Here's a great article on Linux Security Tips
I didn't see the most important step: 1) Unplug your network cable BEFORE doing a new OS install
It's actually not unlikely that the system will be hacked while you are loading the OS if it's directly connected to the Internet. You shouldn't plug in the network until you've turned off all unnecessary and insecure daemons. I recommend that you do the following:
1) Install the new OS
2) Disable ALL services that are listening
3) If you MUST run Xwindows then run it with the following command: startx -- -nolisten tcp
4) Apply all vendor security patches or at least those for the services you wish to run
5) Secure and start the services you desire
Remember that Linux is no more secure than any other OS right out of the box...they're all insecure in that state.
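For step 2 above ("disable ALL services that are listening") it helps to have a repeatable way to see what is actually bound to the network before the cable goes back in. The script below is an added example, not something posted in this thread: it parses the output format of `ss -tuln` (or `netstat -tuln` on older boxes) and flags every socket bound to all interfaces. The SAMPLE_SS text is constructed to look like a freshly installed machine with sshd, CUPS on loopback, an X server listening on TCP 6000 and a DHCP client.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening sockets before
# reconnecting the network. Understands `ss -tuln` and `netstat -tuln` output.

# listening_ports: read socket lines on stdin, print "proto port scope" per
# listening socket. scope is ALL when the socket is bound to every interface
# (reachable from other hosts), local when bound to a specific address.
listening_ports() {
    awk '
        /^Netid|^Proto|^Active/ { next }              # skip header lines
        $1 ~ /^(tcp|udp)6?$/ {
            # ss puts the state in $2 and Local Address:Port in $5;
            # netstat puts a queue size in $2 and Local Address in $4
            addr = ($2 == "LISTEN" || $2 == "UNCONN") ? $5 : $4
            port = addr; sub(/.*:/, "", port)         # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)     # text before the last colon
            scope = (host == "0.0.0.0" || host == "[::]" || host == "::" || host == "*") ? "ALL" : "local"
            proto = $1; sub(/6$/, "", proto)
            print proto, port, scope
        }
    '
}

# count_exposed: number of sockets in the input bound to all interfaces.
count_exposed() {
    listening_ports | awk '$3 == "ALL" { n++ } END { print n + 0 }'
}

# audit_live: run the audit on this machine (prefers ss, falls back to netstat).
audit_live() {
    if command -v ss >/dev/null 2>&1; then ss -tuln; else netstat -tuln; fi | listening_ports
}

# Constructed sample of `ss -tuln` output, not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6000      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | listening_ports
    echo "exposed sockets: $(printf '%s\n' "$SAMPLE_SS" | count_exposed)"
elif [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it with `--demo` to see the parser on the constructed sample (four of the five sockets are reachable from the network, including X on port 6000, which is exactly what `startx -- -nolisten tcp` removes), or with `--live` on the box itself. Anything reported as ALL that you did not deliberately secure in step 5 is a candidate for shutting down.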
Great information guys. Really useful. My Mandrake was full of holes I had no idea about.
Not any more though.
One thing I'd do is edit /etc/inittab. There are lines like
1:2345:respawn:/sbin/agetty tty1 9600
2:2345:respawn:/sbin/agetty tty2 9600
total of six, usually. That's how many consoles there are. When only one person is using the computer and remote access (via telnet for example) isn't needed, the number could be reduced. I had three consoles when I had not installed XFree86 yet, now that I have, I only use one.
You can either delete the unnecessary lines or (safer method) comment out with '#'.
To apply changes, type telinit q. It tells init to reread inittab without changing the runlevel.
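The commenting-out approach from the post above, as an added example (not the poster's own script): it reads an inittab, comments out every getty line for a console numbered higher than the number you want to keep, and writes the result to standard output so you can review it before copying it over /etc/inittab. The SAMPLE_INITTAB text is constructed; the regex accepts agetty, mingetty and plain getty since Red Hat and Mandrake of that era used mingetty.

```shell
#!/bin/sh
# Added example (not from the thread): keep only the first N virtual console
# gettys in an inittab by commenting the rest out with '#', which is reversible.

# trim_consoles N: read an inittab on stdin, write it to stdout with every
# getty line for a console numbered above N commented out.
trim_consoles() {
    awk -v keep="$1" '
        # getty lines look like: 1:2345:respawn:/sbin/agetty tty1 9600
        /^[0-9]+:[0-9]+:respawn:\/sbin\/(a|min)?getty[ \t]/ {
            n = $0
            sub(/.*tty/, "", n)        # drop everything up to "tty"
            sub(/[^0-9].*/, "", n)     # keep the console number only
            if (n + 0 > keep + 0) { print "#" $0; next }
        }
        { print }
    '
}

# active_consoles: count getty lines that are still live (not commented out).
active_consoles() {
    awk '/^[0-9]+:[0-9]+:respawn:\/sbin\/(a|min)?getty[ \t]/ { n++ } END { print n + 0 }'
}

# Constructed sample inittab with the usual six consoles.
SAMPLE_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/agetty tty1 9600
2:2345:respawn:/sbin/agetty tty2 9600
3:2345:respawn:/sbin/agetty tty3 9600
4:2345:respawn:/sbin/agetty tty4 9600
5:2345:respawn:/sbin/agetty tty5 9600
6:2345:respawn:/sbin/agetty tty6 9600
x:5:respawn:/etc/X11/prefdm -nodaemon'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INITTAB" | trim_consoles 1
    echo "consoles still active: $(printf '%s\n' "$SAMPLE_INITTAB" | trim_consoles 1 | active_consoles)"
fi
```

On a real system you would run `trim_consoles 1 < /etc/inittab > /tmp/inittab.new`, read the result, copy it into place, and then `telinit q` as the post says. Keep at least one console: with none at all you have no local login if X breaks.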
This is GREAT info guys. I've been looking for a good newbie-ized source of this information that tells you HOW and WHY instead of just "Go secure your box. Shut down services. Etc." This will be GREAT info for me to check, even if my box is no longer on a network. Good practices lead to good results after all, right?
One thing I didn't see mentioned: While you recommend a firewall, it certainly can't hurt to configure hosts.deny/hosts.allow (whatever your appropriate file(s) are) to deny anything except connections you know should come in (as strictly as possible). As well as httpd.conf for apache, since it doesn't obey those rules. This applies to Red Hat at least, I think for many other distros as well. I know doing that saved my backend when I didn't have a firewall available for use. Edit: I assume this is what you meant by ipchains rules... sorry for being dense... I'd never heard it in those terms..
Again, though, thanks for a bunch of great info guys!!! Any extra suggestions are certainly welcome.
Kind of new at doing commands at Linux, but how exactly do you disable the things running?
Hmm.... best thing for you, if you are running Red Hat or Mandrake, is log in as root, and then run
this will let you control what services are loaded at startup.
Make sure that you know WHAT you are turning off before you do it.
I recommend reading it all the way through
Thanx for posting this thread Phantasm. It's a pretty nice guide; even though it's a little old (ipchains has been replaced by iptables some time ago...) it gives quite a few good pointers.
This stresses a very basic security rule: run the bare minimum. Kill all the services that you don't need.
Someone also posted a suggestion to disable connections to the X server, after the "startx" command. A lot of new users to Linux are not familiar with X, and besides, they use login managers, so they never actually run "startx". They might need to modify:
or xf86config depending on which way they're set up for X.
This has been the default for quite some time AFAIK. None of the distros I've tried for at least 4 years left the X server authentication process open (they were at my school though, and that was "fun", kind of).
To check this out, just run the xhost command with no arguments. It should reply this:
fg@rtfm ~ $ xhost
access control enabled, only authorized clients can connect
If you see this message you're safe: no one can connect to your X server unless you type xhost +some_host.
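The `xhost` check above can be turned into something a script can act on. This is an added example, not from the thread: it reads xhost's output, reports whether access control is enabled, and counts any host entries that were granted with `xhost +some_host`. The two sample strings are constructed. One caveat it handles: newer systems print an `SI:localuser:name` line after the first line, which is the display manager authorizing your own local user and is not a remote host, so it is not counted.

```shell
#!/bin/sh
# Added example (not from the thread): parse `xhost` output and decide whether
# the X server will accept clients from other hosts.

# x_access_state: read `xhost` output on stdin, print "<state> <extra>" where
# state is enabled, disabled or unknown and extra counts entries listed after
# the first line other than SI:localuser:* (e.g. INET:otherhost).
x_access_state() {
    awk '
        NR == 1 && /^access control enabled/  { state = "enabled" }
        NR == 1 && /^access control disabled/ { state = "disabled" }
        NR > 1 && NF > 0 && $0 !~ /^SI:localuser:/ { extra++ }
        END { print (state == "" ? "unknown" : state), extra + 0 }
    '
}

# x_is_safe: exit 0 only if access control is on and no foreign host is listed.
x_is_safe() {
    [ "$(x_access_state)" = "enabled 0" ]
}

# Constructed samples: the default state, and the state after `xhost +`
# followed by `xhost +otherhost`.
SAFE_XHOST='access control enabled, only authorized clients can connect'
OPEN_XHOST='access control disabled, clients can connect from any host
INET:otherhost'

if [ "${1:-}" = "--live" ]; then
    if xhost | x_is_safe; then
        echo "X access control OK"
    else
        echo "X server accepts foreign clients; run: xhost -"
        exit 1
    fi
fi
```

Run it with `--live` inside an X session; `xhost -` (re-enable access control) and `xhost -some_host` undo earlier `xhost +` calls. Note this only covers the xhost access list; whether the server listens on TCP at all is decided by the `-nolisten tcp` flag discussed earlier in the thread.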
great tips thanks