Hardening Guide

This resource describes how the King Phisher server can be configured with additional security protections. These are meant to be used in addition to standard Linux security best practices.

The client does not require root privileges to run.

Server Hardening Checklist

Configuration settings to apply
require_id: True (Set by default) Require valid message IDs from visitors
setuid_username: nobody (Set by default) Drop privileges to this user
authentication.group: king-phisher Set this to require local users to be members of this group in order to authenticate to the server
rest_api.enabled: False (Set by default) Leave the REST API disabled unless it is being used
Enroll users in TOTP for two-factor authentication
Configure SSH to require key-based authentication
Prevent SSH users from running commands by setting their shell to /sbin/nologin
Configure iptables to only allow trusted IPs to access the SSH service

Wiki Home

Frequently Asked Questions

Jinja Variables

Want King Phisher Hosted For You?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hardening Guide

Server Hardening Checklist

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Videos

Using King Phisher

Additional Resources

Clone this wiki locally