...be granted or refused based on some easily configurable rules. Quite often for desktop Linux PC's it is very useful to place the following line in the /etc/hosts.deny file:
ALL: ALL
This will deny access to all services from all hosts. It seems pretty restrictive at first glance, but we then add hosts to the /etc/hosts.allow file that will allow us to access services. The following are examples that allow some hosts remote secure shell access:
sshd: 192.168.0.1 #allow 192.168.0.1 to access ssh
sshd: somebox.somedomain.com #allow somebox.somedomain.com to access ssh
These two files provide powerful host based filtering methods for your Linux PC.
5. Shutoff or remove non-essential services
Just like
Windows there can be services running in the background that you either
don't want or don't have a purpose for. By using the Linux command
"chkconfig" you can see what services are running and turn them on and
off as needed. Services that are not running don't provide security
holes for potential hackers and don't take up those precious CPU cycles.
6. Secure your required services
If your new Linux PC has some services that will receive connections
from the Internet make sure you understand their configurations and
tune them as necessary. For example, if your Linux PC will receive
secure shell connections make sure you check the sshconfig file (for
Mandriva it is /etc/ssh/sshd_config) and disable options like root
login. Every Linux PC has a root user so you should disable root login
via ssh in order to dissuade brute force password crack attempts
against your super-user account.
7. Tune kernel networking security options
The Linux
kernel itself can provide some additional networking security.
Familiarise yourself with the options in the /etc/sysctl.conf file and
tune them as needed. Options in this file control, for example, what
type of network information is logged in your system logs.
8. Connect the PC to a router
A hardware router is a
pretty common piece of household computer hardware these days. This is
the front line security to any home or business network and provides
multiple PC's to share one visible or external Internet address. This
is generally bad news for any hacker or otherwise malicious program
that may take a look at your new Linux PC as it blocks any and all
network traffic that you don't specifically allow. Home networking
routers are just smaller versions of what the big companies use to
separate their corporate infrastructure from the Internet.
9. Update
Always keep the software on your computer up to date with the latest
security patches should you be running Linux, Windows, BSD or
WhoKnowsWhat. Your distribution will release regular security patches
that should be applied and are available off the Internet. As with
Windows, this should always be your first Internet destination.
10. Other software
Your second Internet stop may be to install some other hardening or system monitoring software.
Bastille-Linux is a program that can be used to "harden" or secure certain aspects of your new Linux PC. It interactively develops a security policy that is applied to the system and can produce reports on potential security shortcomings. On top of that it is a great tool to use for learning the ins and outs of securing your Linux PC.
Tripwire is a software package that monitors your system binaries for unauthorised modifications. Often a hacker may modify system binaries that may be useful in detecting a system intrusion. The modified programs would then report false information to you allowing the hacker to maintain his control over your system.
Talkback
You're link to Tripwire doesn't work.
It works, just wrongly written in HTML. Edit it smartly.
Why isn't there no mention of a virus scanner ? When I install a Windows PC I install a firewall and a virus scanner by default. It shouldn't be any different for Linux.
I admit tripwire has some overlap with what a virus scanner does. But doesn't scanning for virusses and other malicious code deserve a point of its own instead of being somewhere in the 'other' section?
Note: I personally have no virus scanner on my Linux PC either - so I'm criticizing myself here too.
There are tools like ClamAV if you want a virus scanner. Most of us don't feel the need yet. Virus scanners use a lot of CPU cycles and memory.
Why would you need a virus scanner in linux unless you're serving mail or files to Windows clients?