by , 12 March, 2002
They say that patience is a virtue, and in Linux that is especially true. It is easy to fall into the trap of just wanting to throw that CD in, boot-up, and start the install. To do so is almost always a mistake. If you don't know about your hardware, you won't be able to set it up to work properly under Linux.
If you missed the previous installments of this column, then here they are: part 1; part 2
What I'm about to do is to give you a generic set of procedures and suggestions that will work no matter what Linux distribution you decide to install. Or have already installed. :) You'll want to have as much information as possible about your hardware, and your system BIOS settings.
Once you've gathered all this information together, find yourself a notebook and put it in there. This will be your Systems Notebook, and you keep only system-related information in it: hardware details, BIOS settings, what you changed and when. It goes a long way toward keeping things neat, and your sanity intact. :)
There is a lot of friendly debate as to the best way to do things. Actually, there is no one best way to layout your system. What's best is what works for you.
As Laurence said in his review of Red Hat 7.2, a "full-on install it all" approach took almost 3GB. Included in that of course were both KDE and GNOME, as well as things you do not need in a home installation. Even if you have the space to do this kind of an install, I do not recommend it. From a security standpoint it is a disaster waiting to happen on a home system: every package you install that listens on the network is one more thing you have to patch and keep an eye on, and someone new to Linux will not yet know which of them are listening.
No matter which distribution you decide to install, there are some things that have no business on a home workstation unless you have deliberately decided to run a server. Apache, of course. You've really no need for an FTP server either, have you?
So on the initial install try not to select too much: just enough, to the best of your knowledge, to provide a usable system for your needs. Don't install something you reckon you may need a year down the line, when in fact you're extremely likely to reinstall many times before then (an SQL database or two being the perfect example). Some distributions make installation easier for you by providing no package selection at all, whilst others select by default what is commonly needed. It's best to go with the default and add or remove the odd thing here and there as you learn what all those packages do, and why you need or do not need them.
After the install program does its thing, and you've done your initial configuration to have a workable system, the real fun begins. :) If you keep these basic concepts in mind your Linux use will be a much more enjoyable experience:
Laurence: Remember all system-wide configuration files (all text files) are located in the /etc directory, and you need to be the root user to modify them; and all local configuration files (again always text files) are located in your home directory, e.g. /home/laurence. And where applicable, local configuration options take precedence over system-wide options, e.g. what your command-prompt looks like.
If you go to the /etc directory you will find a file named inetd.conf. This is the configuration file for inetd, the "internet superserver": inetd is started at boot by the init scripts, and it then listens on the ports named in inetd.conf and starts the matching service (finger, telnet, ftp, ...) only when somebody connects. So every active line in that file is a port that is open to the network. After making a backup of it (cp /etc/inetd.conf /etc/inetd.conf.orig), load it into your favorite editor. Note that some distributions, Red Hat 7.x among them, use xinetd instead; there each service has its own file under /etc/xinetd.d/, and you disable one by setting "disable = yes" in that file rather than commenting out a line.
In Linux configuration text files, the # symbol denotes the start of a comment that continues to the end of that line, and is ignored for processing. Look for the line for "finger" and put a comment character at the beginning of it, so that inetd no longer offers the service.
Finger is one of those programs that might have made sense 20 years ago but no longer does. It is also a program that every Linux distribution I have tried so far has not only installed, but enabled by default. What does it do? It provides a means for you to publish information about yourself to other people, and it allows other people to query your system for information about its users (their login names, when they last logged in, and whatever is in their .plan files), if it's running. I prefer to decide for myself who does or does not get personal information on me.
systat and netstat (the inetd services of those names, which hand the output of ps and netstat to anyone who connects), telnet, ftp, and tftp (trivial ftp, which needs no password at all) are other areas of concern that should be disabled unless you need them. Telnet and ftp also send your password across the network in the clear.
Basically you should go through this file, and if you see anything you have the slightest suspicion about not being necessary, comment it out, make inetd reread the file with "killall -HUP inetd" (no reboot required), and see if the system still works like it should. "netstat -an | grep LISTEN" will show you which ports are still open. If it does work, leave it out. If it doesn't and you forget what you changed, that's why you made a backup of the original, right? :)
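The procedure above, done the scriptable way, as an added example that is not part of the original column: the functions below comment out the named services in a copy of inetd.conf, refuse to double-comment a line that is already disabled, and list what is still enabled so you can check your work before installing the file. The sample inetd.conf is constructed for the example, and the function names are mine, not anything a distribution ships.

```shell
#!/bin/sh
# Added example, not from the original column: disable unwanted inetd
# services and list what is still enabled. Works on a copy of the file so
# you can review the result before touching /etc/inetd.conf.

# Write a small constructed sample inetd.conf to $1. Assumption: the usual
# layout, where the service name is the first field of every active line.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot
EOF
}

# Comment out every active line whose first field is one of the named
# services. Lines that already start with '#' do not match the pattern,
# so running this twice is harmless. "ftp" does not match "tftp" because
# the pattern is anchored at the start of the line.
disable_inetd_service() {
    file=$1
    shift
    for svc in "$@"; do
        sed "s/^\([[:space:]]*$svc[[:space:]]\)/#\1/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# Print the names of the services still enabled, space-separated, in file
# order (comment lines and blank lines are skipped).
enabled_inetd_services() {
    awk '!/^[ \t]*(#|$)/ { printf "%s%s", (n++ ? " " : ""), $1 }' "$1"
}

# Demo on a scratch copy. On a real system you would run the same functions
# against a copy of /etc/inetd.conf as root, then install it and reload inetd:
#   cp /etc/inetd.conf /etc/inetd.conf.orig
#   disable_inetd_service /etc/inetd.conf finger systat netstat telnet tftp
#   killall -HUP inetd            # reread the file without rebooting
#   netstat -an | grep LISTEN     # confirm the ports are gone
tmpdir=$(mktemp -d)
conf="$tmpdir/inetd.conf"
write_sample_inetd_conf "$conf"
echo "before: $(enabled_inetd_services "$conf")"
disable_inetd_service "$conf" finger systat netstat telnet tftp
echo "after:  $(enabled_inetd_services "$conf")"
```

Leaving ftp enabled in the demo is deliberate, so that the "after" line shows something; on a home workstation you would normally disable it too.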
Three worthy additions from Psionic to aid in securing your system are PortSentry, LogCheck and HostSentry.
PortSentry is the one people compare to ZoneAlarm on the Windows side, but it is not a firewall in the packet-filtering sense. It watches a list of ports that nothing legitimate should be listening on, treats a connection attempt to them as a port scan, and then blocks the scanning host (depending on how you configure it, by adding a dead route for that address, by adding it to /etc/hosts.deny, or by running a command of your choice). LogCheck and HostSentry are also intrusion detection aids, but I will only discuss setting up PortSentry here, as that is the single most useful program you can add: it is easily configured and does not require installation of anything else in order to work correctly.
Some things worth mentioning...
When PortSentry is started with the -tcp flag, it binds to and listens on the ports named in portsentry.conf. That means that all those ports appear to be open to anyone who scans you. Of course PortSentry will block whoever attempts to connect, but to me those apparently open ports are just an invitation to keep trying and probe deeper.
For that reason, I prefer to start PortSentry with the -stcp flag, which starts the stealth mode (available only on Linux, since it uses a raw socket to watch the ports without binding to them). Now the ports do not appear to be open, yet any attempt to connect will still be detected and the source blocked. One caveat before you enable blocking: PortSentry blocks whatever source address the scan appears to come from, and source addresses can be forged, so put your own gateway and DNS server addresses in portsentry.ignore first, or a single spoofed packet can cut you off from your own network.
If you want to see all this in action, and get a quick-and-dirty check of your system before and after PortSentry, go to the "Shields UP!!" site at Gibson Research. You can get a port scan of the usual ports here, that is harmless, but which will test your PortSentry install. It's a really informative site, even if it is oriented toward Windows.
Regardless of which mode is used to start PortSentry, you'll soon notice that your log file, /var/log/messages in my case, is getting filled with a long list of ports that PortSentry is watching. If you just have a dial-up connection like I do, and you start PortSentry on say, a daily basis, that log file will really grow fast. Here's what I did to alter that behavior.
In the file, portsentry_config.h, change the default line:
#define SYSLOG_FACILITY LOG_DAEMON
...to:
#define SYSLOG_FACILITY LOG_LOCAL0
...and recompile. The result will be a PortSentry binary that sends its messages to syslog with the facility local0, instead of the default, daemon. Now you can segregate all PortSentry messages into their own file. In /etc/syslog.conf, add a rule for local0, and append ";local0.none" to the selector of whatever rule already writes /var/log/messages (the exact selector varies by distribution; the one below is Red Hat's). A line containing only "local0.none" does nothing on its own, because the ".none" has to be part of the selector of the rule you want to exclude local0 from:
local0.* /var/log/portsentry
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
Use a tab between the selector and the file name, as some versions of syslogd will not accept spaces there. Then create the file with permissions that keep other users out (touch /var/log/portsentry; chmod 600 /var/log/portsentry) and tell syslogd to reread its configuration with killall -HUP syslogd. "logger -p local0.notice test" should now land in the new file and not in /var/log/messages.
The resulting file, /var/log/portsentry, will contain nothing but PortSentry messages. When it gets too big, truncate it with ": > /var/log/portsentry" rather than rm'ing it: syslogd keeps the deleted file open and keeps writing to it, so the space is not freed and the new file only appears at the next boot or after another killall -HUP syslogd. Better still, add it to your logrotate configuration alongside the other logs.
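The syslog.conf change above, as an added example that is not part of the original column: the function edits a copy of syslog.conf, appends "local0.none" to the rule that writes /var/log/messages only if it is not already there, and adds the local0 rule only if it is missing, so it can be rerun safely. The sample syslog.conf is constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original column: route one syslog facility
# (here local0, as used by the recompiled PortSentry) to its own file and
# keep it out of /var/log/messages. Assumption: classic sysklogd syntax,
# one "selector<TAB>action" rule per line, an optional leading '-' on the
# action meaning "do not sync after each write".

# Write a small constructed sample syslog.conf (Red Hat style) to $1.
write_sample_syslog_conf() {
    {
        echo '# constructed sample syslog.conf'
        printf '%s\t%s\n' '*.info;mail.none;authpriv.none;cron.none' /var/log/messages
        printf '%s\t%s\n' 'authpriv.*' /var/log/secure
        printf '%s\t%s\n' 'mail.*' /var/log/maillog
    } > "$1"
}

# segregate_facility FILE FACILITY LOGFILE
# 1. every rule whose action is /var/log/messages gets ";FACILITY.none"
#    appended to its selector, unless it already has it;
# 2. a "FACILITY.*<TAB>LOGFILE" rule is appended unless one exists already.
# Rules are rewritten with a tab separator, which every syslogd accepts.
segregate_facility() {
    file=$1 fac=$2 logfile=$3
    awk -v fac="$fac" -v logfile="$logfile" '
        BEGIN { have = 0 }
        /^[ \t]*(#|$)/ { print; next }
        {
            sel = $1; act = $NF
            a = act; sub(/^-/, "", a)
            if (a == "/var/log/messages" && index(sel, fac ".none") == 0)
                sel = sel ";" fac ".none"
            if (a == logfile && sel == (fac ".*")) have = 1
            print sel "\t" act
        }
        END { if (!have) print fac ".*\t" logfile }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# selector_for FILE ACTION: print the selector of the rule writing ACTION.
selector_for() {
    awk -v act="$2" '
        !/^[ \t]*(#|$)/ { a = $NF; sub(/^-/, "", a); if (a == act) print $1 }
    ' "$1"
}

# Demo on a scratch copy. On the real system (as root) you would run
# segregate_facility against a backup copy of /etc/syslog.conf, install it,
# create the log file with tight permissions and make syslogd reread it:
#   touch /var/log/portsentry && chmod 600 /var/log/portsentry
#   killall -HUP syslogd
#   logger -p local0.notice "portsentry log test"   # lands in the new file
tmpdir=$(mktemp -d)
conf="$tmpdir/syslog.conf"
write_sample_syslog_conf "$conf"
segregate_facility "$conf" local0 /var/log/portsentry
cat "$conf"
```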
There are other things you could add, such as OpenSSH, a secure replacement for rsh and telnet. But with the unneeded services switched off and PortSentry running, you now have enough to be reasonably secure on a dial-up connection: the important part is the first half, since PortSentry only tells you about scans and blocks the scanner, whereas a port with nothing listening on it cannot be attacked at all.
Just like on the Windows side of things, the key now is to "stay informed" by getting on a mailing list or two. Also, if the distribution you are using has a security mailing list, you should get on it. Alternatively you could visit the LWN Security Alerts archive, which covers thirteen Linux distributions.
If you find out that your distribution has a security fix for a program you use then download and install it. While most of the Linux distributions are pretty good about getting fixes out the door in a timely manner--days instead of weeks--no fix is of any use unless it is installed.
Linux install procedures have improved tremendously in the recent past. Some include all the eye-candy a die-hard Microsoft fan could ever want (as well as easy to follow instructions during each step of installation, improved hardware detection, and more intuitive partitioning tools). But no install procedure is able to correctly setup everything about your system during the install. That's why I've asked you to gather everything together in your System Notebook. :) Readily to hand when it's needed, out of the way when it's not.
Just bear in mind that no matter what you do, unless you keep your system locked up somewhere with no access to the Internet, or any network for that matter, there is no such thing as a perfectly secure machine; the aim is to expose as little as possible and to keep what is exposed patched. This is a given. Any security professional will tell you the same things:
While it may be tempting to just "install it all" because you, "don't know if you need it," it is better to install the minimum necessary, and then add what you need later.
An "Internet Workstation" or "GNOME/KDE Workstation" if you have that option, should give you a fairly good mix of applications to start with. Things like internet client software (to make a connection, surf the web, email, chat, and use the newsgroups), an office suite, multimedia players and a host of simple games. Everything required for everyday desktop use, whilst refraining from installing server software like Apache, that has no place on a workstation.
This series of articles has tried to show that when it comes to security, you are the most important part of that. Not someone off in Redmond, or North Carolina, or Germany, or...
There are numerous books on every aspect of security, covering many operating systems. My aim has not been to compete with these. Space won't allow that.
If I've managed to get you to stop and think about how you do things, and to realize that since it's your system, you are in charge of its security, I'll consider this a success.
There are many aspects of Linux security that were not covered. OpenSSH, OpenSSL, I could go on and on. The things I have discussed are enough to get you started and that is good enough.
Most of all, have fun! :)
Copyright © 1998-2002 Linuxdot.org. Linux ® is a registered trademark of Linus Torvalds.