{"id":"bc0d7ed0-6145-4521-b0cd-3ce3f8c795a0","shortId":"zphYnd","kind":"skill","title":"server-hardening","tagline":"Comprehensive server security hardening workflows based on CIS Benchmarks. Use when securing new servers, improving security posture, or implementing security controls on Linux systems.","description":"# Server Hardening Skill\n\nThis skill provides comprehensive workflows, checklists, and automated scripts for hardening Linux servers according to industry best practices and CIS Benchmarks.\n\n## When to Use This Skill\n\nUse this skill when:\n- Setting up new production servers\n- Improving security posture of existing servers\n- Implementing CIS Benchmark compliance\n- Preparing for security audits\n- Responding to security incidents\n- Establishing security baselines\n- Configuring security monitoring\n\n## Core Principles\n\n### 1. Defense in Depth\n\n**Multiple layers of security:**\n- Network security (firewall, IDS/IPS)\n- Host security (hardening, patching)\n- Application security (WAF, input validation)\n- Access control (authentication, authorization)\n- Monitoring (logging, alerting)\n\n### 2. Principle of Least Privilege\n\n**Always apply:**\n- Minimal user permissions\n- Minimal service permissions\n- Minimal network access\n- Minimal file system access\n\n### 3. Zero Trust\n\n**Assume breach:**\n- Never trust, always verify\n- Verify every request\n- Log every action\n- Monitor continuously\n\n## Hardening Workflow\n\n### Phase 1: Pre-Hardening Assessment\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│ Pre-Hardening Checklist │\n├─────────────────────────────────────────────────────────────┤\n│ □ Document current configuration │\n│ □ Create full system backup │\n│ □ Document running services │\n│ □ Document network connections │\n│ □ Document user accounts │\n│ □ Identify compliance requirements │\n│ □ Schedule maintenance window │\n│ □ Prepare rollback plan │\n└─────────────────────────────────────────────────────────────┘\n```\n\n### Phase 2: Security Baseline\n\n**Establish baseline before hardening:**\n\n```bash\n#!/bin/bash\n# Security baseline assessment\n\n# System information\necho \"=== System Information ===\"\nuname -a\nhostnamectl\ncat /etc/os-release\n\n# Running services\necho -e \"\\n=== Running Services ===\"\nsystemctl list-units --type=service --state=running\n\n# Open ports\necho -e \"\\n=== Open Ports ===\"\nss -tulpn\n\n# User accounts\necho -e \"\\n=== User Accounts ===\"\ncat /etc/passwd | grep -v nologin\n\n# Sudo users\necho -e \"\\n=== Sudo Users ===\"\ngetent group sudo\n\n# Installed packages\necho -e \"\\n=== Security Packages ===\"\ndpkg -l | grep -E \"(fail2ban|ufw|rkhunter|chkrootkit)\" || echo \"Not installed\"\n\n# Last logins\necho -e \"\\n=== Last Logins ===\"\nlast -10\n\n# Failed logins\necho -e \"\\n=== Failed Logins ===\"\ngrep \"Failed password\" /var/log/auth.log | tail -10 || echo \"No failed logins\"\n\n# Disk usage\necho -e \"\\n=== Disk Usage ===\"\ndf -h\n\n# Pending updates\necho -e \"\\n=== Pending Updates ===\"\napt list --upgradable 2>/dev/null | head -20 || yum check-update\n```\n\n### Phase 3: Hardening Implementation\n\n**Follow the hardening checklist:**\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│ Server Hardening Checklist │\n├─────────────────────────────────────────────────────────────┤\n│ SYSTEM UPDATES │\n│ □ Update all packages to latest versions │\n│ □ Configure automatic security updates │\n│ □ Remove unnecessary packages │\n├─────────────────────────────────────────────────────────────┤\n│ USER MANAGEMENT │\n│ □ Remove/disable unused accounts │\n│ □ Enforce strong password policy │\n│ □ Configure sudo access │\n│ □ Disable root login │\n├─────────────────────────────────────────────────────────────┤\n│ SSH HARDENING │\n│ □ Change default SSH port │\n│ □ Disable root login │\n│ □ Disable password authentication │\n│ □ Configure key-based authentication │\n│ □ Limit users/groups │\n│ □ Configure idle timeout │\n├─────────────────────────────────────────────────────────────┤\n│ FIREWALL CONFIGURATION │\n│ □ Enable UFW/firewalld │\n│ □ Default deny incoming │\n│ □ Allow only required ports │\n│ □ Configure rate limiting │\n├─────────────────────────────────────────────────────────────┤\n│ FILE SYSTEM SECURITY │\n│ □ Set proper permissions on sensitive files │\n│ □ Mount /tmp, /var/tmp with noexec │\n│ □ Enable audit logging │\n│ □ Configure log rotation │\n├─────────────────────────────────────────────────────────────┤\n│ NETWORK SECURITY │\n│ □ Disable IPv6 if not used │\n│ □ Disable IP forwarding │\n│ □ Configure kernel security parameters │\n│ □ Enable SYN flood protection │\n├─────────────────────────────────────────────────────────────┤\n│ MONITORING & LOGGING │\n│ □ Install and configure Fail2ban │\n│ □ Configure centralized logging │\n│ □ Enable audit daemon │\n│ □ Configure log aggregation │\n├─────────────────────────────────────────────────────────────┤\n│ SECURITY TOOLS │\n□ Install intrusion detection (rkhunter, chkrootkit) │\n□ Install vulnerability scanner (lynis) │\n□ Configure malware scanning │\n└─────────────────────────────────────────────────────────────┘\n```\n\n## Implementation Scripts\n\n### Automated Hardening Script\n\nSee `resources/security-checklist.md` for the complete automated hardening script.\n\n### Manual Hardening Steps\n\n**Step 1: System Updates**\n\n```bash\n# Update system\napt-get update && apt-get upgrade -y\napt-get dist-upgrade -y\n\n# Remove unused packages\napt-get autoremove -y\napt-get autoclean\n\n# Install security tools\napt-get install -y fail2ban rkhunter chkrootkit lynis unattended-upgrades\n```\n\n**Step 2: User Management**\n\n```bash\n# Create admin user\nadduser admin\nusermod -aG sudo admin\n\n# Set password policy\ncat >> /etc/pam.d/common-password << EOF\npassword requisite pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1\nEOF\n\n# Lock unused accounts\nusermod -L games\nusermod -L lists\nusermod -L news\n```\n\n**Step 3: SSH Hardening**\n\n```bash\n# Backup SSH config\ncp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup\n\n# Configure SSH\ncat > /etc/ssh/sshd_config << 'EOF'\nPort 2222\nProtocol 2\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nMaxAuthTries 3\nX11Forwarding no\nClientAliveInterval 300\nClientAliveCountMax 2\nEOF\n\n# Restart SSH\nsystemctl restart sshd\n```\n\n**Step 4: Firewall Configuration**\n\n```bash\n# Configure UFW\nufw --force reset\nufw default deny incoming\nufw default allow outgoing\n\n# Allow SSH (custom port)\nufw allow 2222/tcp comment 'SSH'\n\n# Allow HTTP/HTTPS\nufw allow 80/tcp comment 'HTTP'\nufw allow 443/tcp comment 'HTTPS'\n\n# Enable UFW\nufw --force enable\n```\n\n### Phase 4: Validation\n\n**Verify hardening was successful:**\n\n```bash\n#!/bin/bash\n# Post-hardening validation\n\necho \"=== SSH Configuration ===\"\nsshd -T | grep -E \"^(port|permitrootlogin|passwordauthentication)\"\n\necho -e \"\\n=== Firewall Status ===\"\nufw status verbose\n\necho -e \"\\n=== Running Services ===\"\nsystemctl list-units --type=service --state=running | wc -l\necho \"services running\"\n\necho -e \"\\n=== Open Ports ===\"\nss -tulpn | grep LISTEN\n\necho -e \"\\n=== Security Tools Status ===\"\nsystemctl status fail2ban --no-pager\nsystemctl status auditd --no-pager\n\necho -e \"\\n=== Lynis Security Audit ===\"\nlynis audit system 2>&1 | grep -E \"(Warnings|Suggestions)\" | head -20\n```\n\n### Phase 5: Ongoing Maintenance\n\n**Regular security maintenance:**\n\n```yaml\n# Daily Tasks\n- Review security logs\n- Check failed login attempts\n- Verify backup completion\n\n# Weekly Tasks\n- Review system updates\n- Check intrusion detection alerts\n- Audit user accounts\n\n# Monthly Tasks\n- Run vulnerability scan (lynis)\n- Review firewall rules\n- Update security baseline\n- Test backup restoration\n\n# Quarterly Tasks\n- Full security audit\n- Review and rotate credentials\n- Update hardening scripts\n- Compliance review\n```\n\n## CIS Benchmark Compliance\n\n### Key CIS Controls\n\n**1. Account Policies:**\n\n```bash\n# Password expiration\nchage -M 90 -m 7 -W 14 username\n\n# Lock inactive accounts\nusermod -L -e 1 username\n```\n\n**2. Audit Configuration:**\n\n```bash\n# Enable auditd\nsystemctl enable auditd\nsystemctl start auditd\n\n# Configure audit rules\ncat >> /etc/audit/rules.d/hardening.rules << 'EOF'\n# Monitor user/group changes\n-w /etc/passwd -p wa -k identity\n-w /etc/group -p wa -k identity\n-w /etc/shadow -p wa -k identity\n\n# Monitor sudo\n-w /etc/sudoers -p wa -k sudoers\n\n# Monitor SSH\n-w /etc/ssh/sshd_config -p wa -k sshd\n\n# Monitor authentication\n-w /var/log/auth.log -p wa -k auth_log\nEOF\n```\n\n**3. File Permissions:**\n\n```bash\n# Secure sensitive files\nchmod 644 /etc/passwd\nchmod 640 /etc/shadow\nchmod 640 /etc/group\nchmod 600 /etc/ssh/sshd_config\n\n# Find world-writable files\nfind / -type f -perm -002 2>/dev/null\n\n# Find SUID binaries\nfind / -type f -perm -4000 2>/dev/null\n```\n\n## Security Monitoring\n\n### Log Monitoring\n\n```bash\n#!/bin/bash\n# Security log monitoring script\n\nLOG_FILE=\"/var/log/auth.log\"\n\necho \"=== Failed Login Attempts (Last 24h) ===\"\ngrep \"Failed password\" $LOG_FILE | since \"24 hours ago\" | wc -l\n\necho -e \"\\n=== Top IPs with Failed Logins ===\"\ngrep \"Failed password\" $LOG_FILE | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10\n\necho -e \"\\n=== Successful Logins (Last 24h) ===\"\ngrep \"Accepted\" $LOG_FILE | since \"24 hours ago\" | wc -l\n\necho -e \"\\n=== Sudo Usage (Last 24h) ===\"\ngrep \"sudo:\" $LOG_FILE | since \"24 hours ago\" | wc -l\n\necho -e \"\\n=== New User Accounts ===\"\ngrep \"useradd\" $LOG_FILE | tail -10\n\necho -e \"\\n=== SSH Key Changes ===\"\ngrep \"authorized_keys\" $LOG_FILE | tail -10\n```\n\n### Intrusion Detection\n\n```bash\n#!