Security Configuration of Our Servers

General Security and Hardening Principles

  • Minimisation
    Only components strictly necessary for the system’s functionality are installed.

    • All services, especially those actively listening on the network, are considered sensitive. Only those essential for system operation and maintenance are installed. Unjustified services are disabled, uninstalled, or removed.
    • Features configured at the level of active services must be limited to the bare minimum required.
  • Least Privilege
    Every object or entity managed by the system is granted only the permissions strictly necessary for its operation—no more, no less.

  • Defence in Depth
    Network services are hosted in separate environments whenever possible, so that the compromise of one service does not affect others that would otherwise share its environment.

  • Monitoring and Maintenance
    Regular updates are performed, and the stable Debian distribution is used.


System Installation

  • Minimal Package Installation
    Only essential packages are installed, so that the system contains only what is necessary for its intended purpose.

  • Repository Selection
    Only up-to-date official repositories of the distribution are used.

  • Root Password and Administrator Accounts

    • The root password is chosen with the utmost care, following current recommendations, and is known only to those who need access.
    • Each administrator has a dedicated account (local or remote) and does not use the root account for system administration access. Privilege escalation operations are carried out using tools like sudo, ensuring activities are traceable.

System Configuration and Services

  • Hardening and Monitoring of Services Handling Arbitrary Traffic

    • SSH access is permitted only via VPN.
    • Root login is prohibited, and authentication is performed using SSH keys.
  • Network Sysctl Settings

    • IP forwarding is systematically disabled for servers that do not act as routers.
  • Dedicated Service Accounts
    Each service has its own exclusive system account, dedicated solely to its operation.

  • Access Rights for Sensitive Files
    Files containing sensitive information (e.g., certificates) are readable only by users who need access.

  • Resident Services and Daemons

    • Only network daemons strictly necessary for the system’s operation and the services they provide are active and listening on appropriate network interfaces.
    • All other daemons are disabled and, wherever possible, uninstalled.
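
The SSH and sysctl rules listed above can be checked mechanically. The script below is an added example, not the provider's own tooling: it assumes key-only authentication is expressed as `PasswordAuthentication no`, and its function names and sample files are constructed for illustration.

```shell
# First value of an sshd_config keyword in the global section. sshd keeps the
# first value it reads and treats keywords case-insensitively.
# Simplifications: "Keyword value" form only, parsing stops at the first Match
# block, and Include directives are not followed.
sshd_value() {  # $1 = keyword, $2 = config file
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Last value of a key in a sysctl.conf-style file (a later line overrides an
# earlier one). Prints 0, the kernel default for forwarding, if the key is absent.
sysctl_value() {  # $1 = key, $2 = file
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { print (val == "" ? 0 : val) }
    ' "$2"
}

# Returns the number of findings (0 = compliant with the rules above).
audit() {  # $1 = sshd_config, $2 = sysctl file
    findings=0
    [ "$(sshd_value PermitRootLogin "$1")" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; findings=$((findings + 1)); }
    [ "$(sshd_value PasswordAuthentication "$1")" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; findings=$((findings + 1)); }
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        [ "$(sysctl_value "$key" "$2")" = "0" ] ||
            { echo "FAIL: $key is enabled"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# Constructed sample inputs (not taken from any real server).
tmp=$(mktemp -d)
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd_good"
# The earlier, weaker line wins; the commented-out line has no effect.
printf 'permitrootlogin prohibit-password\nPermitRootLogin no\n#PasswordAuthentication no\n' > "$tmp/sshd_bad"
printf 'net.ipv4.ip_forward = 0\n' > "$tmp/sysctl_good"
printf 'net.ipv4.ip_forward=0\nnet.ipv4.ip_forward = 1\n' > "$tmp/sysctl_bad"

audit "$tmp/sshd_good" "$tmp/sysctl_good" && echo "good host: compliant"
audit "$tmp/sshd_bad" "$tmp/sysctl_bad" || echo "bad host: $? finding(s)"
```

On a live host, the output of `sshd -T` saved to a file gives the effective SSH settings, and `sysctl -n <key>` gives the running kernel value rather than what one file declares.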
