I'll answer it here, cuz this is the appropriate place. Quite cool, you posting this "advert" for your post elsewhere borders on cross-posting, but IMO can't be marked as that :-]
Basically, security comes in 3 levels:
- box integrity: setting (shell/pam/access/quota) limits on accounts or disabling unnecessary ones, perhaps use kernel patches like Open Wall (2.2x) or Grsecurity (2.4x) for stack and process protection, disable users' permissions to run system tasks or run em tru sudo, finer grained logging, protecting your libraries and binaries by either running em off a read-only mounted partition or else chattr +iu em, and adding (and using) a system integrity detector like Aide, Tripwire, Samhain, chkrootkit. If that's settled, check up on system application vulnerabilities, and register for the rhnetwork to be able to run up2date if you don't like manual upgrading. IMO manual upgrading has the pro you can tweak the source, turn features on or off and compile static binaries if necessary. *Some vulnerabilities you've got to live with, like svgalib, for instance.
* If this is a firewall, router or server: strip off X, gcc, user shell accounts, any unnecessary services and server apps.
- network security: if you run remote system maintenance, run OpenSSH instead of telnet, and limit account access to a few trusted hosts if possible and *don't* log in as root. Use sysctl to change TCP/IP behaviour (/proc/sys/net/ipv*) like forwarding, fragmenting, router discovery etc.
Make sure your firewall rules mirror/are in sync with the TCP Wrapper files, and add detection tru Snort, possibly complemented with an "active" part like Guardian to add firewall rules OTF, and set up cron to do regular reporting, cleaning out "dead" rules, etc. If you use X, make sure it's using Xauth, Xhost and the serverarg "-nolisten tcp" if you're not using it for connection to/from other hosts. Set up remote logging so if shit happens no one will be able to zap em logs.
- network application security: Don't run services you don't need, comment em out in (x)inetd.conf, and stop em in your runlevels (SYSV stuff in /etc/rc.d). If you have services that are only used by a few privileged users, limit account access to those. Check your network binaries' configs for possible loopholes. Limit where possible, like if you don't want sendmail to handle incoming attachments of 500Mb or be used as a relay, BIND version queries, etc. Limit daemon accounts, chroot apps if necessary. Play safe, run "stable" binaries.
Here's three things to give a bit more overview/make Linux security easier:
Bastille Linux, The Linux Administrator's Security Guide and the CERT tech tips on improving security.
The rest of my security reference list is in the second reply here:
possibly a dumb(..).
*Btw, I'm sorry this is one of my prefab posts, but then again this way I don't have to worry I'm forgetting something.
**Don't forget to patch Snort-1.8.3 for the small ICMP packet bug, or get the new one from CVS/snort.org
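The sysctl point in the network security level above is the one that is easiest to check mechanically, so here is an added example (my own code, not from the poster or from any of the tools named) that audits the kernel's /proc/sys/net/ipv4 settings against a small hardened baseline. The baseline keys and values are this example's own choice, not a list from the post; the fake tree built by make_demo_tree is constructed so the audit can be tried without root and without touching the live kernel.

```shell
#!/bin/sh
# Added example, not from the original post: audit the kernel's network
# sysctls (the /proc/sys/net/ipv* files the post mentions) against a
# hardened baseline. The baseline below is this example's own choice.

# One "key expected" pair per line; keys are paths relative to /proc/sys.
HARDENED_SYSCTLS='
net/ipv4/ip_forward 0
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/all/send_redirects 0
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/all/log_martians 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/tcp_syncookies 1
'

# audit_sysctl [BASE]
# Compare each baseline key under BASE (default /proc/sys) with its expected
# value. Prints one "key: have X, want Y" line per deviation and returns the
# number of deviations, so 0 means the box matches the baseline. A key that
# does not exist counts as a deviation (kernel built without the feature).
audit_sysctl() {
    base=${1:-/proc/sys}
    bad=0
    # A here-document keeps the loop in the current shell, so $bad survives
    # (a pipeline into "while read" would run the loop in a subshell).
    while read -r key want; do
        [ -n "$key" ] || continue            # skip blank lines
        if [ -r "$base/$key" ]; then
            have=$(cat "$base/$key")
        else
            have="missing"
        fi
        if [ "$have" != "$want" ]; then
            echo "$key: have $have, want $want"
            bad=$((bad + 1))
        fi
    done <<EOF
$HARDENED_SYSCTLS
EOF
    return "$bad"
}

# make_demo_tree DIR
# Build a constructed fake /proc/sys tree under DIR: all keys compliant, then
# forwarding left on, ICMP redirects accepted, and one key removed entirely,
# so the audit has three deviations to report.
make_demo_tree() {
    dir=$1
    while read -r key want; do
        [ -n "$key" ] || continue
        mkdir -p "$dir/$(dirname "$key")"
        echo "$want" > "$dir/$key"
    done <<EOF
$HARDENED_SYSCTLS
EOF
    echo 1 > "$dir/net/ipv4/ip_forward"                  # forwarding still on
    echo 1 > "$dir/net/ipv4/conf/all/accept_redirects"   # accepts ICMP redirects
    rm "$dir/net/ipv4/tcp_syncookies"                    # key not present
}

# Stand-alone run: audit the demo tree and report the deviation count.
# "|| echo" keeps a non-zero return from aborting under "sh -e".
tmp=$(mktemp -d)
make_demo_tree "$tmp"
audit_sysctl "$tmp" || echo "deviations in demo tree: $?"
rm -rf "$tmp"
```

Run it as `sh audit.sh` for the demo; to audit the real box call `audit_sysctl` with no argument (or `audit_sysctl /proc/sys`) from cron and mail the output, which fits the "set up cron to do regular reporting" suggestion in the post. The return value doubles as an exit status, so a cron wrapper can alert only when it is non-zero.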