Step #1, Stop unwanted services as soon as you boot the server
For example, stop the inetd or xinetd service:
# /etc/init.d/inetd stop
# /etc/init.d/xinetd stop
Or, Red Hat Linux users can use the service command:
# service xinetd stop
Step #2, Stop all unwanted runlevel services that start automatically when
Linux boots
Use a tool such as chkconfig under Red Hat / Fedora Linux:
a) List all services
# chkconfig --list | less
b) Remove/Delete service:
# chkconfig --del {service-name}
To disable/remove xinetd at startup, use the following command:
# chkconfig --del xinetd
Tip: You can also use the menu-based ntsysv utility.
Debian Linux users can use the update-rc.d script. For example, to stop the
xinetd service from starting at boot, type the following command:
# update-rc.d -f xinetd remove
You can also manage the removal of unwanted services via the /etc/rc?.d
symlinks. If you are new to this, use the tools above. Also look at the several
easy-to-use utilities that facilitate the management of System V initialization
scripts in our article Removing Unwanted Startup Debian Files or Services.
Step #3, Enable firewall
Set up iptables to deny all incoming traffic but allow outgoing traffic (so
that you can download all the patches). Here is a sample iptables script:
#!/bin/sh
# Set to the IP address of this server (the rules below do not reference it)
SERVER_IP="202.54.1.25"
# Flush all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow inbound packets only for connections this host opened (e.g. DNS replies)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# make sure nothing comes in
iptables -A INPUT -j DROP
Save the script and execute it.
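To confirm the rules loaded as intended, and to catch later drift, the check below reads iptables -S output and flags any default policy or inbound ACCEPT rule that departs from the script above. It is an added example, not part of the original article; the function names and both sample rulesets are constructed for illustration, and it assumes the one-rule-per-line format that iptables -S prints.

```shell
#!/bin/sh
# Added example, not part of the original article. audit_ruleset reads
# `iptables -S` text on stdin, prints one finding per line, and returns 0
# only when the Step #3 deny-all-inbound policy holds.
audit_ruleset() {
    awk '
        $1 == "-P" { policy[$2] = $3; next }
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT$/ {
            if (/ -i lo /) next        # loopback traffic
            # replies to connections this host opened (either keyword order)
            if (/--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) /) next
            print "unexpected inbound ACCEPT: " $0; bad++
        }
        END {
            n = split("INPUT FORWARD", chain, " ")
            for (i = 1; i <= n; i++) {
                p = policy[chain[i]]
                if (p == "") p = "missing"
                if (p != "DROP") { print chain[i] " policy is " p ", expected DROP"; bad++ }
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: `iptables -S` output after running the article's script.
hardened_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
EOF
}

# Constructed sample: the same ruleset after drift (telnet accepted, FORWARD open).
drifted_rules() {
    hardened_rules | sed -e 's/^-P FORWARD DROP$/-P FORWARD ACCEPT/' \
        -e 's/^-A INPUT -j DROP$/-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT/'
}

# On a real host, run as root: iptables -S | audit_ruleset
for sample in hardened_rules drifted_rules; do
    if findings=$($sample | audit_ruleset); then echo "$sample: OK"
    else echo "$sample: FAIL"; echo "$findings"; fi
done
```

A non-zero exit status makes the check usable from cron or a configuration-management run, so a rule added by hand later does not go unnoticed.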
Step #4, You are done. What next?
All 3 steps above take less than 5 minutes and give you a more secure box.
The following are general steps you should perform. Now, even if it is going to
take 4 hours, you don't have to worry about crackers.