Actually I read many times that geek people used to use a Linux computer as a firewall for their network but never figured out how they do so.

On 23/02/2012 09:52 PM, m.roth at 5-cent.us wrote:
> John R Pierce wrote:
>> On 02/23/12 11:05 AM, Wuxi Ixuw wrote:
>>> Please suggest one, as I keep googling and all results bring books
>>> dealing with Linux as a real server and not a VPS.
>> you could do worse than starting here...
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/
>>
>> VPS and real hardware work exactly the same once the software is
>> installed.
>>
>> my base level suggestions:
>>
>> * start with a *minimal* install of the latest release (currently 6.2)
>> * create your user account, give both user and root account different
>>   secure passwords
> I was assuming his provider gave him a working system, not virtual bare
> metal.
>
>> * secure the SSH server (no root, key instead of password
>>   authentication, only allow ssh from your home/office networks or a
>>   few secure 'bastion' hosts, etc)
>> * yum update right after install and reboot
> Yup.
>
>> * install *just* the services you need, only from trustworthy yum
>>   repositories
> YES! For about 10 years, I ran an old rh (NOT RHEL) system as a
> firewall/router for my home network. I ran Bastille Linux over it - which
> is *not* a distro, but a set of hardening scripts. Great stuff, and NIST
> recommendations these days refer to it, last time I looked.
>
> After running Bastille, *then* I got paranoid: I never installed X
> (security holes), or *any* compiler, or language I didn't absolutely need
> (no gcc, yes to perl). No nuttin'... and to the best of my knowledge,
> though I did see scans, I never had an intrusion, partly due to firewall
> rules of DROP, and partly because they had nothing to use to run their
> nasties.
>
> If it got installed, and you don't need it, don't only turn it off, yum
> remove. At work, and home, I certainly don't need either bluetooth or
> avahi running, on wired boxen.
>
>> * secure the services you install as appropriate
>> * document your configuration, including what packages you needed to
>>   install
> YES. You do *not* want to be trying to figure out what you'd done, a year
> from now, at 17:00 on a Friday, or 02:00 some morning.
>
>> * script a secure backup of your configuration specific conf and data
>>   files to reliable offsite storage.
> Yup. Or have the full website, and all configuration files for the system,
> on your machine at home or work, so you can just upload the whole thing.
>
>> * plan on regular yum updates, and staying up on security alerts, such
>>   as CERT
> <snip>
> RH, and this offshoot I know of, called CentOS, are pretty good at
> announcing security fixes in a timely manner.... (take a bow, Johnny).
>
> mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
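The "secure the SSH server" item in the list above is the one that is easiest to get subtly wrong, because sshd honours only the first occurrence of a directive and ships with permissive defaults. The following POSIX shell script is an added example, not code from this thread or from the CentOS project: it audits an sshd_config for the three points John raised (no root login, keys instead of passwords, SSH restricted to known source networks). The directive names are real OpenSSH ones; the two config files are constructed samples, and the function names `sshd_value` and `audit_sshd_config` are my own. The source-network check only covers what sshd_config itself can express (AllowUsers user@host patterns or a Match Address block); a packet filter rule restricting port 22 would satisfy the same requirement but is not visible to this script.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): audit an sshd_config
# against the SSH hardening points from the list. Config contents below
# are constructed samples, not any real host's configuration.

# Effective value of a directive. sshd uses the FIRST occurrence of a
# keyword, so return the first non-commented match (keys are case-insensitive).
sshd_value() {
    # $1 = directive name, $2 = config file
    awk -v key="$1" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
audit_sshd_config() {
    cfg="$1"
    rc=0

    # 1. Root must not log in over SSH. A commented-out line counts as
    #    unset, and the RHEL 6 era default for an unset value was "yes".
    v=$(sshd_value PermitRootLogin "$cfg")
    case "$v" in
        no) ;;
        *) echo "FAIL: PermitRootLogin is '${v:-unset}' (want: no)"; rc=1 ;;
    esac

    # 2. Keys instead of passwords: passwords off, public keys on
    #    (PubkeyAuthentication defaults to yes when unset).
    v=$(sshd_value PasswordAuthentication "$cfg")
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication is '${v:-unset}' (want: no)"; rc=1; }
    v=$(sshd_value PubkeyAuthentication "$cfg")
    [ "${v:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is '$v' (want: yes)"; rc=1; }

    # 3. Some source restriction must be present: an AllowUsers entry with a
    #    user@host pattern, or a "Match Address" block.
    if grep -Eiq '^[[:space:]]*(AllowUsers[[:space:]]+[^#]*@|Match[[:space:]]+Address)' "$cfg"; then
        :
    else
        echo "FAIL: no AllowUsers user@host pattern or Match Address block (want: source restriction)"
        rc=1
    fi

    return $rc
}

# Constructed sample: a stock-looking config with the defaults left in place.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample, not a real host's config
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample: the same host after applying the list's advice.
# 192.0.2.0/24 and 198.51.100.10 are documentation addresses standing in
# for "the office network" and "one bastion host".
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample, not a real host's config
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# only the office network and one bastion host may log in
AllowUsers admin@192.0.2.0/24 admin@198.51.100.10
UsePAM yes
EOF

# Usage: run the audit on both samples (errexit-safe form).
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== auditing $f"
    if audit_sshd_config "$f"; then
        echo "PASS: all SSH checks satisfied"
    fi
done
```

To audit a live host, call `audit_sshd_config /etc/ssh/sshd_config` from the same shell after sourcing the functions; the script deliberately never edits the file, so any change it recommends still goes through your normal review and `sshd -t` before a restart.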