awesome-security-hardening
Security hardening guides
A collection of security hardening guides, tools, and resources for various operating systems and applications.
last commit: about 2 months ago
Security Hardening Guides and Best Practices / Hardening Guide Collections | |||
CIS Benchmarks | (registration required) | ||
ANSSI Best Practices | |||
NSA Cybersecurity Advisories & Guidance | |||
NSA Cybersecurity Resources for Cybersecurity Professionals | and | ||
US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs) | |||
OpenSCAP Security Policies | |||
Australian Cyber Security Center Publications | |||
FIRST Best Practice Guide Library (BPGL) | |||
Harden the World | a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now) | ||
Security Hardening Guides and Best Practices / GNU/Linux | |||
ANSSI - Configuration recommendations of a GNU/Linux system | |||
CIS Benchmark for Distribution Independent Linux | |||
trimstray - The Practical Linux Hardening Guide | 9,947 | over 4 years ago | practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7 |
trimstray - Linux Hardening Checklist | 1,498 | almost 5 years ago | most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide) |
How To Secure A Linux Server | 17,554 | about 1 month ago | for a single Linux server at home |
nixCraft - 40 Linux Server Hardening Security Tips (2019 edition) | |||
nixCraft - Tips To Protect Linux Servers Physical Console Access | |||
TecMint - 4 Ways to Disable Root Account in Linux | |||
ERNW - IPv6 Hardening Guide for Linux Servers | |||
trimstray - Iptables Essentials: Common Firewall Rules and Commands | 1,483 | over 4 years ago | |
Neo23x0/auditd | 1,499 | about 1 month ago | Best Practice Auditd Configuration |
CIRCL TR-83 - Linux Boot Hardening HOWTO | How to secure the boot sequence of your Linux based distribution (2024) | ||
Security Hardening Guides and Best Practices / GNU/Linux / Red Hat Enterprise Linux - RHEL | |||
Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 | |||
DISA STIGs - Red Hat Enterprise Linux 7 | (2019) | ||
CIS Benchmark for Red Hat Linux | |||
nixCraft - How to set up a firewall using FirewallD on RHEL 8 | |||
Security Hardening Guides and Best Practices / GNU/Linux / CentOS | |||
Lisenet - CentOS 7 Server Hardening Guide | (2017) | ||
HighOn.Coffee - Security Harden CentOS 7 | (2015) | ||
Security Hardening Guides and Best Practices / GNU/Linux / SUSE | |||
SUSE Linux Enterprise Server 12 SP4 Security Guide | |||
SUSE Linux Enterprise Server 12 Security and Hardening Guide | |||
Security Hardening Guides and Best Practices / GNU/Linux / Ubuntu | |||
Ubuntu documentation - Security | |||
Ubuntu wiki - Security Hardening Features | |||
Security Hardening Guides and Best Practices / Windows | |||
Microsoft - Windows security baselines | |||
Microsoft - Windows Server Security | Assurance | |||
Microsoft - Windows 10 Enterprise Security | |||
BSI/ERNW - Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities | (2021) - focused on Windows 10 LTSC 2019 | ||
ACSC - Hardening Microsoft Windows 10, version 21H1, Workstations | |||
ACSC - Securing PowerShell in the Enterprise | |||
Awesome Windows Domain Hardening | 1,749 | almost 5 years ago | |
Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server | |||
Microsoft recommended block rules | List of applications or files that can be used by an attacker to circumvent application whitelisting policies | ||
ERNW - IPv6 Hardening Guide for Windows Servers | |||
NSA - AppLocker Guidance | 209 | almost 5 years ago | Configuration guidance for implementing application whitelisting with AppLocker |
NSA - Pass the Hash Guidance | 198 | almost 8 years ago | Configuration guidance for implementing Pass-the-Hash mitigations (Archived) |
NSA - BitLocker Guidance | 120 | over 5 years ago | Configuration guidance for implementing disk encryption with BitLocker |
NSA - Event Forwarding Guidance | 852 | about 4 years ago | Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding |
Windows Defense in Depth Strategies | work in progress | ||
Endpoint Isolation with the Windows Firewall | based on Jessica Payne’s talk from Ignite 2016 | ||
ZeroSec - Paving The Way to DA | red teaming techniques and how to prevent them | ||
Security Hardening Guides and Best Practices / macOS | |||
ERNW - IPv6 Hardening Guide for OS-X | |||
Security Hardening Guides and Best Practices / Network Devices | |||
NSA - Harden Network Devices | (PDF) - very short but good summary | ||
Security Hardening Guides and Best Practices / Network Devices / Switches | |||
DISA - Layer 2 Switch SRG v2r1 | |||
Security Hardening Guides and Best Practices / Network Devices / Routers | |||
NSA - A Guide to Border Gateway Protocol (BGP) Best Practices | |||
Security Hardening Guides and Best Practices / Network Devices / IPv6 | |||
NSA - IPv6 Security Guidance | (Jan 2023) | ||
Part 1 | ERNW - Developing an Enterprise IPv6 Security Strategy , , , - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks | ||
Security Hardening Guides and Best Practices / Network Devices / Firewalls | |||
