Telsa's tips on securing RedHat
Written in March 2002
> I just set up my Linux workstation and I've got the extreme fidgets as
> I'm pretty sure I'm wide open to the world right now. I'm running on a
> cable modem that very helpfully needed no configuration to get going
> with Linux. When I installed Red Hat 7.2 there were firewall options
> and I chose high security. I have no idea what that entails and since
> then I've installed the 2.4.18 kernel so I don't know if the settings
> held or not.
Of the choices in that tool, that's the highest-paranoia setting.
The author says "if you used that level, nothing should be able
to connect from outside." I know this because I documented it :)
The tool is called gnome-lokkit.
If you are interested, you can find the documentation for it in
/usr/share/gnome/help/gnome-lokkit/C/index.html
(There is a reason for this apparently meaningless location, yes :))
How did you install the new kernel? With the up2date tool? As an rpm?
Built it yourself? The only thing to watch if you built it yourself
is that you included the firewalling support in the kernel
configuration. I think it's under a heading of 'netfilter'. If you got
it from RH as an update, you're fine.
Since you have a cable modem, your best bet for keeping things
up to date is to run the up2date tool. It has a text-only
mode, but it's horrible. If you have X, definitely run it from
that. KDE, GNOME, or just plain X. (This is the graphical
interface as opposed to the plain text stuff.)
Security updates arrive via up2date.
If you don't want to use up2date (or have a crap modem) then
- Bookmark
  http://www.redhat.com/support/errata/rh72-errata-security.html
  (and http://www.redhat.com/apps/support/errata/index.html but
  that's for everything, not just security) and visit it regularly.
- Plough down that list. For every package, run "rpm -q packagename".
  If you get only your prompt back, you don't have it and can
  ignore it. If you get "packagename-versionnumber", you have
  the package, and will need to get the update.
- Download the lot from a mirror. Mozilla will do it, or Konqueror,
  or gftp (Gnome's ftp tool). If you're at a command line, then use
  'lftp' or 'ncftp' instead of 'ftp'. The 'high-security' settings
  of that firewall tool mean you have to use something called
  'passive mode ftp'; and just typing 'ftp' won't do it.
- Put them all in the same directory.
- Go into that directory.
- Do 'rpm -K *.rpm'. This will check these are the real packages.
  (It's short for 'rpm --checksig'.) Unless you get messages saying
  "md5sum NOT OKAY; gpg sig NOT OKAY" or something obviously similar,
  they're fine.
- Then do "rpm -Uvh *.rpm" and go for some coffee. It may whine
  and not complete it because of dependency errors. If it does, post
  again with details :)
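
An added example for the last two steps, not part of the original tips: a shell filter over 'rpm -K' output that stops the install when any file is NOT OK, and also when a file passes only its md5 check because it carries no signature at all. The function names and sample lines are constructed here, and the exact wording of 'rpm -K' output is an assumption that varies between rpm versions.

```shell
#!/bin/sh
# Added example. Usage in the download directory:
#   rpm -K *.rpm | vet_rpm_k_output && rpm -Uvh *.rpm

# Classify one line of `rpm -K` output: prints ok, unsigned or bad.
classify_sig_line() {
    case "$1" in
        *"NOT OK"*) echo bad ;;          # a digest or signature failed
        *OK)
            # Look only at the check list after "file: ", so a package
            # name containing "gpg" cannot pass for a signature check.
            case "${1#*: }" in
                *gpg*|*pgp*|*signatures*) echo ok ;;
                *) echo unsigned ;;      # md5 alone proves nothing about origin
            esac ;;
        *) echo bad ;;                   # unrecognised line: fail closed
    esac
}

# Read `rpm -K` output on stdin and print "verdict<TAB>file" for every
# file that is not fully verified. Succeeds only if every line was ok
# and there was at least one line.
vet_rpm_k_output() {
    seen=0 failed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        seen=$((seen + 1))
        verdict=$(classify_sig_line "$line")
        if [ "$verdict" != ok ]; then
            failed=$((failed + 1))
            printf '%s\t%s\n' "$verdict" "${line%%: *}"
        fi
    done
    [ "$seen" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed sample output (package names are made up).
sample_rpm_k_output() {
    printf '%s\n' \
        'pkg-a-1.0-2.i386.rpm: md5 gpg OK' \
        'pkg-b-1.0-2.i386.rpm: md5 OK' \
        'pkg-c-1.0-2.i386.rpm: md5 GPG NOT OK'
}

sample_rpm_k_output | vet_rpm_k_output ||
    echo "not installing: the files listed above did not verify"
```
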
Copyright (c) 2002 by Telsa Gwynne. This material
may be distributed only subject to the terms and
conditions set forth in the Open Publication License,
v1.0 or later (the latest version is presently
available at http://www.opencontent.org/openpub/).