awesome-security-hardening

A collection of awesome security hardening guides, tools and other resources. This is work in progress: please contribute by forking, editing and sending pull requests.

---

Security Hardening Guides

Hardening Guide Collections

• CIS Benchmarks (registration required)
• ANSSI Best Practices
• NSA Security Configuration Guidance
• NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
• US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
• Australian Cyber Security Center Publications
• FIRST Best Practice Guide Library (BPGL)

GNU/Linux

• ANSSI - Configuration recommendations of a GNU/Linux system
• nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
• nixCraft - Tips To Protect Linux Servers Physical Console Access

Red Hat Enterprise Linux - RHEL

• A Guide to Securing Red Hat Enterprise Linux 7
• DISA STIGs RHEL
• nixCraft - How to set up a firewall using FirewallD on RHEL 8

SUSE

• SUSE Linux Enterprise Server 12 SP4 Security Guide
• SUSE Linux Enterprise Server 12 Security and Hardening Guide

Ubuntu

Windows

• Awesome Windows Domain Hardening

macOS

Network Devices

• NSA - Harden Network Devices - very short but good summary

Switches

• DISA - Layer 2 Switch SRG

Routers

• NSA - A Guide to Border Gateway Protocol (BGP) Best Practices

Virtualization - VMware

• VMware Security Hardening Guides

Services

SSH

• NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
• ANSSI - (Open)SSH secure use recommendations
• Linux Audit - OpenSSH security and hardening
• Positron Security SSH Hardening Guides - focused on crypto algorithms

TLS/SSL

• NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• ANSSI - Security Recommendations for TLS
• Qualys SSL Labs - SSL and TLS Deployment Best Practices

Web Servers

Mail Servers

FTP Servers

Database Servers

LDAP

• OpenLDAP Security Considerations
• Best Practices in LDAP Security (2011)
• LDAP: Hardening Server Security (so administrators can sleep at night)
• LDAP Authentication Best Practices - retrieved from web.archive.org
• Hardening OpenLDAP on Linux with AppArmor and systemd - slides
• zytrax LDAP for Rocket Scientists - LDAP Security
• How To Encrypt OpenLDAP Connections Using STARTTLS

DNS

• NSA BIND 9 DNS Security (2011)

Authentication - Passwords

• UK NCSC - Password administration for system owners
• NIST SP 800-63 Digital Identity Guidelines

Hardware - BIOS - UEFI

• NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
• NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)

Cloud

• NSA Info Sheet: Cloud Security Basics (August 2018)
• DISA DoD Cloud Computing Security

Tools

Tools to check security hardening

• Lynis - script to check the configuration of Linux hosts
• Nipper-ng - to check the configuration of network devices (does not seem to be updated)

Tools to apply security hardening

• Bastille Linux - outdated
• Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.

Books