
Apalya Production servers Hardening Process

Partition of HDD and RAM Size allocation as per Standard Size


The team should ensure that the HDD partitioning and the swap size allocation follow the standard sizes.

Named account with required access to their folders only


The team should ensure that only named accounts are present and that each account's access is limited to its own folders, with only the permissions it requires.

Application Installation:
The team should ensure that the application is installed in the allocated directory, not in the application's default directory.

No Root Login:
The team should ensure that there is no direct login as root, at either the user or the application level.

Anonymous FTP Access should be disabled


Management should ensure that anonymous access is disabled and that strong login credentials are used. For file transfer, a secure service such as SFTP should be used instead of a clear-text service such as FTP.

Strong Authentication Parameter


Management should ensure that easy-to-guess and/or organization-default passwords are not used. All passwords should comply with the organization's password complexity settings.

No Presence of VNC /Remote Services


Management should critically review whether VNC is required on the affected servers and disable it where it is not. Where it is required, management should consider implementing an IP-based access list/filter to restrict and limit access to the VNC servers. In addition, VNC sessions that cross a public network should be secured by tunneling them over SSH.

Clear Text Services should be disabled


Management should consider disabling the FTP service and, where file transfer is required, using SFTP, the secure alternative to clear-text FTP.

SU (Switch User) Privilege


Management should consider disabling the 'ALL ALL = (ALL) ALL' rule in the sudoers configuration and granting 'su' privilege only to root and/or admin users through a customized configuration in /etc/sudoers.
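As an added example (not part of the Apalya document), the following script audits a sudoers file for the unrestricted rule described above and shows the restricted replacement; both sudoers files are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example, not part of the Apalya document: audit a sudoers file for the
# unrestricted 'ALL ALL=(ALL) ALL' rule and show the restricted replacement.

# sudoers_grants_all FILE: true (exit 0) when an uncommented line grants ALL
# to every user; tolerates spacing variants such as 'ALL ALL = (ALL) ALL'.
sudoers_grants_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL' "$1"
}

# Constructed sample: the permissive configuration the checklist warns about.
PERMISSIVE=$(mktemp)
cat > "$PERMISSIVE" <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
ALL ALL = (ALL) ALL
EOF

# Constructed sample: the same file with the wildcard rule removed and
# 'su'-level access limited to root and members of the admin group.
RESTRICTED=$(mktemp)
cat > "$RESTRICTED" <<'EOF'
Defaults env_reset
# ALL ALL=(ALL) ALL   <- removed, it granted full sudo to everyone
root   ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF
trap 'rm -f "$PERMISSIVE" "$RESTRICTED"' EXIT

# audit_sudoers FILE: prints a verdict; returns 1 when the wildcard rule exists.
audit_sudoers() {
    if sudoers_grants_all "$1"; then
        echo "$1: FAIL - unrestricted 'ALL ALL=(ALL) ALL' rule present"
        return 1
    fi
    echo "$1: ok"
}

audit_sudoers "$PERMISSIVE" || true
audit_sudoers "$RESTRICTED" || true
```

On a live host, validate any edited sudoers file with `visudo -c` before relying on it.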

UMASK setting
We recommend configuring the umask for the root account to 077 (files accessible only to root) and for all other accounts to at least 027 (files writable only by the account itself).
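As an added example (not part of the Apalya document), this script checks whether the umask set in a shell profile is at least as restrictive as the values above, comparing the masks bit by bit rather than as plain numbers; the two profile files are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Apalya document: check that the umask set in
# a shell profile is at least as restrictive as the checklist requires
# (077 for root, 027 for everyone else).

# umask_ok VALUE REQUIRED: true when VALUE clears every permission bit that
# REQUIRED clears, e.g. 077 satisfies 027 but 022 does not.
umask_ok() {
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# last_umask FILE: the last 'umask NNN' line wins, as it does in a real profile.
last_umask() {
    awk '$1 == "umask" { v = $2 } END { print v }' "$1"
}

# Constructed sample profile: a lax default that an audit should flag.
LAX=$(mktemp)
printf 'umask 022\nexport PATH\n' > "$LAX"

# Constructed sample profile that meets the non-root requirement.
STRICT=$(mktemp)
printf '# the earlier value is overridden below\numask 022\numask 027\n' > "$STRICT"
trap 'rm -f "$LAX" "$STRICT"' EXIT

# audit_umask FILE REQUIRED: prints the verdict, returns 1 on failure.
audit_umask() {
    v=$(last_umask "$1")
    if [ -z "$v" ]; then echo "$1: no umask set"; return 1; fi
    if umask_ok "$v" "$2"; then echo "$1: umask $v ok (required $2)"; return 0; fi
    echo "$1: umask $v too permissive (required $2)"; return 1
}

audit_umask "$LAX" 027 || true      # flagged: 022 leaves group write open
audit_umask "$STRICT" 027 || true   # ok
audit_umask "$STRICT" 077 || true   # flagged against the root requirement
```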

SSH v1 should be disabled


Management should consider disabling support for version 1 of the SSH protocol and allowing only SSH version 2. Change the configuration in the sshd configuration file, /etc/sshd_config (on most current distributions /etc/ssh/sshd_config).
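As an added example (not part of the Apalya document), this script checks an sshd_config for the two settings the checklist asks for, 'Protocol 2' from this item and 'PermitRootLogin no' from the "No Root Login" item above; the two configuration files are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Apalya document: check an sshd_config for
# 'Protocol 2' (no SSH v1) and 'PermitRootLogin no'. sshd honours the first
# uncommented occurrence of a directive, so that is the one the checks read.

# active_directive FILE NAME: value of the first uncommented NAME line.
active_directive() {
    awk -v n="$2" 'tolower($1) == tolower(n) { print $2; exit }' "$1"
}

# protocol_v1_allowed FILE: true unless 'Protocol 2' is set explicitly.
# An absent directive is treated as a finding: the effective default depends
# on the OpenSSH version (7.0 and later contain no v1 code and ignore the
# directive), and the checklist wants v1 disabled by configuration.
protocol_v1_allowed() {
    case "$(active_directive "$1" Protocol)" in
        2) return 1 ;;
        *) return 0 ;;
    esac
}

# root_login_allowed FILE: only an explicit 'no' satisfies "No Root Login";
# 'prohibit-password' / 'without-password' still admit root with a key.
root_login_allowed() {
    case "$(active_directive "$1" PermitRootLogin)" in
        no) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed samples: a weak config (v1 still offered, root allowed) and a
# hardened one. '#Protocol 2' is a comment and must not count.
WEAK=$(mktemp); printf '#Protocol 2\nProtocol 2,1\nPermitRootLogin yes\n' > "$WEAK"
HARD=$(mktemp); printf 'Protocol 2\nPermitRootLogin no\n' > "$HARD"
trap 'rm -f "$WEAK" "$HARD"' EXIT

# audit_sshd FILE: prints findings; returns the number of findings.
audit_sshd() {
    n=0
    protocol_v1_allowed "$1" && { echo "$1: SSH protocol 1 not disabled"; n=$((n+1)); }
    root_login_allowed "$1"  && { echo "$1: PermitRootLogin is not 'no'"; n=$((n+1)); }
    [ "$n" -eq 0 ] && echo "$1: ok"
    return "$n"
}

audit_sshd "$WEAK" || true
audit_sshd "$HARD" || true
```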

Adequate Password Aging Parameters


Management should critically review the password parameter settings and implement appropriate values in compliance with the defined password policy.

No Multiple Accounts should be Present


Management should critically review whether these accounts are required; any that are not should be disabled. The following steps are recommended:
- remove the unused accounts;
- create additional accounts for the administrators;
- give every account an appropriate description;
- set an expiry value for each account.

No Default Login on Application Administration Console


Management should ensure that easy-to-guess and/or default passwords are not used. All passwords should comply with the organization's password complexity settings.

Access to application server


Management should consider restricting access to the management console options to a limited set of authorized users only.

URL Redirection should not be allowed between applications


The application should allow redirection only to a whitelist of URLs. Management should also ensure that the redirect parameters are passed in encrypted form rather than in clear text, to prevent tampering.

Insecure Cookie
Management should consider enabling the HttpOnly flag for session cookies. Marking a cookie as HttpOnly provides an additional layer of protection by making the cookie unreadable by client-side scripts.
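As an added example (not part of the Apalya document), this script lists the cookies in a captured HTTP response that are set without the HttpOnly attribute; the response is a constructed sample, and on a real server the same function can be fed the headers saved from curl.

```shell
#!/bin/sh
# Added example, not part of the Apalya document: report Set-Cookie headers
# that lack HttpOnly. The response below is constructed; on a real host the
# headers can be captured with 'curl -sD headers.txt -o /dev/null URL'.

# insecure_cookies FILE: prints the name of every Set-Cookie header whose
# attribute list lacks HttpOnly. Header name and attribute are matched
# case-insensitively; a trailing CR from CRLF line endings is tolerated.
insecure_cookies() {
    awk 'tolower($1) == "set-cookie:" {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)        # drop "Set-Cookie:"
            n = split(line, part, ";")
            name = part[1]; sub(/=.*/, "", name)  # "NAME=value" -> NAME
            found = 0
            for (i = 2; i <= n; i++) {
                a = part[i]
                gsub(/^[ \t]+/, "", a); gsub(/[ \t\r]+$/, "", a)
                if (tolower(a) == "httponly") found = 1
            }
            if (!found) print name
        }' "$1"
}

# Constructed response: one session cookie protected, one not, plus a
# non-session cookie that an audit should still report.
RESP=$(mktemp)
printf 'HTTP/1.1 200 OK\r\n' > "$RESP"
printf 'Set-Cookie: JSESSIONID=abc123; Path=/; Secure\r\n' >> "$RESP"
printf 'Set-Cookie: PHPSESSID=def456; Path=/; Secure; HttpOnly\r\n' >> "$RESP"
printf 'Set-Cookie: theme=dark; Path=/\r\n' >> "$RESP"
trap 'rm -f "$RESP"' EXIT

# insecure_cookie_count FILE: number of cookies reported, for a pass/fail gate.
insecure_cookie_count() {
    insecure_cookies "$1" | wc -l | tr -d ' '
}

insecure_cookies "$RESP"          # prints JSESSIONID and theme
echo "$(insecure_cookie_count "$RESP") cookie(s) without HttpOnly"
```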

Login Banner
The team should ensure that every user who logs in is bound by the login policy and is shown the login banner details upon logging in to the server.

Securing default JBoss Landing page:


For JBoss 4.x:
- Go to $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/ROOT.war/
- Rename index.html to <new filename>.html
- Create a new index.html containing the following HTML code:
<html><body><h1>Unauthorized Access</h1></body></html>

For JBoss 5.x:
- Go to $JBOSS_HOME/server/default/deploy/ROOT.war/
- Rename index.html to <new filename>.html
- Create a new index.html containing the following HTML code:
<html><body><h1>Unauthorized Access</h1></body></html>

No Default Login to MySQL, JBoss, or PHP


The team should ensure that MySQL, JBoss, and PHP applications are not installed with the default login and password, and that they are secured as per the application security policies.

Authentication on streaming servers


The team should ensure that an authentication module is in place at both the client and the streaming server to secure streaming.

Firewall Policies
The team should ensure that firewall policies are defined at the India CDN level and at the port level, covering both inbound and outbound traffic.
