
Ask HN: Best Server Hardening Guide? - Kinnard
What are the best server hardening guides?
======
e1ven
One quick note - You probably shouldn't be performing your server hardening
manually on each server. It's easy to miss things.

I'd suggest using an ansible/chef/puppet/whatever script, that you customize
to meet the needs of your particular application.

Some simple ones you could start with are available at
[http://tinyurl.com/AnsibleFirst5](http://tinyurl.com/AnsibleFirst5) and/or
[http://hardening.io/](http://hardening.io/)

Expand to add additional configuration and hardening for your particular
infrastructure.

------
api
(1) sudo netstat -tanp | grep LISTEN

(2) For anything not listening to 127.0.0.1: what is it and do you need it?

(3) If answer to #2 is "dunno" or "no," turn it off.

:)

~~~
Kinnard
Nice.

------
richardthered
Check out :
[https://benchmarks.cisecurity.org/downloads/multiform/](https://benchmarks.cisecurity.org/downloads/multiform/)

They call them 'benchmarks', but they are really just checklists of things to
do (disable X, lock down Y, etc.)

------
VarunAgw
Co-incidentally I got this in E-Mail as newsletter

[https://www.digitalocean.com/community/tutorials/7-security-...](https://www.digitalocean.com/community/tutorials/7-security-
measures-to-protect-your-servers)

------
ch215
The Hardened Gentoo project page has a lot of useful information, guides on
using Pax, grsecurity and so on...

[https://wiki.gentoo.org/wiki/Project:Hardened](https://wiki.gentoo.org/wiki/Project:Hardened)

------
leni536
I used this for my iptables settings.

[https://wiki.archlinux.org/index.php/Simple_stateful_firewal...](https://wiki.archlinux.org/index.php/Simple_stateful_firewall)

------
jlawer
Red Hat have a very good guide for RHEL / CentOS:

[https://access.redhat.com/documentation/en-
US/Red_Hat_Enterp...](https://access.redhat.com/documentation/en-
US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-
en-US.pdf)

NSA have also put out some good hardening guides

------
tmaly
stay away from ufw and stick with iptables. I had some ufw stuff fail on me
and I discovered when I logged in that everything was open again.

------
Kinnard
Surprised HN doesn't have more advice on this.

