awesome-security-hardening/README.md

299 lines
18 KiB
Markdown
Raw Normal View History

2019-04-29 08:13:07 -04:00
# awesome-security-hardening
2019-04-29 08:46:42 -04:00
[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
2019-05-03 05:23:40 -04:00
A collection of awesome security hardening guides, best practices, tools and other resources.
This is work in progress: please contribute by forking, editing and sending pull requests. You may also send suggestions on Twitter to [@decalage2](https://twitter.com/decalage2), or use https://www.decalage.info/contact
2019-04-29 08:46:42 -04:00
2019-05-10 04:30:46 -04:00
------
# Table of Contents
2019-05-14 04:12:32 -04:00
2019-05-10 04:30:46 -04:00
- [Security Hardening Guides and Best Practices](#security-hardening-guides-and-best-practices)
- [Hardening Guide Collections](#hardening-guide-collections)
- [GNU/Linux](#gnulinux)
- [Red Hat Enterprise Linux - RHEL](#red-hat-enterprise-linux---rhel)
- [SUSE](#suse)
- [Ubuntu](#ubuntu)
- [Windows](#windows)
- [macOS](#macos)
- [Network Devices](#network-devices)
- [Switches](#switches)
- [Routers](#routers)
- [Virtualization - VMware](#virtualization---vmware)
2019-05-14 05:47:56 -04:00
- [Containers - Docker](#containers---docker)
2019-05-10 04:30:46 -04:00
- [Services](#services)
- [SSH](#ssh)
- [TLS/SSL](#tlsssl)
- [Web Servers](#web-servers)
- [Apache HTTP Server](#apache-http-server)
- [Apache Tomcat](#apache-tomcat)
- [Eclipse Jetty](#eclipse-jetty)
- [Microsoft IIS](#microsoft-iis)
- [Mail Servers](#mail-servers)
- [FTP Servers](#ftp-servers)
- [Database Servers](#database-servers)
2019-05-14 04:46:13 -04:00
- [Active Directory](#active-directory)
- [ADFS](#adfs)
2019-05-10 04:30:46 -04:00
- [LDAP](#ldap)
- [DNS](#dns)
- [NTP](#ntp)
- [CUPS](#cups)
- [Authentication - Passwords](#authentication---passwords)
- [Hardware - BIOS - UEFI](#hardware---bios---uefi)
- [Cloud](#cloud)
- [Tools](#tools)
- [Tools to check security hardening](#tools-to-check-security-hardening)
- [GNU/Linux](#gnulinux-1)
- [Network Devices](#network-devices-1)
- [TLS/SSL](#tlsssl-1)
2019-05-14 05:47:56 -04:00
- [Docker](#docker)
2019-05-10 04:30:46 -04:00
- [Tools to apply security hardening](#tools-to-apply-security-hardening)
- [GNU/Linux](#gnulinux-2)
- [Windows](#windows-1)
- [Books](#books)
2019-05-14 04:12:32 -04:00
- [Other Awesome Lists](#other-awesome-lists)
- [Other Awesome Security Lists](#other-awesome-security-lists)
2019-05-10 04:30:46 -04:00
2019-04-29 08:46:42 -04:00
------
2019-05-03 05:23:40 -04:00
# Security Hardening Guides and Best Practices
2019-04-29 08:46:42 -04:00
## Hardening Guide Collections
- [CIS Benchmarks](https://learn.cisecurity.org/benchmarks) (registration required)
- [ANSSI Best Practices](https://www.ssi.gouv.fr/en/best-practices/)
- [NSA Security Configuration Guidance](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/index.cfm?PAGE=1&itemsQty=ALL)
2019-05-01 02:35:50 -04:00
- [NSA Cybersecurity Resources for Cybersecurity Professionals](https://www.nsa.gov/what-we-do/cybersecurity/) and [NSA Cybersecurity publications](https://nsacyber.github.io/publications.html)
2019-04-30 04:00:08 -04:00
- [US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)](https://iase.disa.mil/stigs/Pages/index.aspx)
2019-05-06 05:38:34 -04:00
