SSL
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers.
Server Hardening
Server hardening is a general system hardening process that involves securing the data, ports, components, functions, and permissions of a server using advanced security measures at the hardware, firmware, and software layers.
Some Famous Server Hardening techniques in linux
- Use Strong and Unique Passwords:-
Strong passwords form the basis of any secure server. If possible, these should feature a minimum length of at least 10 characters, plus requirements for using special characters or upper and lowercase letters. The same password should never be used for multiple users or software systems. Don’t forget to configure expiration, as no password can provide adequate security indefinitely.
- Generate an SSH Key Pair:-
Secure shell (SSH) key pairs, in particular, are worth implementing because these systems are far more difficult to hack through brute force.
Command:- ssh-keygen -t rsa
- Update Your Software Regularly:-
Properly managing your Linux server security includes implementing regular software patches to address emerging vulnerabilities.
Command:- sudo apt update
- Enable Automatic Updates:-
Enabling automatic updates ensures that software security measures remain current, even when you neglect to pursue necessary updates because you’re occupied by other concerns.
Command:- sudo apt-get install unattended-upgrades
- Avoid Unnecessary Software:-
New software can be tempting to implement, but not all web services are truly necessary. Each additional program provides yet another opportunity to expose your server to potential problems down the road.
Disable Booting from External Devices:-
Malicious parties can easily use external devices such as USB thumb drives to gain access to sensitive information. Disabled booting for external devices may reduce the potential for physical attacks, which can be just as damaging as hacking. Without this extra step, many security layers can be circumvented easily.
- Close Hidden Open Ports:-
Open ports may reveal network architecture information while extending attack surfaces. Therefore, ports that aren’t absolutely essential should be closed with haste. The netstat command can be used to determine which ports are listening while also revealing the details of connections that may currently be available.
- Perform Security Audits:-
Without regular audits, it’s impossible to know where gaps exist or how they can be addressed to ensure that your server remains fully protected.
*Some Famous Server Hardening Techniques in Windows
*
- Organizational Security
- Maintain an inventory record for each server that clearly documents its baseline configuration and records each change to the server.
- Thoroughly test and validate every proposed change to server hardware or software before making the change in the production environment.
- Regularly perform a risk assessment. Use the results to update your risk management plan and maintain a prioritized list of all servers to ensure that security vulnerabilities are fixed in a timely manner.
- User Account Security Hardening
- Ensure your administrative and system passwords meet password best practices. In particular, verify that privileged account passwords are not be based on a dictionary word and are at least 15 characters long, with letters, numbers, special characters and invisible (CTRL ˆ ) characters interspersed throughout. Ensure that all passwords are changed every 90 days.
- Configure account lockout Group Policy according to account lockout best practices.
- Disallow users from creating and logging in with Microsoft accounts.
- Disable the guest account.
- Do not allow “everyone” permissions to apply to anonymous users.
- Do not allow anonymous enumeration of SAM accounts and shares.
- Disable anonymous SID/Name translation.
- Promptly disable or delete unused user accounts.
- Network Security Configuration
- Enable the Windows firewall in all profiles (domain, private, public) and configure it to block inbound traffic by default.
- Perform port blocking at the network setting level. Perform an analysis to determine which ports need to be open and restrict access to all other ports.
- Restrict the ability to access each computer from the network to Authenticated Users only.
- Do not grant any users the 'act as part of the operating system' right.
- Deny guest accounts the ability to log on as a service, a batch job, locally or via RDP.
- If RDP is utilized, set the RDP connection encryption level to high.
- Remove Enable LMhosts lookup.
- Disable NetBIOS over TCP/IP.
- Remove ncacn_ip_tcp.
- Configure both the Microsoft Network Client and the Microsoft Network Server to always digitally sign communications.
- Disable the sending of unencrypted passwords to third-party SMB servers.
- Do not allow any shares to be accessed anonymously.
- Allow Local System to use computer identity for NTLM.
- Disable Local System NULL session fallback.
- Configure allowable encryption types for Kerberos.
- Do not store LAN Manager hash values.
- Set the LAN Manager authentication level to allow only NTLMv2 and refuse LM and NTLM.
- Remove file and print sharing from network settings. File and print sharing could allow anyone to connect to a server and access critical data without requiring a user ID or password.
**PHP Hardening
**PHP can be hardened manually as well as with patching protocols. Below we highlight the steps you’ll want to take to make sure that your PHP installation is as locked down as possible.
- Locate the PHP Config File You’re Hardening on Your Server
- Editing the File on Shared Hosting
- Editing the File on Dedicated/VPS servers
- Use a Patch like Suhosin to Harden PHP Almost Instantly
Engineered specifically to provide an advanced layer of protection to PHP installations, the Suhosin patch is a dual action component that provides a level of hardening that may not be possible through any other manual approach.
Database Hardening
Database hardening is the process of analyzing and configuring your database to address security vulnerabilities by applying recommended best practices and implementing security product sets, processes and procedures.
- Deploy physical database security
- Separate database servers
- Set up an HTTPS proxy server
- Avoid using default network ports
- Use real-time database monitoring
- Use database and web application firewalls
- Deploy data encryption protocols
- Create regular backups of your database
- Keep applications up to date
- Use strong user authentication
Flood Attack Hardening
Flood attacks are also known as Denial of Service (DoS) attacks. In a flood attack, attackers send a very high volume of traffic to a system so that it cannot examine and allow permitted network traffic.
- Installing an IPS to detect anomalous traffic patterns.
- If capability exists, configure the onsite firewall for SYN Attack Thresholds and SYN Flood protection.
- Installing up to date networking equipment that has rate-limiting capabilities.
- Installing commercial tools to gain visibility across the entire network with the ability to see and analyze traffic from different parts of the network.
**Firewall
**A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.
Windows Firewall
Windows Firewall is a Microsoft Windows application that filters information coming to your system from the Internet and blocking potentially harmful programs. When using a public network, Windows Firewall can also secure the system by blocking all unsolicited attempts to connect to your computer.
Linux Firewall
A Linux firewall is a device that inspects Network traffic ( Inbound /Outbound connections ) and makes a decision to pass or filter out the traffic.
- Iptables
iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.
Firewalld
firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take actions based on a set of defined rules applied against incoming/outgoing packets.UFW
UFW, or uncomplicated firewall, is a frontend for managing firewall rules in Arch Linux, Debian, or Ubuntu. UFW is used through the command line (although it has GUIs available), and aims to make firewall configuration easy (or, uncomplicated).CSF
Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections. CSF includes UI integration for cPanel,DirectAdmin and Webmin.
Top comments (1)
You bring up some great points about using strong passwords, limiting privileges, and keeping software updated. Those are certainly foundational steps every organization should take.
Going beyond that, I would emphasize the criticality of taking a layered defense approach. Relying on just one control like passwords or firewalls creates single points of failure. Combining technical controls, policies, audits, logging, and staff training makes security much more robust.