/bin/bash\n# Check for signs of compromise\n\necho \"=== Checking for Rootkits ===\"\nrkhunter --check --skip-keypress\n\necho -e \"\\n=== Checking for Malware ===\"\nchkrootkit\n\necho -e \"\\n=== Checking for Suspicious Processes ===\"\nps auxf | grep -v grep | grep -E \"(nc|netcat|nmap|masscan)\" || echo \"No suspicious processes\"\n\necho -e \"\\n=== Checking for Unusual Network Connections ===\"\nnetstat -antp | grep -E \"(ESTABLISHED|LISTEN)\" | grep -v \"127.0.0.1\"\n\necho -e \"\\n=== Checking for Modified Binaries ===\"\ndebsums -s 2>/dev/null || rpm -Va 2>/dev/null || echo \"Package verification not available\"\n\necho -e \"\\n=== Checking Cron Jobs ===\"\ncat /etc/crontab\nls -la /etc/cron.*\n```\n\n## Incident Response\n\n### Security Incident Checklist\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│ Security Incident Response │\n├─────────────────────────────────────────────────────────────┤\n│ IMMEDIATE ACTIONS │\n│ □ Isolate affected system │\n│ □ Preserve evidence (logs, memory dump) │\n│ □ Document timeline │\n│ □ Notify security team │\n├─────────────────────────────────────────────────────────────┤\n│ INVESTIGATION │\n│ □ Identify attack vector │\n│ □ Determine scope of compromise │\n│ □ Check for lateral movement │\n│ □ Identify affected data │\n├─────────────────────────────────────────────────────────────┤\n│ CONTAINMENT │\n│ □ Block attacker IPs │\n│ □ Rotate compromised credentials │\n│ □ Patch vulnerabilities │\n│ □ Remove malware/backdoors │\n├─────────────────────────────────────────────────────────────┤\n│ RECOVERY │\n│ □ Restore from clean backup │\n│ □ Verify system integrity │\n│ □ Re-enable services │\n│ □ Monitor for re-infection │\n├─────────────────────────────────────────────────────────────┤\n│ POST-INCIDENT │\n│ □ Document lessons learned │\n│ □ Update security controls │\n│ □ Report to stakeholders │\n│ □ Update incident response plan │\n└─────────────────────────────────────────────────────────────┘\n```\n\n## Implementation Resources\n\nRefer to the following resources in this skill for detailed implementations:\n\n- **`resources/cis-benchmarks.md`**: Complete CIS Benchmark implementation guide\n- **`resources/security-checklist.md`**: Comprehensive security checklist with scripts\n- **`resources/hardening-scripts/`**: Automated hardening scripts for different distributions\n\n## Compliance Frameworks\n\n### Supported Frameworks\n\n| Framework | Coverage | Documentation |\n|-----------|----------|---------------|\n| CIS Benchmarks | 95% | resources/cis-benchmarks.md |\n| NIST 800-53 | 80% | resources/nist-controls.md |\n| PCI DSS | 75% | resources/pci-dss.md |\n| HIPAA | 70% | resources/hipaa.md |\n| SOC 2 | 80% | resources/soc2.md |\n\n## Anti-Patterns\n\n**Avoid these hardening mistakes:**\n\n❌ **Hardening without backup** (always backup first)\n❌ **Applying all controls at once** (phase the rollout)\n❌ **Not testing after hardening** (verify functionality)\n❌ **Ignoring application requirements** (consider app needs)\n❌ **One-time hardening** (continuous process)\n❌ **No documentation** (document all changes)\n❌ **Skipping validation** (verify with scans)\n❌ **Ignoring updates** (regular patching required)\n\n## Success Metrics\n\n**Measure hardening effectiveness:**\n\n| Metric | Target | Measurement |\n|--------|--------|-------------|\n| CIS Score | > 90% | Lynis audit |\n| Critical Vulnerabilities | 0 | Vulnerability scan |\n| Failed Login Rate | < 10/day | Log analysis |\n| Patch Compliance | > 95% | Update audit |\n| Security Incidents | 0 | Incident tracking |\n\n## Tool Usage\n\n### Recommended Tools\n\n**Security Scanning:**\n- Lynis (system audit)\n- OpenVAS (vulnerability scan)\n- rkhunter (rootkit detection)\n- chkrootkit (rootkit detection)\n\n**Monitoring:**\n- OSSEC (HIDS)\n- Wazuh (SIEM)\n- Fail2ban (intrusion prevention)\n- Auditd (audit logging)\n\n**Compliance:**\n- CIS-CAT (CIS benchmark)\n- OpenSCAP (compliance scanning)\n- InSpec (compliance as code)","tags":["server","hardening","dolu","agents","skills","dolutech","agent-skills","opencode"],"capabilities":["skill","source-dolutech","skill-server-hardening","topic-agent-skills","topic-opencode","topic-skills"],"categories":["dolu-agents-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/dolutech/dolu-agents-skills/server-hardening","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add dolutech/dolu-agents-skills","source_repo":"https://github.com/dolutech/dolu-agents-skills","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 6 github stars · SKILL.md body (15,526 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:14:40.582Z","embedding":null,"createdAt":"2026-05-18T13:22:10.280Z","updatedAt":"2026-05-18T19:14:40.582Z","lastSeenAt":"2026-05-18T19:14:40.582Z","tsv":"'-002':951 '-1':572,574,576,578 '-10':289,302,1017,1063,1076 '-20':329,768 '-3':1010 '-4000':961 '-53':1299 '/bin/bash':203,684,969,1080 '/dev/null':327,953,963,1151,1155 '/etc/audit/rules.d/hardening.rules':874 '/etc/cron':1171 '/etc/crontab':1168 '/etc/group':886,938 '/etc/os-release':216 '/etc/pam.d/common-password':562 '/etc/passwd':249,880,932 '/etc/shadow':892,935 '/etc/ssh/sshd_config':601,606,908,941 '/etc/ssh/sshd_config.backup':602 '/etc/sudoers':900 '/tmp':421 '/var/log/auth.log':300,916,976 '/var/tmp':422 '0':1382,1398 '1':92,160,495,762,836,856 '10/day':1388 '127.0.0.1':1140 '14':570,848 '2':120,195,326,545,611,625,761,858,952,962,1150,1154,1310 '2222':609 '2222/tcp':656 '24':989,1030,1047 '24h':982,1024,1041 '3':140,335,568,593,619,923 '300':623 '4':633,677 '443/tcp':668 '5':770 '600':940 '640':934,937 '644':931 '7':846 '70':1307 '75':1304 '80':1300,1311 '80/tcp':663 '800':1298 '90':844,1377 '95':1295,1393 'accept':1026 'access':113,135,139,371 'accord':44 'account':184,242,247,364,582,800,837,852,1057 'action':154,1181 'addus':552 'admin':550,553,557 'affect':1183,1208 'ag':555 'aggreg':463 'ago':991,1032,1049 'alert':119,797 'allow':404,648,650,655,659,662,667 'alway':125,147,1323 'analysi':1390 'anti':1314 'anti-pattern':1313 'antp':1133 'app':1344 'appli':126,1326 'applic':108,1341 'apt':323,502,506,511,521,526,533 'apt-get':501,505,510,520,525,532 'assess':164,206 'assum':143 'attack':1197,1212 'attempt':785,980 'audit':79,426,459,757,759,798,820,859,871,1379,1395,1409,1428 'auditd':748,863,866,869,1427 'auth':920 'authent':115,386,391,914 'author':116,1071 'autoclean':528 'autom':38,480,488,1280 'automat':354 'autoremov':523 'auxf':1110 'avail':1160 'avoid':1316 'awk':1007 'backup':175,597,787,814,1225,1322,1324 'base':9,390 'baselin':86,197,199,205,812 'bash':202,498,548,596,636,683,839,861,926,968,1079 'benchmark':12,51,74,831,1270,1294,1435 'best':47 'binari':956,1147 'block':1211 'breach':144 'c':1013 