
Chapter 2. Basic Hardening Guide

2.1. General Principles
2.2. Why is this important?
2.3. Physical Security
2.4. Why this is important
2.5. Networking
2.5.1. iptables
2.5.2. IPv6
2.6. Keeping software up to date
2.7. Services
2.8. NTP
The US National Security Agency (NSA) has developed two guides for hardening a default installation of Red Hat Enterprise Linux 5. Many of the tips provided in these guides are also valid for installations of Fedora. This Basic Hardening Guide covers portions of the NSA's Hardening Tips and explains why implementing these tips is important. This document does not represent the full NSA Hardening Guide.
As with any change to a system, these changes could cause unintended results. Evaluate each change for appropriateness on your system before implementing it.

2.1. General Principles

Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
Minimize the amount of software installed and running in order to minimize vulnerability.
Use security-enhancing software and tools whenever available (e.g. SELinux and iptables).
Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.
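
The routine log review recommended above can be scripted against /var/log/secure to separate direct root logins from sudo activity. The following is an added example, not part of the NSA guide or this documentation; the sample log lines are constructed, and the name review_secure_log is an assumption of this example.

```python
import re

# Constructed sample lines in the syslog format written to /var/log/secure.
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 sshd[2211]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Mar  3 10:16:40 web01 sshd[2230]: Accepted publickey for alice from 192.0.2.11 port 40022 ssh2
Mar  3 10:20:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar  3 10:30:00 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:35:00 web01 login: ROOT LOGIN ON tty1
"""

# Direct root logins: over SSH, or on a local console via login(1).
SSH_ROOT = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+)")
CONSOLE_ROOT = re.compile(r"login(?:\[\d+\])?: ROOT LOGIN ON (\S+)")
# sudo records: invoking user, status/context fields, then the command.
SUDO = re.compile(r"sudo(?:\[\d+\])?:\s+(\S+) : (.*?)COMMAND=(.*)$")


def review_secure_log(text):
    """Return (direct_root_logins, sudo_commands, sudo_denied) for the log text."""
    direct_root, sudo_ok, sudo_denied = [], [], []
    for line in text.splitlines():
        if m := SSH_ROOT.search(line):
            # (channel, authentication method, source address)
            direct_root.append(("ssh", m.group(1), m.group(2)))
        elif m := CONSOLE_ROOT.search(line):
            # (channel, program, terminal)
            direct_root.append(("console", "login", m.group(1)))
        elif m := SUDO.search(line):
            user, fields, command = m.groups()
            # sudo puts the refusal reason before the TTY= field.
            if "NOT in sudoers" in fields or "incorrect password" in fields:
                sudo_denied.append((user, command))
            else:
                sudo_ok.append((user, command))
    return direct_root, sudo_ok, sudo_denied


if __name__ == "__main__":
    root_logins, commands, denied = review_secure_log(SAMPLE_LOG)
    for channel, method, origin in root_logins:
        print(f"DIRECT ROOT LOGIN via {channel} ({method}) from {origin}")
    for user, command in commands:
        print(f"sudo by {user}: {command}")
    for user, command in denied:
        print(f"sudo DENIED for {user}: {command}")
```

Run the same review on the dedicated log server's copy as well, since local logs can be modified after a compromise.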