{"id":7227,"date":"2020-03-04T09:12:43","date_gmt":"2020-03-04T09:12:43","guid":{"rendered":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/?p=7227"},"modified":"2020-03-04T09:18:15","modified_gmt":"2020-03-04T09:18:15","slug":"discover-the-top-15-server-security-practices","status":"publish","type":"post","link":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/","title":{"rendered":"Discover the Top 15 Server Security Practices"},"content":{"rendered":"<p>In this article, we present the best server security practices. Since security is a challenging subject for everyone, it is often ignored, and many get caught unaware when an issue occurs. These best practices can help you lower the risk of being compromised by a malicious actor.<\/p>\n<h3>1. Be Alert. Teach Yourself.<\/h3>\n<p>The first and foremost thing you can do to enhance your server security is to always be alert about it. It is similar to locking your doors at night or making sure the windows of your car are rolled up. These practices show that you are cautious about the possibility of being compromised.<\/p>\n<p>This doesn\u2019t mean that you should always be logged in to your server monitoring the logs or constantly blocking connections in the firewall. Your life doesn\u2019t revolve only around your WooCommerce store or blogging platform of choice. But if your business is your bread and butter, then its security should be a significant part of your day. It is recommended to think broadly about security and set up a good plan in advance to hold attackers back. So, ensure that your crucial data is locked down and accessible only to the few people you trust.<\/p>\n<p>It\u2019s a fact that we don\u2019t know what we don\u2019t know. Read that again carefully\u2026<\/p>\n<p>This means that if you don\u2019t know what question to ask, you will miss something. No, you don\u2019t need to be a security expert. 
But yes, you are the one responsible for staying alert and securing your business.<\/p>\n<p>Some of you might be paying for managed services and so you might think: why should I be alert?<\/p>\n<p>Remember, security is a shared concern. That means both you and MilesWeb have to stay alert. Hence, educate yourself.<\/p>\n<h3>2. Physical Security<\/h3>\n<p><strong>a. Limit Server Access<\/strong><\/p>\n<p>You can restrict access to the server by using the iptables firewall, which is available on most Linux servers. With APF (Advanced Policy Firewall), you can easily manage your iptables firewall rules. A more advanced option is CSF (ConfigServer Firewall), which also controls iptables but comes with a more robust feature set. The idea here is to block any unused open ports in your server firewall, so that only the ports your server actually needs are reachable by other hosts. Additionally, you can enable cPHulk\u2019s brute force protection via WHM to automatically block users that repeatedly fail to log in to the running services with invalid credentials.<\/p>\n<p>Your first step towards server security is to limit physical access to the server. The main question that arises is about your server\u2019s location. Is your server located in a basement, or is it secured in a data center with verified virtual and physical policies and procedures that concentrate on the physical integrity of the server?<\/p>\n<p>Below are some of the questions that should be asked prior to housing your server:<\/p>\n<ol>\n<li>Who can physically access my server? The monitoring team? Yes. Someone from accounting? No! Not good. Knowing in advance who can touch the server answers a lot of questions.<\/li>\n<li>How does your hosting provider handle access control? Keycards or fobs? Biometrics? Or those neat retinal and palm print scanners seen in the movies? 
Based on your security requirements, these and other solutions may be implemented.<\/li>\n<li>Lastly, how does your host log and test these systems? Do they have defined policies and procedures that can be reviewed? Do they follow NIST standards? These are only some of the questions that can be asked when gathering information about the servers\u2019 physical security.<\/li>\n<\/ol>\n<h3>3. Secure Connections<\/h3>\n<p><strong>a. VPN<\/strong><\/p>\n<p>A VPN or Virtual Private Network creates a secure \u201ctunnel\u201d or pipe from your computer to a secured network across an unsecured network such as the internet. All traffic is securely routed through the tunnel. Since a VPN takes you into your business network, it must be considered your first layer of security.<\/p>\n<p>So, always use a VPN.<\/p>\n<p><strong>b. SSH<\/strong><\/p>\n<p>When access to the server via a command line (terminal) is required, an SSH (Secure Shell) connection is used. This connection creates a secure pipe for your data to travel through, so the integrity of your data is protected while it passes over an unsecured network like the internet. Does it route all of your traffic through this connection like a VPN does? No. Only the information sent via the terminal from your computer to the server is secured. Alternatively, you can use SSH inside a VPN to add a second layer of protection to your data connection.<\/p>\n<p><strong>c. Fail2Ban<\/strong><\/p>\n<p>Fail2Ban is server software that reviews specific log files and blocks IPs that show signs of malicious behavior. Generally, valid login attempts take just a couple of tries to access the server (and where SSH keys are used, no more than one). 
If a server sees multiple unsuccessful logins within a given time, it indicates an attempt at malicious access.<\/p>\n<p>Fail2Ban then updates the firewall rules to block the suspect IP addresses for a specified amount of time (although other actions can also be taken). It ships with a default set of filters for services such as apache and ssh.<\/p>\n<p>You can monitor several protocols using Fail2Ban, including HTTP, SSH, and SMTP. By default, however, Fail2Ban only monitors SSH. That alone is a helpful security restriction for any server, since the SSH daemon is usually configured to run continuously and listen for connections from any remote IP address.<\/p>\n<p><strong>d. Restrict Root Access<\/strong><\/p>\n<p>Restrict SSH to a limited subset of users. This can be done by adding the following lines to the \/etc\/ssh\/sshd_config file:<\/p>\n<pre class=\"lang:default decode:true \">PermitRootLogin no\r\nProtocol 2<\/pre>\n<p>Then add the ssh users group to \/etc\/ssh\/sshd_config:<\/p>\n<pre class=\"lang:default decode:true \">AllowGroups sshusers<\/pre>\n<p><strong>e. SSH Keys<\/strong><\/p>\n<p>With SSH keys you can disable password-based SSH login for accessing the server as the root user, so you no longer need to use a root password. This gives you an additional layer of security when connecting to the server. SSH keys are far more secure than just using a password. Additionally, SSH keys let users create a cryptographically secure keypair, which stores unique connection information locally on your computer and on the server.<\/p>\n<p>SSH key pairs are generated cryptographically; in particular, the larger the key size, the more secure it is. For your information, the smallest key size is 1024 bits and the maximum is 4096 bits. Also, the number of entropy bits depends on the algorithm used, e.g. RSA.<\/p>\n<p><strong>f. 
Alternate SSH Ports<\/strong><\/p>\n<p>For further security, you can change the port on which SSH listens to a random port. Usually, port 22 is used by SSH, but it is recommended to use a port in the range 32768 to 61000. IANA suggests using ports 49152 to 65535. With this being said, relying on security through obscurity is not an effective means of fighting off incursions on its own.<\/p>\n<p><strong>g. SFTP<\/strong><\/p>\n<p>When you transfer files to and from the server, you should use SFTP (secure FTP). With SFTP, you connect to the server in a secure way, similar to the way SSH is used. Many FTP clients such as FileZilla or WinSCP have excellent support for this connection type.<\/p>\n<p><strong>h. SSL<\/strong><\/p>\n<p>You should ensure that SSL certificates are used across all domains and services on the server. In this way, even connections that seem less important are secured.<\/p>\n<p><strong>i. Email<\/strong><\/p>\n<p>Email is still one of the primary attack vectors used by malicious actors. Attackers use this medium widely because millions of people use email to communicate. Today, almost everyone is aware of the dangers of opening an unknown email, but it is still an issue in several companies. This can be reduced with continuous security training and reinforcement of security policies.<\/p>\n<p>MilesWeb offers SpamExperts to protect your email account from spam mails.<\/p>\n<p><strong>j. Secure Application Logins<\/strong><\/p>\n<p>Some of the typical applications you access on your server are WordPress, email, cPanel, and webmail. 
It is possible to configure the connection method for each service so that no information is transmitted in plain text between your computer and the server.<\/p>\n<p><em>Insecure Application Logins<\/em><\/p>\n<p>You can access these default server applications from any web browser, and your credentials are passed in plaintext when they are accessed from any of these insecure URLs:<\/p>\n<ul>\n<li>cPanel \u2013 http:\/\/example.com\/cpanel<\/li>\n<li>cPanel \u2013 http:\/\/example.com:2082<\/li>\n<li>WHM \u2013 http:\/\/example.com:2086<\/li>\n<li>WHM \u2013 http:\/\/serverIP#:2086<\/li>\n<li>Webmail \u2013 http:\/\/example.com\/webmail<\/li>\n<\/ul>\n<p><em>Secure Application Logins<\/em><\/p>\n<p>These same services can be accessed on your server over https so that your credentials are encrypted in transit. For that, use these URLs:<\/p>\n<ul>\n<li>cPanel \u2013 https:\/\/example.com:2083<\/li>\n<li>WHM \u2013 https:\/\/example.com:2087<\/li>\n<li>Webmail \u2013 https:\/\/example.com:2096<\/li>\n<\/ul>\n<p>Just log into WHM, go to Tweak Settings &gt;&gt; Redirection and turn on Always redirect to SSL to force all cPanel applications to use https by default.<\/p>\n<h3>4. Make Use of Strong Passwords<\/h3>\n<p>This is the first security measure for most services on your server. You should always use a strong password for anything that has access to the server. Check the guidelines below for securing your server.<\/p>\n<p><strong>a. Use Password Management Software<\/strong><\/p>\n<p>NIST recommends using a password manager for the storage and dissemination of passwords. With such software, you can use stronger and more secure passwords every day. Below are some of the password managers suggested by reviewers for generating strong passwords:<\/p>\n<ul>\n<li>Lastpass<\/li>\n<li>Dashlane<\/li>\n<li>1Password<\/li>\n<li>KeePassXC<\/li>\n<li>Keeper<\/li>\n<li>Bitwarden<\/li>\n<\/ul>\n<p><strong>b. 
