You must be thinking that I'm kidding. Nope, I'm not. Let me explain. After installing Linux, the first thing you should do is turn off all services and deny all incoming traffic until you have configured the box securely.
But why...?
A default installation may run many nonessential services, and each of them is a potential security risk. Do not create a sense of embarrassment for yourself: it would be a shame if a cracker used your server before you or your customer/client did :P The best defense is to turn off all unwanted services until you have applied all patches and set up firewall rules :).
Rule #1: Stop unwanted services as soon as you boot the server
For example, stop the inetd or xinetd service:
```sh
# /etc/init.d/inetd stop
# /etc/init.d/xinetd stop
```
Red Hat Linux users can use the service command instead:
```sh
# service xinetd stop
```
Rule #2: Stop ALL unwanted runlevel services that start automatically when Linux boots
Use a tool such as chkconfig under Red Hat / Fedora Linux:
a) List all services:
```sh
# chkconfig --list | less
```
b) Remove/delete a service:
```sh
# chkconfig --del {service-name}
```
To disable/remove xinetd at startup, use the command as follows:
```sh
# chkconfig --del xinetd
```
Tip: You can also use the ntsysv menu-based utility.
Debian Linux users can try the update-rc.d script. For example, to remove the xinetd service from startup, type:
```sh
# update-rc.d -f xinetd remove
```
You can also manage the removal of unwanted services via the /etc/rc?.d symlinks. If you are new to this, use the tools above. Also look at the several easy-to-use utilities that facilitate the management of System V initialization scripts in our article Removing Unwanted Startup Debian Files or Services.
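Both rules above come down to one question: which services will start at boot that you never decided to keep? The following POSIX shell script is an added example, not part of the original article: it parses `chkconfig --list` style output, checks every service that is "on" in runlevel 3 or 5 against a short allowlist, and prints the names an admin should review and remove. The allowlist and the sample listing are constructed for illustration; on a real Red Hat / Fedora box, run it with `--live` to audit the actual output of `chkconfig --list`.

```shell
#!/bin/sh
# Added example (not the article's code): report runlevel services that
# would start at boot but are not on an explicit allowlist.

# Services we expect to start at boot (assumption: adjust to your policy).
ALLOWED="sshd syslog crond iptables"

# Constructed sample in the format that `chkconfig --list` prints.
SAMPLE_LIST='xinetd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# is_allowed NAME -> exit 0 if NAME is in $ALLOWED, 1 otherwise
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# unwanted_services LISTING
# Prints one service name per line for every service that is "on" in
# runlevel 3 or 5 (multi-user / graphical) and is not allowlisted.
unwanted_services() {
    printf '%s\n' "$1" | while read -r name rl0 rl1 rl2 rl3 rl4 rl5 rl6; do
        [ -z "$name" ] && continue
        case "$rl3 $rl5" in
            *:on*) is_allowed "$name" || printf '%s\n' "$name" ;;
        esac
    done
}

# disable_commands LISTING
# Emits the chkconfig commands an admin would review before running them.
disable_commands() {
    unwanted_services "$1" | while read -r svc; do
        printf 'chkconfig --del %s\n' "$svc"
    done
}

if [ "${1:-}" = "--live" ]; then
    disable_commands "$(chkconfig --list)"
else
    disable_commands "$SAMPLE_LIST"
fi
```

On the constructed sample the script reports xinetd and sendmail; sshd and crond are allowlisted and cups is already off in the runlevels that matter. It only prints commands, so nothing changes until you run them yourself.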
Step #3: Enable the firewall
Set up iptables to deny all incoming traffic but allow outgoing traffic (so that you can still download patches). Here is a sample iptables script:
```sh
#!/bin/sh
# My system IP / set IP address of server
SERVER_IP="202.54.1.25"
# Flush all rules
iptables -F
iptables -X
# Set the default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow inbound packets only for connections this host initiated (e.g. DNS queries)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Make sure nothing else comes in
iptables -A INPUT -j DROP
```
Save the script and execute it.
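The sample script above is fine when you are at the console, but because it accepts only ESTABLISHED/RELATED packets, no new SSH session can reach the box once it has run. The script below is an added example, not the article's own: it expresses the same deny-inbound/allow-outbound policy in iptables-restore format, goes one step beyond the text by permitting new SSH connections from a single admin host, and checks the file with `iptables-restore --test` before loading it atomically. The admin address 192.0.2.10 and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example (not the article's script): build the "drop everything
# inbound, allow outbound" policy as an iptables-restore ruleset, keep
# management access from one admin host, and review before loading.

ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # assumption: your workstation (RFC 5737 range)
IFACE="${IFACE:-eth0}"               # assumption: the server's network interface

# build_ruleset ADMIN_IP IFACE -> prints an iptables-restore ruleset on stdout
build_ruleset() {
    admin="$1"; dev="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is unrestricted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (patch downloads, DNS)
-A INPUT -i $dev -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions only from the admin host
-A INPUT -i $dev -p tcp -s $admin --dport 22 -m state --state NEW -j ACCEPT
# everything else inbound is dropped by the INPUT chain policy
COMMIT
EOF
}

# count_accept_rules RULESET -> number of explicit INPUT ACCEPT rules
count_accept_rules() {
    printf '%s\n' "$1" | grep -c '^-A INPUT .* -j ACCEPT$'
}

RULES="$(build_ruleset "$ADMIN_IP" "$IFACE")"
if [ "${1:-}" = "--apply" ]; then
    # root required; --test parses the file without touching the kernel
    printf '%s\n' "$RULES" > /etc/iptables.rules
    iptables-restore --test /etc/iptables.rules && iptables-restore /etc/iptables.rules
else
    printf '%s\n' "$RULES"
fi
```

Run it without arguments to print the ruleset for review, and as root with `--apply` to test and load it. Loading through iptables-restore replaces the whole table in one step, so there is no window in which the default policy is DROP but the loopback and ESTABLISHED rules are not yet in place.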
Step #4: You are done. What next?
The three steps above take less than 5 minutes and give you a more secure box. The following are the general steps you should perform next. Even if they take 4 hours, you don't have to worry about crackers in the meantime :D
- Apply all security-related patches (use up2date, i.e. RHN, or the apt-get update command)
- Remove unwanted software (rpm -e or apt-get remove command)
- Configure server software such as Apache, FTP and mail services
- Create firewall rules according to your company's security policy
- Create users and groups
- Set up all permissions
- Document what has been done and what is running inside the box
- Finally, send an email notification to your IT team or customer/client saying that the server is ready for use.
Please note that OpenBSD and some other Linux distros follow a secure-by-default design. OpenBSD in particular does not run unneeded services out of the box. Linux by default tries to be a little more user friendly, and hence many distributions provide the maximum number of services out of the box.
4 comments
“Debian Linux user can try out update-rc.d script. For example to stop xinetd service you can type command as follows:
# update-rc.d -f sshd remove”
I think that should be
update-rc.d -f xinetd remove
Thanks Joe :), it is corrected.
Sure, both SUSE/Red Hat Linux run lots of unneeded stuff and removing them is more than hours of work. Your little guide and script make it more sense and it is quite useful too.. good work
you have a little typo: apahce