Secure Linux install?

Brian Densmore DensmoreB at ctbsonline.com
Wed Oct 31 18:11:09 CST 2001 

> >... it is more like did you leave your front door open with a list of
> >valuables, and where they are, sitting on the entry way table. 
> 
> Ahem -- but yes, there still is a point to be made here.  
> These people are
I think the word is "criminals", aka bottom-feeders, scum of the ...
etc.

> going up and down the street . . . "oh this house has a Masterlock
> deadbolt, this one has a Kwickset deadbolt, this one a blah 
> blah". 
Yes, sadly you are right. 

> Red Hat looks about like Windows as far as security is 
> concerned. 
No, and yes. It is sad to say that some Linux distros come 
with high security turned off. I feel they should have different
configurations if you choose say "server install" or "desktop install".

> What you are saying is I didn't follow 
> precautions -- yes and no.  I went with Linux
> because I didn't want my server down all the freakin' time, 
> but I didn't
> think I was going to have to reinstall most of the stuff just 
> to lock it up
> tight.  What a joke?   How can you advocate using something 
> that someone
> will have to re-learn just to re-install all the boffed files 
> with security
> holes?????   
> 
You needn't relearn everything, there are tools to help with this.
What I did when I configured my system is this (I highly recommend it):

1) install {your distro here} with no network connection;
2) install and run Bastille (a Linux system hardening script for
RedHat/Mandrake);
3) test result, rerun Bastille to turn on anything you turned off that
is needed;
4) configure networking applications (Apache, Sendmail, etc);
5) retest and rerun Bastille if necessary;
6) connect to network and finish network configuration.

This took me a couple of days in my spare time to do, about 4-8 hours. 
It was a lot of work but not hard, and I was a total newbie about
internet
servers when I did it. Albeit, I did read/buy some books first (Apache,
Sendmail). 
If you know what ports you are going to use and what services you are
going
to offer, then Bastille will be very easy and quick.

I hope some of this is useful. Linux is far and away a better internet
server than
Windoze is likely ever to be. But Linux is a lot C/C++. The great thing
about Linux
is, that you can do just about anything with it. The terrible thing
about Linux is,
that you can do just about anything with it.

Now that's my $2 on the subject of security,
Brian

More information about the Kclug mailing list