The Five Keys To Locking Your Linux System Down
Really, there are only five things needed to keeping a Linux system secure. This goes for both servers and client systems -- desktops and laptops. The first is to keep up-to-date with patches. This is easy to do yet is critical. First, pick a distribution that provides timely security patches, which is most Linux distributions. Mandrake, SuSE, Slackware, Gentoo, and Red Hat all do this as do most other Distros. If your Distro and version of it does not provide prompt security patches (within 48 hours) upgrade or switch Distros.
Some vendors refuse to provide patches for any given release after a short time, forcing you to upgrade to new versions more frequently, sometimes at great cost but always at an inconvenience. Also, Red Hat now charges for security patches on a per-system basis. Factor this into your selection of vendors.
The only alternative if patches for your system are not available in a timely manner from the Distro is to download the sources yourself, e.g., from www.kernel.org/mirrors/, httpd.apache.org/download.cgi, etc. and build and install yourself. Red Hat's Enterprise series does not always release timely patches. By the way, if you are not running the 220.127.116.11 or 2.4.30 kernels, it is time to upgrade (unless your vendor has back-patched a previous kernel that you are running).
Red Hat was the first to come out with a program that you can run to automatically check for new patches and install them, the up2date program. It works well so simply enable it if you use Red Hat. If you run a different Distro that has an equivalent program, use it. SuSE has yast2. Fedora has yum. Gentoo has emerge. The gentoo.org web site has great documentation to help beginners get started with emerge.
An alternative, used by some Distros such as Slackware is to invite you to subscribe to a mailing list alerting you to new patches. You then can decide which ones affect you and then download and install applicable patches. You can subscribe to Slackware's by hitting:
Deciding which to install usually is obvious. If you do not use it and it does not run set-UID then it is not a risk. I generally will remove the program or set its permissions to 0 if I am not going to patch it to prevent a problem if someone "accidentally" tries to use it later.
You Call That A Password?
Pick good passwords. A password should be at least 10 characters long and should not consist solely of one or two words in any dictionary. It should not consist solely of lower-case letters or solely of digits. Do not get around the one- or two-word prohibition via the trivial changing of the letter 'o' to the digit '0' or the letter 'l' to the digit '1', etc. Hackers know that trick too.
Do not use obvious numbers such as 3.1416 or 42, words like secret, root, or wheel, a word repeated, names from science fiction, or names or other data from your current personal life, such as your girlfriend's or pet's names, automobile tag, or phone number. Use two or three unrelated words or names interspersed with two or three non-alphanumerics or something equally hard to guess or brute-force crack.
Don't Blame Sendmail