My checklist is:

1.- custom install (do not select tasks) w/ shadow passwords
2.- go through deselect and remove packages before doing an install, leave bare-minimum
3.- (the things in the debian-hardening-howto: quotas, login definitions, lilo)
4.- check init.d scripts, remove unwanted with package (check with dpkg -S, do dpkg --purge); if they are useful but not interesting to enable on startup use update-rc.d XXX remove
5.- Install services that will be used in bastioned host
6.- check services enabled: ps aux, netstat -n --inet, lsof -i
7.- Remove RPC (if not using NFS or any other RPC service, i.e. always)
8.- check inetd services: grep -v "^#" | sort | uniq. remove unwanted with update-inetd
9.- check if inetd services are wrapped (tcpd); configure hosts.deny, hosts.allow
10.- check which services are running as root (with ps aux, netstat). Consider changing to a given user/group (start-stop-daemon -- -u XXX -g XXX). Consider chrooting.
11.- (if services changed to another user) Check files from services (dpkg -L) and change ownership.
12.- Recheck services enabled.
13.- Test install: services work as expected
14.- Check setting with network scanner, analysis of vulnerabilities
15.- Install problem detectors (snort, logging...)
16.- Recheck with network scanner. Do detectors warn you? (for the truly paranoid ;)
17.- Add firewall capabilities. Offer only selected services.
18.- Recheck install (13)
19.- Recheck with network scanner.

And no, I'm not in a mental institution ;)

Javi
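Steps 6 to 10 of the checklist above are all "look at what is enabled and who it runs as" checks. The script below is an added example, not part of Javi's post: it runs those checks over a constructed inetd.conf snippet and a constructed table of listening sockets (the column layout of that table is an assumption made for the example, not netstat output), so it can be run offline. The same awk filters work unchanged on a real /etc/inetd.conf.

```bash
#!/bin/sh
# Added example (not from the original post). Audits an inetd.conf-style
# text and a listening-socket table for the points raised in steps 6-10:
# which inetd services are enabled, which are not wrapped by tcpd, and
# which services run as root.

# Constructed sample inetd.conf; the commented telnet line is disabled.
SAMPLE_INETD='# <service> <type> <proto> <wait> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd
daytime stream  tcp     nowait  root    internal'

# Constructed listener table (assumed columns: proto local_addr user program).
SAMPLE_LISTENERS='tcp  0.0.0.0:22    root  sshd
tcp  0.0.0.0:25    root  exim
tcp  127.0.0.1:53  bind  named
udp  0.0.0.0:111   root  portmap'

# Step 8: enabled (uncommented) inetd services, one per line, sorted.
inetd_enabled() {
    printf '%s\n' "$1" | awk '$0 !~ /^[[:space:]]*#/ && NF >= 6 { print $1 }' | sort -u
}

# Step 9: enabled services whose server is neither tcpd nor an internal
# service, i.e. not covered by hosts.allow / hosts.deny.
inetd_unwrapped() {
    printf '%s\n' "$1" | awk '
        $0 !~ /^[[:space:]]*#/ && NF >= 6 &&
        $6 != "/usr/sbin/tcpd" && $6 != "internal" { print $1 }' | sort -u
}

# Step 10: enabled inetd services whose user field is root (handles
# "root", "root.group" and "root:group" spellings).
inetd_as_root() {
    printf '%s\n' "$1" | awk '
        $0 !~ /^[[:space:]]*#/ && NF >= 6 {
            split($5, u, /[.:]/); if (u[1] == "root") print $1 }' | sort -u
}

# Steps 6/10: programs listening on a non-loopback address as root.
listeners_as_root() {
    printf '%s\n' "$1" | awk '
        NF >= 4 && $3 == "root" && $2 !~ /^127\./ { print $4 }' | sort -u
}

# Stand-alone run: print the audit report for the sample data.
echo "enabled inetd services:";      inetd_enabled "$SAMPLE_INETD"
echo "not wrapped by tcpd:";         inetd_unwrapped "$SAMPLE_INETD"
echo "inetd services as root:";      inetd_as_root "$SAMPLE_INETD"
echo "network listeners as root:";   listeners_as_root "$SAMPLE_LISTENERS"
```

In the sample, finger shows up as unwrapped and portmap shows up as a root listener, which is exactly the kind of thing steps 7 and 9 tell you to remove or wrap before rechecking in step 12.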