No matter which Linux distribution you choose, there are at least 10 things you do to properly prepare the operating system for day-to-day operation.
As part of a recent IT Soapboxblog post I asked Linux users and evangelists in the TechRepublic community to step up to the plate and take a crack at producing some informative articles and downloads on the Linux operating system. This document is just one of the submissions inspired by that challenge. Just click the Linux challenge tag to track other published submissions stemming from this grass roots project.
1. Install latest patches
There are over 200 different Linux distributions and you will need the patches that are specific to your distribution. Search for needed patches on the web site of your distribution maintainer (example: Debian; Redhat; Lindows, etc.). Other sources for updated software are Freshmeat; Ibiblio; and Linuxberg. Some systems use package managers, such as rpm (Red Hat Package Manager) or deb (Debian Package Manager), while others will require a little more effort. These links should provide access to updated software as well as pretty clear instructions for installation. Be sure to read the documentation since there may be dependencies that will need to be satisfied to ensure a smooth update.
2. Create and configure user accounts
Even if you are the sole user of your system, you still need to create a user account for normal usage. The Root, or super user, account should only be used when absolutely necessary. This improves system security and reduces the possibility of accidentally corrupting portions of the system that would render it unstable.
Most Linux distributions come with an Admin tool that can be used to create and configure user accounts. This is the best way to proceed since it will lower the possibility of typographical or other errors that could cause problems. If you will have multiple users, creation can be simplified by first configuring the Default User.
You should require that all users have secure passwords, at least eight characters long, with multiple types of characters. Do not use words as part of the password since this just makes it easier for potential hackers. Enable shadow passwords so the passwords will not be stored on the system in clear text. Any daemon or service account that does not require shell access should be modified by using the chsh command to change its shell assignment to /bin/false. This will prevent hackers from using default system accounts to login to the machine.
You should also ensure that no accounts other than Root have a user ID of zero and you should prevent remote login access without passwords by not allowing .rhost or /etc/host.equiv files.
3. Secure Root access
Securing Root, also known as Super User, is the single most important action you must take to secure your system. After ensuring you have another user account you can use to login to the system, it is good to disable Root login capability. Thus, you would login with standard user access and, when you needed the administrative capability of Root it would be accessed temporarily with the su command. Direct login by Root can be prevented in most distributions by editing the file /etc/security so there is a hash (#) at the beginning of each line. As part of this step you should:
* Ensure the telnet server package is not installed so telnet access is unavailable.
* Prevent SSH login by editing the file /etc/ssh/sshd_config. For example, in Red Hat you would change the DenyUsers line to read DenyUsers root.
* Limit Root's search path to only those directories needed for administrative tasks. Check Root’s .cshrc, .login, and .profile files to ensure the current directory (.) is not part of the search path.
* Ensure protection for files created by Root. Set Root’s umask to 077 (read, write, and execute permissions only for Root) or 022 (other users can read and execute but not change).
4. Secure physical access
Go into Setup, set a BIOS password and configure your system to boot from the hard drive only. This will prevent an attacker with physical access from simply loading a bootable disk, recycling power on the system, and gaining root access quite easily. Of course they could still accomplish the same thing by clearing the CMOS, but this does make it less likely.
5. Remove and/or disable unnecessary system services
The command ls –l /etc/rc.d/rc3.d/S* or ls –l /etc/rc.d/rc5.d/S* for graphics mode will show startup scripts. You can then verify only necessary services are running and use chkconfig to stop a service from loading at startup. An example command would be:
/sbin/chkconfig –levels 2345 <service_name> off
Where <service_name> is the service which should not run and 2345 refers to the run-levels where the command will apply.
Some distributions will need to have services removed from/etc/xinetdor /etc/xinetd.conf. The service listed in /etc/xinetd.confcan be disabled simply by placing a hash mark (#) at the beginning of the line that loads it.
6. Control network access
Most distributions automatically include TCP wrappers which may be used to control services based on IP addresses and host names. Edit /etc/hosts.allow to read ALL: LOCAL to permit local logins and edit /etc/hosts.deny to read ALL: ALL to deny remote connections. Specific ports may be listed if you need to allow some remote connections.
IPTABLES regulate the ports from which packets will be allowed to access your system. Some distributions, including RedHat, automatically configure this based on which system services are specified as required during system installation. Please consult the documentation for your particular distribution to ensure this important "firewall" is enabled.
If you must have FTP enabled, make sure it’s as secure as possible. Reference CERT Tech Tips for instructions on FTP configuration.
7. Configure auditing and system logs
Log files can be your most important tool in resolving any difficulties that arise. Syslog is the daemon that controls the Linux log files and its configuration is controlled by /etc/syslog.conf. All log files should be owned by Root.
There is a new generation logging daemon that allows greater sorting capability, thereby making management easier. Review its capabilities at FreshmeatSyslog-ng
Logwatch or Swatch are well-known, tested and tried utilities for automatically monitoring log files and alerting you to possible problems.
8. Configure file security
Only Root should have access to CRON. Otherwise, anyone gaining access to the system could schedule a damaging process to run at any time. Root should be the owner and group for /etc/fstab, /etc/passwd, /etc/group, /etc/shadow. Verify the permissions for these files are 644, except for /etc/shadow, which should be 400.
9. Prepare for disaster recovery
Create a boot disk for your newly configured system. Most distributions include the utility Mkbootdisk which makes this a simple endeavor.
You should plan to backup important data on a regular basis. To create a tarball of a specific list of directories, issue the command:
tar -cvf archive-name.tar dir1 dir2 dir3...
Where archive_name.tar is the name of the tarball you are creating and dir1, dir2, etc. are the directories being copied to it.
Suggestions for more comprehensive backups may be found at this "HowTo" and serious fault tolerance can be provided by creating a system image of your ideal load.
10. Plan for system maintenance
Get yourself added to some mailing lists that will notify you of updates for your Linux distribution. Distribution maintainers usually have a mailing list for notifying users when a new stable distribution or important patches have been released.