- [OpenSCAP Security Policies](https://www.open-scap.org/security-policies/)
2019-04-29 08:46:42 -04:00
- [Australian Cyber Security Center Publications](https://www.cyber.gov.au/publications)
- [FIRST Best Practice Guide Library (BPGL)](https://www.first.org/resources/guides/)
## GNU/Linux
- [ANSSI - Configuration recommendations of a GNU/Linux system](https://www.ssi.gouv.fr/en/guide/configuration-recommendations-of-a-gnulinux-system/)
2019-05-14 04:57:53 -04:00
- [How To Secure A Linux Server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) - for a single Linux server at home
2019-04-29 08:46:42 -04:00
- [nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)](https://www.cyberciti.biz/tips/linux-security.html)
2019-04-30 02:48:12 -04:00
- [nixCraft - Tips To Protect Linux Servers Physical Console Access](https://www.cyberciti.biz/tips/tips-to-protect-linux-servers-physical-console-access.html)
- [TecMint - 4 Ways to Disable Root Account in Linux](https://www.tecmint.com/disable-root-login-in-linux/)
2019-04-29 08:46:42 -04:00
### Red Hat Enterprise Linux - RHEL
- [A Guide to Securing Red Hat Enterprise Linux 7](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index)
2019-04-30 02:40:39 -04:00
- [DISA STIGs RHEL](https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx)
2019-04-30 02:46:01 -04:00
- [nixCraft - How to set up a firewall using FirewallD on RHEL 8](https://www.cyberciti.biz/faq/configure-set-up-a-firewall-using-firewalld-on-rhel-8/)
2019-04-29 08:46:42 -04:00
### SUSE
- [SUSE Linux Enterprise Server 12 SP4 Security Guide](https://www.suse.com/documentation/sles-12/singlehtml/book_security/book_security.html)
2019-04-30 02:33:33 -04:00
- [SUSE Linux Enterprise Server 12 Security and Hardening Guide](https://www.suse.com/documentation/sles-12/book_hardening/data/book_hardening.html)
2019-04-29 08:46:42 -04:00
### Ubuntu
2019-05-10 06:17:36 -04:00
- [Ubuntu documentation - Security](https://help.ubuntu.com/lts/serverguide/security.html.en)
- [Ubuntu wiki - Security Hardening Features](https://wiki.ubuntu.com/Security/Features)
2019-04-29 08:46:42 -04:00
## Windows
2019-05-10 06:13:33 -04:00
- [Microsoft - Windows security baselines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines)
- [Microsoft - Windows Server Security | Assurance](https://docs.microsoft.com/en-us/windows-server/security/security-and-assurance)
- [Microsoft - Windows 10 Enterprise Security](https://docs.microsoft.com/en-us/windows/security/)
2019-05-14 04:46:13 -04:00
- [ACSC - Hardening Microsoft Windows 10, version 1709, Workstations](https://www.cyber.gov.au/publications/hardening-microsoft-windows-10-build-1709)
- [ACSC - Securing PowerShell in the Enterprise](https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise)
2019-05-01 02:27:47 -04:00
- [Awesome Windows Domain Hardening](https://github.com/PaulSec/awesome-windows-domain-hardening)
- [Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server](https://support.microsoft.com/en-gb/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server)
- [Microsoft recommended block rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules) - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
2019-05-01 02:27:47 -04:00
2019-05-14 04:46:13 -04:00
See also [Active Directory](#active-directory) and [ADFS](#adfs) below.
