Here's a checklist to go though when you set up a new system, when you take responsibility for a system, and periodically after that. You'll learn more about each of these steps in the rest of this chapter.
Maintain good physical security.
Use only strong passwords, and change them regularly.
Configure the built-in firewall software to block access to all ports you are not using. (Choose the Sharing pane in System Preferences.)
Give as few people admin (root) access as is practical.
Change all admin passwords at least once every three months.
If the machine provides any services (such as Post Office Protocol [POP], Internet Mail Access Protocol [IMAP], or File Transfer Protocol [FTP]) that use unencrypted passwords, set up special shells for the users of those services so that they cannot log in to a standard shell. This defends against password-sniffing attacks by preventing a sniffed user name and password from being used to log in to a regular shell.
Do not allow Telnet access (it uses an unencrypted connection to provide shell access, so everything sent in the connection, including passwords, is susceptible to interception by bad people).
Only run servers you actually need. For example, do not run an e-mail server unless you need to.
Keep your software ( especially servers) up-to-date.
Monitor the Computer Emergency Response Team Web site (www.cert.org) or e-mail lists.
Periodically search your system for setuid root files.
Create MD5 checksums of all files in /etc and in each of the directories in your PATH . Save these on a CD-ROM, and run an md5sum check against the list every month.