'cat':215,248,561,605,873,1167,1433 'central':456 'chage':842 'chang':377,878,1069,1356 'check':332,782,794,1081,1087,1091,1098,1105,1127,1144,1164,1203 'check-upd':331 'checklist':36,168,341,344,1176,1276 'chkrootkit':277,470,539,1101,1416 'chmod':930,933,936,939 'cis':11,50,73,830,834,1269,1293,1375,1432,1434 'cis-cat':1431 'clean':1224 'clientalivecountmax':624 'clientaliveinterv':622 'code':1442 'comment':657,664,669 'complet':487,788,1268 'complianc':75,186,828,832,1286,1392,1430,1437,1440 'comprehens':4,34,1274 'compromis':1085,1202,1215 'config':599 'configur':87,171,353,369,387,394,398,408,428,441,453,455,461,475,603,635,637,691,860,870 'connect':181,1131 'consid':1343 'contain':1210 'continu':156,1350 'control':24,114,835,1246,1328 'core':90 'coverag':1291 'cp':600 'creat':172,549 'credenti':824,1216 'critic':1380 'cron':1165 'current':170 'custom':652 'daemon':460 'daili':777 'data':1209 'dcredit':571 'debsum':1148 'default':378,401,643,647 'defens':93 'deni':402,644 'depth':95 'detail':1265 'detect':468,796,1078,1415,1418 'determin':1199 'df':314 'differ':1284 'disabl':372,381,384,433,438 'disk':307,312 'dist':514 'dist-upgrad':513 'distribut':1285 'document':169,176,179,182,1190,1241,1292,1353,1354 'dpkg':270 'dss':1303 'dump':1189 'e':220,235,244,256,266,273,284,293,310,319,695,700,708,726,735,753,764,855,995,1019,1036,1053,1065,1096,1103,1115,1125,1135,1142,1162 'echo':209,219,234,243,255,265,278,283,292,303,309,318,689,699,707,722,725,734,752,977,994,1018,1035,1052,1064,1086,1095,1102,1120,1124,1141,1156,1161 'effect':1371 'enabl':399,425,445,458,671,675,862,865,1231 'enforc':365 'eof':563,579,607,626,875,922 'establish':84,198,1136 'everi':150,153 'evid':1186 'exist':70 'expir':841 'f':949,959 'fail':290,295,298,305,783,978,984,1000,1003,1385 'fail2ban':274,454,537,742,1424 'file':137,411,419,924,929,946,975,987,1006,1028,1045,1061,1074 'find':942,947,954,957 'firewal':102,397,634,702,808 'first':1325 'flood':447 'follow':338,1259 'forc':640,674 'forward':440 'framework':1287,1289,1290 'full':173,818 'function':1339 'game':585 'get':503,507,512,522,527,534 'getent':260 'grep':250,272,297,694,732,763,983,1002,1025,1042,1058,1070,1111,1113,1114,1134,1138 'group':261 'guid':1272 'h':315 'harden':3,7,29,41,106,157,163,167,201,336,340,343,376,481,489,492,595,680,687,826,1281,1318,1320,1337,1349,1370 'head':328,767,1016 'hid':1421 'hipaa':1306 'host':104 'hostnamectl':214 'hour':990,1031,1048 'http':665 'http/https':660 'https':670 'ident':884,890,896 'identifi':185,1196,1207 'idl':395 'ids/ips':103 'ignor':1340,1362 'immedi':1180 'implement':22,72,337,478,1254,1266,1271 'improv':18,66 'inact':851 'incid':83,1172,1175,1178,1240,1251,1397,1399 'incom':403,645 'industri':46 'infect':1237 'inform':208,211 'input':111 'inspec':1439 'instal':263,280,451,466,471,529,535 'integr':1228 'intrus':467,795,1077,1425 'investig':1195 'ip':439,998,1213 'ipv6':434 'isol':1182 'job':1166 'k':883,889,895,903,911,919 'kernel':442 'key':389,833,1068,1072 'key-bas':388 'keypress':1094 'l':271,584,587,590,721,854,993,1034,1051 'la':1170 'last':281,286,288,981,1023,1040 'later':1205 'latest':351 'layer':97 'lcredit':577 'learn':1243 'least':123 'lesson':1242 'limit':392,410 'linux':26,42 'list':226,324,588,714 'list-unit':225,713 'listen':733,1137 'lock':580,850 