If you get a VPS, be aware that there are LOTS of brute force hackers scanning for port 22. Get your system secured (user other than root with sudo privileges) or at the very least move SSH to a non standard port.
First some basic checks:
netstat
ps aux
top
df -h
free -m
which wget
yum install elinks //just in case!
rmdir opt
rmdir misc
http://www.anime.net/~goemon/benchmarks.html ?
cat /etc/passwd //yup, everything's already set to /sbin/nologin
userdel news
userdel games
useradd not-root-username
visudo
not-root-username ALL=(ALL) ALL
nano /etc/ssh/sshd_config
port 2345 //add this line and leave the existing "port 22" line in place for now, so sshd listens on both
MaxAuthTries 6
AllowUsers not-root-username
/etc/init.d/sshd reload
/etc/init.d/sshd restart
Test logging in... then comment out #port 22 so that SSH is on the nonstandard 2345
After you're sure your non-default sudo user can login, change /etc/ssh/sshd_config to: PermitRootLogin no
You should be able to complete all of the above in about 10 minutes. If you're curious, leave it with default port 22 and root user for a day and then check last -f /var/log/btmp
modify the .bashrc a little
ensure the sudo su user has the right path... (currently only /usr/kerberos/sbin:/usr/kerberos/bin )
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ls='ls --color=auto'
alias ll='ls -ahl --color=auto'
alias free='free -m'
alias df='df -h'
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
. .bashrc //to load
login with a second connection to test that the above is working
shutdown -r now //test if changes remain after reboot
chkconfig --list //of course all sorts of useless stuff!
rpm -qa > software-2010 //more junk: gnome,
yum remove wireless-tools firstboot-tui rhpl
IPTABLES AND THE FIREWALL
next we need to ensure we don't lock ourselves out... (every 15 minutes reset the iptables rules to blank?)
sudo iptables -L -n --line-numbers -v
iptables-save > empty-iptables.txt
REMEMBER, CRONTAB SETTINGS with a comment
minute, hour, dayofmonth, month, dayofweek
below runs every 15 minutes (the slash in */15 is the step operator in the minute field)
$ crontab -e
*/15 * * * * /sbin/iptables-restore /path-to/empty-iptables.txt
NOTE: ON CENTOS/REDHAT SYSTEMS SELinux won't let the iptables-restore work! You must set it to permissive mode for your cron job to work.
DON'T FORGET to set SELINUX back to enforcing (if that's what you want) and to disable or remove the "allow everything" cron job!
Now we will practice a little and ensure that our insurance policy really works.
You can begin adding some "permissive" rules (always give yourself permission first, then deny all!)... note that we deliberately want to spend more than 15 minutes doing this so that the cron overwrites back to blank, then we'll add the deny line and test.
sudo iptables -L -n --line-numbers -v
FIRST, always allow loopback interfaces as many applications "talk to themselves" using the loopback ethernet device... (ifconfig shows you the interface names, -i...)
iptables -I INPUT 1 -i lo -j ACCEPT
Allow established sessions (on all interfaces, all protocols, all ports)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
if you're not using conntrack (connection tracker plugin):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I RH-Firewall-1-INPUT 7 -p tcp --dport 7777 -j ACCEPT
Allow standard ssh port
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
Allow non standard ssh port
iptables -I INPUT 2 -p tcp --dport 2345 -j ACCEPT
DENY at the end...
iptables -A INPUT -j DROP
//Note that this has removed the ICMP ping ability... so let's add it back
iptables -I INPUT 2 -p icmp -j ACCEPT
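The sequence of -I and -A commands above ends up with the INPUT chain ordered lo, icmp, 2345, 22, established, DROP. The script below is an added example (not from these notes) that writes that same final policy as an iptables-restore file and checks that the SSH allow sits above the final DROP before you load it; the port number and the SSH_PORT variable are assumptions you can change.

```shell
#!/bin/sh
# Added example: emit the notes' final INPUT policy in iptables-restore format.
# SSH_PORT defaults to the non-standard port used in the notes (assumption).
SSH_PORT="${SSH_PORT:-2345}"

# Same final order the -I/-A commands in the notes produce:
# loopback, icmp, non-standard ssh, standard ssh, established/related, drop.
build_input_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Lockout check: the rule allowing our SSH port must come before the
# catch-all DROP, otherwise loading the file cuts off this very session.
check_order() {
    rules=$(build_input_rules)
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Usage as root, with the 15-minute "blank rules" cron job still in place:
#   build_input_rules > /tmp/input-rules.txt && check_order && iptables-restore /tmp/input-rules.txt
```

Once the rules survive a reload and a second SSH login works, save them with iptables-save and remove the cron safety net as the notes say.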