Use A Passphrase Instead of a Password<\/strong><\/p>\n<p>When selecting a password, it is often better to use an altered phrase or a passphrase which is easy to remember but hard to guess. Check this example: <strong>T0 3Rr 1$ Hum@N<\/strong>, <strong>t0<\/strong> <strong>F0rg1v3 D1v1n3!<\/strong><\/p>\n<p>As per an expert, it would take a computer about <strong>2 SEXDECILLION YEARS<\/strong> to crack the above passphrase (a sexdecillion is 10<sup>51<\/sup>, a 1 followed by 51 zeros, or on the British long scale 10<sup>96<\/sup>, a 1 followed by 96 zeros).<\/p>\n<p><strong>c. Expire Passwords After X Time<\/strong><\/p>\n<p>To check when a password expires, use the chage command, which lists and changes the password aging information for a Linux user account. Use chage -l to list the information for a user, and chage -M to set the number of days before the password must be changed again:<\/p>\n<pre class=\"lang:default decode:true \">[root@host ~]# chage -l user\r\nLast password change : Jan 01, 2019\r\nPassword expires : never\r\nPassword inactive : never\r\nAccount expires : never\r\nMinimum number of days between password change : 0\r\nMaximum number of days between password change : 90\r\nNumber of days of warning before password expires : 7\r\n\r\n[root@host ~]# chage -M 90 user\r\nLast password change : Jan 1, 2019\r\nPassword expires : March 1, 2019\r\nPassword inactive : never\r\nAccount expires : never\r\nMinimum number of days between password change : 0\r\nMaximum number of days between password change : 90\r\nNumber of days of warning before password expires : 7\r\n[root@host ~]#<\/pre>\n<p><strong>d. Password Policy Requirements<\/strong><\/p>\n<p>Make sure you follow the latest NIST standards for your password policy.<\/p>\n<p><strong>e. Define what passwords NOT to use<\/strong><\/p>\n<p>Remember, don\u2019t use words that are commonly found in a dictionary. Also avoid using well-known places, people\u2019s names, events or pet names. 
Never reuse passwords, and don\u2019t use adjacent keyboard strings of characters either.<\/p>\n<h3>5. Turn Off All Unwanted Services<\/h3>\n<p><strong>a. Audit Services<\/strong><\/p>\n<p>With service auditing, you can discover which services are actively running on the server, the protocols they use and the ports they listen on. Keeping these factors in mind helps to reduce the attack surface of the system.<\/p>\n<p>Certain services are enabled by default on most servers. They let you use several features available on the server, but if you don\u2019t need these extra features, you should disable them. To find these services, execute the commands below on a RedHat based system; you get output like the following:<\/p>\n<p><em>Redhat\/CentOS Enabled Services<\/em><\/p>\n<pre class=\"lang:default decode:true\">systemctl list-unit-files | grep enabled<\/pre>\n<pre class=\"lang:default decode:true\">[root@host ~]# systemctl list-unit-files | grep       enabled\r\nvar-lib-snapd-snap-core-7917.mount             enabled\r\nvar-lib-snapd-snap-hello\\x2dworld-29.mount     enabled\r\nvar-lib-snapd-snap-snapcraft-3440.mount    enabled\r\nacpid.service       enabled\r\nauditd.service      enabled\r\nautovt@.service     enabled\r\ncrond.service     enabled\r\ndbus-org.fedoraproject.FirewallD1.service   enabled\r\nfirewalld.service    enabled\r\ngetty@.service    enabled\r\nirqbalance.service    enabled\r\nmicrocode.service    enabled\r\nNetworkManager-wait-online.service    enabled\r\npostfix.service    enabled\r\nqemu-guest-agent.service    enabled\r\nrhel-autorelabel.service    enabled\r\nrhel-configure.service    enabled\r\nrhel-dmesg.service    enabled\r\nrhel-domainname.service    enabled\r\nrhel-import-state.service    enabled\r\nrhel-loadmodules.service    enabled\r\nrhel-readonly.service    enabled\r\nrsyslog.service    enabled\r\nsonarpush.service    enabled\r\nsshd.service    enabled\r\nsystemd-readahead-collect.service    
enabled\r\nsystemd-readahead-drop.service    enabled\r\nsystemd-readahead-replay.service   enabled\r\ntuned.service    enabled\r\nsnapd.socket    enabled\r\ndefault.target    enabled\r\nmulti-user.target    enabled\r\nremote-fs.target    enabled\r\nrunlevel2.target    enabled\r\nrunlevel3.target   enabled\r\nrunlevel4.target   enabled\r\n[root@host ~]#<\/pre>\n<p>and running the below command outputs:<\/p>\n<pre class=\"lang:default decode:true \">systemctl | grep running<\/pre>\n<pre class=\"lang:default decode:true\">[root@host ~]# systemctl | grep running\r\nsession-2969.scope               loaded active running Session 2969 of user root\r\nacpid.service                    loaded active running ACPI Event Daemon\r\nauditd.service                   loaded active running Security Auditing Service\r\ncrond.service                    loaded active running Command Scheduler\r\ndbus.service                     loaded active running D-Bus System Message Bus\r\nfirewalld.service                loaded active running firewalld - dynamic firewall daemon\r\ngetty@tty1.service               loaded active running Getty on tty1\r\nirqbalance.service               loaded active running irqbalance daemon\r\npolkit.service                   loaded active running Authorization Manager\r\npostfix.service                  loaded active running Postfix Mail Transport Agent\r\nrsyslog.service                  loaded active running System Logging Service\r\nserial-getty@ttyS0.service       loaded active running Storm management console on Serial Getty ttyS0\r\nsnapd.service                    loaded active running Snappy daemon\r\nsonarpush.service                loaded active running MilesWeb Sonarpush Monitoring Agent\r\nsshd.service                     loaded active running OpenSSH server daemon\r\nsystemd-journald.service         loaded active running Journal Service\r\nsystemd-logind.service           loaded active running Login Service\r\nsystemd-udevd.service            loaded 
