> I plan on allowing a user to remotely login to my linux box with a GUI. > > How can I best lockdown the system so the can't do any damage? > > > (I know there's a lot to do, links would be appreciated.) A good start would be to: Mount /tmp /var and /usr/local as noexec and nosuid. Tune selinux or go through the pain of installing something easier to understand like RSBAC (http://www.rsbac.org/). If the machine is not a mail server, be sure that Sendmail/Postfix is configured to only send mail to/from the localhost. This greatly depends on what other users will be using this machine of course. Lock down your outgoing ports as well as the incoming on your firewall (hopefully not the same machine). Disable the FTP server or better yet, remove the package altogether. That's all I can think of at the moment. A better understanding of what the user will be expected to do would make it much easier. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
