This discussion of securing Linux assumes Red Hat 7.3, which is the latest version officially supported by Check Point. It should be similar for other versions of Red Hat.
Make sure you have the latest security fixes applied. The latest ones for Red Hat are available at http://www.redhat.com/apps/support/errata/.
A recommended partitioning scheme includes the following:
/boot: 256MB (should be first partition)
/ (root filesystem): everything else
/var: 400MB (for logging)
swap: larger of 256MB or twice the physical RAM
/var/opt: 15GB or a separate drive (FireWall-1 logs and configuration files)
Using the graphics-based or text-based installer, choose which grouping of packages to install. Choose Custom, then choose the package groups Network and Router/Firewall. Also select Choose Packages to Install.
In the graphical installer, there is a flat view that shows all the packages to load outside of their normal grouping. Ensure only the following packages are selected (you will have to disable a few):
bind-utils ftp gmp gnupg libcap libpcap lsof lynx m4 make minicom mtr ncftp nmap ntp perl rdate rmt sash statserial strace stunnel sudo sysinit tcp_wrappers tcpdump telnet traceroute tripwire unzip vlock wget whois xinetd zip zebra (if you need dynamic routing)
If you follow my package recommendations above, there should be almost no unnecessary services. However, sendmail gets installed by default and there is no way to prevent the installer from loading it. The command rpm -e sendmail removes the package afterwards.
Tweaking involves some file administration. You should first secure your /etc/passwd file (this is the database file that holds your user accounts and passwords). Ensure that your system is using /etc/shadow, which securely stores all passwords as hashes in a file that only root can access. This protects your passwords from being easily accessed and cracked (one of the first exploits for which a hacker searches). The use of shadow passwords is the default as of Red Hat 6.0; however, it never hurts to be sure. All you have to do is type pwconv as root. This automatically converts your passwords to the /etc/shadow file.
Next, remove most of the default system accounts in /etc/passwd. Linux provides these accounts for various system activities that you may not need. If you do not need the accounts, remove them. The more accounts you have, the easier it is to access your system. An example is the "news" account. If you are not running NNTP, a newsgroup server, you do not need the account (be sure to update /etc/cron.hourly because it looks for the user "news"). Also, make sure you remove the "ftp" account because this is the account used for anonymous FTP.
Create the file /etc/issue. This file is an ASCII text banner that appears for all Telnet logins.
It is recommended that you use TCP Wrappers. TCP Wrappers, although it does not encrypt, does log and control who can access your system. It is a binary that wraps itself around inetd services, such as Telnet or FTP. With TCP Wrappers, the system launches the wrapper for inetd connections, logs all attempts, and then verifies the attempt against an access control list. If the connection is permitted, TCP Wrappers hands the connection to the proper binary, such as Telnet. If the connection is rejected by the access control list, the connection is dropped.
Fortunately for Linux users, TCP Wrappers is already installed; you only need to edit the /etc/hosts.allow and /etc/hosts.deny files. The syntax is relatively simple. Put the IP addresses or networks in the file /etc/hosts.allow that you want to permit connections from. Put IP addresses or networks in the file /etc/hosts.deny that you do not want to permit access from. By default, Linux allows connections from everyone, so you need to modify these files.
The following sample /etc/hosts.allow file allows a few services from specific hosts.
# Allow a few things
sshd:ALL
ALL:10.0.0.0/255.255.255.0
ALL:10.0.1.0/255.255.255.0
ALL:10.0.10.0/255.255.255.0
ALL:10.0.43.0/255.255.255.0
ALL:10.0.69.0/255.255.255.0
ALL:192.168.43.40/255.255.255.248
ALL:127.0.0.1/255.0.0.0
This /etc/hosts.deny file denies everything not allowed by /etc/hosts.allow.
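To check an access-control list before relying on it, the following added example (not from the original text) simulates the TCP Wrappers decision for a daemon and client address: rules in hosts.allow are tried first, then hosts.deny, and a client matched by neither file is permitted. The embedded hosts.allow and hosts.deny contents are constructed samples in the daemon:client syntax shown above.

```python
import ipaddress

# Constructed sample files: a trimmed hosts.allow in the style above and a
# hosts.deny that rejects everything hosts.allow did not permit.
HOSTS_ALLOW = """
# Allow a few things
sshd: ALL
ALL: 10.0.0.0/255.255.255.0
ALL: 192.168.43.40/255.255.255.248
ALL: 127.0.0.1/255.0.0.0
"""
HOSTS_DENY = "ALL: ALL\n"


def _client_matches(pattern, client_ip):
    """Match one client pattern: ALL, a single IP, or net/mask (dotted mask)."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # strict=False lets 127.0.0.1/255.0.0.0 stand for 127.0.0.0/8
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)


def _file_matches(text, daemon, client_ip):
    """True if any non-comment 'daemon_list : client_list' rule matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        fields = line.split(":")
        daemons, clients = fields[0].strip(), fields[1].strip()
        daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
        client_ok = any(_client_matches(c.strip(), client_ip) for c in clients.split(","))
        if daemon_ok and client_ok:
            return True
    return False


def access_allowed(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow wins, then hosts.deny; no match in either file means allow."""
    if _file_matches(allow, daemon, client_ip):
        return True
    if _file_matches(deny, daemon, client_ip):
        return False
    return True
```

Point the allow and deny arguments at the real files' contents to audit a production configuration; an empty hosts.deny reproduces the permissive default the text warns about.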