{"id":35183,"date":"2023-06-22T17:11:46","date_gmt":"2023-06-22T22:11:46","guid":{"rendered":"https:\/\/www.filecloud.com\/blog\/?p=35183"},"modified":"2023-06-22T17:11:46","modified_gmt":"2023-06-22T22:11:46","slug":"4-filecloud-tips-to-secure-the-host-operating-system","status":"publish","type":"post","link":"https:\/\/www.filecloud.com\/blog\/4-filecloud-tips-to-secure-the-host-operating-system\/","title":{"rendered":"4 FileCloud Tips to Secure the Host Operating System"},"content":{"rendered":"<p>FileCloud is a hyper-secure file sharing and data governance solution. However, any solution is only as secure as the weakest link of the entire infrastructure. In this blog post,\u00a0 we will review 4 FileCloud tips to secure the host operating system; in this example, we will use Linux (RedHat 8.7) as a typical enterprise system of choice to host FileCloud Server.<\/p>\n<p>This document will review the steps involved in securing the operating system, not the FileCloud platform configuration. For FileCloud configuration, check out the documentation available for FileCloud <a href=\"https:\/\/www.filecloud.com\/supportdocs\/fcdoc\/latest\/server\/filecloud-administrator-guide\">administrators<\/a>. 
You can also learn how to set up FileCloud by watching our <a href=\"https:\/\/www.filecloud.com\/filecloud-university-admin-training\/\">Admin Training<\/a> videos through FileCloud University.\n<\/p>\n<h1><span class=\"ez-toc-section\" id=\"OS_Installation_Recommendations\"><\/span>OS Installation Recommendations<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>This blog post is not intended to serve as instructions on how to configure an OS; however there are a few important points worth mentioning before exploring the hardening steps outlined below.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Installation_Type\"><\/span>Installation Type<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>For our example OS, the Linux system (RedHat), the general approach of \u201cless is more\u201d can be quite helpful for the \u201cSoftware Selection\u201d step to build an efficient, secure, and reliable server. Less software means:<\/p>\n<ul>\n<li>Fewer security patches,<\/li>\n<li>Fewer background processes and services<\/li>\n<li>Better OS performance,<\/li>\n<li>Reduced risk of server exposures.<\/li>\n<\/ul>\n<p>An ideal server installation will only include packages that are clearly understood. To achieve this with Linux Redhat software, select \u201cServer\u201d or \u201cMinimal Install\u201d for the base environment.<\/p>\n<p>The \u201cServer\u201d option brings the minimal set of packages required for a server system that functions with common packages installed that support applications like FileCloud (without a variety of unnecessary packages). The \u201cMinimal Install\u201d option is also good but requires some manual packages installation on the later stages (especially during FileCloud installation) as some dependencies are not satisfied. 
This option is only recommended for advanced Server Administrators.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"User_Configuration\"><\/span>User Configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>During the installation, you are required to set the root password. Choose a strong password for this account.\u00a0It is also recommended to create an additional user, which will be used to access the system. Never treat the root account as the one from which you log in and work. The root account is for configuration and setup. In our example, we\u2019ll use the fadmin user as the default account to remotely access the server.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"1_Create_Admin_Users_with_Root_Level_Permissions\"><\/span>1. Create Admin Users with Root Level Permissions<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"Console_Login\"><\/span>Console Login<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After successful RedHat installation, log in to the console using the root account and perform some initial system configuration tweaks.<\/p>\n<pre>Red Hat Enterprise Linux 8.7 (Ootpa)\r\nKernel 4.18.0-425.12.1.el8_7.x86_64 on an x86_64\r\n\r\nActivate the web console with: systemctl enable --now cockpit.socket\r\n\r\nrhel8-secure-54 login: root\r\nPassword:\r\nLast login: Fri Feb 24 22:15:28 on tty1\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<p>First, we will prevent remote root login over SSH. This step eliminates the risk of brute-force attacks targeting the root account directly.<\/p>\n<p>Open the sshd configuration file using the editor of your choice (vi, nano, etc.):\u00a0<strong>vi \/etc\/ssh\/sshd_config<\/strong><\/p>\n<pre>[root@rhel8-secure-54 ~]# vi \/etc\/ssh\/sshd_config<\/pre>\n<p>Find the line:<\/p>\n<pre>PermitRootLogin yes<\/pre>\n<p>Change to:<\/p>\n<pre>PermitRootLogin no<\/pre>\n<p>Save the file and close the editor. 
