decalage2 / Awesome Security Hardening
A collection of awesome security hardening guides, tools and other resources
Stars: ✭ 630
Labels
Projects that are alternatives of or similar to Awesome Security Hardening
Slack Watchman
Monitoring your Slack workspaces for sensitive information
Stars: ✭ 159 (-74.76%)
Mutual labels: infosec, cybersecurity, blueteam
Smogcloud
Find cloud assets that no one wants exposed 🔎 ☁️
Stars: ✭ 168 (-73.33%)
Mutual labels: security-tools, infosec, blueteam
Checkmyhttps
We propose a user-friendly add-on that allows you to check if your encrypted web traffic (SSL/TLS) towards secured Internet servers (HTTPS) is not intercepted (being listened to).
Stars: ✭ 35 (-94.44%)
Mutual labels: security-tools, infosec, cybersecurity
Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Stars: ✭ 6,882 (+992.38%)
Mutual labels: infosec, cybersecurity, security-tools
Blue-Team-Notes
You didn't think I'd go and leave the blue team out, right?
Stars: ✭ 899 (+42.7%)
Mutual labels: cybersecurity, infosec, blueteam
Gitlab Watchman
Monitoring GitLab for sensitive data shared publicly
Stars: ✭ 127 (-79.84%)
Mutual labels: infosec, cybersecurity, blueteam
Content
Security automation content in SCAP, OSCAL, Bash, Ansible, and other formats
Stars: ✭ 1,219 (+93.49%)
Mutual labels: security-tools, cybersecurity, security-hardening
Defaultcreds Cheat Sheet
One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
Stars: ✭ 1,949 (+209.37%)
Mutual labels: infosec, cybersecurity, blueteam
NIST-to-Tech
An open-source listing of cybersecurity technology mapped to the NIST Cybersecurity Framework (CSF)
Stars: ✭ 61 (-90.32%)
Mutual labels: cybersecurity, infosec, blueteam
github-watchman
Monitoring GitHub for sensitive data shared publicly
Stars: ✭ 60 (-90.48%)
Mutual labels: cybersecurity, infosec, blueteam
Vuls
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
Stars: ✭ 8,844 (+1303.81%)
Mutual labels: security-tools, cybersecurity, security-hardening
ad-privileged-audit
Provides various Windows Server Active Directory (AD) security-focused reports.
Stars: ✭ 42 (-93.33%)
Mutual labels: cybersecurity, security-hardening, blueteam
Oblivion
Data leak checker & OSINT Tool
Stars: ✭ 237 (-62.38%)
Mutual labels: security-tools, cybersecurity, blueteam
MurMurHash
This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.
Stars: ✭ 79 (-87.46%)
Mutual labels: cybersecurity, infosec, blueteam
pyc2bytecode
A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)
Stars: ✭ 70 (-88.89%)
Mutual labels: cybersecurity, infosec, blueteam
Prowler
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, ISO27001, GDPR, HIPAA, SOC2, ENS and other security frameworks.
Stars: ✭ 4,561 (+623.97%)
Mutual labels: security-tools, security-hardening
Xxe Injection Payload List
🎯 XML External Entity (XXE) Injection Payload List
Stars: ✭ 304 (-51.75%)
Mutual labels: infosec, cybersecurity
Bxss
bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
Stars: ✭ 331 (-47.46%)
Mutual labels: infosec, blueteam
Infosec reference
An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.
Stars: ✭ 4,162 (+560.63%)
Mutual labels: infosec, blueteam
H2csmuggler
HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Stars: ✭ 292 (-53.65%)
Mutual labels: security-tools, infosec
awesome-security-hardening
A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact
Table of Contents
- Security Hardening Guides and Best Practices
- Tools
- Books
- Other Awesome Lists
Security Hardening Guides and Best Practices
Hardening Guide Collections
- CIS Benchmarks (registration required)
- ANSSI Best Practices
- NSA Security Configuration Guidance
- NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
- US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
- OpenSCAP Security Policies
- Australian Cyber Security Center Publications
- FIRST Best Practice Guide Library (BPGL)
- Harden the World - a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).
