


How To Garden Without Critters

awesome-security-hardening

A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is a work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or by forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact


Table of Contents

  • Security Hardening Guides and Best Practices
    • Hardening Guide Collections
    • GNU/Linux
      • Red Hat Enterprise Linux - RHEL
      • CentOS
      • SUSE
      • Ubuntu
    • Windows
    • macOS
    • Network Devices
      • Switches
      • Routers
      • IPv6
      • Firewalls
    • Virtualization - VMware
    • Containers - Docker
    • Services
      • SSH
      • TLS/SSL
      • Web Servers
        • Apache HTTP Server
        • Apache Tomcat
        • Eclipse Jetty
        • Microsoft IIS
      • Mail Servers
      • FTP Servers
      • Database Servers
      • Active Directory
      • ADFS
      • Kerberos
      • LDAP
      • DNS
      • NTP
      • NFS
      • CUPS
    • Authentication - Passwords
    • Hardware - CPU - BIOS - UEFI
    • Cloud
  • Tools
    • Tools to check security hardening
      • GNU/Linux
      • Windows
      • Network Devices
      • TLS/SSL
      • SSH
      • Hardware - CPU - BIOS - UEFI
      • Docker
      • Cloud
    • Tools to apply security hardening
      • GNU/Linux
      • Windows
      • TLS/SSL
      • Cloud
    • Password Generators
  • Books
  • Other Awesome Lists
    • Other Awesome Security Lists

Security Hardening Guides and Best Practices

Hardening Guide Collections

  • CIS Benchmarks (registration required)
  • ANSSI Best Practices
  • NSA Security Configuration Guidance
  • NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
  • US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
  • OpenSCAP Security Policies
  • Australian Cyber Security Center Publications
  • FIRST Best Practice Guide Library (BPGL)
  • Harden the World - a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).

GNU/Linux

  • ANSSI - Configuration recommendations of a GNU/Linux system
  • CIS Benchmark for Distribution Independent Linux
  • trimstray - The Practical Linux Hardening Guide - practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
  • trimstray - Linux Hardening Checklist - most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
  • How To Secure A Linux Server - for a single Linux server at home
  • nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
  • nixCraft - Tips To Protect Linux Servers Physical Console Access
  • TecMint - 4 Ways to Disable Root Account in Linux
  • ERNW - IPv6 Hardening Guide for Linux Servers
  • trimstray - Iptables Essentials: Common Firewall Rules and Commands
  • Neo23x0/auditd - Best Practice Auditd Configuration

Red Hat Enterprise Linux - RHEL

  • Red Hat - A Guide to Securing Red Hat Enterprise Linux 7
  • DISA STIGs - Red Hat Enterprise Linux 7 (2019)
  • CIS Benchmark for Red Hat Linux
  • nixCraft - How to set up a firewall using FirewallD on RHEL 8

CentOS

  • Lisenet - CentOS 7 Server Hardening Guide (2017)
  • HighOn.Coffee - Security Harden CentOS 7 (2015)

SUSE

  • SUSE Linux Enterprise Server 12 SP4 Security Guide
  • SUSE Linux Enterprise Server 12 Security and Hardening Guide

Ubuntu

  • Ubuntu documentation - Security
  • Ubuntu wiki - Security Hardening Features

Windows

  • Microsoft - Windows security baselines
  • Microsoft - Windows Server Security | Assurance
  • Microsoft - Windows 10 Enterprise Security
  • BSI/ERNW - Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities (2021) - focused on Windows 10 LTSC 2019
  • ACSC - Hardening Microsoft Windows 10, version 1709, Workstations
  • ACSC - Securing PowerShell in the Enterprise
  • Awesome Windows Domain Hardening
  • Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
  • Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
  • ERNW - IPv6 Hardening Guide for Windows Servers
  • NSA - AppLocker Guidance - Configuration guidance for implementing application whitelisting with AppLocker
  • NSA - Pass the Hash Guidance - Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
  • NSA - BitLocker Guidance - Configuration guidance for implementing disk encryption with BitLocker
  • NSA - Event Forwarding Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
  • Windows Defense in Depth Strategies - work in progress
  • Endpoint Isolation with the Windows Firewall based on Jessica Payne's 'Demystifying the Windows Firewall' talk from Ignite 2016