Then restart the sshd daemon using the following command: <strong>systemctl restart sshd<\/strong><\/p>\n<pre>[root@rhel8-secure-54 ~]#\r\n[root@rhel8-secure-54 ~]# systemctl restart sshd\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Create_Custom_Admin_Group\"><\/span>Create Custom Admin Group<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Create the group that will contain users who can reach the root level on the server. It is possible to have more than one administrative user for the server. It is good practice to have a personal ID assigned to each admin user and to use these unique IDs to reach the server instead of using a shared admin ID. This personal accountability is important from any compliance or cybersecurity perspective.<\/p>\n<p>groupadd -g 10000 fcadmins<\/p>\n<pre>[root@rhel8-secure-54 ~]# groupadd -g 10000 fcadmins\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<p>Parameter -g says that this group will have the GID number 10000. The group name is fcadmins.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Add_Users_to_the_Custom_Admin_Group\"><\/span>Add Users to the Custom Admin Group<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Having a group without any users doesn\u2019t make much sense. We created a user during the installation process, so now we can add this user to the newly created admin group. 
First confirm that the user exists:<br \/>\nid fadmin<\/p>\n<pre>[root@rhel8-secure-54 ~]# id fadmin\r\nuid=1001(fadmin) gid=1001(fadmin) groups=1001(fadmin)<\/pre>\n<p>Add the fadmin user to the fcadmins group and verify:<\/p>\n<pre>[root@rhel8-secure-54 ~]# usermod -a -G fcadmins fadmin\r\n[root@rhel8-secure-54 ~]# id fadmin\r\nuid=1001(fadmin) gid=1001(fadmin) groups=1001(fadmin),10000(fcadmins)\r\n[root@rhel8-secure-54 ~]# _<\/pre>\n<p>We can see that user fadmin is a member of 2 groups: fadmin (a corresponding group is created automatically for each user) and fcadmins.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Allow_Only_Admin_Group_Members_to_Access_Root_Level\"><\/span>Allow Only Admin Group Members to Access Root Level<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Only system administrators should have root level access permissions. This step will limit this access to the minimum required.<\/p>\n<p>Open the file with the editor of your choice: <strong>\/etc\/sudoers<\/strong><br \/>\nvi \/etc\/sudoers<br \/>\nFind the line:<\/p>\n<pre>%wheel           ALL=(ALL)       ALL<\/pre>\n<p>Comment the line out by adding the # sign at the beginning, and then add a new line below:<\/p>\n<pre>%fcadmins      ALL=(ALL)       ALL<\/pre>\n<p>Save the file.<\/p>\n<p>Warning:<br \/>\nThe sudoers file has read-only permissions for everyone (including root). However, the root user can usually force almost any action. For example, in the vi editor, it is possible to force a file save. 
