Domino on Linux series: Server Hardening tips #1

Another quick tip for those out there who are still new to Linux – server hardening. Server hardening is an important part of putting your new Linux server into production. You can’t just set up a server, install Domino and then “just put it out there” – you need to do some more basic security first.

Here are some tips:

Don’t use root

Do not use the root account for any normal work – create an admin user and use that account for your daily work. You can assign sudo rights to it and get done all the work that you need done. I suggest disabling the root account – that is the safest solution.

Run only necessary software:

Every piece of software that is running and that you do not really need consumes system resources and also presents a potential security hole. I always advise stripping off all unnecessary weight:

Red Hat:

yum list installed
yum list [packageName]
yum remove [packageName]

Debian/Ubuntu:

dpkg --list
dpkg --status [packageName]
apt-get remove [packageName]

Linux Security Extensions:

I advise using either SELinux or AppArmor. grsecurity is another option that is out there. Personally I usually use SELinux, and it comes installed by default on Red Hat. With either of these programs you can set up some very good security that will help keep your server(s) safe. Seriously – you need to install one of these products and turn it on.

Password Policies and Password Aging

If you are used to Active Directory and all the built-in password policies, then this is not a new issue. Rules with minimum password length, special characters, restricting the use of previous passwords, lock-outs of accounts after multiple false log-ins, etc. – you must have heard it all already.

You can use to enforce password policies. Use programs such as Jack the Ripper to crack weak passwords. Alternatively you can look into adding your Linux servers (and desktops if you have any) to AD and use the accounts there for authentication. I plan to blog on that specific feature sometime in the near future.
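
To check the root-account and password-aging advice on a server that is already running, the following added example (not part of the original post) audits shadow-format entries. The 90-day default limit, the finding labels and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-format entries for root lock state and password aging.
# Field layout per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved

# audit_shadow FILE [MAX_DAYS]   (FILE may be "-" for stdin; MAX_DAYS defaults to 90)
# Prints one finding per line as "<account>:<issue>".
audit_shadow() {
    awk -F: -v limit="${2:-90}" '
        /^#/ || NF < 2 { next }
        {
            locked = ($2 ~ /^[!*]/)               # "!" or "*" prefix: password login disabled
            if ($1 == "root" && !locked) print $1 ":root-not-locked"
            if (locked) next                      # no usable password, aging is moot
            if ($2 == "") { print $1 ":empty-password"; next }
            if ($5 == "" || $5 + 0 > limit) print $1 ":max-age-over-limit"
            if ($4 == "" || $4 + 0 < 1)     print $1 ":no-min-age"
        }' "$1"
}

# Constructed sample data; the hashes are placeholders, not real password hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
admin:$6$CONSTRUCTED$placeholder:19700:1:90:14:::
notes:$6$CONSTRUCTED$placeholder:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
test::19000:0:99999:7:::
EOF
}

# With no argument, run against the constructed sample; as root, pass /etc/shadow.
if [ -n "${1:-}" ]; then
    audit_shadow "$1"
else
    sample_shadow | audit_shadow -
fi
```

An account with a minimum age of 0 can change its password repeatedly in one sitting, which defeats a rule against reusing previous passwords; that is why the script reports it separately from the maximum age.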

More on further ideas for server hardening will follow soon.