Exposure Reduction Guideline

Achieving a secure infrastructure is a serious undertaking, costing non-trivial time and resources. The cost to value ratio of any decision and mechanism has to be heavily considered before they could be implemented. This guideline provides opinionated recommendations on: which property of the infrastructure to focus on primarily for exposure reduction; an all-too theoretical approach to optimizing that property, and finally two technical measures for solving parts of the situation.

29 Sep 2025 Ádám Ruman IT Admins

Priority #1: Infrastructure Exposure & Optimizing it in Theory

❓ Did you just come up with new terminology?

🗣️ Maybe 🤷‍♂️

Even though you might not be familiar with Exposure, the term Attack Surface is probably not alien to you. Now if you isolate the social, psychological and humane aspects of Attack Surface, you are left with purely technical subset, which is exactly Infrastructure Exposure.

Why should I care about exposure?

❓ Can you come up with an unwritten cybersecurity rule?

🗣️ Any asset reachable by malicious entities will (sooner or later) be attacked.

In other words, if its exposed, it will be targeted by a threat actor. What does this mean when designing a secure infrastructure?

A high value-to-cost ratio mechanism for securing your infra is decreasing exposure.
You need to think about exposure in a multi dimensional way, consider the different contact surfaces of your infra and devices.
Don't forget about usability. Too strict exposure limitations will start meddling with it in all the wrong ways. (Always consider confidentiality, integrity and availability in unison.)

🥜 Limiting exposure means (in a nutshell): making only the crucial fragments of the infrastructure available on the right contact surfaces, with proper governance, while taking care that access to these fragments does not get complex for authorized parties.

Contact surfaces

Contact surfaces can be defined on a per-device-per-service basis, but are most often generalizable to machines with similar "missions". Defining contact surfaces means defining outside entity groups, inside which all entities have the same set of attributes.
The first attribute to consider is the need-to-reach: whether an entity should be able to communicate with the machine. This attribute divides all entities into two sets: wanted & unwanted.

When choosing which entities should be wanted, obey the rules of Least Privilege and Need to know principles.

The entities must be further attributed with trust: entities are either untrusted or slightly-trusted. Untrusted entities are those which we do not know anything about, while slightly trusted are either part of the intranet (including those that can connect via VPN), owned or used by an authorized personnel, ...

When engineering the attribute of trust, obey the rules of Zero Trust where possible.

Based on these attributes different technical opportunities arise to secure the contact surfaces, at least in theory. Unwanted entities should be isolated from the subjects on the network, while trust-based differentiation should be done in the service.

Contact surfaces can help you prioritize the tasks of exposure limitation.

Exposure in Practice

While in theory the optional mechanisms of exposure limitation are straightforward, in practice the dynamic nature and complexity of networks & infra will "throw forks" into the process. Network appliances, firewalls are not armed with enough processing power to keep separate sets of rules for each contact surface. Therefore, machines that are similar in contact surfaces should be put into subnets, therefore contact surfaces can be - at least partially - secured on the subnet borders.

The contact surface for unwanted & untrusted entities overlaps for most of the machines, or rather it is a good idea to manage it at the infrastructure perimeter via network reachability =~ firewalls. Generally you want to disallow any reachability on this surface and use exceptions when needed. For a university, we have compiled the following list of meaningful exceptions with use-cases:

Possible untrusted accesses by machine MISSION

Port	Protocol	Acceptable Reasons for Exceptions
25	SMTP	Machine is a dedicated mail server.
53	DNS	Machine is a dedicated DNS server.
80	HTTP	This is a dedicated web server and migration to HTTPS is not possible.
110	POP3	Machine is a dedicated mail server.
123	NTP	Machne is a dedicated NTP server providing service to external customers.
143	IMAP	Machine is a dedicated mail server.
165	SMTP over SSL	Machine is a dedicated mail server.
179	BGP	Machine is a BGP AS perimeter router.
209	qmail	Machine is a dedicated mail server.
220	IMAP	Machine is a dedicated mail server.
443	HTTPS	This is a dedicated webserver. This is a dedicated VPN concentrator.
500	IKE	Machine is a network appliance or dedicated VPN concentrator.
853	Secure DNS	Machine is a dedicated DNS server.
993	IMAP-S	Machine is a dedicated mail server.
995	POP3-S	Machine is a dedicated mail server.
1194	OpenVPN over UDP	Machine is a dedicated VPN concentrator.

