Securing Server
Server Hardening
1. Protect the BIOS with PW
During the boot process you can set the password by entering the BIOS.
2. Protect GRUB with PW
# vi /boot/grub/grub.conf
passwd=grubpasswd
3. Disable root login: PermitEmptyPasswords no
4. Allow specific user to login: AllowUsers alex
5. Change ssh port to 9222: port = 9222 (don't forget to open this port)
6. Use ssh protocol 2: Protocol 2
7. Give admin user admin permission
visudo
%wheel ALL=(ALL) ALL
wheel:x:10:alex
8. Disable unused services to start at boot
# ntsysv
9. Disable reboot by Ctrl+Alt+Del
# vi /etc/init/control-alt-delete.conf
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
10. Enable firewall
# afterwards, check it with this cmd: iptables -L
11. Set SELinux to enforcing
# setenforce 1
# getenforce
Enforcing
11. Check file system permission and adapt if necessary. Sticky bit should be set on /tmp
drwxrwxrwt. 3 root root 4096 Jul 24 03:30 tmp
drwxr-xr-x. 4 root root 4096 Jul 23 23:58 home
dr-xr-x---. 3 root root 4096 Jul 24 00:03 root
12. Set welcome and prevention message
# cat > /etc/issue
This service is restricted to authorized users only. All activities on this system are logged.
Unauthorized access will be fully investigated and reported to the appropriate law
enforcement agencies.
Ctrl+D to quit
13. Disable local login except the root account
touch /etc/nologin
14. Lock ssh users after 3 failed login attempts
# echo "auth required pam_tally2.so deny=3 onerr=fail unlock_time=600" >> /etc/pam.d/sshd
pam_tally2.so uses the file /var/log/tallylog as a counter for the failed logins; if you wish
to check the counter you can use the command pam_tally2
[root@nuke]# pam_tally2
15. Enforce password policy
Prevent Reusing Old Passwords
sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Set Minimum Password Length
sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10
Set Password Complexity
sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
Set Password Expiration Period
sudo vi /etc/login.defs
It can also be done on a per-user basis:
sudo chage -l xmodulo
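
An audit script for the checklist above, added here as an example and not part of the original document: it checks the sshd directives from steps 3-6, the /tmp sticky bit and the pam_tally2 lockout line. The function names and the sample config are constructed for illustration; file paths are passed as arguments so it can be run against copies of the real files.

```shell
#!/bin/sh
# Added example, not the author's script: audit some of the checklist's settings.

# Print the first value set for KEY in an sshd_config-style file (sshd keeps the
# first value it reads; keywords are case-insensitive; "Key = value" is accepted).
sshd_value() {  # sshd_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line ~ /^[A-Za-z]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ", line)
          n = split(line, f, /[ \t]+/) }
        tolower(f[1]) == tolower(key) {
            out = f[2]
            for (i = 3; i <= n; i++) if (f[i] != "") out = out " " f[i]
            print out; exit
        }' "$1"
}

# Compare one directive with the value the checklist sets; report a mismatch.
expect() {  # expect FILE KEY WANT
    got=$(sshd_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: want '$3', got '${got:-<unset>}'"
    return 1
}

# Audit the sshd directives from steps 3-6; exit status = number of failures.
audit_sshd() {  # audit_sshd FILE
    fails=0
    expect "$1" PermitEmptyPasswords no || fails=$((fails + 1))
    expect "$1" Port 9222               || fails=$((fails + 1))
    expect "$1" Protocol 2              || fails=$((fails + 1))
    [ -n "$(sshd_value "$1" AllowUsers)" ] ||
        { echo "FAIL AllowUsers: not set"; fails=$((fails + 1)); }
    return "$fails"
}

# The sticky bit must be set on world-writable directories such as /tmp.
has_sticky() { [ -d "$1" ] && [ -k "$1" ]; }

# Is a pam_tally2 auth line with deny=N present in the PAM file?
pam_lockout_ok() {  # pam_lockout_ok FILE N
    grep -Eq "^[[:space:]]*auth[[:space:]].*pam_tally2\.so.*[[:space:]]deny=$2([[:space:]]|\$)" "$1"
}

# Constructed sample config (not from a real host) so the script runs offline.
demo=$(mktemp)
printf '%s\n' 'PermitEmptyPasswords no' 'AllowUsers alex' 'port = 9222' 'Protocol 2' >"$demo"
audit_sshd "$demo" && echo "sshd sample matches the checklist"
```

On a live host the same functions would be called as `audit_sshd /etc/ssh/sshd_config`, `has_sticky /tmp` and `pam_lockout_ok /etc/pam.d/sshd 3`.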