Hardening

Alternatives to Bastille Linux: system hardening with Lynis

Bastille Linux is a great tool for hardening of Linux systems. With the project looking outdated (or even dead), there are new alternatives to Bastille. One example is hardening your system after...

Summary of Alternatives to Bastille Linux: system hardening with Lynis

Many people used Bastille Linux to harden their Linux systems. Unfortunately the website of Bastille seems very outdated, including the tool. This resulted in people searching for a great alternative to replace this tool. We found the alternative by actually combining different solutions, being more powerful. Security automation is hot, so forget Bastille and do it the right way. Automatic hardening makes sense Most system administrators can’t keep up with the new technologies and security threats.

Read the full article…

Are security hardening guides still useful?

With Linux and other Unix systems being decently hardened by default, would it make sense to invest a lot of time in reading hardening guides to harden your system?

Summary of Are security hardening guides still useful?

This was the big question we asked ourselves recently, when reading a few of them. With Linux and other Unix systems being decently hardened by default, would it still make sense to invest a lot of time to harden your system? Hardening guides Years ago both Windows and Linux were easy targets. A lot of system software was installed by default and these services were targeted often by malicious people and scripts.

Read the full article…

Do NOT use Linux hardening checklists for your servers

The solution to avoid using Linux hardening checklists for your servers is simple. With proper automation and regular checks, checklists could be avoided.

Summary of Do NOT use Linux hardening checklists for your servers

Quality is an interesting word. It describes, well, the quality of something. Quality is just another word for how well can you repeat something. The goal is to get each time exactly the same result. Whenever it’s a physical product, or rolling out a new Linux system, you want great quality. One method to increase quality is using checklists. However we strongly advice against using Linux hardening checklists.. But checklists are good, right?

Read the full article…

Find the alternatives: CIS-CAT auditing tool

Sometimes time or money is limited. We hunt to find great alternatives to commercial solutions. This time alternatives for the CIS auditing tool CIS-CAT.

Summary of Find the alternatives: CIS-CAT auditing tool

The Center for Internet Security, CIS for short, is the organization behind several in-depth hardening guides. The quality of these hardening guides is outstanding, with a high level of detail. This high level of detail has one downside: it costs a lot of time to read, try and test the recommendations. Sometimes we simply don’t have the time to do an extensive audit by hand. Let alone the time to actually repeat the auditing and hardening steps on a regular basis.

Read the full article…

FreeBSD hardening with Lynis

This article provides tips for FreeBSD hardening by using a powerful tool named Lynis. This script will perform an extensive audit to secure your systems.

Summary of FreeBSD hardening with Lynis

Lynis development has its roots on a FreeBSD system, therefore FreeBSD hardening is also easy and supported when using Lynis. People who want to audit and harden their FreeBSD system will discover Lynis to be a powerful tool for this purpose. In this article we will focus on how to audit your system with Lynis. Ports Lynis is available from the ports tree and usually the version is close or at the latest version.

Read the full article…

Hardening Guides and Tools for Red Hat Linux (RHEL)

Overview of tools and hardening guides to implement system hardening for Red Hat Linux. Also applies Fedora, CentOS and Scientific Linux systems.

Summary of Hardening Guides and Tools for Red Hat Linux (RHEL)

System hardening is an important part in securing computer networks. Each system should get the appropriate security measures to provide a minimum level of trust. In this post we have a look at some of the options when securing a Red Hat based system. This information applies to Red Hat Linux (RHEL), Fedora, CentOS, Scientific Linux and others. Red Hat Red Hat itself has a hardening guide for RHEL 4 and is freely available.

Read the full article…

Hiding the nginx version number

Security professionals usually don't advise to use "security through obscurity". Still, it's wise to hide the nginx version number.

Summary of Hiding the nginx version number

If you care about security, making your system “lean” is one very good start. Remove all clutter, like unused packages. It is part of system hardening and considered a good practice. This also applies to leaking of version numbers, which can only be harmful. Yes.. it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.

Read the full article…

How to deal with Lynis suggestions?

Auditing tool Lynis for Linux, guides administrators with discovering weaknesses. This article helps in dealing with Lynis suggestions displayed on screen.

Summary of How to deal with Lynis suggestions?

After finishing an audit with Lynis, the screen is usually filled with a lot of suggestions. Most users don’t know where to start with hardening and how to deal with these Lynis suggestions in particular. We provide you some tips! Before we start, we strongly suggest to use the latest version of Lynis. If you are using an outdated version from the software repositories, the output could be slightly different.

Read the full article…

How to secure a Linux system

Looking to secure your Linux system? This security guide shows you how to perform system hardening and run technical audits to keep it in optimal condition.

Summary of How to secure a Linux system

Every Linux system will benefit from more security, especially if it contains sensitive data. With so many resources available on the internet, one might think that securing Linux has become easy. We know it is not. Linux system hardening takes a good amount of understanding about how the Linux kernel works. It also requires a good understanding of the operating system principles. In this guide, we will help you to get this understanding and provide you with tips and tools.