For the other contact surfaces, governance via network reachability is a possible solution. When many contact surfaces overlap, aggregations over machines and the entities into (virtual)subnets might be available. The engineering of these subnets, the aggregation is a tedious work, and it heavily depends on the usage and design of the infrastructure. Therefore, we won't provide any generic advice here.

In cases where governance via network reachability between subnets fails, we have to look at the machines and the services themselves. There are too many services to aid you in securing all of them, so we chose the SSH protocol (as the most used representant in remote management services) on which we show you some general principles and some protocol-specific configurations to make it as secure as possible.

Exposure Reduction for SSH & Securing SSH

Depending on the particular state & needs, reducing exposure for SSH might be a different process for every infrastructure, however there are common points for many:

If SSH is not needed to be reached on a machine by anyone, it should be disabled.
If wanted entities are easy to aggregate into a few subnets, network or host firewalls should be set up.
Configure SSH in a secure way, that withstands intentional attacks by either insider threats or compromised slightly-trusted entities. Follow the recommended SSHD Configuration primer (below)
Use SSHs' authentication scheme to govern the contact surface via users and public key cryptography.
For very complex or voluminous networks, implement the bastion security principle.

SSHD configuration primer

SSHD configuration primer.

Rule	Config Item	Item Rule (Ruby notation)	Security Rationale
The sshd configuration must be placed under the expected path /etc/ssh/sshd_config.	-	-	Placing the configuration where its expected eases auditing.
The sshd configuration must be owned by root:root and have the acess rights rw-r--r-- or more restrictive.	-	-	Users must not be able to edit sshd configurations. Reading is fine for secure configurations.
SSH host private keys must be in the expected locations /etc/ssh/ssh_host_<type>_key.	-	-	Auditability.
SSH host private keys must be owned by root:root and have access mode rw-------.	-	-	Private keys must be protected for integrity and confidentiality.
SSH host public keys must be in the expected locations /etc/ssh/ssh_host_<type>_key.pub	-	-	Auditability.
SSH host private keys must be owned by root:root and have access mode rw-r--r--	-	-	Public keys must be protected for integrity.
The following weak encryption schemes must not be used: 3des-cbc aes128-cbc aes192-cbc aes256-cbc	Ciphers	!~/cbc/	These cipher suites are considered breakable by an attacker.
The following weak key exchange algorithms must not be used: diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1	KexAlgorithms	!~/sha1/	These key exchange algorithms are considered breakable by an attacker
The following weak MAC algorithms must not be used: hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com	MACs	!~/umac\|sha1\|md5/	Bitlength too short. An attacker could break the MAC and then do MITM.
SSH access is limited by whitelists.	AllowUsers \| AllowGroups	not nil && != '*'	Only the users which need to access the machine over ssh should be able to do so. Whitelists are less prone to configuration error backlash.
Use proper SSH banners.	Banner	not nil	The banner should include site policies, hostname.
Limit client connections.	ClientAliveInterval	in (1..600)	An interval after which keepalive requests should be sent upon client inactivity. Can help mtigate resource exhaustion.
Limit client connections.	ClientAliveCountMax	in (1..5)	The maximum amount of keepalive requests sent before disconnecting the client. Mitigates resource exhaustion.
Restrict forwarding capabilities.	DisablePortForwarding	== 'yes'	Limits SSH misuse for hiding adversary communications.
Limit authentication methods.	GSSAPIAuthentication	== 'no'	Attack surface reduction.
Limit authentication methods.	HostBasedAuthentication	== 'no'	Attack surface reduction.
Do not use .rhosts.	IgnoreRhosts	== 'yes'	Attack surface reduction.Force users to enter a password even from "trusted" hosts.
Limit unsuccessful logins.	LoginGraceTime	== 60	Minimize the risk of bruteforce attacks.
Set proper logging levels.	LogLevel	=~/VERBOSE\|INFO/	Helps with incident investigation.
Limit unsuccessful logins perconnection.	MaxAuthTries	<= 4	Minimizes the risk of bruteforce attacks.
Limit pending authentication requests.	MaxStartups	== '10:30:60'	Mitigates resource exhaustion attacks.
Limit concurrent sessions.	MaxSessions	<= 10	Mitigates resource exhaustion attacks.
