Linux: Post-installation tips

By ipkernel, TechRepublic
05 December 2005 12:43 PM
Tags: linux, unix, redhat, distro, red hat, root, login, distribution

No matter which Linux distribution you choose, there are at least 10 things you need to do properly to prepare the operating system for day-to-day use.

Editor's note: As part of a recent IT Soapbox blog post, TechRepublic asked Linux users and evangelists to step up to the plate and take a crack at producing some informative articles and downloads on the Linux operating system. This document is just one of the submissions inspired by that challenge.

1. Install latest patches
There are over 200 different Linux distributions and you will need the patches that are specific to your distribution. To search for required patches, visit your distribution maintainer's Web site (example: Debian; Red Hat; Lindows, etc).

Other sources for updated software are Freshmeat; Ibiblio; and Linuxberg. Some systems use package managers, such as rpm (Red Hat Package Manager) or deb (Debian Package Manager), while others will require a little more effort. These links should provide access to updated software as well as pretty clear instructions for installation. Be sure to read the documentation since there may be dependencies that will need to be satisfied to ensure a smooth update.

2. Create and configure user accounts
Even if you are the sole user of your system, you still need to create a user account for normal usage. The Root, or super user, account should only be used when absolutely necessary. This improves system security and reduces the possibility of accidentally corrupting portions of the system that would render it unstable.

Most Linux distributions come with an Admin tool that can be used to create and configure user accounts. This is the best way to proceed since it will lower the possibility of typographical or other errors that could cause problems. If you will have multiple users, creation can be simplified by first configuring the Default User.

You should require that all users have secure passwords, at least eight characters long, with multiple types of characters. Do not use words as part of the password since this just makes it easier for potential hackers. Enable shadow passwords so the passwords will not be stored on the system in clear text. Any daemon or service account that does not require shell access should be modified by using the chsh command to change its shell assignment to /bin/false. This will prevent hackers from using default system accounts to log in to the machine.

You should also ensure that no accounts other than Root have a user ID of zero, and you should prevent remote login access without passwords by not allowing .rhosts or /etc/hosts.equiv files.
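The account checks in this step can be scripted. The following is an added example, not part of the original article; the function names, the UID threshold of 500 for service accounts, and the sample passwd lines are assumptions made for illustration.

```shell
#!/bin/sh
# Account checks from step 2. Each function reads passwd-format lines on
# stdin, so a real audit is e.g.:  extra_uid0 < /etc/passwd

# Accounts other than root whose UID (field 3) is 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# System accounts that still have a login shell (field 7).
# Assumption: UIDs below $1 (default 500) are daemon/service accounts, and
# /bin/false or /sbin/nologin means "no shell access".
service_accounts_with_shell() {
    awk -F: -v max="${1:-500}" '
        $3 > 0 && $3 < max && $7 != "/bin/false" && $7 != "/sbin/nologin" {
            print $1 ":" $7
        }'
}

# .rhosts files present in any home directory (field 6).
rhosts_files() {
    awk -F: '$6 != "" { print $6 }' | sort -u | while read -r home; do
        if [ -f "$home/.rhosts" ]; then echo "$home/.rhosts"; fi
    done
}

# Constructed sample input, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
}

echo "UID 0 besides root:";            sample_passwd | extra_uid0
echo "Service accounts with a shell:"; sample_passwd | service_accounts_with_shell
if [ -e /etc/hosts.equiv ]; then echo "/etc/hosts.equiv exists"; fi
```

Accounts such as sync or shutdown, whose "shell" is a single command on some distributions, will also be listed and need a manual look.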

3. Secure Root access
Securing Root, also known as Super User, is the single most important action you must take to secure your system. After ensuring you have another user account you can use to log in to the system, it is good to disable Root login capability. You would then log in with standard user access and, when you need the administrative capability of Root, access it temporarily with the su command. Direct login by Root can be prevented in most distributions by editing the file /etc/securetty so there is a hash (#) at the beginning of each line. As part of this step you should:

  • Ensure the telnet server package is not installed so telnet access is unavailable.
  • Prevent SSH login by editing the file /etc/ssh/sshd_config. For example, in Red Hat you would change the DenyUsers line to read DenyUsers root.
  • Limit Root's search path to only those directories needed for administrative tasks. Check Root's .cshrc, .login, and .profile files to ensure the current directory (.) is not part of the search path.
  • Ensure protection for files created by Root. Set Root's umask to 077 (read, write, and execute permissions only for Root) or 022 (other users can read and execute but not change).
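The checks in this list can be verified after the edits are made. The following is an added example, not part of the original article; the function names and sample file contents are assumptions, and the terminal list is the file of permitted Root terminals (/etc/securetty on most distributions).

```shell
#!/bin/sh
# Checks for step 3. File checks read the file on stdin, e.g.
#   sshd_denies_root < /etc/ssh/sshd_config

# True if a PATH-style string searches the current directory: a "."
# element, or an empty element (leading/trailing ":" or "::").
path_searches_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Terminals still open to direct root login: every line of the terminal
# list that is neither blank nor commented out with "#".
open_root_ttys() {
    grep -Ev '^[[:space:]]*(#|$)' || true
}

# True if an active (uncommented) DenyUsers line names root.
sshd_denies_root() {
    awk 'tolower($1) == "denyusers" {
             for (i = 2; i <= NF; i++) if ($i == "root") found = 1
         }
         END { exit !found }'
}

# True if a umask value is one of the two the article recommends.
umask_ok() {
    case "$1" in 077|0077|022|0022) return 0 ;; *) return 1 ;; esac
}

# Constructed samples, not taken from a real system.
sample_ttys() { printf '%s\n' '#console' '#tty1' 'tty2' ''; }
sample_sshd() { printf '%s\n' 'Protocol 2' '#DenyUsers root' 'DenyUsers guest root'; }

if path_searches_cwd "/sbin:/usr/sbin:.:/bin"; then echo "PATH includes ."; fi
echo "root may log in on: $(sample_ttys | open_root_ttys)"
if sample_sshd | sshd_denies_root; then echo "sshd refuses root"; fi
if umask_ok "$(umask)"; then echo "umask ok"; else echo "umask is $(umask)"; fi
```

An empty PATH element is treated the same as "." because the shell resolves it to the current directory.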

4. Secure physical access
Go into Setup, set a BIOS password and configure your system to boot from the hard drive only. This will prevent an attacker with physical access from simply loading a bootable disk, recycling power on the system, and gaining root access quite easily. Of course they could still accomplish the same thing by clearing the CMOS, but this does make it less likely.

5. Remove and/or disable unnecessary system services
The command ls -l /etc/rc.d/rc3.d/S* or ls -l /etc/rc.d/rc5.d/S* for graphics mode will show startup scripts. You can then verify only necessary services are running and use chkconfig to stop a service from loading at startup. An example command would be:

/sbin/chkconfig --level 2345 <service_name> off

Where <service_name> is the service which should not run and 2345 refers to the run-levels where the command will apply.

Some distributions will need to have services removed from /etc/xinetd or /etc/xinetd.conf. The service listed in /etc/xinetd.conf can be disabled simply by placing a hash mark (#) at the beginning of the line that loads it.
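Reviewing startup scripts by eye is easier against a list of services you expect to run. The following is an added example, not part of the original article; the function names, the allowlist, and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# List services started in a runlevel directory (S<NN><name> entries)
# that are not on an allowlist, one per line.
# $1 = runlevel directory, remaining args = services expected to run.
unexpected_services() {
    dir=$1; shift
    for path in "$dir"/S[0-9][0-9]*; do
        [ -e "$path" ] || continue      # directory had no S* entries
        name=${path##*/}                # e.g. S55sshd
        name=${name#S[0-9][0-9]}        # e.g. sshd
        case " $* " in
            *" $name "*) ;;             # on the allowlist
            *) echo "$name" ;;
        esac
    done
}

# Constructed stand-in for /etc/rc.d/rc3.d; prints the directory it made.
make_sample_rc_dir() {
    d=$(mktemp -d)
    touch "$d/S10network" "$d/S55sshd" "$d/S80sendmail" "$d/K20nfs"
    echo "$d"
}

# Demo: print the chkconfig command to review for each unexpected service.
demo_dir=$(make_sample_rc_dir)
unexpected_services "$demo_dir" network sshd | while read -r svc; do
    echo "review: /sbin/chkconfig --level 2345 $svc off"
done
rm -rf "$demo_dir"
```

On a real system, pass /etc/rc.d/rc3.d (or rc5.d for graphics mode) as the first argument.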


Talkback 3 comments

    pre-installation? Anonymous -- 05/12/05 (in reply to #120124345)

    huh? I think those are post-installation tips. How can I install the latest updates before installing the OS?

    fixed ZDNet Editor -- 06/12/05 (in reply to #120124346)

    thanks mate. that was a mistake on our part. the headline has been fixed.

    Find much more Linux OS data here! Anthony Cea -- 28/12/05

    All computer users need to research all available Linux data and let their friends know, we all need to spread the word on the new Linux Desktop OS and now Linux OS that are web applications!

    Get more data and Linux OS links here:

    http://www.webcenter.squarespace.com/linux-desktop-plus-search/

    Get out there and spread the good news!
