Though Linux systems are reasonably secure by default, one needs to put in some effort to ensure that they stay that way.
- Minimal install, proper partitioning and mount options (e.g. /boot left unmounted, /usr mounted read-only, /home mounted noexec on a file server)
- Turn off unwanted services
- Plan how to update regularly
- Secure all running services
- Users: passwords, policies, SSH keys, aging, minimum length, combination of upper-case, lower-case and numeric characters
- Log monitoring
Quickly Securing A Linux System:
Ensure that the following is done and you will have repelled some of the most common attacks.
- Stop unwanted daemons: on a client PC (non-server), research node, compute node etc. we really do not need any daemons running except Secure Shell for remote administration. Optionally the X11 windowing system (along with xfs, the X font server) may be enabled. On SysV-init systems "chkconfig --list" shows what starts in each runlevel; on systemd systems the equivalent is "systemctl list-unit-files --state=enabled". Every listening service is attack surface, so anything you cannot name a reason for should be turned off.
For example, look at the daemons running on a typical research server:
[root@ia64 root]# chkconfig --list|grep ":on"
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iscsi 0:off 1:off 2:on 3:on 4:off 5:on 6:off
[root@ia64 root]#
- Apply all system updates: ensure all updates released by your vendor are applied promptly. Subscribe to bugtraq and your vendor's security mailing lists. In some situations, unattended updates run by a script are also acceptable.
- Enable shadow passwords and MD5 (rather than traditional DES crypt) password hashes: with shadow passwords the hashes live in /etc/shadow, readable only by root, so an ordinary user cannot copy them for offline cracking, and MD5-crypt removes the 8-character limit of DES crypt. (Current distributions default to SHA-512 or yescrypt, set by ENCRYPT_METHOD in /etc/login.defs; prefer those where available.)
- Use only secure methods for working remotely, e.g. ssh (OpenSSH) for login and scp or "rsync -e ssh" for file copying. Do not use telnet, ftp, rsh, rlogin etc.: they send passwords and data in the clear, so anyone who can sniff the traffic on the path can use them to break in.
- Use strong passwords and have a policy for them (e.g. expires after 6 months, mix of letters, numbers and punctuation, at least 10 characters long). Protect the root password zealously. Never share any password with anyone, period. Use sudo to delegate authority to trusted admins.
- Never log in and work as "root". Always create an ordinary Unix account and do all your work from that account. Restrict root usage strictly to system administration work.
- Never read mail, IM or browse the web from servers. Use your laptop or desktop PC for that. (In fact, on critical production systems, I do not even install these packages. It is easy to forward all your mail to another account: use /etc/aliases.)
- Software: get source packages only from trusted project groups and download servers. I normally avoid downloading from URLs that have no hostname but only an IP address. Stick to trusted vendors (RedHat, Novell, Ubuntu, Debian, Apache, samba.org etc.). Before installing or updating any package, verify its checksum (and, where the project publishes them, its GPG signature) against the values published on the project's own site, not just on the mirror you downloaded from. A checksum fetched from the same mirror as the file only proves the download was not corrupted, not that the mirror is honest.
- Where possible place your system on RFC1918 private address space (IP ranges 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x). Though this in itself is not a security measure (since you may have an intruder on the local net), it does add to the overall security, as a cracker on the Internet cannot reach your system directly in the first place.
- Have a firewall with strict rules (default = deny, no incoming "open" ports except the services you run, allow outgoing traffic to required TCP ports only, ingress and egress filtering, stateful).
- Consider having at least one IDS on the network. With Snort + MySQL + ACID you can monitor alerts from a web browser. Even if you do not run a full-scale IDS, this will show you what malicious traffic is arriving, so you can review your countermeasures.
- While installing a system with Linux, consider creating the following partitions (separate partitions are what make the per-filesystem mount options from the summary above possible):
Partn    Size     Remarks
---------------------------------------------------------------------------------------
/        1000M    root
/boot    100M     boot files: can be left unmounted or mounted read-only
/home    *        all users have their files here (mount nodev,nosuid; add noexec on a file server)
/usr     10GB     all software/documentation (can be mounted read-only outside package updates)
/var     4GB      logs, spool, package cache
/tmp     2GB      temp files (mount nodev,nosuid,noexec; some installers need exec here, remount for the install). Without its own partition, /tmp can fill up the root FS easily
/data1   *        if needed, create more partitions to hold custom data (e.g. ftp uploads)
swap     1000MB   a minimum swap of about 1GB; swap partitions larger than 4GB are rarely justified
---------------------------------------------------------------------------------------
* = depends on the application
- Back up your system regularly. At the minimum, back up the data you own, /etc and any other configuration information. You can use "tar" to create the backup, "gzip" to compress it, and store it on a tape or another server. If the data is sensitive, consider encrypting the archive with GnuPG. Create a checksum of the archive (md5sum in the original; sha256sum is the better choice today) and record it somewhere other than the backup medium, so a tampered or damaged archive is noticed before you rely on it. The backup schedule can run from once every few minutes to once a week; select what suits you, but back up at least once a week. Periodically test that a backup can actually be restored.
Cellphones and PDAs can reveal a lot of information; take care! http://www.cnn.com/2006/TECH/ptech/08/30/betrayed.byacellphone.ap/index....
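The firewall item above lists the properties a ruleset should have (default deny, stateful, ingress and egress filtering, only required ports open in either direction). The following is an added example, not part of the original page, showing one such ruleset written as a shell function that emits iptables-restore format. The port lists, the interface assumption and the choice to log egress drops are this example's own; it only prints rules and never changes the running firewall.

```shell
#!/bin/sh
# gen_rules: emit a default-deny, stateful iptables ruleset in iptables-restore
# format. Nothing here touches the running firewall; pipe the output into
# iptables-restore yourself, and have a console or second path in before you do.
#
#   gen_rules IN_TCP_PORTS OUT_TCP_PORTS
#   gen_rules "22" "22 80 443" | iptables-restore
#
# IN_TCP_PORTS:  TCP ports other hosts may open connections to (22 = sshd)
# OUT_TCP_PORTS: TCP ports this host may open connections to (updates, ssh, ...)
gen_rules() {
    in_ports=$1
    out_ports=$2
    cat <<'EOF'
*filter
# Default = deny on every chain; only explicitly listed traffic gets through.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful: packets belonging to a connection we already accepted.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ingress filtering: a packet that did not arrive on lo but claims a loopback
# source is spoofed. On a host with a public address, add the RFC1918 ranges
# here as well; on a host that itself sits in RFC1918 space, do not.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Ping is useful for monitoring; other ICMP stays under the default drop.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for p in $in_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # DNS is needed by almost everything the host will do outbound.
    printf '%s\n' "-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    for p in $out_ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Egress filtering: log (rate-limited) anything else the host tries to
    # originate, then let the OUTPUT DROP policy discard it. A server that
    # suddenly wants to talk to an unexpected port is telling you something.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
    printf '%s\n' 'COMMIT'
}

# Print the ruleset when run directly: sh firewall.sh show "22" "22 80 443"
if [ "${1:-}" = show ]; then
    gen_rules "${2:-22}" "${3:-22 80 443}"
fi
```

Review the output before applying it; the usual mistake is forgetting that the machine itself needs outbound access to its package mirror, NTP server and, on a file server, the directory service, each of which needs its own OUTPUT rule.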
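The backup item above describes a tar + gzip + GnuPG + checksum routine. Here it is as an added example (not the page's own script) with each step in a function so the result can be verified: the destination/base/path layout, the use of sha256sum in place of the page's MD5, and the BACKUP_PASSPHRASE environment variable are this example's assumptions.

```shell
#!/bin/sh
# make_backup / verify_backup / list_backup: the checklist's backup routine,
# written so that the archive can be checked before anyone relies on it.
#
#   make_backup DEST BASE PATH...  archive PATH... (relative to BASE) into
#                                  DEST/backup-<UTC stamp>.tar.gz, encrypt with
#                                  GnuPG when BACKUP_PASSPHRASE is set, write a
#                                  .sha256 sidecar, print the archive name
#   verify_backup ARCHIVE          exit 0 only if the sidecar checksum still matches
#   list_backup ARCHIVE            list the archive contents (a cheap restore test)
#
# Weekly cron job, for example:  make_backup /var/backups / etc home/alice
make_backup() {
    dest=$1; base=$2; shift 2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar.gz"
    mkdir -p "$dest"
    # -C stores paths relative to BASE, so a restore can be unpacked somewhere
    # safe for inspection first. tar records ownership and modes in the archive.
    tar -C "$base" -czf "$archive" "$@" || return 1
    if [ -n "${BACKUP_PASSPHRASE:-}" ]; then
        # Symmetric AES-256 is enough for an archive you restore yourself; use
        # --recipient with a public key if someone else must be able to decrypt.
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase "$BACKUP_PASSPHRASE" \
            --symmetric --cipher-algo AES256 "$archive" || return 1
        rm -f "$archive"
        archive="$archive.gpg"
    fi
    # Checksum the file that will actually be stored (the encrypted one, if any).
    # The page says MD5; sha256sum is a drop-in replacement and what to use now.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256") || return 1
    printf '%s\n' "$archive"
}

verify_backup() {
    dir=$(dirname "$1"); name=$(basename "$1")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1)
}

list_backup() {
    case $1 in
        *.gpg) gpg --batch --quiet --pinentry-mode loopback \
                   --passphrase "${BACKUP_PASSPHRASE:-}" --decrypt "$1" | tar -tzf - ;;
        *)     tar -tzf "$1" ;;
    esac
}
```

Copy the .sha256 sidecar somewhere other than the backup medium (the page's "note it down"): a checksum stored next to the archive only detects accidental damage, since whoever can alter the archive can alter the sidecar too.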
Securing SSH: put the following in /etc/ssh/sshd_config, check the file with "sshd -t" and restart sshd. Keep your current session open until a fresh login works, so a typo cannot lock you out.
# Refuse root logins
PermitRootLogin no
# We don't need SSHv1 (OpenSSH 7.0 and later no longer offer it at all; keep this line for older releases)
Protocol 2
# Allow only selected users: add everyone needing shell access to shell_users_group
AllowGroups shell_users_group
Resources for Further Learning