Checklists – System is Hacked – Part 2 – Preventive Steps for Infra (OS Hardening)

In the last article we described a list of checks that can determine whether a system is compromised or hacked. In this article we will talk about preventive steps (especially infra-related) that can be taken to avoid hacking or to make the system more secure. There are several directions in which we can secure our application:

  • OS hardening (Infra Level Security)
  • Secure Coding guidelines
  • Encryption of Sensitive Data
  • Ensure No Vulnerability Exists in the System

In this blog we are concerned with OS hardening (infra-level security) on Linux systems (CentOS/Redhat). We will cover the other parts in future blogs.

Now let’s go to the system part. The following things need to be taken care of:

  • SSH Configuration:
    • In Linux-based systems the default SSH port is 22. This default port should be changed to some unused port to enhance security.
    • Use SSH protocol version 2
    • Ensure SSH X11 forwarding is disabled
  • Port Configuration at Firewall: Generally, an application consists of several services running on a set of servers, each on a different port. For example:
    • Application server on port 8080
    • Database server on port 5432

So, in the above case, users need to log in through port 8080, so only this port should be open to the public. The database generally needs to interact only with the application server, so port 5432 should be allowed from the application server’s IP.

  • Multi-factor authentication for SSH should be enabled: for setting up Google Authentication on CentOS or Redhat you can follow the link
  • Root login for any server must be disabled
  • Server Login Policies
    • Ensure password expiration is 365 days or less
    • Ensure minimum days between password changes is 7 or more
    • Ensure password expiration warning days is 7 or more
    • Ensure inactive password lock is 30 days or less
    • Ensure the password is strong enough when a user changes their password
  • Application and database should be on different servers: if the application is hacked due to some vulnerability, access to the database is still protected.
  • Regular package updates: configure auto update or regularly update packages on all configured servers.
  • Tune Network Kernel Parameters:
    • IP forwarding should be disabled on all servers
      • Make the following entry in sysctl.conf
        • net.ipv4.ip_forward = 0
    • Packet redirect sending should be disabled on all servers.
      • Make the following entries in sysctl.conf
        • net.ipv4.conf.all.send_redirects = 0
        • net.ipv4.conf.default.send_redirects = 0
  • SELinux should be enabled and configured.
  • Antivirus must be installed on all servers.
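An added example (not part of the original post) that audits copies of sshd_config, login.defs and sysctl.conf against the SSH, password-policy and kernel-parameter items above. The `PermitRootLogin no` check is an assumed reading of "root login must be disabled", the function names and sample file contents are constructed, and an unset key is reported as a failure so that each setting is explicit.

```shell
# Added example (not the post's code): audit config files against the checklist.
# get MODE FILE KEY: "first" = sshd keeps a keyword's first occurrence;
# "last" = later sysctl.conf entries override (login.defs treated alike here).
get() {
  awk -v mode="$1" -v k="$3" '
    { sub(/#.*/, ""); gsub(/=/, " ") }          # drop comments, allow KEY=VAL
    tolower($1) == tolower(k) { v = $2; if (mode == "first") exit }
    END { print v }' "$2"
}

# expect DESCRIPTION VALUE OP WANTED: unset or non-matching values fail.
expect() {
  if [ -n "$2" ] && [ "$2" "$3" "$4" ] 2>/dev/null; then
    echo "PASS $1 ($2)"
  else
    echo "FAIL $1 (found: ${2:-unset})"; fails=$((fails + 1))
  fi
}

# audit SSHD_CONFIG LOGIN_DEFS SYSCTL_CONF: prints results, returns fail count.
audit() {
  fails=0
  expect "SSH port is not 22"      "$(get first "$1" Port)" -ne 22
  expect "SSH protocol 2"          "$(get first "$1" Protocol)" = 2
  expect "X11 forwarding disabled" "$(get first "$1" X11Forwarding)" = no
  expect "root SSH login disabled" "$(get first "$1" PermitRootLogin)" = no
  expect "password max age <= 365" "$(get last "$2" PASS_MAX_DAYS)" -le 365
  expect "password min age >= 7"   "$(get last "$2" PASS_MIN_DAYS)" -ge 7
  expect "expiry warning >= 7"     "$(get last "$2" PASS_WARN_AGE)" -ge 7
  for k in net.ipv4.ip_forward net.ipv4.conf.all.send_redirects \
           net.ipv4.conf.default.send_redirects; do
    expect "$k = 0" "$(get last "$3" "$k")" -eq 0
  done
  return "$fails"
}

# Constructed sample files (not from a real host); three checks fail on them.
make_samples() {
  printf '%s\n' 'Port 2222' 'Protocol 2' 'X11Forwarding yes' \
    'PermitRootLogin no' > "$1/sshd_config"
  printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 7' \
    'PASS_WARN_AGE 7' > "$1/login.defs"
  printf '%s\n' 'net.ipv4.ip_forward = 0' \
    'net.ipv4.conf.all.send_redirects = 0' > "$1/sysctl.conf"
}

d=$(mktemp -d) && make_samples "$d"
audit "$d/sshd_config" "$d/login.defs" "$d/sysctl.conf" || echo "$? check(s) failed"
rm -rf "$d"
```

On a live host, pass /etc/ssh/sshd_config, /etc/login.defs and /etc/sysctl.conf (reading sshd_config normally needs root); `Match` blocks and included files are not followed.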

All of the above are the basic minimum checklists that should be applied to all servers in any production environment. For implementing in-depth OS hardening, especially for CentOS-based systems, one needs to follow the latest CIS CentOS Benchmark.

You can also check the benchmark list from CIS for CentOS hardening; that document also explains how to implement these settings on CentOS.

For other operating systems/technologies, follow the CIS benchmark link.

In our future blogs we will explain the other parts, such as secure coding guidelines, encryption, VAPT scans, etc., to make the system more secure.

Stay tuned.

11 thoughts on “Checklists – System is Hacked – Part 2 – Preventive Steps for Infra (OS Hardening)”

  1. Thanks for a marvelous posting! I certainly enjoyed reading it, you may be a great author. I will ensure that I bookmark your blog and may come back down the road. I want to encourage you continue your great work, have a nice day!

  2. I have figured out some new elements from your web page about computer systems. Another thing I’ve always presumed is that laptop computers have become a product that each family must have for many reasons. They provide convenient ways in which to organize the home, pay bills, go shopping, study, tune in to music and in many cases watch tv shows. An innovative strategy to complete these tasks is a notebook computer. These personal computers are mobile, small, robust and easily transportable.

  3. Thanks for revealing your ideas. One thing is that college students have a selection between fed student loan along with a private student loan where it can be easier to go for student loan consolidation than with the federal education loan.

  4. Thanks for the new stuff you have exposed in your short article. One thing I would like to touch upon is that FSBO connections are built after a while. By releasing yourself to the owners the first weekend their FSBO is actually announced, before the masses commence calling on Wednesday, you create a good network. By giving them resources, educational components, free reports, and forms, you become an ally. By using a personal desire for them plus their situation, you develop a solid link that, on many occasions, pays off once the owners opt with an adviser they know and also trust – preferably you.

  5. Hi there, You’ve done an excellent job. I will certainly digg it and in my view suggest to my friends. I am sure they will be benefited from this web site.

  6. I’m very happy to find this page. I need to thank you for ones time due to this wonderful read!! I definitely savored every part of it and I also have you book-marked to see new things on your site.

  7. Wow that was unusual. I just wrote an extremely long comment but after I clicked submit my comment didn’t show up. Grrrr… well I’m not writing all that over again. Anyways, just wanted to say wonderful blog!
