Linux Server Hardening

Complete Hardened Services Configuration

To help you get started with deriving your own hardened services policies, NNT have provided you with Hardened Services checklists. You can manually audit your server for compliance using the checklists provided below, changing service mode and state using the Windows Services Console (search or run -> services.msc). As ever, it pays to test application and service delivery as you apply hardening measures to ensure required functionality is preserved while security is improved. The file download contains Hardened Services Lists for Server 2016, Server 2012R2, Server 2008R2, Windows 10, RHEL 7 and CENTOS 7.

Please contact [email protected] with any questions or to get help with your hardening project.

Download The Complete Hardened Services Configuration

SYSTEM HARDENING VULNERABILITY MANAGEMENT

Linux Server Hardening

The Linux Paradigm

The beauty of Linux is that it is so accessible and freely available that it is easy to get up and running with very little training or knowledge. The web-based support community places all the tips and tutorials you’ll ever need to carry out any Linux set-up task or troubleshoot issues you may experience.

Finding and interpreting the right hardening checklist for your Linux hosts may still be a challenge so this guide gives you a concise checklist to work from, encompassing the highest priority hardening measures for a typical Linux server.

NNT Change Tracker Enterprise has been certified by the CIS to 100% accurately audit all RHEL, CentOS, Ubuntu, SUSE and other Linux, identifying where vulnerable configuration settings are present and explaining in plain English, how to mitigate them.

Account Policies

Access Security

Ensure SSH version 2 is in use
Disable remote root logons
Enable AllowGroups to permitted Group names only
Allow access to valid devices only
Restrict the number of concurrent root sessions to 1 or 2 only

Edit sshd.config to define SSHD policy parameters for your host and /etc/hosts.allow and /etc/hosts.deny to control access. Use /etc/securetty to restrict root access to tty1 or tty1 and tty2 only.

Secure Boot Only

Disable All Unnecessary Processes, Services, and Daemons

Each system is unique so it is important to review which processes and services are unnecessary for your server to run your applications.

Assess your server by running the ps –ax command and see what is running currently.

Similarly, assess the startup status of all processes by running a chkconfig –list command.

Disable any unnecessary services using the sysv-rc-conf service-name off

Restrict Permissions on Sensitive Files and Folders to root Only

Ensure the following folders are root access only

Disable SUID and SGID Binaries

Identify SUID and SGID files on the system: find / \( -perm -4000 -o -perm -2000 \) –print.

Render these files safe by removing the SUID or SGID bits using chmod –s filename

You should also restrict access to all compilers on the system by adding them to a new ‘compilers’ group.

chgrp compilers *cc*
chgrp compilers *++*
chgrp compilers ld
chgrp compilers as

Once added to the group, restrict permissions using a chmod 750 compiler

Implement Regular/Real-Time FIM on Sensitive Folders and Files

File integrity should be monitored for all files and folders to ensure permissions and files do not change without approval.

Standard guidance is to implement AIDE on Linux but a commercial Linux FIM solution like NNT Change Tracker can provide real-time FIM with Intelligent Change Control to reduce unwanted 'change noise'

Try it on your Linux Systems Now - Click Here

Configure Auditing on the Linux Server

General Hardening of Kernel Variables

Try it on your Linux Systems Now! Click Here

Receive NNT Threat Mitigation Kit to Automatically Harden Server Settings

NNT Products

Change Tracker™ Gen7 R2
Combine industry leading Device Hardening, File Integrity Monitoring, Change & Configuration Management, Security & Compliance Management into one easy to use solution!
NNT F.A.S.T. Cloud™ Threat Intelligence Integration
Automatically evaluate file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Threat Intelligence.
Log Tracker Enterprise™
Comprehensive and easy to use security information & event log management with intelligent and self-learning correlation technology to highlight potentially harmful activity in seconds.

USA Offices

New Net Technologies LLC

Naples
Suite #10115, 9128 Strada Place
Naples, Florida, 34108

Atlanta
1175 Peachtree St NE
Atlanta, Georgia, 30361.

Portland
4145 SW Watson, Suite 350
Beaverton, Oregon, 97005.

Tel: (919) 345-8350

[email protected]

UK Office

New Net Technologies Ltd

Rivers Lodge, West Common
Harpenden, Hertfordshire
AL5 2JD

Tel: 01582 287310

[email protected]

Connect

Information

Copyright 2018, New Net Technologies LLC. All rights reserved.
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.