Security and stability tuning on Linux

Most Linux distributions are reasonably secure and stable out of the box. Still, it is good practice to make sure that the default settings are appropriate for your circumstances and change them as needed.

These notes assume a new, out-of-the-box Linux installation and a home or small office user with modest security needs. If your security requirements are higher than that, you will find this advice inadequate. The broader picture is also out of scope here, but you should not ignore it: router and network setup and monitoring, external firewalling, user training and monitoring, and organizational best practices all matter.

First, consider whether the box would profit from a clean install before continuing. Boxes suspected of having been rooted, of unknown provenance, or running a release approaching the end of its support lifetime are good candidates for a clean installation of a reputable, up-to-date distribution. For a box you suspect was rooted, install from media you trust and carry over only data from the old system, never its executables or configuration files.

Ensure that the firewall is enabled and that its inbound policy is deny by default, with exceptions only for services you actually intend to expose. Many distributions have tools for this. On Mandriva and derivatives, look in the Mandriva Control Center at Security – Personal Firewall. If you know what you are doing, Webmin’s networking section has two relevant modules: Shorewall Firewall if you use Shorewall, and Linux Firewall otherwise.

Assign the computer a fully qualified domain name, so that system mail and log entries identify the machine correctly.

Remove unneeded or resource-hogging software. I find it helpful to keep a list of software I usually remove. Deactivate or remove unneeded services, starting with anything that listens on the network: every listening service is attack surface whether or not the firewall admits traffic to it.
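The two steps above in concrete form (enumerate what is listening, then write a default-deny firewall that admits only the ports you decided to keep), as an added example that is not part of the original post. It assumes iproute2’s ss and nftables are installed; the ss output, the ruleset and the temporary file path are constructed for the demonstration rather than taken from any real machine.

```shell
#!/bin/sh
# Added example, not from the original post: list listening TCP ports and
# generate a default-deny inbound nftables ruleset that admits only the
# ports you choose. Assumes iproute2 (ss) and nftables (nft) on the host.

# listening_tcp_ports: read `ss -ltn` output on stdin, print each listening
# TCP port once, numerically sorted. Field 4 is "Local Address:Port"; the
# last colon-separated piece is the port, which also handles "[::]:22".
listening_tcp_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -nu
}

# write_ruleset FILE [PORT...]: write a ruleset that drops all inbound
# traffic except loopback, replies to our own connections, ICMP and the
# listed TCP ports. Anything you did not list stays reachable only locally.
write_ruleset() {
    file=$1; shift
    allow=""
    if [ $# -gt 0 ]; then
        allow="        tcp dport { $(printf '%s, ' "$@" | sed 's/, $//') } accept"
    fi
    cat > "$file" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
$allow
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Constructed `ss -ltn` output standing in for a live query (on a real box:
# ss -ltnp | listening_tcp_ports, -p adds the owning process). Port 631
# (CUPS) binds loopback only, so it shows up here but is not opened below.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*'

echo "listening: $(printf '%s\n' "$SAMPLE_SS" | listening_tcp_ports | tr '\n' ' ')"

# Assumed temporary path; for real use write to the file your distribution
# loads at boot (on Debian /etc/nftables.conf), then as root:
#   nft -c -f FILE   (syntax check only)   &&   nft -f FILE   (load)
RULES=$(mktemp)
write_ruleset "$RULES" 22
cat "$RULES"
rm -f "$RULES"
```

Decide the allow list by hand from the listener output rather than feeding it straight into write_ruleset; the point of the exercise is that a port found listening (631 above) is not automatically one you want reachable from the network.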

Set up online software repository sources per your distribution. Mandriva users should as a minimum set up official and PLF sources using Easy Urpmi; also consider adding trustworthy third-party repositories like MIB. The process should be straightforward, but you may want to review these package management tips for RPM and APT.

Apply all pending updates. This may take a while; plan to leave it running overnight. If the update included a new kernel, reboot: until you do, the old, unpatched kernel is still the one running.
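A small check for the last point, as an added example that is not part of the original post: compare the kernel that is running with the newest one installed and say whether a reboot is still owed. It assumes GNU sort (for version ordering) and that each installed kernel has a directory under /lib/modules, as on Debian, Fedora and Mandriva-family systems; the version strings in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: after updating, tell whether the
# kernel actually running is the newest one installed. Assumes GNU sort -V
# and one directory per installed kernel under /lib/modules.

# newest_kernel VERSION...: print the highest version string given.
# sort -V orders digit runs numerically, so 5.15.0-101 sorts above 5.15.0-91.
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# reboot_needed RUNNING INSTALLED...: succeed (exit 0) when some installed
# kernel is newer than the running one, fail (exit 1) otherwise. The running
# version is included in the comparison so leftover module directories for
# older kernels can never make the result go backwards.
reboot_needed() {
    running=$1
    shift
    newest=$(newest_kernel "$running" "$@")
    [ "$newest" != "$running" ]
}

# Live check. The command substitution is unquoted on purpose: one argument
# per installed kernel directory. An empty /lib/modules just means "no reboot".
running=$(uname -r)
if reboot_needed "$running" $(ls /lib/modules 2>/dev/null); then
    echo "kernel $running is running but a newer one is installed: reboot"
else
    echo "kernel $running is the newest installed"
fi
```

On distributions whose package manager leaves its own marker (Debian’s /run/reboot-required, for example) that marker is authoritative; this check is the portable fallback.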

Review the sudoers list (edit it with visudo, which checks the syntax before saving) and modify it if warranted. Pay particular attention to NOPASSWD entries and to users or groups granted ALL, since either amounts to a second root account.
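A way to make that review mechanical, as an added example that is not part of the original post. The sample sudoers text is constructed; /etc/sudoers.d is the assumed include directory, and @include/#include directives are not followed, so every file has to be fed in explicitly.

```shell
#!/bin/sh
# Added example, not from the original post: flag sudoers entries that grant
# broad privilege. Reads sudoers text on stdin so it runs on the constructed
# sample below or, as root, on the real files:
#   visudo -c && cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers
# Three patterns are checked: NOPASSWD anywhere, a group line granting
# ALL=(ALL[:ALL]) ALL, and a non-root user line granting the same.

# audit_sudoers: print one finding per suspect line; exit 1 if any, else 0.
audit_sudoers() {
    awk '
        BEGIN { full = "ALL[ \t]*=[ \t]*\\(ALL(:ALL)?\\)[ \t]*ALL[ \t]*$" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        /NOPASSWD/ { print "passwordless: " $0; found = 1; next }
        $0 ~ full && /^%/ { print "unrestricted group: " $0; found = 1; next }
        $0 ~ full && $1 != "root" { print "unrestricted user: " $0; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample, not from any real system. Expected findings: %sudo
# (every member is root-equivalent) and alice (root without a password).
# bob is scoped to one command and carol is commented out, so neither fires.
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
bob ALL=/usr/bin/apt
# carol ALL=(ALL) ALL'

if printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers; then
    echo "sudoers: no broad grants found"
else
    echo "sudoers: review the entries above"
fi
```

A finding is not automatically a fault: on a single-user workstation %wheel or %sudo with ALL is the normal arrangement. The check exists so that every such grant is a decision you made rather than one you inherited.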

Configure postfix and set your email client to receive system mail and notify you on receipt. From then on, when setting up critical software or monitors, have each one send you a system mail to confirm successful completion (e.g. a daily backup) or to report an alarm condition; once that habit is in place, silence from a job that normally reports is itself a signal worth investigating.

Many distributions have a security tool; configure it and familiarize yourself with its reports. Mandriva has msec, for example, and Red Hat has sectool.

Set up and test automatic backups. For standalone workstations, I like SpiderOak.

Set up hardware monitoring and alarms: smartd for disk health, which can mail you when a drive starts failing, and lm_sensors for temperatures and fan speeds.

Review relevant logs for issues to resolve:

Systems with higher than normal security requirements might benefit from an intrusion detection system, but most users would find this overkill. The same goes for a file integrity checker, which additionally burdens you with false positives: every package update changes files legitimately, so the baseline has to be reviewed and regenerated after each one, or the alarms turn into noise you learn to ignore.
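For readers who want to see what that burden looks like before deciding, here is the smallest possible integrity checker, as an added example that is not part of the original post: a sha256 baseline over a directory, a check that diffs a fresh baseline against it (so added files are caught as well as changed and missing ones), and the re-baselining step that has to follow every legitimate update. It assumes GNU coreutils; the demo tree and its contents are constructed, not system files.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal file integrity check
# built from sha256sum and diff. A baseline is taken over a directory, later
# checks diff a fresh baseline against it, and after a legitimate update the
# baseline is regenerated (the "retraining" the post mentions). Assumes GNU
# coreutils. The files below are a constructed demo tree, not system files.

# make_baseline DIR FILE: record "hash  ./path" for every regular file in
# DIR, sorted by path so two baselines of the same tree compare cleanly.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# check_baseline DIR FILE: diff a fresh baseline of DIR against FILE. Lines
# starting with - are recorded entries that changed or vanished, lines with +
# are new hashes or files added since the baseline. Exit 1 on any change.
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    diff -u "$2" "$current"
    status=$?
    rm -f "$current"
    return "$status"
}

# Demo (constructed tree): baseline it, tamper with one file and drop in
# another, detect both, then accept the change by re-baselining as you would
# after reviewing a package update. Real use would be along the lines of
# make_baseline /etc /root/etc.sha256, with the baseline kept off the box or
# on read-only media so an intruder cannot rewrite it too.
demo_root=$(mktemp -d)
baseline=$(mktemp)
mkdir -p "$demo_root/etc/ssh"
printf 'PermitRootLogin no\n' > "$demo_root/etc/ssh/sshd_config"
printf 'Linux demo box\n' > "$demo_root/etc/issue"

make_baseline "$demo_root" "$baseline"
check_baseline "$demo_root" "$baseline" && echo "baseline verified: clean"

printf 'PermitRootLogin yes\n' > "$demo_root/etc/ssh/sshd_config"   # tampered
printf 'evil\n' > "$demo_root/etc/dropped_in"                        # added
check_baseline "$demo_root" "$baseline" || echo "ALERT: integrity check failed"

make_baseline "$demo_root" "$baseline"   # accept after review ("retrain")
check_baseline "$demo_root" "$baseline" && echo "re-baselined: clean"
rm -rf "$demo_root" "$baseline"
```

Run the check from cron and pipe its output into the system mail you set up earlier; the re-baseline step is the part that a real tool (AIDE, Tripwire and the like) automates, and the part that makes the approach tedious on a machine that updates daily.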

Make an image of the root partition and save it as a “system restore” image. Take it now, after hardening and updating but before the box goes into daily use, and keep it offline so that whatever eventually hits the box cannot also corrupt the image.

EPILOGUE: RECOVERING FROM FUTURE DISASTERS
Now that you have an image of a clean, hardened root partition and periodic backups are being made of /home and /etc, you are in a good position to recover. When disaster strikes, restore the image, restore the latest clean backup of /home and /etc on top of it, apply every update released since the image was taken, and reboot; the whole procedure should take less than an hour. Two cautions: the restored image predates those updates, so the box is vulnerable until it has been patched, and a backup taken after a compromise may carry the compromise with it, so restore from the newest backup you have reason to trust rather than simply the newest one.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?