Xaero_Vincent wrote:
Here are some useful tips a guy on slashdot posted to help protect your Linux severs in addition to the things I've mentioned:

  • Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
  • Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time
  • Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
  • When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
  • Regularly update and run rootkit checkers. These are not be all end all, but they help spot obvious rootkits
  • Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
  • Perform MD5 checking on your files and executables, espcially.
  • Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
  • Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.

umm ... Excuse me -- I really don't want to do all of that.  I really don't want to do all of that every day.  I don't know about you but I spend all day seeing sick people for a living; and I program computers its so I can do that better.  When I sit down at my computer I want to do what I want to do, not defend my pc against the evil internet I cannot live without.

If linux requires me to do all of the above just to be safe on the internet then linux is broken.