Service-Specific Hardening

Each network service needs hardening beyond simply limiting who can reach it. Understanding the weaknesses specific to a service and applying the matching countermeasures limits what an attacker can do even when the port has to stay reachable. Focus hardening effort on the commonly exposed services that attackers target most often.

SSH hardening on Linux systems involves multiple configuration changes in /etc/ssh/sshd_config:

# Disable root login
PermitRootLogin no

# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes

# Limit user access (AllowUsers/AllowGroups exclude everyone not listed, so keep an
# existing session open and confirm your own account is covered before reloading)
AllowUsers admin john
AllowGroups sshusers

# Strengthen cryptography: modern key exchange, AEAD ciphers, encrypt-then-MAC
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Additional hardening: drop a session after two missed keepalives (10 minutes idle),
# cap login attempts per connection and multiplexed sessions per connection
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
MaxSessions 2

# Validate the file before reloading: sshd -t && systemctl reload sshd
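As an added check (example code written for this section, not from the original page): a small Python audit that parses an sshd_config, or the effective settings printed by `sshd -T`, and reports deviations from the baseline above. The sample config is constructed; the numeric bounds and the weak-cipher markers are this example's own assumptions.

```python
# Baseline from the sshd_config fragment above, keyed the way `sshd -T` prints
# keywords (lowercase): exact expected value, or (min, max) for numeric ones.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "clientaliveinterval": (1, 300),
    "clientalivecountmax": (1, 2),
    "maxauthtries": (1, 3),
    "maxsessions": (1, 2),
}
WEAK_CIPHER_MARKERS = ("-cbc", "3des", "arcfour")  # absent from the hardened list

def parse_sshd_config(text):
    """Keyword -> value for the global section of sshd_config or `sshd -T` output:
    comments skipped, Key=Value accepted, first occurrence wins (as in sshd), stop at Match."""
    settings = {}
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        parts = line.replace("=", " ").split(None, 1)
        if parts[0].lower() == "match":
            break  # Match directives are conditional; evaluate them with sshd -T -C
        settings.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return settings

def audit(settings):
    """Return findings as strings; an empty list means the baseline is met."""
    findings = []
    for key, expected in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif isinstance(expected, tuple):
            if not actual.isdigit() or not expected[0] <= int(actual) <= expected[1]:
                findings.append(f"{key}: {actual} outside {expected[0]}..{expected[1]}")
        elif actual.lower() != expected:
            findings.append(f"{key}: {actual} (expected {expected})")
    for alg in settings.get("ciphers", "").split(","):
        if any(marker in alg.lower() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"ciphers: weak algorithm {alg}")
    return findings

SAMPLE_CONFIG = """\
# constructed sample config, not taken from a real host
PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-cbc
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
"""
```

Feed it `sshd -T` output rather than the raw file when you want the values sshd actually applies, including compiled-in defaults for keywords the file leaves unset.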

RDP hardening on Windows requires Group Policy configuration and registry modifications:

# RDP listener settings live under the RDP-Tcp key; restart the Remote Desktop
# Services service (TermService) or reboot for changes to take effect
$rdp = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# SecurityLayer 2 = require TLS for the connection (0 = legacy RDP security, 1 = negotiate)
Set-ItemProperty -Path $rdp -Name SecurityLayer -Value 2

# Require Network Level Authentication so the user authenticates before a session is created
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1

# MinEncryptionLevel 3 = High (128-bit); 4 = FIPS-compliant
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Value 3

# Limit inbound RDP to the management subnet (192.168.1.0/24 is an example range);
# the wildcard covers both the TCP-In and the UDP-In built-in rules
Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (*-In)" |
    Set-NetFirewallRule -RemoteAddress "192.168.1.0/24"

Web server hardening focuses on both the web server software and underlying platform:

# Apache hardening (the Header directives need mod_headers: a2enmod headers)
cat >> /etc/apache2/conf-enabled/security.conf << 'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# Legacy header: current browsers ignore it, rely on a Content-Security-Policy instead
Header always set X-XSS-Protection "1; mode=block"
EOF
apachectl configtest && systemctl reload apache2

# Nginx hardening: these directives belong inside the http context, so write them to a
# file the stock nginx.conf includes there instead of appending after its closing brace
cat > /etc/nginx/conf.d/hardening.conf << 'EOF'
server_tokens off;
# add_header is not inherited by a server/location block that sets its own add_header;
# repeat these lines in any such block
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
EOF
nginx -t && systemctl reload nginx

Database server hardening requires special attention due to sensitive data exposure:

-- MySQL/MariaDB hardening (on MySQL 8 prefer DROP USER over editing mysql.user directly)
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
FLUSH PRIVILEGES;
-- Verify that only the intended accounts remain
SELECT User, Host FROM mysql.user;

-- Disable dangerous features (SET GLOBAL does not survive a restart;
-- also set local_infile=0 under [mysqld] in my.cnf)
SET GLOBAL local_infile = 0;
SET GLOBAL log_bin_trust_function_creators = 0;

-- Create application-specific users with minimal privileges
-- (replace the placeholder password with a generated secret)
CREATE USER 'webapp'@'192.168.1.%' IDENTIFIED BY 'StrongPassword123!';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'webapp'@'192.168.1.%';