'log':118,152,427,429,450,457,462,781,921,966,971,974,986,1005,1027,1044,1060,1073,1187,1389,1429 'login':282,287,291,296,306,374,383,784,979,1001,1022,1386 'ls':1169 'lyni':474,540,755,758,806,1378,1407 'm':843,845 'mainten':189,772,775 'malwar':476,1100 'malware/backdoors':1220 'manag':361,547 'manual':491 'masscan':1119 'maxauthtri':618 'measur':1369,1374 'memori':1188 'metric':1368,1372 'minim':127,130,133,136 'minlen':569 'mistak':1319 'modifi':1146 'monitor':89,117,155,449,876,897,905,913,965,967,972,1233,1419 'month':801 'mount':420 'movement':1206 'multipl':96 'n':221,236,245,257,267,285,294,311,320,701,709,727,736,754,996,1020,1037,1054,1066,1097,1104,1126,1143,1163 'nc':1116 'need':1345 'netcat':1117 'netstat':1132 'network':100,134,180,431,1130 'never':145 'new':16,63,1055 'news':591 'nf':1009 'nist':1297 'nmap':1118 'no-pag':743,749 'noexec':424 'nologin':252 'notifi':1192 'ocredit':575 'one':1347 'one-tim':1346 'ongo':771 'open':232,237,728 'openscap':1436 'openva':1410 'ossec':1420 'outgo':649 'p':881,887,893,901,909,917 'packag':264,269,349,359,519,1157 'pager':745,751 'pam_pwquality.so':566 'paramet':444 'password':299,367,385,559,564,840,985,1004 'passwordauthent':614,698 'patch':107,1217,1365,1391 'pattern':1315 'pci':1302 'pend':316,321 'perm':950,960 'permiss':129,132,416,925 'permitrootlogin':612,697 'phase':159,194,334,676,769,1331 'plan':193,1253 'polici':368,560,838 'port':233,238,380,407,608,653,696,729 'post':686,1239 'post-harden':685 'post-incid':1238 'postur':20,68 'practic':48 'pre':162,166 'pre-harden':161,165 'prepar':76,191 'preserv':1185 'prevent':1426 'principl':91,121 'print':1008 'privileg':124 'process':1108,1123,1351 'product':64 'proper':415 'protect':448 'protocol':610 'provid':33 'ps':1109 'pubkeyauthent':616 'quarter':816 'rate':409,1387 're':1230,1236 're-en':1229 're-infect':1235 'recommend':1403 'recoveri':1221 'refer':1256 'regular':773,1364 'remov':357,517,1219 'remove/disable':362 'report':1247 'request':151 'requir':187,406,1342,1366 'requisit':565 'reset':641 'resourc':1255,1260 'resources/cis-benchmarks.md':1267,1296 'resources/hardening-scripts':1279 'resources/hipaa.md':1308 'resources/nist-controls.md':1301 'resources/pci-dss.md':1305 'resources/security-checklist.md':484,1273 'resources/soc2.md':1312 'respond':80 'respons':1173,1179,1252 'restart':627,630 'restor':815,1222 'retri':567 'review':779,791,807,821,829 'rkhunter':276,469,538,1090,1413 'rn':1015 'rollback':192 'rollout':1333 'root':373,382 'rootkit':1089,1414,1417 'rotat':430,823,1214 'rpm':1152 'rule':809,872 'run':177,217,222,231,710,719,724,803 'scan':477,805,1361,1384,1406,1412,1438 'scanner':473 'schedul':188 'scope':1200 'score':1376 'script':39,479,482,490,827,973,1278,1282 'secur':6,15,19,23,67,78,82,85,88,99,101,105,109,196,204,268,355,413,432,443,464,530,737,756,774,780,811,819,927,964,970,1174,1177,1193,1245,1275,1396,1405 'see':483 'sensit':418,928 'server':2,5,17,28,43,65,71,342 'server-harden':1 'servic':131,178,218,223,229,711,717,723,1232 'set':61,414,558 'siem':1423 'sign':1083 'sinc':988,1029,1046 'skill':30,32,56,59,1263 'skill-server-hardening' 'skip':1093,1357 'skip-keypress':1092 'soc':1309 'sort':1011,1014 'source-dolutech' 'ss':239,730 'ssh':375,379,594,598,604,628,651,658,690,906,1067 'sshd':631,692,912 'stakehold':1249 'start':868 'state':230,718 