20 ways to harden your server
Server hardening
Server hardening a technique to making it harder to break into the servers or systems. This is very important aspects to keep your critical data and device secure. Below are the 20 points a server or system administrator should take care of it.
- Uninstall any unneeded or unused services from your system. Because every extra service becomes your extra vulnerability.
- Disable unwanted communication ports.
- Similarly, do not install unnecessary software and applications in your server or system. Because the extra applications depend upon on additional services and additional ports and that’s means presence of some additional vulnerabilities.
- Keep your device security patches up to date. This is very crucial one. Whenever one OEM or vendor announces their security patch released information, the hackers behind the screen notices it as that announcement was gone on public domain. So immediately the hacker checks who have not patched till and penetrates those systems.
- The organization should disable any unneeded hardware and physical ports or devices.
- Implement BIOS password, so when someone gains access to your server and attempt to reboot the server, then no changes will be there.
- The wake on feature should be disabled in the server. So that no one can wake on server from network or outside of network.
- Avoid using insecure protocols that send your information or passwords in plain text and use data encryption for all your communication to and from server.
- When using Linux, SELinux should be considered. Linux server hardening is a primary focus for the web hosting industry, however in web hosting SELinux is probably not a good option as it often causes issues when the server is used for web hosting purposes.
- User Accounts should have very strong passwords and user should change the password on a regular basis and same passwords should not be reused. Implement strong password policy. Lock accounts after too many login failures. Often these login failures are illegitimate attempts to gain access to your system. Do not permit empty passwords.
- Implement SSH Hardening such as: set idle time out interval, limit the maximum authentication attempts, Disable X11 forwarding, disable empty passwords, etc.
- Disable direct root logins and switch to root from a lower level account only when necessary. Can Install Root Kit Hunter an unix-based tool that scans for rootkits, backdoors and possible local exploits.
- Configure the system firewall (Iptables) or get a software installed like CSF or APF. Proper setup of a firewall itself can prevent many attacks.
- Disable unwanted binaries and hide BIND DNS Sever Version and Apache version.
- Maintain server logs; mirror logs to a separate log server.
- You can Install Logwatch and review logwatch emails daily. Investigate any suspicious activity on your server.
- Use brute force and intrusion detection systems.
- Install Mod security as Webserver Hardening as well harden the php installation. Refer to (https://www.hardened-php.net/)
- Install Linux Socket Monitor to Detects/alerts when new sockets are created on your system, often revealing hacker activity in the network.
- Maintain regular back up of your server and system.
-DR
No comments:
Post a Comment