
You are reading Part 45 of the 57-part series: Harden and Secure Linux Servers. [Level 5]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

The Center for Internet Security (CIS) Benchmarks are industry-standard best practices for securing operating systems, applications, and cloud environments. Implementing CIS benchmarks ensures:

✅ Hardened server configurations against cyber threats.
✅ Compliance with security frameworks like NIST, ISO 27001, and PCI-DSS.
✅ Reduced attack surface by eliminating misconfigurations and vulnerabilities.
✅ Automated security auditing to enforce best practices.

By applying CIS benchmarks, you enhance security, maintain compliance, and proactively defend against threats.

How to Implement CIS Benchmarks for Linux Servers

1. Download the CIS Benchmark for Your OS
  1. Visit the CIS Website:

  2. Download the benchmark for your Linux distribution (Ubuntu, Debian, CentOS, RHEL).

  3. Review the recommendations and implement the security settings manually or with automation tools.

2. Automate Benchmarking with CIS-CAT Pro or Lynis

To scan for security misconfigurations, use CIS-CAT Lite (free) or Lynis.

Option 1: Install and Run CIS-CAT Lite
  1. Download CIS-CAT Lite from CIS Workbench.

  2. Extract and run the tool:

    tar -xvf CIS-CAT-Lite.tar.gz
    cd CIS-CAT-Lite
    ./cis-cat.sh -a
    
  3. Review the security audit report and apply recommendations.

Option 2: Use Lynis for Automated Auditing

Lynis is a lightweight and open-source security auditing tool.

  1. Install Lynis:

    sudo apt install lynis -y   # Debian/Ubuntu
    sudo yum install lynis -y   # CentOS/RHEL
  2. Run a full system security audit:

    sudo lynis audit system
    
  3. Review the security report:

    cat /var/log/lynis-report.dat
    
  4. Apply CIS security recommendations based on the audit findings.

3. Implement Key CIS Security Hardening Recommendations
A. Restrict Root Access and Enforce Least Privilege
  • Disable root login via SSH:

    sudo nano /etc/ssh/sshd_config
    

    Change:

    PermitRootLogin no
    

    Restart SSH:

    sudo systemctl restart sshd
    
  • Enforce sudo authentication:

    sudo visudo
    

    Ensure:

    Defaults timestamp_timeout=5
    
B. Enable Strong Authentication Policies
  • Enforce password complexity:

    sudo nano /etc/security/pwquality.conf
    

    Set:

    minlen = 12
    minclass = 3
    
  • Enable automatic account lockout after failed logins:

    sudo nano /etc/pam.d/common-auth
    

    Add:

    # place this line before the pam_unix.so entry so failures are counted
    auth required pam_tally2.so onerr=fail deny=5 unlock_time=900
    # pam_tally2 is deprecated upstream and no longer shipped by many current
    # distributions; pam_faillock is the supported replacement there
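
Before changing any of the files in A and B, it helps to audit what they currently say. The script below is an added example written for this post, not part of it and not a CIS tool: it reads an sshd_config, a pwquality.conf and a sudoers file (copies or fixtures are fine) and reports PASS/FAIL against the values recommended above. The fixture contents, the helper names and the 0..5 range accepted for timestamp_timeout are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit the settings from sections A
# and B instead of editing files blind. Each check reads the file it is given,
# so it runs against copies or test fixtures; on a live host pass
# /etc/ssh/sshd_config, /etc/security/pwquality.conf and /etc/sudoers.
# Thresholds (minlen 12, minclass 3, timestamp_timeout 5) are the post's values.
# Requires awk; assumes Linux.

# Effective value of an sshd_config keyword. Keywords are case-insensitive and
# the first non-comment occurrence wins (sshd_config(5)).
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Value of "name = value" in pwquality.conf; empty if unset.
pwquality_value() {
  awk -F= -v key="$2" '
    /^[[:space:]]*#/ { next }
    { k = $1; gsub(/[[:space:]]/, "", k) }
    k == key { v = $2; gsub(/[[:space:]]/, "", v); found = v }
    END { print found }
  ' "$1"
}

# timestamp_timeout from a "Defaults" line in sudoers; empty if unset.
sudo_timestamp_timeout() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "Defaults" {
      for (i = 2; i <= NF; i++) {
        n = split($i, opt, ",")
        for (j = 1; j <= n; j++)
          if (opt[j] ~ /^timestamp_timeout=/) { sub(/^timestamp_timeout=/, "", opt[j]); t = opt[j] }
      }
    }
    END { print t }
  ' "$1"
}

# Checks print one PASS/FAIL line each and return 0 on pass, 1 on fail.
check_permit_root_login() {
  v=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
  if [ "$v" = "no" ]; then echo "PASS PermitRootLogin=no"; return 0; fi
  echo "FAIL PermitRootLogin=${v:-unset} (OpenSSH's default is prohibit-password)"; return 1
}

check_pwquality() {
  minlen=$(pwquality_value "$1" minlen)
  minclass=$(pwquality_value "$1" minclass)
  rc=0
  if [ "${minlen:-0}" -ge 12 ]; then echo "PASS minlen=$minlen"; else echo "FAIL minlen=${minlen:-unset} (want >= 12)"; rc=1; fi
  if [ "${minclass:-0}" -ge 3 ]; then echo "PASS minclass=$minclass"; else echo "FAIL minclass=${minclass:-unset} (want >= 3)"; rc=1; fi
  return $rc
}

check_sudo_timeout() {
  t=$(sudo_timestamp_timeout "$1")
  # unset means sudo's built-in default (15 minutes); -1 means the ticket never expires
  if [ -n "$t" ] && [ "$t" -ge 0 ] && [ "$t" -le 5 ]; then echo "PASS timestamp_timeout=$t"; return 0; fi
  echo "FAIL timestamp_timeout=${t:-unset} (want 0..5)"; return 1
}

# Run every check; always exits 0 and prints the failure count on the last line.
audit_files() {
  fails=0
  check_permit_root_login "$1" || fails=$((fails + 1))
  check_pwquality "$2" || fails=$((fails + 1))
  check_sudo_timeout "$3" || fails=$((fails + 1))
  echo "failed checks: $fails"
}

# Constructed fixtures: "hardened" matches the post's settings, "weak" does not.
write_sample_configs() {
  dir=$1
  if [ "$2" = hardened ]; then
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' > "$dir/sshd_config"
    printf '%s\n' '# constructed sample' 'minlen = 12' 'minclass = 3' > "$dir/pwquality.conf"
    printf '%s\n' 'Defaults env_reset' 'Defaults timestamp_timeout=5,use_pty' 'root ALL=(ALL:ALL) ALL' > "$dir/sudoers"
  else
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$dir/sshd_config"
    printf '%s\n' 'minlen = 8' > "$dir/pwquality.conf"
    printf '%s\n' 'Defaults timestamp_timeout=-1' > "$dir/sudoers"
  fi
}

# Demo run against the weak fixture.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir" weak
audit_files "$demo_dir/sshd_config" "$demo_dir/pwquality.conf" "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

On a live host, `sudo sshd -T | grep -i permitrootlogin` is the authoritative source for the effective SSH value, because it resolves Include directives and Match blocks that a file parser like the one above ignores.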
    
C. Harden Network Security
  • Disable unused network services:

    sudo systemctl disable avahi-daemon
    sudo systemctl disable cups
    
  • Enforce firewall rules:

    sudo ufw allow 22
    sudo ufw allow 80
    sudo ufw allow 443
    sudo ufw enable
    
  • Restrict incoming connections with iptables:

    sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 22 -j DROP
    
D. Enable Automatic Security Updates

For Debian/Ubuntu:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

For CentOS/RHEL:

sudo yum install yum-cron
sudo systemctl enable --now yum-cron
E. Secure File Permissions and Enable Logging
  • Restrict access to system logs:

    # Regular files only: a recursive chmod 640 on the directories would strip
    # their execute (search) bit and make the tree untraversable, and a
    # recursive chown would reassign logs that belong to other services
    sudo find /var/log -type f -exec chmod g-wx,o-rwx {} +
    sudo find /var/log -type f -user root -exec chown root:adm {} +
    
  • Enable audit logging:

    sudo apt install auditd -y
    sudo systemctl enable auditd
    
    • Watch changes to sensitive files (this rule records writes and attribute changes to /etc/passwd):

      # runtime rule only; add the same line to a file under /etc/audit/rules.d/ to survive a reboot
      sudo auditctl -w /etc/passwd -p wa -k passwd_changes
      
    • Review audit logs:

      sudo ausearch -k passwd_changes --start today
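
The permission step in E is easy to get wrong: a recursive chmod 640 over /var/log also removes the execute (search) bit from the directories, so the tree becomes untraversable for anyone but root. The following is an added example written for this post (not the post's own commands and not a CIS script): it builds a throwaway log tree with mixed modes, lists the files that fail the check, applies the file-only fix, and shows what the recursive variant does to a directory. The sample tree is constructed; GNU find and stat are assumed (Linux).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: find and fix log-file permissions
# the way the CIS check is phrased (regular files only) and show why a
# recursive chmod 640 on the directory tree is the wrong tool.
# Uses GNU find (-perm /mode) and GNU stat (-c), i.e. Linux.

# Print "mode path" for each regular file under $1 that is group-writable or
# group-executable, or accessible to others at all.
log_perm_findings() {
  find "$1" -type f \( -perm /g+wx -o -perm /o+rwx \) -exec stat -c '%a %n' {} +
}

# Number of offending files (0 when the tree is compliant).
count_log_findings() {
  log_perm_findings "$1" | wc -l | tr -d ' '
}

# Remediate files only; directories are untouched so they stay traversable.
# 644 -> 640, 664 -> 640, 666 -> 640; an already tight 600 stays 600.
fix_log_perms() {
  find "$1" -type f -exec chmod g-wx,o-rwx {} +
}

# The caveat, made visible: after "chmod -R 640" the directory itself has no
# search bit, so non-root users cannot open anything below it. Prints the
# directory's resulting mode. Only run this on a throwaway copy.
dir_mode_after_recursive_640() {
  chmod -R 640 "$1"
  stat -c '%a' "$1"
}

# Constructed sample tree mimicking a log directory with mixed modes.
make_sample_logs() {
  mkdir -p "$1/apt"
  : > "$1/auth.log";        chmod 640 "$1/auth.log"         # compliant already
  : > "$1/syslog";          chmod 644 "$1/syslog"           # world-readable
  : > "$1/debug.log";       chmod 666 "$1/debug.log"        # world-writable
  : > "$1/apt/history.log"; chmod 664 "$1/apt/history.log"  # group-writable
}

# Demo: list findings, fix, list again.
demo=$(mktemp -d)
make_sample_logs "$demo"
echo "before: $(count_log_findings "$demo") finding(s)"
log_perm_findings "$demo"
fix_log_perms "$demo"
echo "after:  $(count_log_findings "$demo") finding(s)"
rm -rf "$demo"
```

The chown in the post is restricted above to files already owned by root for the same reason: logs written by other accounts (a database, a mail daemon, systemd-journal) must keep their owner or the service loses the ability to append to them.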
      
4. Schedule Regular Security Audits

To keep your system secure over time, automate periodic scans:

  1. Run Lynis every Sunday at 3 AM:

    sudo crontab -e
    

    Add:

    0 3 * * 0 lynis audit system --quiet >> /var/log/lynis_cron.log
    
  2. Send audit reports to administrators:

    mail -s "Weekly Linux Security Audit" admin@example.com < /var/log/lynis_cron.log
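
Piping the raw cron log to mail every week, as in step 2, sends a lot of noise. This added example (written for this post, not Lynis's own tooling) reads the machine-readable /var/log/lynis-report.dat mentioned in Option 2 above, counts warnings and suggestions, extracts the hardening index, and only alerts when there is something to act on. The report contents are constructed for the example, and the 70 threshold, the wrapper path and the mail recipient are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: turn the weekly Lynis run into a
# summary that is only mailed when something needs attention.
# lynis-report.dat is a key=value file; findings are lines of the form
#   warning[]=TEST-ID|text|details|-   and   suggestion[]=TEST-ID|text|details|-
# and hardening_index is Lynis's 0-100 score. The sample report below is
# constructed; the 70 threshold and the recipient address are assumptions.

# Number of warning or suggestion entries ($2 = warning | suggestion).
count_findings() {
  grep -c "^$2\[\]=" "$1" || true
}

# Lynis hardening index (empty if the report has none).
hardening_index() {
  awk -F= '$1 == "hardening_index" { print $2 }' "$1"
}

# One line per finding: KIND TEST-ID description
list_findings() {
  awk '
    /^(warning|suggestion)\[\]=/ {
      kind = ($0 ~ /^warning/) ? "WARNING" : "SUGGESTION"
      val = substr($0, index($0, "=") + 1)
      split(val, f, "|")
      printf "%-10s %-9s %s\n", kind, f[1], f[2]
    }' "$1"
}

# Returns 0 (alert) when there is at least one warning or the hardening index
# is below $2 (default 70), otherwise 1.
needs_attention() {
  w=$(count_findings "$1" warning)
  h=$(hardening_index "$1")
  [ "$w" -gt 0 ] || [ "${h:-0}" -lt "${2:-70}" ]
}

summary() {
  echo "Hardening index: $(hardening_index "$1")"
  echo "Warnings: $(count_findings "$1" warning)  Suggestions: $(count_findings "$1" suggestion)"
  list_findings "$1"
}

# Cron entry point (not exercised by the demo). --cronjob makes Lynis
# non-interactive. Suggested crontab line (wrapper path assumed):
#   0 3 * * 0 /usr/local/sbin/weekly_lynis.sh
weekly_audit() {
  report=/var/log/lynis-report.dat
  lynis audit system --cronjob --quiet > /dev/null
  if needs_attention "$report"; then
    summary "$report" | mail -s "Weekly Linux Security Audit: action needed" admin@example.com
  fi
}

# Constructed sample reports: $2 = findings | clean
write_sample_report() {
  if [ "$2" = clean ]; then
    printf '%s\n' 'lynis_version=3.0.9' 'hardening_index=85' > "$1"
    return 0
  fi
  printf '%s\n' \
    'lynis_version=3.0.9' \
    'hardening_index=62' \
    'warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (YES --> NO)|-' \
    'warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-' \
    'suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-' \
    'suggestion[]=ACCT-9628|Enable auditd to collect audit information|-|-' \
    'suggestion[]=PKGS-7392|Install a package to enable automatic updates|-|-' \
    > "$1"
}

# Demo against the constructed report.
demo=$(mktemp)
write_sample_report "$demo" findings
summary "$demo"
if needs_attention "$demo"; then echo "-> would mail the summary"; fi
rm -f "$demo"
```

The human-readable counterpart of the .dat file is /var/log/lynis.log; keep both, since the report file is what scripts should parse and the log is what you read when a finding needs context.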
    

Best Practices for CIS Benchmark Implementation

✅ Use CIS-CAT or Lynis to automate security checks and compliance reports.
✅ Disable unnecessary services and restrict network access.
✅ Enforce strong authentication, least privilege, and secure file permissions.
✅ Automate security updates to patch vulnerabilities.
✅ Perform regular security audits and log monitoring.

By implementing CIS Benchmarks, you harden your Linux server against attacks, reduce misconfigurations, and ensure compliance with security standards.
