2014-11-06 Michael BoelenHardening, Storage Leave a comment

Securing mount points on Linux

Securing mount points Mount points are defined in /etc/fstab. They link a particular disk pointer to the related device (disk, partition or virtual device). By default the mount options are not focused on security, which gives us a room to further improve hardening of the system. This hardening is especially important considering our most precious data is stored here. Via mount options we can apply additional security controls to protect our data. Mount points Let’s have a look at our […]

2014-11-01 Michael BoelenAuditing, Automation, Configuration Management, Hardening, Lynis, Monitoring, Software, System Administration Leave a comment

Alternatives to Bastille Linux: system hardening with Lynis

System hardening with Lynis Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats. […]

2014-10-28 (last updated at September 17th, 2016) Michael BoelenAutomation Leave a comment

Security Automation for Linux: Are Humans Still Needed?

Security automation for Linux: Are humans still needed? The problem with humans is that they are smart yet slow at the same time. They can’t react to simultaneous events and aren’t always working. Besides that, they make mistakes, have to deal with budgets and internal company politics. Information security is impacted by these effects as well. As you might have guessed the solution is in automation. SCAP (Security Content Automation Protocol) is one of the answers. Especially the automation part is interesting, […]

2014-08-27 (last updated at April 5th, 2017) Michael BoelenHardening, Software 3 comments

Protect against the BEAST attack in Nginx

Protect against the BEAST attack in Nginx What is this BEAST? BEAST, or “Browser Exploit Against SSL/TLS” is an attack against the cipher block chaining (CBC) method used with SSL/TLS. The weakness was discovered in 2002, but finally proven in 2011 by security researchers Thai Duong and Juliano Rizzo. With real proof of concept code, they showed it was no longer a theoretical attack. To successfully perform the BEAST attack, there are some conditions which needs to be met: Vulnerable version of […]

2014-07-24 (last updated at October 20th, 2014) Michael BoelenAuditing, Compliance, Hardening Leave a comment

Do NOT use Linux hardening checklists for your servers

Do NOT use Linux hardening checklists for your servers Quality is an interesting word. It describes, well, the quality of something. Quality is just another word for how well can you repeat something. The goal is to get each time exactly the same result. Whenever it’s a physical product, or rolling out a new Linux system, you want great quality. One method to increase quality is using checklists. However we strongly advice against using Linux hardening checklists.. But checklists are […]

2014-07-18 (last updated at October 20th, 2014) Michael BoelenAuditing, Lynis Leave a comment

How to deal with Lynis suggestions?

How to deal with Lynis suggestions? After finishing an audit with Lynis, the screen is usually filled with a lot of suggestions. Most users don’t know where to start with hardening and how to deal with these Lynis suggestions in particular. We provide you some tips! Before we start, we strongly suggest to use the latest version of Lynis. If you are using an outdated version from the software repositories, the output could be slightly different. The latest version can […]

2014-07-12 (last updated at October 20th, 2014) Michael BoelenAuditing, Software 3 comments

Are security hardening guides still useful?

Are security hardening guides still useful? This was the big question we asked ourselves recently, when reading a few of them. With Linux and other Unix systems being decently hardened by default, would it still make sense to invest a lot of time to harden your system? Hardening guides Years ago both Windows and Linux were easy targets. A lot of system software was installed by default and these services were targeted often by malicious people and scripts. Then hardening […]

2014-07-03 (last updated at January 30th, 2016) Michael BoelenWeb Leave a comment

Hiding the Nginx version number

Hiding the Nginx version number If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking of version numbers, which can only be harmful. Yes.. it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon. […]

2014-06-12 (last updated at January 30th, 2015) Michael BoelenAuditing, Hardening, Linux

Hardening Guides and Tools for Red Hat Linux (RHEL)

Hardening Guides and Tools for Red Hat Linux (RHEL) System hardening is an important part in securing computer networks. Each system should get the appropriate security measures to provide a minimum level of trust. In this post we have a look at some of the options when securing a Red Hat based system. This information applies to Red Hat Linux (RHEL), Fedora, CentOS, Scientific Linux and others. Red Hat Red Hat itself has a hardening guide for RHEL 4 and […]

2014-05-30 (last updated at July 7th, 2018) Michael BoelenHardening Leave a comment

Linux hardening steps for starters

Most systems have confidential data that needs to be protected. To safeguard this data, we need to secure our Linux system. But how to properly harden a Linux system? In this article, we will cover this step by step. We start by with physical security measures to prevent unauthorized people from access the system in the first place. Next is doing the installation the right way, so we have a solid foundation. Finally, we will apply a set of common […]

2014-05-03 (last updated at October 20th, 2014) Michael BoelenAuditing, Compliance, Hardening, Lynis

Linux server security: Three steps to secure each system

Linux server security: Three steps to secure each system Determining the level of Linux server security can only by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associate risk with each weakness. Depending on the […]

2014-04-09 (last updated at October 20th, 2014) Michael BoelenAuditing, FreeBSD, Hardening, Lynis

FreeBSD hardening with Lynis

FreeBSD hardening with Lynis Lynis development has its roots on a FreeBSD system, therefore FreeBSD hardening is also easy and supported when using Lynis. People who want to audit and harden their FreeBSD system will discover Lynis to be a powerful tool for this purpose. In this article we will focus on how to audit your system with Lynis. Lynis Lynis is an open source audit tool. It only requires root access and a normal shell and the tool is […]

«12