As the root user, you can enter:<br \/>\n:w!<br \/>\nThen:<br \/>\n:q<br \/>\nThis will save the file, even though it is read-only.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Checking_Sudo_Configurations\"><\/span>Checking Sudo Configurations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Log out of the root user account and log in as the fadmin user.<\/p>\n<pre>Red Hat Enterprise Linux 8.7 (Ootpa)\r\nKernel 4.18.0-425.13.1.el8_7.x86_64 on an x86_64\r\n\r\nActivate the web console with: systemctl enable --now cockpit.socket\r\n\r\nrhel8-secure-54 login: fadmin\r\nPassword:\r\n[fadmin@rhel8-secure-54 ~]$<\/pre>\n<p>When logged in, run the command: <strong>sudo su -<\/strong><\/p>\n<p>Provide the fadmin user password when prompted.\u00a0If everything is correct, a shell prompt ending with the # sign should be displayed, confirming that the user has achieved root level permissions. This can be additionally confirmed by entering the command: <strong>whoami<\/strong><\/p>\n<pre>[root@rhel8-secure-54 ~]# whoami\r\nroot\r\n[root@rhel8-secure-54 ~]# _<\/pre>\n<p>Now we can set up the remote login. Log out of the console by typing exit two times.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"2_Enable_Key-Pair_Authentication_for_Remote_Login_via_SSH\"><\/span>2. Enable Key-Pair Authentication for Remote Login via SSH<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"Generating_the_RSA_Keys\"><\/span>Generating the RSA Keys<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The most common method to log in remotely to Linux systems is via Secure Shell (ssh). This protocol uses an encrypted channel to establish communication and is considered a secure mechanism. It can be even more secure when authentication uses key pairs (private-public RSA key). 
This will eliminate the risk of weak passwords and will completely eliminate password guessing with brute force attacks \u2013 covered later in this post.<\/p>\n<p>The key pair generation looks very similar on Windows (10 and 11) and Linux. To generate the keys in Windows, first open the cmd window; in Linux (workstation), open the terminal. Our example will be presented using Linux (Fedora 37).<\/p>\n<p>Open a terminal session and type: <strong>ssh-keygen<\/strong><\/p>\n<p>Press Enter at every prompt. Doing so will generate two files. In our case, these files are as follows:<\/p>\n<ul>\n<li>public key: \/home\/user1\/.ssh\/id_rsa.pub<\/li>\n<li>private key: \/home\/user1\/.ssh\/id_rsa<\/li>\n<\/ul>\n<p>A detailed example on Windows is also available by visiting the Microsoft <strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/openssh\/openssh_keymanagement\">documentation<\/a><\/strong>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Copy_Public_Key_on_the_Target_Host\"><\/span>Copy Public Key on the Target Host<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To authenticate using the key pair, the public key must be placed on the target host. This can be done easily from a Linux workstation by running the command: <strong>ssh-copy-id fadmin@secure.filecloud.pl<\/strong><\/p>\n<p>In our example, we are enabling remote login for <em>fadmin<\/em> to the destination host, which is given as the full DNS name of the target system: <em>secure.filecloud.pl<\/em>. The destination can also be a direct IP address.<\/p>\n<p>The command will ask if the fingerprint of the target host should be saved (yes by default) and will prompt for the password for the target user <em>fadmin<\/em>. 
The next login attempt should not require the password at all \u2013 this user will now have full remote access without relying on password-based security methods.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Turn_off_Password-based_Authentication_for_SSH\"><\/span>Turn off Password-based Authentication for SSH.<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When we are logged in to the target system as user <em>fadmin<\/em>, we can switch to root.<br \/>\nRun the command: <strong>sudo su -<\/strong><\/p>\n<p>Open the sshd configuration file using your preferred editor:\u00a0<strong>vi \/etc\/ssh\/sshd_config<\/strong><\/p>\n<p>Find the line containing:<\/p>\n<pre>PasswordAuthentication yes<\/pre>\n<p>Change to:<\/p>\n<pre>PasswordAuthentication no<\/pre>\n<p>Save the file and restart the sshd service: <strong>systemctl restart sshd<\/strong><\/p>\n<p>After completing this step, it will no longer be possible to log in over SSH as any system user using a password. Only key-pair authentication is allowed. If you lose your private key, the only way to log into the system will be via console.<\/p>\n<p>Now log out completely and log back in to confirm key-pair authentication is functioning correctly.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"3_Harden_Network_Perimeter\"><\/span>3. Harden Network Perimeter<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"Disable_IPV6\"><\/span>Disable IPV6<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>IPV6 is the next-generation IP address family but not the only family. A majority of internet resources are still available on IPV4. Most setups utilize the IPV4 address family, so the IPV6 family can be disabled.<\/p>\n<p>Log into your system using ssh and switch to root using the sudo su - command. 
