Five minutes to a secure Linux system

You must be thinking that I’m kidding. Nope, I’m not. Let me explain. After installing Linux, the first thing you should do is turn off all services and deny all incoming traffic until you have configured the box securely.

But why…?
A default installation can run many nonessential services, and these services can turn into security risks. Do not create a sense of embarrassment for yourself. It would be a shame if a cracker used your server before you or your customer/client did 😛 The best defense is to turn off all unwanted services until you have applied all patches and set up firewall rules :).

Rule # 1, Stop unwanted services as soon as you boot the server
For example, stop the inetd or xinetd service:

# /etc/init.d/inetd stop
# /etc/init.d/xinetd stop

Or Red Hat Linux users can try the service command:

# service xinetd stop

Rule # 2, Stop ALL unwanted runlevel services that start automatically when Linux boots
Use a tool such as chkconfig under Red Hat / Fedora Linux:

a) List all services

# chkconfig --list | less

b) Remove/Delete service:

# chkconfig --del {service-name}

To disable/remove xinetd at startup, use the command as follows:

# chkconfig --del xinetd

Tip: You can also use the menu-based ntsysv utility.

Debian Linux users can try the update-rc.d script. For example, to stop the xinetd service you can type the following command:

# update-rc.d -f xinetd remove

You can also manage the removal of unwanted services via the /etc/rc?.d symlinks. If you are new, use the above tools. Also look at the several easy-to-use utilities that facilitate the management of System V initialization scripts in our article Removing Unwanted Startup Debian Files or Services.

Step #3, Enable firewall
Set up iptables and deny all incoming traffic but allow outgoing traffic (so that you can download all the patches). Here is a sample iptables script:

# My system IP/set ip address of server

# Flush all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow inbound packets only for connections this host initiated (e.g. replies to DNS queries)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# make sure nothing comes in
iptables -A INPUT -j DROP

Save the script and execute it.
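
One way to confirm the lockdown took effect before moving on, as an added example that is not part of the original article: the function below audits `iptables -S` output for the two DROP policies and for any INPUT rule that accepts new inbound traffic. The name audit_lockdown and both sample rule sets are constructed for illustration.

```shell
# Added example: check an `iptables -S` dump against the lockdown policy above.
# Reads rules on stdin, prints findings, returns 0 only if inbound is locked down.
audit_lockdown() {
    awk '
    $1 == "-P" { policy[$2] = $3; next }
    $1 == "-A" && $2 == "INPUT" {
        target = ""; lo = 0; reply = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            # Loopback only counts when the match is not negated ("! -i lo").
            if ($i == "-i" && $(i + 1) == "lo" && $(i - 1) != "!") lo = 1
            if ($i == "--state" || $i == "--ctstate") {
                # Reply traffic: every listed state is ESTABLISHED or RELATED.
                n = split($(i + 1), st, ",")
                reply = ($(i - 1) != "!")
                for (k = 1; k <= n; k++)
                    if (st[k] != "ESTABLISHED" && st[k] != "RELATED") reply = 0
            }
        }
        if (target == "ACCEPT" && !lo && !reply) { print "FAIL: INPUT accepts new inbound traffic: " $0; bad = 1 }
    }
    END {
        if (policy["INPUT"] != "DROP") { print "FAIL: INPUT policy is " policy["INPUT"]; bad = 1 }
        if (policy["FORWARD"] != "DROP") { print "FAIL: FORWARD policy is " policy["FORWARD"]; bad = 1 }
        if (!bad) print "OK: inbound traffic is denied by default"
        exit bad + 0
    }'
}

# Constructed sample: what `iptables -S` prints after running the script above.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample: default-accept policy with telnet (23/tcp) left open.
BAD_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | audit_lockdown
printf '%s\n' "$BAD_RULES" | audit_lockdown || true
```

On a live host, run `iptables -S | audit_lockdown` as root after executing the firewall script.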

Step #4, You are done. What next?
All the above 3 steps will take less than 5 minutes and give you a more secure box. The following are general steps you should perform next. Now, even if they take 4 hours, you don’t have to worry about crackers 😀

  • Apply all security-related patches (use up2date, i.e. RHN, or the apt-get update command)
  • Remove unwanted software (rpm -e or apt-get remove command)
  • Configure server software such as Apache, FTP and mail services
  • Create firewall rules according to your company's security policy
  • Create users and groups
  • Set up all permissions
  • Document what has been done and what is running inside the box
  • Finally send an email notification to your IT team or customer/client that he/she can use the server.

Please note that OpenBSD and some Linux distros follow a secure-by-default design. In particular, OpenBSD does not run unneeded services out of the box. Linux by default tries to be a little bit more user friendly, and hence many distributions enable as many services as possible out of the box.

4 comments… add one
  • Joe Oct 18, 2005 @ 21:40

    “Debian Linux user can try out update-rc.d script. For example to stop xinetd service you can type command as follows:
    # update-rc.d -f sshd remove”

    I think that should be

    update-rc.d -f xinetd remove

  • cyberciti Oct 18, 2005 @ 22:26

    Thanks Joe :), it is corrected.

  • Anonymous Oct 19, 2005 @ 2:34

    Sure, both Suse/Redhat Linux run lots of unneeded stuff and removing them is more than hours of work. Your little guide and script make more sense and it is quite useful too.. good work

  • marco Sep 3, 2008 @ 3:41

    you have a little typo: apahce