See also Active Directory and ADFS below.

macOS

  • ERNW - IPv6 Hardening Guide for OS-X

Network Devices

  • NSA - Harden Network Devices - very short but good summary

Switches

  • DISA - Layer 2 Switch SRG

Routers

  • NSA - A Guide to Border Gateway Protocol (BGP) Best Practices

IPv6

  • ERNW - Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
  • see also IPv6 links under GNU/Linux, Windows and macOS

Firewalls

  • NIST SP 800-41 Rev 1 - Guidelines on Firewalls and Firewall Policy (2009)
  • trimstray - Iptables Essentials: Common Firewall Rules and Commands

Virtualization - VMware

  • VMware Security Hardening Guides - covers most VMware products and versions
  • CIS VMware ESXi 6.5 Benchmark (2018)
  • DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
  • ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
  • NIST SP 800-125 - Guide to Security for Full Virtualization Technologies (2011)
  • NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms (2018)
  • NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (2016)
  • ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
  • ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d'information (2013), in French

Containers - Docker

  • How To Harden Your Docker Containers
  • CIS Docker Benchmarks - registration required
  • NIST SP 800-190 - Application Container Security Guide
  • A Practical Introduction to Container Security
  • ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker (2020), in French

Services

SSH

  • NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
  • ANSSI - (Open)SSH secure use recommendations
  • Linux Audit - OpenSSH security and hardening
  • Positron Security SSH Hardening Guides (2017-2018) - focused on crypto algorithms
  • stribika - Secure Secure Shell (2015) - some algorithm recommendations might be slightly outdated
  • Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services' crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
  • IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 - update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
  • Gravitational - How to SSH Properly - how to configure SSH to use certificates and two-factor authentication

TLS/SSL

  • NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
  • Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2019
  • ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
  • Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
  • RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
  • Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services' crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)

Web Servers

  • Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

Apache HTTP Server

  • Apache HTTP Server documentation - Security Tips
  • GeekFlare - Apache Web Server Hardening and Security Guide
  • Apache Config - Apache Security Hardening Guide

Apache Tomcat

  • Apache Tomcat 9 Security Considerations / v8 / v7
  • OWASP Securing tomcat
  • How to get Tomcat 9 to work with authbind to bind to port 80

Eclipse Jetty

  • Eclipse Jetty - Configuring Security
  • Jetty hardening (2015)

Microsoft IIS

  • CIS Microsoft IIS Benchmarks

Mail Servers

FTP Servers

Database Servers

Active Directory

  • Microsoft - Best Practices for Securing Active Directory
  • ANSSI CERT-FR - Active Directory Security Assessment Checklist - 2020 (English and French versions)
  • "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
  • "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory

ADFS

  • adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)
  • Microsoft - Best practices for securing Active Directory Federation Services

Kerberos

  • CIS MIT Kerberos 1.10 Benchmark - 2012

LDAP

  • OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations
  • Best Practices in LDAP Security (2011)
  • LDAP: Hardening Server Security (so administrators can sleep at night)
  • LDAP Authentication Best Practices - retrieved from web.archive.org
  • Hardening OpenLDAP on Linux with AppArmor and systemd - slides
  • zytrax LDAP for Rocket Scientists - LDAP Security
  • How To Encrypt OpenLDAP Connections Using STARTTLS

DNS

  • CIS - BIND DNS Server 9.9 Benchmark (2017)
  • DISA STIGs - BIND 9.x (2019)
  • NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide (2013)
  • CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
  • NSA BIND 9 DNS Security (2011)

NTP

  • IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp (last draft #13 in March 2019)
  • CMU SEI - Best Practices for NTP Services
  • Linux.com - Arrive On Time With NTP -- Part 2: Security Options
  • Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup

NFS

  • Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
  • Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 - Securing NFS
  • Red Hat - RHEL7 Storage Administration Guide - Securing NFS
  • NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
  • CertDepot - RHEL7: Use Kerberos to control access to NFS network shares

CUPS

  • CUPS Server Security

Authentication - Passwords

  • UK NCSC - Password administration for system owners
  • NIST SP 800-63 Digital Identity Guidelines
  • OWASP Password Storage Cheat Sheet

Hardware - CPU - BIOS - UEFI

  • ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
  • NSA - Hardware and Firmware Security Guidance - Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance.
  • NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
  • NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)

Cloud

  • NSA Info Sheet: Cloud Security Basics (August 2018)
  • DISA DoD Cloud Computing Security
  • asecure.cloud - Build a Secure Cloud - A free repository of customizable AWS security configurations and best practices

Tools

Tools to check security hardening

  • Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. Can run on Windows and many Linux distributions.

GNU/Linux

  • Lynis - script to check the configuration of Linux hosts
  • OpenSCAP Base - oscap command line tool
  • SCAP Workbench - GUI for oscap
  • Tiger - The Unix security audit and intrusion detection tool (might be outdated)
  • otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
  • SUDO_KILLER - A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo
  • CIS Benchmarks Audit - bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)

Windows

  • Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Microsoft DSC Environment Analyzer (DSCEA) - simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
  • HardeningAuditor - Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
  • PingCastle - Tool to check the security of Active Directory

Network Devices

  • Nipper-ng - to check the configuration of network devices (does not seem to be updated)

TLS/SSL

  • Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients
  • SSL Decoder - checks the SSL/TLS configuration of a server

SSH

  • ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Hardware - CPU - BIOS - UEFI

  • CHIPSEC: Platform Security Assessment Framework - framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components
  • chipsec-check - Tools to generate a Debian Linux distribution with chipsec to test hardware requirements

Docker

  • Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Cloud

  • toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Tools to apply security hardening

  • DevSec Hardening Framework - a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet

GNU/Linux

  • Linux Server Hardener - for Debian/Ubuntu (2019)
  • Bastille Linux - outdated

Windows

  • Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
  • Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
  • Disassembler0 Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
  • Automated-AD-Setup - A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
  • mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10

TLS/SSL

  • Mozilla SSL Configuration Generator

Cloud

  • toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Password Generators

  • How-To Geek - 10 Ways to Generate a Random Password from the Linux Command Line
  • Vitux - 8 Ways to Generate a Random Password on Linux Shell
  • SS64 - Password security and a comparison of Password Generators

Books

Other Awesome Lists

  • Awesome Cybersecurity Blue Team - A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

Other Awesome Security Lists

(borrowed from Awesome Security)

  • Awesome Security - A collection of awesome software, libraries, documents, books, resources and cool stuff about security.
  • Android Security Awesome - A collection of android security related resources.
  • Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
  • Awesome Cyber Skills - A curated list of hacking environments where you can train your cyber skills legally and safely.
  • Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
  • Awesome Honeypots - An awesome list of honeypot resources.
  • Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
  • Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
  • Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things.
  • Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
  • Awesome Incident Response - A curated list of resources for incident response.
  • Awesome Web Hacking - This list is for anyone who wishes to learn about web application security but does not have a starting point.
  • Awesome Threat Intelligence - A curated list of threat intelligence resources.
  • Awesome Pentest Cheat Sheets - Collection of the cheat sheets useful for pentesting
  • Awesome Industrial Control System Security - A curated list of resources related to Industrial Control System (ICS) security.
  • Awesome YARA - A curated list of awesome YARA rules, tools, and people.
  • Awesome Threat Detection and Hunting - A curated list of awesome threat detection and hunting resources.
  • Awesome Container Security - A curated list of awesome resources related to container building and runtime security
  • Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.

Source: https://github.com/decalage2/awesome-security-hardening

Posted by: peckfornow.blogspot.com
