Securing Linux/Unix

1. How Secure is Secure?
   • Security is an attitude: Healthy Paranoia
   • Security is never a "Done Deal"
   • Security is a policy: Default Allow or Default Deny

2. ALWAYS install the OS in a Pre-Secured Environment
   Examples of such:
   • A LAN protected by a firewall
   • A LAN disconnected from the WAN/Internet
   • An isolated, self-contained Test LAN

3. Install the latest security patches, updates and packages

4. Install the latest version of the SSH/SSL tools
   • Zlib http://www.gzip.org/zlib/
   • Openssl http://www.openssl.org
   • Openssh http://www.openssh.org

5. Disable ALL unnecessary services
   • netstat -a[n]
   • fuser -uv [service/protocol] (as root)
   • /etc/rc.d/rc.* (Slackware, etc.)
   • /etc/rc.d/init.d/* (RedHat, etc.)
   • /etc/inetd.conf
   • /etc/xinetd*

6. Secure ALL necessary services
   • Use tcp-wrappers
   • Use packet-filters (ipfwadm, ipchains, iptables, etc.)
   • Sendmail No Relaying
   • Apache Limit Access
   • DNS Run as NON-root user

7. Check important file permissions
   • Suid, Sgid programs:
     find / \(-perm -004000 -o -perm -002000 \) -type f -print
   • /var/log/*
   • /etc/*

8. Watch the system
   • /etc/syslog.conf: *.* (or *.debug) /dev/tty12
   • /etc/syslog.conf: *.* (or *.debug) @remote.host
   • tripwire http://www.tripwire.org/
   • COPS http://www.fish.com/cops/
   • nmap http://www.insecure.org/nmap/
   • snort http://www.snort.org

9. Watch the news
   • http://www.cert.org
   • http://www.linuxsecurity.com
   • news://comp.os.linux.security
   • news://comp.security.announce

10. Watch the sites
    • http://www.insecure.org
    • http://packetstormsecurity.org/
    • http://www.rootshell.com
    • http://www.securityfocus.com/
    • http://www.securityportal.com/

11. Read the books
    • Practical UNIX & Internet Security, 2nd Edition 1-56592-148-8
    • Building Internet Firewalls, 2nd Edition 1-56592-871-7