Then create a new file: <strong>vi \/etc\/sysctl.d\/ipv6.conf<\/strong><\/p>\n<p>Add this line:<\/p>\n<pre>net.ipv6.conf.all.disable_ipv6 = 1<\/pre>\n<p>Then save and close the file.<\/p>\n<p>Apply the new kernel parameters: <strong>sysctl -p \/etc\/sysctl.d\/ipv6.conf<\/strong><\/p>\n<pre>[root@rhel8-secure-54 ~]# sysctl -p \/etc\/sysctl.d\/ipv6.conf\r\nnet.ipv6.conf.all.disable_ipv6 = 1\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<p>The next step is to rebuild the initial RAM disk used during the OS boot process: <strong>dracut -f -v<\/strong><\/p>\n<p>Multiple messages can be displayed during this process. The end of the process should look similar to the screen capture below:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-35184\" src=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Rebuilding-RAM-disk.png\" alt=\"\" width=\"1617\" height=\"580\" srcset=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Rebuilding-RAM-disk.png 1617w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Rebuilding-RAM-disk-1024x367.png 1024w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Rebuilding-RAM-disk-768x275.png 768w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Rebuilding-RAM-disk-1536x551.png 1536w\" sizes=\"(max-width: 1617px) 100vw, 1617px\"><\/p>\n<p>When the image is created successfully, reboot the system.<\/p>\n<p>Once the system is back, log in as fadmin and switch to root using sudo su -<\/p>\n<p>Then verify that IPV6 has been disabled by entering the command: <strong>ip a s<\/strong><br \/>\nThis command should only return IPV4 addresses:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-35185\" src=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Disabling-IPV6.png\" alt=\"\" width=\"1702\" height=\"388\" 
srcset=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Disabling-IPV6.png 1702w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Disabling-IPV6-1024x233.png 1024w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Disabling-IPV6-768x175.png 768w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Disabling-IPV6-1536x350.png 1536w\" sizes=\"(max-width: 1702px) 100vw, 1702px\"><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Firewall_Configuration\"><\/span>Firewall Configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>RedHat 8.x uses the firewalld mechanism to manage the internal firewall rules. All the rules translate to corresponding iptables.<br \/>\nFirst, we will remove unneeded services listed in the firewall. As the root user, run the command: <strong>firewall-cmd --list-all<\/strong><\/p>\n<pre>[root@rhel8-secure-54 ~]# firewall-cmd --list-all\r\npublic (active)\r\n\u00a0\u00a0\u00a0\u00a0 target: default\r\n\u00a0\u00a0\u00a0\u00a0 icmp-block-inversion: no\r\n\u00a0\u00a0\u00a0\u00a0 interfaces: enp1s0\r\n\u00a0\u00a0\u00a0\u00a0 sources:\r\n\u00a0\u00a0\u00a0\u00a0 services: cockpit dhcpv6-client ssh\r\n\u00a0\u00a0\u00a0\u00a0 ports:\r\n\u00a0\u00a0\u00a0\u00a0 protocols:\r\n\u00a0\u00a0\u00a0\u00a0 forward: no\r\n\u00a0\u00a0\u00a0\u00a0 masquerade: no\r\n\u00a0\u00a0\u00a0\u00a0 forward-ports:\r\n\u00a0\u00a0\u00a0\u00a0 source-ports:\r\n\u00a0\u00a0\u00a0\u00a0 icmp-blocks:\r\n\u00a0\u00a0\u00a0\u00a0 rich rules:\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<p>In the services list, we can see: cockpit, dhcpv6-client and ssh. Out of these, we only need ssh for our server. Remove all other services from our configuration. 
