python server hardening tutorial

you try to install this module

pip install pyseccomp
import pyseccomp

github.com › insidious-security › server-hardening

GitHub - insidious-security/server-hardening: Linux server hardening

# Git clone this repository: $ git clone https://github.com/insidious-security/server-hardening.git # Install python dependency: $ pip3 install requests # Run the code: python3 harden.py

Author insidious-security

GeeksforGeeks

geeksforgeeks.org › python › python-system-hardening-and-compliance-reports-using-lynis

Python | System hardening and compliance reports using Lynis - GeeksforGeeks

November 8, 2021 - #!/bin/bash # script to scrape/parse the report file and # extract the relevant details and run the # python script to display the details in a server. echo "running......" echo "" sudo ./lynis audit system --quick # execute warnings.

Stack Exchange

security.stackexchange.com › questions › 78676 › python-security-hardening

Python security hardening - Information Security Stack Exchange

verlekarsachin.medium.com › automate-your-cis-server-hardening-baseline-documentation-using-python-e59da5ff0a78

1 of 2

You could turn your python scripts into windows executables using py2exe. That way it would be treated the same way you restrict other system binary. Be aware that it is possible to reverse-engineer by "uncompiling" it, showing the script functions and all. But as your question in only about enforcing execution authorization, i think that it will fulfill your need.

2 of 2

How about the use of PyPy with its sandboxing mode?

I'm afraid I'm not that familiar so I'm uncertain that it would be fully secure but certainly worth a look.

As far as I can see, your only options are:

PyPy sandboxing
A Python to executable compiler
Giving users a Virtual Machine which allows Python
Using a PC sandboxing solution to isolate Python and the file system.

Find elsewhere

Google Bing Mojeek

Medium

Automate Your CIS Server Hardening Baseline Documentation using Python | by Sachin Verlekar | Medium

January 7, 2024 - As security professionals, we know the importance of server hardening and following industry best practices like CIS benchmarks. But let’s be honest, manually extracting every recommendation from those hefty documents can be tedious and time-consuming. It eats into valuable hours that could be spent on analysis, remediation, and other critical tasks. Enter the power of automation! I’m excited to share with you my custom Python script I’ve developed that streamlines the CIS baseline documentation process, saving you up to a whopping 70% of your time.

Medium

medium.com › @obaff › 10-python-scripts-to-automate-security-hardening-in-devops-dd6434cf374f

10 Python Scripts to Automate Security Hardening in DevOps | by Obafemi | Medium

April 8, 2025 - 10 Python Scripts to Automate Security Hardening in DevOps automate various security hardening tasks 1. Password Strength Checker This script validates passwords against common rules (length …

github.com › topics › security-hardening

security-hardening · GitHub Topics · GitHub

application application-security web-security security-vulnerability security-hardening appsec vulnerability-scanners security-scanner security-tools web-security-research security-testing endpoint-security mobilesecurity mdm-server developer-security security-advisory ... UDP port knocking suite with HMAC-PSK authentication. security networking network security-hardening stealth post-quantum-cryptography port-knocker firewall-management post-quantum port-knock ... Want to see how something like Internet Chemotherapy works without bricking your own vms? This is a jail to reduce the python runtime from doing bad things on the host when running untrusted code.

github.com › topics › hardening

hardening · GitHub Topics · GitHub

python cis tool audit python3 python-3 hardening score cis-benchmark python38 cis-hardening python3-8 cis-benchmarks cis-center-for-internet-security cis-linux-benchmark cis-debian-benchmark cis-ubuntu-benchmark ... BAT is a tool to help everyone to securing their web-servers.

Stack Exchange

security.stackexchange.com › questions › 33194 › custom-python-server-how-to-secure-it

ssh - Custom Python Server - how to secure it? - Information Security Stack Exchange

reddit.com › r/selfhosted › basic server hardening steps

How can I implement secure connection between client and my python server? I guess I could use SSH or SSL, but which one will be better suited for the job? And If I choose SSH then wouldn't it interfere with SSH login service I use to manage my (whole) server?

If it is only you that will be connecting to the server, I would secure the whole process using a VPN.

Is opening multiple ports very insecure? What kind of attacks could it bring on me? How can I prevent them?

The ports are only as secure as the services listening on them. Opening multiple unneeded ports serve to increase the attack surface of your server, as there are many more points of failure possible. Disable all unused services on your server.

Do you have any other tips regarding own server implementation?

Keep your server up to date. This involves running a command like sudo apt-get update && sudo apt-get dist-upgrade on Ubuntu-like distros or yum update on RHEL-based distros.

Have proper iptable rules configured. See this link for a good baseline. Configure as necessary.

Configure ssh to use key-based authentication instead of passwords. This helps to increase the difficulty of bruteforce attacks against the ssh service. Disable root login using ssh.

r/selfhosted on Reddit: Basic Server Hardening Steps

June 5, 2021 -

I recently leased a VPS to host a few services, and took the first steps towards locking down the server (Ubuntu Server 20.04).

What I have done so far:

Update & Upgrade the system
Install / enable unattended-upgrades & apt-listchanges (automatically install important updates daily, and monitor/list changes automatically)
Create a non-root user, add to sudoers
Lock down SSH
- Change to a nonstandard port
- Create & configure key based SSH login (key protected with password)
- Disable root login via SSH
- Disable password login via SSH
Configure Firewall
- Create rule to allow but limit SSH in on new port
- Create rules to allow in, on other necessary ports (for me just 80 and 443)
- Set default deny for everything else.
- Rule to drop ping requests
- Enable firewall
Setup fail2ban for SSH
- Rather relaxed 15/15/15 rule (15 failed logins, in 15 minutes = 15 minute ban)
Check to make sure apparmor is enabled and in enforcement mode

On the to-do / research list are (1) setting up mail so important system mail is sent (or forwarded from 'root') to my actual e-mail address (2) figuring out backups of some sort

What additional steps would you take?

