The Five Keys To Locking Your Linux System Down
Really, there are only five things needed to keeping a Linux system secure. This goes for both servers and client systems -- desktops and laptops. The first is to keep up-to-date with patches. This is easy to do yet is critical. First, pick a distribution that provides timely security patches, which is most Linux distributions. Mandrake, SuSE, Slackware, Gentoo, and Red Hat all do this as do most other Distros. If your Distro and version of it does not provide prompt security patches (within 48 hours) upgrade or switch Distros.
Some vendors refuse to provide patches for any given release after a short time, forcing you to upgrade to new versions more frequently, sometimes at great cost but always at an inconvenience. Also, Red Hat now charges for security patches on a per-system basis. Factor this into your selection of vendors.
The only alternative if patches for your system are not available in a timely manner from the Distro is to download the sources yourself, e.g., from www.kernel.org/mirrors/, httpd.apache.org/download.cgi, etc. and build and install yourself. Red Hat's Enterprise series does not always release timely patches. By the way, if you are not running the 22.214.171.124 or 2.4.30 kernels, it is time to upgrade (unless your vendor has back-patched a previous kernel that you are running).
Red Hat was the first to come out with a program that you can run to automatically check for new patches and install them, the up2date program. It works well so simply enable it if you use Red Hat. If you run a different Distro that has an equivalent program, use it. SuSE has yast2. Fedora has yum. Gentoo has emerge. The gentoo.org web site has great documentation to help beginners get started with emerge.
An alternative, used by some Distros such as Slackware is to invite you to subscribe to a mailing list alerting you to new patches. You then can decide which ones affect you and then download and install applicable patches. You can subscribe to Slackware's by hitting:
Deciding which to install usually is obvious. If you do not use it and it does not run set-UID then it is not a risk. I generally will remove the program or set its permissions to 0 if I am not going to patch it to prevent a problem if someone "accidentally" tries to use it later.
You Call That A Password?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.