Server Hardening Checklist



This is a checklist for hardening a server. There is more to security than just that, but it helps to check off all the items :).

Checklist

  • Only install required software or remove excess packages and services.
  • Audit running services and remove configuration items not required.
  • Limit network access to services by using host-based firewalls or TCP wrappers, among others.
  • Restrict access to the server to the users that need it. Check boot loader, console and remote access.
  • Modify mount options to apply the principle of least privilege.
  • Scan for special file permissions such as SUID.
  • Install file system intrusion detection such as AIDE or Tripwire and regularly review reports.
  • Configure syslog to ship logs to a centralized location.
  • Ensure time is kept in sync (important for postmortem analysis).
  • Install virus checkers and spam detection for mail.
  • Install security updates regularly.
  • Enable auditd and configure it to report the important activities.
  • Enable Mandatory Access Control (MAC) such as SELinux or AppArmor among others.
  • Audit the system regularly!
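
For the mount-options item, one way to check a host against a least-privilege mount policy. This is an added example, not part of the original checklist. The POLICY entries (which mount points need nosuid, nodev and noexec), the function names audit_mounts and audit_sample, and the sample mount table are assumptions made for illustration.

```shell
# Added example: check mount options against a least-privilege policy.
# POLICY is an assumption for illustration: "mountpoint required,options".
POLICY='/tmp nosuid,nodev,noexec
/var/tmp nosuid,nodev,noexec
/dev/shm nosuid,nodev,noexec
/home nosuid,nodev'

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime,nosuid,nodev 0 0'

# audit_mounts [FILE]: reads a mount table (default /proc/mounts), prints one
# finding per line, returns 1 if any policy entry is unmet and 0 otherwise.
audit_mounts() {
    printf '%s\n' "$POLICY" | awk -v mf="${1:-/proc/mounts}" '
        BEGIN {
            # Field 2 is the mount point, field 4 the options; later lines win.
            while ((getline line < mf) > 0) {
                split(line, f, " ")
                opts[f[2]] = f[4]
            }
        }
        !($1 in opts) {
            print "MISSING " $1 " is not a separate mount"
            bad = 1
            next
        }
        {
            # Compare whole comma-delimited tokens so a substring cannot match.
            n = split($2, want, ",")
            for (i = 1; i <= n; i++)
                if (index("," opts[$1] ",", "," want[i] ",") == 0) {
                    print "WEAK " $1 " lacks " want[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    '
}

# audit_sample: run the audit over the constructed sample above.
audit_sample() {
    f=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    rc=0; audit_mounts "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
```

Calling audit_mounts with no argument reads /proc/mounts on the running host; the non-zero return status makes it usable from cron or a configuration-management check.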