Services and daemons running at boot time
All that could be briefly said is: disable anything you don't need, or don't plan on using and also don't install anything you don't need.
One thing is certain, if you need a certain service, like telnet or FTP, think about it. Are they really needed? Are they safe to use, and is there a supplement to them, even more reliable? For instance, SSH replaces telnet perfectly, and FTP is pretty much obsolete, with all those web forms
these days, and, yes, even SCP from the SSH package.
Need an MTA? Why not think Qmail or some other instead of sendmail? A lot of issues exist when planning what services you will provide, and more important how.
Think how you're going to organize your machines in production, as it's pretty much useless to setup a perfect firewall, lose a lot of time on perfecting it, just to put an FTP behind it. Deploy servers rationally, using the least possible number of services exposed to the outside of your LAN, no matter how simple or harmless the service might be. If you really need services that have known past security issues, a wise idea would be to put them in DMZ, and separate them from all other machines, in any possible way.
If you plan to use LILO as your boot loader, some things can be achieved by adding some extra lines to your /etc/lilo.conf, and these are 'restricted' and 'password="somepassofyourchoice"'. After making any alterations to /etc/lilo.conf make sure to re-run lilo by typing /sbin/lilo' to have them take effect when booting next time. Adding line restricted makes it neccessary for the user to provide a password when trying to pass additional boot parameters to lilo. The password option restricts the booting of linux to local users who have the password, but the password isn't encrypted so make the /etc/lilo conf owned by root and set to mode 600. That's 'chmod 600'. As always, you can 'man lilo' to find out more about additional options. The ultimate choice is to make lilo boot from a floppy, so nobody without that floppy can boot the system. Nothing like a dose of physical security measures! :) But still, be sure to have a backup lying somewhere safe because floppies aren't that reliable...
Of course, there are other ways of booting linux, so make sure that you read more documentation on the subject, so that you can make some good choices to enhance the security of your system.
Think about running a scanner on your system to check it for vulnerabilities, wrong file permissions, SUID, or other wrongly set UID's, open services, ports, etc. Network scanners test your host, as would a possible attacker do, and in most cases will, looking for any services and ports open and searching for any known vulnerability. Most scanners are easy to use and configure, so I'd recommend using the ones listed below:
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.