LinuxQuestions.org

Vrajgh 12-02-2007 05:56 AM

Security update and hardware: To Slackware or not to Slackware...
 
I'm strongly considering switching my home desktop PC over to Slackware and could do with some advice to make sure that I know what I'm getting into.

Background
My first experiments with linux some years ago were with "Vector Linux" (a Slackware derivative) which I chose at the time because it is aimed at older hardware and came on a single CD (I was on dial-up at the time.) Vector served me very well for the educational experience until I trashed my system (a nasty accident with a shell script run as root, containing something a bit like "rm -Rf /", you don't want to know... although perhaps that was the most important lesson!)

After that I went through the "Linux from Scratch" book and learned a great deal more. I ran the resulting BLFS system for a couple of years without any problems and really got to know what was going on. I then came to upgrade my PC and no longer had the time or the inclination to go through the "from scratch" process all over again. I installed a flavour of ubuntu about a year ago and enjoyed it for a while. It certainly did what I needed; it gave me a working system without installing every linux program under the sun but also allowed me to install a wide range of extra packages so that I could get on with work that I needed my PC for.

Over time, however, I've fallen a little out of love with ubuntu. My general approach to running my system is "if it ain't broke don't fix it." I spend the time tweaking ubuntu to make the system more like I want it and then an upgrade comes out and I have to start again. The first upgrade I did was remarkably easy but since then they have appeared less and less robust, suffering from glitches preventing various things from working properly without intervention. I've started to feel that lack of control inherent in using such a distribution. I haven't even upgraded to the 7.10 version because ubuntu appears to be going in a direction that isn't compatible with what I want out of *my* desktop.

So, to slackware. Every time I have distribution woes, slackware seems to catch my eye. Simple things like the BSD style init scripts appeal, the reputation for stability and control too. All this sounds like sound reasoning for experimenting with slackware in the near future.

Questions start here...
After this long background essay, the questions I have are actually relatively simple:
1) Once the system is installed from whatever CD/DVD method I choose, do I then need to install the packages from the "patches" section of the ftp site in order to get up to date with security issues? If I choose not to install one of the extra package managers will subscribing myself to the security mailing list (and acting on the advice) be sufficient to keep me out of trouble?

2) I'm likely to compile my own kernel in order to get the rt2500 wifi module to work. To get the nvidia driver to work, do I just follow the steps on nvidia's website or is there a more Slackware-oriented way to do it?

Hangdog42 12-02-2007 06:11 AM

My personal choice for keeping my Slackware systems patched is slackpkg, which is in the extras directory of Slackware. If you point it at the stable branch (NOT current), and run it when needed, it works well.

hitest 12-02-2007 08:26 AM

I highly recommend Slackware. Like you I've run a number of distros over the years, but, I always come home to my favourite.
I've just finished a week long experiment running Debian Lenny on my main work station. There's nothing wrong with Debian, I do have one Debian 4.0r1 box at home. But, it isn't Slackware. I'm currently re-installing Slack 12 on my main work station.
It is good to be home:-)

jong357 12-02-2007 09:19 AM

While updating packages with security fixes is good practice in general, I really find it to be unnecessary actually.. Usually hiding behind a router is sufficient enough to keep you out of trouble security wise. That and keeping as many services off as possible. I haven't installed a firewall or run updates on windows for 3 years or more without incident. On linux, you're 100 times less likely for anything to happen than you are on Windows. Not interested in a debate about my above statements just in case anyone is thinking about it... ;) That's just my preference.

I typically just do a fresh install of a newly released Slackware when it comes out and that's it. I don't even upgrade the stock kernel anymore unless I need some extra support that the stock one doesn't have.

Up to you. But yea. Keep an eye on the Security Updates yourself and 'upgradepkg' when necessary. And there are automated procedures as mentioned above but I've seen those cause a world of trouble in the past. I'd prefer a hands-on approach personally.

I think most people arrive at a crossroads where you are now and Slackware or one of the 3 major BSDs is where you'll end up for good. Nvidia driver should install without incident. Just download the .run file from their web site and run it at the init3 command prompt before you 'startx'. Change your driver line in xorg.conf and that's that. I think the nvidia install process will even do it for you if you want.

hitest 12-02-2007 09:49 AM

I'm just finishing up patching my shiny new install of Slackware 12.0; I just finished downloading all of the security patches that are available that I want from the friendly Utah Slackware mirror (they have kicking download speeds).
Then all you need to do to install all of them at once is issue one command at a root shell prompt:

#upgradepkg *.tgz

And that is it:-) My Slack box is happily chugging away now upgrading all security patches:-)
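
An added example, not part of the post above: a check to run on the downloaded patches before `upgradepkg *.tgz`. It assumes the mirror's patches directory ships a `CHECKSUMS.md5` with lines of the form `<md5>  ./packages/<file>` and a detached signature `CHECKSUMS.md5.asc`; the function names and the sample package names are hypothetical.

```shell
#!/bin/sh
# MD5 alone only catches corrupt downloads. Authenticate the list itself first:
#   gpg --verify CHECKSUMS.md5.asc CHECKSUMS.md5
# then upgrade only when every package verifies:
#   verified_packages . CHECKSUMS.md5 >/dev/null && upgradepkg *.tgz

# verified_packages DIR CHECKSUMS
# Prints the path of every *.tgz in DIR whose digest matches CHECKSUMS.
# Reports mismatched or unlisted packages on stderr and returns 1 if any exist.
verified_packages() {
    vp_dir=$1; vp_sums=$2; vp_bad=0
    for vp_pkg in "$vp_dir"/*.tgz; do
        [ -e "$vp_pkg" ] || continue
        vp_name=$(basename "$vp_pkg")
        # Expected digest: the list line whose path ends in this file name.
        vp_want=$(awk -v n="$vp_name" \
            '{ f = $2; sub(/.*\//, "", f); if (f == n) { print $1; exit } }' "$vp_sums")
        vp_have=$(md5sum "$vp_pkg" | awk '{ print $1 }')
        if [ -n "$vp_want" ] && [ "$vp_want" = "$vp_have" ]; then
            echo "$vp_pkg"
        else
            echo "NOT VERIFIED: $vp_name" >&2
            vp_bad=1
        fi
    done
    return "$vp_bad"
}

# Constructed sample: one intact package, one altered, one missing from the list.
demo() {
    d=$(mktemp -d)
    printf 'intact'  > "$d/aaa-1.0-i486-1_slack12.0.tgz"
    printf 'altered' > "$d/bbb-1.0-i486-1_slack12.0.tgz"
    printf 'extra'   > "$d/ccc-1.0-i486-1_slack12.0.tgz"
    {
        echo "MD5 message digest (constructed sample list)"
        echo "$(md5sum "$d/aaa-1.0-i486-1_slack12.0.tgz" | awk '{ print $1 }')  ./packages/aaa-1.0-i486-1_slack12.0.tgz"
        echo "00000000000000000000000000000000  ./packages/bbb-1.0-i486-1_slack12.0.tgz"
    } > "$d/CHECKSUMS.md5"
    verified_packages "$d" "$d/CHECKSUMS.md5"
}
```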

H_TeXMeX_H 12-02-2007 09:49 AM

I had a strange dream last night and through it I came to the realization that if you want a stable system you must NOT upgrade everything, only in the case of security issues and never something major. It makes sense. Now I understand why Slackware is so stable and secure. This I think is a major thing that separates Slackware from other distros. For example, Ubuntu, Gentoo, FC, and many other mainstream distros upgrade things as soon as they come out, and later they realize that one thing breaks another and yet another breaks another, and then the system goes down. Debian is an exception, along with a few others in that they don't quite rush to be at the bleeding edge. So, that's also a reasonable choice. But, Slackware helps you learn Linux a lot better than other distros, and the BSD-style init scripts make it very easy to understand what happens in part of the boot-up process and to customize it. I personally don't like package managers with dependency management, because they cause more problems than they solve (at least from my experience). However, you could use slapt-get if you want a better package manager.

Security-wise, remember to install updates when they come out, get an 'rc.firewall' script up and running, add a user other than root and don't run dangerous things as root, and disable processes that don't need to be up and are using or listening on external ports. That's pretty much what I do, and I haven't been haxxored yet. There's also rkhunter to check for rootkits.

Hangdog42 12-02-2007 11:31 AM

Quote:

Security-wise, remember to install updates when they come out, get an 'rc.firewall' script up and running, add a user other than root and don't run dangerous things as root, and disable processes that don't need to be up and are using or listening on external ports. That's pretty much what I do, and I haven't been haxxored yet. There's also rkhunter to check for rootkits.

Good advice. May I also add that installing a file integrity checking system like Aide or Samhain allows you to figure out what has been compromised if the worst does occur.

hitest 12-02-2007 11:57 AM

Quote:

Originally Posted by H_TeXMeX_H (Post 2977546)
I had a strange dream last night and through it I came to the realization that if you want a stable system you must NOT upgrade everything, only in the case of security issues and never something major. It makes sense. Now I understand why Slackware is so stable and secure. This I think is a major thing that separates Slackware from other distros. For example, Ubuntu, Gentoo, FC, and many other mainstream distros upgrade things as soon as they come out, and later they realize that one thing breaks another and yet another breaks another, and then the system goes down. Debian is an exception, along with a few others in that they don't quite rush to be at the bleeding edge. So, that's also a reasonable choice. But, Slackware helps you learn Linux a lot better than other distros, and the BSD-style init scripts make it very easy to understand what happens in part of the boot-up process and to customize it. I personally don't like package managers with dependency management, because they cause more problems than they solve (at least from my experience). However, you could use slapt-get if you want a better package manager.

Security-wise, remember to install updates when they come out, get an 'rc.firewall' script up and running, add a user other than root and don't run dangerous things as root, and disable processes that don't need to be up and are using or listening on external ports. That's pretty much what I do, and I haven't been haxxored yet. There's also rkhunter to check for rootkits.

Good advice, H_TeXMeX_H:-)
Just finished setting up my new Slackware system. I also downloaded rkhunter 1.3.0 from Sourceforge.net. Scanned my system, all clean.

Tinkster 12-02-2007 01:43 PM

Quote:

Originally Posted by Vrajgh (Post 2977397)
1) Once the system is installed from whatever CD/DVD method I choose, do I then need to install the packages from the "patches" section of the ftp site in order to get up to date with security issues? If I choose not to install one of the extra package managers will subscribing myself to the security mailing list (and acting on the advice) be sufficient to keep me out of trouble?

Works for me. That, and the fact that Slack's defaults are far
more sane than those of any of the "friendly" distros.

Quote:

Originally Posted by Vrajgh (Post 2977397)
2) I'm likely to compile my own kernel in order to get the rt2500 wifi module to work. To get the nvidia driver to work, do I just follow the steps on nvidia's website or is there a more Slackware-oriented way to do it?

Perfectly sane, works a treat. Use Pat's .config for the
generic kernel as the base, and then happily chip away on
it 'til you have what suits you best :}



Cheers,
Tink

Tinkster 12-02-2007 01:47 PM

Quote:

Originally Posted by jong357 (Post 2977525)
While updating packages with security fixes is good practice in general, I really find it to be unnecessary actually.. Usually hiding behind a router is sufficient enough to keep you out of trouble security wise. That and keeping as many services off as possible. I haven't installed a firewall or run updates on windows for 3 years or more without incident. On linux, you're 100 times less likely for anything to happen than you are on Windows. Not interested in a debate about my above statements just in case anyone is thinking about it... ;) That's just my preference.

That attitude is the first step on the way to being
rooted... How is your router/firewall going to stop
an exploit in firefox? Or if you happen to run any
service like smtp or http open to the great unwashed,
will your router do deep packet inspection, and protect
you from Layer-7 attacks?

And feel free not to discuss this, but I think that readers
need to be warned, and am most happy to ignore your lack of
interest in a discussion, and post my view on the matter anyway.



Cheers,
Tink

shadowsnipes 12-02-2007 04:38 PM

Yes, security should always be a multi-layered approach from networks, applications, system, and most importantly the user.

Sure Slackware is definitely more stable and secure than most other distros by default, "but you are only as strong as your weakest link" (usually that seems to be the user).

I think joining the security mailing list is a good idea. Even if you don't use (or have installed) the software that is patched you at least have an idea of what's going on. Bookmark the server of your choice because ftp.slackware is usually slow.

I keep all my packages separated by Slackbuilds, OfficialSlackPackages, etc. When I need to install or upgrade a system I can just use them straight up.

jong357 12-02-2007 11:36 PM

Quote:

Originally Posted by hitest (Post 2977635)
downloaded rkhunter 1.3.0 from Sourceforge.net. Scanned my system, all clean.

Of course it was. ;)

Quote:

Originally Posted by Tinkster
That attitude is the first step on the way to being
rooted...

4 years of running as root 24/7 and nothing so far.

Quote:

Originally Posted by Tinkster
How is your router/firewall going to stop
an exploit in firefox?

That is one thing I religiously update. I run my own gnome build and firefox is included in the line up. I'm quicker to update than Pat is.

Quote:

Originally Posted by Tinkster
Or if you happen to run any
service like smtp or http open to the great unwashed,
will your router do deep packet inspection, and protect
you from Layer-7 attacks?

Quote:

Originally Posted by jong357 already said
That and keeping as many services off as possible.

Code:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-03 00:32 EST
Warning:  OS detection for 127.0.0.1 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on darkstar.example.net (127.0.0.1) are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 5.815 seconds

Might I suggest you install f-prot antivirus on your system as well?

Yes, I agree. Users should be warned. Yes, I'm being stupid by running as root. Yes, I'm complacent with security updates. But if someone finds a way to exploit me because of an old png version then so be it. Chances of that happening are slim indeed. In 6 to 8 months I'll be caught up because of the new Slackware version that I install.

Hangdog42 12-03-2007 07:28 AM

Quote:

But if someone finds a way to exploit me because of an old png version then so be it.

So do I now have permission to forward all the spam I get to you? Crackers live for computers like yours. Old, unpatched security holes make for easier pickings.

Quote:

4 years of running as root 24/7 and nothing so far.

That and $10 will get you a cup of Starbucks.

cwwilson721 12-03-2007 08:20 AM

Quote:

Originally Posted by Vrajgh (Post 2977397)
...2) I'm likely to compile my own kernel in order to get the rt2500 wifi module to work. To get the nvidia driver to work, do I just follow the steps on nvidia's website or is there a more Slackware-oriented way to do it?

Nvidia is dang easy.
  1. Get the source from nvidia
  2. Run 'xorgsetup' as root. That will get you a bare bones x setup going
  3. Make sure the kernel sources are installed (If using the huge kernel from the install, make sure that the smp kernel source is installed)
  4. Backup your /etc/X11/xorg.conf just in case
  5. Run the Nvidia installer as root or su to root at a cli, no xwindows server running
  6. Answer 'no' to the question about 'Do you want a module downloaded'
  7. Run xwindows
Looks long and hard, but it is VERY easy.

There's a lot more detail in my DRI link in my sig.

hitest 12-03-2007 08:25 AM

Quote:

Originally Posted by jong357 (Post 2978117)
Of course it was. ;)

Sarcasm?:)
Well, my box is as secure as I can make it with all of the latest security patches. I run my unit as a regular user. I try to practice safe surfing:-)
I love Slackware.:cool:


All times are GMT -5.