Hardening Guide

Spencer McIntyre edited this page Nov 29, 2018 · 6 revisions

This resource describes how the King Phisher server can be configured with additional security protections. These are meant to be used in addition to standard Linux security best practices.

Server Hardening Checklist

  • Configuration settings to apply
    • require_id: True (set by default). Require valid message IDs from visitors.
    • setuid_username: nobody (set by default). Drop privileges to this user.
    • authentication.group: king-phisher. Set this to require local users to be members of this group in order to authenticate to the server.
    • rest_api.enabled: False (set by default). Leave the REST API disabled unless it is being used.
  • Enroll users in TOTP for two-factor authentication
  • Configure SSH to require key-based authentication
  • Prevent SSH users from running commands by setting their shell to /sbin/nologin
  • Configure iptables to only allow trusted IPs to access the SSH service
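The configuration items above can be checked mechanically. The following audit script is an added example, not part of the King Phisher project; it assumes the settings live under a top-level "server" mapping in the parsed server_config.yml (server.require_id, server.authentication.group, server.rest_api.enabled) and uses a constructed sample config to show the output.

```python
"""Audit a parsed King Phisher server configuration against the hardening checklist."""
import sys

# Expected hardened values, keyed by dotted path into the parsed config.
# The nesting under "server" is an assumption about the server_config.yml
# layout; adjust the paths if your configuration is structured differently.
HARDENING_CHECKS = {
    "server.require_id": (True, "require valid message IDs from visitors"),
    "server.setuid_username": ("nobody", "drop privileges to an unprivileged user"),
    "server.authentication.group": ("king-phisher", "restrict authentication to a local group"),
    "server.rest_api.enabled": (False, "leave the REST API disabled unless it is in use"),
}

def lookup(config, dotted_path):
    """Walk nested mappings by a dotted key path; return (found, value)."""
    node = config
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def audit_config(config):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for path, (expected, why) in HARDENING_CHECKS.items():
        found, actual = lookup(config, path)
        if not found:
            findings.append(f"{path}: not set (expected {expected!r}; {why})")
        elif actual != expected:
            findings.append(f"{path}: is {actual!r}, expected {expected!r} ({why})")
    return findings

# Constructed sample: the REST API is enabled and no authentication group is set.
SAMPLE_CONFIG = {
    "server": {
        "require_id": True,
        "setuid_username": "nobody",
        "authentication": {},
        "rest_api": {"enabled": True, "token": "<placeholder-token>"},
    }
}

if __name__ == "__main__":
    cfg = SAMPLE_CONFIG
    if len(sys.argv) > 1:
        import yaml  # PyYAML; only needed to audit a real server_config.yml
        with open(sys.argv[1]) as fh:
            cfg = yaml.safe_load(fh)
    for line in audit_config(cfg) or ["all hardening checks passed"]:
        print(line)
```

Run it with the path to your server_config.yml to audit a live configuration; with no argument it reports the two deviations in the constructed sample.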

Client Hardening Checklist

  • Do not run the client as root
  • Disable automatic installation of plugin dependencies from PyPI with pip (enabled by default)