active running udev Kernel Device Manager\r\ntuned.service                    loaded active running Dynamic System Tuning Daemon\r\ndbus.socket                      loaded active running D-Bus System Message Bus Socket\r\nsnapd.socket                     loaded active running Socket activation for snappy daemon\r\nsystemd-journald.socket          loaded active running Journal Socket\r\nsystemd-udevd-control.socket     loaded active running udev Control Socket\r\nsystemd-udevd-kernel.socket      loaded active running udev Kernel Socket\r\n[root@host ~]#<\/pre>\n<p>To disable a service, use:<\/p>\n<pre class=\"lang:default decode:true \">systemctl disable bluetooth<\/pre>\n<p><em>Debian\/Ubuntu Running Services<\/em><\/p>\n<p>The below commands will show you the services active on a Debian\/Ubuntu based server:<\/p>\n<pre class=\"lang:default decode:true \">service --status-all |grep '+'\r\nroot@host ~# service --status-all |grep '+'\r\n[ + ] apache-htcacheclean\r\n[ + ] apache2\r\n[ + ] apparmor\r\n[ + ] apport\r\n[ + ] atd\r\n[ + ] binfmt-support\r\n[ + ] cron\r\n[ + ] dbus\r\n[ + ] ebtables\r\n[ + ] grub-common\r\n[ + ] irqbalance\r\n[ + ] iscsid\r\n[ + ] lvm2-lvmetad\r\n[ + ] lvm2-lvmpolld\r\n[ + ] lxcfs\r\n[ + ] procps\r\n[ + ] rsyslog\r\n[ + ] ssh\r\n[ + ] udev\r\n[ + ] ufw\r\n[ + ] unattended-upgrades\r\nroot@host ~#<\/pre>\n<p>lists the state of the services that the system regulates. 
The plus (+) and (-) indicators indicate if the service is active or not.<\/p>\n<pre class=\"lang:default decode:true \">systemctl | grep running<\/pre>\n<pre class=\"lang:default decode:true\">root@host ~# systemctl | grep running\r\nproc-sys-fs-binfmt_misc.automount        loaded active running Arbitrary Executable File Formats File System Automount Point\r\ninit.scope                               loaded active running System and Service Manager\r\nsession-1726.scope                       loaded active running Session 1726 of user root\r\naccounts-daemon.service                  loaded active running Accounts Service\r\napache2.service                          loaded active running The Apache HTTP Server\r\natd.service                              loaded active running Deferred execution scheduler\r\ncron.service                             loaded active running Regular background program processing daemon\r\ndbus.service                             loaded active running D-Bus System Message Bus\r\ngetty@tty1.service                       loaded active running Getty on tty1\r\nirqbalance.service                       loaded active running irqbalance daemon\r\nlvm2-lvmetad.service                     loaded active running LVM2 metadata daemon\r\nlxcfs.service                            loaded active running FUSE filesystem for LXC\r\nnetworkd-dispatcher.service              loaded active running Dispatcher daemon for systemd-networkd\r\npolkit.service                           loaded active running Authorization Manager\r\nrsyslog.service                          loaded active running System Logging Service\r\nserial-getty@ttyS0.service               loaded active running Storm management console on Serial Getty ttyS0\r\nsnapd.service                            loaded active running Snappy daemon\r\nssh.service                              loaded active running OpenBSD Secure Shell server\r\nsystemd-journald.service                 loaded active running Journal 
Service\r\nsystemd-logind.service                   loaded active running Login Service\r\nsystemd-networkd.service                 loaded active running Network Service\r\nsystemd-resolved.service                 loaded active running Network Name Resolution\r\nsystemd-timesyncd.service                loaded active running Network Time Synchronization\r\nsystemd-udevd.service                    loaded active running udev Kernel Device Manager\r\nunattended-upgrades.service              loaded active running Unattended Upgrades Shutdown\r\nuser@0.service                           loaded active running User Manager for UID 0\r\ndbus.socket                              loaded active running D-Bus System Message Bus Socket\r\nlvm2-lvmetad.socket                      loaded active running LVM2 metadata daemon socket\r\nsnapd.socket                             loaded active running Socket activation for snappy daemon\r\nsyslog.socket                            loaded active running Syslog Socket\r\nsystemd-journald-audit.socket            loaded active running Journal Audit Socket\r\nsystemd-journald-dev-log.socket          loaded active running Journal Socket (\/dev\/log)\r\nsystemd-journald.socket                  loaded active running Journal Socket\r\nsystemd-udevd-control.socket             loaded active running udev Control Socket\r\nsystemd-udevd-kernel.socket              loaded active running udev Kernel Socket\r\nroot@host ~#<\/pre>\n<p>To disable a service, use:<\/p>\n<pre class=\"lang:default decode:true \">systemctl disable apache<\/pre>\n<p><em>Remove X Windows from the system.<\/em><\/p>\n<p>There is no need for a GUI on most servers for general server administration tasks. A management panel may be used by some servers to perform administrative tasks. 
