    Enterprise Server Hardening

Check Server Security
  • CHKRootKit : Detects hacker software and notifies via email
  • RootKit Hunter : A tool which scans for backdoors and malicious software present on the server.
  • APF or CSF : A policy based iptables firewall system used for the easy configuration of iptables rules.
SSH Securing : For better security of SSH connections.
Host.conf Hardening : Prevents IP spoofing and DNS poisoning.
Sysctl.conf Hardening : Prevents SYN flood attacks and other network abuses.
FTP Hardening : Secure FTP software by upgrading to latest version
TMP Hardening : Hardening /tmp, /var/tmp, /dev/shm for preventing the execution of malicious scripts and codes.
PHP Tightening : Tweak PHP by changing the parameters of php configuration for better security and performance.
PHP Upgrade : Compile PHP to its latest stable version which increases server security.
Shell Fork Bomb/Memory Hog Protection : Protection against Telnet/SSH users using all of the server resources and causing a system crash.
Update Control Panel to latest version
Install Logwatch for investigating any suspicious activity on the server
Turn off unused services and daemons
Disabling Chargen to stop the server from being misused by an attacker in their efforts to disrupt another server.
Symlink Protection
Kernel Hardening
Crontab Hardening
MySQL Hardening
ClamAV : A cross-platform antivirus software toolkit able to detect many types of malicious software, including viruses.
Root Logger : Notification of root access when someone logs in as root on the server, along with the timestamp and IP address information.
Email Password Scan
Logwatch : Install Logwatch and review logwatch emails. Investigate any suspicious activity on the server.
IFTOP : Install IFTOP, which displays a frequently updated list of network bandwidth utilization (source and destination hosts) passing through the network interface.
Turn off compilers. Most rootkits come precompiled, but not all of them do. It will also prevent shell users from trying to compile any IRC-related programs.
Enable PHP open_basedir Protection : PHP open_basedir protection prevents users from opening files outside of their home directory with PHP.
Network Socket Inode Validation (NSIV) : A rule-based utility intended to aid in the validation of inodes against each LISTEN socket on a system.
Linux Environment Security (LES) : Helpful in enforcing root-only permissions on system binaries (binaries that have no place being executed by normal users), enforcing root-only path traversal on system paths, enforcing the immutable bit on essential rpm package contents (e.g. coreutils), and enforcing the immutable bit on shell profile scripts.

Mail Server Hardening

  • Spoof Prevention
  • Setting the sender header when the email sender tries to spoof the sender
  • Adding MailHeaders for PHP
  • Stopping spoofing from webmail and SMTP authenticated users
  • Removing sendmail
  • Dictionary attack protection
  • Reject remote mail sent to the server's hostname
  • Attachments: Filter messages with dangerous attachments
  • Scan messages for malware from authenticated senders
  • Scan outgoing messages for malware
  • Enable SMTP Restrictions
  • Configure high failure rate protection
  • Experimental: Rewrite From: header
  • Configure the max hourly emails settings

Installation/configuration of SpamAssassin & ClamAV, Realtime Blackhole Lists (RBLs), dictionary attack protection and rate limiting.

Mod Security (On Request)

ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure.

Mod Evasive (On Request)

Mod Evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.