Run the commands:<\/p>\n<pre>firewall-cmd --remove-service cockpit --permanent\r\nfirewall-cmd --remove-service dhcpv6-client --permanent\r\nfirewall-cmd --reload<\/pre>\n<p>List all the rules again to see if the unnecessary services have been removed: <strong>firewall-cmd --list-all<\/strong><\/p>\n<pre>[root@rhel8-secure-54 ~]# firewall-cmd --list-all\r\npublic (active)\r\n\u00a0\u00a0\u00a0\u00a0 target: default\r\n\u00a0\u00a0\u00a0\u00a0 icmp-block-inversion: no\r\n\u00a0\u00a0\u00a0\u00a0 interfaces: enp1s0\r\n\u00a0\u00a0\u00a0\u00a0 sources:\r\n\u00a0\u00a0\u00a0\u00a0 services: ssh\r\n\u00a0\u00a0\u00a0\u00a0 ports:\r\n\u00a0\u00a0\u00a0\u00a0 protocols:\r\n\u00a0\u00a0\u00a0\u00a0 forward: no\r\n\u00a0\u00a0\u00a0\u00a0 masquerade: no\r\n\u00a0\u00a0\u00a0\u00a0 forward-ports:\r\n\u00a0\u00a0\u00a0\u00a0 source-ports:\r\n\u00a0\u00a0\u00a0\u00a0 icmp-blocks:\r\n\u00a0\u00a0\u00a0\u00a0 rich rules:\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<p>With these changes, we can see that only ssh is allowed in the services section. This means that our server is allowing only incoming ssh traffic, which is quite secure; however, it will not allow FileCloud users to reach the FileCloud interface or resources.<\/p>\n<p>At this stage, FileCloud installation can be performed according to these <a href=\"https:\/\/www.filecloud.com\/supportdocs\/fcdoc\/latest\/server\/filecloud-administrator-guide\/installing-filecloud-server\/installation\/direct-installation\/installation-of-filecloud-on-linux-using-the-repository\"><strong>instructions<\/strong><\/a>. 
When the installation is completed, we can allow https traffic with the following commands:<\/p>\n<pre>firewall-cmd --add-service https --permanent\r\nfirewall-cmd --reload\r\nfirewall-cmd --list-all<\/pre>\n<p>Confirm that the services have been updated to include https:<\/p>\n<pre>[root@rhel8-secure-54 ~]# firewall-cmd --add-service https --permanent\r\nsuccess\r\n[root@rhel8-secure-54 ~]# firewall-cmd --reload\r\nsuccess\r\n[root@rhel8-secure-54 ~]# firewall-cmd --list-all\r\npublic (active)\r\n\u00a0\u00a0\u00a0\u00a0 target: default\r\n\u00a0\u00a0\u00a0\u00a0 icmp-block-inversion: no\r\n\u00a0\u00a0\u00a0\u00a0 interfaces: enp1s0\r\n\u00a0\u00a0\u00a0\u00a0 sources:\r\n\u00a0\u00a0\u00a0\u00a0 services: https ssh\r\n\u00a0\u00a0\u00a0\u00a0 ports:\r\n\u00a0\u00a0\u00a0\u00a0 protocols:\r\n\u00a0\u00a0\u00a0\u00a0 forward: no\r\n\u00a0\u00a0\u00a0\u00a0 masquerade: no\r\n\u00a0\u00a0\u00a0\u00a0 forward-ports:\r\n\u00a0\u00a0\u00a0\u00a0 source-ports:\r\n\u00a0\u00a0\u00a0\u00a0 icmp-blocks:\r\n\u00a0\u00a0\u00a0\u00a0 rich rules:\r\n[root@rhel8-secure-54 ~]#<\/pre>\n<h1><span class=\"ez-toc-section\" id=\"4_Set_Up_Brute_Force_Defenses\"><\/span>4. Set Up Brute Force Defenses<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>To protect the OS and FileCloud against brute force password guessing attacks, we are going to install and configure the fail2ban mechanism.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Installation\"><\/span>Installation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To install fail2ban on RedHat 8.x systems, we need to add the EPEL repository. 
