Steps to secure a RHEL, Red Hat Fedora, CentOS or Scientific Linux installation

Updated 14-November-2010

Check List

Note: a checklist assumes you understand what each step does.

Install the distribution and choose to turn on the default software firewall
(iptables)

Reboot with the network cable unplugged and log in as root.

1. edit /etc/hosts.deny

ALL: ALL


2. edit /etc/hosts.allow

sshd: xxx.yyy.virginia.edu xdf.rfv.virginia.edu

sendmail: 127.0.0.1


3. Plug in the network cable.

Add scripts to /etc/cron.daily for patching with up2date (RHEL) or yum
(Fedora, CentOS or Scientific Linux) and for time sync, and chmod them to 755:

#!/bin/sh
# datetime.sh: set the clock from two NIST time servers
rdate -s time-a.nist.gov &
rdate -s time-b.nist.gov &

#!/bin/sh
# up2date.sh: apply all updates non-interactively and mail the report
up2date -u --nox | mail -s up2date.your.server yourid@virginia.edu


#!/bin/sh
# yum.sh: update yum itself first, then everything else, and mail the report
/usr/bin/yum -R 10 -e 0 -d 0 -y update yum
# Use a fresh temp file rather than a fixed, predictable name in /tmp, and
# send stdout and stderr to it with one redirection (two separate
# redirections to the same file overwrite each other)
YUMERR=$(mktemp /tmp/yum.err.XXXXXX) || exit 1
/usr/bin/yum -R 120 -e 0 -d 0 -y update > "$YUMERR" 2>&1
tail -22 /var/log/yum.log >> "$YUMERR"
mail -s YUM.02.your.server yourid@virginia.edu < "$YUMERR"
rm -f "$YUMERR"

This script captures the standard output and standard error
from the yum update process and sends that, plus the last 22
lines of the yum log, to your email account.

Run the update program for your distribution (yum or up2date)
now, to apply all patches while the firewall
(iptables) still blocks all traffic from outside.

Instead of running rdate once a day, you can run the 
ntp client.
 
UVa has four ntp servers, and we usually configure three, selected
at random.  If you mount the itc software tree on your Linux box,
/linux/uva/etc/makentp will build the ntp.conf file for you.


4. Set up iptables to allow ssh and http and https (443:tcp) with
the command system-config-securitylevel (open only what is needed)


5. Turn off unneeded services with system-config-services or
    ntsysv --level 3
    ntsysv --level 5

check with 

chkconfig --list | egrep "3:on|5:on" | sort | less

Choose whether to boot into runlevel 3 or 5 by editing /etc/inittab
and edit the line

id:3:initdefault:

List of services left enabled after configuration (chkconfig --list output)

acpid          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
anacron        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
apmd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
atd            	0:off	1:off	2:off	3:on	4:on	5:on	6:off
autofs         	0:off	1:off	2:off	3:on	4:on	5:on	6:off
cpuspeed       	0:off	1:on	2:on	3:off	4:on	5:off	6:off
crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
cups           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
cups-config-daemon	0:off	1:off	2:off	3:on	4:on	5:on	6:off
haldaemon      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
irqbalance     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
lm_sensors     	0:off	1:off	2:on	3:on	4:on	5:on	6:off
mdmonitor      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
messagebus     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
microcode_ctl  	0:off	1:off	2:on	3:on	4:on	5:on	6:off
netfs          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
nfslock        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
portmap        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rawdevices     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
readahead      	0:off	1:off	2:off	3:off	4:off	5:off	6:off
readahead_early	0:off	1:off	2:off	3:off	4:off	5:off	6:off
rpcgssd        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcidmapd      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcsvcgssd     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
sendmail       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
syslog         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
xfs            	0:off	1:off	2:on	3:on	4:on	5:on	6:off
xinetd         	0:off	1:off	2:off	3:on	4:on	5:on	6:off
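The list above is a baseline; what a defender wants day to day is to be told when something beyond it has been switched on. The following is an added example (not part of the original checklist) that reads "chkconfig --list" output and reports any SysV service enabled in runlevel 3 or 5 that is not in an approved list; the function names, the sample capture and the /root/services.ok path are this example's own.

```shell
#!/bin/sh
# audit_services BASELINE_FILE < chkconfig_output
#   Reads "chkconfig --list" output on stdin and prints every SysV service
#   that is on in runlevel 3 or 5 but not named in BASELINE_FILE (one
#   approved service name per line). Exit status 1 if anything was printed.
audit_services() {
    awk -v baseline="$1" '
        BEGIN { while ((getline name < baseline) > 0) approved[name] = 1 }
        # SysV lines look like: name <tab> 0:off <tab> 1:off ... 6:off
        # (xinetd-based services are listed differently and are skipped)
        /^[A-Za-z0-9_.-]+[ \t]+0:(on|off)/ {
            enabled = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") enabled = 1
            if (enabled && !($1 in approved)) { print $1; extra = 1 }
        }
        END { exit extra ? 1 : 0 }'
}

# Constructed sample data: a short approved list and a chkconfig capture
# from a box where bluetooth and httpd were switched on after hardening.
SAMPLE_BASELINE='crond
network
sshd
syslog'
SAMPLE_CHKCONFIG='crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth       0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd           0:off 1:off 2:off 3:off 4:off 5:on  6:off
readahead       0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        telnet: on'

# demo_audit: run the sample through the audit; prints "bluetooth" and
# "httpd" and returns 1.
demo_audit() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_BASELINE" > "$tmp"
    if printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_services "$tmp"; then
        rc=0        # nothing beyond the baseline is enabled
    else
        rc=1        # at least one unexpected service was printed
    fi
    rm -f "$tmp"
    return $rc
}

# Real use, as root:  chkconfig --list | audit_services /root/services.ok
```

Run it from the same daily cron as the update scripts and pipe anything it prints to mail, the same way yum.sh does.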


6. Check Logs Daily - Logwatch

Install Logwatch and edit /etc/log.d/logwatch.conf

and change the lines 

MailTo = rtg2t@virginia.edu
Detail = Low

to send mail to the admin of your machine.  Pick the detail
level that fits.


7. Starting MySQL Safely

* Stop the network with

   /etc/rc.d/init.d/network stop

* Start mysqld
   /etc/rc.d/init.d/mysqld start

* Change passwords

# mysql 
mysql> 
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select user,host,password from user;
+------------+-------------------------+------------------+
| user       | host                    | password         |
+------------+-------------------------+------------------+
| root       | localhost               |                  |  <--- blank password
| root       | xxxxx.yyy.virginia.edu  |                  | 
|            | localhost               |                  |
|            | xxxxx.yyy.virginia.edu  |                  |
+------------+-------------------------+------------------+

mysql> set password for 'root'@'localhost' = password('strong-pwd');
mysql> set password for 'root'@'xxxxx.yyy.virginia.edu' = password('strong-pwd');
mysql> delete from user where user = "";
Query OK, 2 rows affected (0.00 sec)

mysql> select user,host,password from user;
+------------+-------------------------+------------------+
| user       | host                    | password         |
+------------+-------------------------+------------------+
| root       | localhost               | dsaf234fsafds3yg |  <--- encrypted hash
| root       | xxxxx.yyy.virginia.edu  | dsaf234fsafds3yg | 
+------------+-------------------------+------------------+

mysql> flush privileges;
Query OK, 4 rows affected (0.00 sec)

mysql> quit

* Edit $HOME/.mysql_history to remove reference to strong-pwd

* Plug in network cable and turn network on
   /etc/rc.d/init.d/network start
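The same clean-up as an added script (not part of the original checklist): the new password is read with echo off and the client runs with MYSQL_HISTFILE=/dev/null, so nothing ends up in $HOME/.mysql_history and there is nothing to edit afterwards. It assumes the MySQL release the page uses (SET PASSWORD ... = PASSWORD()); the function names and the example host are this example's own.

```shell
#!/bin/sh
# mysql_hardening_sql HOSTNAME PASSWORD
#   Prints the step-7 statements for root@localhost and root@HOSTNAME,
#   removes the anonymous accounts, then lists any account still left
#   with an empty password. Prints nothing and returns 1 if the password
#   contains a quote or backslash, which would break the SQL literal.
mysql_hardening_sql() {
    host="$1"; pw="$2"
    case "$pw" in
        *\'*|*\\*) return 1 ;;
    esac
    cat <<EOF
USE mysql;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$pw');
SET PASSWORD FOR 'root'@'$host' = PASSWORD('$pw');
DELETE FROM user WHERE user = '';
FLUSH PRIVILEGES;
-- anything listed by this query still has an empty password
SELECT user, host FROM user WHERE password = '';
EOF
}

# apply_mysql_hardening HOSTNAME
#   Run as root with the network stopped (step 7). The password is typed
#   at a no-echo prompt and reaches the client only on stdin.
apply_mysql_hardening() {
    printf 'New MySQL root password: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    sql=$(mysql_hardening_sql "$1" "$pw") ||
        { echo "password may not contain ' or \\" >&2; return 1; }
    # MYSQL_HISTFILE=/dev/null stops the client from writing a history file
    printf '%s\n' "$sql" | MYSQL_HISTFILE=/dev/null mysql -u root
}

# Example: apply_mysql_hardening db1.example.edu
```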