"class":73}," status",[63,643,484],{"class":73},[25,645,647],{"id":646},"_6-deshabilitar-servicios-innecesarios","6. Disable unnecessary services",[12,649,650],{},"Every running service is a potential attack surface. 
Review what is running:",[53,652,654],{"className":55,"code":653,"language":57,"meta":58,"style":58},"sudo systemctl list-units --type=service --state=running\n",[60,655,656],{"__ignoreMap":58},[63,657,658,660,662,665,668],{"class":65,"line":66},[63,659,70],{"class":69},[63,661,478],{"class":73},[63,663,664],{"class":73}," list-units",[63,666,667],{"class":92}," --type=service",[63,669,670],{"class":92}," --state=running\n",[12,672,673],{},"Disable what you do not need:",[53,675,677],{"className":55,"code":676,"language":57,"meta":58,"style":58},"# Common examples of services a server does not need\nsudo systemctl disable --now cups        # Printing\nsudo systemctl disable --now avahi-daemon # Network discovery\nsudo systemctl disable --now bluetooth   # Bluetooth\nsudo systemctl disable --now ModemManager # Modem\n",[60,678,679,685,702,718,734],{"__ignoreMap":58},[63,680,681],{"class":65,"line":66},[63,682,684],{"class":683},"sutJx","# Common examples of services a server does not need\n",[63,686,687,689,691,694,696,699],{"class":65,"line":96},[63,688,70],{"class":69},[63,690,478],{"class":73},[63,692,693],{"class":73}," disable",[63,695,620],{"class":92},[63,697,698],{"class":73}," cups",[63,700,701],{"class":683},"        # Printing\n",[63,703,704,706,708,710,712,715],{"class":65,"line":224},[63,705,70],{"class":69},[63,707,478],{"class":73},[63,709,693],{"class":73},[63,711,620],{"class":92},[63,713,714],{"class":73}," avahi-daemon",[63,716,717],{"class":683}," # Network discovery\n",[63,719,720,722,724,726,728,731],{"class":65,"line":237},[63,721,70],{"class":69},[63,723,478],{"class":73},[63,725,693],{"class":73},[63,727,620],{"class":92},[63,729,730],{"class":73}," bluetooth",[63,732,733],{"class":683},"   # Bluetooth\n",[63,735,736,738,740,742,744,747],{"class":65,"line":249},[63,737,70],{"class":69},[63,739,478],{"class":73},[63,741,693],{"class":73},[63,743,620],{"class":92},[63,745,746],{"class":73}," 
ModemManager",[63,748,749],{"class":683}," # Modem\n",[173,751],{},[25,753,755],{"id":754},"_7-configurar-permisos-de-archivos-críticos","7. Set permissions on critical files",[53,757,759],{"className":55,"code":758,"language":57,"meta":58,"style":58},"# Protect configuration files\nsudo chmod 600 /etc/ssh/sshd_config\nsudo chmod 600 /etc/shadow\nsudo chmod 644 /etc/passwd\nsudo chmod 700 /root\n\n# Protect crontab\nsudo chmod 600 /etc/crontab\nsudo chmod 700 /etc/cron.d\nsudo chmod 700 /etc/cron.daily\nsudo chmod 700 /etc/cron.hourly\n",[60,760,761,766,779,790,802,814,818,823,834,845,856],{"__ignoreMap":58},[63,762,763],{"class":65,"line":66},[63,764,765],{"class":683},"# Protect configuration files\n",[63,767,768,770,773,777],{"class":65,"line":96},[63,769,70],{"class":69},[63,771,772],{"class":73}," chmod",[63,774,776],{"class":775},"srdBf"," 600",[63,778,294],{"class":73},[63,780,781,783,785,787],{"class":65,"line":224},[63,782,70],{"class":69},[63,784,772],{"class":73},[63,786,776],{"class":775},[63,788,789],{"class":73}," /etc/shadow\n",[63,791,792,794,796,799],{"class":65,"line":237},[63,793,70],{"class":69},[63,795,772],{"class":73},[63,797,798],{"class":775}," 644",[63,800,801],{"class":73}," /etc/passwd\n",[63,803,804,806,808,811],{"class":65,"line":249},[63,805,70],{"class":69},[63,807,772],{"class":73},[63,809,810],{"class":775}," 700",[63,812,813],{"class":73}," /root\n",[63,815,816],{"class":65,"line":261},[63,817,320],{"emptyLinePlaceholder":319},[63,819,820],{"class":65,"line":338},[63,821,822],{"class":683},"# Protect crontab\n",[63,824,825,827,829,831],{"class":65,"line":343},[63,826,70],{"class":69},[63,828,772],{"class":73},[63,830,776],{"class":775},[63,832,833],{"class":73}," /etc/crontab\n",[63,835,836,838,840,842],{"class":65,"line":349},[63,837,70],{"class":69},[63,839,772],{"class":73},[63,841,810],{"class":775},[63,843,844],{"class":73}," 
/etc/cron.d\n",[63,846,847,849,851,853],{"class":65,"line":355},[63,848,70],{"class":69},[63,850,772],{"class":73},[63,852,810],{"class":775},[63,854,855],{"class":73}," /etc/cron.daily\n",[63,857,858,860,862,864],{"class":65,"line":360},[63,859,70],{"class":69},[63,861,772],{"class":73},[63,863,810],{"class":775},[63,865,866],{"class":73}," /etc/cron.hourly\n",[25,868,870],{"id":869},"_8-configurar-política-de-contraseñas","8. Configure a password policy",[12,872,873],{},"Even if you use SSH keys, local users must have strong passwords:",[53,875,877],{"className":55,"code":876,"language":57,"meta":58,"style":58},"sudo apt install libpam-pwquality -y\n",[60,878,879],{"__ignoreMap":58},[63,880,881,883,885,887,890],{"class":65,"line":66},[63,882,70],{"class":69},[63,884,74],{"class":73},[63,886,126],{"class":73},[63,888,889],{"class":73}," libpam-pwquality",[63,891,93],{"class":92},[12,893,894,895,279],{},"Edit ",[60,896,897],{},"/etc/security/pwquality.conf",[53,899,901],{"className":300,"code":900,"language":302,"meta":58,"style":58},"minlen = 12\ndcredit = -1\nucredit = -1\nocredit = -1\nlcredit = -1\nmaxrepeat = 3\n",[60,902,903,908,913,918,923,928],{"__ignoreMap":58},[63,904,905],{"class":65,"line":66},[63,906,907],{},"minlen = 12\n",[63,909,910],{"class":65,"line":96},[63,911,912],{},"dcredit = -1\n",[63,914,915],{"class":65,"line":224},[63,916,917],{},"ucredit = -1\n",[63,919,920],{"class":65,"line":237},[63,921,922],{},"ocredit = -1\n",[63,924,925],{"class":65,"line":249},[63,926,927],{},"lcredit = -1\n",[63,929,930],{"class":65,"line":261},[63,931,932],{},"maxrepeat = 3\n",[25,934,936],{"id":935},"_9-limitar-el-uso-de-sudo","9. 
