General Security and Hardening Principles
Minimisation
- Only components strictly necessary for the system's functionality are installed.
- All services, especially those actively listening on the network, are considered sensitive. Only those essential for system operation and maintenance are installed; unjustified services are disabled, uninstalled, or removed.
- Features configured at the level of active services are limited to the bare minimum required.
Least Privilege
- Every object or entity managed by the system is granted only the permissions strictly necessary for its operation: no more, no less.
Defence in Depth
- Network services are hosted in separate environments (separate hosts, virtual machines or containers) whenever possible, so that the compromise of one service does not give an attacker a foothold against the others.
Monitoring and Maintenance
- The stable Debian distribution is used, and security updates are applied regularly.
System Installation
Minimal Package Installation
- Only essential packages are installed, so that the system is as minimal as possible for its intended purpose.
Repository Selection
- Only the distribution's official, up-to-date repositories (including the security repository) are used.
Root Password and Administrator Accounts
- The root password is chosen with the utmost care, following current recommendations, and is known only to those who need it.
- Each administrator has a dedicated account (local or remote) and does not use the root account for day-to-day administration. Privilege escalation is performed with tools such as sudo, so that every administrative action is traceable to an individual.
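The following script is an added example and not part of the original checklist: it provisions a personal administrator account that escalates through sudo, and audits the sudoers drop-in for rules that would make escalation passwordless or untraceable (NOPASSWD, !authenticate, or a rule granting rights to every user). The group name "admins", the drop-in path and the HARDEN_APPLY switch are assumptions; without the switch the script only defines the helpers.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Group name "admins" and
# the drop-in path are assumptions.
set -eu

ADMIN_GROUP=${ADMIN_GROUP:-admins}
SUDOERS_DROPIN=${SUDOERS_DROPIN:-/etc/sudoers.d/10-admins}

# Render the drop-in: members of the group may run anything, but must
# authenticate with their own password; sessions get a pty and their I/O is
# recorded so they can be replayed with sudoreplay.
render_sudoers_dropin() {
    cat <<EOF
Defaults use_pty
Defaults log_input, log_output
Defaults logfile="/var/log/sudo.log"
%$1 ALL=(ALL:ALL) ALL
EOF
}

# Return 0 if the file contains no rule that defeats traceability:
# NOPASSWD tags, "!authenticate", or a user specification whose first
# field is ALL (rights for everybody). Comment lines are ignored.
check_sudoers_dropin() {
    if grep -v '^[[:space:]]*#' "$1" |
       grep -qE 'NOPASSWD|!authenticate|^[[:space:]]*ALL[[:space:]]'; then
        return 1
    fi
    return 0
}

# Apply on a live system only when explicitly requested (needs root): create
# the group and the personal account, validate the drop-in with visudo, then
# install it with the mode sudo requires (0440).
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    admin=${1:?usage: HARDEN_APPLY=1 $0 <admin-username>}
    getent group "$ADMIN_GROUP" >/dev/null || groupadd "$ADMIN_GROUP"
    id "$admin" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$admin"
    usermod -aG "$ADMIN_GROUP" "$admin"
    tmp=$(mktemp)
    render_sudoers_dropin "$ADMIN_GROUP" > "$tmp"
    visudo -cf "$tmp"
    check_sudoers_dropin "$tmp"
    install -o root -g root -m 0440 "$tmp" "$SUDOERS_DROPIN"
    rm -f "$tmp"
fi
```

The account is created with a disabled password so that the administrator can only log in with an SSH key; the check function can also be pointed at any existing file under /etc/sudoers.d to find rules that were added by hand.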
System Configuration and Services
Hardening and Monitoring of Services Handling Arbitrary Traffic
- SSH access is permitted only via VPN.
- Root login is prohibited, and authentication is performed using SSH keys.
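As an added example (not part of the original checklist), the drop-in below enforces the two rules above and binds sshd to the VPN address only; the audit helper reproduces the rule that trips people up when checking such files by hand: sshd keeps the first value it reads for a keyword, so a directive in a drop-in included at the top of sshd_config overrides the same directive lower down, and anything after a Match line is conditional. The VPN address 10.8.0.1, the group name "admins" and the HARDEN_APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original checklist. The VPN address and the
# group name are assumptions.
set -eu

VPN_ADDR=${VPN_ADDR:-10.8.0.1}
ADMIN_GROUP=${ADMIN_GROUP:-admins}

# Drop-in for /etc/ssh/sshd_config.d/. Debian's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the FIRST value it
# sees for a keyword, so this file wins over the main file. On Debian 11
# (OpenSSH 8.4) spell the fifth line ChallengeResponseAuthentication.
render_sshd_dropin() {
    cat <<EOF
ListenAddress $1:22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
AllowGroups $2
EOF
}

# Print the effective global value of a keyword in one config file: first
# occurrence wins, comments are skipped, parsing stops at the first Match
# block, keywords are case-insensitive. The "Keyword=value" spelling and
# Include directives are not resolved here; "sshd -T" is authoritative live.
effective_sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 when root login and password authentication are effectively off.
# PubkeyAuthentication defaults to yes, so only an explicit "no" fails it.
check_sshd_config() {
    f=$1
    [ "$(effective_sshd_value "$f" PermitRootLogin)" = no ] || return 1
    [ "$(effective_sshd_value "$f" PasswordAuthentication)" = no ] || return 1
    [ "$(effective_sshd_value "$f" PubkeyAuthentication)" != no ] || return 1
    return 0
}

# Live application (needs root): install the drop-in, let sshd validate the
# merged configuration, and only then reload the service.
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    render_sshd_dropin "$VPN_ADDR" "$ADMIN_GROUP" \
        | install -o root -g root -m 0644 /dev/stdin /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t && systemctl reload ssh
fi
```

Before reloading, confirm that you still have a key-based session open from the VPN address; a typo in ListenAddress or AllowGroups locks every administrator out at once.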
Network Sysctl Settings
- IP forwarding is systematically disabled for servers that do not act as routers.
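The script below is an added example, not part of the original checklist. It renders a sysctl drop-in that disables forwarding on a host that is not a router and then checks the running kernel for drift by reading the values back from /proc/sys (the root is overridable so the check can be exercised offline). Besides the two forwarding keys, it includes the usual companion settings for a non-router (ICMP redirects, source routing, reverse-path filtering, martian logging, SYN cookies); those go beyond what the checklist states and are added here as assumptions, as is the drop-in path.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Keys other than the
# forwarding ones, and the drop-in path, are assumptions.
set -eu

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}   # overridable for offline testing
SYSCTL_DROPIN=${SYSCTL_DROPIN:-/etc/sysctl.d/99-hardening.conf}

render_sysctl_dropin() {
    cat <<'EOF'
# This host is not a router: never forward packets between interfaces.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# A non-router has no business sending ICMP redirects, and accepting them
# lets a neighbour rewrite our routing table.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Reject source-routed packets, drop spoofed sources, log what was dropped.
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF
}

# Print "key want=X have=Y" for every key in the drop-in whose running value
# differs. Keys the kernel does not expose (e.g. net.ipv6.* with IPv6
# disabled) are reported on stderr and skipped. Keys are mapped to
# /proc/sys paths by turning dots into slashes, which is correct for the
# keys above (interface names containing dots would need escaping).
sysctl_mismatches() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        want=$(printf '%s' "$want" | tr -d ' \t')
        path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "skip $key (not exposed by this kernel)" >&2
            continue
        fi
        have=$(cat "$path")
        [ "$have" = "$want" ] || echo "$key want=$want have=$have"
    done
}

# Return 0 if nothing drifted, otherwise print the mismatches and return 1.
check_sysctl_drift() {
    out=$(sysctl_mismatches "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Live application (needs root): install the drop-in, load it, re-check.
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    render_sysctl_dropin | install -o root -g root -m 0644 /dev/stdin "$SYSCTL_DROPIN"
    sysctl -p "$SYSCTL_DROPIN"
    check_sysctl_drift "$SYSCTL_DROPIN"
fi
```

The drift check is the part worth scheduling: a later package (a container runtime, a VPN daemon) can flip ip_forward back on at boot through its own drop-in, and reading /proc/sys catches that where inspecting /etc/sysctl.d does not.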
Dedicated Service Accounts
- Each service runs under its own exclusive system account, dedicated solely to its operation and without an interactive login shell.
Access Rights for Sensitive Files
- Files containing sensitive information (e.g., private keys and certificates) are readable only by the users and service accounts that need them; in particular, they are never world-readable.
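The helpers below are an added example covering both "Dedicated Service Accounts" and "Access Rights for Sensitive Files"; they are not part of the original checklist. They take explicit inputs (a passwd file, a path) so they can be run against a copy or a test fixture as well as the live system. The UID range and the nologin shells follow Debian conventions; the service name "svc-app" and the HARDEN_APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original checklist. UID range and shells
# follow Debian conventions; "svc-app" is an assumed service name.
set -eu

# Debian allocates system accounts below UID 1000 (FIRST_UID in
# /etc/adduser.conf). Print every system account other than root whose
# shell is not nologin/false, i.e. a service account somebody could log
# into interactively, and return 1 if there is any.
service_accounts_with_shell() {
    out=$(awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Return 0 if FILE is owned by OWNER and not readable or writable by
# "other". Group bits are tolerated only when the file's group is GROUP
# (Debian's convention for TLS private keys is root:ssl-cert 0640).
# GNU stat is assumed (coreutils on Debian).
check_private_file() {
    f=$1; owner=$2; grp=${3:-$2}
    set -- $(stat -c '%U %G %a' "$f")          # owner group octal-mode
    mode=$3
    other=${mode#"${mode%?}"}                   # last octal digit
    rest=${mode%?}
    grpbits=${rest#"${rest%?}"}; grpbits=${grpbits:-0}   # second-to-last digit
    [ "$1" = "$owner" ] || { echo "$f: owner $1, expected $owner"; return 1; }
    [ "$other" -eq 0 ] || { echo "$f: world-accessible (mode $mode)"; return 1; }
    if [ "$grpbits" -ne 0 ] && [ "$2" != "$grp" ]; then
        echo "$f: group-accessible by $2, expected $grp (mode $mode)"
        return 1
    fi
    return 0
}

# List regular files under DIR that carry the world-read bit (-perm -004 is
# POSIX find syntax) and return 1 if any exist.
world_readable_files() {
    out=$(find "$1" -type f -perm -004)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Live use (needs root): create a locked-down service account and audit the
# usual locations for private key material.
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
    svc=${1:-svc-app}
    id "$svc" >/dev/null 2>&1 ||
        adduser --system --group --no-create-home --shell /usr/sbin/nologin "$svc"
    service_accounts_with_shell /etc/passwd || true
    world_readable_files /etc/ssl/private || true
fi
```

Run the passwd check against /etc/passwd on the live host after every package installation: packages that ship their own daemon user normally get the shell right, but an account created by hand with adduser without --system ends up with /bin/bash and UID 1000 or above, which the first check would miss and the second rule (a personal account per human) would catch.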
Resident Services and Daemons
- Only network daemons strictly necessary for the system’s operation and the services they provide are active and listening on appropriate network interfaces.
- All other daemons are disabled and, wherever possible, uninstalled.
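To verify the two points above on a running host, the added example below (not part of the original checklist) parses the output of ss and reports every socket that is reachable from outside the host, together with the process that owns it. It works on a saved capture as well as live output; the sample capture embedded in the script is constructed for illustration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original checklist. SAMPLE is constructed
# data in "ss -Hltunp" format, not a capture from a real host.
set -eu

# Read "ss -Hltunp" output on stdin and print "proto local-address process"
# for each socket bound to something other than 127.0.0.0/8 or ::1. A
# wildcard bind (0.0.0.0, *, [::]) is the usual finding: the daemon answers
# on every interface, including ones it has no business serving. Process
# names are only visible for your own sockets unless ss runs as root.
exposed_listeners() {
    awk '
        {
            addr = $5
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            print $1, addr, proc
        }'
}

SAMPLE='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:3306      0.0.0.0:*    users:(("mariadbd",pid=900,fd=21))
tcp   LISTEN 0      511                *:80              *:*    users:(("nginx",pid=1001,fd=6),("nginx",pid=1002,fd=6))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=650,fd=5))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=600,fd=5))'

# "live" runs against this host (ss and systemctl from Debian's iproute2 and
# systemd); anything else demonstrates the parser on the constructed sample.
if [ "${1:-}" = live ]; then
    echo "## sockets reachable from outside this host"
    ss -Hltunp | exposed_listeners
    echo "## services enabled at boot (compare against the list above)"
    systemctl list-unit-files --type=service --state=enabled --no-legend
else
    printf '%s\n' "$SAMPLE" | exposed_listeners
fi
```

In the sample, rpcbind on 0.0.0.0:111 is the kind of daemon the rule targets: nothing on a typical web host needs it, so it is disabled and purged rather than firewalled. sshd on every interface contradicts the VPN-only rule above and is fixed with ListenAddress; chronyd and the database are correctly confined to loopback.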