Do not use obvious numbers such as 3.1416 or 42, words like secret, root, or wheel, a word repeated, names from science fiction, or names or other data from your current personal life, such as your girlfriend's or pet's names, automobile tag, or phone number. Use two or three unrelated words or names interspersed with two or three non-alphanumeric characters, or something equally hard to guess or to crack by brute force.
Don't Blame Sendmail
The third key to good Linux security is not using programs in an insecure way and not using insecure programs. After a less than stellar security history, Sendmail now rarely has a new security vulnerability discovered. In defense of Sendmail, it predates the modern Internet and widespread hacking by about 20 years.
Sendmail now checks for obvious configuration errors when it starts up, such as group- or world-writable directories and files that it must trust, and refuses to operate until the poor configuration is fixed, unless you set the DontBlameSendmail option. This is a very clever solution: it lets someone who really wants to, and presumably knows what he is doing or has a death wish, disable Sendmail's minimum security checks, yet one could hardly set this option accidentally.
Most of the major subsystems that ship with Linux, such as Sendmail, the Apache web server, and the Samba file server, come with abundant documentation and default configuration files that usually need only a little tweaking to configure the subsystem correctly.
Some programs cannot be made secure and must not be used, no way, no how. Heading this list is NFS and its cohorts, portmap and the Sun Remote Procedure Call (RPC) library, which are still turned on by default on some Linux distributions. Unless NFS and portmap are thoroughly protected with firewalling, they should not be used. Period. Number two on the list is PHP. I realize that many web sites have lots of time invested in PHP, but I'm sorry: it continues to have security bugs discovered frequently, and these affect even those using it "properly". Find another solution or risk being hacked. I have dealt with such a likely hacked site as recently as last week.
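If NFS and portmap must stay on, "thoroughly protected with firewalling" means more than blocking port 111: portmap hands out dynamic ports to mountd, lockd and friends, so those must be fenced off too. The following is an added example, not code from the article; it reads the output of rpcinfo -p to find every registered RPC listener and prints iptables rules admitting only one trusted network. It assumes an iptables-capable kernel, and the CIDR 192.168.1.0/24 used below is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): fence off portmap and every RPC service it
# has registered (NFS, mountd, lockd ...) so only one trusted network can reach them.
# Assumes an iptables-capable kernel; the trusted CIDR is a placeholder.
# Feed it the output of `rpcinfo -p` so the dynamically assigned ports are covered too.

# Extract unique "proto port" pairs from `rpcinfo -p` output on stdin.
# The first line of that output is the column header and is skipped.
rpc_listeners() {
    awk 'NR > 1 && NF >= 4 { print $3, $4 }' | sort -u
}

# For each "proto port" pair read on stdin, emit one ACCEPT rule for the trusted
# CIDR ($1) followed by a DROP rule for everyone else. The rules are printed, not
# executed, so the admin can review them before applying the output with `sh`.
rpc_firewall_rules() {
    trusted="$1"
    while read -r proto port; do
        echo "iptables -A INPUT -p $proto --dport $port -s $trusted -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Convenience wrapper for the live host; not run automatically.
rpc_firewall_for_host() {
    rpcinfo -p | rpc_listeners | rpc_firewall_rules "$1"
}
```

Because mountd and lockd pick new ports on every boot, regenerate the rules (or pin those daemons to fixed ports, where the distribution supports it) whenever the services restart; a rule set written once for port 111 and 2049 alone leaves the rest of NFS exposed.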
These days, most systems other than mail servers do not receive email via SMTP (TCP/IP port 25). Thus, please do not allow Sendmail to listen on port 25. This is done by not including the -bd flag when invoking Sendmail; outgoing and local mail still work, because only the listener goes away and the queue runner (the -q option) keeps flushing queued mail. For Red Hat and Mandrake, edit the /etc/sysconfig/sendmail file and change:
and restart sendmail with the command:
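As an added example (not the article's own text), the following script does the Red Hat/Mandrake change above and then verifies that nothing is left listening on TCP/25. It assumes the Red Hat layout, where the init script passes -bd to sendmail only when /etc/sysconfig/sendmail contains DAEMON=yes, and that the init script lives at /etc/rc.d/init.d/sendmail; the file path is a parameter so the functions can be exercised on a copy.

```shell
#!/bin/sh
# Added example, not from the article: stop Sendmail listening on TCP/25 on a
# Red Hat or Mandrake host. The init script there passes -bd to sendmail only when
# /etc/sysconfig/sendmail says DAEMON=yes, so flipping it to DAEMON=no removes the
# listener while keeping queue runs (QUEUE=...) for outbound mail.

# Exit 0 if the given sysconfig file still enables the SMTP daemon.
sendmail_daemon_enabled() {
    grep -q '^DAEMON=yes' "$1"
}

# Rewrite DAEMON=yes to DAEMON=no. Goes through a temp file and copies back
# over the original so its permissions and inode are kept (no GNU `sed -i`).
disable_sendmail_daemon() {
    f="$1"
    tmp="$f.tmp.$$"
    sed 's/^DAEMON=yes.*/DAEMON=no/' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
}

# Given `netstat -tln` (or `ss -ltn`) output on stdin, exit 0 if anything
# listens on TCP port 25 on any address (0.0.0.0:25, *:25, :::25, 127.0.0.1:25).
smtp_listener_in() {
    grep -Eq ':25[[:space:]]'
}

# Apply to the live host; assumed Red Hat-style init script path.
apply_to_host() {
    disable_sendmail_daemon /etc/sysconfig/sendmail
    /etc/rc.d/init.d/sendmail restart
    if netstat -tln | smtp_listener_in; then
        echo "WARNING: something still listens on TCP/25" >&2
        return 1
    fi
}
```

Run apply_to_host as root; the final netstat check is the part worth keeping in any hardening checklist, since a second MTA or a leftover -bd in a hand-written startup script would otherwise go unnoticed.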