Mandrake 9.1 Secure Server Install



IronBits
11-08-2003, 01:45 PM
A Quick Guide to Setting Up a Secure, Internet Connected Mandrake 9.1 Box
by Dyyryath

This is just a quick walkthrough of how I set up a non-desktop Mandrake box that will be directly connected to the Internet. Generally, this means it would be used as a server of some type (e.g. web, ftp, etc.). The partitioning scheme would be adjusted based on what it was going to be used for, but as a starting point, this is pretty close.

At the end, I would install whatever specialized software the box required (e.g. Apache if it was going to be a web server). I'd also configure iptables to restrict all but SSH and whatever services the box would be providing. A remote syslog is also a good idea. That's somewhat beyond the scope of this short list, though. ;)

Keep in mind that this is just a simple list. It doesn't take RAID arrays, multiple drive setups, or exotic security requirements into account.

------

Put the Mandrake Disc 1 in the CD-ROM & boot the machine.

Hit ENTER when the splash screen comes up.

Select your language, then ACCEPT the license, then select your mouse type.

Select HIGHER for your security level and leave the security admin password blank.

Select Custom Disk Partitioning. When the partitioning tool comes up, select 'Expert Mode'.

Clear any existing partitions.

Create a partition, type 'Linux Swap', preference 'Primary', size between 250-500 MB. You can adjust the swap size to your preference. I generally don't go less than 250 MB or more than 500 MB, though this depends on the box.

Create another partition, type 'Reiser', preference 'Primary', mount point '/' using the remaining space on the drive. You can create several partitions instead of one (/var, /home, and /etc are good candidates for their own partitions). For most people a single large partition is fine, though this depends on what you will use the server for. I'm using Reiser here since it *tends* to be faster than ext3. I use both and either would be fine. I haven't used JFS enough to have a valid opinion of it yet.

Click DONE, then agree to let it write the partition table to disk.

Uncheck all the boxes on the software package selection screen. We'll start with the bare minimum and work our way up from there.

On the next screen, make sure the 'minimal with docs' option is selected and continue.

If you see a screen about installed servers, that's fine, just continue through it.

Install the bootloader to the master boot record on the primary hard drive.

Enter your root password.

Create an account for yourself. Make sure you click the option to add this account to the 'wheel' group so you can 'su' to root with it. The other options aren't important.

Now configure the network interfaces. You'll need to know certain things about your network to do this.

Next configure the installed services. Disable everything except:
cron, keytable, network, random, syslog, xfs (if you want to use X), xinetd, and internet.

You're finished with the options page. Click no when asked to download updates on the next page and then wait for it to reboot.

It should reboot with the linux-secure kernel.

When you get a console, log in as yourself (root can't log in directly), and then su to root.

You can now use urpmi to install any additional software you need:

For SSH do:
urpmi openssh openssh-clients openssh-server
service sshd start
To log in to this machine from other systems, you need to edit /etc/hosts.allow and add the following:
sshd:ALL
You can restrict that further by using something like the following instead:
sshd:192.168.1.0/255.255.255.0
You can put multiple addresses or networks in there by separating them with commas.

If you are going to access this system remotely and don't want to deal with Install CDs (or you've removed the cdrom drive) and you have a fast Internet connection, do the following as root:

urpmi.removemedia "Installation CD 1"
urpmi.removemedia "Installation CD 2"
urpmi.removemedia "International CD"
urpmi.addmedia main ftp://mirrors.secsup.org/pub/linux/mandrake/Mandrake/9.1/i586/Mandrake/RPMS with ../base/hdlist.cz

urpmi.addmedia contrib ftp://mirrors.secsup.org/pub/linux/mandrake/Mandrake/9.1/contrib/RPMS with ../../i586/Mandrake/base/hdlist2.cz

urpmi.addmedia --update updates ftp://mirrors.secsup.org/pub/linux/mandrake/Mandrake/updates/9.1/RPMS/ with ../base/hdlist.cz

From that point on, urpmi will use remote sources to load software. You can adjust the servers I used in commands above to reflect mirrors closer to your own physical location. A good online tool for generating these commands can be found at http://plf.zarb.org/~nanardon/index.php

Some other packages you might want:

drakconf: Mandrake's graphical control panel tools. Use the following to install drakconf & its dependencies (most notably X & twm):
urpmi drakconf

nmap: A good port scanner, useful to do 'nmap localhost' and see what you've got running. ;)
urpmi nmap

iptables: Tools for working with the kernel's netfilter code. It's basically the Linux firewall stuff.
urpmi iptables

lynx: A console-based web browser. Very useful for downloading DC clients & whatnot.
urpmi lynx

From here, you'll need to load and configure any additional software that you need to use. As of now, you've got a fairly secure starting point with just the basics.
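
An added example, not part of the original guide: a small Python model of how tcp_wrappers evaluates the sshd lines shown in the SSH step, so a rule can be checked against sample client addresses before it goes into /etc/hosts.allow. It goes slightly beyond the guide by also modelling /etc/hosts.deny; the `ALL:ALL` deny body, the sample addresses and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed hosts.allow bodies: the two forms from the guide and a comma list.
ALLOW_ALL = "sshd:ALL\n"
ALLOW_LAN = "sshd:192.168.1.0/255.255.255.0\n"
ALLOW_MULTI = "# constructed sample\nsshd: 192.168.1.0/255.255.255.0, 10.0.0.5\n"
DENY_ALL = "ALL:ALL\n"  # assumed default-deny hosts.deny; not shown in the guide


def client_matches(pattern, ip):
    """Match one client pattern: ALL, net/mask, 'a.b.c.' prefix or one address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    try:
        if "/" in pattern:
            # Raises ValueError (no match) if the net part has host bits set.
            return ip in ipaddress.ip_network(pattern)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostnames, EXCEPT and other wildcards are not modelled


def rule_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list' line covers daemon and ip."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # trailing options ignored
        names = {d.lower() for d in re.split(r"[,\s]+", daemons.strip())}
        if not {daemon.lower(), "all"} & names:
            continue
        patterns = [p for p in re.split(r"[,\s]+", clients.strip()) if p]
        if any(client_matches(p, ip) for p in patterns):
            return True
    return False


def access_granted(allow_text, deny_text, daemon, client):
    """hosts.allow match grants; else hosts.deny match denies; else grant."""
    ip = ipaddress.ip_address(client)
    if rule_matches(allow_text, daemon, ip):
        return True
    return not rule_matches(deny_text, daemon, ip)
```

With an empty hosts.deny, the narrower `sshd:192.168.1.0/255.255.255.0` line admits the same clients as `sshd:ALL`, because tcp_wrappers grants access when neither file matches.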