shilo, Systematic:

You're absolutely right. Searching some Slack tips&tricks sites I have found a lot of different howtos with a lot of differences between each other. The result is, that I don't know what things are really the must and what is the right order to do them.

I even didn't find an answer to my basic question. When I boot my machine for the first time after installation, is it opened or not? (if I switched off starting of services like httpd, sandmail, etc. during installation). I assume that it is somehow vulnerable...

Isn't then the right way not to configure network during instllation? I mean something like this:
1.) install Slakware (do not configure network)
2.) boot the machine and secure it = start firewall with simple rule: drop everything
3.) configure network
...
x.) open port number 80
y.) download updates
...

Of course, this has no sense, if you use external router/firewall. I don't

Hi brm,

Unless you're planning to use your box as a web server, then of course you don't have to open port 80. Otherwise, your scheme seems good to me. However, if you have every service switched off, it should be no problem to have your network configured and up.

A very simple firewall would be

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

However, this would make your computer pretty useless for connecting to the internet. Add an OUTPUT rule or two:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ! INVALID -j ACCEPT

This accepts everything over the local interface, and everything but invalid packets bound for the outside world. Now, add an INPUT rule:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

This lets in anything which is related to a connection that you've set up, but it won't accept incoming connection attempts. If you want to accept incoming connections to some server, i.e. if you let in NEW packets, the following rule is nice:

iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

This rule kills packets that are new put don't have the SYN bit set; nmap ACK scans, for instance.

Well, quick and crude, but it works.

<EDIT>
This is probably useful too

iptables -A INPUT -i lo -j ACCEPT

Put it at the top of the INPUT chain.
</EDIT>

brn-

I want to expand a little on a comment that Bebo has made. He stated that you do not need to open up port 80 unless you are running a web server. He's exactly right.

A lot of beginners are confused by what we call "client-server" relationships. You do not need port 80 open to surf the web. You need port 80 open to serve to the web. You don't need a mail server to recieve mail, you don't need a ssh server to ssh into another box, you don't need an ftp server to use ftp.

Here's the quick and dirty. Log in as root. Type You are gonna see all of your open ports. Want to close them? Open up /etc/inetd.conf and put a # sybol in front of every line. Now reboot. When you get back up, try nmap localhost again. Should have less open ports. How about closing the rest? At a console, type: If your setup is like mine, some of the names are gonna come up green. For every green name that starts a service you don't want running, type: Be careful which ones you choose. Some of the rc files are required for your computer to even boot. Reboot. run nmap localhost again, kill more processes. Repeat. Soon, you will have no services running.

You'll want to be carefull with all of that. Maybe just run nmap and post the results. We can probably tell you how to shut all of the services down.

Well, the ones that have something to do with servers listening for incoming connections are... Let's see... OK, these:

rc.atalk
rc.bind
rc.cups
rc.httpd
rc.inetd
rc.ip_forward
rc.lprng
rc.mysqld
rc.nfsd
rc.portmap
rc.samba
rc.sendmail
rc.sshd
rc.yp

I'm not sure about CUPS and lprng, though. CUPS can be configured to listen locally only, and lprng I really don't know where it listens. They are printer servers, so you should choose one of them if you want to be able to print.

inetd can be a good thing, maybe, if you want to run some servers listening for remote connections (as opposed to "local", i.e. coming from the box itself). inetd listens for connections in the other server's place, and starts them if a connection request is a received. However, I've read in a few places that sshd can take care of itself and should not be started through inetd.

You should definitely not chmod -x rc.0 rc.6 rc.S rc.M rc.K rc.modules. That may be true also for rc.font and rc.keymap, as it might put you in keyboard troubles.

Just finished the mail server section. you can check it out at http://shilo.is-a-geek.com/slack/sendmail18.html .

The guide is vewy, vewy nice

A comment on the ssh section: as a default, the ssh daemon is configured to use ssh protocol version 1 as a fall-back if version 2 doesn't work. You can see this in /etc/ssh/sshd_config, on the Protocol line. Now, version 1 has some security issues so it should not be used. And in any case it's old, so it's almost never used (except for attacks?). So, remove the # in front of the Protocol line, and then let it just say

Protocol 2

Then restart the ssh daemon.

<EDIT>
No, I got to go to bed now - it's 4 am... See ya tomorrow!
</EDIT>

Sweet. If you don't mind, I'm gonna add that to the ssh section.

Shilo.. have an update for you... i just finished installing Dropline Gnome using the dropline installer.. it didnt update xfree and it works perfectly.. Its a snazzy lil update on the plain gnome interface.. it seems to run a little smoother too.. I still like KDE but this isnt bad.. one thing i cant figure out is how to change the size of the icons on the desktop.. cause they are HUUUUGE!!! lol..

but yes dropline does work fine with an ati card (if you have X setup properly before you install dropline!!!)

