Most Linux distributions are reasonably secure and stable out of the box. Still, it is good practice to make sure that the default settings are appropriate for your circumstances and change them as needed.
These notes assume a new, out-of-the-box Linux installation and a home or small-office user with only modest security needs. If your security requirements are higher than that, you will find this advice inadequate. Likewise, I do not consider the broader picture here, but you should: router and network setup and monitoring, external firewalling, user training and monitoring, and organizational best practices are all outside the scope of this article, but should not be ignored.
First, consider whether the box would be better off with a clean install before you continue. A box suspected of having been rooted, one of unknown provenance, or one running a release that is nearing the end of its support lifetime is a good candidate for a clean installation of a reputable, up-to-date distribution. A rooted box in particular cannot be trusted to clean itself up: wipe it, reinstall from trusted media, and bring back only data, not binaries or configuration you have not reviewed.
Ensure that the firewall is enabled and that its default policy for incoming connections is to drop anything you have not explicitly allowed. Many distributions have tools for this. On Mandriva and derivatives, look in the Mandriva Control Center under Security – Personal Firewall. If you know what you are doing, Webmin's networking section has two relevant modules: Shorewall Firewall if you use Shorewall, and Linux Firewall (plain iptables) otherwise.
Assign the computer a fully qualified domain name (a hostname plus a domain, not just a bare hostname). Postfix, set up below, uses it to address system mail, and it makes the box easy to identify in its own logs and on the network.
Set up online software repository sources per your distribution. Mandriva users should, as a minimum, set up the official and PLF sources using Easy Urpmi; also consider adding trustworthy third-party repositories such as MIB. Be selective here: a third-party repository can replace official packages with its own, and every repository you add is a party you trust to put code on your box. Make sure each repository's signing key is installed, so that the package manager verifies package signatures instead of installing whatever a mirror hands it. The process should be straightforward, but you may want to review these package management tips for RPM and APT.
Apply all pending updates. This may take a while; plan to leave it running overnight. If the kernel was updated, reboot: until you do, the running kernel is still the old one. Services that were updated likewise keep running the old code until restarted, and the reboot takes care of those too.
Review the sudoers list and modify it if warranted. Edit it with visudo, which checks the syntax before saving (a malformed sudoers can lock you out of root), and remove entries that grant more than the account needs, in particular password-less root for ordinary user accounts.
Configure postfix, and set your email client to receive system mail and notify you when it arrives. On a box like this, postfix only needs to deliver local mail, so there is no reason to let it listen on anything but the loopback interface. From now on, whenever you set up critical software or a monitor, have it send you a system mail to confirm successful completion (e.g. of a daily backup) or to raise an alarm; the absence of an expected confirmation is then itself a warning.
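As an added example of what "review and modify" means in practice (this is not the article's own text, nor any distribution's default file): a sudoers policy that shows the blanket grant, commented out, beside the narrower rules that replace it, a check that no active line hands out password-less root, and a visudo syntax check before the file is installed. The wheel group, the "backup" account and the backup script path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a reviewed sudoers policy,
# a check for the worst grant, and a visudo syntax check. The wheel group,
# the backup account and /usr/local/sbin/backup.sh are assumptions.

# write_sudoers FILE : write the reviewed policy to FILE.
write_sudoers() {
    cat > "$1" <<'EOF'
# Too broad, and common on single-user boxes: any compromise of alice's
# account, or any program she runs, is a password-less root shell.
#   alice   ALL=(ALL) NOPASSWD: ALL
Defaults    env_reset
Defaults    timestamp_timeout=5
Defaults    logfile=/var/log/sudo.log
# Administrators get root, but must type their password each time.
%wheel  ALL=(ALL) ALL
# The backup account may run the backup script as root, and nothing else.
Cmnd_Alias BACKUP = /usr/local/sbin/backup.sh
backup  ALL=(root) NOPASSWD: BACKUP
EOF
}

# no_blanket_nopasswd FILE : succeed only if no active (non-comment) line
# grants "NOPASSWD: ALL".
no_blanket_nopasswd() {
    ! grep -v '^[[:space:]]*#' "$1" |
        grep -q -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'
}

# check_sudoers FILE : syntax-check FILE with visudo. visudo -c also insists
# on root ownership and mode 0440, so those are fixed first (needs root).
check_sudoers() {
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1" && chmod 0440 "$1"
    fi
    if ! command -v visudo >/dev/null 2>&1; then
        echo 'visudo not found; refusing to install an unchecked sudoers' >&2
        return 1
    fi
    visudo -c -f "$1"
}

# install_sudoers FILE : back up the live file and replace it with FILE,
# but only after both checks pass (needs root).
install_sudoers() {
    no_blanket_nopasswd "$1" || { echo 'blanket NOPASSWD: ALL present' >&2; return 1; }
    check_sudoers "$1" || return 1
    cp -p /etc/sudoers "/etc/sudoers.bak.$(date +%Y%m%d)" &&
        cp "$1" /etc/sudoers && chmod 0440 /etc/sudoers
}
```

On sudo 1.7.2 and later you can drop the policy into /etc/sudoers.d instead of replacing the whole file; the checks are the same either way.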
Many distributions have a security auditing tool; configure it and familiarize yourself with its reports, and have the periodic report delivered by the system mail you just set up. Mandriva has msec, for example, and Red Hat has sectool.
Set up hardware monitoring and alarms: SMART monitoring of the disks (smartd) and temperature and fan monitoring (lm_sensors) where the hardware supports it, with alarms delivered by system mail, so that a failing disk announces itself before it takes the data with it.
Review the relevant logs for issues to resolve:
- dmesg prints the kernel's ring buffer: the kernel messages since boot, including hardware detection and driver errors. Older entries are overwritten once the buffer fills, so read it soon after booting.
- /var/log/messages collects most system messages via syslog. Depending on the distribution, authentication messages may go to /var/log/secure or /var/log/auth.log instead.
- /var/log/Xorg.0.log holds the messages of the graphics server.
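A first pass over those logs does not have to be done by eye. The script below is an added example (not part of the article) that greps for the message families a freshly set-up box most often turns up: disk and SMART errors, out-of-memory kills, segfaults, packets logged by the firewall, and failed logins. Given no file it runs on a constructed sample log embedded in the script; given files, it runs on those. The patterns, the "FW-DROP:" prefix (whatever prefix your firewall's LOG rule uses) and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a first triage of syslog
# output. Patterns, the FW-DROP prefix and the sample log are assumptions.

# Categories to look for: "tag regex" per line, case-insensitive ERE.
PATTERNS='disk i/o error|ata[0-9]+.*(error|failed)|smartd.*(unreadable|fail|warn)
oom out of memory|oom-killer|killed process
segv segfault at
fw FW-DROP:
auth authentication failure|failed password|invalid user'

# pattern_for TAG : print the regex for TAG, or fail if TAG is unknown.
pattern_for() {
    printf '%s\n' "$PATTERNS" |
        awk -v t="$1" '$1 == t { sub(/^[^ ]+ /, ""); print; found = 1 } END { exit !found }'
}

# count_hits TAG FILE... : number of lines in FILE... matching TAG.
count_hits() {
    tag=$1; shift
    pat=$(pattern_for "$tag") || return 2
    cat "$@" 2>/dev/null | grep -c -i -E "$pat" || true
}

# show_hits TAG FILE... : the matching lines, with file name and line number.
show_hits() {
    tag=$1; shift
    pat=$(pattern_for "$tag") || return 2
    grep -H -n -i -E "$pat" "$@" 2>/dev/null || true
}

# log_summary FILE... : one "tag count" line per category.
log_summary() {
    for tag in disk oom segv fw auth; do
        echo "$tag $(count_hits "$tag" "$@")"
    done
}

# write_sample_log FILE : a constructed /var/log/messages excerpt (not real
# captured data) covering every category plus one harmless cron line.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 02:14:07 box kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Mar  3 02:14:07 box kernel: ata1.00: failed command: READ DMA
Mar  3 02:14:08 box kernel: end_request: I/O error, dev sda, sector 1234567
Mar  3 03:00:01 box smartd[1234]: Device: /dev/sda, 1 Currently unreadable (pending) sectors
Mar  3 04:22:11 box kernel: firefox[4321]: segfault at 0 ip 0804a1f0 sp bfb1c2d0 error 4
Mar  3 05:10:33 box kernel: Out of memory: kill process 5678 (java) score 123 or a child
Mar  3 05:10:33 box kernel: Killed process 5678 (java)
Mar  3 06:01:00 box kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=23
Mar  3 06:01:05 box kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=445
Mar  3 07:15:42 box sshd[2222]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  3 07:15:48 box sshd[2222]: Invalid user admin from 203.0.113.9
Mar  3 08:00:00 box cron[999]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Summarize the files given, or the sample when run with none.
if [ $# -gt 0 ]; then
    log_summary "$@"
else
    sample=$(mktemp) && write_sample_log "$sample" && log_summary "$sample"
    rm -f "$sample"
fi
```

Run it as root with `/var/log/messages` (and `/var/log/secure` or `/var/log/auth.log`, where your distribution puts authentication messages) as arguments, then use `show_hits disk /var/log/messages` and the like to read the actual lines behind any non-zero count. Every category that is non-zero is something to resolve before moving on; the disk one in particular is why the hardware monitoring step above matters.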
Systems with higher than normal security requirements might benefit from an intrusion detection system, but most home users would find this overkill. The same applies to a file integrity checker, with the added cost that you will have to deal with false positives and re-baseline the checker every time the system receives an update, because updated binaries legitimately change.
Make an image of the root partition now, while the system is freshly installed, fully updated and known to be clean, and save it as a “system restore” image on media the running box cannot overwrite. Set up periodic backups of /home and /etc to go with it (the epilogue below assumes they exist), and refresh the image after major update cycles, so that a restore does not reinstate months-old, vulnerable packages.
EPILOGUE: RECOVERING FROM FUTURE DISASTERS
Now that you have an image of a secure root partition and periodic backups are being made of /home and /etc, you can recover. When disaster strikes, restore the image and the latest clean backup, and you will usually be running again in less than an hour. Two caveats: the image is only as current as the day you made it, so repeat the update step immediately after restoring; and if the disaster was a compromise, the latest backup may contain the attacker's changes, so restore /etc from a backup that predates the intrusion and check /home for anything that should not be there before trusting the box again.