This doesn\u2019t matter, but know the number of open paths to the server and enable only the ones you really need.<\/p>\n<pre class=\"lang:default decode:true \">yum groupremove \"X Window System\"<\/pre>\n<h3>6. Keep Your System Updated<\/h3>\n<p>One of the basic security precautions for any operating system is to keep all of your software up to date, be it on a desktop, laptop or mobile. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched before they become public.<\/p>\n<p><strong>a. Don\u2019t use default yum-updates.<\/strong><\/p>\n<p>It is important to update your system to keep it secure, but the default version of yum-updatesd contains some glitches. Therefore, set up a cron job to apply updates. You can accomplish this via the following steps:<\/p>\n<ol>\n<li>Disable the yum-updatesd service: \/sbin\/chkconfig yum-updatesd off<\/li>\n<li>Create the yum.cron file with the following content:<\/li>\n<\/ol>\n<pre class=\"lang:default decode:true \">#!\/bin\/sh\r\n# update yum itself first, then the rest of the system (quiet, non-interactive, random delay)\r\n\/usr\/bin\/yum -R 120 -e 0 -d 0 -y update yum\r\n\/usr\/bin\/yum -R 10 -e 0 -d 0 -y update<\/pre>\n<p>Make this file executable and place it in \/etc\/cron.daily or \/etc\/cron.weekly.<\/p>\n<p><strong>b. Hide Server Information<\/strong><\/p>\n<p>Provide as little information as possible about the underlying infrastructure. The less you reveal about the server, the better.<\/p>\n<p>Additionally, hiding the version numbers of any software installed on the server is a good idea. By default, the exact release version is revealed, which can help attackers while searching for weaknesses. You can remove this information simply by deleting it from the HTTP header or the service\u2019s greeting banner.<\/p>\n<h3>7. Restrict Website Access<\/h3>\n<p>It is important to review website access logs for unwanted activity and block abusive users from your website if you find any. 
It is good to block bad users at the website level prior to blocking them in the server\u2019s firewall. If your website is built on WordPress, you should ensure that it is protected from things such as WordPress brute force attacks with Wordfence or a similar product, so your account also remains secure.<\/p>\n<h3>8. Configure a Firewall<\/h3>\n<p>A firewall such as iptables can be used to block bad inbound traffic to your server, and this offers a highly effective security layer. When you are highly specific about the traffic you allow to your website, it becomes easy to avoid intrusions and other attempts to gain access from the internet.<\/p>\n<p>One of the best approaches is to allow only the traffic you need and deny everything else. Furthermore, the newer nftables framework comes with a command-line utility called nft, whose syntax is simpler than that of iptables.<\/p>\n<h3>9. Setup Audits<\/h3>\n<p>With file monitoring, you can detect unwanted file changes on the system. This is known as task auditing. Linux uses auditd to track and record several characteristics of the system files while in a healthy state, and then compares them to a later, altered state. When different versions of the same files are contrasted side by side, it is possible to detect any inconsistencies and track the changes.<\/p>\n<h3>10. User Management<\/h3>\n<p><strong>a. Monitor Login Attempts<\/strong><\/p>\n<p>HIDs (Host Intrusion Detection systems) help to find the files that are being accessed, the applications that are being used and the data present in the kernel logs.<\/p>\n<p>NIDs (Network Intrusion Detection systems) review the data flow between computers within a network. Those connections are specifically inspected for suspicious behavior.<\/p>\n<p>HIDs can be used as a more versatile solution, while NIDs are mostly used as a LAN based solution. 
