Showing posts labeled Security.

Disable SMBv1 on Windows Server 2012/2016

 Server side:

Get SMBv1 status
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
Get-WindowsFeature | Where-Object {$_.Name -eq "FS-SMB1"} | ft Name,InstallState

Enable SMB1 access auditing (do this first, and leave it on long enough to catch monthly jobs and legacy devices)
Set-SmbServerConfiguration -AuditSmb1Access $true
Then check Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> SMBServer -> Audit: every SMB1 connection is recorded there as event ID 3000 with the client's address. An empty log after a representative period means no client still depends on SMB1.

Remove SMB1 (uninstalls the component; a reboot completes the removal)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove

Disable SMB1 (keeps the component installed but stops the server from negotiating it; -Force skips the confirmation prompt)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Enable SMB1 (only for rolling back while a legacy client is being fixed)
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force


Client side
Check whether a Windows 10 client still has the SMB1 component installed (the client component is separate from the server setting):

Dism /online /Get-Features /format:table | find "SMB1Protocol"



Restrict PHP Information Leakage


1 - To restrict PHP information leakage, disable expose_php: when it is on, PHP adds an X-Powered-By header carrying its version to every response, which is exactly what a scanner fingerprints.
Edit /etc/php.d/security.ini (on Debian/Ubuntu the drop-in directory is /etc/php/<version>/<sapi>/conf.d/) and set the following directive:

expose_php=Off

2 - Do not show PHP error messages to site visitors: they reveal file paths, SQL fragments and library versions.
Edit /etc/php.d/security.ini and set the following directive:

display_errors=Off

Make sure all PHP errors still go to a log file, so that turning off display does not hide them from you as well:

log_errors=On
error_log=/var/log/httpd/php_scripts_error.log



3 - Limit PHP access to the file system

The open_basedir directive sets the directories from which PHP is allowed to access files with fopen() and the other file functions. If a file lies outside the paths listed in open_basedir, PHP refuses to open it, and a symbolic link is not a workaround, because the link target is what gets checked. Note that the match is a prefix match: "/var/www/html" would also admit "/var/www/html2", so end every entry with a slash. For example, to allow access only to the /var/www/html directory and not to /var/www, /tmp or /etc:

; Limits the PHP process from accessing files outside
; of specifically designated directories such as /var/www/html/
open_basedir="/var/www/html/"
; ------------------------------------
; Multiple dirs example
; open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
; ------------------------------------
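The three settings above, turned into a check you can run against a php.ini before and after the change. This is an added example, not code from the page or from the linked tutorial; the two ini fragments are constructed, and /var/www/data/ in the hardened one is a made-up second directory:

```sh
#!/bin/sh
# Added example (not from the page): audit a php.ini-style file for the
# three settings above. Sample files are constructed inline.

# php_ini_get FILE DIRECTIVE
#   prints the value PHP would use for DIRECTIVE: ';' comments are dropped,
#   the key match is case-insensitive, and when the directive appears more
#   than once the last line wins (that is how PHP reads ini files).
#   Exit status 1 if the directive is absent.
php_ini_get() {
    sed 's/;.*$//' "$1" | awk -F= -v key="$2" '
        index($0, "=") > 0 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # strip blanks and quotes
                val = v; found = 1
            }
        }
        END { if (found) print val; else exit 1 }'
}

# ini_is_on VALUE: true when PHP treats VALUE as boolean on
# (off/no/false/none/0 and the empty string are off; anything else is on)
ini_is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|off|no|false|none|0) return 1 ;;
        *) return 0 ;;
    esac
}

# php_ini_audit FILE: prints one "FAIL ..." line per problem, returns 1 if any
php_ini_audit() {
    f=$1; rc=0
    # 1. expose_php: PHP's built-in default is On, so an absent directive fails
    v=$(php_ini_get "$f" expose_php) || v=On
    if ini_is_on "$v"; then echo "FAIL expose_php: set expose_php=Off"; rc=1; fi
    # 2. errors must go to a log, not to the visitor (display_errors also defaults to On)
    v=$(php_ini_get "$f" display_errors) || v=On
    if ini_is_on "$v"; then echo "FAIL display_errors: set display_errors=Off"; rc=1; fi
    v=$(php_ini_get "$f" log_errors) || v=""
    if ! ini_is_on "$v"; then echo "FAIL log_errors: set log_errors=On and an error_log path"; rc=1; fi
    # 3. open_basedir is a prefix match: "/var/www/html" also admits /var/www/html2,
    #    so every entry in the ':'-separated list must end in a slash
    base=$(php_ini_get "$f" open_basedir) || base=""
    if [ -z "$base" ]; then
        echo "FAIL open_basedir: not set"; rc=1
    else
        old_ifs=$IFS; IFS=:
        for d in $base; do
            case "$d" in
                */) ;;
                *) echo "FAIL open_basedir: entry '$d' needs a trailing slash"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    fi
    return $rc
}

# Constructed samples: the weak 'before' and the hardened 'after'
WEAK_INI='; php.ini fragment (constructed)
expose_php = On
display_errors = On
open_basedir = "/var/www/html"'

HARD_INI='expose_php=Off
display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
open_basedir="/var/www/html/:/var/www/data/"'

# Real use: php_ini_audit /etc/php.d/security.ini
```

The audit reads only the one file you hand it; PHP merges every file in the drop-in directory plus the main php.ini, so check the file that actually wins (the last one loaded) or, on a running server, compare against the values phpinfo() reports.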
 


More:
https://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html


APT install only security updates

Check which security updates are pending (a dry run; -d prints the reasoning for each package):

sudo unattended-upgrade --dry-run -d

To apply exactly that set, run the same command without --dry-run: unattended-upgrade's default origin list is the distribution's security pocket. Alternatively, pick the packages coming from a security pocket out of a simulated dist-upgrade and install just those (xargs -r skips the install when the list is empty):

sudo apt-get -s dist-upgrade | grep "^Inst" | grep -i security | awk '{print $2}' | xargs -r sudo apt-get install -y
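The "Inst" filtering above, as an added example that is not from the page: the same selection done in awk on the origin shown in parentheses rather than on the whole line, so a package whose name merely contains the word "security" is not picked up. The apt-get -s lines below are constructed to mimic Ubuntu output, and python3-securitylib is an invented package name:

```sh
#!/bin/sh
# Added example (not from the page): extract the packages that a simulated
# "apt-get -s dist-upgrade" would take from a security pocket, matching on
# the origin shown in parentheses rather than on the whole line. The sample
# output below is constructed to mimic apt's "Inst" lines.

# security_updates: reads apt-get -s output on stdin, prints one package per line
security_updates() {
    awk '$1 == "Inst" {
            # "Inst PKG [old] (new ORIGIN[, ORIGIN...] [arch])": keep the part after "("
            origin = $0
            sub(/^[^(]*\(/, "", origin)
            if (tolower(origin) ~ /security/) print $2
        }'
}

# security_only_upgrade: simulate, filter, install (-r: do nothing when empty)
security_only_upgrade() {
    apt-get -s dist-upgrade | security_updates | xargs -r apt-get install -y
}

# Constructed sample; the last line shows why matching the whole line with
# "grep -i securi" is too loose: the package name itself contains the word.
SAMPLE='Inst libssl1.1 [1.1.1-1ubuntu2.1~18.04.5] (1.1.1-1ubuntu2.1~18.04.6 Ubuntu:18.04/bionic-security [amd64])
Inst vim [2:8.0.1453-1ubuntu1.1] (2:8.0.1453-1ubuntu1.4 Ubuntu:18.04/bionic-updates [amd64])
Inst libc6 [2.27-3ubuntu1.2] (2.27-3ubuntu1.4 Ubuntu:18.04/bionic-updates, Ubuntu:18.04/bionic-security [amd64])
Conf libssl1.1 (1.1.1-1ubuntu2.1~18.04.6 Ubuntu:18.04/bionic-security [amd64])
Inst python3-securitylib [1.0-1] (1.0-2 Ubuntu:18.04/bionic-updates [amd64])'

printf '%s\n' "$SAMPLE" | security_updates
```

Installing the filtered list with apt-get install still lets apt pull dependencies from whatever pocket satisfies them, which is the same limitation the grep pipeline has; when the pinned set matters, prefer unattended-upgrade, which resolves against its allowed origins only.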

Locking a directory

To keep the data in /downloads on my file server private I removed every permission bit:

chmod 0000 /downloads

Root can still read and write it, but for every other user ls and cd on the directory fail (the directory name itself remains visible in its parent). To go back:

chmod 0755 /downloads

SSH timeout interval

Once a user is logged in over ssh, sshd can drop sessions whose client has stopped answering. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 1


ClientAliveInterval is the number of seconds of silence after which sshd sends an encrypted keepalive to the client (300 secs == 5 minutes); ClientAliveCountMax is how many of those may go unanswered before the connection is closed. Two caveats. First, a healthy ssh client answers keepalives even while the user is idle, so this closes dead or disconnected sessions rather than logging out an idle user; to log out idle interactive shells, set TMOUT in the login shell (for example read-only in /etc/profile.d). Second, the widely copied value ClientAliveCountMax 0 no longer works as intended: from OpenSSH 8.2 onward a count of 0 disables connection termination entirely, so use 1 or more.

Find and fix world-writable files and directories

Anyone can modify a world-writable file, and anyone can delete or rename other users' entries in a world-writable directory that lacks the sticky bit. The following command finds directories of that kind (the sticky bit, as on /tmp, is what makes a shared writable directory tolerable):

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Investigate each reported path and either set the correct owner and mode (chmod o-w, or chmod +t where shared writing is intended) or remove it.
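Added example (not from the page): the directory find above beside the matching find for regular files, run against a throwaway tree that contains each case, so you can see what gets reported and what the sticky bit changes. The tree and its paths are constructed in a temporary directory:

```sh
#!/bin/sh
# Added example (not from the page): the directory check above alongside the
# matching check for files, exercised on a throwaway tree so the difference
# the sticky bit makes is visible. Paths are temporary and constructed.

# world_writable_dirs ROOT: directories anyone may write to in which anyone
# may also delete or rename other users' entries (world-writable, no sticky bit)
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# world_writable_files ROOT: regular files anyone may modify
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print
}

# fix_dir DIR: keep shared writing but stop cross-user deletion
# (use "chmod o-w DIR" instead when nobody else should write there at all)
fix_dir() {
    chmod +t "$1"
}

# make_tree: builds the sample tree and prints its root
make_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared" "$root/scratch" "$root/ok"
    : > "$root/shared/notes.txt"
    : > "$root/ok/readme.txt"
    chmod 0666 "$root/shared/notes.txt"   # world-writable file -> reported
    chmod 0777 "$root/shared"             # world-writable dir, no sticky bit -> reported
    chmod 1777 "$root/scratch"            # like /tmp: sticky bit set -> not reported
    chmod 0755 "$root/ok"                 # only the owner may write -> not reported
    chmod 0644 "$root/ok/readme.txt"
    echo "$root"
}

demo() {
    root=$(make_tree)
    echo "== world-writable directories without sticky bit =="
    world_writable_dirs "$root"
    echo "== world-writable files =="
    world_writable_files "$root"
    fix_dir "$root/shared"
    echo "== directories after chmod +t on shared =="
    world_writable_dirs "$root"
    rm -rf "$root"
}
demo
```

On a real box run the two finds from / (or each local filesystem root); -xdev keeps them from wandering into NFS or /proc. The file variant is the one the original text promised but the directory command does not deliver.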

Linux partitions security

Create separate partitions for the Apache and FTP server roots.
Edit /etc/fstab and make sure the following mount options are set on them:

noexec – Do not allow execution of binaries on this partition (stops direct execution; a script handed to an interpreter that lives elsewhere still runs, so treat this as a hurdle, not a boundary).
nodev – Do not interpret character or block special files on this partition (prevents use of device files such as zero or sda created there).
nosuid – Ignore SUID/SGID bits on this partition (a setuid binary dropped there gains nothing).

Sample /etc/fstab entry to limit what users can do on /dev/sda5 (the FTP server root directory):

/dev/sda5  /ftpdata          ext3    defaults,nosuid,nodev,noexec 1 2
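An fstab line only says what should be mounted; whether the options are actually in effect on the running system is what matters. The following is an added example, not from the page, that checks a mount point for nosuid, nodev and noexec from /proc/mounts-style lines ("device mountpoint fstype options dump pass"); the mount table below is constructed:

```sh
#!/bin/sh
# Added example (not from the page): verify that a mounted filesystem really
# carries nosuid, nodev and noexec, reading /proc/mounts-style lines.
# The mount table below is constructed; on a live host pipe in /proc/mounts.

# mount_missing_opts MOUNTPOINT: reads mount table lines on stdin and prints
# each expected option the mount lacks; exit status 1 if anything is missing
# or the mount point is not in the table
mount_missing_opts() {
    awk -v mp="$1" '
        BEGIN { bad = 0 }
        $2 == mp {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            nw = split("nosuid nodev noexec", want, " ")
            for (i = 1; i <= nw; i++)
                if (!(want[i] in have)) { print want[i]; bad = 1 }
        }
        END {
            if (!found) { print "not mounted"; bad = 1 }
            exit bad
        }'
}

# Constructed sample table: /ftpdata mounted as in the fstab line above,
# /var/www mounted with defaults only
MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda5 /ftpdata ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda6 /var/www ext4 rw,relatime 0 0'

for mp in /ftpdata /var/www; do
    if printf '%s\n' "$MOUNTS" | mount_missing_opts "$mp" >/dev/null; then
        echo "$mp: ok"
    else
        echo "$mp: missing $(printf '%s\n' "$MOUNTS" | mount_missing_opts "$mp" | paste -s -d ' ' -)"
    fi
done
```

On a live host: `mount_missing_opts /ftpdata < /proc/mounts`. If an option is reported missing after you edited fstab, the filesystem was mounted before the edit; `mount -o remount /ftpdata` applies the new options without a reboot.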

Open a port in the Windows firewall (inbound allow rule)


netsh advfirewall firewall add rule name="RULE_NAME" dir=in action=allow protocol=PROTOCOL localport=PORT

ex:
netsh advfirewall firewall add rule name="ZABBIX" dir=in action=allow protocol=TCP localport=10050

Secure SSH


1 – Edit the sshd_config file
vi /etc/ssh/sshd_config

# Allow only the listed users (everyone else is refused before authentication)
AllowUsers adam bob carl

# SSH port
Port 22

# Deny direct root login (log in as a user and escalate instead)
PermitRootLogin no

# Deny accounts whose password is empty
PermitEmptyPasswords no
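Added example (not from the page), covering both this section and the "SSH timeout interval" section above: a small reader for sshd_config that applies sshd's own rules (first occurrence wins, keywords are case-insensitive, "Key=value" is accepted, Match blocks are conditional) and an audit of the directives the two sections set. Both sample configs are constructed; the expected values, including the floor of 1 for ClientAliveCountMax, are a policy assumption:

```sh
#!/bin/sh
# Added example (not from the page), covering the "SSH timeout interval"
# and "Secure SSH" sections: read the effective value of each directive
# from an sshd_config and compare with the values those sections set.
# The two config files below are constructed; the expected values are a
# policy assumption.

# sshd_get FILE KEYWORD: prints the value sshd would use, exit 1 if unset.
# sshd rules applied: keywords are case-insensitive, '#' starts a comment,
# "Keyword value" and "Keyword=value" are both accepted, the FIRST
# occurrence wins, and lines after a "Match" header are conditional, so
# they do not count towards the global value.
sshd_get() {
    sed 's/^\([A-Za-z][A-Za-z0-9]*\)[[:space:]]*=[[:space:]]*/\1 /' "$1" |
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*$/, "") }
        tolower($1) == "match" { exit }
        !found && NF >= 2 && tolower($1) == key {
            found = 1
            $1 = ""; sub(/^[ \t]+/, ""); val = $0
        }
        END { if (found) print val; else exit 1 }'
}

# sshd_expect FILE KEYWORD WANT: prints a FAIL line and returns 1 on mismatch
sshd_expect() {
    v=$(sshd_get "$1" "$2") || v="(unset)"
    [ "$v" = "$3" ] && return 0
    echo "FAIL $2: is '$v', want '$3'"
    return 1
}

# sshd_audit FILE: runs every check, returns 1 if any failed
sshd_audit() {
    f=$1; rc=0
    sshd_expect "$f" PermitRootLogin no || rc=1
    sshd_expect "$f" PermitEmptyPasswords no || rc=1
    sshd_expect "$f" ClientAliveInterval 300 || rc=1
    # sshd's default is 3; 0 disables termination on OpenSSH 8.2 and later
    v=$(sshd_get "$f" ClientAliveCountMax) || v=3
    if [ "$v" -lt 1 ] 2>/dev/null; then
        echo "FAIL ClientAliveCountMax: is '$v', want 1 or more"; rc=1
    fi
    sshd_get "$f" AllowUsers >/dev/null || { echo "FAIL AllowUsers: no allow-list"; rc=1; }
    return $rc
}

# Constructed samples: a default-ish host and a hardened one
WEAK_SSHD='# constructed sshd_config
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
ClientAliveInterval = 300
ClientAliveCountMax 0'

HARD_SSHD='Port 22
AllowUsers adam bob carl
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

# Real use: sshd_audit /etc/ssh/sshd_config
```

For the configuration sshd actually loaded, including built-in defaults and Include files, compare with the output of `sshd -T`; after editing, `sshd -t` checks the syntax before you reload the service, which is the moment a typo would otherwise lock you out.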

Hide Squid info

Squid's default error page footer reads "Generated %T by %h (%s)", which prints the proxy hostname (%h) and the Squid version (%s) to every client that hits an error page. Replace that footer at the end of each error page template with:

<br clear="all">
<hr noshade size=1>
Generated %T
<!-- %h (%s) -->

The HTML comment is still sent to the client and is visible in the page source, so if the hostname and version really must not leak, delete that line instead of commenting it out.



tcpdump

Capture on interface eth1
tcpdump -i eth1

Capture on eth1 without resolving host or port names (-nn)
tcpdump -i eth1 -nn

Filter on one IP (either direction)
tcpdump -i eth1 -nn host 192.168.0.7

Filter on eth1 by destination port
tcpdump -i eth1 -nn dst port 2967

Filter on more than one destination port (the "dst port" qualifier carries over to 80)
tcpdump -i eth1 -nn dst port 2967 or 80

Filter on one source IP
tcpdump -i eth1 -nn src 10.20.181.55

Filter on one destination IP
tcpdump -i eth1 -nn dst 207.46.26.23

Filter on one IP and a port
tcpdump -i eth1 -nn host 192.168.0.7 and port 80

Filter on one source IP and a port
tcpdump -i eth1 -nn src 10.20.181.55 and port 1863

nmap advanced

Discover all hosts on the local network, taking the /24 from the default gateway's address (-sP is the old spelling of -sn, a ping scan with no port scan)
nmap -sP $( ip route | grep '^default' | egrep -o '([0-9]{1,3}\.){3}' )0/24 | awk '/^Nmap.*[0-9]$/{print $NF}' | sort -n -t . -k 4

Get OS and domain information from hosts through Windows file sharing (only hosts with 445 open are reported)
nmap --script smb-os-discovery -p 445 --open 192.168.0.0/24

Show hosts with port 631 (IPP/CUPS) open
nmap 192.168.0.0/24 -p 631 --open | awk '/)$/ {print $NF}'

Limit every host found on the network to two simultaneous connections to port 80 on this machine (one iptables connlimit rule is added per host)
nmap -sP 192.168.0.0/24 | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -n -t . -k 4 | xargs -I% iptables -A INPUT -s % -p tcp --dport 80 -m connlimit --connlimit-above 2 -j DROP

Failed ssh login attempts

On Debian/Ubuntu (the log is /var/log/auth.log; RHEL-style systems write to /var/log/secure), print day, month, user and source IP for every failed attempt:

awk '/sshd.*Failed/ { for (f=1; f<NF; f++) if ( $f ~ "from" ) print $2, $1, $(f-1), $(f+1) }' /var/log/auth.log*

Monitoring response time with curl (-s silent, -o /dev/null discards the body, -w prints the timing variables after the transfer)

   curl -s -o /dev/null -w "Connection: %{time_connect}s | Start transfer: %{time_starttransfer}s | Total time: %{time_total}s\n" ...
