....how do I stay secure?
Do I check some site where all security-related bugs are posted, or do I run some BSD-style "portaudit" command that lists all affected packages?
Is it divided....you update the OS in some way (usually a very hard way, at least in the BSD-world, for a newbie) and you update packages in a much simpler way, or do you update the whole thing at once?
System is up and running now and everything looks nice...I just need to know how to stay secure. Before, when I ran OpenBSD, it was very simple....just check some site once every few months and see that "oh, one new vulnerability since last time I checked, but this one doesn't affect me either, nice" and that was it.
Guess it's not exactly the same in Linux, and I need to take more care...I guess...
Thanks
EDIT: Maybe I should add that I run a base-install server with no X.
Offline
....how do I stay secure?
Is it divided....you update the OS in some way (usually a very hard way, at least in the BSD-world, for a newbie) and you update packages in a much simpler way, or do you update the whole thing at once?
Archlinux updates the whole thing at once.
While there are many linux-es that have release cycles and mainly have security/bugfixes between releases, Arch uses what is called The Rolling Release System.
Usually there is no distinction between normal and security updates, except security fixes tend to be implemented very fast by devs, often within 1 or 2 days (sometimes even hours) after upstream released a fix.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Offline
Ok, so I just run "pacman -Syu" like once a month or so, and I'll always be updated? I mean, there won't be a time where things get upgraded so much that I need to rebuild the whole kernel or do some very advanced stuff, it's always just this simple command to run???
Sounds way too good to be true, so I don't believe it
Gotta try running it now and see what happens....haven't upgraded anything since install of 0.7.2 a few days ago.
Offline
Ok, so I just run "pacman -Syu" like once a month or so, and I'll always be updated? I mean, there won't be a time where things get upgraded so much that I need to rebuild the whole kernel or do some very advanced stuff, it's always just this simple command to run???
Sounds way too good to be true, so I don't believe it
Gotta try running it now and see what happens....haven't upgraded anything since install of 0.7.2 a few days ago.
At most you will have to edit config files sometimes to keep up with changing technologies, but if anything important needs to be done you will be told when you install or upgrade.
Offline
Does this look good? Am I supposed to upgrade/remove all of this?
Scary shit
pacman -Syu
:: Synchronizing package databases...
connect: Connection timed out
error: cannot connect to ftp.ds.hj.se
current [################] 100% 68K 26.1K/s 00:00:02
error: anonymous login failed
Control socket read failed: Success
extra [################] 100% 224K 52.7K/s 00:00:04
:: Replace mkinitrd with mkinitcpio from "current"? [Y/n] Y
Remove: mkinitrd
Targets: klibc-extras-2.1-1 mkinitcpio-0.5.7-1 binutils-2.17-1 coreutils-5.97-1
dialog-1.0_20060221-1 e2fsprogs-1.39-1 filesystem-0.7.2-5
freetype2-2.2.1-3 gettext-0.14.6-2 kernel-headers-2.6.18-3 glibc-2.4-4
groff-1.19.2-1 gzip-1.2.4b-4 initscripts-0.7.2-9 kernel26-2.6.18-5
klibc-1.4.29-1 klibc-udev-101-1 libpcap-0.9.5-1 lilo-22.7.3-1
m4-1.4.7-1 man-pages-2.39-1 mkinitrd-1.01-31 openssl-0.9.8d-1
ppp-2.4.4-3 rp-pppoe-3.8-1 shadow-4.0.18.1-2 sysfsutils-2.1.0-1
udev-101-1 vim-7.0.118-1 xfsprogs-2.8.10-1
Total Package Size: 58.8 MB
Proceed with upgrade? [Y/n] Y
:: Retrieving packages from current...
connect: Connection timed out
error: cannot connect to ftp.ds.hj.se
klibc-extras-2.1-1 [################] 100% 31K 10.7K/s 00:00:02
mkinitcpio-0.5.7-1 [################] 100% 11K 7.9K/s 00:00:01
.
.
.
.
and so on and so on
Offline
Yes, looks reasonable, just make sure to read the output to check for messages.
Offline
Are there often security holes discovered, since Arch is developed as it is (everything is current) and also quite new from what I've understood?
I mean, if I only have port 22 and 80 open to it, ssh and Apache/PHP, do I need to do this often?
I don't like updates like this, it's scary
Offline
Above paste continues like this after all is downloaded. Hope it's all ok....
checking package integrity... done.
removing mkinitrd...
warning: /etc/mkinitrd.conf saved as /etc/mkinitrd.conf.pacsave
done.
loading package data... done.
checking for file conflicts... done.
upgrading klibc-extras... done.
upgrading mkinitcpio... done.
upgrading binutils... done.
upgrading coreutils... done.
upgrading dialog... done.
upgrading e2fsprogs... done.
upgrading filesystem...
warning: extracting /etc/fstab as /etc/fstab.pacnew
warning: extracting /etc/group as /etc/group.pacnew
warning: extracting /etc/gshadow as /etc/gshadow.pacnew
warning: extracting /etc/ld.so.conf as /etc/ld.so.conf.pacnew
warning: extracting /etc/passwd as /etc/passwd.pacnew
warning: extracting /etc/shadow as /etc/shadow.pacnew
done.
adding new group: network
upgrading freetype2... done.
upgrading gettext... done.
upgrading kernel-headers... done.
upgrading glibc... done.
==> ATTENTION INTERNATIONAL USERS:
==>
==> Locales are no longer included in the glibc package.
==> They are generated by /usr/sbin/locale-gen depending on the contents
==> of /etc/locale.gen.
==> glibc will try to autodetect the required locales now, if you need
==> additional locales, please enable them in /etc/locale.gen and run
==> /usr/sbin/locale-gen
==>
Generating locales...
Generation complete.
upgrading groff... done.
upgrading gzip... done.
upgrading initscripts...
warning: extracting /etc/rc.conf as /etc/rc.conf.pacnew
warning: extracting /etc/rc.local as /etc/rc.local.pacnew
done.
upgrading kernel26... done.
>>>
>>> If you use the LILO bootloader, you should run 'lilo' before rebooting.
>>>
>>> --------------------------------------------------------------
>>> | WARNING: |
>>> |mkinitrd is not supported anymore in kernel >=2.6.18 series!|
>>> | Please change to Mkinitcpio setup. |
>>> --------------------------------------------------------------
>>>
>>> Updating module dependencies. Please wait ...
>>> MKINITCPIO SETUP
>>> ----------------
>>> Please change your bootloader config files:
>>> Grub: /boot/grub/menu.lst | Lilo: /etc/lilo.conf
------------------------------------------------
| - initrd26.img to kernel26.img |
| - initrd26-full.img to kernel26-fallback.img |
------------------------------------------------
>>> If you use LVM2, Encrypted root or software RAID,
>>> Ensure you enable support in /etc/mkinitcpio.conf .
>>> More information about mkinitcpio setup can be found here:
>>> http://wiki.archlinux.org/index.php/Mkinitcpio
>>> Generating initial ramdisk, using mkinitcpio. Please wait...
:: Begin build
:: Parsing hook [base]
:: Parsing hook [udev]
:: Parsing hook [autodetect]
:: Parsing hook [ide]
:: Parsing hook [scsi]
:: Parsing hook [sata]
:: Parsing hook [filesystems]
:: Generating module dependancies
:: Generating image '/boot/kernel26.img'...SUCCESS
:: Begin build
:: Parsing hook [base]
:: Parsing hook [udev]
:: Parsing hook [ide]
:: Parsing hook [scsi]
:: Parsing hook [sata]
:: Parsing hook [usbinput]
:: Parsing hook [raid]
:: Parsing hook [filesystems]
:: Generating module dependancies
:: Generating image '/boot/kernel26-fallback.img'...SUCCESS
upgrading klibc... done.
upgrading klibc-udev... done.
upgrading libpcap... done.
upgrading lilo...
warning: extracting /etc/lilo.conf as /etc/lilo.conf.pacnew
done.
If you use the LILO bootloader, you should run 'lilo' after upgrading.
upgrading m4... done.
upgrading man-pages... done.
installing mkinitrd... done.
upgrading openssl... done.
upgrading ppp... done.
upgrading rp-pppoe... done.
upgrading shadow... done.
Fixing gshadow file ...
upgrading sysfsutils... done.
ATTENTION UDEV:
----------
udev >=098 rules syntax has changed, please update your own rules.
udev >=099 Added persistent network and CD/DVD Symlink generator rules.
Please read the instructions carefully before reboot.
They are located in /etc/udev/readme-udev-arch.txt
----------
upgrading udev... done.
upgrading vim... done.
Updating vim help tags...done.
upgrading xfsprogs... done.
I don't know what these locales are???
And what do I need to change in my grub config-file???
Don't know about these udev-rules that have changed either???
Offline
Concerning grub: change your initrd26 line into "/kernel26.img".
You can configure your locales by uncommenting them in /etc/locale.gen and running locale-gen afterwards.
Then change locale inside /etc/rc.conf and /etc/profile and you're all set.
Offline
In grub change initrd26.img to kernel26.img on the kernel line. As for locales, go into /etc/locale.gen and uncomment the ones you want (I have en_GB.utf8: English, Great Britain), then run locale-gen as root and all should be fine.
Offline
Oh noes, something seems to be wrong. I shut it down and started again just to make sure it would boot after the update, and now it's been stuck somewhere at boot for minutes, working a lot on the hard drive
EDIT: Ok, maybe should have changed that grub-stuff before reboot then.
Oh well, I'll have to reinstall all shit again. Don't think I'll update system anymore though...miss a tiny change in some config (which doesn't even say WHAT and HOW to change) and it won't boot properly anymore
Better just update ssh and Apache/PHP since that's all I'm really using and that is open outwards.
Offline
You don't have to install new and go through it all again. If you want to, fine
But if not: boot with your archlinux cd into your system (look at the info texts that are presented from the cd on booting it) and when you are in your system, edit /boot/grub/menu.lst and reboot
Offline
You don't have to install new and go through it all again. If you want to, fine
But if not: boot with your archlinux cd into your system (look at the info texts that are presented from the cd on booting it) and when you are in your system, edit /boot/grub/menu.lst and reboot
Means I'll have to shut it down on the power button, and from what I've heard Linux doesn't like that as much as Windows does.
I think I'll reinstall this shit a third time, then try not to touch it at all (or just update ssh and Apache/PHP if security holes are found).
Thanks for the help anyway, you guys are great
You should have been built into Arch, giving these comments before something bad happens....not just saying "change grub-config" but saying "change grub-config like this BEFORE YOU REBOOT" !!!
Offline
If you're going to reinstall, you should probably grab one of the newer ISOs. Here's a great thread about it: New ISOs for i686
Basically there have been a bunch of major changes since the 0.7.2 iso and these are what caused you some issues. For the most part, once you get used to Arch's way, you'll find that it's hardly ever an issue to do a "pacman -Syu" even on a daily basis. For major changes, it's always good to check the news on the homepage, or here in the forums as you can usually figure out what needs to be done before you run into problems.
Offline
Means I'll have to shut it down on the power button, and from what I've heard Linux doesn't like that as much as Windows does.
Linux does that better than Windows ever did
You also could press just ctrl+alt+delete or type "reboot".
I think I'll reinstall this shit a third time, then try not to touch it at all (or just update ssh and Apache/PHP if security holes are found).
As mentioned above you don't have to do this. Look here: http://wiki.archlinux.org/index.php/Res … oot_loader
1) prompt comes up, boot with the CD's kernel, but specify the root partition to boot from:
2) Once inside your new system, you can install a bootloader just as if you had successfully booted into your main system.
3) If you're fixing GRUB, edit /boot/grub/menu.lst if you need to. If you need to re-install GRUB entirely, use the install-grub script:
# install-grub /dev/hda
Thanks for the help anyway, you guys are great
You should have been built into Arch, giving these comments before something bad happens....not just saying "change grub-config" but saying "change grub-config like this BEFORE YOU REBOOT" !!!
I think the message that pacman gave you after successful upgrade has done this already
cheers,
deTTo
Offline
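What the replies above describe (reading pacman's messages before rebooting), as an added example that is not part of any post in this thread: a shell script that turns a saved upgrade transcript into a checklist of config files to merge, package notices, and boot-critical packages. The saved-transcript file and the list of boot-critical package names are assumptions; the sample lines are a shortened, constructed copy of the output pasted earlier.

```shell
#!/bin/sh
# Added example: turn a saved "pacman -Syu" transcript into a pre-reboot checklist.
# Assumption: the admin saved the output, e.g.  pacman -Syu 2>&1 | tee upgrade.log

# Config files pacman left beside the live ones (.pacnew) or kept on removal (.pacsave).
pending_configs() {
    awk '/^warning: / && $NF ~ /\.pac(new|save)$/ { print $NF }' "$1"
}

# Packages touched that can stop the machine from booting.
# The name list is an assumption drawn from the packages seen in this thread.
boot_critical() {
    awk '/^(upgrading|installing|removing) / {
        pkg = $2; sub(/\.\.\..*$/, "", pkg)
        if (pkg ~ /^(kernel26|mkinitcpio|mkinitrd|grub|lilo|udev)$/) print pkg
    }' "$1"
}

# Post-install messages printed by packages ("==>" / ">>>" lines that carry text).
package_notices() {
    awk '/^(==>|>>>) *[A-Za-z]/ { sub(/^(==>|>>>) */, ""); print }' "$1"
}

# Print the checklist; return 1 when a reboot should wait for manual review.
review_upgrade() {
    echo "Config files to merge:";  pending_configs "$1" | sed 's/^/  /'
    echo "Package notices:";        package_notices "$1" | sed 's/^/  /'
    echo "Boot-critical packages:"; boot_critical "$1"   | sed 's/^/  /'
    [ -z "$(boot_critical "$1")" ]
}

# Constructed sample: a shortened copy of the transcript pasted in this thread.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
removing mkinitrd...
warning: /etc/mkinitrd.conf saved as /etc/mkinitrd.conf.pacsave
upgrading filesystem...
warning: extracting /etc/fstab as /etc/fstab.pacnew
warning: extracting /etc/passwd as /etc/passwd.pacnew
upgrading kernel26... done.
>>> If you use the LILO bootloader, you should run 'lilo' before rebooting.
>>> Please change your bootloader config files:
>>> Grub: /boot/grub/menu.lst | Lilo: /etc/lilo.conf
upgrading openssl... done.
EOF

review_upgrade "$SAMPLE" || echo "Hold the reboot: act on the notices above first."
```

A non-zero return from review_upgrade means a kernel, initramfs, bootloader or udev package changed, so the bootloader config and the listed .pacnew files should be checked before the machine is restarted.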
Seb74 wrote: Means I'll have to shut it down on the power button, and from what I've heard Linux doesn't like that as much as Windows does.
Linux does that better than Windows ever did
You also could press just ctrl+alt+delete or type "reboot".
Nope, not when I can't log in to the server.
I'll take a look for newer ISOs then, if there are any for AMD64 also....which are official and not some strange unofficial testing-release.
I'll check that link someone posted above
EDIT: Nope didn't seem to be 64-bit images so I'll go on with my old 0.7.2 again.
EDIT2: It's so god damn fast to install, if you've just done it twice and printed down all the details. I mean, installing the whole OS, including grabbing and configuring OpenSSH, Apache, PHP, Samba, takes less time than just formatting the disc under WinXP. Incredible
Offline
Next time you install archlinux (maybe on a desktop), after the first boot get networking up and run pacman -Syu BEFORE you install anything else.
That way you will have up-to-date base packages.
As to the new ISOs from tpowa: the 0.7.2 install cd lacks severely in hardware detection.
tpowa's ISOs use udev/mkinitcpio (the same combo that an up-to-date Arch installation uses) and work a lot better.
Until the official ISOs for the next version are out, tpowa's ISOs are the best install method we have.
Offline
Have no problems with any hardware, what I know of at least. Network seems to work fine, my system doesn't draw all to much power, and gfx and sound is nothing I use.
I do update/sync some database before downloading/installing my apps (Samba Apache PHP OpenSSH MySQL) so I guess those installs are up to date, and that, I hope, is what is most important when talking security, since only 22 and 80 is open outwards and I have no security issues in my LAN (it's not a server at some office or school or anything, it's just my small home LAN server).
Offline