Limit sudo usage",[12,938,939],{},"Not every user should have full sudo access:",[53,941,943],{"className":55,"code":942,"language":57,"meta":58,"style":58},"# Create an administrators group\nsudo groupadd sysadmins\n\n# Add users to the group\nsudo usermod -aG sysadmins tuusuario\n\n# Configure sudo for the group only\nsudo visudo\n",[60,944,945,950,960,964,969,985,989,994],{"__ignoreMap":58},[63,946,947],{"class":65,"line":66},[63,948,949],{"class":683},"# Create an administrators group\n",[63,951,952,954,957],{"class":65,"line":96},[63,953,70],{"class":69},[63,955,956],{"class":73}," groupadd",[63,958,959],{"class":73}," sysadmins\n",[63,961,962],{"class":65,"line":224},[63,963,320],{"emptyLinePlaceholder":319},[63,965,966],{"class":65,"line":237},[63,967,968],{"class":683},"# Add users to the group\n",[63,970,971,973,976,979,982],{"class":65,"line":249},[63,972,70],{"class":69},[63,974,975],{"class":73}," usermod",[63,977,978],{"class":92}," -aG",[63,980,981],{"class":73}," sysadmins",[63,983,984],{"class":73}," tuusuario\n",[63,986,987],{"class":65,"line":261},[63,988,320],{"emptyLinePlaceholder":319},[63,990,991],{"class":65,"line":338},[63,992,993],{"class":683},"# Configure sudo for the group only\n",[63,995,996,998],{"class":65,"line":343},[63,997,70],{"class":69},[63,999,1000],{"class":73}," visudo\n",[12,1002,1003],{},"Add:",[53,1005,1008],{"className":1006,"code":1007,"language":169},[167],"%sysadmins ALL=(ALL:ALL) ALL\n",[60,1009,1007],{"__ignoreMap":58},[12,1011,1012],{},"Verify that there are no unnecessary generic sudo entries.",[25,1014,1016],{"id":1015},"_10-habilitar-auditoría-del-sistema","10. 
Enable system auditing",[12,1018,1019],{},"auditd records security events: who accessed which file, who ran which command:",[53,1021,1023],{"className":55,"code":1022,"language":57,"meta":58,"style":58},"sudo apt install auditd audispd-plugins -y\nsudo systemctl enable --now auditd\n",[60,1024,1025,1041],{"__ignoreMap":58},[63,1026,1027,1029,1031,1033,1036,1039],{"class":65,"line":66},[63,1028,70],{"class":69},[63,1030,74],{"class":73},[63,1032,126],{"class":73},[63,1034,1035],{"class":73}," auditd",[63,1037,1038],{"class":73}," audispd-plugins",[63,1040,93],{"class":92},[63,1042,1043,1045,1047,1049,1051],{"class":65,"line":96},[63,1044,70],{"class":69},[63,1046,478],{"class":73},[63,1048,617],{"class":73},[63,1050,620],{"class":92},[63,1052,1053],{"class":73}," auditd\n",[12,1055,1056],{},"Add audit rules for critical files:",[53,1058,1060],{"className":55,"code":1059,"language":57,"meta":58,"style":58},"sudo tee /etc/audit/rules.d/hardening.rules > /dev/null \u003C\u003CEOF\n# Monitor changes to users and groups\n-w /etc/passwd -p wa -k identity\n-w /etc/group -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/sudoers -p wa -k identity\n\n# Monitor changes to SSH\n-w /etc/ssh/sshd_config -p wa -k sshd_config\n\n# Monitor changes to cron\n-w /etc/crontab -p wa -k cron\n-w /var/spool/cron -p wa -k cron\n\n# Monitor command execution as root\n-a always,exit -F arch=b64 -F euid=0 -S execve -k root_commands\nEOF\n\nsudo augenrules --load\n",[60,1061,1062,1079,1084,1089,1094,1099,1104,1108,1113,1118,1122,1127,1132,1137,1141,1146,1151,1155,1159],{"__ignoreMap":58},[63,1063,1064,1066,1068,1071,1073,1075,1077],{"class":65,"line":66},[63,1065,70],{"class":69},[63,1067,524],{"class":73},[63,1069,1070],{"class":73}," 
/etc/audit/rules.d/hardening.rules",[63,1072,531],{"class":530},[63,1074,534],{"class":73},[63,1076,537],{"class":530},[63,1078,541],{"class":540},[63,1080,1081],{"class":65,"line":96},[63,1082,1083],{"class":73},"# Monitor changes to users and groups\n",[63,1085,1086],{"class":65,"line":224},[63,1087,1088],{"class":73},"-w /etc/passwd -p wa -k identity\n",[63,1090,1091],{"class":65,"line":237},[63,1092,1093],{"class":73},"-w /etc/group -p wa -k identity\n",[63,1095,1096],{"class":65,"line":249},[63,1097,1098],{"class":73},"-w /etc/shadow -p wa -k identity\n",[63,1100,1101],{"class":65,"line":261},[63,1102,1103],{"class":73},"-w /etc/sudoers -p wa -k identity\n",[63,1105,1106],{"class":65,"line":338},[63,1107,320],{"emptyLinePlaceholder":319},[63,1109,1110],{"class":65,"line":343},[63,1111,1112],{"class":73},"# Monitor changes to SSH\n",[63,1114,1115],{"class":65,"line":349},[63,1116,1117],{"class":73},"-w /etc/ssh/sshd_config -p wa -k sshd_config\n",[63,1119,1120],{"class":65,"line":355},[63,1121,320],{"emptyLinePlaceholder":319},[63,1123,1124],{"class":65,"line":360},[63,1125,1126],{"class":73},"# Monitor changes to cron\n",[63,1128,1129],{"class":65,"line":366},[63,1130,1131],{"class":73},"-w /etc/crontab -p wa -k cron\n",[63,1133,1134],{"class":65,"line":372},[63,1135,1136],{"class":73},"-w /var/spool/cron -p wa -k cron\n",[63,1138,1139],{"class":65,"line":377},[63,1140,320],{"emptyLinePlaceholder":319},[63,1142,1143],{"class":65,"line":383},[63,1144,1145],{"class":73},"# Monitor command execution as root\n",[63,1147,1148],{"class":65,"line":389},[63,1149,1150],{"class":73},"-a always,exit -F arch=b64 -F euid=0 -S execve -k root_commands\n",[63,1152,1153],{"class":65,"line":395},[63,1154,541],{"class":540},[63,1156,1157],{"class":65,"line":400},[63,1158,320],{"emptyLinePlaceholder":319},[63,1160,1161,1163,1166],{"class":65,"line":406},[63,1162,70],{"class":69},[63,1164,1165],{"class":73}," augenrules",[63,1167,1168],{"class":92}," 
--load\n",[25,1170,1172],{"id":1171},"_11-configurar-los-parámetros-del-kernel","11. Configure kernel parameters",[12,1174,894,1175,1178],{},[60,1176,1177],{},"/etc/sysctl.conf"," to harden the network stack and the kernel:",[53,1180,1182],{"className":55,"code":1181,"language":57,"meta":58,"style":58},"sudo tee -a /etc/sysctl.conf > /dev/null \u003C\u003CEOF\n\n# --- Network hardening ---\n# Disable ICMP redirects (prevents MitM)\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\n\n# Disable source routing\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\n\n# Enable SYN flood protection\nnet.ipv4.tcp_syncookies = 1\n\n# Ignore broadcast pings (prevents Smurf attacks)\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\n# Log martian packets (packets with impossible IPs)\nnet.ipv4.conf.all.log_martians = 1\n\n# Disable IPv6 if you do not use it\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n\n# --- Kernel hardening ---\n# Restrict access to kernel logs\nkernel.dmesg_restrict = 1\n\n# Disable SysRq (the kernel's magic keys)\nkernel.sysrq = 0\n\n# ASLR enabled (memory randomization)\nkernel.randomize_va_space = 2\nEOF\n\nsudo sysctl -p\n",[60,1183,1184,1204,1208,1213,1218,1223,1228,1233,1237,1242,1247,1252,1256,1261,1266,1270,1275,1280,1284,1289,1294,1298,1303,1308,1313,1317,1322,1328,1334,1339,1345,1351,1356,1362,1368,1373,1378],{"__ignoreMap":58},[63,1185,1186,1188,1190,1193,1196,1198,1200,1202],{"class":65,"line":66},[63,1187,70],{"class":69},[63,1189,524],{"class":73},[63,1191,1192],{"class":92}," -a",[63,1194,1195],{"class":73}," 
