HOME USER

From: Myles

System Setup And Configuration For The Casual Home User

This is meant to cover the prep work *before* install and what you need to do after install but *before* going online. I won't be going into firewalls or anything like that here, except to say you need to do this.

It is recommended that you read the other sections of the Steps site to help you understand everything you'll need to know. Pay particular attention to Partitions, Security, Swap, Recompiles and Ipchains.

Create separate partitions as follows: (assumes a separate HD for Linux)

 swap - 128MB <- if less than 64MB RAM
      -  80MB <- if greater than 64MB

 /  ~= 100MB <- doesn't need to be much larger

 /tmp

 /var

 /var/log (optional - separate drive is best)

 /usr

 /usr/local (optional)

 /home

 /opt

Keep your swap at the beginning of the drive for faster access. The next four (/, /tmp, /var and /var/log) are mainly for security [1]. The / partition should be kept fairly small (mine is 100MB); /var and /tmp can be larger (some software, e.g. XFCE, installs in /var). Everything else will make your life easier if you should ever have to do a reinstall later on.

NOTE: By *not* formatting your /usr/local, /opt and /home partitions during a re-installation, all your personal settings will remain as before the install and software installed in /opt or /usr/local will still be there as well. For a *first* install you should format everything.

When choosing your installation it is recommended that you do a *full* install and then remove individual packages (later) that you don't need. That way when you want to update your kernel, or even rebuild it to suit your needs, all the needed tools are guaranteed to be in place.

Follow through with the rest of the processes, setting up X, the root password and then the user(s) name(s) and password(s) - that would be *you* and anyone else you trust to be alone with your computer ;-)

----------------------------------------------------
----------------------------------------------------
!!WARNING!! Brain Fart in Progress. Ye gads, can't remember which comes next here in the install process but we can add it in...
----------------------------------------------------
----------------------------------------------------

Once you have rebooted your system after installing, login as "root" (you *do* remember that password, don't you?).

Except for work like you are about to do, you should *NEVER* use the "root" account!! I can't stress this enough. The "root" account is all-powerful, can do anything, run any operation. It can also damage your system if you don't know what you are doing or enter something in error.

After you've logged in as root, open your favorite text editor (I'll not get into a debate about which one is "best" <g>) and open /etc/inetd.conf. This file is where you can prevent a lot of unneeded services from starting.

Unless you are running a server you can comment out (place a # at the beginning of) each line.

All of them!! You don't need them, the more you have available, the greater the likelihood of a successful attack on your system. Or other systems *through* your system giving the impression that *you* initiated the attack. (This is a Bad Thing!(tm))

Here is a portion of /etc/inetd.conf for example:
--
<snip>
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
#finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd in.fingerd -u
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#systat stream  tcp     nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream tcp     nowait  nobody  /usr/sbin/tcpd  /bin/netstat --inet
#
# Authentication
#
#auth    stream  tcp     nowait  root    /usr/sbin/tcpd in.identd -t120
#swat    stream  tcp     nowait.400 root    /usr/sbin/tcpd swat
<snip>
--
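
The edit described above can be checked and applied with a short script. This is an added example, not part of the original page; the function names are hypothetical and the ftp/telnet/finger lines in the rehearsal are a constructed sample in inetd.conf format.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Print the service name (first field) of every line inetd would act on:
# anything that is not blank and does not start with '#'.
enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Comment out every active line in FILE, keeping the original as FILE.bak.
disable_all_services() {
    cp -p "$1" "$1.bak" || return 1
    sed 's/^\([[:space:]]*[^#[:space:]]\)/#\1/' "$1.bak" > "$1"
}

# Rehearsal on a constructed sample (not a real system file).
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample in inetd.conf format
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -u
EOF
    echo "enabled before: $(enabled_services "$f" | tr '\n' ' ')"
    disable_all_services "$f"
    echo "enabled after:  $(enabled_services "$f" | wc -l) service(s)"
    rm -f "$f" "$f.bak"
}

# "sh thisfile demo" runs the rehearsal. On the real system, as root:
#   enabled_services /etc/inetd.conf
#   disable_all_services /etc/inetd.conf && killall -HUP inetd
# (inetd rereads its configuration on SIGHUP).
if [ "${1:-}" = "demo" ]; then demo; fi
```

An empty result from enabled_services after the edit confirms that no line was missed.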

Next you need to disable Sendmail, Apache, NFS and anything else you do not need. Read the man pages (RTFM) to learn what it is *before* you disable it to avoid any problems later on.

If you look in the directory /etc/sysconfig/daemons/ you'll see files that indicate what is going to be started at boot time.

For example, the entry for Sendmail (mta) looks like this:
--
<snip>
# /etc/sysconfig/daemons/mta
#
# Warning!!
#The VARIANT variable specifies which kind of MTA to use (sendmail
#or smail). Do NOT edit this variable manually; please use
#COAS or run mta-switch.
#Documentation on mta-switch can be found in
#/usr/doc/mtabase-1.0/README
#
IDENT=MTA
DESCRIPTIVE="Mail Transfer Agent"
ONBOOT=yes
VARIANT="sendmail"
<snip>
--

Change the line from ONBOOT=yes to read: ONBOOT=no

Or, if you don't want to get your hands dirty, COAS | System | Daemons is where this can be done by unchecking some boxes.
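
To see which daemons are still set to start at boot and to switch one off from the command line, here is an added example (not part of the original page or of COAS). The function names are hypothetical, and it assumes every file in the daemons directory uses the KEY=value layout shown for mta above.

```shell
#!/bin/sh
# Added example, not part of the original page or of COAS.
# Assumes the KEY=value layout shown in the mta entry.

# Print "name<TAB>description" for each daemon still set to start at boot.
boot_daemons() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '^ONBOOT=yes' "$f" || continue
        desc=$(sed -n 's/^DESCRIPTIVE="\(.*\)"$/\1/p' "$f")
        printf '%s\t%s\n' "$(basename "$f")" "$desc"
    done
}

# Set ONBOOT=no for one daemon. Only that line is rewritten, so VARIANT
# and the rest of the file stay exactly as they were.
disable_at_boot() {
    f="$1/$2"
    [ -f "$f" ] || { echo "no such daemon file: $f" >&2; return 1; }
    t=$(mktemp) || return 1
    sed 's/^ONBOOT=yes/ONBOOT=no/' "$f" > "$t" && cat "$t" > "$f"
    rc=$?
    rm -f "$t"
    return "$rc"
}

# Rehearsal on a constructed directory holding a copy of the mta entry.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'IDENT=MTA' 'DESCRIPTIVE="Mail Transfer Agent"' \
        'ONBOOT=yes' 'VARIANT="sendmail"' > "$d/mta"
    echo "before:"; boot_daemons "$d"
    disable_at_boot "$d" mta
    echo "after: $(boot_daemons "$d" | wc -l) daemon(s) start at boot"
    rm -rf "$d"
}

# "sh thisfile demo" runs the rehearsal. On the real system, as root:
#   boot_daemons /etc/sysconfig/daemons
#   disable_at_boot /etc/sysconfig/daemons mta
if [ "${1:-}" = "demo" ]; then demo; fi
```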

At this point, you can reboot (or killall each of the processes you just disabled above).

Next, you should recompile your kernel following the steps outlined on the Steps site. You are recompiling to enable ip-firewalling, so when you're done with the kernel you can proceed to the IP-Chains page to set up your firewall.

Then go on to setup ppp and diald or kppp. Do *NOT* go online yet.

After your setup is done and you've configured things to your liking, *back up your system* (for home use, one (1) copy should be enough).

You can now go online with little chance (see disclaimer) of someone cracking into your system.

It is your responsibility to keep your system up-to-date with the security announcements found at the Calderasystems web site. Obviously if you aren't running something like FTP you won't want (or need) to update it.

[1] - recommended reading:
 SAMS; Maximum Linux Security, by Anonymous
 And the list goes on.....
