// Infrastructure Security

Infrastructure Security Engineering: Hardening Data Center and Network Infrastructure

📅 June 2025🕐 20 min readInfrastructure Security

Introduction

Infrastructure security is the practice of protecting the underlying technology components that an organization depends on — servers, network devices, hypervisors, storage systems, and the interconnections between them. As Assistant Manager of the Data Center at PostEx, infrastructure security is not just a parallel responsibility to cybersecurity — it is inseparable from it.

This article documents the security engineering practices implemented across the PostEx data center, covering hardening baselines, network segmentation, access control, monitoring integration, and the lessons learned managing enterprise infrastructure security in a fintech environment.

CIS Benchmark Hardening

We apply CIS (Center for Internet Security) benchmark hardening to all servers and workstations in the environment. The CIS benchmarks provide a detailed, prescriptive set of security configuration recommendations for every major OS and application.

Linux Server Hardening (CIS Ubuntu 22.04)

# Key hardening configurations

# Disable unused services
systemctl disable bluetooth
systemctl disable cups
systemctl disable avahi-daemon

# SSH hardening
cat >> /etc/ssh/sshd_config << EOF
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers sysadmin,jumpuser
EOF

# Enable auditd for logging
apt install auditd -y
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /usr/bin/sudo -p x -k sudo_usage

# Kernel hardening
cat >> /etc/sysctl.conf << EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 1
EOF
sysctl -p

Windows Server Hardening

# PowerShell hardening script
# Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false

# Disable RDP if not needed, or restrict
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1

# Enable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -SignatureScheduleDay Everyday

# Enable audit policies
AuditPol /Set /SubCategory:"Logon" /Success:Enable /Failure:Enable
AuditPol /Set /SubCategory:"Account Logon" /Success:Enable /Failure:Enable
AuditPol /Set /SubCategory:"Process Creation" /Success:Enable /Failure:Enable

# Local firewall rules
New-NetFirewallRule -DisplayName "Block Inbound SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -RemoteAddress Any

MikroTik Security Hardening

# MikroTik hardening best practices

# 1. Disable unnecessary services
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Keep only: ssh (22), winbox (8291) - and restrict by IP

# 2. Restrict management access by IP
/ip service
set ssh address=192.168.30.0/24  # Management VLAN only
set winbox address=192.168.30.0/24

# 3. Firewall input chain - block everything except whitelisted
/ip firewall filter
add chain=input src-address=192.168.30.0/24 action=accept comment="Allow management VLAN"
add chain=input connection-state=established,related action=accept
add chain=input action=drop comment="Drop all other input"

# 4. Port knocking for SSH (optional)
/ip firewall filter
add chain=input protocol=tcp dst-port=7000 action=add-src-to-address-list   address-list=knock1 address-list-timeout=5s
add chain=input src-address-list=knock1 protocol=tcp dst-port=8000 action=add-src-to-address-list   address-list=knock2 address-list-timeout=5s
add chain=input src-address-list=knock2 protocol=tcp dst-port=22 action=accept

Proxmox VE Security

# Proxmox hardening
# 1. Enable 2FA for web UI
# Datacenter -> Users -> Edit -> Enable TOTP

# 2. Restrict API access
# Create API tokens with minimal permissions
pveum user token add admin@pam monitoring-token   --privsep 1 --expire 0

# 3. Network isolation - assign VMs to correct VLANs
# Bridge with VLAN-aware enabled
# Each VM NIC tagged to appropriate VLAN

# 4. Backup encryption
# Configure backup jobs with AES-256 encryption
# Use separate backup server not reachable from production VLAN

# 5. Audit logging to SIEM
# /var/log/pveproxy/access.log --> Filebeat --> Elasticsearch
# /var/log/auth.log --> Wazuh agent

Privileged Access Management

Privileged access management (PAM) is one of the most critical controls in any data center environment. Compromised administrative credentials allow attackers to move from a single compromised host to complete infrastructure control.

  • Principle of Least Privilege - Every account has only the permissions needed for its specific function
  • Jump Host - All administrative access routes through a hardened jump server, no direct admin access from endpoints
  • MFA on all privileged accounts - No exceptions for IT staff
  • Separate admin accounts - Admin accounts are distinct from daily-use accounts; never use admin credentials for email or web browsing
  • Session recording - All privileged sessions are recorded for audit and forensic purposes
Infrastructure SecurityMikroTikProxmoxCIS Hardening