System Lockdown

aragonx at aragonx at
Thu Jan 4 16:44:25 UTC 2007

> I plan on allowing a user to remotely login to my linux box with a GUI.
> How can I best lockdown the system so the can't do any damage?
> (I know there's a lot to do, links would be appreciated.)

A good start would be to:

Mount /tmp /var and /usr/local as noexec and nosuid.

Tune selinux or go through the pain of installing something easier to
understand like RSBAC (

If the machine is not a mail server, be sure that Sendmail/Postfix is
configured to only send mail to/from the localhost.  This greatly depends
on what other users will be using this machine of course.

Lock down your outgoing ports as well as the incoming on your firewall
(hopefully not the same machine).

Disable the FTP server or better yet, remove the package altogether.

That's all I can think of at the moment.  A better understanding of what
the user will be expected to do would make it much easier.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the users mailing list