This document attempts to explain how to install RedHat Linux 7.2 on a workstation over the UNC Campus network while keeping security in mind. It is meant for novice Linux users who know some basic commands and can edit files, compile software, etc. It is a reference guide to help the user lock down a workstation, and should not be used as the only source for a system that requires a greater level of security, such as a confidential database server. You should also make sure that you do NOT leave your system connected to the network until you have sufficiently secured it. After the install you can run the following command:
ifdown eth0 (where eth0 is your ethernet device)
to disable your network connection until you can lock everything down.
You can run:
to restore your connection after you are secure.
First you will need to format a floppy disk so you can write a clean boot image.
In order to write the image (from Windows 9x) you will need to download rawrite.exe (here). Note that if you are using Windows NT, 2000, or XP you will need to download ntrw.exe available here. There are many mirrors for RedHat distributions, but since ibiblio.org is on the UNC campus, you will get a much faster connection by downloading your materials from there.
For the FTP or HTTP install you will need to download the bootnet.img file:
Note that for a laptop you will want to download the pcmcia.img (here) file.
After writing the image to the floppy disk with rawrite (or ntrw), insert the disk into your target machine and power it up. For more information on system installation and using rawrite/ntrw, read the Installation HOWTO at http://www.linuxdoc.org.
Beginning the Installation
Type ‘text’ to begin the install (text-only for FTP and HTTP installs).
Select ‘English’, ‘us’ keyboard, then choose FTP or HTTP.
If you are using DHCP, leave it checked (the default). If you already have an IP address reserved (and registered with DNS, email@example.com) then you should fill in your IP address. Your default gateway and netmask will vary based on the subnet of your IP address.
You will then have to point the installer to the correct FTP server (in this case, distro.ibiblio.org) and the directory that contains the installation images (currently, /pub/Linux/distributions/redhat/current/en/os/i386).
Choosing the generic two-button PS/2 mouse and choosing to emulate 3 buttons gives you greater flexibility with the mouse, as you can assign a number of tasks to the “third button”, which is simulated by clicking both the right and the left buttons simultaneously.
Pick the ‘Custom Installation’ as this will allow you to put on only what you need, or may need in the near future. RedHat has already tailored certain setups with the “Workstation” and “Server” options, but choosing Custom gives you a greater variety and more choices when you install your system.
Note that this is the portion of the install that will vary greatly among different users. You will find after installing RedHat Linux several times that you may want to add or remove things from your installation packages based on your usage (or lack thereof) in the past. The custom package set described here is an example of a typical setup on a desktop machine for general use and research.
Next you will need to choose how your hard drive gets partitioned. This is the first step in securing your machine. You want to choose separate partitions for important files on your system. In order to manually do this, select “Disk Druid” as it’s a little friendlier than FDisk and gives you more flexibility than the Auto-Partition scheme. Again, this section will vary depending on the size of your hard drive and where you want to store your data.
For a fresh install, delete all the current partitions by selecting the partition and hitting F4. You then select your primary drive (usually hda1, but a SCSI drive will report sda1) and hit F2 to create a new partition.
Historically, you need twice the amount of Swap space as you have RAM (e.g. 32Mb of RAM, 64Mb of Swap space). However, with today’s systems having faster processors, abundant hard drive space, and incredibly cheap RAM, this is not as important. You may follow the convention of creating a Swap space by tabbing down to “Filesystem Type”, selecting “Swap” and entering your allotted space.
Note that if you are installing a system for the first time, it’s best to check “Check for bad blocks”. This will dramatically increase the partitioning time, but it will repair or skip any damaged sectors on the drive.
Create a boot partition that’s about 10Mb, which will hold the kernel and other files required for booting. You can have a smaller slice than 10Mb, though don’t go too far below 5Mb.
Make a / directory which will store just about everything for the system, so you’ll want that to be quite large.
Finally, create a /home partition which will store most of your data files and any other user documents and settings. Select fill remaining space for this partition and reserve a significant portion of your drive for this slice as well. This partition comes in handy if you ever have to reinstall or upgrade because your user data does not have to be touched by the installer if you choose to save this partition on a subsequent install.
Completing the Installation
After partitioning, choose to install the Grub boot loader, and have it install on the Master Boot Record (MBR).
A few screens later (after accepting the defaults, making sure to select Shadowed and MD5 passwords), choose a Grub password, which will improve the physical security on the machine. Note that this password can be bypassed with a boot floppy, so you may wish to disable the floppy drive’s ability to boot the machine in the BIOS. The most secure machines will also have a BIOS password, though take extra caution not to forget this password.
You will then need to select the hostname of your machine. This is only the part before your subnet. For example, the hostname for a machine can be ‘myhost’ though the fully qualified domain name will be myhost.xxx.unc.edu.
You then must decide if you want to install a personal firewall for your system. One option is to select no firewall, then use a packet filter like IPTables to control network traffic in and out of the system. The installer’s firewall provides a basic level of security and is itself based on IPTables, but you can get so much more by writing your own customized rules.
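One way to write the customized rules mentioned above, as an added example that is not part of the original guide: a shell function that prints a default-deny inbound ruleset in the format iptables-restore reads. The function name, the optional trusted-subnet argument and the 192.0.2.0/24 documentation range are assumptions for illustration.

```shell
#!/bin/sh
# Added example: print a workstation ruleset in iptables-save format.
# Usage (as root): workstation_rules 192.0.2.0/24 | iptables-restore
# 192.0.2.0/24 is a documentation range standing in for a trusted subnet.

workstation_rules() {
    trusted_net="$1"   # optional source address/CIDR allowed to reach sshd

    # Accept only digits, dots and at most one "/" so the argument cannot
    # smuggle extra options or rules into the generated ruleset.
    if [ -n "$trusted_net" ]; then
        case "$trusted_net" in
            *[!0-9./]*|*/*/*|/*|*/)
                echo "bad address: $trusted_net" >&2
                return 1 ;;
        esac
    fi

    echo "*filter"
    # Default policy: drop inbound and forwarded packets, allow outbound.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Local processes talking to each other over loopback.
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections this workstation opened itself.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Inbound SSH only when a trusted source was given, and only from it.
    if [ -n "$trusted_net" ]; then
        echo "-A INPUT -p tcp -s $trusted_net --dport 22 -m state --state NEW -j ACCEPT"
    fi
    # Rate-limited log entry for whatever is about to hit the DROP policy.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix iptables-drop:"
    echo "COMMIT"
}
```

Called with no argument, the function opens no inbound ports at all, which suits a workstation that only makes outgoing connections.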
Choose to install your appropriate language support and time zone.
Next you must create a *good* root password, at least 8 characters (preferably more) with a mixture of letters, numbers, and other ASCII characters (e.g. @, !, %, etc.). See our document Choosing an Effective Password.
Then create a normal user account that you will use most of the time for your normal activities. Make sure that you create a good password for this account as well.
Select the default selections for the next few screens until you get to the Package Group Selection prompt. This is where you will select the packages you want on your system.
After everything installs, you will need to configure X Windows with the correct settings for your video card and monitor. You may also wish to NOT make the default login graphical, in case you have problems getting X to run. You can start X after you log in at the text prompt by typing ‘startx’.
Now that you have successfully installed Red Hat Linux, you need to work on security. Continue on with our document Securing a Linux Workstation.
If you would like a vulnerability scanner run on your machine on-campus, the ITS Security office will be happy to send you a report. Please email us at firstname.lastname@example.org for a scan request or for any questions.