Log in to the system as fadmin and switch to the root user using sudo su -<br \/>\nRun the command: <strong>dnf -y install https:\/\/dl.fedoraproject.org\/pub\/epel\/epel-release-latest-8.noarch.rpm<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-35186\" src=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-on-RedHat.png\" alt=\"\" width=\"1601\" height=\"705\" srcset=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-on-RedHat.png 1601w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-on-RedHat-1024x451.png 1024w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-on-RedHat-768x338.png 768w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-on-RedHat-1536x676.png 1536w\" sizes=\"(max-width: 1601px) 100vw, 1601px\"><\/p>\n<p>When the EPEL repository is enabled, we can install fail2ban: <strong>dnf install -y fail2ban<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-35187\" src=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban.png\" alt=\"\" width=\"1567\" height=\"690\" srcset=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban.png 1567w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-1024x451.png 1024w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-768x338.png 768w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Installing-fail2ban-1536x676.png 1536w\" sizes=\"(max-width: 1567px) 100vw, 1567px\"><\/p>\n<p>After fail2ban has been installed, we can enable the service:<\/p>\n<pre>systemctl start fail2ban\r\nsystemctl enable fail2ban<\/pre>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full 
wp-image-35188\" src=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Enabling-fail2ban-service.png\" alt=\"\" width=\"1565\" height=\"516\" srcset=\"https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Enabling-fail2ban-service.png 1565w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Enabling-fail2ban-service-1024x338.png 1024w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Enabling-fail2ban-service-768x253.png 768w, https:\/\/www.filecloud.com\/blog\/wp-content\/uploads\/2023\/06\/Enabling-fail2ban-service-1536x506.png 1536w\" sizes=\"(max-width: 1565px) 100vw, 1565px\"><\/p>\n<p>Initially, we need to prepare the global fail2ban customization. The software has some default settings, but we are going to tweak them a little. It is not recommended to edit the global default config, so we will prepare a local config.<\/p>\n<p>Call command: <strong>cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/strong><\/p>\n<p>Open the file: <strong>\/etc\/fail2ban\/jail.local<\/strong> with your preferred editor:<br \/>\nvi \/etc\/fail2ban\/jail.local<br \/>\nFind the line containing: ignoreip = 127.0.0.1\/8<br \/>\nRemove # from the beginning of the line to un-comment.<\/p>\n<p>You can then add the IPs or subnets that you are absolutely sure should never be blocked and will not be a source of any attacks. Once you have added the IPs, save and close the file. 
Then restart fail2ban with the command: <strong>systemctl restart fail2ban<\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Protecting_SSH_Service_Against_Brute_Force_Password_Guessing\"><\/span>Protecting SSH Service Against Brute Force Password Guessing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Log into the system as fadmin and switch to the root user using sudo su -<\/p>\n<p>Create a local config for the sshd protection mechanism: <strong>vi \/etc\/fail2ban\/jail.d\/sshd.local<\/strong><\/p>\n<p>Add the following lines:<\/p>\n<pre>[sshd]\r\nenabled = true\r\nmaxretry = 3\r\nbantime = 5m<\/pre>\n<p>Save and close the file.<\/p>\n<p>Restart the fail2ban service: <strong>systemctl restart fail2ban<\/strong><\/p>\n<p>After applying these changes, an IP address will be blocked for five minutes after three unsuccessful login attempts. Take care while testing, as your own management system may get cut off.<\/p>\n<p>The fail2ban status for this jail can be displayed using this command: <strong>fail2ban-client status sshd<\/strong><\/p>\n<p>Preventing password guessing on the ssh service gives us the ability to recognize and block threatening hosts. With password authentication disabled, there is no risk that any attacking host will guess the password for any user. This kind of activity may still lead to DoS, so cutting such hosts off is a good way to optimize system security and stability.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Protecting_FileCloud_from_Password-Guessing_Attacks\"><\/span>Protecting FileCloud from Password-Guessing Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The same mechanism can be adopted to protect the FileCloud application layer against password guessing and DoS attacks caused by repeated password entry. 
