CCP14
Methods, Problems and Solutions
Linux Information for Crystallography
Installing a Redhat 6.0 Linux (Obsolescent - updated by Redhat 6.1) and Win95 Dual Boot System via Local CD-ROM Install on a Generic Desktop PC
The CCP14 Homepage is at http://www.ccp14.ac.uk
Note: As of March 2000, Redhat 6.2 has been released but it took a while to make time to
update the tutorials. Refer to new tutorials on installing Redhat 6.2
unless there is a specific reason you have to use Redhat 6.0 or Redhat 6.1.
Disclaimer
Note: Because of variations in install, multiple toolsets (and never knowing whether
a previous install might have affected the next one), some/all(?) of the following information
might be wrong, and there are probably better methods for doing the following. Keep this in
mind and feel free to think a bit before blindly following the instructions.
Note 2: Redhat has a reputation for loading more than you really need and running
daemons that you may not really need. After installing, doing a security audit and removing
daemons you do not require is pretty much mandatory. Some of this is explained at the end
of this install file. This installation tutorial has been modified to try and make
the installation as hacker-safe as possible, with, by default, no scannable ports open.
Warning: (was advised by local department network support group to insert
the following) In some organisations and departments, installing unauthorized software
or operating systems such as Linux could be a sackable offence. If in doubt, check with
your network support group. Also, take note that some distributions and setup options may
also install software deemed to be "hacker tools". Presence of "hacker tools" on a
computer system could prompt management or criminal action against "offenders".
Backup your old stuff
The following method does the dual boot installation of Linux and Win95 from scratch using
an unpartitioned disk. It is possible to install Linux on an existing Windows system
without destroying the Windows area using FIPS or similar non-destructive repartitioning
software (e.g., Partition Magic). However, implementing that is possibly part of a "future" X
hour hacking session; so we are using the "clean the disk - then install" method here.
"FIPS is a program for non-destructive splitting of harddisk partitions" -
FIPs Webpage at: http://www.igd.fhg.de/~aschaefe/fips/
If new to Linux, Expect to Initially Waste a Lot of Time
Like Austin Powers(?), "It's UNIX Baby Yeahhhh!"
Also refer Unix-haters handbook -
http://catalog.com/hopkins/unix-haters/handbook.html
Though one note is that installation of Redhat 6.0 on this desktop was surprisingly slick and easy.
Noting down the PC System Information
Note down all the information on your system including chip-sets, monitor refresh rates, etc.
If Linux makes a wrong choice, or prompts for a decision, you have to give it the
correct information. If you have Win95/Win98 or WinNT installed, you can
gain this information quite easily from the control panel (assuming the PC is
setup with the correct drivers). This also includes all the network information;
IP address, name, domain, gateway/router, NetMask, etc. Too much information
does not hurt, only too little. For network cards and the like, you may have to
go into Win95 or Win98 and get the memory addresses and the IRQs used. You tend to
find out what extra information you need the hard way.
In this case:
- Viglan 300 MHZ Intel Pentium with 128 Meg RAM
- 3COMFast Etherlink XL 10/100 Mb TX Ethernet NIC (3C 905B-TX) on IRQ 9
- ATI Xpert@Work Video Card (ATI 3D RAGE PRO - DirectX) (MACH64 Drivers based for XFree86 Xwindows)
- iiyama 17" MT-9017T video monitor that can do (Frequency: 50/60Hz):
- 1024x768 at 75Hz VESA; 60.02kHz HorizontalFrequency; 75.0kHz Vertical Frequency
- 1280x1024 at 75Hz VESA; 79.98kHz HorizontalFrequency; 75.0kHz Vertical Frequency
- Generic Floppy Disk
- On-board Symbios Logic 875XSID (NCR53c8xx) (hardcopy manual: SYM8751SP) PCI Ultra SCSI host adapter (no devices connected)
- Fujitsu ~8 Gig IDE hard-disk (the SCSI adapter has no drive attached)
- Yamaha OPL3-Sax Sound System
- Atapi CD-ROM: TEAC CD-532E
Either buying or Creating your Own Install CD-ROM
Buying the Redhat CD-ROM would be the easiest option but the following
installation used a home made CD-ROM by downloading the files from an FTP
mirror.
Refer to Redhat Mirrors at http://www.redhat.com/mirrors.html.
If you are working from an academic UK site, the following sites are good:
FTP Load
IP Address = 193.63.255.4
Name = src.doc.ic.ac.uk
/pub/Mirrors/ftp.redhat.com/pub/redhat/current/i386/
or
FTP Load
IP Address = 148.88.2.15 or 148.88.2.11
Name = ftp.mirror.ac.uk
/sites/ftp.redhat.com/pub/redhat/redhat-6.0/i386
(restricted to academic users during normal working hours)
The directory structure of the CD-ROM was as follows (with extras to make it
as freestanding as possible):
- /doc
- /dosutils
- /images
- /linux
- /ranish (freeware Ranish Partition Manager which includes a boot manager)
- /Redhat
- /updates
- Some useful tools are also included like the latest Apache web-server source code, tcl/tk source, etc.
Note: You may not have enough room on the CD-ROM to put all the updated rpms, so you may have to
leave out the ones you don't think you will need.
Deciding now on the partitions
Summary: the old Redhat 5.2 manual recommends you partition the hard-disk into several segments.
You can, if you want, just partition the disk into one large partition that
everything fits into - this can be much simpler but might hurt you
in the future. I prefer to put everything on one partition on a machine where
expanding hard-disk space is not a practical option - thus everything has to fit.
(Please note that decisions made now can cause much pain and gnashing of teeth later).
The documentation with the old Redhat 5.2 manual can be quite
misleading, as if /opt is too small it can hurt you later.
Some rpm binary installs insist on putting programs in
/opt (such as the KDE desktop (http://www.kde.org)) and cannot be redirected elsewhere.
However, KDE now comes native with the Redhat 6.0 distribution so things are far more streamlined.
The following PC is configured to have 3 operating systems, Windows, Linux and FreeBSD.
In principle, if you can set up a dual boot system, then a multiple boot system is a piece
of cake. The main limitation is that on PCs the MBR partition table of each hard-disk can only
hold 4 primary partitions.
- 4 Gig for Win95
- 2 Gig for Linux (as /)
- 150 Meg for Linux Swap Area
- 2.4 Gig for FreeBSD (single BSD Slice)
Obtain the Ranish Partition Manager for DOS and create a Win95 Boot disk
After mucking around with a few utilities, the freeware Ranish Partition Manager for DOS
is a work of genius for managing partitions and boot managing.
Menu driven, it is a breeze to create and delete partitions,
multiple primary partitions, configure the MBR area. It easily will fit on a Windows/DOS
boot floppy with the rest of your boot utilities.
Now before you consider deleting Windows, create a boot disk (format a: /u/s) and copy
over the required utility software.
- Copy over the following to the floppy disk:
- Ranish Partition Manager
- format.com
- fdisk.exe
- edit.com
- sys.com
- xcopy.exe
- xcopy32.exe
- himem.sys
- scandisk.exe
- CD-ROM driver and MSCDEX.EXE
- Anything else you fancy and that will fit.
- Configure the config.sys and autoexec.bat on the floppy so that it
will enable the CD-ROM on bootup; plus himem.sys and any country
specific drivers. Set MSCDEX to use D: drive for the CD-ROM. (We will
be formatting the DOS partition of the hard-disk as C: drive.)
In the case of this PC:
- Note: Having a loaded CD-ROM pointing to C: drive can possibly
stuff up the partitioning process later on; though Ranish Partition
Manager will probably warn you that something is going wrong.
If in doubt, remove the CD-ROM booting from the config.sys and autoexec.bat.
Creating the LINUX Boot Images on Floppy Disk
Using the files located on the Redhat Linux CD-ROM or a mirror,
create the boot image floppies you need depending on how you are installing (local or
network) and hardware type (PCMCIA): boot, bootnet, pcmcia and rescue. You can try
installing direct from the Redhat 6.0 CD-ROM if your system supports
booting from the CD-ROM. Experiences with the Redhat 5.2
These images are generally in the images directory of the media you intend
to install from.
For example, via FTP, Imperial College mirror (choose closest Redhat Linux mirrors via
http://www.redhat.com/mirrors.html or
ftp://ftp.redhat.com/pub/MIRRORS.html
Use rawrite for DOS from the dosutils directory to write the images onto floppy disks. The standard "copy" command will
not work, as these are raw disk images rather than files. Just type rawrite and answer the questions.
Alternatively, if you are already on a LINUX PC, you can use the command:
- dd if=filename.img of=/dev/fd0 bs=1440k
- dd if=bootnet.img of=/dev/fd0 bs=1440k
- dd if=pcmcia.img of=/dev/fd0 bs=1440k
- dd if=rescue.img of=/dev/fd0 bs=1440k
Determine the Install Process/Method you are going to Use
You have a variety of options to install the Redhat 6.0 Linux
distribution. In this case, we are using a CD-ROM. Though a page on
FTP based network installation is also available.
Booting from Your DOS/Windows Floppy Boot Disk, Deleting Existing Partitions and Editing Master Boot Record (MBR) Options
Boot from your DOS/Windows Floppy Boot Disk and run the menu driven Ranish Partition Manager.
- Delete the existing partitions.
- Highlight the MBR (Master Boot Record) and:
- Set the MBR Executable to "Boot Manager"
- Boot Interface type to "Compact"
- Check for Viruses "No" (otherwise you may not be allowed to save to the MBR)
- Boot prompt timeout = "6" is nice?
- Default Boot Choice of "Prompt User"
- Save (F2), then out of habit from using DOS, reboot to the floppy again. This may or
may not be optional.
Booting from Your DOS/Windows Floppy Boot Disk and Creating Partitions
Note: There are many possible permutations and combinations but the following
seems to work for me. Despite the literature, setting active partitions and
boot managers can be quite quirky due to limitations/nuances in PC hardware and the
various pieces of software.
Boot from your DOS/Windows Floppy Boot Disk and run the menu driven Ranish Partition Manager.
- (If you want a nice graphical boot manager, select Text 25x80
under the MBR config, then add a "small" "Boot Manager" Partition (4 Meg) as the first Primary partition
using the INS key (which gives a menu list of the possible file systems that can be added)) and
set this as the Bootable Partition . Then, taking into account the above, continue on with the following.
- In the first "Primary" Partition, create a 4 Gig Windows FAT-32 Partition (when prompted, save
but DO NOT format as results may not be predictable. We use the Windows format.com program later.)
Set this as your default Boot area using the B key. (Don't be too worried at this point if Ranish is
unhappy about not being allowed to format the partition and says the DOS/Windows Boot Sector does not have valid information.
Once it is formatted using the format.com program, it should have valid information).
- In the second "Primary" Partition, create a 130 Meg Linux SWAP area
Partition (when prompted, save)
- In the third "Primary" Partition, create a 2 Gig Linux Partition (this will be "/") (when prompted, save)
- Leave the rest for BSD - though if you wanted a dual boot system, you could use the entire 4 Gig
for Linux.
Formatting the C: Drive - Windows FAT-32
Boot from your DOS/Windows Floppy Boot Disk (the formatting is done from the DOS prompt, not from within Ranish Partition Manager).
- From the floppy disk, type format c: /s and when prompted:
Y - you want to proceed. (/s puts the boot files on the hard-disk)
- Give it a volume name of DOS
- If you want to, you can now install Win95; but I would wait until after getting Linux
happily installed in case some partition nuances (didn't allocate enough space to an
important partition) come to haunt you.
- Take the floppy disk out of the disk drive (to check the boot manager is happy).
- Reboot the PC and you should be given a prompt of HD/1. If you have a Compact boot manager
menu, entering 1 should take you into a command line based Win95/DOS prompt. You
can install the more elaborate boot manager menu described above (the Text
25x80 menu system on startup) if you want to, but I was in a "minimalist" mood on this particular occasion.
The Text 25x80 menu system has since become my favourite.
Also Refer:
- reading linux ext2fs partitions with DOS/Windows
Redhat Linux Install
- Making sure the network is connected and you have all the relevant information
specified above, insert the Redhat Linux boot floppy made from boot.img and reboot.
(bootnet.img is the image for a network install; for this local CD-ROM install use boot.img)
- Redhat Linux will then give you a Welcome to Red Hat Linux screen. As you
want to install, press [ENTER]. In this case, REDHAT detects the hard-disk and
CD-ROM, as well as other peripherals (which is a good sign)
(if you do not get above, but instead get a kernel panic and can't read file system message;
check that you have not accidentally inserted the "Linux Boot (recovery) Disk" you made during
the last attempt to install Redhat Linux before you wiped it)
- When prompted Press OK to continue
- When prompted, choose the language you would prefer to use during
the installation (English seems best for me) Note: Tab toggles between menu
options.
- When prompted, select your keyboard type (in my case, UK)
- When prompted for the Installation Method, choose Local CDROM
- Redhat will then prompt you to make sure the CD-ROM is inserted. Make sure it is then
press OK
- Redhat will then check that the CD-ROM is OK, then will prompt whether you want to install or upgrade.
- When prompted, we want to install a new system, so select Install
- For Installation Class, I tend to go for Custom to get flexibility in
what I want (especially when working on a laptop with limited space, but may want
to use as a server later on). Thus select custom.
- Redhat then scans for SCSI adapters and finds the "NCR 53C8xx PCI" system. When prompted
whether you have any other SCSI adapters, (in this case) select NO and continue on.
- When Prompted for "Disk Setup", I tend to go for Disk Druid though it is
a kludgy program so be wary (but less kludgy than fdisk). Use it by all means, but don't trust it. When in
doubt, delete all partitions and start from scratch; this will also allow you to
have an illusion of power and authority over your computer.
- Now that you are in Disk Druid (assuming you correctly followed the instructions
under "Booting from Your DOS/Windows Floppy Boot Disk and Creating Partitions" in
creating the Windows/DOS partition as well as the Linux swap and Linux primary partitions):
- Edit the DOS partition and give it the name of /dos
- Edit/Add an ~120 Meg Linux Swap file/partition
- Edit/Add the Linux partition as / (root partition - everything goes under here)
- (There are probably other better ways of doing the above but I found it
this is the most flexible for relatively small amounts of disk space)
- After Editing Disk Druid, select OK to continue and then select YES to
save changes to the partition changes.
- When prompted about Active Swap Space, format and check for bad blocks
- Redhat will then start retrieving the base/hdlist. This may take a while.
- When prompted by Partitions to Format, format all and check for bad blocks on all.
- When prompted for packages to Install, in the list of options I tend to go for the KDE desktop but
it is up to you to choose the desktop of your liking (Gnome or KDE). KDE presently seems slicker
and more oriented towards users.
- Change from old documentation for the following - select the extra Extra Documentation
as it may have information required to tighten up on security.
- When prompted for packages to Install, I tend to go for everything except:
- News Server (select this at you own risk
as by default, once installed, your /var/log/messages will be continually trying to tell you of
its progress in trying to contact a news server in Denmark(?) no matter how hard you try to
turn anything to do with news off)
- SMB Samba Server (I like to install this from the latest source myself if I am using this)
- IPX/Netware (no netware stuff here so don't want to try it)
- Anonymous FTP server (if you need an FTP daemon, installing ProFTPD later from scratch is my choice)
- Web Server (if you need a Web Server, installing Apache 1.3.x later from scratch is my choice)
- Postgres (SQL) Server
- Network Management Workstation
- Emacs (I am a "vi" type of person)
- Emacs with X windows (nuff said though this can be quite user friendly if you don't like the UNIX "vi" editor)
- Everything
- (If you are in the mood, you can select and de-select individual packages - but these can be easily
deleted later using the GUI linuxconf manager).
- It can be important to install X development if you are intending to compile some crystallographic programs such as Platon/System S
(I have heard of at least one very intelligent scientist who supposedly went
mad (i.e., crazy, insane) trying to add an X-GUI to his program.
Keep your sanity, just say No! - and port your program to
GUI under MS-Windows where it may actually work properly -
(Refer: http://catalog.com/hopkins/unix-haters/x-windows/disaster.html)
Though the freely available OS independent wxWindows or V++ GUI building kits might be good options to look into).
- Important: to get all the compilers (C, C++ and Fortran), select the
C development, Development Libraries, C++ Development
then at the end, go into Select Individual Packages and select OK,
using the space bar, expand Development/Languages
and manually select egcs-g77 otherwise you will
not have a Fortran 77 compiler for compiling up crystallographic programs.
- Then select DONE to continue.
- If Redhat says there are some Unresolved Dependencies, select "Install packages to satisfy
dependencies".
- Redhat Install might(?) tell you it will be keeping a log of everything in /tmp/install.log With this
reassurance, continue by selecting OK
- Redhat will then format the partitions and install the selected files off the CDROM.
- After ~18 minutes, the install has finished and the Redhat Install announces
it has a "Probe Result" and detected a PS/2 mouse on port psaux.
- Select OK. Confirm the mouse type and if it is only a two button mouse, select
Emulate 3 Buttons (clicking and holding the left mouse button, then clicking the right, will
behave as though you clicked the "middle" paste button); then continue by selecting OK.
- When Prompted to whether you want to configure your network card, select Yes
- Redhat 6.0 then detects the 3com 3c59x network card. Press [ENTER] to continue.
- When prompted for "boot protocol", Static IP is the thing to choose for me but go
for the one suitable for your network. Enter your IP, Netmask, gateway and DNS addresses.
- Then when prompted, enter your Domain name (dl.ac.uk in my case) and the computer name.
Secondary and tertiary name servers are optional.
- Under "Configure Timezone", select it. (Europe, London for me)
- Now you should be prompted to configure Services:
the following is an attempt to turn off all services that could be scanned and
possibly exploited in the future
(unless you are running X, where port 6000 will be scannable).
The idea is that you enable the services you
need explicitly at a later date. You can press F1 when highlighting a service to
get an explanation of what the service does.
- Disable inet (inetd, which starts the telnet, ftp and rlogin daemons - by default you do not want
them, and are best advised to install secure replacements such as Secure Shell, etc)
- Disable linuxconf
- Disable lpd
- Disable nfs
- Disable portmap
- Disable rstatd
- Disable rusersd
- Disable rwhod
- Disable sendmail (if you want sendmail capability, it is recommended you use alternatives such as
Postfix or Qmail)
- Disable ypbind
- In theory, after this installation, a port scan from another machine should find no open ports (assuming X
is not running). Note that disabling a service here only stops it starting at boot; after the first
boot, check with netstat -an as root that nothing is actually listening.
- When prompted for "Configure Printer", if you have one, configure it as best you can, or
do this later via the snazzy GUI "Linuxconf" tool, or via the KDE interface.
- When prompted for "Root password", enter one that others cannot guess or crack all that
easily.
- When prompted for authentication configuration, go for shadowed passwords and MD5 passwords.
Keep NIS (Network Information Service) off as it is unnecessary here.
- Create a Boot Disk when prompted (if only for the joy of accidentally using this
instead of the install disk when you next wipe and re-install Linux)
- IMPORTANT BIT: Here we come to the whole point of mucking around
with Ranish Partition Manager for DOS. When prompted about the "Lilo Installation", put
the bootloader in the First sector of the boot partition (not the Master boot record).
This way, things actually have a good chance of "dual"-booting as desired on a restart. When
asked about "special options", unless you know of some that you have to use, just select OK
which should work.
- When prompted about Bootable partitions; Linux at this point does not know that
we have "spat upon" its LILO loader for "dual booting", and that we are using Ranish Partition Manager's
MBR based program for dual booting. So just keep Linux happily deluded and select OK to
continue. Go with defaults (If you get the "Edit Boot Label" option, you pressed ENTER instead
of TAB, then ENTER to the OK button) and things should be happy.
- NOTE: If you have troubles with the native X support, have a look
at XIG Commercial Xserver for Linux/UNIX
- Good at detecting a wide variety of graphics cards.
- Time limited demonstration version is available
- At
http://www.xig.com
- The install then does a "PCI Probe" and says it detects the video card (in this case a
PCI Entry: Mach64 GB X Server : Mach64A).
A happy event indeed, given that getting X-windows to actually work can be a major pain, and this is
encouraging. Thus select OK to continue; after which the relevant XFree86 server package will
be installed from the CD-ROM.
- When prompted over "Monitor Setup", if you cannot see yours, select Custom.
Though this is a IIYAMA Monitor and is in the Redhat list of monitors.
- Redhat will then prompt that Xconfigurator will now probe the video card.
- Xconfigurator will then give a default mode. In this case, 32 bits per pixel
and a resolution of 1024x768. If you want to differ,
select Let Me Choose. For me, (under "Select Video Mode") select 16 bit, 1280x1024.
NOTE: Be wary that 256-colour X-Windows displays can have weird
things happen to them because of dodgy programs, mainly incompatible colour palettes, etc.
If you have the option, avoid 256 colours if possible and go for high colour - and get the
nicer graphics as well. If you choose too high a resolution, Redhat may say there is
a problem and let you go back and choose again.
- Xconfigurator will then do a test and query whether you can see the test message. Press YES
if you can.
- Xconfigurator will then query whether you want Redhat Linux to automatically start running X
upon booting. For me the answer is No, as I normally like to start in text mode, then type
startx if I want to go into X. (If you want to toggle between starting up at a command
line and starting up in X, edit the default runlevel in the /etc/inittab file to change this behaviour)
- At this point, the Installer should be saying something like Congratulations. (If not,
such is life and it implies things are not happy - most likely in the file partitions)
Before selecting OK to continue, take out the
boot floppy you created, otherwise the following may be a bit different. If you do end
up booting from the boot floppy, let it happen, then either log in as root and give the reboot command, or
press [CTRL] [ALT] [DELETE] to restart.
- When the PC restarts, you should now be prompted with HD/1. Press 3 (the third
primary partition) to boot up Linux. (A minimalist boot manager, I have already admitted, but
it should get the job done in a reproducible manner - and installing the more visually
exciting menu implementation of the boot manager is described above)
- To have it that on starting X, the X server does not listen on port 6000:
- as root in a root shell, type which startx (this should tell you that startx is at
"/usr/X11R6/bin/startx")
- Edit (normally using vi, unless you have a user-friendly editor installed) the "/usr/X11R6/bin/startx"
file and add -nolisten tcp to serverargs (it is an X server option, so it belongs in serverargs;
adding it to clientargs as well does nothing useful)
- DONE! :-) Now when you start X, port 6000 will not be open. Local clients still reach the
server through the Unix socket in /tmp/.X11-unix, and you can confirm the TCP port is closed
with netstat -an after startx.
- To start the X GUI, type startx, which gives you a 800x600, high-colour GUI display. By
default, a GUI "Control Panel" should be visible, allowing you to relatively easily create users
and fine tune the system. (If you took the above suggestions, the desktop will most likely be KDE)
- If you are using KDE, click on the KDE Control Center icon to access the customisation options
for the desktop. Click on the "K" icon, System, User Manager to add and configure users.
- To Access linuxconf via the KDE interface, open up a Xterminal and type linuxconf &
- One thing I would suggest via the linuxconf program is to set
(or possibly confirm) the name of your system (you only put an IP address during install). Scroll down to Config,
Networking, Client Tasks, Basic Host Information and add your hostname to the "Hostname"
and for "Adaptor 1". Then set your default domain.
Then scroll down to "Control, Control Panel, Activate configuration" to get the system to use
the changes ("Make it so Number one!"). This is one of the Brilliant features in the
"Linux Conf" Program. Adding groups and users is just as easy. Note that if you are adding
users and groups; check if they have to conform to some UID/GID naming scheme consistent over
the entire site.
If it complains about the config files having times set in the future, it could be that the system
might not know about daylight savings. (Will have to check this out later - was not a problem with
Redhat 5.2 - but was installing that during winter)
- If in the mood, now have fun reinstalling MS Windows (when prompted with HD/1 Press 1
(the first primary partition) to boot up to Windows/DOS. Again, info on installing a more visually
exciting menu implementation of the boot manager is described above. If Windows blows away some of the boot/MBR
information, reinstalling Ranish Partition Manager into the MBR should get things going as per normal. After you
are happy with the partition setup, you may like to use Ranish Partition Manager to get the MBR checking for
viruses again.
- A relatively user friendly manner of activating and deactivating services is to run the
/usr/sbin/setup program and go into System Services to enable and disable things like
sendmail, portmapper, inetd, the nfs daemon, etc.
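Two checks a practitioner wants after the services step, the startx edit and the "no open ports" claim above, as an added example (not code from the CCP14 page): a shell function that makes the -nolisten tcp edit to a copy of startx, assuming the Red Hat 6.x startx layout with a serverargs="..." line, and a parser for Linux netstat -an output that lists what is actually listening. It is run here on constructed sample netstat output; the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example for the CCP14 tutorial, not code from the original page.
# Two post-install checks for a Red Hat 6.x machine:
#   add_nolisten_tcp FILE  - put "-nolisten tcp" on the serverargs= line of a
#                            startx script so the X server never opens TCP 6000
#   listening_sockets      - read Linux "netstat -an" output on stdin, print
#                            one "proto port" line per listening TCP/UDP socket
#   unexpected_listeners   - drop the "proto port" pairs you expect and fail if
#                            anything else is left

# Assumes the Red Hat 6.x startx layout: a line serverargs="..." (possibly empty).
# Idempotent: a second call changes nothing. Returns 1 if no serverargs= line
# is found, in which case edit the script by hand.
add_nolisten_tcp() {
    f=$1
    if grep -q -- '-nolisten tcp' "$f"; then
        return 0
    fi
    grep -q '^serverargs="' "$f" || return 1
    tmp="$f.tmp.$$"
    # insert the option just before the closing quote of serverargs="..."
    sed 's/^\(serverargs="[^"]*\)"/\1 -nolisten tcp"/' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f"          # overwrite in place so startx keeps its mode bits
    rm -f "$tmp"
    grep -q -- '-nolisten tcp' "$f"
}

# A listening socket is a tcp line in state LISTEN, or a udp line whose foreign
# address is "*" (unconnected). The port is the text after the last ":" of the
# local address; "tcp6"/"udp6" are folded into "tcp"/"udp".
listening_sockets() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
             n = split($4, a, ":"); p = $1; sub(/6$/, "", p); print p, a[n]
         }' | sort -u
}

# Usage: listing | unexpected_listeners "tcp 6000" ...   (exit 0 if nothing else)
unexpected_listeners() {
    allowed=$(printf '%s\n' "$@")
    left=$(grep -vxF -- "$allowed" || true)
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# Constructed sample of "netstat -an" output (192.0.2.x are placeholder addresses):
# X on 6000 and sshd on 22 listening, portmap on udp 111, one established ssh session.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.20:1034         ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1234   /tmp/.X11-unix/X0
EOF
)

# Demo on the sample, no root needed. On the real machine, as root:
#   add_nolisten_tcp /usr/X11R6/bin/startx
#   netstat -an | listening_sockets | unexpected_listeners "tcp 6000"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets | unexpected_listeners "tcp 22" "udp 111" \
    || echo "the ports listed above were not expected"
```

Run the live form as root after startx; if it reports "tcp 6000" the serverargs edit did not take effect, and anything else listed is a daemon the services step missed.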
Things to do Now that Basic Linux has been Installed
- For some strange reason, Redhat puts updates in a separate area and has no transparent way to
check for updates during or after installation. So when installing a version of Redhat fresh
off the internet, you may still be getting the old, buggy programs that may have security flaws. Thus
go to the Redhat website and find out what updates are available and relevant for your installation.
Go to the updates directory at the FTP site you are downloading from; grab and install any updates
for programs you are using. These are in the form of RPMs. Check each package with rpm -K filename.rpm
before installing (it verifies the md5 checksum, and the Red Hat PGP/GPG signature if their public key is on
your keyring), then install via rpm -Uvh filename.rpm.
An automatic/pseudo-transparent way of doing updates of packages and RPMs with Redhat Linux
(and other versions of Linux) is to use autorpm, which will do all of this for you once it
has been installed.
Debian Linux does a much better job of this, having an automated update system that warns that newer programs
are available (http://www.debian.org using the apt program
- refer: http://www.debian.org/security/).
- Warning: Doing the following - and even just downloading nmap - may be a sackable offence
in many organisations. Check with your network support group first before downloading nmap and any other related
tools.
You can now try running a "scanner/probe" on the new Linux machine once it is connected to
the network, such as nmap (http://www.insecure.org/nmap/).
Nmap should say there are no open ports. Then run X (using the startx command); nmap should
still state that there are no open ports.
The nmap command line to use is nmap -sS -O -vv 127.0.0.1 (run as root, since -sS and -O need raw sockets).
Scanning 127.0.0.1 only shows what the loopback interface sees: a daemon bound only to the loopback
address shows up even though it is unreachable from the network, and one bound only to the ethernet
address does not show up. So also scan the machine's own ethernet IP address, or better still scan it
from another host you are allowed to use.
Get and compile the excellent snarf program for being able to quickly get programs via FTP and HTTP via a command line -
http://www.xach.com/snarf/
ftp://ftp.mint.net/pub/snarf/snarf-latest.tar.gz
One of the advantages of UNIX is that it can work on a command line. Useful when you have limited memory or are
remotely logging in. Snarf can be a lifesaver to quickly pull over install files off the internet,
saving you loading up a GUI netscape or bothering with Lynx, which can occasionally be quite finicky for downloading.
- Compile/Install Secure Shell (SSH) for Linux
and disable superfluous inetd.conf based daemons - telnetd, rlogind, rshd - which should not be running
as inetd was disabled in the installation. On modern Linux systems OpenSSH should be included - type
the ssh command to check this.
- Add a user or two (yourself for one). As per the above note: if you are adding
users and groups; check if they have to conform to some UID/GID naming scheme consistent over
the entire site.
- The above install makes this superfluous, but just in case you did not go this way:
Disable unnecessary daemons in the portmapper and inetd.conf
(pretty much everything you don't need; ftpd, telnetd, fingerd, etc).
This means edit the /etc/inetd.conf file and comment out (with a leading #) everything you don't like the
look of. If you have installed Secure Shell, you can pretty much comment out everything.
Then type killall -HUP inetd to make the inetd daemon re-read the file.
- Refer to the TrinityOS documentation, which is quite excellent on how to
secure and administer Linux - http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri
- For limiting hacking on your system, by default Redhat Linux comes with TCP Wrappers enabled (tcpd), which
can protect defined services, or a global ALL, for programs run from within inetd.
Again, superfluous if you followed the above in disabling inetd, but you may have ignored this advice.
Do a man tcpd, which describes what this is about, and man 5 hosts_access for the rule syntax and some examples.
If you only want people from your domain to be able to access services, following are examples of
/etc/hosts.allow and /etc/hosts.deny that you can modify. tcpd checks hosts.allow first and grants access on
the first match, then hosts.deny and refuses on the first match; a client that matches neither file is let in,
so it is the ALL: ALL line in hosts.deny that actually closes the door. You can create a banner depending on whether
the user is authorized or not to use this service from the particular domain they are logging in from.
- /etc/hosts.deny
ALL: ALL : banners /usr/etc/tcpwrap/banner1
- /etc/hosts.allow
ALL: LOCAL, 127.0.0.1 : banners /usr/etc/tcpwrap/banner2
ALL: .dl.ac.uk, .ccp14.ac.uk : banners /usr/etc/tcpwrap/banner2
Note that the .domain patterns are matched against the client's name from a reverse DNS lookup; tcpd refuses
connections whose forward and reverse lookups disagree, but where you can, list your network's address prefix
(the leading octets followed by a dot) rather than domain names.
- Where the /usr/etc/tcpwrap/banner1 directory has files depending on the service you wish to
give a message about - ftpd nul rlogind telnetd
e.g, for telnetd:
*********************************************************
* UNAUTHORIZED ACCESS TO THIS MACHINE IS PROHIBITED *
(and very naughty) *
*********************************************************
- Where the /usr/etc/tcpwrap/banner2 directory has files depending on the service you wish to
give a message about - ftpd nul rlogind telnetd
e.g., for telnetd: Hello, Hello %u@%h.
- Unlike the standard UNIX portmapper, the Redhat linux portmapper is protected by TCP Wrappers as described above.
This is important if you are running NFS and allowing some systems to nfs mount your directory areas; and
limit probes on your system.
- Check around some Securing Linux sites for extra info on keeping your system "unhacked":
- Fill up hard-disk with stuff (StarOffice office/word processing suite, etc)
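The hosts.allow/hosts.deny rules in the TCP Wrappers section above are easy to get subtly wrong (the original page even labelled both files hosts.deny). As an added example that is not from the CCP14 page and is not tcpd itself, here is a small sh simulator of the hosts_access(5) decision, written from the documented semantics, that lets you dry-run rule files before trusting them. It assumes rules in the plain "daemons : clients : options" form and implements only ALL, LOCAL, .domain suffixes, address prefixes and exact matches; the client names localpc and pc2.example.net and the address 192.0.2.7 in the demo are constructed.

```shell
#!/bin/sh
# Added example for the CCP14 tutorial; this is a simulator written from the
# hosts_access(5) rules, not tcpd itself. It lets you dry-run /etc/hosts.allow
# and /etc/hosts.deny before trusting them:
#   1. hosts.allow is searched first; the first matching line grants access
#   2. otherwise hosts.deny; the first matching line refuses access
#   3. a client matched by neither file is ALLOWED (so hosts.deny needs ALL: ALL)
# Supported client/daemon patterns: ALL, LOCAL (a name with no dot), .domain
# suffix, 1.2.3. address prefix, and exact host, address or daemon name.
# Not supported: EXCEPT, KNOWN/UNKNOWN/PARANOID, @netgroups, backslash
# continuation lines. Real tcpd tests both the client's address and the name
# from its reverse DNS lookup; here you pass the single value to be checked.
set -f   # splitting pattern lists must not trigger pathname expansion

match_pattern() {      # pattern item -> 0 if pattern matches item
    pat=$1; item=$2
    case "$pat" in
        ALL)   return 0 ;;
        LOCAL) case "$item" in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case "$item" in *"$pat") return 0 ;; *) return 1 ;; esac ;;
        *.)    case "$item" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$pat" = "$item" ] ;;
    esac
}

list_matches() {       # item "p1, p2 ..." -> 0 if any pattern in the list matches
    for pat in $(printf '%s' "$2" | tr ',' ' '); do
        match_pattern "$pat" "$1" && return 0
    done
    return 1
}

file_matches() {       # daemon client file -> 0 if a "daemons : clients" line matches
    [ -f "$3" ] || return 1
    sed 's/#.*//' "$3" | {
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in *:*) ;; *) continue ;; esac
            dlist=${line%%:*}
            rest=${line#*:}
            clist=${rest%%:*}          # a third field (banners etc.) is ignored here
            if list_matches "$1" "$dlist" && list_matches "$2" "$clist"; then
                exit 0                 # first match wins; exit leaves the subshell
            fi
        done
        exit 1
    }
}

tcpd_decide() {        # daemon client allow_file deny_file -> prints allow|deny
    if file_matches "$1" "$2" "$3"; then
        echo allow
    elif file_matches "$1" "$2" "$4"; then
        echo deny
    else
        echo allow                     # default when neither file matches
    fi
}

# The page's example rules, with the second file correctly named hosts.allow,
# written to DIR so they can be tried without touching /etc.
make_rules() {
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL : banners /usr/etc/tcpwrap/banner1
EOF
    cat > "$1/hosts.allow" <<'EOF'
ALL: LOCAL, 127.0.0.1 : banners /usr/etc/tcpwrap/banner2
ALL: .dl.ac.uk, .ccp14.ac.uk : banners /usr/etc/tcpwrap/banner2
EOF
}

# Demo on a scratch copy (constructed client names; 192.0.2.7 is a placeholder).
d=$(mktemp -d)
make_rules "$d"
for c in pc1.dl.ac.uk 127.0.0.1 localpc pc2.example.net 192.0.2.7; do
    echo "in.telnetd from $c: $(tcpd_decide in.telnetd "$c" "$d/hosts.allow" "$d/hosts.deny")"
done
rm -rf "$d"
```

Once the real files are in /etc, the tcp_wrappers package's own tcpdmatch (e.g. tcpdmatch in.telnetd some.host) gives the authoritative answer, including the reverse-DNS and EXCEPT handling this simulator leaves out.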