Server Hardening Guidelines for Faveo Helpdesk
Introduction
At Faveo Helpdesk, we prioritize the security of our infrastructure to ensure the protection of sensitive data and the smooth functioning of our services. Server hardening is a critical process that involves securing the server’s configuration, reducing vulnerabilities, and implementing robust controls to prevent unauthorized access and potential exploits.
This document outlines the key steps we follow to harden our servers, ensuring they are resilient against attacks and compliant with industry standards.
1. Secure SSH Configuration
a. Disable Root Access
To minimize the risk of brute force attacks or unauthorized access, root login via SSH is disabled. Administrative tasks are performed using non-root user accounts with limited privileges.
b. Create Non-Root Users
Instead of root, specific users are created for system management. Access to privileged operations is granted via sudo on a need-to-know basis.
c. Change SSH Port
We modify the default SSH port to a non-standard port to reduce the likelihood of automated attacks targeting the default port (22).
d. Enable Two-Factor Authentication (2FA)
For added protection, we enable Two-Factor Authentication (2FA) to ensure only authorized personnel can gain access to the server, adding an extra security layer.
e. SSH Access Controls
Strict SSH access controls are enforced by limiting access to a whitelist of IP addresses and utilizing SSH key authentication for secure remote access.
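As an added example, not part of these guidelines or of Faveo's own tooling, the shell script below checks an sshd_config file for the controls in this section. It assumes 2FA is delivered through PAM keyboard-interactive, so AuthenticationMethods must require the key and the interactive factor together; the IP whitelist is checked only indirectly through AllowUsers (user@host patterns), since address restrictions are usually enforced by the firewall.

```shell
#!/bin/sh
# Added example (not Faveo's own tooling): audit an sshd_config file against
# the section 1 controls. Assumption: 2FA is PAM keyboard-interactive, so
# AuthenticationMethods must list publickey and keyboard-interactive.

# sshd_effective_value FILE KEY
# Prints the effective value of KEY in lowercase. sshd uses the first
# occurrence of a keyword and ignores later ones, so the audit does the same.
# Comment lines start with '#' and never match the keyword.
sshd_effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE
# Prints one "FAIL ..." line per control that is not met; returns 0 only when
# every control passes.
audit_sshd_config() {
    cfg="$1"
    rc=0

    v=$(sshd_effective_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin should be 'no' (is '${v:-unset}')"; rc=1; }

    # The port defaults to 22 when the keyword is absent, so unset is a failure.
    v=$(sshd_effective_value "$cfg" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || { echo "FAIL Port should be non-default (is '${v:-22}')"; rc=1; }

    v=$(sshd_effective_value "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication should be 'no' (keys only)"; rc=1; }

    # PubkeyAuthentication defaults to yes; only an explicit 'no' is a failure.
    v=$(sshd_effective_value "$cfg" PubkeyAuthentication)
    [ "$v" != "no" ] || { echo "FAIL PubkeyAuthentication must not be 'no'"; rc=1; }

    # Whitelist: AllowUsers restricts logins to named accounts; only the first
    # listed name is returned here, which is enough for a presence check.
    v=$(sshd_effective_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers is unset; no login whitelist"; rc=1; }

    # 2FA via PAM: the key and the interactive second factor are both required.
    v=$(sshd_effective_value "$cfg" AuthenticationMethods)
    case "$v" in
        *publickey*keyboard-interactive*) ;;
        *) echo "FAIL AuthenticationMethods should require publickey and keyboard-interactive (is '${v:-unset}')"; rc=1 ;;
    esac

    return $rc
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The script mirrors sshd's rule that only the first occurrence of a keyword counts, which is why a second PermitRootLogin later in the file changes nothing. It does not follow Include directives, so on hosts that use /etc/ssh/sshd_config.d the authoritative check is `sshd -T`, which prints the effective configuration after includes and Match blocks; run `sshd -t` before every restart so a typo cannot leave the daemon unable to start, and keep the current session open while testing a new port.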
2. ConfigServer Security & Firewall (CSF)
We deploy ConfigServer Security & Firewall (CSF) for monitoring and controlling incoming and outgoing traffic. CSF is configured through the command line to block malicious traffic and provide robust protection against intrusions.
3. Antivirus and Malware Detection
We employ ClamAV for virus and malware detection, running regular scans to detect, isolate, and remove harmful files. This proactive approach ensures that the system remains free from threats.
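As an added example, not a script from these guidelines or from Faveo, the following shows how a scheduled ClamAV scan can quarantine rather than delete what it finds, and how the resulting log can be parsed so FOUND lines reach whoever reviews them. The scan root, quarantine directory and log path are placeholders; clamscan's documented exit codes are 0 (clean), 1 (infections found) and 2 (error).

```shell
#!/bin/sh
# Added example (not Faveo's own script): quarantining ClamAV scan job plus a
# parser for its log. Assumptions: the three paths below are placeholders.

SCAN_ROOT="${SCAN_ROOT:-/var/www}"               # placeholder: web root to scan
QUARANTINE="${QUARANTINE:-/var/quarantine}"      # placeholder: outside the web root
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/scan.log}" # placeholder: scan log

# run_scan: refresh signatures, then scan recursively. Infected files are moved
# out of the web root instead of removed, so they can be examined before any
# decision to delete. Returns clamscan's exit status.
run_scan() {
    freshclam --quiet || echo "WARN signature update failed; scanning with current database" >&2
    mkdir -p "$QUARANTINE"
    chmod 700 "$QUARANTINE"
    clamscan -r -i --move="$QUARANTINE" --log="$SCAN_LOG" "$SCAN_ROOT"
}

# found_files LOGFILE: prints the path from every "<path>: <signature> FOUND"
# line. A path may itself contain ": ", so the split is on the last ": "
# before the signature, not the first.
found_files() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# scan_exit_message CODE: turns clamscan's exit status into an operator
# message. Anything other than 0 or 1 means the scan itself failed and must
# not be reported as "clean".
scan_exit_message() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected: review $QUARANTINE" ;;
        *) echo "scan error (exit $1): do not treat as clean" ;;
    esac
}

# Usage (e.g. from cron): SCAN_ROOT=/srv/faveo ./clamscan_job.sh run
if [ "${1:-}" = "run" ]; then
    status=0
    run_scan || status=$?
    scan_exit_message "$status"
    found_files "$SCAN_LOG"
    exit "$status"
fi
```

The quarantine directory must sit outside any path the web server serves; a moved file that is still reachable over HTTP has not been isolated. Treating exit status 2 as a failure rather than silence matters for a cron job, because a scan that could not read its target reports nothing and would otherwise look clean.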
4. Web Server Hardening
a. Security Headers
We configure critical security headers (Content-Security-Policy, X-Frame-Options, etc.) to protect against common vulnerabilities like cross-site scripting (XSS) and clickjacking for both NGINX and Apache.
b. ModSecurity with OWASP Rules
ModSecurity is implemented alongside the OWASP Core Rule Set (CRS) to provide an extra layer of protection against web application attacks like SQL injection and cross-site scripting.
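As an added example, not a check from these guidelines or from Faveo, the script below verifies the headers from 4a on a saved HTTP response, so the configuration can be confirmed from the outside after every deploy. The required-header list extends the two the guidelines name with three that are commonly set beside them; that extension is an assumption, and the host in the curl comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Faveo's own check): audit a saved HTTP response for the
# section 4 security headers. Assumption: the header list below goes beyond
# the two named in the guidelines; trim it to what the server is meant to send.
# Capture a response with (placeholder host):
#   curl -sI https://helpdesk.example.invalid/ > response.txt

REQUIRED_HEADERS="content-security-policy x-frame-options x-content-type-options strict-transport-security referrer-policy"

# header_value FILE NAME: prints the value of the first NAME header
# (case-insensitive name match, CR stripped), nothing if absent.
header_value() {
    awk -v h="$2" '
        { line = $0; sub(/\r$/, "", line)
          n = index(line, ":")
          if (n > 0 && tolower(substr(line, 1, n - 1)) == tolower(h)) {
              v = substr(line, n + 1); sub(/^[ \t]+/, "", v); print v; exit
          } }' "$1"
}

# missing_security_headers FILE: prints each required header that is absent;
# returns 1 if any were printed.
missing_security_headers() {
    rc=0
    for h in $REQUIRED_HEADERS; do
        [ -n "$(header_value "$1" "$h")" ] || { echo "$h"; rc=1; }
    done
    return $rc
}

# csp_script_src FILE: the script-src directive of the CSP, if any.
csp_script_src() {
    header_value "$1" Content-Security-Policy | tr ';' '\n' | sed -n 's/^[[:space:]]*script-src[[:space:]]*//p'
}

# audit_response_headers FILE: presence checks plus value checks for the
# headers whose safe values are fixed; returns 0 only if all pass.
audit_response_headers() {
    resp="$1"; rc=0
    missing=$(missing_security_headers "$resp") || { echo "FAIL missing: $(echo $missing)"; rc=1; }
    case "$(header_value "$resp" X-Frame-Options | tr 'a-z' 'A-Z')" in
        DENY|SAMEORIGIN) ;;
        *) echo "FAIL X-Frame-Options must be DENY or SAMEORIGIN"; rc=1 ;;
    esac
    [ "$(header_value "$resp" X-Content-Type-Options | tr 'A-Z' 'a-z')" = "nosniff" ] \
        || { echo "FAIL X-Content-Type-Options must be nosniff"; rc=1; }
    # A CSP whose script-src still allows 'unsafe-inline' gives little XSS
    # protection; reported as a warning because fixing it needs application work.
    case "$(csp_script_src "$resp")" in
        *unsafe-inline*) echo "WARN CSP script-src permits 'unsafe-inline'" ;;
    esac
    return $rc
}

# Usage: audit_response_headers response.txt
if [ $# -gt 0 ]; then
    audit_response_headers "$1"
fi
```

Checking the live response rather than the config catches the most common NGINX mistake: `add_header` directives in a location block replace, rather than extend, those inherited from the server block, so a single location with its own add_header silently loses every header set above it. Use `add_header ... always;` so the headers are also sent on error responses; the Apache equivalent is `Header always set`.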
5. Disabling Unsecured Ports
We ensure that only necessary and secured ports are active on our servers. All unused or unsecured ports are disabled to prevent unauthorized access.
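The CSF deployment in section 2 and the port policy in this section come together in csf.conf, so one added example covers both. It is not part of the guidelines or of CSF itself: it reads the TCP_IN allow list, flags entries outside an approved set, confirms the SSH port chosen in section 1 is open, and checks that CSF is actually enforcing. The approved port list and the SSH port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the guidelines or from CSF): audit /etc/csf/csf.conf
# for the section 2 and section 5 controls. Assumptions: the expected port
# list and the SSH port passed to csf_audit are placeholders for this server.

# csf_value FILE KEY: prints the quoted value of KEY = "..." (first match).
csf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_unexpected_ports FILE EXPECTED: prints every entry of TCP_IN that is not
# in the comma-separated EXPECTED list; returns 1 if any were printed.
# Entries may be single ports or ranges such as 30000:35000 and are compared
# exactly as written.
csf_unexpected_ports() {
    rc=0
    for p in $(csf_value "$1" TCP_IN | tr ',' ' '); do
        case ",$2," in
            *",$p,"*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# csf_port_open FILE PORT: 0 if PORT is listed in TCP_IN, 1 otherwise.
# Run this for the SSH port before restarting CSF: a port changed in
# sshd_config but not opened here locks the administrator out.
csf_port_open() {
    case ",$(csf_value "$1" TCP_IN)," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# csf_enforcing FILE: 0 only when TESTING = "0". With TESTING = "1" (the
# shipped default) CSF's cron job clears the rules after a few minutes, so
# the firewall is not actually enforcing anything.
csf_enforcing() {
    [ "$(csf_value "$1" TESTING)" = "0" ]
}

# csf_audit FILE SSH_PORT EXPECTED: all three checks; returns 0 only if all pass.
# Usage: csf_audit /etc/csf/csf.conf 2222 "2222,80,443"   (placeholder values)
csf_audit() {
    cfg="$1"; ssh_port="$2"; expected="$3"; rc=0
    csf_enforcing "$cfg" || { echo "FAIL TESTING is not 0; CSF is not enforcing"; rc=1; }
    csf_port_open "$cfg" "$ssh_port" || { echo "FAIL SSH port $ssh_port is not in TCP_IN"; rc=1; }
    extra=$(csf_unexpected_ports "$cfg" "$expected") \
        || { echo "FAIL unexpected TCP_IN entries: $(echo $extra)"; rc=1; }
    return $rc
}
```

After csf.conf is edited the change is applied with `csf -r`; when the SSH port is being moved, open the new port in TCP_IN, restart CSF, and confirm a fresh login on the new port before closing the old one from a session that is still connected. Anything the audit flags as unexpected in TCP_IN is a service that either needs a documented reason to be reachable or should be removed from the list.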
6. OS Patching and Log Rotation
Regular OS Patching: We maintain up-to-date system software and patches to close known security loopholes.
Log Rotation: Log files, including those in /tmp, are regularly rotated to ensure system stability and prevent malicious users from exploiting log data.
7. Regular Backups
A robust backup system is in place to regularly store and archive data. Backups are secured and periodically tested for recovery to ensure we can quickly restore data in the event of a breach or system failure.
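As an added example, not Faveo's backup tooling, the script below shows the three steps this section calls for in one job: create an archive with a checksum, verify it, and prove it restores by extracting into a scratch directory and comparing the result with the source. The paths in the usage line are placeholders, and sha256sum (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example (not Faveo's own tooling): backup, verify, and restore test.
# Assumptions: placeholder paths in the usage line; sha256sum is installed.

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR as ARCHIVE and write
# ARCHIVE.sha256. The umask is set in a subshell so the archive, which holds
# everything the source does, is created readable by its owner only.
make_backup() {
    src="$1"; archive="$2"
    ( umask 077
      tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" \
      && sha256sum "$archive" > "$archive.sha256" )
}

# verify_backup ARCHIVE: the checksum matches and the archive is listable;
# a truncated or corrupted file fails either check.
verify_backup() {
    sha256sum -c --quiet "$1.sha256" && tar -tzf "$1" > /dev/null
}

# restore_test ARCHIVE SRC_DIR: restore into a scratch directory and compare
# it with the live source; returns 0 when the restored tree is identical.
restore_test() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d)
    if tar -xzf "$archive" -C "$scratch" \
       && diff -r "$src" "$scratch/$(basename "$src")" > /dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# backup_job SRC_DIR ARCHIVE: the steps in order. A backup that has not been
# verified and restored is not counted as a backup.
backup_job() {
    make_backup "$1" "$2" && verify_backup "$2" && restore_test "$2" "$1"
}

# Usage (placeholder paths): backup_job /var/www/faveo "/backups/faveo-$(date +%F).tar.gz"
if [ $# -eq 2 ]; then
    backup_job "$1" "$2"
fi
```

Comparing a restore against the live source is only meaningful immediately after the backup is taken, which is why the three steps run as one job; a periodic full restore into a separate environment, as the section describes, is the test that also covers the database and the restore procedure itself. The checksum file must travel with the archive to wherever backups are stored, and verification there, not only on the source host, is what shows the copy survived transfer.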
Conclusion
Server hardening is an ongoing process, and at Faveo Helpdesk, we continuously monitor, audit, and update our systems to defend against evolving threats. By following these best practices, we aim to maintain the integrity, availability, and security of our servers, keeping our infrastructure safe from attacks and ensuring uninterrupted service.