How does a Server Hardening process work?

A server hardening process works by taking deliberate steps to ensure that every aspect of a server is as secure as possible. With the help of tools such as IT operations management software, you gain better visibility into the different components of your server and can verify that each part of the process has actually been carried out. Each step in the server hardening process further secures and protects your server.

Steps:

  • Physical Protection

Lock down access to your server rooms, use lockable racks and video surveillance. Keep in mind that any physical access to a server room can expose your machine to serious security issues. BIOS passwords can be cleared by resetting jumpers on the motherboard or by disconnecting the CMOS battery. An intruder can also steal the hard disks, or attach new disks directly to the motherboard interfaces (SATA, SCSI, etc.), boot a Linux live distribution, and clone or copy data without leaving any software trace.

  • Reduce Spying Impact

For highly sensitive data, you should consider advanced physical protection such as placing and locking the server in a Faraday cage, or using a military-grade TEMPEST solution, to minimize the risk of the system being spied on through radio-frequency or electrical emanations.

  • Secure BIOS/UEFI

Start hardening your machine by securing the BIOS/UEFI settings: in particular, set a BIOS/UEFI password and disable booting from removable media (CD, DVD, USB) to prevent unauthorized users from modifying the BIOS settings, altering the boot device priority, or booting the machine from an alternate medium.

  • Secure Boot Loader

Set a GRUB password to prevent malicious users from tampering with the kernel boot sequence or run levels, editing kernel parameters, or booting the system into single-user mode to reset the root password and gain privileged control.

  • Use Separate Disk Partitions

When installing the OS on a system intended as a production server, use dedicated partitions or dedicated hard disks for the following parts of the system:

  • Encrypt Transmitted Data

Do not use unencrypted protocols for remote access or file transfer such as Telnet or FTP, nor other plain-text application protocols such as SMTP, HTTP, NFS, or SMB, which by default do not encrypt authentication sessions or the data they send.

  • Use PGP and Public-Key Cryptography

To encrypt data on disk, use PGP and public-key cryptography, or the OpenSSL command to encrypt and decrypt sensitive files with a password.

  • Remove Unnecessary Software Packages

Install only the minimal software your machine requires; never install extra programs or services. Install packages only from trusted or official repositories. Choose a minimal installation of the system if the machine is destined to run its entire life as a server.

  • Update the System Frequently

Update the system regularly: keep the Linux kernel in sync with the latest security patches and keep all installed software up to date.
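As an added example (not code from the article), the following POSIX shell audit checks two of the steps above, the GRUB password and the plain-text listeners, by reading files so it can be pointed at `/etc/grub.d/40_custom` and `ss -Hltn` output on a real host or at the constructed samples it writes itself. The port list is an assumption derived from the protocols the article names, and the GRUB hash in the sample is a placeholder.

```shell
#!/bin/sh
# Added example: audit helpers for the "Secure Boot Loader" and "Encrypt Transmitted
# Data" steps. Each check reads a file so it can run against /etc/grub.d/40_custom
# and `ss -Hltn` output on a real host, or against the constructed samples below.

# GRUB is protected only when both a superuser list and a PBKDF2 hash
# (produced by grub-mkpasswd-pbkdf2) are present. Returns 0 when both exist.
grub_password_set() {
  grep -Eq '^[[:space:]]*set superusers=' "$1" &&
    grep -Eq '^[[:space:]]*password_pbkdf2 ' "$1"
}

# Flag listening sockets on the default ports of the plain-text protocols the
# article names (assumed ports): FTP 21, Telnet 23, SMTP 25, HTTP 80, NFS 2049,
# SMB 139/445. Input is `ss -Hltn`-style text; prints offenders, returns 1 if any.
plaintext_listeners() {
  awk '
    { n = split($4, a, ":"); port = a[n] }
    port == 21 || port == 23 || port == 25 || port == 80 ||
    port == 139 || port == 445 || port == 2049 { print; found = 1 }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# Human-readable report combining both checks.
audit() {
  if grub_password_set "$1"; then echo "PASS grub password set"
  else echo "FAIL grub password missing"; fi
  if plaintext_listeners "$2" >/dev/null; then echo "PASS no plain-text listeners"
  else echo "FAIL plain-text listeners:"; plaintext_listeners "$2" | sed 's/^/  /'; fi
}

# --- constructed sample inputs (placeholder hash, not a real host) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/40_custom" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
EOF
cat > "$tmpdir/ss.txt" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 *:2049 *:*
EOF

audit "$tmpdir/40_custom" "$tmpdir/ss.txt"
```

Port 80 is flagged even when the web server only redirects to HTTPS, so treat the report as findings to review rather than a verdict.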
