Friday, March 31, 2006

Locking Down Your Linux Box

Securing a Linux box is about the same as securing any other Unix machine. With that in mind, here are the steps to really lock it down. Do this immediately after you install the OS.

Basic Installation
  • Install minimum operating system packages.
  • Upgrade the OS with the Current Patches.
  • Set a BIOS Security Password.
  • Disable Root Login Capability.
  • Restrict Root's Search Path.
  • Check files sourced by root's login files.
  • Set root's umask to 077 or 027.
  • Disable trusted host capability.
  • Provide A Security Warning Banner.
  • Remove Sharp Objects.

Configure User Accounts

  • Make Sure Passwords Are Required for Login to All Accounts.
  • Force Passwords to be at Least Eight (8) Characters Long.
  • Disable or Remove All Unnecessary Accounts.
  • Make Sure Disabled Accounts are Assigned an Invalid Shell.
  • Prevent ftp Access With Disabled User IDs.
  • Review User Accounts for Common Configuration Errors.
  • Good Passwords.
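
The account items above can be checked with a short script. This is an added example, not part of the original post: the finding labels, the choice of extra UID 0 accounts as one of the "common configuration errors", the one-name-per-line ftpusers deny list, and the sample data are all assumptions.

```sh
#!/bin/sh
# Added example: checks passwd/shadow/ftpusers-format files for the account
# problems in the checklist. Paths are arguments, so it can run on copies.

audit_accounts() {  # usage: audit_accounts PASSWD SHADOW FTPUSERS
    awk -F: '
        FILENAME == ARGV[1] { uid[$1] = $3; shell[$1] = $7; next }   # passwd
        FILENAME == ARGV[2] { if ($1 != "" && $1 !~ /^#/) noftp[$1] = 1; next }
        !($1 in uid) { next }                    # shadow entry with no passwd line
        $2 == "" { print "EMPTY_PASSWORD " $1 }  # login needs no password
        uid[$1] == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
        $2 ~ /^[!*]/ {                           # locked or password never set
            if (shell[$1] !~ /\/(nologin|false)$/) print "DISABLED_VALID_SHELL " $1
            if (!($1 in noftp)) print "DISABLED_FTP_ALLOWED " $1
        }
    ' "$1" "$3" "$2"   # awk reads passwd, then ftpusers, then shadow
}

run_sample() {  # constructed sample data; HASH stands in for a real hash
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:spare root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
olduser:x:1002:1002::/home/olduser:/bin/bash
daemon:x:1:1::/:/sbin/nologin
EOF
    cat > "$d/shadow" <<'EOF'
root:HASH:13238:0:99999:7:::
toor:HASH:13238:0:99999:7:::
alice:HASH:13238:0:99999:7:::
guest::13238:0:99999:7:::
olduser:!HASH:13238:0:99999:7:::
daemon:*:13238:0:99999:7:::
EOF
    printf '%s\n' '# denied ftp logins' root daemon > "$d/ftpusers"
    audit_accounts "$d/passwd" "$d/shadow" "$d/ftpusers"
    rm -rf "$d"
}

run_sample
```

On a real system, run `audit_accounts /etc/passwd /etc/shadow /etc/ftpusers` as root, adjusting the third path to wherever your FTP daemon keeps its deny list.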

Configure Network Access Control

  • Set Up iptables.
  • Install tcp wrappers to provide access control for TCP/IP services.
  • Install and Use Port Probing and Vulnerability Testing Tools.

Configure System Auditing

  • Restrict Access to Audit Files.
  • Log All su Activity.

Configure System Services

  • Remove Startup Scripts for Unneeded Services.
  • Remove Unneeded Network Service Entries From /etc/inetd.conf
  • Disable NFS.
  • Test all boot file changes by rebooting and checking for extraneous processes in ps -elf output and examining the /var/log/messages file.

Probe For Holes

  • Use server security probing tools from a trusted source to check your system for weaknesses from the inside!
  • Use security probing tools from a trusted source to check your system for weaknesses (before someone else does)!

Subscribe To Security Mailing Lists

  • Subscribe to security-focused mailing lists that will inform you promptly of security problems:
