Server and System Hardening / Securing


The purpose of system hardening is to eliminate as many security risks as possible. This is typically done by removing all non-essential software programs and utilities from the computer. While these programs may offer useful features to the user, any program that can serve as a back door into the system must be removed during hardening.
Many servers online today are attacked thousands of times per hour, tens and sometimes hundreds of thousands of times each and every day. The best defense against such attacks is to make server hardening a well-established practice within your organization, or to outsource the task to an experienced and established server hardening agency.
Some common server hardening tips and tricks include:
– Use data encryption for your communications.
– Avoid insecure protocols that send your information or passwords in plain text.
– Minimize unnecessary software on your servers.
– Disable unwanted SUID and SGID binaries.
– Keep security patches and hotfixes up to date.
– Use security extensions where available.
– Enforce a complex password policy.
– Lock accounts after too many login failures.
– SSH hardening:
  — Change the port from the default to a non-standard one.
  — Disable direct root logins; switch to root from a lower-privileged account only when necessary.
– Disable unnecessary services, including IRC-related instances: BitchX, bnc, eggdrop, generic sniffers, guardservices, ircd, psyBNC, ptlink.
– Secure /tmp, /var/tmp and /dev/shm.
– Hide the BIND DNS server version and the Apache version.
– Harden sysctl.conf.
– Install Rootkit Hunter and chkrootkit.
– Minimize open network ports to only those your specific circumstances require.
– Configure the system firewall (iptables) or install a firewall front-end such as CSF or APF.
– Separate partitions in ways that make your system more secure.
– Disable unwanted binaries.
– Maintain server logs; mirror logs to a separate log server.
– Install Logwatch and review the Logwatch e-mails daily.
– Investigate any suspicious activity on your server.
– Use brute-force testing tools, Nessus, intrusion detection systems, penetration tests, etc.
– Install Linux Socket Monitor, which detects and alerts when new sockets are created on your system, often revealing attacker activity.
– Install mod_security as web server hardening.
– Limit user account access.
– Maintain physical server security.
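The SSH items in the list above (non-standard port, no direct root login, lock-out after repeated failures) can be checked mechanically. The shell script below is an added example, not code from the original post: it audits an sshd_config text read from stdin and reports each weak or default setting. The sample config at the bottom is constructed, not taken from a real host.

```shell
#!/bin/sh
# Audit an sshd_config (read from stdin) for the SSH hardening items above.

# Effective value of a directive. sshd honours the first occurrence, so we do
# too; commented-out lines are ignored and an absent directive prints nothing.
sshd_value() {
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !found { print $2; found = 1 }'
}

# Prints one finding per weak or default setting; returns the number of findings
# (0 means every check passed).
check_sshd_config() {
    cfg=$(cat)
    n=0
    val()  { printf '%s\n' "$cfg" | sshd_value "$1"; }
    flag() { echo "$1"; n=$((n + 1)); }

    [ "$(val PermitRootLogin)" = "no" ] \
        || flag "PermitRootLogin is not 'no': log in unprivileged and su/sudo to root"
    [ "$(val PasswordAuthentication)" = "no" ] \
        || flag "PasswordAuthentication is not 'no': prefer key-based logins"
    [ "$(val PermitEmptyPasswords)" != "yes" ] \
        || flag "PermitEmptyPasswords is 'yes'"
    port=$(val Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || flag "Port is the default 22: move sshd to a non-standard port"
    tries=$(val MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ] \
        || flag "MaxAuthTries is unset or above 3: limit failed attempts per connection"
    return "$n"
}

# Constructed sample: root login already disabled, everything else stock.
SAMPLE='Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no'

printf '%s\n' "$SAMPLE" | check_sshd_config
```

Run it against a live host with `check_sshd_config < /etc/ssh/sshd_config`; an exit status of 0 means no findings.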