Articles

Infrastructure Attack Surface: Shrink It, Stop Escalation

March 24, 2026 5 min read

The most surprising thing about reducing attack surface to prevent privilege escalation is that the primary goal isn’t always to remove potential vulnerabilities, but to limit the blast radius when one is inevitably found.

Imagine a server running a web application. By default, it might have SSH, a database client, a mail server, and a Python interpreter installed. The web app itself is the intended entry point, but if an attacker finds a way to execute code on the server, they suddenly have access to all those other services. This is the attack surface. If the web app is compromised, the attacker can potentially use SSH to pivot to other machines, the database client to steal sensitive data, or the Python interpreter to compile malicious code.

Here’s a simplified view of a server’s services and how an attacker might exploit them:

# Current running services on a typical web server
$ systemctl list-units --type=service --state=running
  apache2.service                                                      loaded active running Apache HTTP Server
  ssh.service                                                          loaded active running OpenSSH server daemon
  mysql.service                                                        loaded active running MySQL Community Server
  python3.service                                                      loaded active running Python 3 interpreter service (hypothetical)
  cron.service                                                         loaded active running Regular background program processing daemon

If an attacker compromises the apache2.service (e.g., through a vulnerability in the web application), they might then attempt to:

  1. Access sensitive files: Using the web server’s privileges, they might try to read configuration files for mysql.service or SSH keys.
  2. Execute commands: If the web application allows file uploads, they could upload a malicious script that uses the python3.service to perform more complex actions, like attempting to connect to the database.
  3. Exploit local services: If ssh.service is running and accessible from the web server’s network interface, they might try to brute-force credentials or exploit known SSH vulnerabilities.

This is where reducing the attack surface comes in. It’s about making the system less interesting and harder to navigate after an initial breach.

The Core Principle: Principle of Least Privilege, Applied Broadly

Every service, every user, every file, and every network port represents a potential entry point or a tool for an attacker. Reducing the attack surface means systematically asking: "Does this absolutely need to be here and accessible for the system to perform its intended function?"

Consider the python3.service example. If the web application only needs to serve static files and handle simple HTTP requests, does it need a full Python interpreter running as a service? Probably not. Removing it shrinks the attack surface. Similarly, if the web server doesn’t need to directly access the database, the mysql.service client tools could be removed or restricted.

Practical Steps to Reduce Attack Surface:

  1. Uninstall Unnecessary Software: This is the most straightforward. If a package isn’t actively used, get rid of it.

    • Diagnosis: dpkg -l | grep -v '^ii' (for Debian/Ubuntu) or rpm -qa (for RHEL/CentOS) to list installed packages. Manually review the list for anything not related to the primary function of the server.
    • Fix: sudo apt-get remove --purge <package_name> (e.g., sudo apt-get remove --purge vsftpd) or sudo yum remove <package_name> (e.g., sudo yum remove nfs-utils).
    • Why it works: Removing the executable binary and configuration files eliminates the possibility of that software being exploited.

  2. Disable Unused Services: Even if installed, services can be stopped and disabled to prevent them from running.

    • Diagnosis: sudo systemctl list-unit-files --state=enabled shows all services configured to start on boot.
    • Fix: sudo systemctl stop <service_name> followed by sudo systemctl disable <service_name> (e.g., sudo systemctl stop bluetooth.service && sudo systemctl disable bluetooth.service).
    • Why it works: The service process is no longer running, so it cannot be targeted by attackers.

  3. Restrict Network Access (Firewalling): Limit which ports are open to the network.

    • Diagnosis: sudo ss -tulnp shows listening network sockets.
    • Fix: Configure ufw (Uncomplicated Firewall) or firewalld. For example, to only allow SSH (port 22) and HTTP/HTTPS (ports 80, 443):
      sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
    • Why it works: Prevents attackers from even attempting to connect to services that don’t need to be publicly accessible.

  4. Harden SSH Configuration: Limit SSH access to only necessary users and methods.

    • Diagnosis: Review /etc/ssh/sshd_config.
    • Fix:
      • PermitRootLogin no (Never allow root login over SSH)
      • PasswordAuthentication no (Force key-based authentication)
      • AllowUsers user1 user2 (Only allow specific users to log in)
      • Restart SSH: sudo systemctl restart sshd
    • Why it works: Makes brute-force attacks on SSH credentials impossible and limits the scope of what a compromised SSH session can do by restricting user accounts.

  5. Application-Specific Hardening: Many applications have their own configuration files that can reduce their attack surface.

    • Diagnosis: Consult the documentation for your specific web server, database, etc.
    • Fix (Apache Example): In /etc/apache2/apache2.conf or a virtual host file, remove unnecessary modules and directives. For instance, disable directory listings if not needed:
      <Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
      And if certain CGI scripts are not used, disable their execution.
    • Why it works: Reduces the functionality exposed by the application itself, making it harder for attackers to find exploitable features.

  6. User and Group Management: Ensure users and services run with the minimum necessary privileges.

    • Diagnosis: ps aux to see which user each process is running as.
    • Fix: If a web server process is running as root but only needs to serve files from /var/www/html, reconfigure it to run as a less privileged user (e.g., www-data). This often involves changing User and Group directives in the service’s configuration.
    • Why it works: If the web server process itself is compromised, the attacker inherits the limited privileges of the www-data user, rather than full root access.

The most counterintuitive aspect of attack surface reduction is that you might disable a feature that could be useful, but isn’t essential. For example, a web server might have a module for handling .shtml files, but if your application only uses .html and .php, disabling the .shtml module is a net win for security. You’re not just removing code that has vulnerabilities; you’re removing code that could have vulnerabilities, and that code might also provide attackers with additional ways to interact with or pivot on the system.

The next step after reducing the attack surface is often implementing robust intrusion detection and response mechanisms, because even the most hardened system can still be breached.

Want structured learning?

Take the full Infrastructure Security course →