You can use the following HIDs:<\/p>\n<ul>\n<li>OSSEC<\/li>\n<li>Wazuh (A fork of OSSEC that offers more reliability and scalability)<\/li>\n<li>Tripwire<\/li>\n<li>Samhain<\/li>\n<li>Security Onion<\/li>\n<\/ul>\n<p>A combination of NIDs and HIDs can form a strong, comprehensive IDS strategy. You can use the following NIDs:<\/p>\n<ul>\n<li>Snort<\/li>\n<li>Suricata<\/li>\n<li>Zeek<\/li>\n<li>OpenWIPS-ng<\/li>\n<li>Sguil<\/li>\n<\/ul>\n<p><strong>b. Limit User Permissions<\/strong><\/p>\n<p>To restrict users\u2019 access to critical systems, you can limit permissions to sets such as 644 or 444 for files and 755 for folders.<\/p>\n<p><strong>c. Perform User Testing<\/strong><\/p>\n<p>You can set a specific date for performing a security audit and inform the users about it in advance. State your expectations and hold them responsible for any shortcomings.<\/p>\n<p><strong>d. Ongoing Security Training<\/strong><\/p>\n<p>You can send monthly reminders and train the staff every three months, with six-monthly testing across multiple platforms (email, physical and network) to find failures to improve on and start additional training in those areas.<\/p>\n<p><strong>e. Travel Security<\/strong><\/p>\n<p>Security isn\u2019t just meant for the front end of your business. It is important to set up security awareness training for employees that are travelling abroad.<\/p>\n<h3>11. Secure the Filesystem<\/h3>\n<p>You can take several steps to secure the filesystem on the servers. Make sure you mount filesystems with user-writable directories on separate partitions. Don\u2019t forget to use the nodev, nosuid, and noexec mount options in the \/etc\/fstab file.<\/p>\n<p><strong>a. Make sure \/boot is read-only<\/strong><\/p>\n<p>You also need to check whether the \/boot folder is mounted read-write by default, when it only needs to be read for loading the kernel and modules. 
Additionally, ensure that it is set to read-only in \/etc\/fstab:<\/p>\n<pre class=\"lang:default decode:true \">\/dev\/sda1 \/boot ext2 defaults,ro 1 2<\/pre>\n<p><strong>b. Disable booting from removable media.<\/strong><\/p>\n<p>For this, modify the BIOS setting to disable booting from removable media such as a USB stick.<\/p>\n<p><strong>c. Set a password for the GRUB bootloader.<\/strong><\/p>\n<p>If someone has physical access to the server, they can easily get into it. You can put a wall between the attacker and server access by setting a password on the GRUB bootloader. The first step is to back up the current grub.conf file.<\/p>\n<pre class=\"lang:default decode:true \">root@host ~# cp \/etc\/grub.conf \/etc\/grub.conf.bak<\/pre>\n<p>The next step is to generate a secure password. Create a file and then generate the password hash with the grub-md5-crypt command. A prompt will ask you to enter a password twice. Then copy the generated hash from the secure file into the grub.conf file.<\/p>\n<pre class=\"lang:default decode:true \">root@host ~# touch secure\r\nroot@host ~# grub-md5-crypt &gt; secure<\/pre>\n<p>After this, copy the hash and paste it into the grub.conf file after the first line (on Redhat), as below. Then type <strong>\u201c:wq\u201d<\/strong> in vim to save the file.<\/p>\n<pre class=\"lang:default decode:true \">splashimage=(hd0,0)\/grub\/splash.xpm.gz\r\npassword --md5 JnK!xdBep53lt1NVk@K6wb!js%!HEI#^<\/pre>\n<p>Now reboot the server to check that the changes have taken effect.<\/p>\n<p><strong>d. Ask for the root password prior to entering single-user mode.<\/strong><\/p>\n<p>If a malicious actor can access your server, they can select a particular kernel to boot into from the grub menu simply by pressing the <strong>\u201ce\u201d<\/strong> key. 
Due to this, one can edit the first boot option so that the system boots into single-user mode without asking for a password.<\/p>\n<p>It is important for your system to be configured such that it prompts for the root password prior to entering single-user mode, to restrict possible exploitation. You can get this done by following the instructions above in <strong>\u201cSet a password for the GRUB bootloader.\u201d<\/strong><\/p>\n<h3>12. Utilize SELinux<\/h3>\n<p>SELinux, a kernel-based security module, offers a mechanism for supporting access control security policies, including mandatory access control (MAC). Basically, it is used to fine-tune access control requirements. With SELinux it is possible to define what a process or user is allowed to do. Operations are confined to their own domain, and because of this, actions from a domain can only interact with the file types or other processes that the policy allows. SELinux exists in one of the following three modes:<\/p>\n<ul>\n<li>Enforcing \u2013 SELinux is active and enforcing the defined policy.<\/li>\n<li>Permissive \u2013 The policy is not enforced, but violations are logged. It is mainly used for testing.<\/li>\n<li>Disabled \u2013 SELinux is turned off.<\/li>\n<\/ul>\n<h3>13. Use Multi-Server \/ Isolated Environments<\/h3>\n<p><strong>a. Use Multi-Server Environments<\/strong><\/p>\n<p>Having an isolated environment is one of the best forms of server security. To get full isolation, you need a dedicated bare-metal server that doesn\u2019t share any components with other servers. Though this is the easiest to manage and offers the highest security, it is very expensive. In a data center, isolated execution environments permit Separation of Duties (SoD) and also allow the server configuration to be tailored to the functions the server fulfils.<\/p>\n<p>It is a standard security step to separate database servers and web application servers. 
