Tag: hardening

Hardening, nginx

Nginx Hardening & Security Script

Tested on Debian 9.x https://github.com/maldevel/blue-team Hide nginx version sed -i "s/# server_tokens off;/server_tokens off;/g" /etc/nginx/nginx.confsed -i "s/# server_tokens off;/server_tokens off;/g" /etc/nginx/nginx.conf Remove ETags sed -i ‘s/server_tokens off;/server_tokens off;\netag off;/’ /etc/nginx/nginx.confsed -i ‘s/server_tokens off;/server_tokens off;\netag off;/’ /etc/nginx/nginx.conf Remove default page echo "" > /var/www/html/index.htmlecho "" > /var/www/html/index.html Use strong cipher suites sed -i "s/ssl_prefer_server_ciphers on;/ssl_prefer_server_ciphers on;\nssl_ciphers …

Hardening, OpenSSH

SSH Hardening & Security Script

Tested on Debian 9.x https://github.com/maldevel/blue-team Set /etc/ssh/sshd_config ownership and access permissions chown root:root /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_configchown root:root /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config Change Port sed -i "s/#Port 22/Port 62111/g" /etc/ssh/sshd_configsed -i "s/#Port 22/Port 62111/g" /etc/ssh/sshd_config Use Protocol 2 echo "Protocol 2" >> /etc/ssh/sshd_configecho "Protocol 2" >> /etc/ssh/sshd_config Set SSH LogLevel to INFO sed -i "/LogLevel.*/s/^#//g" …

Hardening, Network

Network Hardening & Security Script

Tested on Debian 9.x https://github.com/maldevel/blue-team Disable IP forwarding sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/" /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=0sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/" /etc/sysctl.conf sysctl -w net.ipv4.ip_forward=0 Disable packet redirect sending sed -i "/net.ipv4.conf.all.send_redirects.*/s/^#//g" /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.default.send_redirects=0sed -i "/net.ipv4.conf.all.send_redirects.*/s/^#//g" /etc/sysctl.conf echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.conf sysctl -w net.ipv4.conf.all.send_redirects=0 sysctl -w net.ipv4.conf.default.send_redirects=0 Disable source routed …

Hardening, IPTables

Basic iptables security script

Tested on Debian 9.x https://github.com/maldevel/blue-team Install iptables apt -y install iptablesapt -y install iptables Install iptables-persistent apt -y install iptables-persistent systemctl enable netfilter-persistentapt -y install iptables-persistent systemctl enable netfilter-persistent Flush/Delete firewall rules iptables -F iptables -X iptables -Ziptables -F iptables -X iptables -Z Βlock null packets (DoS) iptables -A INPUT -p tcp –tcp-flags ALL NONE …

Hardening, Linux

Linux Users Hardening & Security Script

Tested on Debian 9.x https://github.com/maldevel/blue-team Set Maximum number of days a password may be used sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/" /etc/login.defssed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/" /etc/login.defs Set Minimum number of days allowed between password changes to 5 sed -i "s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 5/" /etc/login.defssed -i "s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 5/" /etc/login.defs Set Number of days warning given before a password expires sed …

Apache, Hardening

Apache Web Server Hardening & Security Script

Tested on Debian 9.x https://github.com/maldevel/blue-team Become root sudo su -sudo su – Hide Apache2 version echo "ServerSignature Off" >> /etc/apache2/apache2.conf echo "ServerTokens Prod" >> /etc/apache2/apache2.confecho "ServerSignature Off" >> /etc/apache2/apache2.conf echo "ServerTokens Prod" >> /etc/apache2/apache2.conf Remove ETags echo "FileETag None" >> /etc/apache2/apache2.confecho "FileETag None" >> /etc/apache2/apache2.conf Disable Directory Browsing a2dismod -f autoindexa2dismod -f autoindex Remove default …

Hardening, Microsoft Windows server 2016

Windows Server Hardening – Account Policies

The following were tested on Windows Server 2016 (Screenshots included). Account Policies Password Policy 1. Ensure ‘Enforce password history’ is set to ’24 or more password(s) Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value …

Active Directory, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2012

Active Directory Security Hardening: Domain Admin Honeypot

Rename the account It’s a good idea to name the account like any other user account. That means giving it a real name, like Johnny Cash, with a username that matches your naming convention, say “jcash.” Remove description Next, you want to remove the default description for the built-in Administrator, which is “Built-in account for …

Debian

Hardening SSH on Debian

Open a terminal Open file /etc/ssh/sshd_config sudo nano /etc/ssh/sshd_configsudo nano /etc/ssh/sshd_config Change the listen port Port 65002Port 65002 Deny root Login PermitRootLogin noPermitRootLogin no Make sure that users with empty passwords are not allowed to login to the system PermitEmptyPasswords noPermitEmptyPasswords no Allow certain users to have access via ssh AllowUsers user1 user2AllowUsers user1 user2 …

Debian

Hardening Apache2 on Debian 8

Disable Apache Web Server Signature sudo nano /etc/apache2/apache2.confsudo nano /etc/apache2/apache2.conf Add the following two lines at the end of Apache config file: ServerSignature Off ServerTokens ProdServerSignature Off ServerTokens Prod Hide PHP Version sudo nano /etc/php5/apache2/php.inisudo nano /etc/php5/apache2/php.ini Make sure that expose_php option is off. expose_php = Offexpose_php = Off Disable Directory Browsing Globally sudo a2dismod …