Author Topic: Redhat Linux Question... (Read 724 times)

LePaul · « **on:** October 29, 2001, 01:22:00 AM »

I've got a spare computer and wanna install Redhat on it. KDE or Gnome interface? I have the 6.2 box/Cd and know the new 7.2 is out. I downloaded it, burned it to a CD and the install tell me it can't find the CD. Must be something about Easy Creator and the files...the 6.2 stuff worked.

What's this box for? To play. I have a few Linux machines that do DNS and Apache functions and I enough about them just so they can do their duties. This box is going to have a 3dfx Voodoo 3 3000 card in it and I'm just looking to force myself into using/learning Linux.

Computer is a P2 350, 384mb ram, plenty o'power for ole Redhat. Just wanted to know before I tried installing 6.2 on her, what the recommendations were.

Thanks ahead of time

the_hegemon · « **Reply #1 on:** October 29, 2001, 08:25:00 AM »

If this is gonna be connected to the interenet, then upgrade to 7.2 as soon as you can. At http://project.honeynet.org/ they put boxes on the 'net so they can observe the "enemy", and have had RH6.2 boxes comprimised within 24 hours of being put up, since 6.2 has some holes in it.

As for KDE or Gnome, I would suggest trying them both and deciding which you like better. I'm runng FreeBSD 4.3 with KDE2.2 at the moment. KDE comes with KOffice, while for Gnome, if you want Open Office or Star Office, you have to get them seperately (i think, haven't looked in a while).

And as usual, for the sake of security, if you don't need a service running that allows access to your box from the outside, disable it/turn it off, otherwise you will likely get 0w3ned by some 31337 script kiddie.

man is your friend, good luck.

edit: wrong link, fixed it

[ 10-29-2001: Message edited by: the_hegemon ]

Sancho · « **Reply #2 on:** October 29, 2001, 10:06:00 AM »

I use neither KDE or Gnome--both are prone to bloat, as is RedHat, but that's another matter altogether. I use blackbox as my unix window manager of choice. Blackbox is easy on your resources, fast, and looks nice too.

If you're stuck on the choice of KDE or Gnome, I'd say go with KDE. I used to like Gnome more but in the last 6 months or so I'm liking KDE more, from what I've seen. You can always try Blackbox after installing anyways and try it out.

LePaul · « **Reply #3 on:** October 29, 2001, 10:32:00 AM »

Good point about the RedHat 6.2 hacks. My Linux guy couldn't wait to have our Linux machines doing the tasks of our NT ones. He went on and on how great Linux was, free (yet we payed $50 for Redhat several times...go figure!). 2 days after he installed RH 6.2 on both DNS servers, we discovered we'd be hacked. Never been hacked on the NT stations, but 2 days into Redhat, we'd been hit with that Bind issue. Yea, weren't we giving him crap for that

I have a Linksys DSL router/Firewall running, does that give adequate protection if I opt for 6.2? I mean, I can download 7.2 and do a boot-net thing, and upgrade my 6.2 install, right? Or is that a huge pain in the ass?

I just hate using the Text install. All weeekend long, I was trying to do a FTP install on my laptop. As soon as it said it was all set to reboot, the laptop would reboot and come up with "Missing Operating System". LILO was supposedly going on the MBR but something wasn't working right.

So you see, I'm trying real hard to like Linux...but its really being a huge pain, as if daring me to pick up my Windows 98 Boot Disk!

the_hegemon · « **Reply #4 on:** October 29, 2001, 12:09:00 PM »

Quote

I have a Linksys DSL router/Firewall running, does that give adequate protection if I opt for 6.2?

While i'm not an expert on this stuff, I would say that as long as you turn off stuff like bind, sendmail, telnetd, etc. on your RH box, combined with the firewall/router, you should be okay. Do you use NAT?

Quote

I mean, I can download 7.2 and do a boot-net thing, and upgrade my 6.2 install, right? Or is that a huge pain in the ass?

I don't know, haven't touched RH since 5.2, then I switched to FreeBSD, but you can always try it. Worst thing that can happen is that you'll have to reinstall

Also, if your 7.2 CD is not corrupt, you should be able to upgrade off of it(i think).