Separate execution environments offer benefits to large-scale businesses that can\u2019t afford any security breach. On independent database servers, sensitive information and system files remain protected from attackers who manage to gain access to your administrative accounts. Additionally, thanks to the isolation, system administrators can configure web application security separately and reduce the attack surface by deploying web application firewalls.<\/p>\n<p><strong>b. Use Virtual Isolated Environments<\/strong><\/p>\n<p>If complete isolation with dedicated server components isn\u2019t affordable or you don\u2019t require it, you can choose to isolate execution environments instead. By doing that, you will be able to deal with any security issues that arise without compromising the other data. You can choose between containers (built on top of the host OS) or VM virtualization, both of which can be set up easily.<\/p>\n<p>Creating chroot jails is another option for virtualized environments on a UNIX operating system. Chroot separates a process from the root directory of the main operating system and allows it to access only the files present in its own directory tree. But this isn\u2019t complete isolation and should only be used together with other security measures.<\/p>\n<h3>14. Take Backups<\/h3>\n<p><strong>a. Buy a Website Backup Plan<\/strong><br \/>\nIt has been said many times: backups are an essential part of every security protocol. We recommend purchasing a website backup plan for backup retention.<\/p>\n<p><strong>b. Backup Testing<\/strong><br \/>\nMake sure you test your backup systems in advance and clearly document the procedures and process for restoring them.<\/p>\n<h3>15. Use LUKS Encryption<\/h3>\n<p>To configure LUKS on CentOS, you need the cryptsetup package. You will find this software installed by default in later versions of CentOS. 
With the cryptsetup command you can encrypt a whole disk or partition so that everything stored on it is protected at rest: without the passphrase the device is unreadable if the drive is stolen, resold or pulled from a decommissioned server. LUKS does not protect data while the volume is open and mounted; an attacker who compromises the running system reads the files just as the system does, so it complements, rather than replaces, the access controls above. Back up the LUKS header (cryptsetup luksHeaderBackup) and keep it off the server, because a damaged header makes the data unrecoverable even with the correct passphrase. The session below formats \/dev\/sdc as a LUKS volume, opens it under the device-mapper name mysecuredrive, creates an XFS filesystem on the mapped device, mounts it, relabels it for SELinux and finally dumps the LUKS header. The mapping does not survive a reboot; to open the volume automatically at boot, add it to \/etc\/crypttab and the filesystem to \/etc\/fstab, bearing in mind that this means typing the passphrase at the console on every boot unless a key file is used.<\/p>\n<pre class=\"lang:default decode:true \">[root@host ~]# cryptsetup luksFormat \/dev\/sdc\r\nWARNING!\r\n========\r\nThis will overwrite data on \/dev\/sdc irrevocably.\r\nAre you sure? (Type uppercase yes): YES\r\nEnter LUKS passphrase:\r\nVerify passphrase:\r\n\r\n[root@host ~]# cryptsetup -v luksOpen \/dev\/sdc mysecuredrive\r\nEnter passphrase for \/dev\/sdc:\r\nKey slot 0 unlocked.\r\nCommand successful.\r\n\r\n[root@host ~]# mkfs.xfs \/dev\/mapper\/mysecuredrive\r\n[root@host ~]# mkdir -p \/mnt\/my_secure_drive\r\n[root@host ~]# mount -v \/dev\/mapper\/mysecuredrive \/mnt\/my_secure_drive\/\r\n\r\n(***you may get an SELinux warning here***)\r\n\r\nmount: \/mnt\/my_secure_drive does not contain SELinux labels.\r\nYou just mounted an file system that supports labels which does not\r\ncontain labels, onto an SELinux box. It is likely that confined\r\napplications will generate AVC messages and not be allowed access to\r\nthis file system. For more details see restorecon(8) and mount(8).\r\nmount: \/dev\/mapper\/mysecuredrive mounted on \/mnt\/my_secure_drive.\r\n\r\n[root@host ~]# restorecon -vvRF \/mnt\/my_secure_drive\/\r\n\r\nRelabeled \/mnt\/my_secure_drive from\r\nsystem_u:object_r:unlabeled_t:s1 to\r\nsystem_u:object_r:mnt_t:s1\r\n\r\n[root@host ~]# mount -v -o remount \/mnt\/my_secure_drive\/\r\nmount: \/dev\/mapper\/mysecuredrive mounted on \/mnt\/my_secure_drive\r\n\r\n(***no selinux warnings seen***)\r\n\r\n[root@host ~]# cryptsetup luksDump \/dev\/sdc\r\nLUKS header information\r\nVersion: 2\r\nEpoch: 3\r\nMetadata area: 12288 bytes\r\n[\u2026\u2026]\r\nDigest: 49 20 4c 6f 76 65 20 77 72 69 74 69 6e 67 20 61\r\n62 6f 75 74 20 6c 69 6e 75 78 22 2f 47 55 b7 8f<\/pre>\n<h3>Conclusion<\/h3>\n<p>That\u2019s all! 