Read the full article…

Linux hardening steps for starters

One of the myths is that Linux systems are secure by default. Even with a good foundation, some system hardening still needs to be done. This article will show you what and how.

Summary of Linux hardening steps for starters

Most systems have confidential data that needs to be protected. To safeguard this data, we need to secure our Linux system. But how to properly harden a Linux system? In this article, we will cover this step by step. We start by with physical security measures to prevent unauthorized people from access the system in the first place. Next is doing the installation the right way, so we have a solid foundation.

Read the full article…

Linux hardening with sysctl settings

The Linux kernel can be secured as well. Learn how system hardening principles can be applied using sysctl settings.

Summary of Linux hardening with sysctl settings

The GNU/Linux kernel powers a lot of systems, from big mainframes to the Android device in your pocket. If you want to achieve more security on your Linux systems, it would make sense to start hardening there, right? While securing the kernel looks easy at first sight, there is more to it than initially meets the eye. We will have a look at some kernel options and how to select the best sysctl values for Linux systems.

Read the full article…

Linux Security Guide for Hardening IPv6

Extensive guide to help you secure your IPv6 configuration on Linux. From initial set-up to hardening the kernel with sysctl.

Summary of Linux Security Guide for Hardening IPv6

Version 6 of Internet Protocol is now 20+ years available. You would think it is widely available now, right? Not exactly. Still many internet providers don’t have it deployed for their customers. Hosting companies are not always eager to deploy it either. Mostly because of lacking knowledge. To get at east more knowledge shared on the security side of IPv6, we have crafted this guide. Hopefully it will be a practical guide for your to configure and tune your configurations.

Read the full article…

Linux security guide: the extended version

Feeling overwhelmed with the options available to secure your Linux system? With this guide, we walk step-by-step through the option, tools, and resources.

Summary of Linux security guide: the extended version

Feeling overwhelmed with the resources available to secure your Linux system? With this Linux security guide, we walk step-by-step through the options, tools, and resources. After reading this article, you will be able to make educated decisions about what Linux security defenses to implement for your systems. You will be introduced to the right tools that help you automate and test your improvements. Instead, related articles and resources will be available in the text.

Read the full article…

Linux server security: Three steps to secure each system

Article about Linux server security and guidance for securing your Linux systems. Focus on auditing, hardening and compliance, to improve security defenses.

Summary of Linux server security: Three steps to secure each system

Determining the level of Linux server security can only by measuring the actual implemented security safeguards. This process is called auditing and focuses on comparing common security measures with the ones implemented. While there is almost no system with all possible safeguards implemented, we still can determine how well (or badly) the system is protected. Security is about finding the weakest link(s) and associate risk with each weakness. Depending on the role of the system, sensitivity of data and possible threats, we can then select what security safeguards are appropriate.

Read the full article…

Linux system hardening: adding hidepid to /proc mount point

The pseudo-filesystem /proc contains a lot of useful information for the system administrator. With the hidepid option we can restrict what users can see.

Summary of Linux system hardening: adding hidepid to /proc mount point

When looking in /proc you will discover a lot of files and directories. Many of them are just numbers, which represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this all information. This includes process information from other users. This could include sensitive details that you may not want to share with other users. By applying some file system configuration tweaks, we can change this behavior and improve the security of the system.

Read the full article…

Lock Down Strategies for Linux Servers

Strategies to properly lock down Linux systems, from networking to file integrity. With tips and techniques to select which strategy for locking down the system.

Summary of Lock Down Strategies for Linux Servers

Most of the security defenses on Linux, are based on the earlier performed hardening activities. By locking down components on the system, the chance of a full compromise is lowered. This step-by-step locking down is a time consuming process. Time to review some of the strategies which can be applied when you want to secure your systems. Strategy 1: Locking down processes The first area to lock down are system processes.

Read the full article…

OpenSSH security and hardening

The SSH configuration influences the security of your Linux system. This guide helps you to secure your OpenSSH server and client configuration.

Summary of OpenSSH security and hardening

SSH or Secure Shell is the popular protocol for doing system administration on Linux systems. It runs on most systems, often with its default configuration. As this service opens up a potential gateway into the system, it is one of the steps to hardening a Linux system. This article covers the SSH security tips to secure the OpenSSH service and increase the defenses of the system. OpenSSH security OpenSSH is under development by the security fanatics from the OpenBSD project.

Read the full article…

Postfix Hardening Guide for Security and Privacy

Learn how to secure the configuration of Postfix with this guide, and increase both security and privacy.

Summary of Postfix Hardening Guide for Security and Privacy

Postfix is a common software component on servers for receiving or sending email. It has a lot of configuration options available, including those to improve your Postfix security. This Postfix security and privacy guide will help with hardening your Postfix configuration. After you are finished, your system will have improved defenses against spam, abuse, and leaking sensitive data. Why Postfix hardening? Every service that is connected to the internet is sooner or later to be abused by automated scripts.

Read the full article…

Protect against the BEAST attack in Nginx

The BEAST attack showed up in 2011 and some servers are still vulnerable to it. With the right protocols, ciphers and preference, we can keep the BEAST out.