For this purpose, we need to perform some fail2ban configuration steps.<\/p>\n<p>First, we need to create a new filter that will recognize failed authentication in the Apache logs.<br \/>\nCreate the following file: <strong>vi \/etc\/fail2ban\/filter.d\/filecloud.conf<\/strong><\/p>\n<p>Add the following content to the file:<\/p>\n<pre>[Definition]\r\nfailregex = &lt;HOST&gt;.*\"POST \\\/.*\\\/(adminlogin|loginguest)\\?.* HTTP\\\/1\\.\\d\" 400.*<\/pre>\n<p>Then create another file: <strong>vi \/etc\/fail2ban\/jail.d\/filecloud.local<\/strong><\/p>\n<p>In this file, we will set the following parameters:<\/p>\n<ul>\n<li><strong><em>filter<\/em><\/strong> \u2013 the name of the filter that will classify the log entries (created in the previous step)<\/li>\n<li><strong><em>logpath<\/em><\/strong> \u2013 the log file location that will be monitored by the filter<\/li>\n<li><strong><em>maxretry<\/em><\/strong> \u2013 how many events in a row will trigger the action<\/li>\n<li><strong><em>findtime<\/em><\/strong> \u2013 the time frame in which maxretry events must occur for the activity to be treated as suspicious<\/li>\n<li><strong><em>bantime<\/em><\/strong> \u2013 the time (in seconds) for the suspicious host to be cut off, after which the IP will be un-banned.<\/li>\n<\/ul>\n<p>We will set these parameters by adding the following content to the filecloud.local file:<\/p>\n<pre>[filecloud]\r\nenabled = true\r\nfilter = filecloud\r\nlogpath = \/var\/log\/httpd\/access_log\r\nmaxretry = 3\r\nfindtime = 300\r\nbantime = 300<\/pre>\n<p>Restart the fail2ban daemon: <strong>systemctl restart fail2ban<\/strong><\/p>\n<p>Display the filecloud jail statistics. These statistics identify which log file is monitored by this jail rule, how many times any IP was banned, and the current ban list. For testing purposes, perform a failed login at least three times in the FileCloud admin panel or user interface.
Repeat this failed login three times and then open the fail2ban filecloud jail statistics to confirm the list reflects the currently banned IP addresses.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Secure_Host_Operating_Systems_Conclusion\"><\/span>Secure Host Operating Systems: Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>In the IT world, one of the biggest traps is considering any system 100% secure. Every system should be considered vulnerable, given enough effort or money spent on breaching it.<\/p>\n<p>One of the many responsibilities of a system administrator is to make a breach as difficult as possible. By following the steps detailed above, you can maintain a secure host operating system that is a little harder to scan, investigate, and target with a directed attack.<\/p>\n<p>All typical and standard protection solutions are also known to potential attackers, so custom and self-developed mechanisms can be considered a front-line defense to secure a host operating system. Securing operating systems against common attack types such as password guessing and DoS attacks is the beginning of system security. Implementing these measures can also serve to prevent weak passwords and to disable password-based login mechanisms entirely.<\/p>\n<p>Additionally, it is important to regularly check for security advisories and install security patches for your operating system and hosted software.
Security advisories are released on a cycle according to the OS vendor (like RedHat) and should be implemented promptly.<\/p>\n<p>For more FileCloud cybersecurity tips, check out our white paper on <a href=\"https:\/\/www.filecloud.com\/security-faq\/\">Security FAQs<\/a> or contact our <a href=\"https:\/\/www.filecloud.com\/filecloud-support\/\">support team<\/a>!<\/p>\n<p>\u00a0<\/p>\n<p><strong>Article written by <a href=\"https:\/\/www.linkedin.com\/in\/frueauff\/?originalSubdomain=pl\">Marek Frueauff<\/a>, Solutions Architect<\/strong><\/p>\n<p><strong>Edited by <a href=\"https:\/\/www.linkedin.com\/in\/katie-gerhardt-88541791\/\">Katie Gerhardt<\/a>, Jr. Product Marketing Manager<\/strong><\/p>\n<p>\u00a0<\/p>\n","protected":false}}