During a security assessment, it is discovered that a Linux server has unnecessary services running, including Telnet and FTP. The server is also missing critical security patches. Which of the following is the MOST effective approach to harden this server according to industry best practices?
Trap 1: Move the server to a more secure network segment and implement…
Network segmentation is a compensating control, not a direct hardening measure for the server itself.
Trap 2: Enable SELinux and configure a host-based firewall using iptables.
While SELinux and firewall are good, they do not address the removal of unnecessary services or missing patches.
Trap 3: Install a host-based intrusion detection system (HIDS) to monitor…
HIDS adds monitoring but does not remove insecure services or patch vulnerabilities.
- A
Move the server to a more secure network segment and implement network access controls.
Why wrong: Network segmentation is a compensating control, not a direct hardening measure for the server itself.
- B
Enable SELinux and configure a host-based firewall using iptables.
Why wrong: While SELinux and firewall are good, they do not address the removal of unnecessary services or missing patches.
- C
Install a host-based intrusion detection system (HIDS) to monitor for attacks.
Why wrong: HIDS adds monitoring but does not remove insecure services or patch vulnerabilities.
- D
Disable Telnet and FTP services, and apply all critical security patches.
Disabling unnecessary services and patching are fundamental hardening steps.