/etc/sysctl.conf",[63,1197,531],{"class":530},[63,1199,534],{"class":73},[63,1201,537],{"class":530},[63,1203,541],{"class":540},[63,1205,1206],{"class":65,"line":96},[63,1207,320],{"emptyLinePlaceholder":319},[63,1209,1210],{"class":65,"line":224},[63,1211,1212],{"class":73},"# --- Network hardening ---\n",[63,1214,1215],{"class":65,"line":237},[63,1216,1217],{"class":73},"# Disable ICMP redirects (prevents MitM)\n",[63,1219,1220],{"class":65,"line":249},[63,1221,1222],{"class":73},"net.ipv4.conf.all.accept_redirects = 0\n",[63,1224,1225],{"class":65,"line":261},[63,1226,1227],{"class":73},"net.ipv4.conf.default.accept_redirects = 0\n",[63,1229,1230],{"class":65,"line":338},[63,1231,1232],{"class":73},"net.ipv4.conf.all.send_redirects = 0\n",[63,1234,1235],{"class":65,"line":343},[63,1236,320],{"emptyLinePlaceholder":319},[63,1238,1239],{"class":65,"line":349},[63,1240,1241],{"class":73},"# Disable source routing\n",[63,1243,1244],{"class":65,"line":355},[63,1245,1246],{"class":73},"net.ipv4.conf.all.accept_source_route = 0\n",[63,1248,1249],{"class":65,"line":360},[63,1250,1251],{"class":73},"net.ipv4.conf.default.accept_source_route = 0\n",[63,1253,1254],{"class":65,"line":366},[63,1255,320],{"emptyLinePlaceholder":319},[63,1257,1258],{"class":65,"line":372},[63,1259,1260],{"class":73},"# Enable SYN flood protection\n",[63,1262,1263],{"class":65,"line":377},[63,1264,1265],{"class":73},"net.ipv4.tcp_syncookies = 1\n",[63,1267,1268],{"class":65,"line":383},[63,1269,320],{"emptyLinePlaceholder":319},[63,1271,1272],{"class":65,"line":389},[63,1273,1274],{"class":73},"# Ignore broadcast pings (prevents Smurf attacks)\n",[63,1276,1277],{"class":65,"line":395},[63,1278,1279],{"class":73},"net.ipv4.icmp_echo_ignore_broadcasts = 1\n",[63,1281,1282],{"class":65,"line":400},[63,1283,320],{"emptyLinePlaceholder":319},[63,1285,1286],{"class":65,"line":406},[63,1287,1288],{"class":73},"# Log martian packets (packets with 
impossible IPs)\n",[63,1290,1291],{"class":65,"line":412},[63,1292,1293],{"class":73},"net.ipv4.conf.all.log_martians = 1\n",[63,1295,1296],{"class":65,"line":418},[63,1297,320],{"emptyLinePlaceholder":319},[63,1299,1300],{"class":65,"line":423},[63,1301,1302],{"class":73},"# Disable IPv6 if you do not use it\n",[63,1304,1305],{"class":65,"line":429},[63,1306,1307],{"class":73},"net.ipv6.conf.all.disable_ipv6 = 1\n",[63,1309,1310],{"class":65,"line":435},[63,1311,1312],{"class":73},"net.ipv6.conf.default.disable_ipv6 = 1\n",[63,1314,1315],{"class":65,"line":440},[63,1316,320],{"emptyLinePlaceholder":319},[63,1318,1319],{"class":65,"line":446},[63,1320,1321],{"class":73},"# --- Kernel hardening ---\n",[63,1323,1325],{"class":65,"line":1324},27,[63,1326,1327],{"class":73},"# Restrict access to kernel logs\n",[63,1329,1331],{"class":65,"line":1330},28,[63,1332,1333],{"class":73},"kernel.dmesg_restrict = 1\n",[63,1335,1337],{"class":65,"line":1336},29,[63,1338,320],{"emptyLinePlaceholder":319},[63,1340,1342],{"class":65,"line":1341},30,[63,1343,1344],{"class":73},"# Disable SysRq (the kernel's magic keys)\n",[63,1346,1348],{"class":65,"line":1347},31,[63,1349,1350],{"class":73},"kernel.sysrq = 0\n",[63,1352,1354],{"class":65,"line":1353},32,[63,1355,320],{"emptyLinePlaceholder":319},[63,1357,1359],{"class":65,"line":1358},33,[63,1360,1361],{"class":73},"# ASLR enabled (memory randomization)\n",[63,1363,1365],{"class":65,"line":1364},34,[63,1366,1367],{"class":73},"kernel.randomize_va_space = 2\n",[63,1369,1371],{"class":65,"line":1370},35,[63,1372,541],{"class":540},[63,1374,1376],{"class":65,"line":1375},36,[63,1377,320],{"emptyLinePlaceholder":319},[63,1379,1381,1383,1386],{"class":65,"line":1380},37,[63,1382,70],{"class":69},[63,1384,1385],{"class":73}," sysctl",[63,1387,1388],{"class":92}," -p\n",[173,1390],{},[25,1392,1394],{"id":1393},"_12-deshabilitar-usb-y-medios-removibles-servidores","12. 
