11 Telsa's tips on securing RedHat

Written in March 2002

> I just set up my Linux workstation and I've got the extreme fidgets as
> I'm pretty sure I'm wide open to the world right now.  I'm running on a
> cable modem that very helpfully needed no configuration to get going
> with Linux.  When I installed Red Hat 7.2 there were firewall options
> and I chose high security.  I have no idea what that entails and since
> then I've installed the 2.4.18 kernel so I don't know if the settings
> held or not.

Of the choices in that tool, that's the highest-paranoia setting. The author says "if you used that level, nothing should be able to connect from outside." I know this because I documented it :) The tool is called gnome-lokkit.

If you are interested, you can find the documentation for it in /usr/share/gnome/help/gnome-lokkit/C/index.html (There is a reason for this apparently meaningless location, yes :))

How did you install a new kernel? With the up2date tool? As an rpm? Built it yourself? The only thing to watch if you built it yourself is that you included the firewalling support in the kernel configuration. I think it's under a heading of 'netfilter'. If you got it from RH as an update, you're fine.

Since you have a cablemodem, your best bet for keeping things up to date is to run the up2date tool. It has a text-only mode, but it's horrible. If you have X, definitely run it from that. KDE, GNOME, or just plain X. (This is the graphical interface as opposed to the plain text stuff.)

Security updates arrive via up2date.

If you don't want to use up2date (or have a crap modem) then:

  1. Bookmark
    http://www.redhat.com/support/errata/rh72-errata-security.html
    (and http://www.redhat.com/apps/support/errata/index.html but that's for everything, not just security) and visit it regularly.
  2. Plough down that list. For every package, run "rpm -q packagename". If you get only your prompt back, you don't have it and can ignore it. If you get "packagename-versionnumber", you have the package, and will need to get the update.
  3. Download the lot from a mirror. Mozilla will do it, or Konqueror, or gftp (Gnome's ftp tool). If you're at a command line, then use 'lftp' or 'ncftp' instead of 'ftp'. The 'high-security' settings of that firewall tool mean you have to use something called 'passive mode ftp'; and just typing 'ftp' won't do it.
  4. Put them all in the same directory.
  5. Go into that directory.
  6. Do 'rpm -K *rpm'. This will check that these are the real packages. (It's short for 'rpm --checksig'.) Unless you get messages saying "md5sum NOT OKAY; gpg sig NOT OKAY" or something obviously similar, they're fine.
  7. Then do "rpm -Uvh *.rpm" and go for some coffee. It may whine and not complete it because of dependency errors. If it does, post again with details :)
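
Steps 2, 6 and 7 can be tied together so that only packages you already have, and whose signature actually verified, are listed for upgrade. The script below is an added example, not part of the original tips. Its name (check-updates.sh) is hypothetical, and the `rpm -K` output formats it matches are assumptions based on rpm 4.0-era behaviour.

```shell
#!/bin/sh
# Added example (hypothetical check-updates.sh): gate "rpm -Uvh" on "rpm -K".
# Assumed rpm -K output: "file.rpm: md5 gpg OK" when the signature verified,
# "file.rpm: md5 OK" when only the digest was checked (unsigned package),
# and a line containing "NOT OK" on any failure.

# Classify one line of "rpm -K" output.
# Prints one of: signed-ok | digest-only | bad
sig_verdict() {
    line=$1
    result=${line#*: }              # drop the "file.rpm: " prefix
    case $result in
        *"NOT OK"*) echo bad; return 0 ;;
        *OK) ;;                     # fall through to the signature check
        *) echo bad; return 0 ;;    # anything unrecognised is treated as bad
    esac
    # "OK" without gpg/pgp listed means no signature was verified at all.
    case " $result " in
        *" gpg "*|*" pgp "*) echo signed-ok ;;
        *) echo digest-only ;;
    esac
}

# Print the .rpm files in directory $1 that are already installed (step 2)
# and whose signature verified (step 6). Everything else goes to stderr.
upgradable() {
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        name=$(rpm -qp --queryformat '%{NAME}' "$f" 2>/dev/null) || continue
        rpm -q "$name" >/dev/null 2>&1 || continue   # not installed: ignore
        verdict=$(sig_verdict "$(rpm -K "$f" 2>/dev/null)")
        if [ "$verdict" = signed-ok ]; then
            echo "$f"
        else
            echo "REFUSING $f: $verdict" >&2
        fi
    done
}

# Usage: sh check-updates.sh /path/to/downloaded/rpms
if [ "$#" -eq 1 ]; then
    upgradable "$1"
fi
```

Pass the printed file names to "rpm -Uvh" (step 7). A "digest-only" result means the download is intact but nothing proves who built it.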

Copyright (c) 2002 by Telsa Gwynne. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).