Two network interface cards (NICs) per server machine.
At least one server on a purely local address (no publicly routable IP) to act as a log server. Every other server runs a log client that reports to the log server. The common logging software on Unix is syslog; consider Splunk as well.
Set the boot loader (LILO, GRUB) to require a password.
Set the BIOS to disable booting from floppy and to require a password.
Never create a .rhosts file for root.
/etc/securetty contains the list of terminals from which root may log in.
Edit /etc/fstab to mount /home and /var with nosuid, nodev, and noexec.
Configure the default umask.
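Added example, not from the original list: a check that reports which of /home, /var and /tmp in an fstab are missing the nosuid, nodev and noexec options. The function names and the sample fstab are constructed for this demonstration.

```shell
# Added example: audit fstab mount options. Not from the original page;
# function names and the sample fstab below are constructed.

# Print "<mountpoint> missing: <opt>..." for each of /home, /var, /tmp
# that lacks any of the three hardening options. $1 is an fstab file.
check_fstab_options() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }          # skip comments, short lines
        $2 == "/home" || $2 == "/var" || $2 == "/tmp" {
            n = split($4, opt, ",")
            split("", have)                          # reset the option set per line
            for (i = 1; i <= n; i++) have[opt[i]] = 1
            missing = ""
            if (!("nosuid" in have)) missing = missing " nosuid"
            if (!("nodev"  in have)) missing = missing " nodev"
            if (!("noexec" in have)) missing = missing " noexec"
            if (missing != "") print $2 " missing:" missing
        }' "$1"
}

# Constructed sample: /home is hardened, /var and /tmp are not.
sample_fstab() {
    cat <<'EOF'
# <device>   <mount>  <type>  <options>                      <dump> <pass>
/dev/sda1    /        ext4    defaults                       0 1
/dev/sda2    /home    ext4    defaults,nosuid,nodev,noexec   0 2
/dev/sda3    /var     ext4    defaults,nodev                 0 2
tmpfs        /tmp     tmpfs   defaults                       0 0
proc         /proc    proc    defaults                       0 0
EOF
}

# Write the sample to a temp file, run the check, and return the report.
demo_fstab_check() {
    f=$(mktemp)
    sample_fstab > "$f"
    check_fstab_options "$f"
    rm -f "$f"
}

demo_fstab_check
```

Run it against the real file with `check_fstab_options /etc/fstab`. Note that noexec on /var can break software that executes files kept there (package-manager maintainer scripts, for example), so test the option before making it permanent.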
Per-user resource limits, set in /etc/security/limits.conf (the comment character there is #):
@users hard core 0      # prohibit creation of core files
@users hard nproc 50    # restrict the number of processes to 50
@users hard rss 5000    # restrict memory usage to 5M
/var/log/wtmp and /var/log/utmp contain the login records for all users. These files should have permission 644.
Set the immutable bit on critical files to prevent accidental deletion and to prevent someone from creating a symbolic link in their place. See the chattr(1) man page for information on the immutable bit.
Check for SUID and SGID programs (the escaped parentheses group the two tests so that -type f applies to both):
find / -type f \( -perm -4000 -o -perm -2000 \) -print
You can remove the SUID and SGID permission from suspicious programs with chmod (chmod u-s,g-s file).
To find all world-writable files on your system:
find / -perm -2 ! -type l -ls
To find files that have no owner or no group (without the grouping, -print would apply only to the -nogroup case):
find / \( -nouser -o -nogroup \) -print
To find .rhosts files in users' home directories:
find /home -name .rhosts -print
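Added example, not from the original list: the audit checks above as shell functions, run against a constructed sample tree so the expected findings are known in advance. The function names and the sample tree are mine; on a real system you would point the functions at / and /home.

```shell
# Added example: filesystem audit functions for the checks listed above.
# Not from the original page; helper names and the sample tree are constructed.

# SUID or SGID regular files. The \( ... \) grouping is required so that
# -type f applies to both alternatives.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# World-writable regular files. Symlinks always show mode 777 and are
# skipped; directories are handled by the next check.
find_world_writable() {
    find "$1" -xdev -perm -0002 ! -type l ! -type d -print 2>/dev/null
}

# World-writable directories that are missing the sticky bit (/tmp should
# never appear here).
find_ww_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Files owned by a UID or GID that no longer exists in passwd/group.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# .rhosts trust files anywhere under the given home tree.
find_rhosts() {
    find "$1" -xdev -name .rhosts -print 2>/dev/null
}

# Build a constructed tree with one finding per check and print its path.
# Runs in a subshell so the fixed umask does not leak to the caller.
build_sample_tree() (
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/home/alice/shared" "$d/home/bob"
    printf '#!/bin/sh\n' > "$d/usr/bin/setuidprog"
    chmod 4755 "$d/usr/bin/setuidprog"         # SUID program
    : > "$d/usr/bin/ok";      chmod 0755 "$d/usr/bin/ok"
    : > "$d/tmp/scratch";     chmod 0666 "$d/tmp/scratch"   # world-writable file
    chmod 1777 "$d/tmp"                        # sticky, as /tmp should be
    chmod 0777 "$d/home/alice/shared"          # world-writable dir, no sticky bit
    printf 'trusted.example.com bob\n' > "$d/home/bob/.rhosts"
    chmod 0600 "$d/home/bob/.rhosts"
    ln -s /nonexistent "$d/tmp/dangling"       # symlink: mode 777, must be ignored
    echo "$d"
)

# Run every check against a tree and print a labelled report.
audit_tree() {
    root=$1
    echo "== SUID/SGID files";                  find_suid_sgid "$root"
    echo "== world-writable files";             find_world_writable "$root"
    echo "== world-writable dirs without sticky"; find_ww_dirs_no_sticky "$root"
    echo "== files with no owner or group";     find_unowned "$root"
    echo "== .rhosts files";                    find_rhosts "$root/home"
}

t=$(build_sample_tree)
audit_tree "$t"
rm -rf "$t"
```

The report for the sample tree lists exactly one path under each heading except the unowned check, which needs a real orphaned file to fire.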
Set the umask to 077 in /etc/profile and take away write permission on the skeleton files. Be sure to make root's umask 077 as well. In this case a newly created directory would have permission 744, and a newly created file would have permission 644.
Set the sticky bit on the world-writable directory /tmp. With the sticky bit set on a directory, a user may only delete files that he owns or for which he has been granted write permission, even though he has write access to the directory.
SGID on a directory (chmod g+s): files created in that directory have their group ID set to the directory's group ID.
System configuration files (usually in /etc) are normally mode 640 and owned by root.
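Added example, not from the original list: the arithmetic behind the umask rule, generalised to any umask value (new files start from 666 and new directories from 777, and the umask bits are removed), together with a check of the sticky and setgid bits on a directory and of the group inheritance that setgid provides. The function names and the temporary directories are mine.

```shell
# Added example: umask arithmetic and directory special bits.
# Not from the original page; function names are constructed.

# Mode a newly created "file" or "dir" receives under the given octal
# umask: the creation default with the umask bits cleared.
mode_after_umask() {
    base=0666
    [ "$2" = dir ] && base=0777
    printf '%04o\n' $(( base & ~0$1 ))
}

# Permission string of a path as ls prints it, e.g. drwxrwsr-x.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Group name of a path, taken from the ls -ld listing.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Report "sticky", "setgid", both, or "none" for a directory: the sticky
# bit shows as t/T in the last position, setgid as s/S in the
# group-execute position (column 7).
dir_special_bits() {
    m=$(mode_string "$1")
    out=""
    case "$m" in *[tT]) out="sticky" ;; esac
    case "$(printf '%s' "$m" | cut -c7)" in
        s|S) out="${out:+$out }setgid" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# Constructed demonstration: a /tmp-style sticky directory and a setgid
# project directory whose new files inherit the directory's group.
demo_special_dirs() {
    d=$(mktemp -d)
    mkdir "$d/tmp";  chmod 1777 "$d/tmp"
    mkdir "$d/proj"; chmod 2775 "$d/proj"
    : > "$d/proj/newfile"
    echo "umask 077: dir $(mode_after_umask 077 dir), file $(mode_after_umask 077 file)"
    echo "umask 022: dir $(mode_after_umask 022 dir), file $(mode_after_umask 022 file)"
    echo "tmp:  $(dir_special_bits "$d/tmp")"
    echo "proj: $(dir_special_bits "$d/proj")"
    echo "group of proj: $(group_of "$d/proj"); group of new file: $(group_of "$d/proj/newfile")"
    rm -rf "$d"
}

demo_special_dirs
```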
Network services to review, disable, or restrict: finger, showmount, rpcinfo, whois, smtp, ftp, uucp
Why NFS exports must be restricted: with an export that is mountable and writable by anyone, an account can be added in three commands.
showmount -e victim.com
mount victim.com:/export/foo /foo
echo guest:x:1000:1:temporary breakin account:/: >> /etc/passwd
Never leave any system file writable by group or others. Some system files (including /etc/shadow) should be readable only by root, and directories in /etc should not be accessible by others.
Integrity checkers / intrusion detection: Snort, Tripwire, AIDE, Osiris, SATAN, COPS, tiger, ISS
Disable rsh, rlogin, and rcp (the login, shell, and exec services) in /etc/inetd.conf.
Use netstat -ta to list all the services your machine is offering.
Use software such as SystemImager (see Tools) to make installation and deployment of new servers easier.
Run identd, but block all requests except your own.
SATAN from metalab
Crack and John the Ripper