What have I left out / forgotten / got wrong?

An excellent source of security benchmark and best practices https://www.cisecurity.org/benchmark/ubuntu_linux/

1 of 5

102

2 of 5

For any machine that allowed incoming requests from the public internet I put a rootkit checker to run periodically,usually once a day. Also Backups!

Stack Overflow

stackoverflow.com › questions › 234590 › solving-the-shared-server-security-problem-for-python

php - Solving the shared-server security problem for Python - Stack Overflow

Well, there is a system called virtualenv which allows you to run Python in a sort of safe environment, and configure/load/shutdown these environments on the fly. I don't know much about it, but you should take a serious look into it; here is the description from its web page (just Google it and you'll find it):

The basic problem being addressed is one of dependencies and versions, and indirectly permissions. Imagine you have an application that needs version 1 of LibFoo, but another application requires version 2. How can you use both these applications? If you install everything into /usr/lib/python2.4/site-packages (or whatever your platform's standard location is), it's easy to end up in a situation where you unintentionally upgrade an application that shouldn't be upgraded.

Or more generally, what if you want to install an application and leave it be? If an application works, any change in its libraries or the versions of those libraries can break the application.

Also, what if you can't install packages into the global site-packages directory? For instance, on a shared host.

In all these cases, virtualenv can help you. It creates an environment that has its own installation directories, that doesn't share libraries with other virtualenv environments (and optionally doesn't use the globally installed libraries either).

github.com › decalage2 › awesome-security-hardening

GitHub - decalage2/awesome-security-hardening: A collection of awesome security hardening guides, tools and other resources · GitHub

CryptoLyzer - Fast, flexible and comprehensive server cryptographic protocol (TLS, SSL, SSH, DNSSEC) and related setting (HTTP headers, DNS records) analyzer and fingerprint (JA3, HASSH tag) generator with Python API and CLI.

Starred by 6.3K users

Forked by 646 users

github.com › ossf › wg-best-practices-os-developers › issues › 481

[New SIG] Create Python Hardening Guide · Issue #481 · ossf/wg-best-practices-os-developers

May 6, 2024 - Our friends at Ericsson have developed a set of code examples and guidance grounded in the MITRE CWE framework (https://cwe.mitre.org/). This work was originally inspired by SEI Cert's secure coding material, with the intention of translating those to Python to educate new and experienced developers and enable future automation with valid code examples.

Author SecurityCRob

Cyfuture Cloud

cyfuture.cloud › kb › howto › how-to-secure-a-python-server-best-practices--tls-setup

How to Secure a Python Server: Best Practices & TLS Setup

Configure Nginx to Proxy to Gunicorn or uWSGI server { ... Force HTTPS Add a redirect block in your Nginx config to force all HTTP traffic to HTTPS. For testing or internal apps, you can serve HTTPS directly using Python’s built-in ssl module: ... Again, don’t use this in production—it lacks performance optimizations and hardening ...

Stack Exchange

security.stackexchange.com › questions › 226095 › pythons-http-server-library-basic-security-checks

web application - Python's http.server library "basic security checks" - Information Security Stack Exchange

The problem isn't that there are known security vulnerabilities.

The problem is that there is not really an effort to address less common but critical vulnerabilities.

For example, many web servers will display error messages. Until quite recently, Apache Httpd would include some of the request data in the error pages, which allowed cross-site scripting in default configurations of mod_proxy (CVE-2019-10092), with no way for the application developers to mitigate this threat against the site users.

The major web servers, such as Apache Httpd, Nginx, IIS, and Lighttpd each have hundreds of active contributors (or in IIS's case, a large corporate structure behind it), dozens of core developers who understand security best practices, and a team dedicated specifically to reviewing code for potential vulnerabilities. As you can tell by browsing the CVEs of any of those projects, there are still things that people catch after versions are released.

The developers who write HTTP servers for programming languages are small sub-projects, developing tools to support the main product: The language. There might be a dozen people who have contributed code to that tool, and one or two core developers on that project.

They do not have the resources available to search for vulnerabilities, so while there aren't any known vulnerabilities (or at the very least, it is very bad form here to point out known vulnerabilities that are likely to remain unaddressed), there are most certainly vulnerabilities in it, simply due to the complex nature of HTTP servers.

Some of these vulnerabilities might be extremely critical, such as allowing an attacker to have complete control over your server, including executing arbitrary code with a privileged account. Such a vulnerability might not exist, but without a thorough code review—and with the large, red-boxed warning at the top of Python's documentation page—it is plausible that such a vulnerability might exist.

In your specific case, the CIO signed off on it.

It is the CIO's responsibility to ensure that risk assessments are done. As the sysadmin, it's your job to execute the company's officers' instructions, and your responsibility to ensure that the officers have the information they need to be able to make informed decisions.

Because of the boundary in responsibilities, the pushback that I would do is ask to see the risk assessment. If the risk assessment doesn't include a very high probability (due to automated tools quickly finding the vulnerable server in hours) that the server gets infected with malware and used as a Command and Control repeater node for a bot farm, offer to help them make a realistic risk assessment.