# Security Configuration of Our Servers

#### General Security and Hardening Principles <a href="#h_01jdq3m5nh6xcfqavyrxfq705y" id="h_01jdq3m5nh6xcfqavyrxfq705y"></a>

* **Minimisation**\
  Only components strictly necessary for the system’s functionality are installed.
  * All services, especially those actively listening on the network, are considered sensitive. Only those essential for system operation and maintenance are installed. Unjustified services are disabled, uninstalled, or removed.
  * Features configured at the level of active services must be limited to the bare minimum required.
* **Least Privilege**\
  Every object or entity managed by the system is granted only the permissions strictly necessary for its operation—no more, no less.
* **Defence in Depth**\
  Network services are hosted in separate environments whenever possible, so that the compromise of one service does not affect others, as it could if they shared the same environment.
* **Monitoring and Maintenance**\
  Regular updates are performed, and the stable Debian distribution is used.

***

#### System Installation <a href="#h_01jdq3m5nh930q45f2fbmhke58" id="h_01jdq3m5nh930q45f2fbmhke58"></a>

* **Minimal Package Installation**\
  Only essential packages are installed, keeping the system setup as minimal as possible and limited to what is necessary for the intended purpose.
* **Repository Selection**\
  Only up-to-date official repositories of the distribution are used.
* **Root Password and Administrator Accounts**
  * The root password is chosen with the utmost care, following current recommendations, and is known only to those who need access.
  * Each administrator has a dedicated account (local or remote) and does not use the root account for system administration access. Privilege escalation operations are carried out using tools like `sudo`, ensuring activities are traceable.

***

#### System Configuration and Services <a href="#h_01jdq3m5nh6hd7y93g0nfa84eb" id="h_01jdq3m5nh6hd7y93g0nfa84eb"></a>

* **Hardening and Monitoring of Services Handling Arbitrary Traffic**
  * SSH access is permitted only via VPN.
  * Root login is prohibited, and authentication is performed using SSH keys.
* **Network Sysctl Settings**
  * IP forwarding is systematically disabled for servers that do not act as routers.
* **Dedicated Service Accounts**\
  Each service has its own exclusive system account, dedicated solely to its operation.
* **Access Rights for Sensitive Files**\
  Files containing sensitive information (e.g., certificates) are readable only by users who need access.
* **Resident Services and Daemons**
  * Only network daemons strictly necessary for the system’s operation and the services they provide are active and listening on appropriate network interfaces.
  * All other daemons are disabled and, wherever possible, uninstalled.
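
The SSH, IP forwarding and file-permission rules in this section can be checked mechanically. The script below is an added example, not the tooling or configuration actually used on these servers; the function names, the reading of "SSH keys" as `PasswordAuthentication no`, and the "no access for others" file test are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the operator's tooling): checks for the rules above.
# Files are passed as arguments so the checks also run on sample files.

# Effective global value of an sshd_config keyword. sshd keeps the FIRST
# occurrence, keywords are case-insensitive, and an absent keyword means the
# OpenSSH default. Stops at the first Match block; ignores Include files
# (on a live host, `sshd -T` resolves both).
sshd_value() {  # sshd_value FILE KEYWORD DEFAULT
  awk -v k="$2" -v d="$3" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
    END { if (!found) print d }' "$1"
}

check_ssh() {  # prints findings; exit status = number of findings
  local f=$1 fails=0
  [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" = no ] \
    || { echo "FAIL: PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
  [ "$(sshd_value "$f" PubkeyAuthentication yes)" = yes ] \
    || { echo "FAIL: PubkeyAuthentication is off"; fails=$((fails + 1)); }
  # Assumption: "SSH keys" on the page means passwords are not accepted.
  [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] \
    || { echo "FAIL: PasswordAuthentication is not 'no'"; fails=$((fails + 1)); }
  return "$fails"
}

check_forwarding() {  # FILE, e.g. /proc/sys/net/ipv4/ip_forward
  [ "$(cat "$1")" = 0 ]
}

check_private_file() {  # passes when "other" has no permission bits
  local mode
  mode=$(stat -c '%a' "$1")  # GNU stat, as shipped with Debian
  case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# Demo on a constructed config (sample data, not a real host's file).
demo=$(mktemp -d)
printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$demo/sshd_config"
check_ssh "$demo/sshd_config" || echo "ssh findings: $?"
rm -rf "$demo"
```

A commented-out `PermitRootLogin no`, or one that appears only inside a `Match` block, is reported as a finding because the OpenSSH default `prohibit-password` still applies globally.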
