Server Hardening: The Checklist
Server hardening means installing a new server securely and then maintaining the security and integrity of the operating system and the application software running on it. If you plan to run a Virtual Private Server (VPS) or a dedicated server, prepare a server hardening checklist and work through it before you put a website on that machine.
If you run a *nix-based server (the large majority of Internet-facing servers), start with /etc/host.conf and sysctl hardening: the resolver and kernel settings in those files control how the system behaves under hostile network traffic as well as how well it performs. Beyond those tunings and keeping security patches current, the items below are what to review while hardening a server.
* Enable an SSH banner (legal warning shown on connect).
* Secure the SSH daemon in sshd_config (disable root login, change the default port, prefer key-based authentication).
* Disable Apache and BIND (named) version disclosure (ServerTokens Prod and ServerSignature Off; version "none" in the named.conf options block).
* Disable dangerous PHP functions through disable_functions in php.ini (exec(), system(), shell_exec(), passthru() and the like) and turn expose_php off.
* Disable or remove unneeded default system accounts.
* Disable insecure cPanel scripts (if applicable).
* Adjust WHM/cPanel settings for security.
* Install a port monitor (PMON).
* Set up Brute Force Detection (BFD).
* Set up a firewall (APF or KISS).
* Set up rootkit hunters (chkrootkit and rkhunter).
* Install Process Resource Monitor (PRM).
* Disable or remove shell accounts (if applicable).
* Disable unused system services.
* Harden /etc/host.conf (resolver lookup order and anti-spoofing options).
* Restrict permissions on compilers and download utilities (gcc, wget, lynx, GET, etc.) so unprivileged accounts cannot use them.
* Secure temporary directories (/tmp, /var/tmp, /dev/shm, etc.), typically by mounting them noexec,nosuid,nodev.
* Disable telnet; use SSH only.
* Tune logwatch to report security-relevant events.
* Enable kernel-level DoS/DDoS and SYN flood mitigations (net.ipv4.tcp_syncookies and related sysctl settings).
* Install System Integrity Monitor (SIM).
* Install the Tripwire intrusion detection system (tracks moved or edited files on the system).
* Install a file integrity checker (Samhain).
* Install smartd (monitors S.M.A.R.T. reliability data from hard drives).
* Install mod_security for Apache.
* Install mod_evasive (formerly mod_dosevasive) for Apache.
* Install mod_perl for Apache only if your application needs it; it is not a hardening control by itself.
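The checklist items that are plain configuration edits (hardening sshd_config, the sysctl settings behind SYN flood protection, disabling dangerous PHP functions, hiding the Apache version string) can be applied idempotently from one small POSIX shell script. The following is an added example, not code from the original post or from any of the tools it names. The Port value 2222 and the list of disabled PHP functions are assumptions chosen for illustration, and the script edits whatever file paths you pass it, so run it against copies (as the demo does, in a temporary directory with constructed sample files) and review the diff before touching /etc. One caveat specific to sshd_config: the first occurrence of a directive wins, and anything after a Match block belongs to that block, so the helper replaces the first existing line in place instead of appending to the end.

```shell
#!/bin/sh
# Added example (not from the original post): apply several checklist items
# to config files idempotently. Operates only on the paths you pass in.
set -eu

# set_directive FILE KEY VALUE [SEP]
# Replace the first KEY line (active, or commented out with # or ;) in place
# with "KEY<SEP>VALUE", drop any later duplicates, and append the line only if
# the file had none. Re-running it leaves exactly one authoritative line.
set_directive() {
  file=$1 key=$2 value=$3 sep=${4:- }
  awk -v key="$key" -v line="${key}${sep}${value}" '
    {
      l = $0; sub(/^[#; \t]*/, "", l)
      if (index(l, key) == 1 && substr(l, length(key) + 1) ~ /^[ \t=]/) {
        if (!done) { print line; done = 1 }
        next
      }
      print
    }
    END { if (!done) print line }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# directive_value FILE KEY
# Print the value of the first active (uncommented) KEY line, with the
# separator stripped; sshd honours the first occurrence, so that is what counts.
directive_value() {
  awk -v key="$2" '
    index($0, key) == 1 {
      rest = substr($0, length(key) + 1)
      if (rest ~ /^[ \t=]/) { sub(/^[ \t]*=?[ \t]*/, "", rest); print rest; exit }
    }' "$1"
}

harden_sshd() {    # $1 = sshd_config. Port 2222 is an arbitrary example value.
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" Port 2222
}

harden_sysctl() {  # $1 = sysctl.conf. SYN cookies plus basic anti-spoofing.
  set_directive "$1" net.ipv4.tcp_syncookies 1 " = "
  set_directive "$1" net.ipv4.conf.all.rp_filter 1 " = "
  set_directive "$1" net.ipv4.conf.all.accept_redirects 0 " = "
  set_directive "$1" net.ipv4.icmp_echo_ignore_broadcasts 1 " = "
}

harden_php() {     # $1 = php.ini. The function list is an assumption; adjust to your apps.
  set_directive "$1" disable_functions "exec,passthru,shell_exec,system,proc_open,popen" " = "
  set_directive "$1" expose_php Off " = "
}

harden_apache() {  # $1 = httpd.conf. Stops Apache advertising its version.
  set_directive "$1" ServerTokens Prod
  set_directive "$1" ServerSignature Off
}

demo() {  # Constructed sample configs in a temp dir; prints the before/after diffs.
  d=$(mktemp -d)
  printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPort 22\nX11Forwarding no\n' > "$d/sshd_config"
  printf 'net.ipv4.tcp_syncookies = 0\nkernel.sysrq = 0\n' > "$d/sysctl.conf"
  printf '; constructed php.ini\nexpose_php = On\ndisable_functions =\n' > "$d/php.ini"
  printf 'ServerTokens OS\nServerSignature On\n' > "$d/httpd.conf"
  for f in sshd_config sysctl.conf php.ini httpd.conf; do cp "$d/$f" "$d/$f.orig"; done
  harden_sshd "$d/sshd_config";  harden_sysctl "$d/sysctl.conf"
  harden_php "$d/php.ini";       harden_apache "$d/httpd.conf"
  for f in sshd_config sysctl.conf php.ini httpd.conf; do
    diff -u "$d/$f.orig" "$d/$f" || true   # diff exits 1 when files differ
  done
  rm -rf "$d"
}

demo
```

After copying hardened files into place, validate before reloading: `sshd -t` then reload sshd (keep your current session open until you have confirmed a new login works on the new port), `sysctl -p`, and `apachectl configtest` before restarting Apache. The script covers only the config-file items; the monitoring tools (PMON, BFD, PRM, APF) and the integrity checkers (Tripwire, Samhain, rkhunter) on the list still have to be installed separately.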