'status':703,705,739,741,747 'step':493,494,544,592,632 'strong':366 'success':682,1021,1367 'sudo':253,258,262,370,556,898,1038,1043 'sudoer':904 'suggest':766 'suid':955 'support':1288 'suspici':1107,1122 'syn':446 'system':27,138,174,207,210,345,412,496,500,760,792,1184,1227,1408 'systemctl':224,629,712,740,746,864,867 'tail':301,1062,1075 'target':1373 'task':778,790,802,817 'team':1194 'test':813,1335 'time':1348 'timelin':1191 'timeout':396 'tool':465,531,738,1401,1404 'top':997 'topic-agent-skills' 'topic-opencode' 'topic-skills' 'track':1400 'trust':142,146 'tulpn':240,731 'type':228,716,948,958 'ucredit':573 'ufw':275,638,639,642,646,654,661,666,672,673,704 'ufw/firewalld':400 'unam':212 'unattend':542 'unattended-upgrad':541 'uniq':1012 'unit':227,715 'unnecessari':358 'unus':363,518,581 'unusu':1129 'updat':317,322,333,346,347,356,497,499,504,793,810,825,1244,1250,1363,1394 'upgrad':325,508,515,543 'usag':308,313,1039,1402 'use':13,54,57,437 'user':128,183,241,246,254,259,360,546,551,799,1056 'user/group':877 'useradd':1059 'usermod':554,583,586,589,853 'usernam':849,857 'users/groups':393 'v':251,1112,1139 'va':1153 'valid':112,678,688,1358 'vector':1198 'verbos':706 'verif':1158 'verifi':148,149,679,786,1226,1338,1359 'version':352 'vulner':472,804,1218,1381,1383,1411 'w':847,879,885,891,899,907,915 'wa':882,888,894,902,910,918 'waf':110 'warn':765 'wazuh':1422 'wc':720,992,1033,1050 'week':789 'window':190 'without':1321 'workflow':8,35,158 'world':944 'world-writ':943 'writabl':945 'x11forwarding':620 'y':509,516,524,536 'yaml':776 'yes':617 'yum':330 'zero':141","prices":[{"id":"20f80304-fada-4203-bb31-6add92c13ab6","listingId":"bc0d7ed0-6145-4521-b0cd-3ce3f8c795a0","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"dolutech","category":"dolu-agents-skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:22:10.280Z"}],"sources":[{"listingId":"bc0d7ed0-6145-4521-b0cd-3ce3f8c795a0","source":"github","sourceId":"dolutech/dolu-agents-skills/server-hardening","sourceUrl":"https://github.com/dolutech/dolu-agents-skills/tree/main/skills/server-hardening","isPrimary":false,"firstSeenAt":"2026-05-18T13:22:10.280Z","lastSeenAt":"2026-05-18T19:14:40.582Z"}],"details":{"listingId":"bc0d7ed0-6145-4521-b0cd-3ce3f8c795a0","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"dolutech","slug":"server-hardening","github":{"repo":"dolutech/dolu-agents-skills","stars":6,"topics":["agent-skills","opencode","skills"],"license":"mit","html_url":"https://github.com/dolutech/dolu-agents-skills","pushed_at":"2026-03-21T12:00:55Z","description":"Dolu Agents Skills - Open-source collection of modular and extensible skills for AI agents.","skill_md_sha":"c440b0e8fdb89d79e0409a25fb56d3ac45b16317","skill_md_path":"skills/server-hardening/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/dolutech/dolu-agents-skills/tree/main/skills/server-hardening"},"layout":"multi","source":"github","category":"dolu-agents-skills","frontmatter":{"name":"server-hardening","description":"Comprehensive server security hardening workflows based on CIS Benchmarks. Use when securing new servers, improving security posture, or implementing security controls on Linux systems."},"skills_sh_url":"https://skills.sh/dolutech/dolu-agents-skills/server-hardening"},"updatedAt":"2026-05-18T19:14:40.582Z"}}