Friday, August 31, 2007

10 Steps to Secure and Lock Down a Linux Production Server

After a simple installation of a distribution like SuSE or RedHat, there are some steps that need to be followed to have peace of mind. After this, you are more ready to move the server onto a production network.

Actually, not all of the steps are about security. Some of them are just nice to have checked before going into production.

Let us dive in:
  1. Check dmesg output: Make sure it recognizes all hardware correctly and does not show any nasty errors.
  2. Check filesystem sizes and free space: Are any sizes alarmingly small with respect to the system you are going to be running?
  3. Set up clock synchronization
  4. Turn off unused services: Like cupsd, nfs, alsasound, ...
  5. Uninstall unused software: Start with the software behind the services turned off above, but don't stop there.
  6. Firewall it: Consider installing a firewall on the host itself.
  7. Restrict access: Make sure access protocols are limited to ssh/sftp. Also, consider locking down sshd to only some IPs, etc.
  8. Cut down on running processes: Check running processes and consider if any of them are unimportant to your system. If so, turn them off.
  9. Cut down on open ports: Use netstat and possibly a port scanner to check open ports. Have you closed all but the necessary ones?
  10. Security updates: Create a procedure (manual or automatic) to apply security updates onto the system at regular intervals.
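
As an added example (not part of the original post), the script below automates the checks in steps 2 and 9 by parsing `df -P` and `netstat -tuln` output. The function names, the port allowlist, the 90% threshold and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for step 2 (free space) and step 9 (open ports).
# Step 9: print listening sockets whose port is not in the allowlist.
# stdin: output of `netstat -tuln`; $1: space-separated allowed ports.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            # TCP rows must be in LISTEN state; UDP rows have no state column.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (port in ok) next
            scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
            print $1, host, port, scope
        }'
}

# Step 2: print mount points at or above a usage threshold.
# stdin: output of `df -P`; $1: threshold in percent.
full_filesystems() {
    awk -v limit="$1" '
        NR > 1 {
            use = $5; sub(/%/, "", use)
            if (use + 0 >= limit + 0) print $6, use "%"
        }'
}

# Constructed sample of `netstat -tuln` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed sample of `df -P` output (not from a real host).
SAMPLE_DF='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1         20511312 9143260  10303092      48% /
/dev/sda2          5029504 4778028         0     100% /var'

# Demo on the samples; on a real host pipe in `netstat -tuln` and `df -P`.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 123"
printf '%s\n' "$SAMPLE_DF" | full_filesystems 90
```

A listener reported as `loopback` is not reachable from the network but still points at a service that steps 4 and 5 may want to remove.
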
Any other ones that you find important that I am missing?


kgs97 said...

Maybe it's a good idea to check if log-rotation is active on the logs that could grow to fill up the disk.

Per Olesen said...

@kgs97: Absolutely. logrotate is a must. Good one!