John R Pierce wrote:
On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
Please suggest one, as I keep googling and all the results bring books
dealing with Linux as a real server and not a VPS.
you could do worse than starting here... http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/
VPS and real hardware work exactly the same once the software is
my base level suggestions:
* start with a *minimal* install of the latest release (currently 6.2)
* create your user account, give both user and root account different
I was assuming his provider gave him a working system, not virtual bare
* secure the SSH server (no root, key instead of password
authentication, only allow ssh from your home/office networks or a
few secure 'bastion' hosts, etc)
* yum update right after install and reboot
Yup.
* install *just* the services you need, only from trustworthy yum
YES! For about 10 years, I ran an old rh (NOT RHEL) system as a
firewall/router for my home network. I ran Bastille Linux over it - which
is *not* a distro, but a set of hardening scripts. Great stuff, and NIST
recommendations these days refer to it, last time I looked.
After running Bastille, *then* I got paranoid: I never installed X
(security holes), or *any* compiler, or language I didn't absolutely need
(no gcc, yes to perl). No nuttin'... and to the best of my knowledge,
though I did see scans, I never had an intrusion, partly due to firewall
rules of DROP, and partly because they had nothing to use to run their
If it got installed, and you don't need it, don't only turn it off, yum
remove. At work, and home, I certainly don't need either bluetooth or
avahi running, on wired boxen.
* secure the services you install as appropriate
* document your configuration, including what packages you needed to
YES. You do *not* want to be trying to figure out what you'd done, a year
from now, at 17:00 on a Friday, or 02:00 some morning.
* script a secure backup of your configuration specific conf and data
files to reliable offsite storage.
Yup. Or have the full website, and all configuration files for the system,
on your machine at home or work, so you can just upload the whole thing.
* plan on regular yum updates, and staying up on security alerts, such
RH, and this offshoot I know of, called CentOS, are pretty good at
announcing security fixes in a timely manner.... (take a bow, Johnny).
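
Added example, not part of the original thread and not code posted by anyone in it: a shell check for the SSH item in the list above (no root, key instead of password authentication). The function names and the sample config files are made up for illustration; on a live host, `sshd -T` prints the effective settings.

```sh
#!/bin/sh
# Added example: checks the global section of an sshd_config-style file for
# "no root" and "key instead of password". Sample files below are constructed.

# effective_value FILE KEYWORD: print the value from the global section.
# Keywords are case-insensitive, "Keyword=value" is accepted, the first
# occurrence wins, and everything from the first Match line on is ignored.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }
        key == "match" { exit }                   # conditional blocks start here
        key == want { print tolower($2); exit }   # first occurrence wins
    ' "$1"
}

# audit_sshd FILE: return 0 only if both settings are explicitly "no".
# An unset directive fails too, because the outcome would then depend on the
# sshd build's default.
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$kw")
        [ "$val" = "no" ] || { echo "FAIL $kw=${val:-unset} ($1)"; rc=1; }
    done
    return "$rc"
}

demo=$(mktemp -d)
# Constructed: the second PermitRootLogin line has no effect.
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' \
    'passwordauthentication=no' > "$demo/first_wins"
# Constructed: PermitRootLogin only inside a Match block, so not global.
printf '%s\n' 'PasswordAuthentication no' 'Match User backup' \
    '    PermitRootLogin no' > "$demo/match_only"
# Constructed: both set globally.
printf '%s\n' '# hardened' 'PermitRootLogin no' \
    'PasswordAuthentication no' > "$demo/hardened"

for f in first_wins match_only hardened; do
    audit_sshd "$demo/$f" && echo "OK $demo/$f"
done
```

The check covers only the two directives named in the list; restricting which networks may connect is a separate setting and is not examined here.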