Work through these top 15 server security practices to keep your server secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we will release the best server security practices for all time. Since security is a challenging subject for all, it is often ignored and many get caught unknowingly when an issue occurs. But these best practices can surely help you to lower the risk of being compromised by any malicious actor. 1. Be [&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[1310,99,1309],"class_list":["post-7227","post","type-post","status-publish","format-standard","placeholder-for-hentry","category-web-hosting-faq","tag-how-to-secure-your-server","tag-server-security","tag-server-security-tips"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Discover the Top 15 Server Security Practices<\/title>\n<meta name=\"description\" content=\"Is your server secured? Have you implemented any security measures for it? Discover the top 15 server security practices that you can implement.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Discover the Top 15 Server Security Practices\" \/>\n<meta property=\"og:description\" content=\"Is your server secured? Have you implemented any security measures for it? 
Discover the top 15 server security practices that you can implement.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/\" \/>\n<meta property=\"og:site_name\" content=\"Web Hosting FAQs by MilesWeb\" \/>\n<meta property=\"article:published_time\" content=\"2020-03-04T09:12:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-03-04T09:18:15+00:00\" \/>\n<meta name=\"author\" content=\"Pallavi Godse\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Pallavi Godse\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"24 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/\",\"url\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/\",\"name\":\"Discover the Top 15 Server Security Practices\",\"isPartOf\":{\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#website\"},\"datePublished\":\"2020-03-04T09:12:43+00:00\",\"dateModified\":\"2020-03-04T09:18:15+00:00\",\"author\":{\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#\/schema\/person\/7e3952607fa9eb4e82fea9f7cad9c945\"},\"description\":\"Is your server secured? Have you implemented any security measures for it? 
Discover the top 15 server security practices that you can implement.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Discover the Top 15 Server Security Practices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#website\",\"url\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/\",\"name\":\"Web Hosting FAQs by MilesWeb\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#\/schema\/person\/7e3952607fa9eb4e82fea9f7cad9c945\",\"name\":\"Pallavi Godse\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/eefc9695ea2b2c6e143c9c9919701aaa?s=96&d=blank&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/eefc9695ea2b2c6e143c9c9919701aaa?s=96&d=blank&r=g\",\"caption\":\"Pallavi Godse\"},\"description\":\"Pallavi is a Digital Marketing Executive at MilesWeb and has an experience of over 4 years in content development. 
She is interested in writing engaging content on business, technology, web hosting and other topics related to information technology.\",\"url\":\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/author\/pallavi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Discover the Top 15 Server Security Practices","description":"Is your server secured? Have you implemented any security measures for it? Discover the top 15 server security practices that you can implement.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/","og_locale":"en_GB","og_type":"article","og_title":"Discover the Top 15 Server Security Practices","og_description":"Is your server secured? Have you implemented any security measures for it? Discover the top 15 server security practices that you can implement.","og_url":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/","og_site_name":"Web Hosting FAQs by MilesWeb","article_published_time":"2020-03-04T09:12:43+00:00","article_modified_time":"2020-03-04T09:18:15+00:00","author":"Pallavi Godse","twitter_misc":{"Written by":"Pallavi Godse","Estimated reading time":"24 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/","url":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/","name":"Discover the Top 15 Server Security 
Practices","isPartOf":{"@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#website"},"datePublished":"2020-03-04T09:12:43+00:00","dateModified":"2020-03-04T09:18:15+00:00","author":{"@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#\/schema\/person\/7e3952607fa9eb4e82fea9f7cad9c945"},"description":"Is your server secured? Have you implemented any security measures for it? Discover the top 15 server security practices that you can implement.","breadcrumb":{"@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/discover-the-top-15-server-security-practices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/"},{"@type":"ListItem","position":2,"name":"Discover the Top 15 Server Security Practices"}]},{"@type":"WebSite","@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#website","url":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/","name":"Web Hosting FAQs by MilesWeb","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#\/schema\/person\/7e3952607fa9eb4e82fea9f7cad9c945","name":"Pallavi 
Godse","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/eefc9695ea2b2c6e143c9c9919701aaa?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/eefc9695ea2b2c6e143c9c9919701aaa?s=96&d=blank&r=g","caption":"Pallavi Godse"},"description":"Pallavi is a Digital Marketing Executive at MilesWeb and has an experience of over 4 years in content development. She is interested in writing engaging content on business, technology, web hosting and other topics related to information technology.","url":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/author\/pallavi\/"}]}},"views":539,"_links":{"self":[{"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/posts\/7227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/comments?post=7227"}],"version-history":[{"count":2,"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/posts\/7227\/revisions"}],"predecessor-version":[{"id":7229,"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/posts\/7227\/revisions\/7229"}],"wp:attachment":[{"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/media?parent=7227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/categories?post=7227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/hosting-faqs\/wp-json\/wp\/v2\/tags?post=7227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}