Hardening Linux E-mail
by David M Williams   
Sunday, 12 August 2007
Launch Bastille by opening a terminal as root and executing ./InteractiveBastille. You are led through a series of security steps, as follows.

  1. Apply a firewall, using iptables, to block access to potentially vulnerable services. This is a big topic which cannot be adequately covered here; fortunately, Bastille’s own explanations do an admirable job. In one sense this is redundant: if a service has been disabled as discussed above, nothing is listening on its port and there is nothing to exploit. But you might later restore a service for testing or for internal use, or it may be restored inadvertently, and a firewall rule keeps it unreachable from outside either way. Bastille errs on the side of tougher security by protecting against the same exploit by more than one method (defence in depth).
  2. Retrieve and apply available operating system patches, as discussed above.
  3. Audit the system tools which have the SUID bit set and are owned by root, so that they run as the superuser even when ordinary users invoke them. A set-uid root program performs its actions with full superuser powers no matter who executes it, so any flaw in one is a local privilege escalation. In some cases this is essential: if the passwd command could not write back to the shadowed password file, nobody could change their own password. However, you may not want ordinary users running the dump and restore commands, both of which come with SUID status out of the box.
  4. Tighten up account security. Here Bastille first asks you to create a second account with root-level access. This means you can disable direct root logins if desired, or at the very least, if you exclusively use the second account, you know that any attempt to log in as root is not you. This section of Bastille also prompts you to enforce password aging and some other items, such as assigning a restricted or useless shell to non-user accounts. There’s wisdom in this last point. Here’s a true story: back in 1991, I myself gained root access to the Computer Science department SunOS server at the University of Newcastle (which I reported). It all began because I was casually looking through /etc/passwd for accounts which didn’t have a password. I logged in as sync and came across an exploit.
  5. Enhance boot security. This restricts what someone with physical access to the machine can do, such as starting it in single-user mode to obtain a root shell; Bastille’s boot module offers to password-protect the boot loader and single-user mode.
  6. Deactivate or restrict unnecessary services, as discussed above.
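
The firewall, SUID and account checks behind steps 1, 3 and 4 above, written out as an added shell example. This is not Bastille’s code and not the author’s; the function names, the port list, the /sbin/dump path and the sample passwd and shadow lines used to try it are this example’s own assumptions. Each function takes its input as an argument, so it can be pointed at the live system or at a copy.

```shell
#!/bin/sh
# Added example, not Bastille's own code: the checks behind Bastille steps 1, 3
# and 4, as plain POSIX sh functions that take their inputs as arguments so they
# can be run against the live system or against copies and sample files.
# All function names here are this example's own.
set -e

# Step 1: print an iptables-restore ruleset for a mail host. Inbound traffic is
# dropped by default; loopback, established flows and the listed TCP ports
# (e.g. 22 25 587 993) are allowed. Printed rather than applied, so the rules
# can be reviewed and then piped into iptables-restore.
mail_firewall_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Step 3: list set-uid files below a directory without crossing mount points.
# Run "suid_audit /" on the live host, then strip the bit from anything ordinary
# users have no business running (e.g. drop_suid /sbin/dump; path assumed).
suid_audit() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

drop_suid() {
    chmod u-s "$1"
}

# Step 4: account hygiene. empty_password_accounts reads a shadow- or
# passwd-format file and prints accounts whose password field is empty (the
# "sync" case from 1991). system_accounts_with_shell prints system accounts
# (uid below $2, default 1000, root excluded) that still have a real login
# shell; these are the ones to move to /sbin/nologin or /bin/false.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

system_accounts_with_shell() {
    awk -F: -v max="${2:-1000}" \
        '$3 < max && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Password aging for one account (needs root; chage is part of shadow-utils).
set_password_aging() {
    chage --maxdays "$2" --warndays 7 "$1"
}

# Read-only report against the live system; needs root to read /etc/shadow.
audit_report() {
    echo "== set-uid files under /";               suid_audit /
    echo "== accounts with an empty password";     empty_password_accounts /etc/shadow
    echo "== system accounts with a login shell";  system_accounts_with_shell /etc/passwd
}

# Only runs the report when invoked as: sh harden_mail.sh report
if [ "${1:-}" = "report" ]; then
    audit_report
fi
```

Run `sh harden_mail.sh report` as root for the audit, which changes nothing. To apply the firewall after reading the rules, use `mail_firewall_rules 22 25 587 993 | iptables-restore`, and note that the port list must include SSH or you lock yourself out. The awk checks look only at the password field being empty; a `*` or `!` there is a locked account, not an open one, which is why they are not reported.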

From this point, the remaining modules are less significant (though still beneficial) and include disabling program compilation, limiting system usage, increasing logging, installing SSH, tightening up DNS and Apache, disabling printing and a couple of other things.

Bastille now exits, but has not yet changed anything: all your choices have been saved to a configuration file. Run ./BackEnd.pl to apply them, then reboot and test the hardened server. Attackers will find far fewer vulnerabilities and options to use against it.

Security is something we all need to take seriously, and many people may not even be aware of the weaknesses in their own systems. Fortunately, the above steps are easy to understand and simple to implement. You should also look at Linux From Scratch's excellent guide to building a hardened Linux system from scratch.
