OK, this section should be short, simple and straightforward
compared to the above, but no less important.
The very first thing to do after a new install is to check your
distribution's updates and security notices and apply all patches.
Only a year old you say? That's a long
time actually, and not current enough to be safe. Only a few months or few
weeks? Check anyway. A day or two? Better safe than sorry. It is quite
possible that security updates have been released during the pre-release
phase of the development and release cycle. If you can't take this step,
disable any publicly accessible services until you can.
Linux distributions are not static entities. They are updated with new,
patched packages as the need arises. The updates are just as important
as the original installation. Even more so, since they are fixes. Sometimes
these updates are bug fixes, but quite often they are security fixes because
some hole has been discovered. Such "holes" are
immediately known to the cracker community, and they are
quick to exploit them on a large scale. Once the hole is known, it is quite
simple to get in through it, and there will be many out there looking for it.
And Linux developers are also equally quick to provide fixes. Sometimes the
same day as the hole has become known!
Keeping all installed packages current with your release
is one of the most important steps you can take in maintaining a secure
system. It cannot be emphasized enough that all installed packages should be
kept updated -- not just the ones you use. If this is burdensome, consider
uninstalling any unused packages. Actually this is a good idea anyway.
But where to get this information in a timely fashion? There are a number of
web sites that offer the latest security news. There are also a number of
mailing lists dedicated to this topic. In fact, your vendor
most likely has such a list where vulnerabilities and the corresponding
fixes are announced. This is an excellent way to stay abreast of
issues affecting your release, and is highly
recommended. http://linuxsecurity.com is a good
site for Linux-only issues. They also have weekly newsletters available:
http://www.linuxsecurity.com/general/newsletter.html.
Also, many distributions have utilities that will automatically update your
installed packages via ftp. This can be run as a
cron job on a regular basis and is a painless
way to go if you have ready Internet access.
This is not a one time process -- it is ongoing. It is important to stay
current. So watch those security notices. And subscribe to your vendor's
security mailing list today! If you have a cable modem, DSL, or other
full time connection, there is no excuse not to do this religiously.
All distributions make this easy enough!
One last note: any time a new package is installed, there is also a
chance that a new or revised configuration has been installed as well.
Which means that if this package is a server of some kind, it may be
enabled as a result of the update. This is bad manners, but it can
happen, so be sure to run netstat or a
comparable tool to verify your system is where you want it after any
updates or system changes. In fact, do it periodically even if there are no
such changes.
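
One way to do the netstat check described above is to save the listener list before an update and compare it afterwards. This is an added example, not part of the original text; the function names and the sample captures are constructed, and it assumes the column layout printed by `netstat -tuln`.

```shell
#!/bin/sh
# Added example: report listeners that appeared after a package update.
# Real use:  netstat -tuln > before;  <apply updates>;  netstat -tuln > after
#            new_listeners before after

# Reduce netstat -tuln text on stdin to sorted "proto local-address" lines.
# TCP rows count only in LISTEN state; UDP rows carry no state column.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/                   { print $1, $4 }' | LC_ALL=C sort -u
}

# new_listeners BEFORE_FILE AFTER_FILE
# Prints listeners present in AFTER_FILE but absent from BEFORE_FILE.
new_listeners() {
    b=$(mktemp) || return 1
    a=$(mktemp) || { rm -f "$b"; return 1; }
    listeners < "$1" > "$b"
    listeners < "$2" > "$a"
    LC_ALL=C comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Constructed sample captures (not from a real host).
SAMPLE_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*'

SAMPLE_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# Run the comparison on the constructed samples.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_BEFORE" > "$d/before"
    printf '%s\n' "$SAMPLE_AFTER"  > "$d/after"
    new_listeners "$d/before" "$d/after"
    rm -rf "$d"
}
```

Any line it prints is a service that was not listening before the update and should either be expected or be disabled.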