Do not allow empty passwords.	PermitEmptyPasswords	== 'no'	Reduce the risk of unauthorized access.
Do not allow the root account to login via SSH.	PermitRootLogin	== 'no'	Limits non-repudiation for authenticated usage. Hinders bruteforces.
Disallow user environment changes in SSH sessions.	PermitUserEnvironment	== 'no'	Mitigates security control bypasses.
Use the PAM module.	UsePAM	== 'yes'	Enable account and session checks. Crucial if password or challenge-response authentication is allowed for some reason.
Use the modern protocol version.	Protocol	== 2	This version provides better security primitives.
Use strict mode.	StrictMode	== 'yes'	Prevents users from using insecure home directories and key file permissions.
Connect with syslog.	SyslogFacility	== 'AUTH'	Forward login accounting info to auth.log
Limit host keys to the default ones.	HostKey	== %w[/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key]	Protects from Man-in-the-Middle attacks.
Limit authentication methods.	UseLogin	== 'no'	This is alegacy method.
Use privilege separation.❗	UsePrivilegeSeparation	== 'yes'	Run ssh sessions in a limited child process.
Ignore users' known hosts files.	IgnoreUserKnownHosts	== 'yes'	Weak way of authentication.
Use public key authentication	PubkeyAuthentication	== 'yes'	Rely on this safe method for authentication.
Limit authentication methods.	PasswordAuthentication	== 'no'	Do not allow standard password authentication.
Limit authentication methods.	ChallengeResponseAuthentication	== 'no'	Disable as this is password-based.
Limit authentication methods.	KerberosAuthentication	== 'no'	Considered less secure than publickey.
Automatically destroy KRB ticket cache upon logout.	KerberosTicketCleanup	== 'yes'	Credential exposure limitation.
Automatically destroy GSSAPI cache upon logout.	GSSAPICleanupCredentials	== 'yes'	Credential exposure limitation.
Do not use TCP keepalive.	TCPKeepAlive	== 'no'	These messages are unencrypted and spoofable. USe the encrypted keepalive requests instead.
Do not allow the provisioning of full-fledged tunnels over ssh.	PermitTunnel	== 'no'	Tunneling should be done with purpose-built software.
Do not allow TCP forwarding.	AllowTcpForwarding	== 'no'	Could allow firewall bypasses.
Do not allow agent forwarding.	AllowAgentForwarding	== 'no'	Allows identity takeovers for atackers.
Do not allow hosts to connect to forwarded ports.	GatewayPort	== 'no'	Reverse tunneling should not be allowed.
Disable X11 forwarding.	X11Forwarding	== 'no'	Limit the attack surface.
Use localhost for X11.	X11UseLocalhost	== 'yes'	Limit the attack surface.
Do not use Message of the Day.	PrintMotd	== 'no'	Do not read and print from an optionally compromised file.
Do not show lastlogin data.	PrintLastLog	== 'no'	Unnecessary information disclosure.
Use proper-length (4096bit) RSA host keys.	-	-	RSA with smaller moduluses are more prone to attacks.
Do not override sshd_config setting on the command line.	ps aux \| grep '.*sshd -D'	!~/-oCiphers\|-oKexAlgorithms\|-oHostKeyAlgorithms/
Ensure /root/.ssh/known_hosts is empty.	-	-	This should be checked periodically as the root user should not be used to connect to other servers.
Ensure /root/.ssh/authorized_keys is empty.	-	-	Another layer of 'no root over ssh' safeguards.
Ensure sshd runs on port 22.	Port	== 22	Auditability. Better co-operation with network appliance provided safeguards.

❗Only available in versions prior to 7.5.

Bastion

The bastion principle means placing an intermediary entrypoint into the infrastructure to handle governing multiple contact surfaces for all machines providing the same service. Then, reachability is between the machines and the bastion, and the bastion and the outside entities. This way, the bastion aggregates all machines under one IP address, and can aggregate the wanted entities for all protected machines.

Bastions are usually made up of a cluster of servers for availability, but for the parties they seem like a single proxy point.

Further contact surfaces are then managed via the bastion host itself, in a centralized manner. It provides an authentication & authorization interface that can be independent of network identificators, might support Role-based access control (RBAC) and aggregate outside entities of matching contact surfaces into groups. Furthermore, it provides heavy accounting capabilities.

Implementing bastions is a fragile and tedious process. Fortunately, some out-of-the-box solutions exist, such as the open-source Bastion from OVH, the partially open-source teleport from Gravitational or HashiCorp Boundary.

This result was supported by the SOCCER project, funded under Grant Agreement No. 101128073, with the support of the European Cybersecurity Competence Center (ECCC).