Server Hardening

Linux Server Hardening – Best Practices & Examples

1. Disable Unused Services

  • Why: Reduce attack surface.

  • Command:

sudo systemctl list-units --type=service --state=running
sudo systemctl disable bluetooth.service
sudo systemctl stop bluetooth.service

2. SSH Hardening

  • Best Practices:

    • Disable root login

    • Use key-based authentication

    • Change default port

  • Practical Steps:
    Edit /etc/ssh/sshd_config:

Port 2222
PermitRootLogin no
PasswordAuthentication no

    Open the new port in the firewall (section 3) first, restart the service, and keep your current session open until a key-based login on the new port succeeds:

sudo systemctl restart sshd
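As an added example (not code from the original page), the POSIX sh functions below audit an sshd_config file for the three settings above the way sshd itself reads it: the first occurrence of a keyword wins, later duplicates are ignored, and anything below a Match line is conditional rather than global. The function names are my own; the check reads only the single file it is given and does not follow Include lines, so on a live host confirm the effective values with sudo sshd -T.

```shell
#!/bin/sh
# Added example: audit one sshd_config file for the three hardening settings.
# sshd keeps the FIRST value it sees for a keyword (later duplicates are
# ignored) and treats everything below a "Match" line as conditional, so a
# naive grep for the last occurrence can report the wrong effective value.
# This reads only the file it is given; it does not follow Include lines.

# sshd_effective FILE KEYWORD -> prints the globally effective value, lowercased,
# or nothing when the keyword is absent from the global section.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" { inmatch = 1 }  # rest of file is conditional
        !inmatch && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# sshd_default KEYWORD -> value sshd assumes when the keyword is absent
# (OpenSSH 7.0 and later).
sshd_default() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        permitrootlogin)        echo prohibit-password ;;
        passwordauthentication) echo yes ;;
        port)                   echo 22 ;;
        *)                      echo "" ;;
    esac
}

# check_sshd_hardening FILE -> prints one FAIL line per non-compliant setting;
# exit status 0 when all three match the hardening values, 1 otherwise.
check_sshd_hardening() {
    failed=0
    for pair in permitrootlogin=no passwordauthentication=no port=2222; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        [ -n "$got" ] || got=$(sshd_default "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: want %s, effective %s\n' "$key" "$want" "$got"
            failed=1
        fi
    done
    return "$failed"
}

# Usage on a real host: check_sshd_hardening /etc/ssh/sshd_config
```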

3. Firewall Setup

  • Use UFW (Ubuntu/Debian):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw enable

  • Use firewalld (RedHat/CentOS/Fedora):

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

    The default zone also permits the ssh service on port 22; remove that entry once logins on the new port are confirmed.

4. Enable Automatic Security Updates

  • Debian/Ubuntu:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

  • RedHat-based:

sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

5. Audit System Logs

  • Install and configure auditd:

sudo apt install auditd audispd-plugins
sudo systemctl enable --now auditd

  • Example Audit Rule:
    Track writes and attribute changes to /etc/shadow:

sudo auditctl -w /etc/shadow -p wa -k shadow_changes

    Rules loaded with auditctl are lost at reboot; put the same rule in a file under /etc/audit/rules.d/ to make it permanent. The -k key lets you pull matching events out of the audit log with ausearch.

6. Intrusion Detection

  • Tool: AIDE (Advanced Intrusion Detection Environment)

sudo apt install aide
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

7. Manage User Accounts and Privileges

  • Audit users:

cut -d: -f1 /etc/passwd

  • Lock inactive accounts:

sudo usermod -L olduser

  • Limit sudo usage:
    Only allow needed users in /etc/sudoers (edit it with visudo, which syntax-checks the file before saving) or in the sudo group.

8. Disable IPv6 (if unused)

  • Example:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

    sysctl -w changes the running kernel only; put the same keys in a file under /etc/sysctl.d/ so they survive a reboot.

9. Enforce Strong File Permissions

  • Example: /etc/shadow should be readable by no one but root:

sudo chmod 000 /etc/shadow
sudo chown root:shadow /etc/shadow

    Distributions package /etc/shadow differently (Debian-based systems ship it as 0640 root:shadow, RedHat-based ones as 0000 root:root); match your distribution so that package updates and integrity checks do not keep flagging the file.

10. Security Tools

  • Fail2Ban: Protect from brute force

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

    The default sshd jail watches port 22; if you moved SSH to 2222 as above, set that port for the sshd jail in jail.local or the bans will never trigger.

Windows Server Hardening – Best Practices & Examples

1. Use Strong Password Policy

  • Group Policy Path:
    Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy

    • Enforce password history: 24

    • Minimum password length: 14

    • Maximum password age: 60

    • Lockout duration: 15 minutes (this setting lives in the neighbouring Account Lockout Policy node)

2. Disable Unused Services

  • Use PowerShell:

Get-Service | Where-Object {$_.Status -eq 'Running'}
Stop-Service -Name 'Fax' -Force
Set-Service -Name 'Fax' -StartupType Disabled

3. Configure Windows Defender Firewall

  • Example:

New-NetFirewallRule -DisplayName "Allow RDP" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

    As written this rule accepts RDP from any address; scope it with -RemoteAddress to the management subnet or VPN range (see RDP Hardening below) so port 3389 is not exposed to every network.

4. Enable BitLocker Encryption

  • Use Group Policy or run:

manage-bde -on C: -RecoveryPassword

    Record the recovery password the command prints (or escrow it to Active Directory via Group Policy) before the next reboot; without it a locked volume cannot be recovered.

5. Enable and Monitor Event Logging

  • Enable Audit Policies:
    Group Policy → Security Settings → Advanced Audit Policy Configuration

    • Audit Logon Events

    • Audit Object Access

    • Audit Privilege Use

  • Review logs using Event Viewer

6. Disable SMBv1

  • Command (a restart is required for the change to take effect):

Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"

7. RDP Hardening

  • Enable NLA (Network Level Authentication)

  • Limit RDP users to a secure group

  • Use Duo 2FA or Remote Desktop Gateway

  • Restrict via IP (firewall rule or VPN)

8. Least Privilege Access

  • Use Group Policy to restrict:

    • Access to cmd, powershell, registry tools

    • Disable local admin accounts

  • Configure User Rights Assignment:

    • Deny logon locally: Guests, unused accounts

    • Logon as a service: only specific service accounts

9. Install Windows Defender ATP or EDR Tools

  • Configure real-time protection, cloud-delivered protection, tamper protection.

10. Apply CIS Benchmarks