Building Systems Secure From The Start
Default operating system installs on a server are almost always wrong. Unfortunate, but true. In an attempt to build a generic system that appeals to as many situations as possible, the default install is often overloaded with software that is not necessary, and a filesystem layout that would allow one rogue daemon to fill up the entire drive. This is wrong, but easily remedied. A little extra care during the installation and initial setup of the server will result in a system that is smaller, cleaner, easier to maintain, and more secure than what ships on a default install.
I’ve mentioned before how to setup a filesystem to allow for maximum control and flexibility, so I won’t dive into the details here. Suffice to say that the basic idea is to put as much as possible into a volume manager like LVM, and then give each partition only as much as it needs.