Five minutes to a secure Linux system

Posted by Vivek Gite [Last updated: September 3, 2008]

You must be thinking that I'm kidding. Nope, I'm not. Let me explain. After installing Linux, the first thing you should do is turn off all services and deny all incoming traffic until you have configured the box securely.

But why...?
A default installation can run many nonessential services, and every one of them is a potential security risk. Do not set yourself up for embarrassment: it would be a shame if a cracker used your server before you or your customer/client did :P The best defense is to turn off all unwanted services until you have applied all patches and set up firewall rules :).

Rule # 1, Stop unwanted services as soon as you boot the server
For example, STOP the inetd or xinetd service:

# /etc/init.d/inetd stop
# /etc/init.d/xinetd stop

OR Red Hat Linux users can use the service command:

# service xinetd stop

Rule # 2, Stop ALL unwanted runlevel services that start automatically when Linux comes up (boots)
Use a tool such as chkconfig under Red Hat / Fedora Linux:

a) List all services

# chkconfig --list | less

b) Remove/Delete service:

# chkconfig --del {service-name}

To disable/remove xinetd at startup use command as follows:

# chkconfig --del xinetd

Tip: You can also use the ntsysv menu-based utility.

Debian Linux users can use the update-rc.d script. For example, to stop the xinetd service from starting at boot, type the command as follows:

# update-rc.d -f xinetd remove

You can also manage the removal of unwanted services via the /etc/rc?.d symlinks; if you are new to this, use the tools above. Also look at the several easy-to-use utilities that facilitate the management of System V initialization scripts in our article Removing Unwanted Startup Debian Files or Services.
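Before you start typing chkconfig --del for every service, it helps to know exactly what starts at your default runlevel. The following audit script is an added example, not code from the original article: it parses a chkconfig --list style listing (the sample below is constructed, not captured from a real box) and prints the chkconfig --del commands for everything enabled at a runlevel, except a whitelist you pass so that you do not disable sshd and lock yourself out. Nothing is executed; review the output and then run it as root.

```shell
#!/bin/sh
# Added example (not from the original article): audit a chkconfig-style
# listing and emit the "chkconfig --del" commands for services enabled at a
# given runlevel. Works on text only, so it needs no root to try out.

# Constructed sample of "chkconfig --list" output (not from a real system).
# On a live box use:  LISTING="$(chkconfig --list)"
SAMPLE_CHKCONFIG='xinetd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:off   5:off   6:off'

# enabled_at_runlevel RUNLEVEL LISTING
#   Prints, one per line and sorted, every service whose "<RUNLEVEL>:on"
#   field is set in the listing.
enabled_at_runlevel() {
    rl="$1"
    printf '%s\n' "$2" | awk -v rl="$rl" '
        $1 != "" {
            for (i = 2; i <= NF; i++)
                if ($i == rl ":on") { print $1; break }
        }' | sort
}

# emit_disable_cmds RUNLEVEL LISTING KEEP
#   Prints a "chkconfig --del" line for each service enabled at RUNLEVEL,
#   skipping the space-separated names in KEEP (e.g. "sshd network").
emit_disable_cmds() {
    rl="$1"; listing="$2"; keep=" $3 "
    enabled_at_runlevel "$rl" "$listing" | while read -r svc; do
        case "$keep" in
            *" $svc "*) ;;                          # whitelisted, keep it
            *) printf 'chkconfig --del %s\n' "$svc" ;;
        esac
    done
}

# Demo on the constructed sample: default runlevel 3, keep sshd.
emit_disable_cmds 3 "$SAMPLE_CHKCONFIG" "sshd"
```

The listing format is the one chkconfig prints for System V services; the "xinetd based services:" section that chkconfig appends on some distributions uses a different layout and is not parsed here, which is one more reason to stop xinetd itself as in Rule #1. On Debian, swap the printf for an update-rc.d -f NAME remove line.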

Step #3, Enable firewall
Set up iptables to deny all incoming traffic but allow outgoing traffic (so that you can download all the patches). Here is a sample iptables script:

#!/bin/sh
# My system IP / IP address of this server (not referenced by the rules
# below; keep it for the service rules you add after patching)
SERVER_IP="202.54.1.25"

# Flush all rules and delete any user-defined chains
iptables -F
iptables -X

# Set the default filter policy: drop everything inbound and forwarded,
# allow everything outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow inbound packets only when they belong to a connection this box
# started itself (replies to DNS queries, package downloads, etc.);
# change eth0 to the name of your external interface
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Make sure nothing else comes in (explicit, on top of the DROP policy)
iptables -A INPUT -j DROP

Save the script and execute it.
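Once the script has run, verify that the box really is closed rather than trusting that it is. The checker below is an added example, not part of the original article: it parses iptables-save style output (the two rulesets embedded here are constructed, one matching what the script above produces and one deliberately weak) and reports whether the INPUT chain defaults to DROP with no port opened to the outside. On a live box pass "$(iptables-save)" instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original article): confirm the "nothing comes
# in" state by parsing iptables-save text. Usage on a real box:
#     report "$(iptables-save)"

# Constructed: what iptables-save prints after the article's script has run.
LOCKED_DOWN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# Constructed: a weak ruleset with default ACCEPT and two ports open to all.
WIDE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# input_policy RULESET -> prints the default policy of the INPUT chain.
input_policy() {
    printf '%s\n' "$1" | awk '/^:INPUT / { print $2 }'
}

# accepted_input_ports RULESET -> prints every --dport that an INPUT rule
# ACCEPTs, one per line, numerically sorted (empty if none).
accepted_input_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport") print $(i + 1)
        }' | sort -n
}

# firewall_locked_down RULESET -> succeeds only if INPUT defaults to DROP
# and no inbound port is accepted, i.e. the state wanted while patching.
firewall_locked_down() {
    [ "$(input_policy "$1")" = "DROP" ] && [ -z "$(accepted_input_ports "$1")" ]
}

# report RULESET -> one-line human readable summary.
report() {
    if firewall_locked_down "$1"; then
        echo "OK: INPUT policy DROP, no inbound ports open"
    else
        echo "WARNING: INPUT policy $(input_policy "$1"), open ports: $(accepted_input_ports "$1" | tr '\n' ' ')"
    fi
}

report "$LOCKED_DOWN"
report "$WIDE_OPEN"
```

After patching, when you deliberately open ssh or http, the port list printed by report becomes your record of what is exposed; rerun it after every change so a stray ACCEPT rule does not survive unnoticed.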

Step #4, You are done. What next?
All of the above 3 steps take less than 5 minutes and give you a more secure box. Following are general steps you should perform. Now even if it is going to take 4 hours, you don't have to worry about crackers :D

Please note that OpenBSD and some other distros follow a secure-by-default design; in particular, OpenBSD does not run unneeded services out of the box. Linux by default tries to be a little more user friendly, and hence many distributions provide the maximum number of out-of-the-box services.

Discussion on This Article:

  1. Joe Says:

    “Debian Linux user can try out update-rc.d script. For example to stop xinetd service you can type command as follows:
    # update-rc.d -f sshd remove”

    I think that should be

    update-rc.d -f xinetd remove

  2. cyberciti Says:

    Thanks Joe :), it is corrected.

  3. Anonymous Says:

    Sure, both Suse/Redhat Linux run lots of unneeded stuff and removing them is more than hours of work. Your little guide and script make more sense and it is quite useful too... good work

  4. marco Says:

    you have a little typo: apahce

Copyright © 2004-2008 nixCraft. All rights reserved.