Protect the root account
The root, or superuser, account on a Linux system allows access to anything and everything. For this reason, it’s well worth taking extra steps to protect it. Start by setting a hard-to-guess password for this account with the passwd command and change it on a regular basis.
Next, restrict the terminals from which root may log in by editing the file /etc/securetty. To avoid users leaving a root terminal “open”, set a timeout for idle root shells with the TMOUT shell variable, and ensure that the root command history file (which might contain sensitive information) is disabled by setting the HISTFILESIZE shell variable to 0. Finally, enforce a policy of using this account only to perform specific administrative tasks, and discourage users from logging in as root by default.
Next, require that every normal user account has a password, and ensure that passwords do not use easily recognisable heuristics such as birthdays, user names or dictionary words.
Install a firewall
A firewall lets you filter data packets moving in and out of your server and ensures that only those packets matching pre-defined rules are permitted to enter or exit. A number of excellent firewalls are available for Linux, and firewall code can even be compiled directly into the kernel. Begin by defining input, output and forwarding rules for packets leaving and entering your network, using the ipchains or iptables commands. Rules may be specified on the basis of IP addresses, network interfaces, ports, protocols or combinations of these attributes; these rules also specify what action (accept, reject, forward) to take when a match occurs. Once the rules are installed, test the firewall extensively to ensure that no holes exist in it. A good firewall is your first line of defense against common attacks like distributed denial of service (DDoS).
Use OpenSSH for network transactions
If network transactions take place in plain text, it is possible for a hacker to “sniff” the data packets being transmitted and thus gain access to sensitive information. You can close this hole by using a secure shell utility like OpenSSH to create a secure encrypted “tunnel” for your data to pass through. Encrypting your connections in this manner makes it extremely hard for unauthorized users to read your data over the network.
Disable unwanted services
Most Linux systems are installed with a wide variety of services enabled, such as FTP, telnet, UUCP, etc. In most cases, these services are not used. You can disable these services by commenting them out in the /etc/inetd.conf or /etc/xinetd.conf files and then restarting the inetd or xinetd daemon. Additionally, some services (for example, database servers) may start up by default during the boot process; you can disable these by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, leaving only SSH ports open.
Install an intrusion detection system
Intrusion detection systems (IDS) are early warning systems that let you know if changes occur on your network. They’re a great way to identify (and even prove) attempts to break into your system, although at the cost of increased resource consumption and potential red herrings. There are two fairly well-known IDSs you could use: tripwire, which tracks file signatures to detect modifications; and snort, which uses rule-based directives to perform real-time packet analysis and identify attempts to probe or attack your system. Both programs can generate e-mail alerts (among other actions) and are useful when you suspect your network is being compromised but need definitive proof.
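As an added example (not code from the page or from tripwire itself), here is a minimal tripwire-style integrity check in Python: it records a signature for every file under a directory, then reports what was added, removed or modified on a later scan. The directory tree and the tampering in demo() are constructed inline so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Signature (digest, mode, owner, size) for every regular file under root.
    Mode and owner are kept so a permission change (e.g. a newly set setuid
    bit) is reported even when the bytes are unchanged; symlinks are skipped."""
    root, baseline = Path(root), {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p), "mode": st.st_mode & 0o7777,
                "uid": st.st_uid, "size": st.st_size}
    return baseline

def compare(old, new):
    """Diff two baselines: paths added, removed, or whose signature changed."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def demo():
    """Constructed scenario: baseline a throw-away tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"etc/a.conf": b"TMOUT=300\n", "etc/b.conf": b"HISTFILESIZE=0\n",
                          "bin/old": b"#!/bin/sh\n"}.items():
            (root / rel).parent.mkdir(exist_ok=True); (root / rel).write_bytes(data)
        os.chmod(root / "etc/b.conf", 0o640)
        before = build_baseline(root)
        (root / "etc/a.conf").write_bytes(b"TMOUT=0\n")   # content changed
        os.chmod(root / "etc/b.conf", 0o600)              # mode changed, bytes same
        (root / "bin/old").unlink()                       # removed
        (root / "bin/new").write_bytes(b"#!/bin/sh\n")    # added
        return compare(before, build_baseline(root))
```

In real use the baseline would be written to read-only or offline storage right after installation, since a baseline an intruder can rewrite proves nothing.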