SP007 production hardening

From regional-training

This is an example production policy.

Production systems shall be hardened by configuring the following components and carrying out the following actions:

  • syslog (or equivalent) shall be installed on production systems
  • sshd
    • shall never permit root login on production systems.
    • shall never return an identifying banner during connection. (The banner ordinarily reports the version and operating system; it may be necessary to use hexedit to find the banner text and replace it with something like xxxxxx, as on Debian systems the Banner none and PrintMotd directives are ignored. [1])

  • fail2ban shall be installed on production external-facing systems and shall protect:
    • ssh remote access
    • nginx proxy servers
  • web servers shall not disclose their version or the operating system in response headers
  • tripwire shall be installed on production systems
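An added audit helper, not part of the SP007 page, that checks an sshd_config and an nginx.conf against the sshd and web-server rules above. The sample config files are constructed for the demonstration, and the check assumes the policy wants PermitRootLogin no and Banner none stated explicitly rather than left to OpenSSH defaults:

```shell
#!/usr/bin/env bash
# Added audit helper (not from the SP007 page): checks an sshd_config and an
# nginx.conf against the policy's sshd and web-server rules. Directive names
# are real OpenSSH/nginx directives; the sample files are constructed here.

# First uncommented occurrence of an sshd directive wins (sshd_config semantics;
# Match blocks are ignored by this simple check). Prints the value, lower-cased,
# or "unset" if the directive never appears.
sshd_value() {                      # $1 = file, $2 = directive
    local v
    v=$(grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-unset}" | tr 'A-Z' 'a-z'
}

# Assumption: the policy wants both values stated explicitly, so a missing
# directive fails even where OpenSSH's default would be acceptable.
check_sshd() {                      # $1 = sshd_config; returns 0 if compliant
    local rc=0
    [ "$(sshd_value "$1" PermitRootLogin)" = no ] \
        || { echo "FAIL $1: PermitRootLogin must be 'no'"; rc=1; }
    [ "$(sshd_value "$1" Banner)" = none ] \
        || { echo "FAIL $1: Banner must be 'none'"; rc=1; }
    return $rc
}

# nginx: the version in the Server header is suppressed by 'server_tokens off;'.
check_nginx() {                     # $1 = nginx.conf; returns 0 if compliant
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1" \
        || { echo "FAIL $1: 'server_tokens off;' missing"; return 1; }
}

# Constructed sample configs: a weak and a hardened variant of each.
tmp=$(mktemp -d)
printf 'PermitRootLogin yes\nBanner /etc/issue.net\n'    >"$tmp/sshd_weak"
printf 'PermitRootLogin no\nBanner none\nPrintMotd no\n' >"$tmp/sshd_hard"
printf 'http {\n    server_tokens on;\n}\n'               >"$tmp/nginx_weak"
printf 'http {\n    server_tokens off;\n}\n'              >"$tmp/nginx_hard"

for f in sshd_weak sshd_hard;   do check_sshd  "$tmp/$f" && echo "OK $f"; done
for f in nginx_weak nginx_hard; do check_nginx "$tmp/$f" && echo "OK $f"; done
```

On a live host, `sshd -T` prints the effective configuration in the same `key value` form (lower-cased keys), so its output written to a file can be passed to check_sshd instead of the raw sshd_config.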