Posted by: Eric Hansen
Continuations are fun! Part 2 is here: http://itknowledgeexchange.techtarget.com/security-admin/how-have-security-practices-changed-2009-now-part-2/
Then: #11: Configure Iptables and TCPWrappers
A properly configured firewall helps keep both the network and the server secure. You can perform better load balancing on the server as well as make sure requests going to and from the server are what it expects. Do this only once the server is set up properly, however, as doing it earlier can cause major headaches.
Then: #12: Linux Kernel /etc/sysctl.conf Hardening
I’m not an RPM-system person; I prefer deb, and I use Arch Linux at times. But I know that on my installs /etc/sysctl.conf never exists.
Then: #13: Separate Disk Partitions
Unless there’s some dire reason not to, this is always a good idea. Being lazy isn’t dire, by the way.
This helps in a few ways. One, it makes backing up information easier (instead of backing up folders on the same partition, you can just back up the entire partition). If you want to set up RAID for /home and /var but not /tmp, this is about the only way I know of to do it safely.
It also makes disk management easier. Need to resize /home without worrying about corrupting data on the / partition? This will let you do it!
Then: #14: Turn Off IPv6
As much as I hate it, and as much as I enjoy using it, IPv6 has no benefits.
There have been reports that disabling IPv6 improves network performance by lowering the overhead on the networking drivers, but I’m not sure if that’s true now. Whenever I did it, I noticed very little difference anyway.
IPv6 is really like 64-bit processors…unless you have a hardware requirement for it, it’s not going to benefit you any.
The transition to IPv6 is taking forever and, it is safe to say, is almost nullified. There’s nothing natively supporting it that would make it beneficial, and tools like ping6 are there for testing purposes more than “this is why you should have IPv6!”
Then: #15: Disable Unwanted SUID and SGID Binaries
I’m not knowledgeable enough about the sticky bits to make a judgement. However, I rarely seem to find an exploit that utilizes these.
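For tip #15, here is an added example (not from the original post or from the list it comments on): a POSIX shell function that reports SUID/SGID files not named in an allow-list, so the unwanted ones can be reviewed and have the bit cleared. The function name, the allow-list path and its one-path-per-line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_suid_sgid ROOT ALLOWLIST
#   ROOT:      directory tree to scan, e.g. /
#   ALLOWLIST: file with one expected absolute path per line ('#' lines ignored);
#              its location and format are assumptions made for this example.
# Prints "<SUID|SGID|SUID+SGID> <path>" for each file not in ALLOWLIST.
# Returns 0 if nothing unexpected was found, 1 otherwise, 2 on setup failure.
audit_suid_sgid() {
    root=$1
    allowlist=$2
    unexpected=0
    [ -r "$allowlist" ] || { echo "cannot read $allowlist" >&2; return 2; }
    hits=$(mktemp) || return 2

    # -perm -4000 matches SUID, -perm -2000 matches SGID; -xdev stays on one
    # filesystem so /proc and network mounts are skipped when ROOT is /.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | sort > "$hits"

    # Paths containing newlines are not handled by this line-based loop.
    while IFS= read -r path; do
        # Exact, fixed-string match against the non-comment allow-list lines.
        if grep -v '^[[:space:]]*#' "$allowlist" | grep -Fxq -- "$path"; then
            continue
        fi
        kind=
        [ -u "$path" ] && kind=SUID
        [ -g "$path" ] && kind=${kind:+$kind+}SGID
        printf '%s %s\n' "$kind" "$path"
        unexpected=1
    done < "$hits"

    rm -f "$hits"
    return "$unexpected"
}

# Usage (the allow-list path is hypothetical):
#   audit_suid_sgid / /etc/suid-allowlist.txt
# Review each reported file; if the bit is not needed, clear it with
#   chmod u-s,g-s /path/to/file
```

Running it from cron and alerting on a non-zero exit status turns the one-time cleanup into a check that catches SUID/SGID files added later.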