2019-05-14 04:12:32 -04:00
2019-04-29 08:46:42 -04:00
## macOS
## Network Devices
- [NSA - Harden Network Devices](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/harden-network-devices.cfm) - very short but good summary
### Switches
- [DISA - Layer 2 Switch SRG](http://iasecontent.disa.mil/stigs/zip/U_Layer_2_Switch_V1R3_SRG.zip)
### Routers
2019-05-01 02:44:53 -04:00
- [NSA - A Guide to Border Gateway Protocol (BGP) Best Practices](https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-guide-to-border-gateway-protocol-best-practices.pdf?v=1)
2019-04-30 02:52:27 -04:00
2019-04-29 08:46:42 -04:00
## Virtualization - VMware
- [VMware Security Hardening Guides](https://www.vmware.com/security/hardening-guides.html)
2019-05-14 05:47:56 -04:00
## Containers - Docker
- [How To Harden Your Docker Containers](https://www.secjuice.com/how-to-harden-docker-containers/)
- [CIS Docker Benchmarks](https://www.cisecurity.org/benchmark/docker/) - registration required
2019-04-29 08:46:42 -04:00
## Services
### SSH
- [NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)](https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7966.pdf)
- [ANSSI - (Open)SSH secure use recommendations](https://www.ssi.gouv.fr/en/guide/openssh-secure-use-recommendations/)
- [Linux Audit - OpenSSH security and hardening](https://linux-audit.com/audit-and-harden-your-ssh-configuration/)
2019-04-30 02:37:43 -04:00
- [Positron Security SSH Hardening Guides](https://www.sshaudit.com/hardening_guides.html) - focused on crypto algorithms
2019-04-29 08:46:42 -04:00
2019-05-02 09:36:39 -04:00
### TLS/SSL
2019-05-03 05:08:39 -04:00
- [NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations](https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft) - 2018, recommends TLS 1.3
- [Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS)](https://www.ncsc.nl/english/current-topics/factsheets/it-security-guidelines-for-transport-layer-security-tls.html) - 2019
2019-05-03 05:08:39 -04:00
- [ANSSI - Security Recommendations for TLS](https://www.ssi.gouv.fr/en/guide/security-recommendations-for-tls/) - 2017, does not cover TLS 1.3
- [Qualys SSL Labs - SSL and TLS Deployment Best Practices](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) - 2017, does not cover TLS 1.3
2019-05-03 06:23:18 -04:00
- [RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List](https://tools.ietf.org/html/rfc7540#appendix-A)
2019-05-02 09:36:39 -04:00
2019-04-29 08:46:42 -04:00
### Web Servers
2019-05-07 05:36:00 -04:00
- [Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd](https://cipherli.st/)
2019-05-07 05:17:51 -04:00
#### Apache HTTP Server
- [Apache HTTP Server documentation - Security Tips](http://httpd.apache.org/docs/current/misc/security_tips.html)
- [GeekFlare - Apache Web Server Hardening and Security Guide](https://geekflare.com/apache-web-server-hardening-security/)
- [Apache Config - Apache Security Hardening Guide](https://www.apachecon.eu/)
2019-05-07 04:18:09 -04:00
#### Apache Tomcat
- [Apache Tomcat 9 Security Considerations](https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html) / [v8](https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html) / [v7](https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
- [OWASP Securing tomcat](https://www.owasp.org/index.php/Securing_tomcat)
2019-05-07 05:11:18 -04:00
- [How to get Tomcat 9 to work with authbind to bind to port 80](https://serverfault.com/questions/889122/how-to-get-tomcat-9-to-work-with-authbind-to-bind-to-port-80)
2019-05-07 04:18:09 -04:00
2019-05-07 04:33:14 -04:00
#### Eclipse Jetty
- [Eclipse Jetty - Configuring Security](https://www.eclipse.org/jetty/documentation/current/configuring-security.html)
- [Jetty hardening](https://virgo47.wordpress.com/2015/02/07/jetty-hardening/) (2015)
2019-05-07 06:00:42 -04:00
#### Microsoft IIS
- [CIS Microsoft IIS Benchmarks](https://learn.cisecurity.org/benchmarks)
2019-04-29 08:46:42 -04:00
### Mail Servers
### FTP Servers
### Database Servers
2019-05-14 04:46:13 -04:00
### Active Directory
- [Microsoft - Best Practices for Securing Active Directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)
- ["Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD](https://blogs.technet.microsoft.com/lrobins/2011/06/23/admin-free-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad/)
- ["Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory](https://blogs.technet.microsoft.com/lrobins/2011/06/23/admin-free-active-directory-and-windows-part-2-protected-accounts-and-groups-in-active-directory/)
