About hardening (securing)
For hardening activities to be most successful, you should:
Do hardening activities before the system is connected to the network to avoid attacks.
Base configuration on the least-privilege model: the system should grant access only to the degree necessary for proper functionality. Similarly, users should be allowed only the minimum set of access rights they need.
After completing the preliminary planning and preparation and performing the minimal installation (see Part 2), you need to consider several configuration steps. These steps are generally referred to as hardening Linux:
Part 1 – Securing the boot process
Configure the boot loader (LILO or Grub) so that it does not allow any user intervention at boot time; this prevents users from passing kernel parameters at boot prompt. Configured it to require a password unless you need to perform remote reboots (such as in a remote datacenter). This is an additional precaution against people who have physical access to the machine; it prevents casual hacks of such events as booting with the parameters single or init=/bin/sh to obtain a root shell, etc. Note, however, that with additional efforts (like removing the hard drive and mounting it on another system), this can be dodged easily unless you also encrypt your filesystems.
For LILO, replace the parameter prompt with password in the lilo.conf configuration file (usually in /etc). For Grub, the relevant parameters are hiddenmenu, default 0, and password in the Grub configuration file (usually in /boot/grub/grub/conf).
Ensure that the run-level configuration requires the root password when switching to single user mode by adding sp:S:respawn:/sbin/sulogin to /etc/inittab.
Prevent users from invoking a reboot using Ctrl-Alt-Del: disable the ctrlaltdel entry in /etc/inittab by commenting out the line with the ctrlaltdel. By adding a hash (#) sign similar to this — #ca::ctrlaltdel:/sbin/shutdown -t5 -rf now — you can prevent that key combination from ever triggering a reboot.