ok ... go to this point... :D
• AutoRPM on Red Hat and apt-get on Debian can be used to download and install
any packages on your system for which there are updates. Use care when
automatically updating production servers.
• IP Masquerading enables a Linux box with multiple interfaces to act as a gateway to
remote networks for hosts connected to the Linux box on the internal network
interface. See the IP Masquerading HOWTO for implementation information.
• Install nmap to determine potential communication channels. It can determine the
remote OS version, perform “stealth” scans by manipulating ICMP, TCP and UDP, and
even potentially determine the remote username running the service. Start with
something simple like:
# nmap 192.168.1.1
• Password-protect LILO for servers in public environments to require authorization
when passing LILO command-line kernel parameters at boot time. Add the password
and restricted arguments to /etc/lilo.conf, then be sure to re-run
/sbin/lilo:
image = /boot/vmlinuz-2.2.17
label = Linux
read-only
restricted
password = your-password
• The OpenWall kernel patch is a useful set of kernel security improvements that
helps to prevent buffer overflows, restricts the information in /proc available to
normal users, and makes other changes. It requires compiling the kernel, and is not
for newbies.
• Ensure system clocks are accurate. The time stamps on log files must be accurate
so security events can be correlated with remote systems. Inaccurate records make it
impossible to build a timeline. For workstations, it is enough to add a crontab entry:
0-59/30 * * * * root /usr/sbin/ntpdate -su time.timehost.com
• Install and execute the Bastille Linux hardening tool. Bastille is a suite of shell
scripts that eliminates many of the vulnerabilities that are common on default Linux
installations. It enables users to make educated choices to improve security by asking
questions as it interactively steps through securing the host. Features include basic
packet filtering, deactivating unnecessary network services, auditing file permissions,
and more. Try the non-intrusive test mode first.
• Configure sudo (superuser do) to execute privileged commands as a normal user
instead of using su. The administrator supplies his own password to execute specific
commands that would otherwise require root access. The /etc/sudoers file
controls which users may execute which programs. To permit Dave to only manipulate
the printer on magneto:
Cmnd_Alias LPCMDS = /usr/sbin/lpc, /usr/bin/lprm
dave magneto = LPCMDS
Dave executes sudo with the authorized command and enters his own password
when prompted:
dave$ sudo /usr/sbin/lpc
Password:
lpc>
• Password security is the most basic means of authentication, yet the most critical
means of protecting your system from compromise. It is also one of the most overlooked.
Without an effective, well-chosen password, your system is sure to be
compromised. Obtaining access to any user account on the system is the tough part;
from there, root access is only a step away. Run password-cracking programs such as
John the Ripper or Crack regularly on systems for which you’re responsible to ensure
password security is maintained. Disable unused accounts using
/usr/bin/passwd -l. Use MD5 passwords during install if your distribution supports it.
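As an added example (not part of the original checklist), the script below audits a file in /etc/shadow format for the two account states this item warns about: accounts with an empty password field, which accept logins with no password at all, and accounts still using traditional 13-character DES crypt hashes rather than MD5. Accounts that passwd -l has locked (field begins with "!") or that are disabled ("*") are skipped. The sample file is constructed here with placeholder hashes; on a real host run it as root against /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original checklist. Audits a shadow-format file
# for weak account states. Usage: audit_shadow FILE

# Constructed sample in /etc/shadow format. The hash strings are placeholders,
# not real password hashes; only their shape matters to the audit.
SAMPLE_SHADOW='root:$1$saltsalt$PLACEHOLDERMD5HASH000:14600:0:99999:7:::
dave:$1$saltsalt$PLACEHOLDERMD5HASH001:14600:0:99999:7:::
olduser:!$1$saltsalt$PLACEHOLDERMD5HASH002:14600:0:99999:7:::
guest::14600:0:99999:7:::
legacy:abJnggxhB/yWI:14600:0:99999:7:::
daemon:*:14600:0:99999:7:::'

# audit_shadow FILE
# Prints one finding per line as "<account> <finding>".
#   EMPTY-PASSWORD  second field is empty: login succeeds with no password
#   DES-CRYPT       13-character traditional crypt hash; switch to MD5 ($1$)
# Entries locked with passwd -l ("!" prefix) or disabled ("*") produce no
# finding, and any other "$"-prefixed scheme is left alone as it is at least
# as strong as MD5.
audit_shadow() {
    awk -F: '
        $2 == ""        { print $1, "EMPTY-PASSWORD"; next }
        $2 ~ /^[!*]/    { next }                 # locked or disabled account
        $2 ~ /^\$/      { next }                 # MD5 or a newer crypt scheme
                        { print $1, "DES-CRYPT" }
    ' "$1"
}

# count_findings FILE: number of findings, handy for a cron job that mails
# only when the count is non-zero.
count_findings() {
    audit_shadow "$1" | wc -l | tr -d ' '
}

# Stand-alone run: audit the constructed sample, or a file given as $1.
if [ "$#" -gt 0 ]; then
    audit_shadow "$1"
else
    tmpfile=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmpfile"
    audit_shadow "$tmpfile"
    rm -f "$tmpfile"
fi
```

Expected findings on the sample are "guest EMPTY-PASSWORD" and "legacy DES-CRYPT"; the locked olduser entry and the disabled daemon entry are correctly ignored. Running it from cron and comparing the count against the previous run gives a cheap check that no account has quietly been unlocked or re-created without a password.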
• Packet filtering isn’t just for firewalls. Using ipchains, you can provide a significant
amount of protection from external threats on any Linux box. To block a particular
host from connecting to a service on your machine, you might try:
# ipchains -I input -p TCP -s 192.168.1.11 telnet -j DENY -l
This will prevent incoming access to the telnet port on your local machine if the
connection originates from 192.168.1.11. This is a very simple example. Be sure
to read the IP Chains HOWTO before implementing any firewalling.
General Security Tips
Posted by Army | Saturday, December 26, 2009