
info@openbyte.co.za
0860 222 111
We transform default server configurations into audit-defended infrastructure.
Server hardening is needed by anyone concerned that their standard server installation isn't secure and definitely anyone that has a server located directly on the internet, whether it is a VPS or physical server. Most default installations of many different applications are very insecure in the default configuration. We start at the base, which is of course, the operating system, and move onto hardening specific software installations. We often combine server hardening with a security assessment to identify all risks upfront, deploy Wazuh SIEM for ongoing threat detection, and move workloads to cloud infrastructure where appropriate — serving businesses across Johannesburg, Cape Town, and South Africa.
An intrusion prevention program used to stop the bad guys from trying multiple passwords on a system (brute force attempt) to log on. Works in conjunction with firewall rules and secure logs by logging and banning the IP address of the assailant. Protocols protected include SSH, FTP, HTTP, and more.
Deployment of Rootkit Hunter and Chkrootkit tracking engines intended to scan file networks for active rootkits, hidden backdoors, and potential local execution exploits.
A specialized tracking tool which tracks changes to ports and sockets (both network and inter-process) by comparing snapshots taken. It alerts you when new sockets are created which is often linked to undesirable activity.
A secure method to open an external port which is normally kept completely closed. Requires connection attempts to a series of predefined closed ports. Think of it as a secret knock to open the door—highly effective for SSH.
Enforcing rigorous check and correction procedures including certificate directory permissions, ssh root login removal, ssh v2 only implementation, changing the default ssh port, implementing allow_user/allow groups parameters, and ssh warning banners.
Purging and removing completely unnecessary software, libraries, and packages. Disabling unused operational background processes. Removing IPv6 profiles if not actively used and stopping any listening daemons attached to those vectors.
Analyzing daily activity via automated summary reporting. Securing vital /tmp directories with strict nodev, nosuid, and noexec mount options to prevent unauthorized payload execution.
Deleting unused operating system users and enforcing non-executable shells. We search out and remove SUID and GUID attributes from binaries not in use. Implementation of parameters to harden the kernel networking stack—ignoring ICMP/broadcast storms, randomizing space to stop memory execution exploits, and disabling IP spoofing.
Maintaining continuous O.S. patching and updating matrices to keep core kernels secure. Deploying and scheduling ClamAV antivirus solutions for Linux filesystems to inspect and sanitize localized content.
Public-facing web architectures bear the brunt of automated scans and targeted exploits. Default web server deployments inherently disclose operational intelligence that attackers use to profile your systems. We eliminate these attack vectors entirely across Nginx and Apache ecosystems.
Remediation of default surface vectors via strict information disclosure parameters. Removal of version banners (ServerTokens Prod) and server-status exposure modules. Restricting unauthorized directory listings, securing headers against XSS and clickjacking, enforcing secure flags on session cookies, and isolating Apache processes within highly confined, non-privileged system profiles.
Disabling server tokens to mask Nginx runtime versions. Implementing robust request-rate limiting rules within nginx.conf to prevent Layer 7 DoS attempts. Enforcing buffer-size limitations to neutralize buffer overflow scripts and stripping away unnecessary HTTP verbs and unused modular compiled extensions.
Total decommissioning of weak, vulnerable ciphers, legacy SSLv2/v3 frameworks, and insecure legacy HTTP protocol revisions. Implementation of strict Perfect Forward Secrecy (PFS), modern TLS 1.2/1.3 operational wrappers, and optimized HTTP Strict Transport Security (HSTS) integration.
Modern microservice deployments shift the infrastructure profile into isolated runtimes, but a vulnerable container engine can expose the underlying Linux host kernel. Our team hardens container engines and images to prevent breaking orchestration boundaries.
Configuring Docker daemon profiles to prevent container escape exploits. Disabling default root runtime access inside container filesystems, utilizing user namespace remapping (userns-remap) to match root within a container to an unprivileged account on the host Linux machine, and binding internal sockets securely.
Stripping standard container base distributions down to minimalistic, distroless footprints to remove dangerous tools like package managers and shells. Continuous deployment of static vulnerability analysis scanners to inspect application dependencies before containerization.
Enforcing immutable read-only root filesystems (`--read-only`) for running images to deny persistent malware drops. Explicitly dropping unnecessary Linux kernel capabilities (such as CAP_SYS_ADMIN or CAP_NET_RAW) and imposing hard memory and CPU quota constraints to defend against resource exploitation.
Common questions about Linux server hardening from South African businesses.