[opensuse] Rankin's Review of 11.0 Server Install
Devs,

You guys did a great job getting 11.0 together and it is installed and functioning as a great file server as we speak. The only observation is that it seemed so much effort was directed toward KDE 4 being included, that not enough resources were garnered to make sure the core of the distro received the same level of attention as well. Aside from the "boot installed system" item, the remaining are just nits, etc.

On to the install into a fairly harsh install environment. The box has an MSI KM2M motherboard, Athlon 2400, 2G of DDR/266 memory, (2) 80G ata drives that contain wXP, w98, and a 60G install of openSuSE 10.3. It also has (2) additional 500G SATA drives attached to a Promise 4 port SATA -> PCI card. The 500G drives are set up in Raid 1 using software raid creating a 20G / array and a 454G /home array.

Partitioning and mount point assignment was a snap. The formatting was very timely, no outrageous amount of time spent looking at the screen. I did a highly customized software install given what the duties of this server will be. DNS, DHCP w/dyn updates to DNS, mySQL, pptpd and all Apache, php, and perl with a few sprinkles of coding libraries thrown for fun. Wanting to get work out without having to put an extraordinary amount in, I chose KDE 3.5 and compiz. The fglrx 4.973 worked straight from the packages at the ATI rpm site. xorg.conf was copied from the 10.3 install without any problems.

The system install went like a breeze, fast too. All packages and drivers were correctly installed and all that was required was a quick follow-up on hardware configuration. The reboot was unremarkable. Grub apparently put the pieces together correctly on this install. I guess having windows there staring at grub during the install routine gives it a big target to shoot at and get stage-one put in the right place.

On first boot, first order of business was a clean kill of beagle with "rpm -e $(rpm -qa | grep beagle | sed -e '/^lib/d') $(rpm -qa | grep kerry) && rm -r ~/.beagle", done. Mounting the 10.3 drive gave easy access to samba, apache, dhcpd, named and dovecot configs, so samba is happily providing shares and CIFS is behaving nicely.

After getting the initial "suse Updater" updates (7 in all), it was time to use Yast to bring all packages from BuildService up to current. So I left the box downloading and went back to a laptop to finish some cleanup on the install via ssh. To my dismay, "ssh box", did nothing, ssh IP.to.box. did nothing as well? "ping box" worked fine. A diff of sshd_config from the 10.3 partition confirmed that there were no meaningful differences there. Shutting down SuSEFirewall2 corrected the first snafu, but left me wondering why port 22 is closed by default? I haven't investigated it yet to confirm, but that looked like what happened.

The update of all packages for "packages that were newer" showed 300M of new files to be installed. No problems there either. A basic run-through of chkconfig took only about 4 changes -- not bad at all. An update is currently running to see how our packman friends are doing. I don't expect any issues there either.

Bottom line: for integrating 11.0 into a box with full raid 1, where 3 other operating systems remained installed (W98, Wxp, openSuSE 10.3) and now 11.0 says this was a great install. Now had I had a grub problem and a need to "boot installed system" things would have been more frustrating, but I had no need on this install.

Install was notably faster than 10.3. I don't have exact comparison times, but this install from "boot w/CD" to "done with security updates" took about 1:25. I have also found that either a dvd install or nfs install (both without any additional on-line repositories) speeds things up a lot if you are doing individual software package selection. Dependency checking with on-line files slows the process down otherwise.

Job well done. Now you guys selecting kde4, .....

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Sun, Jun 22, 2008 at 10:38 AM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
Devs,
You guys did a great job getting 11.0 together and it is installed and functioning as a great file server as we speak.
A great report David. The oddity of ssh being closed is strange, given that you started the service, you would expect it to open the firewall. I take it this is also your primary router machine? (Sitting between your network and the internet?). -- ----------JSA---------
John Andersen wrote:
On Sun, Jun 22, 2008 at 10:38 AM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
Devs,
You guys did a great job getting 11.0 together and it is installed and functioning as a great file server as we speak.
A great report David.
The oddity of ssh being closed is strange, given that you started the service, you would expect it to open the firewall.
Yes, that's what I thought as well. I even confirmed sshd was running and it was. I still haven't had time to take a closer look (currently building a swing set/wooden castle in 96 degree heat)
I take it this is also your primary router machine? (Sitting between your network and the internet?).
No, this is actually just a stray hanging off the network. It serves as backup DNS and DHCP, Apache operates independently on port 8084 with imaps configured on 8085. It's basically an additional 500G of local storage that mirrors the primary server for everything, family photos, etc. that now grow in size like wildfire after the wife got an 8 megapixel camera... sheesh. -- David C. Rankin, J.D., P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
On Sun, Jun 22, 2008 at 3:02 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
John Andersen wrote:
On Sun, Jun 22, 2008 at 10:38 AM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
Devs,
You guys did a great job getting 11.0 together and it is installed and functioning as a great file server as we speak.
A great report David.
The oddity of ssh being closed is strange, given that you started the service, you would expect it to open the firewall.
Yes, that's what I thought as well. I even confirmed sshd was running and it was. I still haven't had time to take a closer look (currently building a swing set/wooden castle in 96 degree heat)
I take it this is also your primary router machine? (Sitting between your network and the internet?).
No, this is actually just a stray hanging off the network. It serves as backup DNS and DHCP, Apache operates independently on port 8084 with imaps configured on 8085. It's basically an additional 500G of local storage that mirrors the primary server for everything, family photos, etc. that now grow in size like wildfire after the wife got an 8 megapixel camera... sheesh.
Ah, so why run the suse firewall at all? (Since you shut it down, perhaps you've come to the same conclusion). As best I can tell it's never needed unless you want to use it as a router, and if you do there are much easier packages to configure for that, such as shorewall. A non-open port is as much protection as you need, and a software firewall really adds nothing as long as you know what each and every thing labeled LISTENING in netstat is. -- ----------JSA---------
On Sun, 22 Jun 2008 12:38:47 -0500, David C. Rankin wrote:
but left me wondering why port 22 is closed by default? I haven't investigated it yet to confirm, but that looked like what happened.
The default for 11.0 is no ssh and the firewall closes the port. In the summary screen you get before starting the actual installation you have the choice to change that. Philipp
On Sun, Jun 22, 2008 at 11:56 AM, Philipp Thomas <philipp.thomas2@gmx.net> wrote:
On Sun, 22 Jun 2008 12:38:47 -0500, David C. Rankin wrote:
but left me wondering why port 22 is closed by default? I haven't investigated it yet to confirm, but that looked like what happened.
The default for 11.0 is no ssh and the firewall closes the port. In the summary screen you get before starting the actual installation you have the choice to change that.
But he did change that, he started the service. Why the requirement for also opening the port in the firewall? Seems too easy to fire up sshd at the remote site, drive home, only to find you have to drive back again. For the record, unless the machine is a router, I see little need for suse firewall at all. A port not open is just as effective, and services (mostly/always?) have a means to control which interfaces they will serve. This is why I asked David if this machine was his firewall. Remind me again why a secure service like ssh is off by default? -- ----------JSA---------
John Andersen wrote:
On Sun, Jun 22, 2008 at 11:56 AM, Philipp Thomas <philipp.thomas2@gmx.net> wrote:
On Sun, 22 Jun 2008 12:38:47 -0500, David C. Rankin wrote:
but left me wondering why port 22 is closed by default? I haven't investigated it yet to confirm, but that looked like what happened.
The default for 11.0 is no ssh and the firewall closes the port. In the summary screen you get before starting the actual installation you have the choice to change that.
But he did change that, he started the service. Why the requirement for also opening the port in the firewall? Seems too easy to fire up sshd at the remote site, drive home, only to find you have to drive back again.
For the record, unless the machine is a router, I see little need for suse firewall at all. A port not open is just as effective, and services (mostly/always?) have a means to control which interfaces they will serve. This is why I asked David if this machine was his firewall.
Remind me again why a secure service like ssh is off by default?
Actually, I found it was already enabled and ready to go, as soon as I shut down the firewall. -- Use OpenOffice.org <http://www.openoffice.org>
John Andersen wrote:
Remind me again why a secure service like ssh is off by default?
I beg because ssh being so widely used is prone to be attacked, and ssh is not the only service that can listen on this port (no other should, but who knows what a malicious thing can do?) However this can be a real problem. I'm not so experienced as a server admin, but have to manage my own hosted server. Recently, being in yast, I noticed that the firewall was not started and, stupidly, thought "oops... I forgot it" and clicked "start". Of course, by default all is closed, so I had no more access to the machine, needed a hard reboot and recovery console... Now my firewall is stopped (really useless on a single machine) but still the ssh port is said to be open, just in case I'm too dumb :-)) jdd -- Jean-Daniel Dodin Président du CULTe www.culte.org
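The lockout described in this thread (sshd running, firewall started with the ssh port closed) can be checked for before the firewall is started. The following is an added example, not part of any poster's message: it assumes the open TCP ports are listed in the FW_SERVICES_EXT_TCP variable of /etc/sysconfig/SuSEfirewall2, ignores other ways of opening ports, and uses hypothetical function names and constructed sample configs.

```shell
# Pre-flight check: would starting SuSEfirewall2 cut off sshd?
# Both inputs are file paths, so the check can be run on copies of the configs.

# Print the ports sshd will listen on (sshd uses 22 when no Port line is set).
sshd_ports() {
    local ports
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Print the FW_SERVICES_EXT_TCP entries, one per line (last assignment wins).
fw_open_tcp() {
    sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"[[:space:]]*$/\1/p' "$1" \
        | tail -n 1 | tr ' ' '\n'
}

# Return 0 if every sshd port is open in the firewall config, 1 otherwise.
ssh_reachable() {
    local port entry ok
    for port in $(sshd_ports "$1"); do
        ok=no
        for entry in $(fw_open_tcp "$2"); do
            # "ssh" is the /etc/services name for 22/tcp
            if [ "$entry" = "$port" ] ||
               { [ "$entry" = "ssh" ] && [ "$port" = "22" ]; }; then
                ok=yes
            fi
        done
        [ "$ok" = yes ] || { echo "port $port/tcp not open in firewall"; return 1; }
    done
    echo "all sshd ports open in firewall"
}

# Constructed sample configs (not taken from the thread).
demo=$(mktemp -d)
printf '#Port 22\nPasswordAuthentication no\n' > "$demo/sshd_default"
printf 'Port 2222\n'                           > "$demo/sshd_moved"
printf 'FW_SERVICES_EXT_TCP=""\n'              > "$demo/fw_closed"
printf 'FW_SERVICES_EXT_TCP="ssh 8084 8085"\n' > "$demo/fw_open"

ssh_reachable "$demo/sshd_default" "$demo/fw_closed" || true  # lockout case
ssh_reachable "$demo/sshd_default" "$demo/fw_open"            # safe to start
ssh_reachable "$demo/sshd_moved"   "$demo/fw_open"   || true  # moved port forgotten
```

The third case is the one that bites after moving sshd to a non-standard port: the firewall entry "ssh" still means 22/tcp, so the new port has to be listed explicitly.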
On Mon, Jun 23, 2008 at 09:12:49AM +0200, jdd sur free wrote:
John Andersen wrote:
Remind me again why a secure service like ssh is off by default?
I beg because ssh being so widely used is prone to be attacked, and ssh is not the only service that can listen on this port (no other should, but who knows what a malicious thing can do?)
However this can be a real problem.
I'm not so experienced as a server admin, but have to manage my own hosted server.
Recently, being in yast, I noticed that the firewall was not started and, stupidly, thought "oops... I forgot it" and clicked "start".
Of course, by default all is closed, so I had no more access to the machine, needed a hard reboot and recovery console...
Now my firewall is stopped (really useless on a single machine) but still the ssh port is said to be open, just in case I'm too dumb :-))
Well, SSHD is still started by default. However, the network overview page which points to "open ssh port" might no longer be shown during the default install, so you need to go manually into the firewall dialog. (not sure though) Ciao, Marcus
On Mon, Jun 23, 2008 at 12:12 AM, jdd sur free <jdanield@free.fr> wrote:
John Andersen wrote:
Remind me again why a secure service like ssh is off by default?
I beg because ssh being so widely used is prone to be attacked, and ssh is not the only service that can listen on this port (no other should, but who knows what a malicious thing can do?)
Well, they have to get to your machine before they can start a malicious daemon there, and having sshd occupy port 22 pretty well assures that nothing else will get installed there. But like I say, if "they" are already inside, you are toast anyway. You can change the ssh port in the sshd to some obscure port; this just makes it unlikely the script kiddies will find it, giving you time to close it if some ssh exploit gets in the wild. You can also rate-limit connections to ssh, which pretty much kills off those ssh scripts. On some machines I disable password authentication after installing my public key in authorized keys. This works best of all IMO... -- ----------JSA---------
Philipp Thomas wrote:
On Sun, 22 Jun 2008 12:38:47 -0500, David C. Rankin wrote:
but left me wondering why port 22 is closed by default? I haven't investigated it yet to confirm, but that looked like what happened.
The default for 11.0 is no ssh and the firewall closes the port. In the summary screen you get before starting the actual installation you have the choice to change that.
Philipp
No, I missed that one Philipp. 3 kids, I didn't even get to start the install until 2 AM. Good to know I wasn't going crazy. -- David C. Rankin, J.D., P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
participants (6)
- David C. Rankin
- James Knott
- jdd sur free
- John Andersen
- Marcus Meissner
- Philipp Thomas