Disable USB and removable media (servers)",[12,1396,1397],{},"On a production server nobody should be plugging in a USB drive:",[53,1399,1401],{"className":55,"code":1400,"language":57,"meta":58,"style":58},"echo \"blacklist usb-storage\" | sudo tee /etc/modprobe.d/disable-usb-storage.conf\n",[60,1402,1403],{"__ignoreMap":58},[63,1404,1405,1409,1412,1415,1418,1421,1423,1425],{"class":65,"line":66},[63,1406,1408],{"class":1407},"sptTA","echo",[63,1410,1411],{"class":540}," \"",[63,1413,1414],{"class":73},"blacklist usb-storage",[63,1416,1417],{"class":540},"\"",[63,1419,1420],{"class":530}," |",[63,1422,84],{"class":69},[63,1424,524],{"class":73},[63,1426,1427],{"class":73}," /etc/modprobe.d/disable-usb-storage.conf\n",[25,1429,1431],{"id":1430},"_13-configurar-banners-de-advertencia","13. Configure warning banners",[12,1433,1434],{},"A legal banner warns would-be intruders that unauthorized access is illegal and will be prosecuted:",[53,1436,1438],{"className":55,"code":1437,"language":57,"meta":58,"style":58},"sudo tee /etc/issue.net > /dev/null \u003C\u003CEOF\n***********************************************\n*  Acceso restringido a personal autorizado   *\n*  Toda actividad es monitoreada y registrada *\n*  El acceso no autorizado será procesado     *\n***********************************************\nEOF\n",[60,1439,1440,1457,1462,1467,1472,1477,1481],{"__ignoreMap":58},[63,1441,1442,1444,1446,1449,1451,1453,1455],{"class":65,"line":66},[63,1443,70],{"class":69},[63,1445,524],{"class":73},[63,1447,1448],{"class":73}," /etc/issue.net",[63,1450,531],{"class":530},[63,1452,534],{"class":73},[63,1454,537],{"class":530},[63,1456,541],{"class":540},[63,1458,1459],{"class":65,"line":96},[63,1460,1461],{"class":73},"***********************************************\n",[63,1463,1464],{"class":65,"line":224},[63,1465,1466],{"class":73},"*  Acceso restringido a personal autorizado   *\n",[63,1468,1469],{"class":65,"line":237},[63,1470,1471],{"class":73},"*  
Toda actividad es monitoreada y registrada *\n",[63,1473,1474],{"class":65,"line":249},[63,1475,1476],{"class":73},"*  El acceso no autorizado será procesado     *\n",[63,1478,1479],{"class":65,"line":261},[63,1480,1461],{"class":73},[63,1482,1483],{"class":65,"line":338},[63,1484,541],{"class":540},[12,1486,1487],{},"Enable it in SSH:",[53,1489,1491],{"className":55,"code":1490,"language":57,"meta":58,"style":58},"# In /etc/ssh/sshd_config\nBanner /etc/issue.net\n",[60,1492,1493,1498],{"__ignoreMap":58},[63,1494,1495],{"class":65,"line":66},[63,1496,1497],{"class":683},"# In /etc/ssh/sshd_config\n",[63,1499,1500,1503],{"class":65,"line":96},[63,1501,1502],{"class":69},"Banner",[63,1504,1505],{"class":73}," /etc/issue.net\n",[25,1507,1509],{"id":1508},"_14-configurar-ntp-sincronización-de-tiempo","14. Configure NTP (time synchronization)",[12,1511,1512],{},"Security logs are useless if the server clock is wrong. Inconsistent timestamps make it impossible to correlate events across servers:",[53,1514,1516],{"className":55,"code":1515,"language":57,"meta":58,"style":58},"sudo apt install chrony -y\nsudo systemctl enable --now chrony\n\n# Verify synchronization\nchronyc tracking\n",[60,1517,1518,1531,1544,1548,1553],{"__ignoreMap":58},[63,1519,1520,1522,1524,1526,1529],{"class":65,"line":66},[63,1521,70],{"class":69},[63,1523,74],{"class":73},[63,1525,126],{"class":73},[63,1527,1528],{"class":73}," chrony",[63,1530,93],{"class":92},[63,1532,1533,1535,1537,1539,1541],{"class":65,"line":96},[63,1534,70],{"class":69},[63,1536,478],{"class":73},[63,1538,617],{"class":73},[63,1540,620],{"class":92},[63,1542,1543],{"class":73}," chrony\n",[63,1545,1546],{"class":65,"line":224},[63,1547,320],{"emptyLinePlaceholder":319},[63,1549,1550],{"class":65,"line":237},[63,1551,1552],{"class":683},"# Verify synchronization\n",[63,1554,1555,1558],{"class":65,"line":249},[63,1556,1557],{"class":69},"chronyc",[63,1559,1560],{"class":73}," 
tracking\n",[25,1562,1564],{"id":1563},"_15-programar-escaneos-de-vulnerabilidades","15. Schedule vulnerability scans",[12,1566,1567],{},"Install Lynis for periodic security audits:",[53,1569,1571],{"className":55,"code":1570,"language":57,"meta":58,"style":58},"sudo apt install lynis -y\nsudo lynis audit system\n",[60,1572,1573,1586],{"__ignoreMap":58},[63,1574,1575,1577,1579,1581,1584],{"class":65,"line":66},[63,1576,70],{"class":69},[63,1578,74],{"class":73},[63,1580,126],{"class":73},[63,1582,1583],{"class":73}," lynis",[63,1585,93],{"class":92},[63,1587,1588,1590,1592,1595],{"class":65,"line":96},[63,1589,70],{"class":69},[63,1591,1583],{"class":73},[63,1593,1594],{"class":73}," audit",[63,1596,1597],{"class":73}," system\n",[12,1599,1600],{},"Lynis produces a report with a hardening score and specific recommendations. Schedule it weekly with cron and review the report:",[53,1602,1604],{"className":55,"code":1603,"language":57,"meta":58,"style":58},"# Weekly crontab\n0 2 * * 0 /usr/bin/lynis audit system --quiet >> /var/log/lynis-weekly.log 2>&1\n",[60,1605,1606,1611],{"__ignoreMap":58},[63,1607,1608],{"class":65,"line":66},[63,1609,1610],{"class":683},"# Weekly crontab\n",[63,1612,1613,1616,1619,1623,1625,1628,1631,1633,1636,1639,1642,1645],{"class":65,"line":96},[63,1614,1615],{"class":69},"0",[63,1617,1618],{"class":775}," 2",[63,1620,1622],{"class":1621},"s_hVV"," *",[63,1624,1622],{"class":1621},[63,1626,1627],{"class":775}," 0",[63,1629,1630],{"class":73}," /usr/bin/lynis",[63,1632,1594],{"class":73},[63,1634,1635],{"class":73}," system",[63,1637,1638],{"class":92}," --quiet",[63,1640,1641],{"class":530}," >>",[63,1643,1644],{"class":73}," /var/log/lynis-weekly.log",[63,1646,1647],{"class":530}," 2>&1\n",[25,1649,1651],{"id":1650},"script-de-hardening-automatizado","Automated hardening script",[12,1653,1654],{},"To apply all the steps on new servers, automate them with a script or with Ansible. 