NIST SP 800-41 Rev 1 - Guidelines on Firewalls and Firewall Policy | (2009) | ||
trimstray - Iptables Essentials: Common Firewall Rules and Commands | 1,483 | over 4 years ago | |
Security Hardening Guides and Best Practices / Virtualization - VMware | |||
VMware Security Hardening Guides | covers most VMware products and versions | ||
CIS VMware ESXi 6.5 Benchmark | (2018) | ||
DISA STIGs - Virtualisation | VMware vSphere 6.0 and 5 | ||
ENISA - Security aspects of virtualization | generic, high-level best practices for virtualization and containers (Feb 2017) | ||
NIST SP 800-125 - Guide to Security for Full Virtualization Technologies | (2011) | ||
NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms | (2018) | ||
NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection | (2016) | ||
ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi | for VMware 5.5 (2016), in French | ||
ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information | (2013), in French | ||
VMware - Protecting vSphere From Specialized Malware | (2022) - see also | ||
Security Hardening Guides and Best Practices / Containers - Docker - Kubernetes | |||
How To Harden Your Docker Containers | |||
CIS Docker Benchmarks | registration required | ||
NIST SP 800-190 - Application Container Security Guide | |||
A Practical Introduction to Container Security | |||
ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker | (2020), in French | ||
Kubernetes Security Checklist | |||
Kubernetes Role Based Access Control Good Practices | |||
Kubernetes Multi-tenancy | |||
Kubernetes blog - A Closer Look at NSA/CISA Kubernetes Hardening Guidance | |||
ReynardSec - Docker Security – Step-by-Step Hardening (Docker Hardening) | (2023) | ||
Security Hardening Guides and Best Practices / Services / SSH | |||
NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH) | |||
ANSSI - (Open)SSH secure use recommendations | |||
Linux Audit - OpenSSH security and hardening | |||
Positron Security SSH Hardening Guides | (2017-2018) - focused on crypto algorithms | ||
stribika - Secure Secure Shell | (2015) - some algorithm recommendations might be slightly outdated | ||
Applied Crypto Hardening: bettercrypto.org | handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools) | ||
IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 | update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250 | ||
Gravitational - How to SSH Properly | how to configure SSH to use certificates and two-factor authentication | ||
Security Hardening Guides and Best Practices / Services / TLS/SSL | |||
NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations | 2018, recommends TLS 1.3 | ||
Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) | 2021 | ||
ANSSI - Security Recommendations for TLS | 2017, does not cover TLS 1.3 | ||
Qualys SSL Labs - SSL and TLS Deployment Best Practices | 2,167 | over 1 year ago | 2017, does not cover TLS 1.3 |
RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List | |||
Applied Crypto Hardening: bettercrypto.org | handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools) | ||
Security Hardening Guides and Best Practices / Services / Web Servers | |||
Cipherlist.eu - Strong Ciphers for Apache, nginx and Lighttpd | |||
Apache HTTP Server documentation - Security Tips | |||
GeekFlare - Apache Web Server Hardening and Security Guide | |||
Apache Config - Apache Security Hardening Guide | |||
Apache Tomcat 9 Security Considerations | / / | ||
OWASP Securing tomcat | |||
How to get Tomcat 9 to work with authbind to bind to port 80 | |||
Eclipse Jetty - Configuring Security | |||
Jetty hardening | (2015) | ||
CIS Microsoft IIS Benchmarks | |||
Security Hardening Guides and Best Practices / Services / Mail Servers | |||
MDaemon - 15 Best Practices for Protecting Your Email | Generic recommendations but based on MDaemon Security Gateway for Email Servers | ||
Security Hardening Guides and Best Practices / Services / FTP Servers | |||
JSCAPE - Guide for securing FTP | Generic recommendations but based on JSCAPE MFT Server | ||
Security Hardening Guides and Best Practices / Services / Database Servers | |||
Netwrix - MS SQL Server Hardening Best Practices | |||
Security Hardening Guides and Best Practices / Services / Active Directory | |||
Microsoft - Best Practices for Securing Active Directory | |||
ANSSI CERT-FR - Active Directory Security Assessment Checklist | - 2022 (English and French versions) | ||
"Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD | |||
"Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory | |||
ASD - Detecting and mitigating Active Directory compromises | 2024 | ||
Security Hardening Guides and Best Practices / Services / ADFS | |||
adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS) | |||
Microsoft - Best practices for securing Active Directory Federation Services | |||
Security Hardening Guides and Best Practices / Services / Kerberos | |||
CIS MIT Kerberos 1.10 Benchmark | 2012 | ||
Security Hardening Guides and Best Practices / Services / LDAP | |||
OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations | |||
Best Practices in LDAP Security | (2011) | ||
LDAP: Hardening Server Security (so administrators can sleep at night) | |||
LDAP Authentication Best Practices | retrieved from web.archive.org | ||
Hardening OpenLDAP on Linux with AppArmor and systemd | slides | ||
zytrax LDAP for Rocket Scientists - LDAP Security | |||
How To Encrypt OpenLDAP Connections Using STARTTLS | |||
Security Hardening Guides and Best Practices / Services / DNS | |||
CIS - BIND DNS Server 9.9 Benchmark | (2017) | ||
DISA STIGs - BIND 9.x | (2019) | ||
NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide | (2013) | ||
CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure | |||
NSA BIND 9 DNS Security | (2011) | ||
Security Hardening Guides and Best Practices / Services / NTP | |||
IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp | (last draft #13 in March 2019) | ||
CMU SEI - Best Practices for NTP Services | |||
Linux.com - Arrive On Time With NTP -- Part 2: Security Options | |||
Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup | |||
Security Hardening Guides and Best Practices / Services / NFS | |||
Linux NFS-HOWTO - Security and NFS | a good overview of NFS security issues and some mitigations | ||
Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 - Securing NFS | |||
Red Hat - RHEL7 Storage Administration Guide - Securing NFS | |||
NFSv4 without Kerberos and permissions | why NFSv4 without Kerberos does not provide security | ||
CertDepot - RHEL7: Use Kerberos to control access to NFS network shares | |||
Security Hardening Guides and Best Practices / Services / CUPS | |||
CUPS Server Security | |||
Security Hardening Guides and Best Practices / Authentication - Passwords | |||
UK NCSC - Password administration for system owners | |||
NIST SP 800-63 Digital Identity Guidelines | |||
OWASP Password Storage Cheat Sheet | |||
ANSSI - Recommendations on multi-factor authentication and passwords | (2021, French) | ||
Security Hardening Guides and Best Practices / Hardware - CPU - BIOS - UEFI | |||
ANSSI - Hardware security requirements for x86 platforms | recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019) | ||
NSA - Hardware and Firmware Security Guidance | 774 | over 1 year ago | Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance |
NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018) | |||
NSA Tech Report: UEFI Defensive Practices Guidance (July 2017) | |||
Security Hardening Guides and Best Practices / Cloud | |||
NSA Info Sheet: Cloud Security Basics (August 2018) | |||
DISA DoD Cloud Computing Security | |||
asecure.cloud - Build a Secure Cloud | A free repository of customizable AWS security configurations and best practices | ||
Tools / Tools to check security hardening | |||
Chef InSpec | open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. Can run on Windows and many Linux distributions | ||
Tools / Tools to check security hardening / GNU/Linux | |||
Lynis | script to check the configuration of Linux hosts | ||
OpenSCAP Base | oscap command line tool | ||
SCAP Workbench | GUI for oscap | ||
Tiger - The Unix security audit and intrusion detection tool | (might be outdated) | ||
otseca | 486 | over 4 years ago | Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats |
SUDO_KILLER | 2,240 | 5 months ago | A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo |
CIS Benchmarks Audit | 248 | 7 months ago | bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now) |
Tools / Tools to check security hardening / Windows | |||
Microsoft Security Compliance Toolkit 1.0 | set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products | ||
Microsoft DSC Environment Analyzer (DSCEA) | simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration | ||
HardeningAuditor | 159 | almost 5 years ago | Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides |
PingCastle | Tool to check the security of Active Directory | ||
MDE-AuditCheck | 97 | over 2 years ago | Tool to check that Windows audit settings are properly configured in the GPO for Microsoft Defender for Endpoint |
Tools / Tools to check security hardening / Network Devices | |||
Nipper-ng | 66 | over 2 years ago | to check the configuration of network devices (does not seem to be updated) |
Tools / Tools to check security hardening / TLS/SSL | |||
Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients | 2,167 | over 1 year ago | |
CryptoLyzer | 26 | 5 months ago | Fast, flexible and comprehensive server cryptographic protocol (TLS, SSL, SSH, DNSSEC) and related setting (HTTP headers, DNS records) analyzer and fingerprint (JA3, HASSH tag) generator with Python API and CLI |
SSLyze | 3,267 | 3 months ago | Fast and powerful SSL/TLS scanning library |
testssl.sh | 7,987 | 25 days ago | Testing TLS/SSL encryption anywhere on any port |
Tools / Tools to check security hardening / SSH | |||
CryptoLyzer | 26 | 5 months ago | Fast, flexible and comprehensive server cryptographic protocol (TLS, SSL, SSH, DNSSEC) and related setting (HTTP headers, DNS records) analyzer and fingerprint (JA3, HASSH tag) generator with Python API and CLI |
