6. Control network access
Most distributions automatically include TCP wrappers which may be used to control services based on IP addresses and host names. Edit /etc/hosts.allow to read ALL: LOCAL to permit local logins and edit /etc/hosts.deny to read ALL: ALL to deny remote connections. Specific ports may be listed if you need to allow some remote connections.
IPTABLES regulates the ports from which packets will be allowed to access your system. Some distributions, including Red Hat, automatically configure this based on which system services are specified as required during system installation. Please consult the documentation for your particular distribution to ensure this important "firewall" is enabled.
If you must have FTP enabled, make sure it's as secure as possible. Reference CERT Tech Tips for instructions on FTP configuration.
7. Configure auditing and system logs
Log files can be your most important tool in resolving any difficulties that arise. Syslog is the daemon that controls the Linux log files and its configuration is controlled by /etc/syslog.conf. All log files should be owned by Root.
There is a new-generation logging daemon that allows greater sorting capability, thereby making management easier. Review its capabilities at Freshmeat: Syslog-ng.
Logwatch or Swatch are well-known, tested and tried utilities for automatically monitoring log files and alerting you to possible problems.
8. Configure file security
Only Root should have access to CRON. Otherwise, anyone gaining access to the system could schedule a damaging process to run at any time. Root should be the owner and group for /etc/fstab, /etc/passwd, /etc/group and /etc/shadow. Verify the permissions for these files are 644, except for /etc/shadow, which should be 400.
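The ownership and permission check from step 8 as a script. This is an added example, not part of the original article. It assumes GNU stat (the -c option); the function names check_file and audit_etc and the optional ROOT, OWNER and GROUP arguments are introduced here for illustration.

```shell
#!/bin/sh
# Added example: audit the files named in step 8 against the article's values
# (owner and group root; mode 644, except /etc/shadow at 400).
# Assumes GNU stat (the -c option), as shipped on Linux.

# check_file PATH MODE OWNER GROUP
# Prints one line per file; returns 1 if the file is missing or differs.
check_file() {
    path=$1
    expected="$2:$3:$4"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    # %a = octal mode, %U = owner name, %G = group name.
    # A symlink is examined itself (not its target), so it shows as a mismatch.
    actual=$(stat -c '%a:%U:%G' "$path")
    if [ "$actual" != "$expected" ]; then
        echo "BAD     $path is $actual, expected $expected"
        return 1
    fi
    echo "OK      $path"
}

# audit_etc [ROOT] [OWNER] [GROUP]
# Checks the four files under ROOT/etc. The arguments exist so the audit can be
# pointed at a mounted image or a test tree; the defaults fit a live system.
audit_etc() {
    root=${1:-}
    owner=${2:-root}
    group=${3:-root}
    failures=0
    while read -r file mode; do
        check_file "$root/etc/$file" "$mode" "$owner" "$group" ||
            failures=$((failures + 1))
    done <<EOF
fstab 644
passwd 644
group 644
shadow 400
EOF
    [ "$failures" -eq 0 ]
}

# Live system: call audit_etc with no arguments; status 0 means all four match.
```

Run it as Root so the script itself does not depend on who is allowed to read /etc/shadow; a non-zero exit status makes it easy to call from a scheduled job.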
9. Prepare for disaster recovery
Create a boot disk for your newly configured system. Most distributions include the utility Mkbootdisk which makes this a simple endeavour.
You should plan to back up important data on a regular basis. To create a tarball of a specific list of directories, issue the command:
tar -cvf archive-name.tar dir1 dir2 dir3...
Here archive-name.tar is the name of the tarball you are creating, and dir1, dir2, etc. are the directories being copied to it.
Suggestions for more comprehensive backups may be found at this "HowTo" and serious fault tolerance can be provided by creating a system image of your ideal load.
10. Plan for system maintenance
Get yourself added to some mailing lists that will notify you of updates for your Linux distribution. Distribution maintainers usually have a mailing list for notifying users when a new stable distribution or important patches have been released.
Some sites that will alert you of current security issues include:
©2005 TechRepublic, Inc.








Huh? I think those are post-installation tips. How can I install the latest updates before installing the OS?