Here is the summary as a script:",[53,1656,1658],{"className":55,"code":1657,"language":57,"meta":58,"style":58},"#!/bin/bash\n# hardening.sh: basic hardening for Ubuntu 24.04\n# Run as root on NEW servers before putting them into production\n\nset -e\n\necho \"=== Actualizando sistema ===\"\napt update && apt upgrade -y\n\necho \"=== Configurando actualizaciones automáticas ===\"\napt install unattended-upgrades -y\ndpkg-reconfigure -plow unattended-upgrades\n\necho \"=== Configurando firewall ===\"\nufw default deny incoming\nufw default allow outgoing\nufw limit 2222/tcp\nufw --force enable\n\necho \"=== Instalando fail2ban ===\"\napt install fail2ban -y\nsystemctl enable --now fail2ban\n\necho \"=== Instalando auditoría ===\"\napt install auditd -y\nsystemctl enable --now auditd\n\necho \"=== Aplicando sysctl ===\"\nsysctl -p\n\necho \"=== Ejecutando Lynis ===\"\napt install lynis -y\nlynis audit system --quiet\n\necho \"=== Hardening completado ===\"\necho \"NOTA: Configura SSH manualmente (/etc/ssh/sshd_config)\"\necho \"NOTA: Revisa el reporte de Lynis en /var/log/lynis.log\"\n",[60,1659,1660,1665,1670,1675,1679,1687,1691,1703,1718,1722,1733,1743,1752,1756,1767,1778,1788,1797,1806,1810,1821,1831,1842,1846,1857,1867,1877,1881,1892,1899,1903,1914,1924,1936,1940,1951,1962],{"__ignoreMap":58},[63,1661,1662],{"class":65,"line":66},[63,1663,1664],{"class":683},"#!/bin/bash\n",[63,1666,1667],{"class":65,"line":96},[63,1668,1669],{"class":683},"# hardening.sh: basic hardening for Ubuntu 24.04\n",[63,1671,1672],{"class":65,"line":224},[63,1673,1674],{"class":683},"# Run as root on NEW servers before putting them into production\n",[63,1676,1677],{"class":65,"line":237},[63,1678,320],{"emptyLinePlaceholder":319},[63,1680,1681,1684],{"class":65,"line":249},[63,1682,1683],{"class":1407},"set",[63,1685,1686],{"class":92}," 
-e\n",[63,1688,1689],{"class":65,"line":261},[63,1690,320],{"emptyLinePlaceholder":319},[63,1692,1693,1695,1697,1700],{"class":65,"line":338},[63,1694,1408],{"class":1407},[63,1696,1411],{"class":540},[63,1698,1699],{"class":73},"=== Actualizando sistema ===",[63,1701,1702],{"class":540},"\"\n",[63,1704,1705,1708,1710,1712,1714,1716],{"class":65,"line":343},[63,1706,1707],{"class":69},"apt",[63,1709,77],{"class":73},[63,1711,81],{"class":80},[63,1713,74],{"class":69},[63,1715,89],{"class":73},[63,1717,93],{"class":92},[63,1719,1720],{"class":65,"line":349},[63,1721,320],{"emptyLinePlaceholder":319},[63,1723,1724,1726,1728,1731],{"class":65,"line":355},[63,1725,1408],{"class":1407},[63,1727,1411],{"class":540},[63,1729,1730],{"class":73},"=== Configurando actualizaciones automáticas ===",[63,1732,1702],{"class":540},[63,1734,1735,1737,1739,1741],{"class":65,"line":360},[63,1736,1707],{"class":69},[63,1738,126],{"class":73},[63,1740,129],{"class":73},[63,1742,93],{"class":92},[63,1744,1745,1748,1750],{"class":65,"line":366},[63,1746,1747],{"class":69},"dpkg-reconfigure",[63,1749,141],{"class":92},[63,1751,144],{"class":73},[63,1753,1754],{"class":65,"line":372},[63,1755,320],{"emptyLinePlaceholder":319},[63,1757,1758,1760,1762,1765],{"class":65,"line":377},[63,1759,1408],{"class":1407},[63,1761,1411],{"class":540},[63,1763,1764],{"class":73},"=== Configurando firewall ===",[63,1766,1702],{"class":540},[63,1768,1769,1772,1774,1776],{"class":65,"line":383},[63,1770,1771],{"class":69},"ufw",[63,1773,201],{"class":73},[63,1775,204],{"class":73},[63,1777,207],{"class":73},[63,1779,1780,1782,1784,1786],{"class":65,"line":389},[63,1781,1771],{"class":69},[63,1783,201],{"class":73},[63,1785,218],{"class":73},[63,1787,221],{"class":73},[63,1789,1790,1792,1794],{"class":65,"line":395},[63,1791,1771],{"class":69},[63,1793,231],{"class":73},[63,1795,1796],{"class":73}," 
