- Root: Don’t run as root. There are some tasks you must do as the root user. However, make sure you always type “exit” when you are done — or take advantage of sudo, which will automatically require you to re-authenticate as root after a timeout period. Do any and all of your normal tasks as a normal, nonadministrative user. If you don’t already have a regular user account (which should be nearly impossible with most distributions), stop whatever you are doing — RIGHT NOW — and create a regular user account, and then log in to that account to do your work.
- Updates: Keep your system patched. The only program that never needs patching is the one that hasn’t been written yet. Pretty much every piece of software ever written has bugs, aka vulnerabilities, in it somewhere. I have seen with my own eyes how easy it is to “pwn” unpatched operating systems. The bottom line here is — keep your system patched! openSUSE’s package management utility, Zypper, lets you check for patches. Usually, just running the updates does what you need, but sometimes you may feel better going to the patch level.
- Unwanted Services: Review services and disable any unnecessary ones. I can’t tell you how many times I have seen this advice. It’s good, rock solid advice. Go through your packages and see what is installed on the system. Run netstat. Do you see any services you don’t need? Is Telnet running? You don’t need that (except for rare test cases). Shut it down. Shut it down NOW. That goes for any service you don’t need. If you really need the service, great — run it. You can find out how to secure that service. But anything else, shut it down. Uninstall it, even. Seriously, if you don’t need it, get rid of it.
- Ports: Test open ports. Learn Nmap and related tools. Learn some other port and vulnerability scanners. Use them. Also learn your distribution’s commands and utilities for managing ports. Shut down any open, unused ports. One company I know has only two, at most three, ports open on the external network. That makes them a very hard target indeed. The bad guys may find and attack those ports. Then again, they may just go looking for easier targets.
- SELinux: Don’t disable it. SELinux is a policy-based Mandatory Access Control utility. Basically, it gives you fine-grained control over users and how they interact with files and programs. Some distributions (notably, Red Hat & Fedora) come with SELinux installed by default. Others use it as an add-on option. At the recent SELF conference, one guy said he took a class on SELinux, and found out how to use permissive mode as something of a way to test policy changes. You can learn more about SELinux on the SELinux Project Wiki.
- Backups: Make regular backups and keep them secure. With advances in ransomware (in one case, a company’s backups were held ransom), I recommend finding a way to get those backups off your network as soon as they run. Okay, if you haven’t made a backup lately — you know the drill — stop right now and do so. Then drop and do 100 pushups for Chesty. What’s that? You thought I said 50 pushups earlier? You’re the one who should have been making backups all along. So now you owe double.
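As an added example (not part of the original post), here is a small shell audit script that ties the Root, Unwanted Services and Ports items together: it warns if the shell is running as root, reports the SELinux mode, and flags listening sockets on ports you usually have no business exposing. It parses `ss -tulnpH` style output (iproute2's replacement for netstat), and the unwanted-port list and the sample socket lines are constructed assumptions, not anything from the post.

```bash
#!/usr/bin/env bash
# Constructed list of ports the post's advice would have you shut down
# (assumption: 23 = telnet, 21 = ftp, 111 = rpcbind).
UNWANTED_PORTS="23 21 111"

# Read `ss -tulnpH` lines on stdin; print "proto port process" for each
# listening socket whose local port is in UNWANTED_PORTS.
flag_listeners() {
  while read -r proto _state _recvq _sendq laddr _peer proc; do
    port="${laddr##*:}"          # works for 0.0.0.0:23, [::]:23 and *:23
    for p in $UNWANTED_PORTS; do
      if [ "$port" = "$p" ]; then
        printf '%s %s %s\n' "$proto" "$port" "${proc:-unknown}"
      fi
    done
  done
}

# Live checks for the Root and SELinux items; each tool is optional so the
# script degrades gracefully on hosts without ss or SELinux.
audit_host() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "WARNING: running as root; use sudo only for the tasks that need it"
  fi
  if command -v getenforce >/dev/null 2>&1; then
    echo "SELinux mode: $(getenforce)"
  fi
  if command -v ss >/dev/null 2>&1; then
    echo "Listeners on unwanted ports:"
    ss -tulnpH | flag_listeners
  fi
}

# Constructed sample of ss output so the parser can be exercised offline.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=900,fd=4))
udp UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=450,fd=6))'

demo() {
  printf '%s\n' "$SAMPLE_SS" | flag_listeners
}
```

Run `audit_host` on a real machine, or `demo` to see the two flagged sample sockets (telnet on tcp/23 and rpcbind on udp/111).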