LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Slackware This Forum is for the discussion of Slackware Linux.

Old 05-15-2004, 06:58 PM   #91
brm
LQ Newbie
 
Registered: Apr 2004
Posts: 18

Rep: Reputation: 0

shilo, Systematic:

You're absolutely right. Searching some Slack tips&tricks sites I have found a lot of different howtos with a lot of differences between each other. The result is, that I don't know what things are really the must and what is the right order to do them.

I even didn't find an answer to my basic question. When I boot my machine for the first time after installation, is it opened or not? (if I switched off starting of services like httpd, sendmail, etc. during installation). I assume that it is somehow vulnerable...

Isn't then the right way not to configure network during installation? I mean something like this:
1.) install Slackware (do not configure network)
2.) boot the machine and secure it = start firewall with simple rule: drop everything
3.) configure network
...
x.) open port number 80
y.) download updates
...

Of course, this has no sense, if you use external router/firewall. I don't
 
Old 05-15-2004, 07:39 PM   #92
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
Hi brm,

Unless you're planning to use your box as a web server, then of course you don't have to open port 80. Otherwise, your scheme seems good to me. However, if you have every service switched off, it should be no problem to have your network configured and up.

A very simple firewall would be

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

However, this would make your computer pretty useless for connecting to the internet. Add an OUTPUT rule or two:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ! INVALID -j ACCEPT

This accepts everything over the local interface, and everything but invalid packets bound for the outside world. Now, add an INPUT rule:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

This lets in anything which is related to a connection that you've set up, but it won't accept incoming connection attempts. If you want to accept incoming connections to some server, i.e. if you let in NEW packets, the following rule is nice:

iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

This rule kills packets that are new but don't have the SYN bit set; nmap ACK scans, for instance.

Well, quick and crude, but it works.

<EDIT>
This is probably useful too

iptables -A INPUT -i lo -j ACCEPT

Put it at the top of the INPUT chain.
</EDIT>



Last edited by Bebo; 05-16-2004 at 05:15 AM.
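The rules above are spread over the post and its EDIT, and the order they are loaded in matters (the loopback rule has to sit at the top of INPUT, and the "NEW without SYN" drop has to come before any rule that accepts NEW packets for a server). Here they are assembled into one script. This is an added example, not Bebo's or shilo's own script; it assumes eth0 is the outside interface as in the post, uses the newer `! --state INVALID` spelling of the negation (current iptables warns about the `--state ! INVALID` form used in the post), and reads the binary from `IPT` so you can set `IPT=echo` to see what would be loaded without being root.

```shell
#!/bin/sh
# Added example: Bebo's "quick and crude" firewall assembled in load order.
# Assumptions (not from the post): IPT selects the binary, IFACE the outside
# interface. Run as root to apply; run with IPT=echo to just print the rules.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"

crude_firewall() {
    # Default policies first: anything not explicitly accepted is dropped.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP

    # Flush so re-running the script does not append duplicate rules.
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
    "$IPT" -F FORWARD

    # Loopback at the top of INPUT (Bebo's EDIT); local services break without it.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # NEW tcp packets that are not SYN are dropped before any server rule can
    # accept them, which is what stops ACK-style probes from getting through.
    "$IPT" -A INPUT -i "$IFACE" -p tcp ! --syn -m state --state NEW -j DROP
    # Replies to connections this box started come in; unsolicited NEW does not.
    "$IPT" -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: everything on loopback, everything except INVALID to the outside.
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A OUTPUT -o "$IFACE" -m state ! --state INVALID -j ACCEPT
}

# open_tcp_port PORT: only needed when this box actually serves something
# (port 80 for a web server, as the thread discusses). Appended after the
# "NEW without SYN" drop, so only real connection attempts reach it.
open_tcp_port() {
    "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    crude_firewall
fi
```

Run `sh firewall.sh apply` as root to load it, or `IPT=echo sh -c '. ./firewall.sh; crude_firewall'` to review the rule list first. Nothing here persists across reboots; on Slackware the usual place to call it is /etc/rc.d/rc.local.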
 
Old 05-15-2004, 08:12 PM   #93
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
brm-

I want to expand a little on a comment that Bebo has made. He stated that you do not need to open up port 80 unless you are running a web server. He's exactly right.

A lot of beginners are confused by what we call "client-server" relationships. You do not need port 80 open to surf the web. You need port 80 open to serve to the web. You don't need a mail server to receive mail, you don't need a ssh server to ssh into another box, you don't need an ftp server to use ftp.

Here's the quick and dirty. Log in as root. Type
Code:
nmap localhost
You are gonna see all of your open ports. Want to close them? Open up /etc/inetd.conf and put a # symbol in front of every line. Now reboot. When you get back up, try nmap localhost again. Should have fewer open ports. How about closing the rest? At a console, type:
Code:
ls  /etc/rc.d/
If your setup is like mine, some of the names are gonna come up green. For every green name that starts a service you don't want running, type:
Code:
chmod -x /etc/rc.d/name_of_green_file
Be careful which ones you choose. Some of the rc files are required for your computer to even boot. Reboot. Run nmap localhost again, kill more processes. Repeat. Soon, you will have no services running.

You'll want to be careful with all of that. Maybe just run nmap and post the results. We can probably tell you how to shut all of the services down.
 
Old 05-15-2004, 08:31 PM   #94
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
Well, the ones that have something to do with servers listening for incoming connections are... Let's see... OK, these:

rc.atalk
rc.bind
rc.cups
rc.httpd
rc.inetd
rc.ip_forward
rc.lprng
rc.mysqld
rc.nfsd
rc.portmap
rc.samba
rc.sendmail
rc.sshd
rc.yp

I'm not sure about CUPS and lprng, though. CUPS can be configured to listen locally only, and lprng I really don't know where it listens. They are printer servers, so you should choose one of them if you want to be able to print.

inetd can be a good thing, maybe, if you want to run some servers listening for remote connections (as opposed to "local", i.e. coming from the box itself). inetd listens for connections in the other server's place, and starts them if a connection request is received. However, I've read in a few places that sshd can take care of itself and should not be started through inetd.

You should definitely not chmod -x rc.0 rc.6 rc.S rc.M rc.K rc.modules. That may be true also for rc.font and rc.keymap, as it might put you in keyboard troubles.
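shilo's "look for the green names in /etc/rc.d and chmod -x the ones you don't want" procedure, combined with Bebo's two lists (the scripts that start network listeners, and the ones that must never be disabled), can be put into a small script so the boot-critical files are never touched by accident. This is an added example, not shilo's guide or Bebo's code; `RCDIR` is an assumption so it can be tried against a scratch directory first, and rc.4 is included in the protected list because of the remark later in the thread.

```shell
#!/bin/sh
# Added example: audit and disable Slackware rc.d service scripts.
# Assumption: RCDIR defaults to /etc/rc.d; point it elsewhere to test.
RCDIR="${RCDIR:-/etc/rc.d}"

# Scripts Bebo lists as starting servers that listen for incoming connections.
NETWORK_SERVICES="rc.atalk rc.bind rc.cups rc.httpd rc.inetd rc.ip_forward rc.lprng rc.mysqld rc.nfsd rc.portmap rc.samba rc.sendmail rc.sshd rc.yp"

# Never chmod -x these: needed to boot, change runlevels, or keep the console usable.
PROTECTED="rc.0 rc.4 rc.6 rc.S rc.M rc.K rc.modules rc.font rc.keymap"

# in_list NAME "LIST": 0 if NAME is a word of LIST.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print every executable rc.* script, one per line (the names ls shows in green).
list_enabled() {
    for f in "$RCDIR"/rc.*; do
        [ -x "$f" ] && basename "$f"
    done
    return 0
}

# Print the enabled scripts that start a network listener: the chmod -x candidates.
list_enabled_servers() {
    list_enabled | while read -r name; do
        in_list "$name" "$NETWORK_SERVICES" && echo "$name"
    done
    return 0
}

# disable_service NAME: remove the execute bit from one script.
# Returns 2 and does nothing for a protected script, 1 if it does not exist.
disable_service() {
    if in_list "$1" "$PROTECTED"; then
        echo "refusing to disable boot-critical $1" >&2
        return 2
    fi
    [ -e "$RCDIR/$1" ] || return 1
    chmod -x "$RCDIR/$1"
}
```

`list_enabled_servers` tells you what nmap localhost is likely to show after the next reboot; `disable_service rc.inetd` is the scripted form of shilo's chmod step. Run nmap localhost again afterwards, as the post says, to confirm the listener is actually gone.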
 
Old 05-15-2004, 08:38 PM   #95
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Just finished the mail server section. you can check it out at http://shilo.is-a-geek.com/slack/sendmail18.html .
 
Old 05-15-2004, 08:53 PM   #96
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
The guide is vewy, vewy nice

A comment on the ssh section: as a default, the ssh daemon is configured to use ssh protocol version 1 as a fall-back if version 2 doesn't work. You can see this in /etc/ssh/sshd_config, on the Protocol line. Now, version 1 has some security issues so it should not be used. And in any case it's old, so it's almost never used (except for attacks?). So, remove the # in front of the Protocol line, and then let it just say

Protocol 2

Then restart the ssh daemon.

<EDIT>
No, I got to go to bed now - it's 4 am... See ya tomorrow!
</EDIT>

Last edited by Bebo; 05-15-2004 at 08:55 PM.
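The Protocol change Bebo describes is a one-line edit, but it is easy to leave the line commented out, in which case sshd keeps its 2,1 fallback. The functions below check what an sshd_config actually pins and rewrite the line the way the post says. Added example, not Bebo's or the guide's code; it takes the config path as an argument so it can be tried on a copy, and it treats "2,1" as the effective value when no uncommented Protocol line exists, which is the fallback the post describes.

```shell
#!/bin/sh
# Added example: check and enforce "Protocol 2" in an sshd_config.
# Assumption: FILE is passed explicitly (e.g. /etc/ssh/sshd_config or a copy).

# Print the effective Protocol value: the last uncommented Protocol line,
# or "2,1" (the fallback the post describes) when none is set.
ssh_protocol_setting() {
    val="$(sed -n 's/^[[:space:]]*Protocol[[:space:]]\{1,\}//p' "$1" | tail -n 1)"
    echo "${val:-2,1}"
}

# Succeed only when the config allows protocol 2 and nothing else.
ssh_protocol2_only() {
    [ "$(ssh_protocol_setting "$1")" = "2" ]
}

# Rewrite the (possibly commented) Protocol line to "Protocol 2";
# append one if the file has no Protocol line at all.
enforce_protocol2() {
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*Protocol[[:space:]]' "$1"; then
        sed 's/^[[:space:]]*#\{0,1\}[[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        echo "Protocol 2" >> "$1"
    fi
}
```

After `enforce_protocol2 /etc/ssh/sshd_config`, restart sshd as the post says; `ssh_protocol2_only` can then be dropped into a nightly check so a later package upgrade that reinstalls the stock config does not silently bring the fallback back.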
 
Old 05-15-2004, 08:55 PM   #97
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Sweet. If you don't mind, I'm gonna add that to the ssh section.
 
Old 05-15-2004, 09:14 PM   #98
Systematic
Member
 
Registered: May 2004
Location: Mechanicsburg, PA
Distribution: Mainly Slackware, but test run various different distros.
Posts: 77

Rep: Reputation: 15
Shilo.. have an update for you... I just finished installing Dropline Gnome using the dropline installer.. it didn't update xfree and it works perfectly.. It's a snazzy lil update on the plain gnome interface.. it seems to run a little smoother too.. I still like KDE but this isn't bad.. one thing I can't figure out is how to change the size of the icons on the desktop.. cause they are HUUUUGE!!! lol..

but yes dropline does work fine with an ati card (if you have X setup properly before you install dropline!!!)
 
Old 05-15-2004, 09:20 PM   #99
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Sweet. How huge is HUUUUGE? Post a screenshot. And if you've ever used Gnome before, one tip that I have is create a new user and check out what it looks like for him. Since he won't have any config files in his home directory, everything should be stock.
 
Old 05-15-2004, 09:24 PM   #100
Systematic
Member
 
Registered: May 2004
Location: Mechanicsburg, PA
Distribution: Mainly Slackware, but test run various different distros.
Posts: 77

Rep: Reputation: 15
Good idea.. I'll try that one and see what's up.. screenshot coming soon..



screenshot
http://www.netrox.net/~mjramr/Screenshot.jpg


BAH!!! I spoke too soon on the perfectly working part.. I get a weird error that doesn't seem to do anything but annoy me when I log in to gnome..

Code:
Error activating XKB configuration.
Probably internal X server problem.

X server version data:
The X.Org Foundation
60700000

If you report this situation as a bug, please include:
- The result of xprop -root | grep XKB
- The result of gconftool-2 -R /desktop/gnome/peripherals/keyboard/xkb

Last edited by Systematic; 05-15-2004 at 09:36 PM.
 
Old 05-16-2004, 03:55 AM   #101
brm
LQ Newbie
 
Registered: Apr 2004
Posts: 18

Rep: Reputation: 0
Thanks to all for very useful comments on security. Maybe I am a bit paranoid. I just wanted to be sure about this before I start with linux again. Now I should download slack-current and start to play this game.

I'll try to make it step by step following your guide, shilo. I will then give you some feedback
 
Old 05-16-2004, 05:14 AM   #102
atko
Member
 
Registered: Feb 2003
Location: UK
Distribution: Currently Fedora Core 3
Posts: 136

Rep: Reputation: 15
I would recommend adding a ebook (PDF) to your site with a note simply saying if you would rather view this site offline and print out at your leisure download the entire site here. Something like that would be great. Thanks anyway whatever you decide to do, it is a great post and your site is even better. By the way, any chance of adding a bit on connecting a broadband connection in Slackware. I am currently trying to do this at the moment after installing Slackware and cannot get it to work. I have tried checking out other posts with similar probs but calling up ifconfig just reports localhost only and does not obtain an IP address. Thanks again, anyway.

Last edited by atko; 05-16-2004 at 05:19 AM.
 
Old 05-16-2004, 06:08 AM   #103
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
Hello again, shilo

I've just made a thorough read of your guide, and I'm really impressed. I have some comments, though; maybe it seems massive, but it's just some friendly remarks


Throw in Some Nvidia Drivers

The paragraph in the ATI subsection right above the three modprobe's is a bit, well, strange. Also, I can tell you that ATI's driver for Radeon Mobility 9000 works nicely with kernel 2.6.x for me. But that might be that one driver, I don't know. I've not dared trying to use XFree 4.4, so that I don't know anything about. I remember having troubles before the 4.3 supporting version was released, though.


Moving on to Dropline

I really think you should point out that Dropline is definitely not necessary, especially if you plan to use some other window manager (i.e. Fluxbox, XFCE) or desktop environment (KDE). Moreover, Dropline is not easy to get rid of once it's installed and if you try it you might mess up your system quite badly. I have succeeded twice in removing Dropline (see my posts here) but it was not obvious. I think a warning would be a Good Thing.


Time for a New Kernel

The symlink to /usr/src/linux does not have to be changed every time you upgrade your kernel, and some say that you should not do it. There is a discussion in the Kernel Compile Guide for 2.6.0 thread, starting at post 89 and going on to (at least) post 115. I have skipped changing the symlink my last ten upgrades or so without problems. The only thing was when I had to recompile the nVidia driver(s) - that installer needs to find the current kernel on your box, and it is looking for it in /usr/src/linux. Here the symlink is good. However, the conclusion in that discussion seems to be that it doesn't matter for Slack, so it might be a non-issue.


SSH, be vewy,vewy, quiet

Oh, I see that you have included my comment about Protocol 2; nice. I don't know, but is it worth pointing out that some might have problems with this if they use a really old ssh version? Perhaps not, in that case they just got to upgrade!


Make it Scream/Get Things Crankin'

OK, first, this section has two names. Next, should people really chmod -x rc.0 rc.4 rc.6 and so on, as I remarked above? It might get difficult


Slack-a-Mania

I couldn't find www.linuxpackages.net on your list there. That's a nice place. Also, I have another link for you: www.slackcare.com


Cheers!
 
Old 05-16-2004, 12:50 PM   #104
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Systematic-

Not to worry, yours is an easy problem. Open up /etc/X11/xorg.conf. Find the section that looks like this
Code:
#    Option "XkbDisable"

    Option "XkbRules"	"xfree86"
    Option "XkbModel"	"itouch"
    Option "XkbLayout"	"us"
and turn it into this
Code:
#    Option "XkbDisable"

    Option "XkbRules"	"xorg"
    Option "XkbModel"	"itouch"
    Option "XkbLayout"	"us"
brm-

Let us know how it goes

Atko-

Yeah, I need to get around to the PDF thing. Any way to easily convert all of my html to PDF? On the broadband issue, I have broadband and Slackware automatically took care of everything for me. I read your other post, and I think that everyone is right about the issue being the USB. I never use USB network adapters since I couldn't get one working with Windows back in the day. Switch over to the Ethernet card and you should be golden.

Bebo-

I'll get to work on all of that except the kernel/symlink. I think people debate too much. You probably don't need the symlink and you probably don't need to copy .config to /boot/config, but the one time that it turns out that you did need those things, it really makes things easy. The people that debate this are usually like, "Hey this is what I did, and my computer's not broke, so it must be the right way."

The tweak section, yeah, I gotta look that over. I was kinda tired and rambled on. Probably the worst section yet.

Thanks for all the advice. Looks right on. Thanks, too, for the links. That slackcare site looks pretty good.

********Edit********
Wow, that section IS confusing in the Nvidia/ATI section. I'm really gonna have to re-write that. Hope dawizman doesn't mind. Also hope I can make it less confusing!!

Last edited by shilo; 05-16-2004 at 12:59 PM.
 
Old 05-16-2004, 01:33 PM   #105
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Original Poster
Rep: Reputation: 50
Systematic-

Just checked out your screen shot. Looks nice. So the icons don't seem to be an issue. I think you have some kind of permissions problem, though. It looks like you don't have permission for your own home directory. Let us know if you need a hand with that.
 