John R Pierce wrote: > On 02/23/12 11:05 AM, Wuxi Ixuw wrote: >> Please suggest a one as I am keep goggling and all result bring books >> dealing with linux as a real server and not a vps. > > you could do worse than starting here... > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/ > > VPS and real hardware work exactly the same once the software is > installed. > > my base level suggestions: > > * start with a *minimal* install of the latest release (currently 6.2) > * create your user account, give both user and root account different > secure passwords I was assuming his provider gave him a working system, not virtual bare metal. > * secure the SSH server (no root, key instead of password > authentication, only allow ssh from your home/office networks or a > few secure 'bastion' hosts, etc) > * yum update right after install and reboot Yup. > * install *just* the services you need, only from trustworthy yum > repositories YES! For about 10 years, I ran an old rh (NOT RHEL) system as a firewall/router for my home network. I ran Bastille Linux over it - which is *not* a distro, but a set of hardening scripts. Great stuff, and NIST recommendations these days refer to it, last time I looked. After running Bastille, *then* I got paranoid: I never installed X (security holes), or *any* compiler, or language I didn't absolutely need (no gcc, yes to perl). No nuttin'... and to the best of my knowledge, though I did see scans, I never had an intrusion, partly due to firewall rules of DROP, and partly because they had nothing to use to run their nasties. If it got installed, and you don't need it, don't only turn it off, yum remove. At work, and home, I certainly don't need either bluetooth or avahi running, on wired boxen. > * secure the services you install as appropriate > * document your configuration, including what packages you needed to > install YES. You do *not* want to be trying to figure out what you'd done, a year from now, at 17:00 on a Friday, or 02:00 some morning. > * script a secure backup of your configuration specific conf and data > files to reliable offsite storage. Yup. Or have the full website, and all configuration files for the system, on your machine at home or work, so you can just upload the whole thing. > * plan on regular yum updates, and staying up on security alerts, such > as CERT <snip> RH, and this offshot I know of, called CentOS, are pretty good at announcing security fixes in a timely manner.... (take a bow, Johnny). mark _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos