Encrypt all data transmitted over the network. Encrypting authentication information, such as passwords and cookies, is particularly important. |
Minimize the amount of software installed and running in order to minimize vulnerability. |
Use security-enhancing software and tools whenever available (e.g. SELinux and IPTables). |
Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others. |
Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts. |
Review system and application logs on a routine basis. Send logs to a dedicated, centralized log server. This prevents intruders from easily avoiding detection by modifying the local logs. |
Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers , which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure . |