Checklists: System is Hacked (Part 2) Preventive Steps for Infra (OS Hardening)

Introduction

In the last article, we described a list of checks that can determine whether a system has been compromised or hacked. In this article, we will talk about preventive steps (especially infra-related ones) that can be taken to avoid compromise or to make the system more secure. An application can be secured from several directions:

  • OS Hardening (Infra Level Security).
  • Secure Coding Guidelines.
  • Encryption Of Sensitive Data.
  • Ensure No Vulnerability Exists in System.

In this blog, we will focus on OS hardening (infra-level security) on Linux systems (CentOS/Red Hat). We will cover the other parts in future blogs.

List of Checks Which Can Give a Direction on How the System Is Compromised or Hacked

Now let's go to the system part. The following items need to be taken care of:

  • SSH configuration:
    • On a Linux-based system the default SSH port is 22. This default port should be changed to some unused port to enhance security.
    • Use SSH protocol version 2.
    • Ensure SSH X11 forwarding is disabled.
  • Port configuration at the firewall: Generally, an application consists of many services running on a set of servers, each on a different port, for example:
    • Application server at  8080 port.
    • Database Server at 5432 port.

So, in the above case, users log in through port 8080, so only this port should be opened to the public. The database generally needs to interact only with the application server, so port 5432 should be allowed only from the application server's IP.

  • Multi-factor authentication for SSH should be enabled. For setting up Google Authenticator on CentOS or Red Hat you can follow the link.
  • Root login for any server must be disabled.
  • Server login policies:
    • Ensure password expiration is 365 days or less.
    • Ensure the minimum number of days between password changes is 7 or more.
    • Ensure password expiration warning days are 7 or more.
    • Ensure inactive password lock is 30 days or less.
    • Ensure the password is strong enough when a user changes their password.
  • Application and database should be on different servers: if the application is hacked through some vulnerability, access to the database is still protected.
  • Regular package updates: configure automatic updates or regularly update packages on all servers.
  • Tune network kernel parameters:
    • IP forwarding should be disabled on all servers.
      • Add the following entry to sysctl.conf:
        • net.ipv4.ip_forward = 0
    • Packet redirecting should be disabled on all servers.
      • Add the following entries to sysctl.conf:
        • net.ipv4.conf.all.send_redirects = 0
        • net.ipv4.conf.default.send_redirects = 0
  • SELinux should be enabled and configured.
  • Antivirus must be installed on all servers.
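
As an added example that is not part of the original article, here is a small POSIX shell audit covering the SSH, sysctl and password-ageing items above. It runs over constructed config snippets held in variables rather than the live /etc files, and the conf_value helper and check names are hypothetical; point the variables at real file contents (for example via cat) to audit a host.

```shell
#!/bin/sh
# Hypothetical hardening audit (added example): checks the SSH, sysctl and
# password-ageing items over constructed config text, not the live /etc files.
# Constructed sshd_config that violates several of the SSH items on purpose.
SSHD_CONF='Port 22
Protocol 2
X11Forwarding yes
PermitRootLogin yes'
# Constructed sysctl.conf: send_redirects still enabled for "all" interfaces.
SYSCTL_CONF='net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0'
# Constructed /etc/login.defs lines (PASS_MAX_DAYS left at its 99999 default).
LOGIN_DEFS='PASS_MAX_DAYS 99999
PASS_MIN_DAYS 7
PASS_WARN_AGE 7'

# conf_value CONTENT KEY -> last effective value of KEY, accepting both the
# "Key value" form (sshd_config, login.defs) and the "key = value" form (sysctl).
conf_value() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
    awk -v k="$2" '$1 == k { v = ($2 == "=") ? $3 : $2 } END { print v }'
}

# check NAME ACTUAL OP EXPECTED -> prints PASS/FAIL; fails on an unset value too
check() {
  if [ -n "$2" ] && test "$2" "$3" "$4" 2>/dev/null; then echo "PASS $1 ($2)"; return 0; fi
  echo "FAIL $1 (got '${2:-unset}', want $3 $4)"; return 1
}

# audit -> exit status is the number of failed checks (0 = every item holds)
audit() {
  f=0
  # OpenSSH 7.4+ servers speak only protocol 2, so an absent directive counts as 2.
  proto=$(conf_value "$SSHD_CONF" Protocol)
  check "ssh non-default port"   "$(conf_value "$SSHD_CONF" Port)"            != 22 || f=$((f+1))
  check "ssh protocol 2"         "${proto:-2}"                                = 2   || f=$((f+1))
  check "ssh X11Forwarding no"   "$(conf_value "$SSHD_CONF" X11Forwarding)"   = no  || f=$((f+1))
  check "ssh PermitRootLogin no" "$(conf_value "$SSHD_CONF" PermitRootLogin)" = no  || f=$((f+1))
  check "ip_forward = 0"         "$(conf_value "$SYSCTL_CONF" net.ipv4.ip_forward)" -eq 0 || f=$((f+1))
  check "all.send_redirects = 0" "$(conf_value "$SYSCTL_CONF" net.ipv4.conf.all.send_redirects)" -eq 0 || f=$((f+1))
  check "default.send_redirects = 0" "$(conf_value "$SYSCTL_CONF" net.ipv4.conf.default.send_redirects)" -eq 0 || f=$((f+1))
  check "PASS_MAX_DAYS <= 365"   "$(conf_value "$LOGIN_DEFS" PASS_MAX_DAYS)"  -le 365 || f=$((f+1))
  check "PASS_MIN_DAYS >= 7"     "$(conf_value "$LOGIN_DEFS" PASS_MIN_DAYS)"  -ge 7   || f=$((f+1))
  check "PASS_WARN_AGE >= 7"     "$(conf_value "$LOGIN_DEFS" PASS_WARN_AGE)"  -ge 7   || f=$((f+1))
  return $f
}

audit && echo "all checks passed" || echo "failed checks: $?"
```

With the constructed inputs, five items fail (default port, X11 forwarding, root login, all.send_redirects and PASS_MAX_DAYS); the sshd_config values are only the static file, so on a live host also confirm the running daemon with `sshd -T`.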

All of the above are the basic minimum checklist items that should be applied to all servers in any production environment. For implementing in-depth OS hardening, especially for CentOS-based systems, one needs to follow the latest CIS CentOS Benchmark.

You can also check the benchmark document below from CIS for CentOS hardening; it also explains how to implement the items on CentOS.

cis_centos_linux_7_benchmark_v2.2.0

For other operating systems/technologies, follow the CIS benchmark link.

In future blogs, we will explain the other parts, such as secure coding guidelines, encryption, VAPT scans, etc., to make the system more secure.

Stay tuned.

This UrIoTNews article is syndicated from DZone.