ssh-audit | 2,960 | 5 months ago | SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) |
Tools / Tools to check security hardening / Hardware - CPU - BIOS - UEFI | |||
CHIPSEC: Platform Security Assessment Framework | 2,941 | 8 days ago | framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components |
chipsec-check | 46 | about 3 years ago | Tools to generate a Debian Linux distribution with chipsec to test hardware requirements |
Tools / Tools to check security hardening / Docker | |||
Docker Bench for Security | 9,146 | about 1 month ago | script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0 |
Tools / Tools to check security hardening / Cloud | |||
toniblyx/my-arsenal-of-aws-security-tools | 8,983 | 26 days ago | List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc |
Tools / Tools to apply security hardening | |||
DevSec Hardening Framework | a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet | ||
Tools / Tools to apply security hardening / GNU/Linux | |||
Linux Server Hardener | 93 | 3 months ago | for Debian/Ubuntu (2019) |
Bastille Linux | outdated | ||
Tools / Tools to apply security hardening / Windows | |||
Microsoft Security Compliance Toolkit 1.0 | set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products | ||
Hardentools | 2,931 | 8 months ago | for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability |
Windows 10 Hardening | 172 | almost 4 years ago | A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible |
Disassembler0 Windows 10 Initial Setup Script | 4,696 | over 3 years ago | PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019 |
Automated-AD-Setup | 198 | over 3 years ago | A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening |
mackwage/windows_hardening.cmd | Script to perform some hardening of Windows 10 | ||
Windows 10/11 Hardening Script by ZephrFish | 114 | 9 months ago | PowerShell script to harden Windows 10/11 |
Tools / Tools to apply security hardening / TLS/SSL | |||
Mozilla SSL Configuration Generator | |||
Tools / Tools to apply security hardening / Cloud | |||
toniblyx/my-arsenal-of-aws-security-tools | 8,983 | 26 days ago | List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc |
Tools / Password Generators | |||
How-To Geek - 10 Ways to Generate a Random Password from the Linux Command Line | |||
Vitux - 8 Ways to Generate a Random Password on Linux Shell | |||
SS64 - Password security and a comparison of Password Generators | |||
Other Awesome Lists | |||
Awesome Cybersecurity Blue Team | 4,393 | 4 months ago | A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams |
Other Awesome Lists / Other Awesome Security Lists | |||
Awesome Security | 12,479 | 4 months ago | A collection of awesome software, libraries, documents, books, resources and cool stuff about security |
Android Security Awesome | 8,213 | 3 months ago | A collection of android security related resources |
Awesome CTF | 9,873 | 4 months ago | A curated list of CTF frameworks, libraries, resources and software |
Awesome Cyber Skills | 3,672 | 5 months ago | A curated list of hacking environments where you can train your cyber skills legally and safely |
Awesome Hacking | 13,198 | 6 months ago | A curated list of awesome Hacking tutorials, tools and resources |
Awesome Honeypots | 8,661 | 3 months ago | An awesome list of honeypot resources |
Awesome Malware Analysis | 11,989 | 6 months ago | A curated list of awesome malware analysis tools and resources |
Awesome PCAP Tools | 3,135 | 7 months ago | A collection of tools developed by other researchers in the Computer Science area to process network traces |
Awesome Pentest | 21,934 | 29 days ago | A collection of awesome penetration testing resources, tools and other shiny things |
Awesome Linux Containers | 1,811 | 8 months ago | A curated list of awesome Linux Containers frameworks, libraries and software |
Awesome Incident Response | 7,682 | 4 months ago | A curated list of resources for incident response |
Awesome Web Hacking | 5,875 | 2 days ago | This list is for anyone who wishes to learn about web application security but does not have a starting point |
Awesome Threat Intelligence | 8,127 | 3 months ago | A curated list of threat intelligence resources |
Awesome Pentest Cheat Sheets | 3,889 | 9 months ago | Collection of the cheat sheets useful for pentesting |
Awesome Industrial Control System Security | 28 | over 8 years ago | A curated list of resources related to Industrial Control System (ICS) security |
Awesome YARA | 3,566 | 8 days ago | A curated list of awesome YARA rules, tools, and people |
Awesome Threat Detection and Hunting | 3,853 | 4 months ago | A curated list of awesome threat detection and hunting resources |
Awesome Container Security | 14 | over 5 years ago | A curated list of awesome resources related to container building and runtime security |
Awesome Crypto Papers | 1,805 | about 1 month ago | A curated list of cryptography papers, articles, tutorials and howtos |