Checklists – System is Hacked – Part 2 – Preventive Steps for Infra (OS Hardening)

In last article we described List of Checks which can determine if system is compromised or hacked .  In this article we will talk about preventive steps (specially infra related) can be taken care to avoid hacking or to make system more secure  . There are many directions in which we can secure our application  as follows : 

• OS hardening (Infra Level Security)
• Secure Coding guidelines
• Encryption Of Sensitive Data  . 
• Ensure No Vulnerability exists in system . 

In this Blog we will be concerned about OS hardening (Infra Level Security) in Linux systems(CentOS/Redhat). We will Cover Other parts in Future Blogs .

Now Let’s go to the System Part. It has following things to be taken care of : 

• SSH Configuration :  
  • In linux based system SSH default port is 22 . This Defaut port should be changed to some unused port to enhance security .  
  • Use SSH Protocol 2 Version
  • Ensure SSH X11 forwarding is disabled
• Port Configuration at Firewall :  Generally , in any application there are many applications running on set of servers and each running on some different ports , Say for example : 
  • Application server at  8080 port
  • Database Server at 5432 port

So,  as in above Case Users need to login through 8080 port so only this port should be opened for public as Database needs to interact generally with application server so 5432 port should be allowed from Application Server’s IP  . 

• Multi Factor Authentication for SSH should be enabled   —  For setting up Google Authentication on CentOS or Redhat you can follow the link
• Root login for any server must be disabled 
• Server Login Policies 
  • Ensure password expiration is 365 days or less 
  • Ensure minimum days between password changes is 7 or more 
  • Ensure password expiration warning days is 7 or more 
  • Ensure inactive password lock is 30 days or less 
  • Ensure Password should be strong enough when user change its password
• Application and Database should be on different Servers  :  this is because of that if due to some vulnerability  application hacked than acces to database in that case is protected  . 
• Regular package updates   :  Configure Auto update or regularly update packages on all configured servers .
• Tune Network Kernel Parameters :
  • IP forwarding should be disabled on all servers  
    • Do the following entry in sysctl.conf 
      • net.ipv4.ip_forward = 0
  • Packets Redirecting  should be diabled on all servers . 
    • Do the following entry in sysctl.conf 
      • net.ipv4.conf.all.send_redirects = 0
      • net.ipv4.conf.default.send_redirects = 0

• Selinux should be enabled and configured . 
• Antivirus must  be installed on all servers . 

All Above are basic minimum checklists which should be applied to all the servers in any production environment . For implementing in-depth OS Hardening specially for CentOS based Systems , one need to follow the latest CIS CentOS Benchmarklatest CIS . 

You can also check the below benchmark list from CIS for CentOS hardening : Below doc also explain how to implement things on CentOS .

cis_centos_linux_7_benchmark_v2.2.0Download

For Other Operating Systems/Technologies follow the CIS benchmark link.  

In Our Future blog we will explain other parts like Secure Code guidelines , Encryption , VAPT scan etc  to make system more secure . 

Stay tuned . 

Advertisement