Some hints for systems running Unix in the Internet
This information is provided 'as is' - no warranty at all.
Before testing these hints on a productive system, please test them in your test-lab!
Every administrator should exactly know, which services
are offered by his system. At least the administrator should know about the
offered services and their configuration - and about the possible vulnerabilities
resulting from these services.
Only the services absolutely necessary should be running. Every
additional service might result in a security risk for the system and its data.
Every service offered should be documentated exactly.
This includes not only the documentation about the service itself, but also
the documentation of its configuration and which programs (including its
vulnerabilities) are active.
The basic rule should be:
Everything not allowed explicitely, is forbidden!
Only with this approach it can be made sure that when configuring the system no interdiction is forgotten.
So with this aproach the administrator is on the 'safe side'.
It's much better when internal users can't use a service than attackers (and the whole Internet) knowing,
that the administrator has forgotten to forbid a specific service.
The administrator should know about new vulnerabilities, security risks, and patches
for his or her system. So the administrator knows early about vulnerabilities of the system and is
able to install the latest patches or workarounds.
Due to security reasons only the latest version should be used.
Read more about it in our hints about sendmail