Securing Linux Production Systems

robyannetta writes "Securing Linux Production Systems: A Practical Guide to Basic Security in Linux Production Environments is a practical step-by-step guide for securing Linux production systems. It shows how to meet basic security requirements for Linux systems that need to pass security audits. If you have been assigned to come up with a corporate Linux Security Standard, then you should definitely read on."

Re:Firewall?

[caseih]

There is almost no reason to run iptables on production servers if you've followed all the correct steps. Remember that iptables is not an application-level firewall and as such cannot do anything to protect your server. That is because you want your server to serve stuff. No iptables firewall can protect you from bad guys exploiting your services that you exposed intentionally! Instead you should disable every service that you don't want to expose to the outside world. In some cases, like sendmail, you have services you need internally to the server itself and so you bind them to localhost. My server is live on the internet and runs no firewall. Every port open on it (http, https, pop3, imap, smtp) is open because I want it open. It would be mostly pointless to turn on iptables. The only case I can see iptables being useful is to restrict the source ip address for ssh.