You might also check out: http://www.linuxdoc.org/ http://www-105.ibm.com/developerworks/papers.nsf/dw/linux-papers-bytitle?OpenDocument&Count=500 http://linux.com/ http://www.securityfocus.com/

Skuzzy · « **Reply #5 on:** October 29, 2001, 12:50:00 PM »

Well LePaul, understand that virtually all Linux distributions come out of the box with minimal security precautions in place.
Once you get a handle on that then you are on your way.

I do not use RedHat due to the inconsistencies in the filesystem hierarchy that deviates from traditional UNIX's.
I like Slackware better for a Linux distribution, but then I know my way around UNIX pretty well.
Slackware does a better job of keeping the installation up to date with the latest releases of the utilites as well.

Anyway, I am an old command line interface guy, but when I use X, I prefer KDE, with the latest X distribution.

There are several things you need to do to secure the box.
Rebuild the kernel with only what you need in it. By default, the kernel has a bunch of support for devices and services you may not need.
Edit inetd.conf and comment out the services you do not want the world to have access to.
Setup the "/etc/hosts.allow" and "/etc/hosts.deny" files to further limit who can have access to what services.
Edit the /etc/services file and comment out what services you do not want to support.
Edit the /etc/ftp* files and turn orr anonymous FTP and further secure the FTP daemon.
If you are running sendmail, the please update it and make sure you have "relaying" turned off.
For BIND, make sure your named.conf file restricts who can update the DNS records you own. Also setup a forwarders entry so your DNS server knows what server immediately upstream can answer queries.

On a side note, there is a bug in the W2K DNS system which basically causes it to ignore the "try again" lookup returned from BIND. w2k treats it as a failure, instead of trying again, or trying the second DNS record for the query. No way to work around this bug and no update on when it will be fixed.
Due to this bug, if you are running a DNS and have a W2K machine in your network, you need to set BIND to notify ("also-notify") your w2k machine when you make a change to the DNS records.

There is more, but I beleive that will get you pretty secure.

LePaul · « **Reply #6 on:** October 29, 2001, 02:35:00 PM »

Cool! Great advice all, and thanks for jumping in, Skuzzy.

Over lunch I went out and picked up Redhat 7.2 and when I get out of work this evening (work 2 jobs...bleah...at least the UPS evening job is somewhat fun) I'll begin the install.

I'm hearing more and more folks not liking Redhat, and I kind of kick myself for buying RH again. Their 30-day support is a farce, of 3 emails I sent, as a registered user, I never got any replies. Its a damn shame so many of these Linux companies went public...they seemed to put out less crap when they weren't! Remember how nice 5.1 was?

I'm going to give KDE a whirl...this is just a stand alone/game machine/learning experience for me...plenty of RAM, cpu power and 3D card should mean a fun little box.

As for am I using NAT, what's that?

Thanks again

[ 10-29-2001: Message edited by: LePaul ]

the_hegemon · « **Reply #7 on:** October 29, 2001, 04:43:00 PM »

NAT is Network Address Translation. You can get router/firewall boxes that will do NAT for you. What it does is you put your LAN behind the router/firewall/NAT and assign IP addresses to the boxes on your LAN that are not routable on the internet, that way if anything ever accidently slips off your LAN onto the 'net, the first router that the packet gets to will drop it. All traffic from the LAN to the outside runs through NAT, where the local IP is changed to the IP of the firewall/router/NAT box, the checksum is recomputed, and the packet is sent on its way. The requested data is then sent back to the r/f/N box, where it keeps track of the connections, decides which LAN IP to send the packet to, changes the IP, recomputes the checksum, and sends it out the original requestor. This keeps anyone outside of your router/firewall/NAT box from being able to talk to any of the machines on your LAN unless you initiate an exchange with them(or set up the r/f/N box poorly).

It's just one more level of security and defense in depth, but I don't know that it would be worth the effort to setup since you don't seem to have had any problems so far with your other computers. Oh, and do what Skuzzy suggested for all the lockdown stuff