Securing your linux server is important to protect your data from malicious individuals. Here are few tips that help making a linux OS secure and hard to break.
1- upgrade your system to the latest kernel and software stacks using
# yum update
# yum upgrade
2- Minimize installed software: with fresh installations, there are several installed software stacks running. Some of the pre-installed software can be totally useless depending on your requirements. List and remove your installed packages using :
# yum list installed
# yum list packageName
# yum remove packageName
You can optionally keep the installed package, but kill the running process and remove it from the auto-start scripts:
# /etc/init.d/sendmail stop
# chkconfig sendmail off
# /etc/init.d/yum-updatesd stop
# chkconfig yum-updatesd off
# /etc/init.d/cups stop
# chkconfig cups off
# /etc/init.d/gpm stop
# chkconfig gpm off
# /etc/init.d/crond stop
# chkconfig crond off
3- Use Linux Security Extensions: using SELinux provides a standard access control for applications and processes, such as file operations, sockets, and other processes. This will protect the system against flawed applications that can access the file system.
4- Accounts and passwords:
a- enable password expiration:
# chage -M 9999 userName
b- lock user accounts after login fail using the faillog command
c- disable root login by editing sshd.conf
4- Configure IPtables rules to filter out malicicous/unwanted traffic. This could very well reduce the risks of DOS attacks.
5- Harden /etc/sysctl.conf:
# Turn on execshield
# Enable IP spoofing protection
# Disable IP source routing
# Ignoring broadcasts request
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
6- Permissions set by linux are irrelevant if an attacker has a physical access to your hard disks, in this situation you can protect files and partitions using the following tools:
a- gpg command to symmetrically encrypt/decrypt files.
b- TrueCrypt is a free open source disk encryption software that is easy to use.