2222/tcp\n",[63,1798,1799,1801,1804],{"class":65,"line":400},[63,1800,1771],{"class":69},[63,1802,1803],{"class":92}," --force",[63,1805,268],{"class":73},[63,1807,1808],{"class":65,"line":406},[63,1809,320],{"emptyLinePlaceholder":319},[63,1811,1812,1814,1816,1819],{"class":65,"line":412},[63,1813,1408],{"class":1407},[63,1815,1411],{"class":540},[63,1817,1818],{"class":73},"=== Instalando fail2ban ===",[63,1820,1702],{"class":540},[63,1822,1823,1825,1827,1829],{"class":65,"line":418},[63,1824,1707],{"class":69},[63,1826,126],{"class":73},[63,1828,507],{"class":73},[63,1830,93],{"class":92},[63,1832,1833,1836,1838,1840],{"class":65,"line":423},[63,1834,1835],{"class":69},"systemctl",[63,1837,617],{"class":73},[63,1839,620],{"class":92},[63,1841,623],{"class":73},[63,1843,1844],{"class":65,"line":429},[63,1845,320],{"emptyLinePlaceholder":319},[63,1847,1848,1850,1852,1855],{"class":65,"line":435},[63,1849,1408],{"class":1407},[63,1851,1411],{"class":540},[63,1853,1854],{"class":73},"=== Instalando auditoría ===",[63,1856,1702],{"class":540},[63,1858,1859,1861,1863,1865],{"class":65,"line":440},[63,1860,1707],{"class":69},[63,1862,126],{"class":73},[63,1864,1035],{"class":73},[63,1866,93],{"class":92},[63,1868,1869,1871,1873,1875],{"class":65,"line":446},[63,1870,1835],{"class":69},[63,1872,617],{"class":73},[63,1874,620],{"class":92},[63,1876,1053],{"class":73},[63,1878,1879],{"class":65,"line":1324},[63,1880,320],{"emptyLinePlaceholder":319},[63,1882,1883,1885,1887,1890],{"class":65,"line":1330},[63,1884,1408],{"class":1407},[63,1886,1411],{"class":540},[63,1888,1889],{"class":73},"=== Aplicando sysctl 
===",[63,1891,1702],{"class":540},[63,1893,1894,1897],{"class":65,"line":1336},[63,1895,1896],{"class":69},"sysctl",[63,1898,1388],{"class":92},[63,1900,1901],{"class":65,"line":1341},[63,1902,320],{"emptyLinePlaceholder":319},[63,1904,1905,1907,1909,1912],{"class":65,"line":1347},[63,1906,1408],{"class":1407},[63,1908,1411],{"class":540},[63,1910,1911],{"class":73},"=== Ejecutando Lynis ===",[63,1913,1702],{"class":540},[63,1915,1916,1918,1920,1922],{"class":65,"line":1353},[63,1917,1707],{"class":69},[63,1919,126],{"class":73},[63,1921,1583],{"class":73},[63,1923,93],{"class":92},[63,1925,1926,1929,1931,1933],{"class":65,"line":1358},[63,1927,1928],{"class":69},"lynis",[63,1930,1594],{"class":73},[63,1932,1635],{"class":73},[63,1934,1935],{"class":92}," --quiet\n",[63,1937,1938],{"class":65,"line":1364},[63,1939,320],{"emptyLinePlaceholder":319},[63,1941,1942,1944,1946,1949],{"class":65,"line":1370},[63,1943,1408],{"class":1407},[63,1945,1411],{"class":540},[63,1947,1948],{"class":73},"=== Hardening completado ===",[63,1950,1702],{"class":540},[63,1952,1953,1955,1957,1960],{"class":65,"line":1375},[63,1954,1408],{"class":1407},[63,1956,1411],{"class":540},[63,1958,1959],{"class":73},"NOTA: Configura SSH manualmente (/etc/ssh/sshd_config)",[63,1961,1702],{"class":540},[63,1963,1964,1966,1968,1971],{"class":65,"line":1380},[63,1965,1408],{"class":1407},[63,1967,1411],{"class":540},[63,1969,1970],{"class":73},"NOTA: Revisa el reporte de Lynis en /var/log/lynis.log",[63,1972,1702],{"class":540},[25,1974,1976],{"id":1975},"siguientes-pasos","Next steps",[12,1978,1979],{},"With these 15 steps covered, your server is significantly harder to compromise. 
To go further:",[1981,1982,1983,1991,1997,2003,2011],"ul",{},[1984,1985,1986,1990],"li",{},[1987,1988,1989],"strong",{},"Automation with Ansible",": apply the hardening to dozens of servers in minutes with reproducible playbooks",[1984,1992,1993,1996],{},[1987,1994,1995],{},"AIDE/Tripwire",": detection of unauthorized changes to system files (file integrity)",[1984,1998,1999,2002],{},[1987,2000,2001],{},"Wazuh",": open source SIEM that correlates security events from all your servers in a single dashboard",[1984,2004,2005,2010],{},[1987,2006,2007],{},[19,2008,2009],{"href":21},"Pentesting",": commission a penetration test to validate that the hardening is effective against real attacks",[1984,2012,2013,2016],{},[1987,2014,2015],{},"Full CIS Benchmark",": this guide covers the most critical points; the full CIS benchmark has 200+ controls",[2018,2019],"call-to-action",{"description":2020,"eyebrow":2021,"icon":2022,"label":2023,"title":2024,"to":2025},"We implement automated hardening with Ansible and CIS benchmarks so that every new server in your infrastructure is protected from the very first minute.","Enterprise security","i-lucide-shield-check","Request an audit","Want your servers to be born secure?","/contacto",[2027,2028,2029],"style",{},"html pre.shiki code .sbgvK, html code.shiki .sbgvK{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .s_sjI, html code.shiki .s_sjI{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sP7_E, html code.shiki .sP7_E{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .stzsN, html code.shiki .stzsN{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: 
var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .smGrS, html code.shiki .smGrS{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583}html pre.shiki code .sjJ54, html code.shiki .sjJ54{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sutJx, html code.shiki .sutJx{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit}html pre.shiki code .srdBf, html code.shiki .srdBf{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sptTA, html code.shiki .sptTA{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .s_hVV, html code.shiki 
.s_hVV{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF}",{"title":58,"searchDepth":96,"depth":224,"links":2031},[2032,2033,2034,2035,2036,2037,2038,2039,2040,2041,2042,2043,2044,2045,2046,2047,2048,2049],{"id":27,"depth":96,"text":28},{"id":47,"depth":96,"text":48},{"id":108,"depth":96,"text":109},{"id":177,"depth":96,"text":178},{"id":271,"depth":96,"text":272},{"id":487,"depth":96,"text":488},{"id":646,"depth":96,"text":647},{"id":754,"depth":96,"text":755},{"id":869,"depth":96,"text":870},{"id":935,"depth":96,"text":936},{"id":1015,"depth":96,"text":1016},{"id":1171,"depth":96,"text":1172},{"id":1393,"depth":96,"text":1394},{"id":1430,"depth":96,"text":1431},{"id":1508,"depth":96,"text":1509},{"id":1563,"depth":96,"text":1564},{"id":1650,"depth":96,"text":1651},{"id":1975,"depth":96,"text":1976},"tutorial",{"title":2052,"description":2053,"label":2023,"to":2025,"icon":2022},"Need professional hardening for your infrastructure?","We audit and harden your servers following CIS benchmarks with Ansible automation so that every new server is born secure.","2026-02-15","Complete hardening checklist for Ubuntu and Debian production servers. 15 practical steps to reduce the attack surface and protect your infrastructure from real threats.",false,"md",[2059,2062,2065,2068],{"question":2060,"answer":2061},"How long does it take to harden a server?","Applying the 15 steps in this guide takes between 1 and 2 hours per server the first time. After that, you can automate the process with Ansible to apply it to any new server in minutes. The important thing is to do it before the server goes into production, not after.",{"question":2063,"answer":2064},"Can hardening break applications?","Yes, if you apply restrictions without understanding which services your application needs. That is why we recommend hardening in a test environment first and verifying that everything works before applying it in production. 
The most delicate step is the firewall: make sure you do not block ports that your application needs.",{"question":2066,"answer":2067},"Should I harden my server if it sits behind a network firewall?","Yes. Defense in depth is a fundamental security principle. The network firewall protects the perimeter, but if an attacker bypasses it (phishing, a compromised VPN, a vulnerable application), server hardening is your second line of defense.",{"question":2069,"answer":2070},"Is there a certification or benchmark to follow?","Yes. The CIS (Center for Internet Security) benchmarks are the industry standard. There are specific profiles for Ubuntu, Debian, Rocky Linux and other distributions. This guide covers the most critical points of the CIS benchmark, adapted to real enterprise environments.","/images/blog/hardening-linux.jpg","Linux terminal showing a hardening process with verification of security settings",{},"/blog/tutorial/hardening-servidores-linux",{"title":5,"description":2055},"blog/tutorial/hardening-servidores-linux",[2078,2079,2080,2081,2082,2050],"seguridad","hardening","linux","servidores","ssh","qRXWFMwKy6_eH61ErQS_3rWTotKSmso_6r28S7FxvgA",{"path":2085,"title":2086},"/blog/tutorial/cicd-gitlab-guia-practica","Deploying applications with CI/CD on GitLab: a practical guide",{"path":2088,"title":2089},"/blog/tutorial/dns-cloudflare-registros","Configuring DNS with Cloudflare: essential records explained",[2091,2098,2105],{"path":2092,"title":2093,"description":2094,"date":2095,"category":2050,"image":2096,"imageAlt":2097,"readingTime":366},"/blog/tutorial/apis-rest-python-fastapi","Building REST APIs with Python and FastAPI for enterprise integrations","Step-by-step guide to building a professional REST API with Python and FastAPI that connects your ERP, CRM or any other system, with validation, authentication and automatic documentation.","2026-03-04","/images/blog/fastapi-api-rest.jpg","Code editor 
showing a FastAPI API with automatically generated Swagger documentation",{"path":2099,"title":2100,"description":2101,"date":2102,"category":2050,"image":2103,"imageAlt":2104,"readingTime":343},"/blog/tutorial/configurar-firewall-ufw-linux","Configuring a firewall on Linux with UFW: essential rules","Step-by-step guide to configuring UFW (Uncomplicated Firewall) on Ubuntu and Debian with the essential rules for protecting production servers.","2026-03-01","/images/blog/ufw-firewall-linux.jpg","Linux terminal showing active UFW firewall rules protecting a production server",{"path":2106,"title":2107,"description":2108,"date":2109,"category":2050,"image":2110,"imageAlt":2111,"readingTime":355},"/blog/tutorial/traefik-reverse-proxy-docker","Configuring Traefik as a reverse proxy for Docker containers","Step-by-step guide to installing Traefik as a reverse proxy with automatic Docker container discovery, SSL with Let's Encrypt and a monitoring dashboard.","2026-02-28","/images/blog/traefik-docker.jpg","Traefik dashboard showing automatic routes to multiple Docker containers with SSL enabled"]