GNU/Linux
- ANSSI - Configuration recommendations of a GNU/Linux system
- CIS Benchmark for Distribution Independent Linux
- trimstray - The Practical Linux Hardening Guide - practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
- trimstray - Linux Hardening Checklist - most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
- How To Secure A Linux Server - for a single Linux server at home
- nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
- nixCraft - Tips To Protect Linux Servers Physical Console Access
- TecMint - 4 Ways to Disable Root Account in Linux
- ERNW - IPv6 Hardening Guide for Linux Servers
- trimstray - Iptables Essentials: Common Firewall Rules and Commands
- Neo23x0/auditd - Best Practice Auditd Configuration
Red Hat Enterprise Linux - RHEL
- Red Hat - A Guide to Securing Red Hat Enterprise Linux 7
- DISA STIGs - Red Hat Enterprise Linux 7 (2019)
- CIS Benchmark for Red Hat Linux
- nixCraft - How to set up a firewall using FirewallD on RHEL 8
CentOS
SUSE
- SUSE Linux Enterprise Server 12 SP4 Security Guide
- SUSE Linux Enterprise Server 12 Security and Hardening Guide
Ubuntu
Windows
- Microsoft - Windows security baselines
- Microsoft - Windows Server Security | Assurance
- Microsoft - Windows 10 Enterprise Security
- ACSC - Hardening Microsoft Windows 10, version 1709, Workstations
- ACSC - Securing PowerShell in the Enterprise
- Awesome Windows Domain Hardening
- Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
- Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
- ERNW - IPv6 Hardening Guide for Windows Servers
- NSA - AppLocker Guidance - Configuration guidance for implementing application whitelisting with AppLocker
- NSA - Pass the Hash Guidance - Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
- NSA - BitLocker Guidance - Configuration guidance for implementing disk encryption with BitLocker
- NSA - Event Forwarding Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
- Windows Defense in Depth Strategies - work in progress
- Endpoint Isolation with the Windows Firewall based on Jessica Payne’s ‘Demystifying the Windows Firewall’ talk from Ignite 2016
See also Active Directory and ADFS below.
macOS
Network Devices
- NSA - Harden Network Devices - very short but good summary
Switches
Routers
IPv6
- ERNW - Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
- see also IPv6 links under GNU/Linux, Windows and macOS
Firewalls
- NIST SP 800-41 Rev 1 - Guidelines on Firewalls and Firewall Policy (2009)
- trimstray - Iptables Essentials: Common Firewall Rules and Commands
Virtualization - VMware
- VMware Security Hardening Guides - covers most VMware products and versions
- CIS VMware ESXi 6.5 Benchmark (2018)
- DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
- ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
- NIST SP 800-125 - Guide to Security for Full Virtualization Technologies - (2011)
- NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms (2018)
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (2016)
- ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
Containers - Docker
- How To Harden Your Docker Containers
- CIS Docker Benchmarks - registration required
- NIST SP 800-190 - Application Container Security Guide
- A Practical Introduction to Container Security
Services
SSH
- NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
- ANSSI - (Open)SSH secure use recommendations
- Linux Audit - OpenSSH security and hardening
- Positron Security SSH Hardening Guides (2017-2018) - focused on crypto algorithms
- stribika - Secure Secure Shell (2015) - some algorithm recommendations might be slightly outdated
- Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
- IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 - update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
- Gravitational - How to SSH Properly - how to configure SSH to use certificates and two-factor authentication
TLS/SSL
- NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
- Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2019
- ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
- Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
- RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
- Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
Web Servers
Apache HTTP Server
- Apache HTTP Server documentation - Security Tips
- GeekFlare - Apache Web Server Hardening and Security Guide
- Apache Config - Apache Security Hardening Guide
Apache Tomcat
- Apache Tomcat 9 Security Considerations / v8 / v7
- OWASP Securing tomcat
- How to get Tomcat 9 to work with authbind to bind to port 80
Eclipse Jetty
Microsoft IIS
Mail Servers
FTP Servers
Database Servers
Active Directory
- Microsoft - Best Practices for Securing Active Directory
- ANSSI CERT-FR - Active Directory Security Assessment Checklist - 2020 (English and French versions)
- "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
- "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory
ADFS
- adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)
- Microsoft - Best practices for securing Active Directory Federation Services
Kerberos
LDAP
- OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations
- Best Practices in LDAP Security (2011)
- LDAP: Hardening Server Security (so administrators can sleep at night)
- LDAP Authentication Best Practices - retrieved from web.archive.org
- Hardening OpenLDAP on Linux with AppArmor and systemd - slides
- zytrax LDAP for Rocket Scientists - LDAP Security
- How To Encrypt OpenLDAP Connections Using STARTTLS
DNS
- CIS - BIND DNS Server 9.9 Benchmark (2017)
- DISA STIGs - BIND 9.x (2019)
- NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide (2013)
- CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
- NSA BIND 9 DNS Security (2011)
NTP
- IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp (last draft #13 in March 2019)
- CMU SEI - Best Practices for NTP Services
- Linux.com - Arrive On Time With NTP -- Part 2: Security Options
- Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup
NFS
- Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
- Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 - Securing NFS
- Red Hat - RHEL7 Storage Administration Guide - Securing NFS
- NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
- CertDepot - RHEL7: Use Kerberos to control access to NFS network shares
CUPS
Authentication - Passwords
Hardware - CPU - BIOS - UEFI
- ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
- NSA - Hardware and Firmware Security Guidance - Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance.
- NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
- NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)
Cloud
- NSA Info Sheet: Cloud Security Basics (August 2018)
- DISA DoD Cloud Computing Security
- asecure.cloud - Build a Secure Cloud - A free repository of customizable AWS security configurations and best practices
Tools
Tools to check security hardening
- Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.
GNU/Linux
- Lynis - script to check the configuration of Linux hosts
- OpenSCAP Base - oscap command line tool
- SCAP Workbench - GUI for oscap
- Tiger - The Unix security audit and intrusion detection tool (might be outdated)
- otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
- SUDO_KILLER - A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo
- CIS Benchmarks Audit - bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)
Windows
- Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
- Microsoft DSC Environment Analyzer (DSCEA) - simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
- HardeningAuditor - Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
- PingCastle - Tool to check the security of Active Directory
Network Devices
- Nipper-ng - to check the configuration of network devices (does not seem to be updated)
TLS/SSL
- Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients
- SSL Decoder - checks the SSL/TLS configuration of a server
SSH
- ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
Hardware - CPU - BIOS - UEFI
- CHIPSEC: Platform Security Assessment Framework - framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components
- chipsec-check - Tools to generate a Debian Linux distribution with chipsec to test hardware requirements
Docker
- Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.
Cloud
- toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Tools to apply security hardening
- DevSec Hardening Framework - a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet
GNU/Linux
- Linux Server Hardener - for Debian/Ubuntu (2019)
- Bastille Linux - outdated
Windows
- Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
- Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
- Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
- Disassembler0 Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
- Automated-AD-Setup - A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
- mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10
TLS/SSL
Cloud
- toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Password Generators
- How-To Geek - 10 Ways to Generate a Random Password from the Linux Command Line
- Vitux - 8 Ways to Generate a Random Password on Linux Shell
- SS64 - Password security and a comparison of Password Generators
Books
Other Awesome Lists
- Awesome Cybersecurity Blue Team - A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
Other Awesome Security Lists
(borrowed from Awesome Security)
- Awesome Security - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
- Android Security Awesome - A collection of android security related resources.
- Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
- Awesome Cyber Skills - A curated list of hacking environments where you can train your cyber skills legally and safely.
- Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
- Awesome Honeypots - An awesome list of honeypot resources.
- Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
- Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
- Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things.
- Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
- Awesome Incident Response - A curated list of resources for incident response.
- Awesome Web Hacking - This list is for anyone wishing to learn about web application security but do not have a starting point.
- Awesome Threat Intelligence - A curated list of threat intelligence resources.
- Awesome Pentest Cheat Sheets - Collection of the cheat sheets useful for pentesting
- Awesome Industrial Control System Security - A curated list of resources related to Industrial Control System (ICS) security.
- Awesome YARA - A curated list of awesome YARA rules, tools, and people.
- Awesome Threat Detection and Hunting - A curated list of awesome threat detection and hunting resources.
- Awesome Container Security - A curated list of awesome resources related to container building and runtime security
- Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].