
Securing Main steps in securing your server.

Old 25-07-2004, 19:51   #1
shawnho
SGWHT Premium Member
 
Join Date: 24-07-2003
Location: Singapore
Posts: 1,541
Step 1 - Update Your System

Why should the system be updated?

A system update keeps all the packages (software) installed on the server at the recommended stable version. When your server is up to date, a hacker who scans your server for old and outdated daemons will not find any and hence will move on to the next server in the network or the next server in his list. The main reason for this step is to prevent the hacker from making your server a target and trying to hack in in the first place. This gives out the picture: "There is nothing in this system that can be exploited. It is updated with the latest software, and trying to hack in will just be a waste of time."
__________________________________________________ _______________

For Red Hat 9 :

We need the latest updated version of up2date on the system, or else you will end up getting an SSL error! If your OS is not Red Hat 9, download the appropriate up2date from the Red Hat website. The following is for Red Hat 9.
Code:
wget http://updates.redhat.com/9/en/os/i386/up2date-3.1.23.2-1.i386.rpm
rpm -Uvh up2date-3.1.23.2-1.i386.rpm
First, let us register our system:

Code:
up2date --register

This will ask you a couple of questions, which you need to answer. At one point, you need to enter a username, password and an email address. Just think of a unique username and password, enter your email address, and continue with the rest of the questions. At the final stage, it will send the profile to Red Hat Network. After successful registration, as suggested, run the following command:

Code:
 rpm --import /usr/share/rhn/RPM-GPG-KEY 

Now, let's configure up2date

Code:
up2date --configure
You just need to look for 2 things: pkgSkipList and removeSkipList. By default, you will see kernel there. If you don't use a customized kernel, and want to have up2date automatically update your kernel, go ahead and remove the kernel from both the options. That is what I also recommend: let up2date update your kernel automatically. For example, on Red Hat 9, the number for pkgSkipList is 8 and removeSkipList is 29, so to clear the contents, do this:



What the above command does is it will remove "kernel" from the skip package list, and hence, everything, including the kernel can now be upgraded automatically. Unless you are using a custom-made kernel, upgrading the kernel via up2date is the recommended method. Your setting will look something like the following:



Press ENTER once again to save and exit the up2date configuration. Time to update our system

Code:
up2date -u

If the system says it is busy, try again later.
From next time onwards, all you need to do is remember to issue the
up2date -u command once a week to update your system.
__________________________________________________ _______________

For Fedora :

You can use up2date with Fedora, but you can use Yum, which I personally recommend.
Code:

wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/yum-2.0.5-1.noarch.rpm

rpm -Uvh yum-2.0.5-1.noarch.rpm 

Yum is now installed.

We simply update fedora by giving the command:

Code:
yum update
__________________________________________________ _______________

For Debian :

I have the following in my /etc/apt/sources.list



Code:

apt-get -u update
apt-get -u dist-upgrade
__________________________________________________ _______________

For FreeBSD :

Remember: The following steps take a considerable amount of time to complete!

Code:
cd /usr/ports/net/cvsup-without-gui
make install && make clean

cp /usr/share/examples/cvsup/ports-supfile /root
cd /root
vi ports-supfile


Change

*default host=CHANGE_THIS.FreeBSD.org

To

*default host=cvsup1.FreeBSD.org

Code:
cd /root
/usr/local/bin/cvsup ports-supfile
__________________________________________________ _______________




Courtesy of admin0
shawnho is offline   Reply With Quote

Old 25-07-2004, 20:14   #2
salmonella
SGWHT Veteran Member
 
Join Date: 27-07-2003
Posts: 1,470
For Debian users in Singapore, I recommend using the following in your /etc/apt/sources.list instead of listing 4 or 5 identical mirrors in other parts of the world -
Code:
deb ftp://mirror.averse.net/debian/ stable main non-free contrib
#deb-src ftp://mirror.averse.net/debian/ stable main non-free contrib
deb ftp://mirror.averse.net/debian-non-US stable/non-US main contrib non-free
#deb-src ftp://mirror.averse.net/debian-non-US stable/non-US main contrib non-free

deb ftp://mirror.averse.net/debian-security stable/updates main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
Don't forget to add the line for security updates!

Replace stable with testing/unstable if that's what you're using. And uncomment the deb-src lines only if you're actually rolling your own binary .deb's.

For FreeBSD, I recommend changing the supfile to point to cvsup.sg.freebsd.org.

You may also want to use a local mirror for your Fedora yum updates from mirror.averse.net, ftp.oss.eznetsols.org, mirror.nus.edu.sg...
salmonella is offline   Reply With Quote
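An added example, not part of the posts above: a check that an APT sources.list follows the advice in post #2 (an active security-updates line, one release used throughout, deb-src lines active only on purpose). The function name, the finding labels and the sample list are constructed for illustration, and treating any URI containing "security" as the security archive is a heuristic.

```shell
#!/bin/sh
# Audits sources.list content read from stdin (classic one-line format).
# Prints one finding per line; returns 0 when nothing needs fixing.
audit_sources_list() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            if ($i ~ /^\[/) {                   # skip an optional [options] field
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i; suite = $(i + 1)
            release = suite
            sub("[-/].*", "", release)          # stable/updates -> stable
            if ($1 == "deb-src") { src++; next }
            releases[release] = 1
            if (uri ~ /security/) security = 1  # heuristic, see lead-in
        }
        END {
            if (!security) { print "MISSING-SECURITY"; bad = 1 }
            n = 0
            for (r in releases) n++
            if (n > 1) { print "MIXED-RELEASES"; bad = 1 }
            if (src) print "ACTIVE-DEB-SRC " src
            exit bad + 0
        }
    '
}

# Constructed sample: no security line, and an uncommented deb-src line.
SAMPLE='deb ftp://mirror.averse.net/debian/ stable main non-free contrib
deb-src ftp://mirror.averse.net/debian/ stable main non-free contrib
deb ftp://mirror.averse.net/debian-non-US stable/non-US main contrib non-free'

printf '%s\n' "$SAMPLE" | audit_sources_list || echo "sources.list needs attention"
# On a real host: audit_sources_list < /etc/apt/sources.list
```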
Old 26-07-2004, 05:48   #3
choon
SGWHT Senior Member
 
Join Date: 01-07-2002
Location: Singapore
Posts: 488
For the FreeBSD part, you only show how to use cvsup to sync its ports tree. After updating, one method is to use portupgrade to update those applications or keep your installed software up to date.
__________________
Giam Teck Choon
System Administrator
Join my community today at choon.NET Community to share server related tips and tricks!
External/One-Year WHM/cPanel licenses | Linux/FreeBSD Server Management | Xen VPS Solutions (with/without WHM/cPanel or DirectAdmin)
choon is offline   Reply With Quote
Old 07-09-2006, 11:08   #4
memoriess
SGWHT Newbie
 
Join Date: 03-09-2006
Posts: 50
Hi Experts,

Just a question, after patching, should we reboot the server for the patches to take effect?

Thanks
memoriess is offline   Reply With Quote
Old 07-09-2006, 12:08   #5
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
If you upgrade the kernel, yes, you need to reboot for the new kernel to run.

For upgrading software, you don't need to reboot your system.
__________________
tanfwc
tanfwc is offline   Reply With Quote
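An added example, not part of the thread: a check for the case described in post #5, where a newer kernel package is installed than the one currently running. The function names and the sample package list are constructed, and `sort -V` (GNU coreutils) is used as an approximation of RPM's own version ordering.

```shell
#!/bin/sh
# Prints the newest kernel release from `rpm -q kernel` style lines on stdin.
newest_installed_kernel() {
    sed -n 's/^kernel-//p' | sort -V | tail -n 1
}

# Usage: reboot_needed RUNNING_RELEASE < installed-kernel-list
# Returns 0 (and prints why) when a newer kernel is installed than the one
# running, 1 when the running kernel is the newest, 2 when the list is empty.
reboot_needed() {
    running=$1
    newest=$(newest_installed_kernel)
    [ -n "$newest" ] || return 2
    highest=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    if [ "$newest" != "$running" ] && [ "$highest" = "$newest" ]; then
        echo "running $running, installed $newest: reboot to load the new kernel"
        return 0
    fi
    return 1
}

# Constructed sample: package list after an update installed a second kernel.
SAMPLE_INSTALLED='kernel-2.4.20-8
kernel-2.4.20-31.9'

printf '%s\n' "$SAMPLE_INSTALLED" | reboot_needed "2.4.20-8"
# On a real RPM-based host: rpm -q kernel | reboot_needed "$(uname -r)"
```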
All times are GMT +8. The time now is 01:32.
Copyright (C) 2002-2015 Brought to you by Singapore Web Hosting Talk (SGWHT). All Rights Reserved.