# CIS Benchmark Implementation - Production Server Assessment and Remediation
Comprehensive security audit and hardening of an ISPConfig production server, addressing 19 security findings while maintaining zero downtime for 6 live websites and email services.
| Metric | Before | After | Improvement |
|---|---|---|---|
| Lynis Score | Not assessed | 70/100 | Baseline established |
| Pending Updates | 93 packages | 0 | All patched |
| Expired SSL Certs | 3 critical | 0 | Service restored |
| World-Writable Files | 16 found | 0 | Vulnerability eliminated |
| SSH Hardening | Password auth enabled | Key-only | Attack surface reduced |
| X11 Forwarding | Enabled | Disabled | Unnecessary service removed |
Security Posture: Improved from D (vulnerable) to B+ (hardened)
Time Investment: ~6 hours over 3 days | Server Uptime: 100% maintained
Following security best practices, I performed a complete audit and hardening of a production ISPConfig web server using NIST SP 800-115 methodology and CIS Benchmark controls. This project documents the entire process—from initial baseline assessment through vulnerability remediation to final verification.
Key Highlights:
- Real production server (6 websites, email services, 12GB RAM)
- All findings verifiable through baseline and after-state files
- Automated scripts with safety mechanisms
- Zero downtime during implementation
- Professional documentation suitable for portfolio presentation
Duration: Approximately 6 hours (January 20-23, 2026)
Server: ISPConfig 3.x on Ubuntu 24.04 LTS (ARM64)
Standards: CIS Benchmarks, NIST Cybersecurity Framework, OWASP
Evidence screenshots (see media/): automated baseline collection (424 checks); final hardening score 70/100; SSL certificate status verification; remediation complete, services verified.
1. Clone the repository

   ```bash
   git clone https://github.com/robertpreshyl/ispconfig-security-audit.git
   cd ispconfig-security-audit
   ```

2. Review the documentation
   - Start with docs/00-quick-start.md for orientation
   - Review the 7-phase audit process documentation

3. Execute the baseline assessment

   ```bash
   sudo ./scripts/system-audit.sh
   ```

4. Follow the audit phases as documented in the docs/ folder

5. Adapt for your environment: modify scripts and configs as needed
```
ispconfig-security-audit/
├── README.md                      # Project overview and results
├── docs/                          # Detailed phase documentation
│   ├── 00-quick-start.md          # Getting started guide
│   ├── 01-initial-assessment.md   # System baseline
│   ├── 07-final-report.md         # Executive summary
│   └── 08-lessons-learned.md      # Challenges and solutions
├── scripts/                       # Automation scripts
│   ├── system-audit.sh            # Baseline collection
│   └── sanitize-data.sh           # Data sanitization
├── results/
│   ├── before/                    # Pre-audit baseline (42 files)
│   ├── after/                     # Post-audit verification (4 files)
│   ├── lynis-report.txt           # Security scan results
│   └── world-writable-files.txt   # Permission audit findings
└── media/                         # Evidence screenshots (24 images)
```
- ✅ All critical vulnerabilities fixed - 3 expired SSL certificates renewed, 16 world-writable files corrected
- ✅ SSH hardened - Password authentication disabled, X11 forwarding removed, security banners added
- ✅ Zero downtime - All changes implemented without service interruption
- ✅ Complete audit trail - 42 baseline files + 4 after-state verification files
- ✅ Automated workflows - Reusable scripts for future audits
See docs/08-lessons-learned.md for challenges encountered and solutions.
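The three findings above (SSH password authentication, X11 forwarding, world-writable files) can be re-verified after remediation with a small check. This is an added example, not the project's own system-audit.sh; the sshd_config contents and the directory tree are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not the project's own system-audit.sh): re-check the SSH and
# file-permission findings from the results table on a config file and a tree.

# Value of the first uncommented occurrence of an sshd_config keyword, lowercased.
# sshd itself uses the first value it reads; Match blocks are ignored here.
sshd_effective() {          # $1 = config file, $2 = keyword
  grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# One line per weak setting. Absent keywords fall back to sshd's compiled-in
# defaults (PasswordAuthentication yes, X11Forwarding no, Banner none), so a
# missing PasswordAuthentication line is itself a finding.
audit_sshd() {              # $1 = path to an sshd_config
  pw=$(sshd_effective "$1" PasswordAuthentication)
  x11=$(sshd_effective "$1" X11Forwarding)
  banner=$(sshd_effective "$1" Banner)
  [ "${pw:-yes}" = "no" ]         || echo "FINDING: PasswordAuthentication=${pw:-yes} (expected no)"
  [ "${x11:-no}" = "no" ]         || echo "FINDING: X11Forwarding=$x11 (expected no)"
  [ "${banner:-none}" != "none" ] || echo "FINDING: no login Banner configured"
}

# Files and directories writable by 'other', skipping sticky directories such as
# /tmp, which are world-writable by design and would otherwise be false positives.
world_writable() {          # $1 = directory to scan
  find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Constructed sample data (not from the audited server): a weak config, a
# hardened config, and a small tree holding one world-writable file.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_weak" <<'EOF'
# PasswordAuthentication no    <- commented out, so the default (yes) applies
X11Forwarding yes
EOF
cat > "$WORK/sshd_hardened" <<'EOF'
PasswordAuthentication no
X11Forwarding no
Banner /etc/issue.net
EOF
mkdir -p "$WORK/tree/sub"
touch "$WORK/tree/ok.txt" "$WORK/tree/sub/loose.txt"
chmod 0755 "$WORK/tree" "$WORK/tree/sub"
chmod 0644 "$WORK/tree/ok.txt"
chmod 0666 "$WORK/tree/sub/loose.txt"

audit_sshd "$WORK/sshd_weak"        # three findings
audit_sshd "$WORK/sshd_hardened"    # silent: nothing to report
world_writable "$WORK/tree"         # only .../tree/sub/loose.txt
```

Run it against /etc/ssh/sshd_config and the web roots to confirm the after-state; on a real host also check drop-in files under /etc/ssh/sshd_config.d/, which this check does not read.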
## Technologies & Tools
Server Stack: Ubuntu 24.04 LTS • ISPConfig 3.x • Apache 2.4 • MariaDB • Postfix • Dovecot
Security Tools: Lynis • RKHunter • Fail2ban • ModSecurity • acme.sh • testssl.sh
Standards: CIS Ubuntu Linux Benchmark v2.0 • NIST SP 800-115 • OWASP Guidelines
- docs/00-quick-start.md - Quick start guide and safety checklist
- docs/01-initial-assessment.md - Complete system baseline (424 checks)
- docs/07-final-report.md - Executive summary and final report
- docs/08-lessons-learned.md - Challenges and solutions
- Linux System Administration (ISPConfig, Apache, MySQL, Postfix)
- Security Auditing & Vulnerability Assessment
- CIS Benchmark Implementation & Compliance
- Bash Scripting & Automation
- Technical Documentation & Reporting
- Production System Management (Zero Downtime)
All sensitive data has been sanitized before publishing:
- Passwords and API keys redacted
- Private IP addresses replaced with RFC 5737 TEST-NET ranges
- User information anonymized
- Generic examples used in documentation
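The address rewriting and credential redaction listed above can be done in one pass over each evidence file. This is an added example, not the project's sanitize-data.sh; it assumes GNU sed (as on Ubuntu) and the sample line is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the project's own sanitize-data.sh): rewrite RFC 1918
# addresses into the RFC 5737 TEST-NET ranges and redact credential-looking
# values so evidence files can be published without exposing the real network.
# Uses GNU sed (\b word boundaries, I flag), as found on Ubuntu.

# Each private range maps to one documentation range; the last octet is kept so
# distinct hosts remain distinguishable in the published evidence.
sanitize_stream() {
  sed -E \
    -e 's/\b10\.[0-9]{1,3}\.[0-9]{1,3}\.([0-9]{1,3})\b/192.0.2.\1/g' \
    -e 's/\b172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.([0-9]{1,3})\b/198.51.100.\2/g' \
    -e 's/\b192\.168\.[0-9]{1,3}\.([0-9]{1,3})\b/203.0.113.\1/g' \
    -e 's/((password|passwd|api[_-]?key|secret)[[:space:]]*[=:][[:space:]]*)[^[:space:]]+/\1[REDACTED]/Ig'
}

# Write a publishable copy; the raw file stays outside the repository.
sanitize_file() {           # $1 = raw evidence file, $2 = sanitized output path
  sanitize_stream < "$1" > "$2"
}

# Constructed sample line (not real server data). The sshd keyword
# "PasswordAuthentication no" is left alone: redaction requires an = or : after
# the credential word, so configuration keywords that merely contain it survive.
SAMPLE='host=10.20.30.40 peer=172.31.0.7 lan=192.168.1.254 db_password=S3cr3t! api-key: example-key-value PasswordAuthentication no'
printf '%s\n' "$SAMPLE" | sanitize_stream
# host=192.0.2.40 peer=198.51.100.7 lan=203.0.113.254 db_password=[REDACTED] api-key: [REDACTED] PasswordAuthentication no
```

Addresses already in a documentation range pass through unchanged, so the script is safe to run more than once over the same results/ tree.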
This project is licensed under the MIT License - see LICENSE for details.
Status: Complete (January 23, 2026)
All 7 audit phases finished. See docs/ for complete documentation.
This project took approximately 6 hours spread over 3 days. The most valuable lesson was understanding the difference between fixing actual security vulnerabilities versus improving security audit scores—they don't always align. The Lynis score (70/100) reflects kernel-level configurations that require system rebuilds, but all critical and high-severity issues that actually mattered for production security were successfully addressed.