Configuring and Securing Slackware

Introduction

     I always wanted to write a page about the various things I do with Slackware, so here goes.  Mainly this will be a list of tips and tricks that I've learned while using Slackware Linux (started using it at version 9).  I will detail how and why I do certain things while setting up a new Slackware installation (although personally I haven't needed to do such a thing in a while, based on whether I do something dumb or not).

After The Install

     After installing, but before rebooting, you might've noticed that the soon-to-be root ("/") partition is mounted on /mnt.  Many of the configuration steps I describe below can just as easily be done at this point, before the first reboot.  If you do them now, remember to put /mnt in front of the file names: /etc/lilo.conf becomes /mnt/etc/lilo.conf if you're configuring before you reboot into your Slackware install.

Configuring Inetd

     This is very important from a security standpoint.  Inetd is the "super-server" that listens on the network and launches other services on demand, and through the hosts.allow and hosts.deny files below (the TCP wrappers access control that Inetd consults) it lets you filter which hosts (i.e. computers) can access which services (i.e. ports / servers) on your system.  First there is /etc/inetd.conf.  This is the file that controls which servers and services are available at all, but only for services that Inetd itself launches.  I prefer not to add anything to this configuration; instead I comment out everything unless it's needed and I know what it is.
     Next, there is /etc/hosts.allow.  This should have a line "ALL: 127." which means "allow my own computer to talk to itself" (a pattern ending in a dot matches every address that starts with it).  Trust me, you should add that line.  After that, you can add any servers you want.  I usually allow others to have OpenSSH (secure shell) accounts on my system, so I set that up per host name or IP address as "sshd: 24.68.39.58" or whatever.  Then, one per line, I can add more, like "sshd: friend2.ip.com" or whatever.
     Lastly there is /etc/hosts.deny.  This should be set to "ALL: ALL", meaning "don't let anyone else in besides what's in hosts.allow".  Because hosts.allow is consulted first and hosts.deny second, the two files together give you a default-deny policy for every service that goes through the wrappers, which can keep your system rather secure.
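To see what these two files actually decide for a given client before you rely on them, here is an added example (not the author's script) that emulates the basic hosts.allow / hosts.deny lookup order in plain sh on constructed copies of the files.  It handles only the ALL keyword, exact names, trailing-dot network prefixes and leading-dot domain suffixes; on a live system the real tool for this check is tcpdmatch(8).

```shell
#!/bin/sh
# Added example: emulate the tcp_wrappers decision for one daemon/client pair.
# hosts.allow is consulted first (a match allows), then hosts.deny (a match
# denies); if nothing matches the connection is ALLOWED, i.e. default open.
# Handles ALL, exact names, "127." prefixes and ".example.com" suffixes only.

# match_pattern PATTERN VALUE -> 0 if the wrappers pattern matches VALUE
match_pattern() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot: network prefix
    .*)  case "$2" in *"$1") return 0 ;; esac ;;   # leading dot: domain suffix
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if a "daemon_list: client_list" line matches
file_matches() {
  sed 's/#.*//' "$1" | (
    while IFS=: read -r dlist clist _; do
      for d in $dlist; do
        match_pattern "$d" "$2" || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
          match_pattern "$c" "$3" && exit 0
        done
      done
    done
    exit 1
  )
}

# wrap_decision DAEMON CLIENT ALLOWFILE DENYFILE -> prints ALLOW or DENY
wrap_decision() {
  if file_matches "$3" "$1" "$2"; then echo ALLOW
  elif file_matches "$4" "$1" "$2"; then echo DENY
  else echo ALLOW; fi   # nothing matched: the wrappers let it through
}

# Constructed sample files mirroring the article's configuration.
demo=$(mktemp -d)
printf 'ALL: 127.\nsshd: 24.68.39.58\nsshd: friend2.ip.com\n' > "$demo/hosts.allow"
printf 'ALL: ALL\n' > "$demo/hosts.deny"
# check: both files in place; check_no_deny: hosts.deny empty ("ALL: ALL" is what closes the door)
check() { wrap_decision "$1" "$2" "$demo/hosts.allow" "$demo/hosts.deny"; }
check_no_deny() { wrap_decision "$1" "$2" "$demo/hosts.allow" /dev/null; }
check sshd 24.68.39.58        # ALLOW
check in.telnetd 24.68.39.58  # DENY: only sshd is opened to that host
check_no_deny sshd 10.0.0.5   # ALLOW: with no hosts.deny the default is open
```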

Configuring The Filesystem

     Usually this is done, but I add slight modifications, and also add lines for other things.  I'll detail them.
     First, any and all partitions using the Reiser file system include "notail", which prevents any possible problems with using LILO.  You can read up on this using "man mount".
     Second, all true filesystems (as opposed to /sys and /proc, which are not technically "real" filesystems) get "noatime" option, which increases speed slightly because it prevents the filesystems from having to update the "last access time" date every time a file is used.
     Third, I make sure that the cdrom uses the "user" option rather than the "owner" option.  This allows almost any user to mount and unmount the cdrom.  Be warned, I do this on my own home system.  I would not do it on a public system.
     Lastly, I add a line for my USB memory stick: "/dev/sda1 /mnt/sda1 vfat noatime,user,noauto,sync,rw".  The sync option makes sure all writes are synchronous (i.e. written to the stick immediately rather than cached).  That way, if something were to happen, I can yank the stick out without worrying that cached data never made it to the device.  Also, the "noauto" option means "don't mount this at boot time".

Configuring User And File Permissions

     There are some minor touches I make to user groups and file permissions.  First, so that users I add to the "disk" group can mount filesystems such as floppy disks, CDs, and USB memory sticks, I make sure all the proper mount-point directories in /mnt exist (like the one for my USB memory stick, see above) and that they are owned by the disk group (except for /mnt/cdrom, which needs to be owned by the cdrom group).  These two groups, cdrom and disk, let me add users to them or not, based on their need (or lack thereof) to mount and unmount these filesystems.

Configuring LILO

     Next I tailor LILO.  First, I add the "compact" option to the top.  Second, I remove the append="" line at the top (where it makes itself global, i.e. applies to all kernel boot image options).  Instead I use a per-kernel append (mainly because there are 2.6.x linux kernel options that do not apply to 2.4.x kernels, and because 2.4.x needs ide-scsi for IDE CD-RW drives but it interferes with 2.6.x kernels).  Lastly, I add a default="Linux" line and make sure that the kernel boot image I want to be the default is using that label, etc.

Hotplug And Device Modules

     By default, hotplug has a blacklist that controls which kernel modules it will and will not load automatically at boot time.  This is found in /etc/hotplug/blacklist.  I add kernel modules that I don't want loaded at boot (i.e. automatically), such as snd-intel8x0m, intelfb, and eth1394, to this list.  Another thing worth knowing is that after a reboot you might find insmod errors in /var/log/syslog or /var/log/messages about certain modules refusing to load.  This is usually because hotplug thinks you have a device the module supports, but the module won't load due to hardware issues or the device not actually existing (or the module not being able to find it).  This is normal and shouldn't cause problems, but to make hotplug behave better, I go through the logs, find modules that won't auto-load (for whatever reason), and blacklist them as well.
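Here is an added example (not the author's script) of that log pass automated in sh: it pulls the names of modules that failed to load out of a syslog and prints only the ones not already in /etc/hotplug/blacklist.  The two message formats it matches, and the sample log lines, are constructed assumptions based on modutils (insmod) and module-init-tools (modprobe) output; compare them with your own /var/log/messages before trusting the result.

```shell
#!/bin/sh
# Added example: find modules that hotplug tried and failed to load, and
# report the ones not yet listed in the hotplug blacklist (one name per line,
# '#' comments allowed).  Review the output by hand before appending it:
# a module that fails because of a transient hardware problem is not a
# blacklist candidate, one that fails with "No such device" usually is.

# failed_modules LOGFILE -> unique names of modules whose insertion failed.
# The two formats are assumptions: module-init-tools "modprobe: FATAL: Error
# inserting NAME (PATH): REASON" and modutils "insmod: PATH/NAME.o: init_module: REASON".
failed_modules() {
  sed -n \
    -e 's|.*modprobe: FATAL: Error inserting \([^ ]*\) (.*|\1|p' \
    -e 's|.*insmod: .*/\([^/]*\)\.o: init_module: .*|\1|p' \
    "$1" | sort -u
}

# blacklist_additions LOGFILE BLACKLIST -> failed modules absent from BLACKLIST
blacklist_additions() {
  failed_modules "$1" | while read -r mod; do
    grep -qx "$mod" "$2" || echo "$mod"
  done
}

# Constructed sample log (two boots, one 2.6.x and one 2.4.x kernel, made-up
# hostname and versions) and a blacklist that already contains intelfb.
demo=$(mktemp -d)
cat > "$demo/messages" <<'EOF'
Mar  3 10:01:02 lap kernel: e100: Intel(R) PRO/100 Network Driver
Mar  3 10:01:03 lap modprobe: FATAL: Error inserting intelfb (/lib/modules/2.6.13/kernel/drivers/video/intelfb/intelfb.ko): No such device
Mar  3 10:01:04 lap modprobe: FATAL: Error inserting intelfb (/lib/modules/2.6.13/kernel/drivers/video/intelfb/intelfb.ko): No such device
Mar  4 09:12:31 lap insmod: /lib/modules/2.4.31/kernel/sound/pci/snd-intel8x0m.o: init_module: No such device
EOF
printf '# modules hotplug must not load at boot\nintelfb\n' > "$demo/blacklist"

blacklist_additions "$demo/messages" "$demo/blacklist"   # prints: snd-intel8x0m
```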

Startup Scripts And Servers

     If you look at /etc/rc.d/* you will find startup scripts for various system services.  Note: for some, the script only controls whether they load at boot time (i.e. you can have them not load and then load them manually later).  However, do NOT tamper with any that you are unsure of, especially not rc.0, rc.6, rc.4, rc.M or rc.K.  Me, I make sure (at least before rebooting) that I shut off rc.httpd (rc.apache), rc.nfsd, rc.sshd, rc.pcmcia, rc.serial, rc.wireless, etc.  If I don't need it during the first boot, it's disabled.  After that I might enable some.
     NEW: I found that if you edit /etc/rc.d/rc.inet1.conf you can control the DHCP timeout value for any network device in that file.  Just set DHCP_TIMEOUT[X]=YY, where X is the number of the ethernet device (eth1 = 1, eth0 = 0, etc) and YY is the timeout you want, in seconds.  This can help prevent Slackware from taking excessive time starting up due to a disconnected network device for which USE_DHCP[X]="yes".
     As for modules that load during boot, these are part of hotplug (the plug'n'play server in linux, basically).  However, there is a rc.modules script that loads other modules.  You might want to look through that.  Me, I comment out agpgart and ide-scsi because I don't need these for my 2.6.x kernel.
     As for rc.local, this is where you can add your own commands that run as part of startup.  I usually put an entry in there to clean out /tmp and to put my laptop Pentium-M into On Demand mode (where CPU frequency is based on load: "echo ondemand > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor").  You can try out my script if you want.

Updates

     No operating system is perfect.  If you look on a Slackware mirror, you will see a directory where updates go, namely slackware-13.1/patches/packages.  I usually create an rsync script for this so that I can have it periodically grab any updates for Slackware.

Securing X.org

     One of the only things I do to the X.org system is edit /usr/X11R6/bin/startx and add the "-nolisten tcp" option to the serverargs= parameter.  This prevents the X server from listening for connections over TCP; local clients still connect through the Unix socket.

Removing Unnecessary Programs

     One thing you should do is remove unnecessary programs and services.  For example, you cannot remove the tcpip package, but you should consider deleting the rlogin/rftp/rcp/rsh programs located in /usr/bin to keep your system more secure; remove sendmail if you do not require a mail server, etc.

Add The Firewall

     Then I add my own custom firewall to /etc/rc.d/rc.firewall and make sure whatever script is calling this file ("grep rc.firewall /etc/rc.d/*") uses the "start" option, as I have mine set up with case...esac logic for whatever option is used to launch it.  There are start, restart, stop, and panic options in mine.
     Mainly this file is a stateful firewall: it lets replies to connections this machine started back in and drops unsolicited inbound traffic.  This is usually enough for home users.
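As an added example (not the author's own rc.firewall, which the article does not reproduce), here is a minimal stateful iptables firewall with the start/stop/restart/panic case...esac interface the text describes.  It assumes iptables with the state match is available; the ALLOW_TCP list (sshd only) is an assumption you should adjust, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall -- added example of a small stateful firewall for a
# single home machine.  Called with "start" by the rc script that invokes it.
IPT=${IPT:-/usr/sbin/iptables}   # IPT=echo prints the rules instead of loading them
ALLOW_TCP=${ALLOW_TCP:-22}       # inbound TCP ports to expose (assumption: sshd)

flush() { $IPT -F; $IPT -X; }

start() {
  # Set default-deny policies before flushing so no window of ACCEPT opens.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  flush
  $IPT -A INPUT -i lo -j ACCEPT
  # The stateful part: replies to connections this host started come back in,
  # anything that is not part of a known connection falls through to DROP.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m state --state INVALID -j DROP
  for port in $ALLOW_TCP; do
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # Log (rate limited) what is about to hit the DROP policy, for later review.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "rc.firewall drop: "
}

stop() {
  # Remove all rules and fall back to the kernel default: wide open.
  flush
  $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}

panic() {
  # Drop everything in both directions except loopback traffic.
  flush
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
}

case "$1" in
  start)   start ;;
  stop)    stop ;;
  restart) stop; start ;;
  panic)   panic ;;
  *)       echo "usage: $0 {start|stop|restart|panic}" ;;
esac
```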

Custom Module Loading Options

     Next I edit /etc/modprobe.conf.  This file allows you to give modules load-time options.  Options, you say?  To find out if a module has options you can configure, run "modinfo psmouse" where psmouse is the name of the module.  I found that this helped me find and set a nice option for my laptop's ALPS touchpad.  To set options you basically use a line similar to "options psmouse proto=exps".  The "options" means "hey, this is an option", "psmouse" is the module, and "proto=exps" is the option and the value you want.

Assigning Device Nodes To Network Cards Using Udev (OBSOLETE)

     Slackware 10.2 and later use the udev daemon.  Basically, this loads modules and assigns their device nodes in /dev automatically.  However, sometimes you want a specific network card to be assigned to a specific device node, in which case, if you look in /etc/udev/rules.d/network-devices.rules, you will see:

#KERNEL=="eth?", SYSFS{address}=="00:0f:7b:4b:47:17", NAME="eth0"
#KERNEL=="eth?", SYSFS{address}=="00:0f:35:3c:92:cb", NAME="eth1"

     Basically, this is where udev put a helpful configuration.  It detected two network cards and assigned them, and also wrote out (commented) rules pinning which device node each gets.  For example, when I booted, my wireless card was eth0 and my ethernet card was eth1.  If I uncomment the lines above, however, my wireless card becomes eth1 and my ethernet card eth0.  If you are not sure which is which, look at the MAC addresses of the ethernet cards and write a line of this form:

KERNEL=="eth?", SYSFS{address}=="MAC ADDRESS", NAME="DEVICE NODE"

Configuring XFCE / Thunar

    See this article I wrote on how to configure Thunar and XFCE in general to make it more "homely".

The Sky Is The Limit

     This is just an example of the types of things I do.  There's an old saying that goes "Give a man a fish, feed him for a day.  Teach a man to fish, feed him for a lifetime".  The idea is that you need to go and read if you have questions.  Unlike Windows, Linux distributions ship with a lot of documentation.  In Slackware you can find it by using "man rm" where "rm" is the name of the program you want to read the manual of.  Also, there's the /usr/doc/* area, which has a subdirectory for each program that is installed.  This is the documentation that came with each program.  There is also /usr/doc/Linux-HOWTOs, which collects the documentation from The Linux Documentation Project.  They are a wealth of information.  Teach yourself to fish now :D.
