Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-security-hardening
A collection of awesome security hardening guides, tools and other resources
https://github.com/decalage2/awesome-security-hardening
Last synced: 6 days ago
JSON representation
-
Hardening Guide Collections
- NSA Cybersecurity Resources for Cybersecurity Professionals
- US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
- CIS Benchmarks
- ANSSI Best Practices
- OpenSCAP Security Policies
- Australian Cyber Security Center Publications
- FIRST Best Practice Guide Library (BPGL)
- Harden the World - a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).
- CIS Benchmarks
- Harden the World - a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).
- NSA Cybersecurity Advisories & Guidance
-
GNU/Linux
-
- ANSSI - Configuration recommendations of a GNU/Linux system
- CIS Benchmark for Distribution Independent Linux
- nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
- nixCraft - Tips To Protect Linux Servers Physical Console Access
- TecMint - 4 Ways to Disable Root Account in Linux
- ERNW - IPv6 Hardening Guide for Linux Servers
- trimstray - The Practical Linux Hardening Guide - practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
- trimstray - Linux Hardening Checklist - most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
- How To Secure A Linux Server - for a single Linux server at home
- Neo23x0/auditd - Best Practice Auditd Configuration
- ANSSI - Configuration recommendations of a GNU/Linux system
- CIRCL TR-83 - Linux Boot Hardening HOWTO - How to secure the boot sequence of your Linux based distribution (2024)
- ERNW - IPv6 Hardening Guide for Linux Servers
-
Red Hat Enterprise Linux - RHEL
-
CentOS
-
SUSE
-
Ubuntu
-
-
Windows
-
Ubuntu
- Microsoft - Windows security baselines
- Microsoft - Windows Server Security | Assurance
- Microsoft - Windows 10 Enterprise Security
- BSI/ERNW - Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities - focused on Windows 10 LTSC 2019
- ACSC - Hardening Microsoft Windows 10, version 21H1, Workstations
- ACSC - Securing PowerShell in the Enterprise
- Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
- Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
- ERNW - IPv6 Hardening Guide for Windows Servers
- Windows Defense in Depth Strategies - work in progress
- Endpoint Isolation with the Windows Firewall
- Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
- Awesome Windows Domain Hardening
- NSA - AppLocker Guidance - Configuration guidance for implementing application whitelisting with AppLocker
- NSA - Pass the Hash Guidance - Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
- NSA - BitLocker Guidance - Configuration guidance for implementing disk encryption with BitLocker
- NSA - Event Forwarding Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
- ZeroSec - Paving The Way to DA - red teaming techniques and how to prevent them
- ERNW - IPv6 Hardening Guide for Windows Servers
- Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
-
-
macOS
-
Network Devices
-
Ubuntu
- NSA - Harden Network Devices - very short but good summary
-
Switches
-
Routers
-
IPv6
- NSA - IPv6 Security Guidance
- Part 1 - an-enterprise-ipv6-security-strategy-part-2-network-isolation-on-the-routing-layer/), [Part 3](https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/), [Part 4](https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/) - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
-
Firewalls
-
-
Virtualization - VMware
-
Firewalls
- VMware Security Hardening Guides - covers most VMware products and versions
- CIS VMware ESXi 6.5 Benchmark
- DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
- ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
- NIST SP 800-125 - Guide to Security for Full Virtualization Technologies - (2011)
- NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
- ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
- ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information
- VMware - Protecting vSphere From Specialized Malware - see also [Mandiant - Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
- ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
- ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
-
-
Containers - Docker - Kubernetes
-
Firewalls
- How To Harden Your Docker Containers
- CIS Docker Benchmarks - registration required
- NIST SP 800-190 - Application Container Security Guide
- A Practical Introduction to Container Security
- ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker
- Kubernetes Security Checklist
- Kubernetes Role Based Access Control Good Practices
- Kubernetes Multi-tenancy
- Kubernetes blog - A Closer Look at NSA/CISA Kubernetes Hardening Guidance
- ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker
- ReynardSec - Docker Security – Step-by-Step Hardening (Docker Hardening)
-
-
Services
-
SSH
- NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
- ANSSI - (Open)SSH secure use recommendations
- Linux Audit - OpenSSH security and hardening
- Positron Security SSH Hardening Guides - 2018) - focused on crypto algorithms
- stribika - Secure Secure Shell - some algorithm recommendations might be slightly outdated
- IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 - update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
- Gravitational - How to SSH Properly - how to configure SSH to use certificates and two-factor authentication
- ANSSI - (Open)SSH secure use recommendations
-
TLS/SSL
- Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2021
- NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
- ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
- Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
- RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
- ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
- Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
-
Web Servers
- Cipherlist.eu - Strong Ciphers for Apache, nginx and Lighttpd
- Apache HTTP Server documentation - Security Tips
- GeekFlare - Apache Web Server Hardening and Security Guide
- Apache Config - Apache Security Hardening Guide
- Apache Tomcat 9 Security Considerations - 8.0-doc/security-howto.html) / [v7](https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
- OWASP Securing tomcat
- How to get Tomcat 9 to work with authbind to bind to port 80
- Eclipse Jetty - Configuring Security
- Jetty hardening
- CIS Microsoft IIS Benchmarks
-
Mail Servers
- MDaemon - 15 Best Practices for Protecting Your Email - Generic recommandations but based on MDaemon Security Gateway for Email Servers
-
FTP Servers
- JSCAPE - Guide for securing FTP - Generic recommandations but based on JSCAPE MFT Server
-
Database Servers
-
Active Directory
- Microsoft - Best Practices for Securing Active Directory
- ANSSI CERT-FR - Active Directory Security Assessment Checklist - [other version with changelog](https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html) - 2022 (English and French versions)
- "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
- "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory
- "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
-
ADFS
-
Kerberos
-
LDAP
- OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations
- Best Practices in LDAP Security
- LDAP: Hardening Server Security (so administrators can sleep at night)
- LDAP Authentication Best Practices - retrieved from web.archive.org
- Hardening OpenLDAP on Linux with AppArmor and systemd - slides
- zytrax LDAP for Rocket Scientists - LDAP Security
- How To Encrypt OpenLDAP Connections Using STARTTLS
-
DNS
-
NTP
-
NFS
- Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
- Red Hat - RHEL7 Storage Administration Guide - Securing NFS
- NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
- CertDepot - RHEL7: Use Kerberos to control access to NFS network shares
-
CUPS
-
-
Authentication - Passwords
-
Hardware - CPU - BIOS - UEFI
-
CUPS
- ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
- NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
- NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)
- ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
-
-
Cloud
-
CUPS
- NSA Info Sheet: Cloud Security Basics (August 2018)
- DISA DoD Cloud Computing Security
- asecure.cloud - Build a Secure Cloud - A free repository of customizable AWS security configurations and best practices
-
-
Tools to check security hardening
-
CUPS
- Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.
-
GNU/Linux
- Lynis - script to check the configuration of Linux hosts
- OpenSCAP Base - oscap command line tool
- SCAP Workbench - GUI for oscap
- Tiger - The Unix security audit and intrusion detection tool
-
Windows
- PingCastle - Tool to check the security of Active Directory
-
TLS/SSL
-
-
Tools to apply security hardening
-
TLS/SSL
-
Cloud
- DevSec Hardening Framework - a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet
-
GNU/Linux
- Bastille Linux - outdated
-
Windows
- mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10
- Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
-
-
Password Generators
-
Cloud
- How-To Geek - 10 Ways to Generate a Random Password from the Linux Command Line
- Vitux - 8 Ways to Generate a Random Password on Linux Shell
- SS64 - Password security and a comparison of Password Generators
- Awesome Cybersecurity Blue Team - A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
-
-
Other Awesome Security Lists
-
Cloud
- Awesome Honeypots - An awesome list of honeypot resources.
- Android Security Awesome - A collection of android security related resources.
- Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
- Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
- Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
- Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
- Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
- Awesome Incident Response - A curated list of resources for incident response.
- Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.
- Awesome Security - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
-
Programming Languages
Categories
Services
56
GNU/Linux
22
Windows
20
Virtualization - VMware
13
Hardening Guide Collections
11
Containers - Docker - Kubernetes
11
Other Awesome Security Lists
10
Tools to check security hardening
7
Network Devices
7
Authentication - Passwords
5
Tools to apply security hardening
5
Password Generators
4
Hardware - CPU - BIOS - UEFI
4
Cloud
3
macOS
2
Sub Categories
Keywords
security
8
awesome
8
awesome-list
7
windows
5
list
4
hardening
3
cybersecurity
2
audit
2
linux
2
chinese-translation
1
domain-analysis
1
drop-ice
1
dynamic-analysis
1
malware-analysis
1
malware-collection
1
malware-research
1
malware-samples
1
network-traffic
1
static-analysis
1
threat-intelligence
1
threat-sharing
1
threatintel
1
best-practices
1
containers
1
linux-containers
1
dfir
1
incident-response
1
iptables-rules
1
blue-team
1
computer-security
1
iptables-firewall
1
defensive-security
1
infosec
1
iptables-configurations
1
iptables
1
honeyd
1
honeypot
1
firewall-rules
1
android
1
ctf
1
penetration
1
hacking
1
analysis-framework
1
automated-analysis
1
chinese
1
cc-by-sa
1
hardening-steps
1
linux-server
1
security-hardening
1
server
1