Summary of Protect against the BEAST attack in Nginx

What is this BEAST? BEAST, or “Browser Exploit Against SSL/TLS” is an attack against the cipher block chaining (CBC) method used with SSL/TLS. The weakness was discovered in 2002, but finally proven in 2011 by security researchers Thai Duong and Juliano Rizzo. With real proof of concept code, they showed it was no longer a theoretical attack. To successfully perform the BEAST attack, there are some conditions which needs to be met:

Read the full article…

Securing mount points on Linux

Since data is stored on file systems, appropriate measures should be taken to protect it. By securing mount points on Linux systems, we can improve the security of the system and data.

Summary of Securing mount points on Linux

Mount points are defined in /etc/fstab. They link a particular disk pointer to the related device (disk, partition or virtual device). By default the mount options are not focused on security, which gives us a room to further improve hardening of the system. This hardening is especially important considering our most precious data is stored here. Via mount options we can apply additional security controls to protect our data. Mount point example Let’s have a look at our /etc/fstab file.

Read the full article…

Security Automation for Linux: Are Humans Still Needed?

Machines are smarter, quicker and make less mistakes compared to humans. They might be the ultimate resource for security automation, securing our systems.

Summary of Security Automation for Linux: Are Humans Still Needed?

The problem with humans is that they are smart yet slow at the same time. They can’t react to simultaneous events and aren’t always working. Besides that, they make mistakes, have to deal with budgets and internal company politics. Information security is impacted by these effects as well. As you might have guessed the solution is in automation. SCAP (Security Content Automation Protocol) is one of the answers. Especially the automation part is interesting, as it can improve quality, decrease time efforts and remove the “boring” work.

Read the full article…

Security Defenses to Fortify your Linux Systems

Your Linux systems should be protected against common security attacks. By using 4 common techniques, we can fortify our systems like a real fortress.

Summary of Security Defenses to Fortify your Linux Systems

Create a Linux security fortress; implementing security defenses using towers, bridges, and guards. Still many companies have difficulties implementing basic security measures. Even after years of websites being defaced, and customer records stolen, the same mistakes are made over and over again. While this all might sound like an unsolvable situation, information security is getting attention from more people. If you are responsible for the system management of Linux systems, ignoring security is no longer an option.

Read the full article…

Security Integration: Configuration Management and Auditing

Configuration Management and Auditing. Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid...

Summary of Security Integration: Configuration Management and Auditing

Increased strength when combining tools for automation and security of IT environments Tools like Ansible, Chef, and Puppet are used a lot for rapid deployment and keeping systems properly configured. These tools in itself are great for ensuring consistency over your systems. So what is Configuration Management? Configuration management is the art of keeping systems properly configured. Usually companies start small, which equals manual configuration. Each time a new system is deployed, it is configured manually.

Read the full article…

Tiger is History, Long Live Modern Alternatives!

The tiger tool was known for a long time to help with auditing Unix-based systems. Fortunately there are new tools that are better maintained.

Summary of Tiger is History, Long Live Modern Alternatives!

Recently I saw some tweets showing up from an old friend: Tiger. Surprised to see it being promoted, as I know the tool for years, but never seen any new releases in the last years. Both are actually a shame. An outdated tool is usually of lower value. Promoting old tools might actually disappoint others and harm the initial trust in the software. History of Tiger In its day, the tool was quite good.

Read the full article…

Ubuntu system hardening guide for desktops and servers

Step by step guide to secure any Ubuntu desktop or server. Harden your Ubuntu during installation and afterwards with the available security tips.

Summary of Ubuntu system hardening guide for desktops and servers

The system hardening process of a system is critical during and after installation. It helps the system to perform its duties properly. This blog post shows you several tips for Ubuntu system hardening. It will dive into the most critical steps to take first. Then more specific hardening steps can be added on top of these. As most security guides only tell you what to do, we will also go into more detail on why a specific security measure is important.

Read the full article…

Using Open Source Auditing Tools as alternative to CIS Benchmarks

Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to...

Summary of Using Open Source Auditing Tools as alternative to CIS Benchmarks

An alternative to CIS Benchmarks and hardening guides Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and conduct system hardening. But who has the time to read it cover to cover, and apply every single step? In this article, we have a look at the alternative: open source auditing tools. Time.. Hardening is a time-consuming task. As security specialists, we know that.

Read the full article…

Why Linux security hardening scripts might backfire

We talk about the risks when using Linux security hardening scripts in this article. Hardening Linux with scripts might look like a nice idea, but is it?

Summary of Why Linux security hardening scripts might backfire

System administrators and engineers love to automate things. In the quest to get everything replaced by a script, automated hardening of systems is often requested. Unfortunately this automation might later backfire, resulting in a damaged trust in system hardening. Why System Hardening? The act of increasing system defenses is a good practice. It helps protecting your valuable data, so it can only be used by authorized people. System hardening itself consists of minimizing services and removing unneeded ones.

Read the full article…