Wednesday, March 30, 2005

compiling kernel the Debian way

No, I'm not an avid fan of Debian, but I use it at work and I like its speed and simplicity. As a note, here's how to compile a kernel on Debian (Woody) in a flash.

First login to your Debian machine on the command line as root. Install the prerequisites that we need to compile the new kernel:

# apt-get install kernel-package ncurses-dev fakeroot wget bzip2

Then go to /usr/src:

# cd /usr/src

Then get the latest Linux kernel source (or the kernel source you need) from http://www.kernel.org/pub/linux/kernel/v2.4/:

# wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.23.tar.bz2

Unpack the kernel sources:

# tar xjf linux-2.4.23.tar.bz2

# cd linux-2.4.23/

It is normally a good idea to take the configuration of your existing (working!) kernel as a starting point for the configuration of your new kernel. Usually the current kernel configuration is saved in a file under /boot, e.g. /boot/config-2.4.18-bf2.4. We will load this configuration and then do the changes we desire (e.g. add quota support, iptables support, etc.).

make menuconfig

Then run the following commands:

make dep
make-kpkg clean
fakeroot make-kpkg --revision=custom.1.0 kernel_image

If the compilation stops with an error, run

make clean

and then re-run the previous commands starting with

make menuconfig

Change the kernel configuration where the error occurs (e.g., compilation often fails for some WAN modules, so leave them out if you do not need them). If no error occurs you will find the new kernel as a Debian package called kernel-image-2.4.23_custom.1.0_i386.deb under /usr/src.

cd ../

Now you can install the new kernel by doing the following:

dpkg -i kernel-image-2.4.23_custom.1.0_i386.deb

We are almost finished now. Reboot your machine:

shutdown -r now

and if everything is OK your machine should come up with the new kernel. You can run

uname -a

to verify that.

Good luck!

Saturday, March 26, 2005

Linux lags Windows in new security report

A report released today (by Security Innovation) indicates Windows Server 2003 may actually be more secure than its most popular Linux competitor when it comes to vulnerabilities and the time it takes to patch them. The paper is at:

http://www.securityinnovation.com/resources/linux_windows.shtml

Another piece of Microsoft-funded research. According to Thompson:
“We’ve gotten funding from Microsoft ..”

The study is limited:

“This study appears to be more concerned with vulnerability counts and patch-release cycles than in actual security or securability.”

here’s the method:

In the Security Innovation report, the trio took requirements for three typical enterprise Web server environments and scrutinized known vulnerabilities and subsequent patches. The Windows Server 2003 platform included ASP.NET for scripting, a SQL Server 2000 database server and Microsoft Internet Information Services 6.0 Web server. Any function was accepted by default during installation (assuming many admins just keep clicking the Next button during the process). On the Linux side, the team used two different configurations for Red Hat Enterprise Linux 3.0. Both ran PHP for scripting, a MySQL database server and an Apache Web server. But one version included high modularity, where essentially the researchers installed whatever Red Hat had available; the other was minimally configured to include only core components.

the problem is..

“Most of us in the Linux security community have been saying for years that the average Linux distribution — Red Hat, SuSE, etc. — isn’t terribly secure ‘by default.’ Good security comes from careful configuration, not by running an installer,”

and Red Hat's own data doesn't seem to agree with the study:

The Red Hat Security Response Team publishes the data, allowing anyone to run these metrics for themselves; see http://people.redhat.com/mjc/

some comments from the community:

Today's Security advice from Secunia for Mandrake 10.1 is that all known vulnerabilities are patched (see http://secunia.com/product/4198/). Today's Security advice from Secunia for Windows Server 2003 has 13% of known vulnerabilities not patched (see http://secunia.com/product/1173/), and 4 of these problems date back to 2003! So the maximum time MS takes to patch vulnerabilities in Server 2003 is 2 years and still counting - where is that mentioned in this “research”?

from:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1069985,00.html?track=NL-105&ad=509123

Sunday, March 20, 2005

old PROM SPARC32 problem during Debian Woody installation

I got an ancient Ultra Sparc II (sun4m) whose previous job was as a firewall running Solaris 2.6; it has 448MB RAM and a 10Mbps quad Ethernet port. I decided to install Debian on it, as it's the only distro that supports sun4m, AFAIK. Gentoo was my first choice, but I had a hard time finding support for it. I initially installed Debian 3 (Woody) for SPARC, but I ran into problems during the reboot to continue the installation of the base packages, because the old PROM does not support reading more than 1GB into the disk for the /boot partition. The error was:

SILO buggy old PROMs don't allow reading past 1GB from start of the disk..
Read error on block 327684
Cannot find /etc/silo.conf (Attempt to read block from filesystem resulted in short read)
Couldn't load /etc/silo.conf

To solve this, I needed to boot from my Debian CD installer in rescue mode and mount the / and /boot partitions.
Then do the following steps:

ln -s . /boot/etc
ln -s . /boot/boot
mv /etc/silo.conf /boot
ln -s /boot/silo.conf /etc/silo.conf

The paths may vary, as the mount point (e.g. "target") may be prepended to the directories.

Then, edit /etc/kernel-img.conf, and add
link_in_boot = Yes

There was no vi editor installed yet, so I had to use nano-tiny.

I rebooted my system and the installation continued successfully.
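As an added example, not part of the original post or of SILO itself, here is a shell version of the workaround above that can be applied under a root such as /target and then checked from SILO's point of view, where every path is resolved relative to the /boot partition. The function names are this example's own, and the check only parses image= lines of silo.conf.

```shell
#!/bin/sh
# Added example (not from the original post): apply the SILO workaround above
# under a root directory and check the result from SILO's point of view.
# Function names are this example's own.
set -eu

# Create the two self-referencing links, move silo.conf onto the /boot
# partition and point /etc/silo.conf back at it. $1 is the root the system
# is mounted under ("" for the live root, /target in the installer's rescue
# mode). Safe to run more than once.
relocate_silo_conf() {
    root="${1:-}"
    [ -e "$root/boot/etc" ]  || ln -s . "$root/boot/etc"    # /boot/etc  -> /boot
    [ -e "$root/boot/boot" ] || ln -s . "$root/boot/boot"   # /boot/boot -> /boot
    if [ -f "$root/etc/silo.conf" ] && [ ! -L "$root/etc/silo.conf" ]; then
        mv "$root/etc/silo.conf" "$root/boot/silo.conf"
        ln -s /boot/silo.conf "$root/etc/silo.conf"
    fi
    # make kernel-package place future kernel links in /boot rather than in /
    grep -q '^link_in_boot[[:space:]]*=[[:space:]]*[Yy]es' "$root/etc/kernel-img.conf" 2>/dev/null \
        || echo 'link_in_boot = Yes' >> "$root/etc/kernel-img.conf"
}

# SILO reads every path relative to the root of the /boot partition, so
# silo.conf must be reachable as /boot/etc/silo.conf and each image= entry
# must exist when looked up beneath /boot. Returns non-zero on any miss.
check_silo_layout() {
    root="${1:-}"
    conf="$root/boot/etc/silo.conf"
    [ -f "$conf" ] || { echo "silo.conf not reachable via /boot/etc" >&2; return 1; }
    [ -L "$root/etc/silo.conf" ] || { echo "/etc/silo.conf is not a symlink" >&2; return 1; }
    status=0
    for img in $(sed -n 's/^[[:space:]]*image[[:space:]]*=[[:space:]]*//p' "$conf"); do
        if [ ! -f "$root/boot/$img" ]; then
            echo "image $img not found beneath /boot" >&2
            status=1
        fi
    done
    return $status
}
```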

I'd like to thank Ben Collins and Nathan Norman of debian-sparc mailing list for the help.