1. Log in as root.

2. Run /usr/sbin/visudo. Add yourself. We recommend you use this

3. Log out.

4. Log in as yourself.

5. Run sudo /usr/sbin/setup. Enter "System Services" and disable everything you don't need. This includes:

- apmd

- gpm

- isdn

- kudzu

- lpd

- nfslock

- pppoe

- pcmcia

- portmap

- rawdevices

- rhnsd

6. As root, edit /etc/ntp.conf to set NTP servers. You may wish to view our file. Use the 'setup' utility to ensure that ntpd is starting at boot.

7. Edit /etc/issue & /etc/issue.net to say:

UNAUTHORIZED ACCESS PROHIBITED

8. Edit /etc/motd to look like .

9. Install rhupdate:

A. lynx

B. download the latest rhupdate

C. Expand the file:

tar -xzlf rhupdate-whatever.tar.gz

D. Install:

cd rhupdate-whatever/

./configure

sudo make install

E. delete that stuff

cd ..

rm -rf rhupdate-whatever*

10. Download and install updates:

A. Create a download directory

mkdir /tmp/updates

B. Download the updates

/usr/local/bin/rhupdate --download /tmp/updates --server mirror.services.wisc.edu --dir /mirrors/linux/distributions/redhat/updates/ --hash

C. Install the updates:

sudo rpm -Uvh /tmp/updates/*.rpm

D. Delete the updates:

rm -f /tmp/updates/*

11. Prevent some attacks. Add the following lines to the end of /etc/rc.d/rc.local:

##### Begin DoS Prevention #####

# shut some DoS stuff down

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# increase the local port range

echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

# increase the SYN backlog queue

echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

echo 0 > /proc/sys/net/ipv4/tcp_sack

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo 64000 > /proc/sys/fs/file-max

ulimit -n 64000

# stop source routing

for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do

echo 0 > $i

done

# enable reverse-path filtering

for i in /proc/sys/net/ipv4/conf/*/rp_filter

do

echo 1 > $i

done

##### End DoS Prevention #####

12. Edit for the proper settings (compress, etc).

13. Edit /etc/sysctl.conf and change kernel.sysrq to equal 1:

# Enables the magic-sysrq key

kernel.sysrq = 1

14. Edit hosts.{

,}: You will need to configure the hosts files to meet the needs of each individual server. As a rule, only allow what you need from where you need it. The best thing to do is start off denying everything and allow only sshd and then add services as you go. For more information see "man 5 hosts_access".

15. Edit /etc/ssh/sshd_config:

Change "PermitRootLogin yes" to "PermitRootLogin no"

Change "Protocol 1,2" to "Protocol 2"

16. Reboot the machine:

sudo /sbin/shutdown -r now

17. Bask in the glory of an updated and secure Linux installation. :-)