
Chapter 2. Basic Hardening Guide

2.1. General Principles
2.2. Physical Security
2.3. Why this is important
2.4. Networking
2.4.1. iptables
2.4.2. IPv6
2.5. Keeping software up to date
2.6. Services
2.7. NTP

Every computer system should be hardened against threats that arrive over the network as well as those posed by physical access to the machine. The changes described here are necessary because default settings are usually chosen so that software works out of the box rather than so that it is secure. As with any change to a system, these changes can have unintended results; evaluate each one for appropriateness on your system before implementing it.

2.1. General Principles

Encrypt all data transmitted over the network. Encrypting authentication information, such as passwords and cookies, is particularly important.
Minimize the amount of software installed and running in order to reduce the attack surface: code that is not present cannot be exploited.
Use security-enhancing software and tools whenever available (e.g. SELinux and iptables).
Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts, since a forgotten account with a stale password is an easy way in.
Review system and application logs on a routine basis. Send logs to a dedicated, centralized log server. An intruder who has compromised a host can modify or delete its local logs, but not the copies already forwarded elsewhere, so central logging makes it much harder to avoid detection.
Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility; visudo checks the file's syntax before installing it, so a typo cannot lock every administrator out. By default, sudo records each command it runs, and each attempt it refuses, in /var/log/secure.
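The following is an added example, not part of the Fedora guide, showing the kind of routine log review the two principles above call for: it summarises the sudo entries that land in /var/log/secure, separating permitted commands from refused attempts and flagging permitted commands that hand out an unrestricted root shell. The log lines are constructed samples in the format sudo writes via syslog; the host name, user names and commands are assumptions. On a real system point LOG at /var/log/secure (or the forwarded copy on the central log server) instead of the embedded sample.

```shell
#!/bin/sh
# Added example (not from the Fedora Security Guide): summarise sudo activity
# as recorded in /var/log/secure. SAMPLE_LOG is a constructed sample; the
# host "host1" and the users alice, bob and mallory are assumptions.
SAMPLE_LOG='Mar  3 10:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/dnf update
Mar  3 10:16:11 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:00 host1 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:18:42 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Mar  3 10:19:05 host1 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2'

# Field layout of a syslog line: month day time host tag user ...
# so the invoking user is always field 6. The tag is "sudo:" on Fedora and
# "sudo[pid]:" on systems that log the pid; both are accepted.

# Print "user command" for every sudo command that was actually permitted
# (lines carrying neither an authentication failure nor a policy denial).
sudo_allowed() {
    printf '%s\n' "$1" | awk '
        / sudo(\[[0-9]+\])?: / && !/incorrect password/ && !/NOT in sudoers/ {
            user = $6
            sub(/^.*COMMAND=/, "", $0)   # keep only the command text
            print user, $0
        }'
}

# Print "user reason" for every sudo attempt that was refused.
sudo_denied() {
    printf '%s\n' "$1" | awk '
        / sudo(\[[0-9]+\])?: / && (/incorrect password/ || /NOT in sudoers/) {
            user = $6
            reason = (/NOT in sudoers/) ? "not-in-sudoers" : "bad-password"
            print user, reason
        }'
}

# Flag permitted commands that open an unrestricted root shell. Such
# invocations defeat the per-command audit trail sudo is meant to give you,
# because nothing run inside the shell is logged.
sudo_root_shells() {
    sudo_allowed "$1" | awk '$2 ~ /\/(su|bash|sh|zsh)$/ { print $1, $2 }'
}

# Usage: run the summary over the sample, or over a real log file.
LOG="${LOG:-}"
if [ -n "$LOG" ] && [ -r "$LOG" ]; then
    INPUT=$(cat "$LOG")
else
    INPUT="$SAMPLE_LOG"
fi
echo "== permitted =="; sudo_allowed "$INPUT"
echo "== denied =="; sudo_denied "$INPUT"
echo "== root shells =="; sudo_root_shells "$INPUT"
```

The denied list is what to watch on a routine review: repeated bad-password entries for one account suggest a guessed or stolen password, and a "user NOT in sudoers" entry means someone who was never granted privileges tried to use them. Entries in the root-shell list are legitimate only if the policy in /etc/sudoers deliberately allows them; otherwise they are a sign that sudo is being used to bypass, rather than implement, least privilege.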