What server hardening is and why it is needed
Hardening literally means making the server resistant to attack. Linux distributions enable many services by default for the sake of broad usability: FTP, Telnet, RPC, Samba and others. Every one of them widens the attack surface. Hardening aims to shrink that surface as far as possible.
In Sayt.uz practice every new server is configured by an automated hardening script based on the CIS Benchmark and NIST recommendations, applying over 200 rules. This removes manual error and gives a consistent, reproducible result in audits.
Linux audit and initial check
The first step is understanding the current state. Tools such as Lynis, OpenSCAP or tiger scan the server and produce a security report covering open ports, running services, file permissions, user accounts and configuration settings. Each finding carries a severity level and a remediation recommendation.
Auditing is not a one-off task but a continuous process. At Sayt.uz Lynis runs weekly and the results are posted to Slack. If the score drops below 90, a ticket is created for the responsible engineer and the finding must be fixed within 48 hours.
Disabling unnecessary services
The rule "an unused service is an attack vector" always holds. The command systemctl list-unit-files shows every unit file together with its enablement state. A web server needs no FTP, Telnet, Avahi, CUPS or Bluetooth. They are shut down with systemctl disable (stops automatic start) and systemctl mask (also prevents the unit from being started manually or pulled in as a dependency).
Sayt.uz recommendation: the minimum production set is sshd, your application, the monitoring agent and the log forwarder. Everything else is disabled. For convenience a base image (Docker or AMI) is prepared so that all servers start from the same state.
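As an added example, not Sayt.uz's own hardening script: a POSIX shell dry run that reads output in the shape of systemctl list-unit-files --state=enabled, compares it with an assumed production allowlist (sshd, the application, a monitoring agent and a log forwarder; the unit names are assumptions) and prints the disable/mask commands for an engineer to review before running them.

```shell
#!/bin/sh
# Dry-run audit of enabled units against a production allowlist (added example).
# Nothing is changed on the host; the output is the list of commands to review.

# Assumed allowlist for a web server: sshd, the app, monitoring agent, log forwarder.
ALLOWED="sshd.service myapp.service node_exporter.service filebeat.service"

# is_allowed UNIT -> exit 0 when UNIT is in ALLOWED
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# unexpected_services < list-unit-files output
# Prints one unit per line for every enabled unit not in ALLOWED.
# Skips the header line, blank lines and the trailing "N unit files listed." line.
unexpected_services() {
    while read -r unit state _; do
        case "$unit" in
            ''|UNIT|*[!a-zA-Z0-9@._-]*) continue ;;
        esac
        [ "$state" = "enabled" ] || continue
        is_allowed "$unit" || printf '%s\n' "$unit"
    done
}

# plan_commands < list-unit-files output
# Emits the disable + mask commands for each unexpected unit (not executed here).
plan_commands() {
    unexpected_services | while read -r unit; do
        printf 'systemctl disable --now %s && systemctl mask %s\n' "$unit" "$unit"
    done
}

# Constructed sample, mimicking `systemctl list-unit-files --state=enabled` output.
SAMPLE='UNIT FILE                STATE   PRESET
sshd.service             enabled enabled
myapp.service            enabled enabled
vsftpd.service           enabled enabled
telnet.socket            enabled disabled
avahi-daemon.service     enabled enabled
cups.service             enabled enabled
node_exporter.service    enabled enabled
filebeat.service         enabled enabled

8 unit files listed.'

# On a real host, replace the sample with the live listing:
# systemctl list-unit-files --state=enabled | plan_commands
```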
Firewall and network segmentation
A firewall is a core part of hardening. Move away from default allow to default deny: open only the required ports, and only to the required sources. Rules are written with iptables, nftables or ufw; keep them simple and readable.
Sayt.uz network scheme: the external firewall (Cloudflare WAF) exposes only ports 80 and 443; the internal firewall allows SSH only from the bastion IP and the database port only from the application server IPs. Such segmentation stops an attacker who has compromised one server from pivoting freely to other systems.
SELinux and mandatory access control
SELinux is an additional security layer in the Linux kernel that enforces mandatory access control on every process and file. Even a process running as root is bound by the policy. AppArmor is the analogous mechanism on Ubuntu and Debian.
Many administrators turn SELinux off, claiming "it does not work", but this is a serious mistake. In Sayt.uz practice SELinux runs in enforcing mode and a custom policy is written for each application. The correct path is to start in permissive mode, analyze the audit log, and only then switch to enforcing.
Sayt.uz practice
Hardening at Sayt.uz: all servers are configured via an Ansible playbook (CIS Benchmark Level 2), SELinux is enforcing, fail2ban protects SSH and the web tier, auditd watches all critical files, unattended-upgrades is enabled, root login is fully forbidden, and every sudo command is logged. A Lynis audit runs monthly and a penetration test quarterly, with results reported to management.