knowledge-base/KB/Linux/Server/Security hardening.md

---
creation date: 2022-01-08
tags: [note,linux,archlinux,security,hardening]
---

# Security hardening

## ssh
`ssh-guard` allowed.

## nginx

Execute the following

```
mkdir -p /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```

In `nginx.conf`, set the following inside the `http` block:

```
# security hardened
server_tokens off;
```


For each `server` block, set the following

```
listen 443 ssl http2;

# enable session resumption to improve https performance
ssl_session_timeout 5m;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;

# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1.2;

# ciphers chosen for forward secrecy and compatibility
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

# security hardened
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'; img-src 'self' data:;";
# OR: add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'";

# no access logs
access_log off;
```

## PHP

```
session.cookie_secure = true
session.use_only_cookies = 1
session.cookie_httponly = true
```

## journald

Set maximum journal retention in `/etc/systemd/journald.conf`:

```
MaxRetentionSec=604800
MaxFileSec=86400
```

This makes logs only available for seven days and rotate each day.

Apply changes directly with `journalctl --vacuum-time=7d`.

## Andere Dienste

Set log level to warn or error
Initial commit of knowledge base 2022-09-04 12:54:22 +00:00			`---`
			`creation date: 2022-01-08`
			`tags: [note,linux,archlinux,security,hardening]`
			`---`

			`# Security hardening`

			`## ssh`
			`ssh-guard` allowed.

			`## nginx`

			`Execute the following`

			```
			`mkdir -p /etc/nginx/ssl`
			`openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048`
			```

			In `nginx.conf`, set the following inside the `http` block:

			```
			`# security hardened`
			`server_tokens off;`
			```


			For each `server` block, set the following

			```
			`listen 443 ssl http2;`

			`# enable session resumption to improve https performance`
			`ssl_session_timeout 5m;`

			`# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits`
			`ssl_dhparam /etc/nginx/ssl/dhparam.pem;`

			`# enables server-side protection from BEAST attacks`
			`ssl_prefer_server_ciphers on;`

			`# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0`
			`ssl_protocols TLSv1.2;`

			`# ciphers chosen for forward secrecy and compatibility`
			`ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";`

			`# security hardened`
			`add_header X-Frame-Options SAMEORIGIN;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
			`add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'; img-src 'self' data:;";`
			`# OR: add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'";`

			`# no access logs`
			`access_log off;`
			```

			`## PHP`

			```
			`session.cookie_secure = true`
			`session.use_only_cookies = 1`
			`session.cookie_httponly = true`
			```

			`## journald`

			Set maximum journal retention in `/etc/systemd/journald.conf`:

			```
			`MaxRetentionSec=604800`
			`MaxFileSec=86400`
			```

			`This makes logs only available for seven days and rotate each day.`

			Apply changes directly with `journalctl --vacuum-time=7d`.

			`## Andere Dienste`

			`Set log level to warn or error`