Thursday, December 3, 2009

Remove unnecessary services

1. Only run the services that the machine actually needs for the function it provides. For instance, if the server is a database server you most likely don't need the same box to run apache, ftp and sendmail. Every extra service running on a box steals performance from the system's primary function and possibly opens up new security vulnerabilities.

2. You can use lsof (for example lsof -i, as shown below) or a similar tool to determine which ports are listening on the computer.

ns003:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 17829 root 4u IPv6 12689530 UDP *:34327
named 17829 root 6u IPv4 12689531 UDP *:34329
named 17829 root 20u IPv4 12689526 UDP ns003.psi.net:domain
named 17829 root 21u IPv4 12689527 TCP ns003.psi.net:domain (LISTEN)
named 17829 root 22u IPv4 12689528 UDP 10.4.20.46:domain
named 17829 root 23u IPv4 12689529 TCP 10.4.20.46:domain (LISTEN)
lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
sshd 30435 root 4u IPv6 74368139 TCP 10.4.20.46:8872 10.4.20.1:3262 (ESTABLISHED)
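As an added example that is not part of the original post, here is a small POSIX shell script that turns lsof -i output into a list of listening sockets and then flags any whose command is not on an allowlist of what you expect the box to run. The embedded sample input is the lsof listing above; in real use you would pipe lsof -i -P -n into list_listeners. The function names and the allowlist contents are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: audit listening sockets from
# `lsof -i` text output. The sample input is the post's own lsof listing,
# embedded here (constructed) so the script runs offline.

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 17829 root 4u IPv6 12689530 UDP *:34327
named 17829 root 6u IPv4 12689531 UDP *:34329
named 17829 root 20u IPv4 12689526 UDP ns003.psi.net:domain
named 17829 root 21u IPv4 12689527 TCP ns003.psi.net:domain (LISTEN)
named 17829 root 22u IPv4 12689528 UDP 10.4.20.46:domain
named 17829 root 23u IPv4 12689529 TCP 10.4.20.46:domain (LISTEN)
lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
sshd 30435 root 4u IPv6 74368139 TCP 10.4.20.46:8872 10.4.20.1:3262 (ESTABLISHED)'

# list_listeners: read `lsof -i` output on stdin and print
# "COMMAND PID PROTO ADDR:PORT" for every TCP socket in LISTEN state and for
# every bound UDP socket (UDP has no state column; a bound UDP socket accepts
# datagrams). The protocol column is found by value rather than position,
# because the SIZE/OFF column is blank in some lsof builds and "0t0" in others.
list_listeners() {
    awk 'NR > 1 {
        for (i = 1; i <= NF; i++) if ($i == "TCP" || $i == "UDP") break
        if (i > NF) next                                # not an internet socket line
        proto = $i; addr = $(i + 1)
        if (proto == "TCP" && $NF != "(LISTEN)") next   # skip ESTABLISHED and the like
        print $1, $2, proto, addr
    }'
}

# flag_unexpected ALLOWED: filter list_listeners output, keeping only rows
# whose COMMAND is not in the space-separated ALLOWED list. Anything printed
# is a service to investigate and, per step 3, probably to shut down.
flag_unexpected() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        !($1 in ok)'
}

# Demo run on the embedded sample: on a box that is meant to be only a DNS
# server with SSH management access, lighttpd is the odd one out.
printf '%s\n' "$SAMPLE_LSOF" | list_listeners
echo "--- not on the allowlist (named sshd):"
printf '%s\n' "$SAMPLE_LSOF" | list_listeners | flag_unexpected "named sshd"
```

The allowlist is deliberately by command name rather than by port: a rogue listener on an expected port still shows up, and port numbers can be compared by hand from the ADDR:PORT column.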

3. Shut down any unknown or unneeded services using the appropriate tools for your Linux distribution, such as update-rc.d on Debian systems, or in some cases by editing the /etc/inetd.conf or /etc/xinetd.d/* files.


4. Don't allow root logins on your primary sshd port 22 (set PermitRootLogin to "no"); many automated tools run brute-force attacks against that port. Set up a secondary port for root access that only works with shared keys, disallowing passwords:
* Copy the sshd_config file to root_sshd_config, and change the following items in the new file:
o Port: change 22 to some other number, say 8899 (don't use this one! make up your own!)
o PermitRootLogin: change "no" (you were supposed to set it to "no" for port 22, remember?) to "yes"
o AllowUsers root: add this line, or if it already exists, change it so that only root may log in on this port
o ChallengeResponseAuthentication no: uncomment this line if it's commented out, and make sure it says "no" instead of "yes"
* Test this command:

sshd -D -f /etc/ssh/root_sshd_config

and see if it works correctly: try logging in from another computer (you must already have set up shared-key authentication between the two computers) using:

ssh -p8899 root@my.remote.server

and if so, press control-C at the sshd command above to stop that daemon, then add this line to the end of /etc/inittab:

rssh:2345:respawn:sshd -D -f /etc/ssh/root_sshd_config

* Restart the init task:

# init q

This will run your "root ssh daemon" as a background task, automatically restarting it if it fails.
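As an added example that is not part of the original post, the script below derives root_sshd_config from an existing sshd_config with the step 4 settings applied, reads back the values the way sshd would (the first uncommented occurrence of a keyword wins), and, where sshd is installed, asks it to parse the result with sshd -t -f. The function names, the sample config and the port 8899 are my own choices. One line is an addition to the post's list: PasswordAuthentication no, because ChallengeResponseAuthentication no on its own does not turn off plain password authentication in sshd, and the point of this port is key-only root access.

```shell
#!/bin/sh
# Added example, not from the original post: build root_sshd_config from an
# existing sshd_config and check what sshd will actually use from it.
# Function names, the sample config and the port are my own choices; the
# PasswordAuthentication line is an addition to the post's list.

# Constructed sample sshd_config, not copied from any real server.
SAMPLE_SSHD_CONFIG='# sample sshd_config
#Port 22
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication yes
#PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server'

# make_root_sshd_config SRC DST PORT: copy SRC to DST, replacing (or adding)
# the keywords listed in want[]. Commented-out copies of those keywords are
# dropped so the file ends up with exactly one live setting for each, which
# matters because sshd honours only the first occurrence of a keyword.
make_root_sshd_config() {
    awk -v port="$3" '
        BEGIN {
            want["Port"] = port
            want["PermitRootLogin"] = "yes"
            want["AllowUsers"] = "root"
            want["ChallengeResponseAuthentication"] = "no"
            want["PasswordAuthentication"] = "no"     # added: refuse passwords outright
            want["PubkeyAuthentication"] = "yes"
        }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip a leading "#" if present
            split(line, f, /[ \t=]+/)
            key = f[1]
            if (key in want) {
                if (!(key in seen)) print key " " want[key]
                seen[key] = 1
                next                                  # drop duplicates and commented copies
            }
            print
        }
        END {
            for (k in want) if (!(k in seen)) print k " " want[k]
        }' "$1" > "$2"
}

# get_option FILE KEYWORD: print the value sshd would use for KEYWORD
# (first uncommented occurrence wins, matching sshd_config semantics).
get_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# validate_config FILE: have sshd itself parse the file (sshd -t -f) when it
# is installed; returns non-zero on a syntax error.
validate_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Demo: write the sample config to a temp dir and derive the root-only file.
demo_root_config() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp/sshd_config"
    make_root_sshd_config "$tmp/sshd_config" "$tmp/root_sshd_config" 8899
    cat "$tmp/root_sshd_config"
    echo "effective PasswordAuthentication: $(get_option "$tmp/root_sshd_config" PasswordAuthentication)"
    rm -rf "$tmp"
}
demo_root_config
```

Run validate_config on the generated file before pointing the inittab entry at it; sshd -t -f reports keyword errors without starting a daemon, which is the same check the post's "sshd -D -f" trial run performs but without opening the port.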