### ADFS
2019-05-14 04:12:32 -04:00
- [adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)](https://adsecurity.org/?p=3782)
- [Microsoft - Best practices for securing Active Directory Federation Services](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs)
2019-04-29 08:46:42 -04:00
### LDAP
2019-04-30 03:11:42 -04:00
- [OpenLDAP Security Considerations](http://www.openldap.org/doc/admin24/security.html)
2019-04-30 03:18:08 -04:00
- [Best Practices in LDAP Security](https://www.skills-1st.co.uk/papers/ldap-best-2011/best-practices-in-ldap-security.pdf) (2011)
2019-04-30 03:21:32 -04:00
- [LDAP: Hardening Server Security (so administrators can sleep at night)](https://ff1959.wordpress.com/2013/07/31/ldap-hardening-server-security-so-administrators-can-sleep-at-night/)
2019-05-01 06:07:10 -04:00
- [LDAP Authentication Best Practices](http://web.archive.org/web/20130801091446/http://www.ldapguru.info/ldap/authentication-best-practices.html) - retrieved from web.archive.org
- [Hardening OpenLDAP on Linux with AppArmor and systemd](http://www.openldap.org/conf/odd-tuebingen-2018/Michael1.pdf) - slides
2019-05-01 07:52:41 -04:00
- [zytrax LDAP for Rocket Scientists - LDAP Security](http://www.zytrax.com/books/ldap/ch15/)
- [How To Encrypt OpenLDAP Connections Using STARTTLS](https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls)
2019-04-30 03:11:42 -04:00
2019-04-30 02:56:14 -04:00
### DNS
- [NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide](https://csrc.nist.gov/publications/detail/sp/800-81/2/final) (2013)
- [CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure](https://insights.sei.cmu.edu/sei_blog/2017/02/six-best-practices-for-securing-a-robust-domain-name-system-dns-infrastructure.html)
2019-04-30 02:56:14 -04:00
- [NSA BIND 9 DNS Security](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/applications/bind-9-dns-security.cfm) (2011)
2019-05-06 03:43:58 -04:00
### NTP
- [IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp](https://tools.ietf.org/html/draft-reilly-ntp-bcp) (2019)
- [CMU SEI - Best Practices for NTP Services](https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html)
- [Linux.com - Arrive On Time With NTP -- Part 2: Security Options](https://www.linux.com/learn/arrive-time-ntp-part-2-security-options)
- [Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup](https://www.linux.com/learn/2017/2/arrive-time-ntp-part-3-secure-setup)
2019-05-06 03:43:58 -04:00
2019-05-07 04:23:04 -04:00
### CUPS
- [CUPS Server Security](https://www.cups.org/doc/security.html)
2019-04-29 09:27:22 -04:00
## Authentication - Passwords
- [UK NCSC - Password administration for system owners](https://www.ncsc.gov.uk/collection/passwords)
- [NIST SP 800-63 Digital Identity Guidelines](https://pages.nist.gov/800-63-3/)
2019-05-01 02:49:58 -04:00
## Hardware - BIOS - UEFI
- [NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)](https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-uefi-lockdown.pdf?v=1)
- [NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)](https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-uefi-defensive-practices-guidance.pdf?ver=2018-11-06-074836-090)
2019-05-01 02:54:10 -04:00
## Cloud
- [NSA Info Sheet: Cloud Security Basics (August 2018)](https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-cloud-security-basics.pdf?v=1)
- [DISA DoD Cloud Computing Security](https://iase.disa.mil/cloud_security/Pages/index.aspx)
2019-04-29 08:46:42 -04:00
# Tools
## Tools to check security hardening
### GNU/Linux
2019-05-01 08:39:20 -04:00
- [Lynis](https://cisofy.com/lynis/) - script to check the configuration of Linux hosts
2019-05-06 05:38:34 -04:00
- [OpenSCAP Base](https://www.open-scap.org/tools/openscap-base/) - oscap command line tool
- [SCAP Workbench](https://www.open-scap.org/tools/scap-workbench/) - GUI for oscap
- [Tiger - The Unix security audit and intrusion detection tool](https://www.nongnu.org/tiger/) (might be outdated)
### Network Devices
2019-05-01 08:39:20 -04:00
- [Nipper-ng](https://github.com/arpitn30/nipper-ng) - to check the configuration of network devices (does not seem to be updated)
### TLS/SSL
2019-05-03 05:17:35 -04:00
- [Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients](https://github.com/ssllabs/research/wiki/Assessment-Tools)
2019-04-29 08:46:42 -04:00
2019-05-14 05:47:56 -04:00
### Docker
- [Docker Bench for Security](https://github.com/docker/docker-bench-security) - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.
