Linux Securing Tips

First step, look for your vulnerabilities.

There may well be more sophisticated ways, but this one gets the job done.
I have some non-secured systems for development and testing purposes, so they carry a great bunch of security risks.
This procedure is illustrated on a freshly restarted system.
First step:
Look at where your risks are going to come from:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      940/mysqld
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1271/inetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2025/apache2
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN      1313/tnslsnr
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      507/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      771/cupsd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1313/tnslsnr
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1776/master
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      1010/mediatomb
tcp        0      0 0.0.0.0:44803           0.0.0.0:*               LISTEN      1558/xe_d000_XE
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      1271/inetd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      957/slapd
tcp6       0      0 :::143                  :::*                    LISTEN      1087/couriertcpd
tcp6       0      0 :::22                   :::*                    LISTEN      507/sshd
tcp6       0      0 :::993                  :::*                    LISTEN      1116/couriertcpd
tcp6       0      0 :::389                  :::*                    LISTEN      957/slapd
ocm@achtung:~$

Another way:
ocm@achtung:~$ sudo lsof -ni | grep TCP
sshd       461      root    3r  IPv6   6522      0t0  TCP *:ssh (LISTEN)
sshd       461      root    4u  IPv4   6524      0t0  TCP *:ssh (LISTEN)
mediatomb  738 mediatomb    6u  IPv4   7416      0t0  TCP *:49152 (LISTEN)
mysqld     774     mysql    9u  IPv4   7553      0t0  TCP *:mysql (LISTEN)
slapd      820  openldap    8u  IPv4   7457      0t0  TCP *:ldap (LISTEN)
slapd      820  openldap    9u  IPv6   7458      0t0  TCP *:ldap (LISTEN)
couriertc  952      root    3u  IPv6   7803      0t0  TCP *:imap2 (LISTEN)
couriertc 1004      root    3u  IPv6   7912      0t0  TCP *:imaps (LISTEN)
cupsd     1182      root    8u  IPv4   8891      0t0  TCP 127.0.0.1:ipp (LISTEN)
oracle    1605    oracle  125u  IPv4  10646      0t0  TCP *:55231 (LISTEN)
master    1727      root   12u  IPv4  11034      0t0  TCP 127.0.0.1:smtp (LISTEN)
apache2   1966      root    4u  IPv4  11514      0t0  TCP *:www (LISTEN)
apache2   1977  www-data    4u  IPv4  11514      0t0  TCP *:www (LISTEN)
apache2   1979  www-data    4u  IPv4  11514      0t0  TCP *:www (LISTEN)
apache2   1981  www-data    4u  IPv4  11514      0t0  TCP *:www (LISTEN)
apache2   1983  www-data    4u  IPv4  11514      0t0  TCP *:www (LISTEN)
apache2   1985  www-data    4u  IPv4  11514      0t0  TCP *:www (LISTEN)
sshd      2016      root    3r  IPv4  11658      0t0  TCP 192.168.56.101:ssh->192.168.56.1:4997 (ESTABLISHED)
sshd      2123       ocm    3u  IPv4  11658      0t0  TCP 192.168.56.101:ssh->192.168.56.1:4997 (ESTABLISHED)
ocm@achtung:~$

It looks pretty bad: many test databases and default media apps are listening. So we want to choose the essential services to start by default:

0.0.0.0:3306--940/mysqld          Required
0.0.0.0:110--1271/inetd           NOT
0.0.0.0:80--2025/apache2          Required
0.0.0.0:1521--1313/tnslsnr        NOT
0.0.0.0:22--507/sshd              Required
127.0.0.1:631--771/cupsd          NOT
0.0.0.0:8888--1313/tnslsnr        NOT
127.0.0.1:25--1776/master         NOT
0.0.0.0:49152--1010/mediatomb     NOT
0.0.0.0:44803--1558/xe_d000_XE    NOT
0.0.0.0:995--1271/inetd           NOT
0.0.0.0:389--957/slapd            NOT
:::143--1087/couriertcpd          NOT
:::22--507/sshd                   Required
:::993--1116/couriertcpd          NOT
:::389--957/slapd                 NOT

There are many standard apps that we simply want to turn off at boot time and start manually: they are mediatomb… courier-imap slapd lightdm
These "standard steps" are the same as for Oracle:
ocm@achtung:/usr/lib/oracle$ sudo service oracle-xe stop
Shutting down Oracle Database 10g Express Edition Instance.
Stopping Oracle Net Listener.
ocm@achtung:/usr/lib/oracle$

securing POP3 through inetd
securing oracle
securing apache2
securing sshd
securing mysql
We have stopped all the apps that were being started by default and are now started manually, and secured everything that could be secured, and now the picture looks like this:
ocm@achtung:/etc/mysql$ sudo netstat -tnlp | grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.56.101:80       0.0.0.0:*               LISTEN      2299/apache2
tcp        0      0 192.168.56.101:443      0.0.0.0:*               LISTEN      2299/apache2
tcp        0      0 192.168.56.101:9922     0.0.0.0:*               LISTEN      9784/sshd
tcp6       0      0 :::993                  :::*                    LISTEN      921/couriertcpd
ocm@achtung:/etc/mysql$

This does not mean we are going to uninstall and discard these apps; we are only going to switch them to "manual mode". We certainly still need to restrict further the origins allowed to reach the listening services, because the 0.0.0.0 mask means "wherever you come from", which is not very secure.
Note that this only shows the TCP risks; later we will learn to identify UDP and other risks.
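
To repeat this check after every change instead of reading the listing by eye, the following added example (not part of the original article) compares `netstat -tnlp` output against an allowlist and reports every network-reachable listener that is not on it. The function names `audit_listeners` and `sample_after` and the `ALLOWED` values are assumptions of this example; the sample input is the final listing shown above.

```shell
# Allowlist of "port/program" pairs expected to be reachable from the network.
# Assumption of this example: it mirrors the article's final state
# (apache2 on 80 and 443, sshd moved to 9922).
ALLOWED="80/apache2 443/apache2 9922/sshd"

# Reads `netstat -tnlp` text on stdin and prints one line for every listener
# that is bound to a non-loopback address and is missing from the allowlist.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # Only listening TCP sockets; this also skips the two header lines.
    ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
        addr = $4
        # The port is whatever follows the last colon (also works for ":::993").
        port = addr; sub(/^.*:/, "", port)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # Loopback-only listeners cannot be reached from other hosts.
        if (host == "127.0.0.1" || host == "::1") next
        # "PID/Program name" column: keep only the program name.
        prog = $7; sub(/^[0-9]+\//, "", prog)
        if (!((port "/" prog) in ok))
            printf "UNEXPECTED %s %s port %s (%s)\n", $1, host, port, prog
    }'
}

# Sample input: the final listing from the article, embedded so this runs offline.
sample_after() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.56.101:80       0.0.0.0:*               LISTEN      2299/apache2
tcp        0      0 192.168.56.101:443      0.0.0.0:*               LISTEN      2299/apache2
tcp        0      0 192.168.56.101:9922     0.0.0.0:*               LISTEN      9784/sshd
tcp6       0      0 :::993                  :::*                    LISTEN      921/couriertcpd
EOF
}

# Audit the embedded sample; on a live host use: sudo netstat -tnlp | audit_listeners
sample_after | audit_listeners
```

On the final listing this reports the couriertcpd listener on :::993, which is still open on all IPv6 addresses even though it was marked NOT in the list of essential services.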