Sweet. How huge is HUUUUGE? Post a screenshot. And if you've ever used Gnome before, one tip that I have is create a new user and check out what it looks like for him. Since he won't have any config files in his home directory, everyhting should be stock.

good idea.. ill try that one and see whats up.. screenshot coming soon..



screenshot
http://www.netrox.net/~mjramr/Screenshot.jpg


BAH!!! i spoke to soon on the perfectly working part.. i get a weird error that doesnt seem to do anything but annoy me when i login to gnome..

Thanks to all for very useful comments on security. Maybe I am a bit paranoid. I just wanted to be sure about this before I start with linux again. Now I should download slack-current and start to play this game.

I'll try to make it step by step following your guide, shilo. I will then give you some feedback

I would recommend adding a ebook (PDF) to your site with a note simply saying if you would rather view this site offline and print out at your leisure download the entire site here. Something like that would be great. Thanks anyway whatever you decide to do, it is a great post and your site is even better. By the way, any chance of adding a bit on connecting a broadband connection in Slackware. I am currently trying to do this at the moment after installing Slackware and cannot get it to work. I have tried checking out other posts with similar probs but calling up ifconfig just reports localhost only and does not obtain an IP address. Thanks again, anyway.

Hello again, shilo

I've just made a thorough read of your guide, and I'm really impressed. I have some comments, though; maybe it seems massive, but its just some friendly remarks


Throw in Some Nvidia Drivers

The paragraph in the ATI subsection right above the three modprobe's is a bit, well, strange. Also, I can tell you that ATI's driver for Radeon Mobility 9000 work nicely with kernel 2.6.x for me. But that might be that one driver, I don't know. I've not dared trying to use XFree 4.4, so that I don't know anything about. I remember having troubles before the 4.3 supporting version was released, though.


Moving on to Dropline

I really think you should point out that Dropline is definitely not necessary, especially if you plan to use some other window manager (i.e. Fluxbox, XFCE) or desktop environment (KDE). Moreover, Dropline is not easy to get rid of once it's installed and if you try it you might mess up your system quite badly. I have succeeded twice in removing Dropline (see my posts here) but it was not obvious. I think a warning would be a Good Thing.


Time for a New Kernel

The symlink to /usr/src/linux do not have to be changed every time you upgrade your kernel, and some say that you should not do it. There is a discussion in the Kernel Compile Guide for 2.6.0 thread, starting at post 89 and going on to (at least) post 115. I have skipped changing the symlink my last ten upgrades or so without problems. The only thing was when I had to recompile the nVidia driver(s) - that installer needs to find the current kernel on your box, and it is looking for it in /usr/src/linux. Here the symlink is good. However, the conclusion in that discussion seems to be that it doesn't matter for Slack, so it might be a non-issue.


SSH, be vewy,vewy, quiet

Oh, I see that you have included my comment about Protocol 2; nice I don't know, but is it worth pointing out that some might have problems with this if they use a really old ssh version? Perhaps not, in that case they just got to upgrade!


Make it Scream/Get Things Crankin'

OK, first, this section has two names Next, should people really chmod -x rc.0 rc.4 rc.6 and so on, as I remarked above? It might get difficult


Slack-a-Mania

I couldn't find www.linuxpackages.net on your list there. That's a nice place. Also, I have another link for you: www.slackcare.com


Cheers!

Systematic-

Not to worry, your's is an easy problem. Open up /etc/X11/xorg.conf. Find the section that looks like this
and turn it into this
brm-

Let us know how it goes

Atko-

Yeah, I need to get around to the PDF thing. Any way to easily convert all of my html to PDF? On the broadband issue, I have broadband and Slackware automatically took care of everything for me. I read your other post, and I think that everyone is right about the issue being the USB. I never use USB network adapters since I couldn't get one working with Windows back in the day. Switch over to the Ethernet card and you should be golden.

Bebo-

I'll get to work on all of that except the kernel/symlink. I think people debate too much. You probably don't need the symlink and you probably don't need co copy .config to /boot/config, but the one time that it turns out that you did need those things, it really makes things easy. The people that debate this are usually like, "Hey this is what I did, and my computers not broke, so it must be the right way."

The tweak section, yeah, I gotta look that over. I was kinda tired and rambled on. Probably the worst section yet.

Thanks for all the advice. Looks right on. Thank, too, for the links. That slackcare sitye looks pretty good.

********Edit********
Wow, that section IS confusing in the Nvidia/ATI section. I'm really gonna have to re-write that. Hope dawizman doesn't mind. Also hope I can make it less confusing!!

Systematic-

Just checked out your screen shot. Looks nice. So the icons don't seem to be an issue. I think yuo have some kind of permissions problem, though. It looks like you don't have permission for your own home directory. Let us know if you need a hand with that.