2019-04-29 08:46:42 -04:00
## Tools to apply security hardening
### GNU/Linux
2019-05-14 04:57:53 -04:00
- [Linux Server Hardener](https://github.com/pratiktri/server_init_harden) - for Debian/Ubuntu (2019)
2019-04-29 09:01:42 -04:00
- [Bastille Linux](http://bastille-linux.sourceforge.net/) - outdated
### Windows
2019-04-29 09:01:42 -04:00
- [Hardentools](https://github.com/securitywithoutborders/hardentools) - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
2019-05-12 06:31:04 -04:00
- [Windows 10 Hardening](https://github.com/aghorler/Windows-10-Hardening) - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
2019-05-12 06:33:17 -04:00
- [Hardening Auditor](https://github.com/cottinghamd/HardeningAuditor) - Scripts for comparing Microsoft Windows compliance with the ASD 1709 & Office 2016 Hardening Guides
2019-05-12 06:31:04 -04:00
- [Windows 10 Initial Setup Script](https://github.com/Disassembler0/Win10-Initial-Setup-Script) - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
2019-04-29 09:01:42 -04:00
2019-04-29 08:46:42 -04:00
# Books
2019-05-13 07:47:19 -04:00
# Other Awesome Lists
(borrowed from [Awesome Security](https://github.com/sbilly/awesome-security))
## Other Awesome Security Lists
- [Awesome Security](https://github.com/sbilly/awesome-security) - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
- [Android Security Awesome](https://github.com/ashishb/android-security-awesome) - A collection of android security related resources.
- [Awesome CTF](https://github.com/apsdehal/awesome-ctf) - A curated list of CTF frameworks, libraries, resources and software.
- [Awesome Cyber Skills](https://github.com/joe-shenouda/awesome-cyber-skills) - A curated list of hacking environments where you can train your cyber skills legally and safely.
- [Awesome Hacking](https://github.com/carpedm20/awesome-hacking) - A curated list of awesome Hacking tutorials, tools and resources.
- [Awesome Honeypots](https://github.com/paralax/awesome-honeypots) - An awesome list of honeypot resources.
- [Awesome Malware Analysis](https://github.com/rshipp/awesome-malware-analysis) - A curated list of awesome malware analysis tools and resources.
- [Awesome PCAP Tools](https://github.com/caesar0301/awesome-pcaptools) - A collection of tools developed by other researchers in the Computer Science area to process network traces.
- [Awesome Pentest](https://github.com/enaqx/awesome-pentest) - A collection of awesome penetration testing resources, tools and other shiny things.
- [Awesome Linux Containers](https://github.com/Friz-zy/awesome-linux-containers) - A curated list of awesome Linux Containers frameworks, libraries and software.
- [Awesome Incident Response](https://github.com/meirwah/awesome-incident-response) - A curated list of resources for incident response.
- [Awesome Web Hacking](https://github.com/infoslack/awesome-web-hacking) - This list is for anyone wishing to learn about web application security but do not have a starting point.
- [Awesome Threat Intelligence](https://github.com/hslatman/awesome-threat-intelligence) - A curated list of threat intelligence resources.
- [Awesome Pentest Cheat Sheets](https://github.com/coreb1t/awesome-pentest-cheat-sheets) - Collection of the cheat sheets useful for pentesting
- [Awesome Industrial Control System Security](https://github.com/mpesen/awesome-industrial-control-system-security) - A curated list of resources related to Industrial Control System (ICS) security.
- [Awesome YARA](https://github.com/InQuest/awesome-yara) - A curated list of awesome YARA rules, tools, and people.
- [Awesome Threat Detection and Hunting](https://github.com/0x4D31/awesome-threat-detection) - A curated list of awesome threat detection and hunting resources.
- [Awesome Container Security](https://github.com/kai5263499/container-security-awesome) - A curated list of awesome resources related to container building and runtime security
- [Awesome Crypto Papers](https://github.com/pFarb/awesome-crypto-papers) - A curated list of cryptography papers, articles, tutorials and howtos.