This is a discussion on best practise upgrade from slackware 8 within the Slackware Linux Support forums, part of the Unix Operating Systems category.
| ||||
Hello

I am based in the UK and have been renting a dedicated server in the US for some years.

The server is running Slackware 8 that was patched fairly regularly early on but has not been kept up to date recently. The hosting company sold out a couple of years ago and the slack-gurus on their staff have long since moved on.

The server hosts websites and email for quite a number of family and close friends but is not used commercially.

I feel that I really need to upgrade/update/patch up to current standards - both for my own security and also for the wider internet. The server must be fairly open to abuse by now.

I am fairly proficient with linux - using debian/ubuntu in the home - but am not too sure of myself doing a whole server remotely. I have never really got the hang of slackware's package management - I am really at the "apt-get: click and let it get on with things" level.

How can I do this with the minimum disruption? Is there a best practise guide out there? I would be grateful if someone could point me in the right direction.

Many thanks in advance for any advice.

L
| |||
On 2006-10-30, Lee <me@privacy.net> wrote:
> The server is running Slackware 8 that was patched fairly
> regularly early on but has not been kept up to date recently.
>
> The server hosts websites and email for quite a number of family and close
> friends but is not used commercially.
>
> I feel that I really need to upgrade/update/patch up to current standards -
> both for my own security and also for the wider internet. The server must be
> fairly open to abuse by now.
>
> I am really at the
> "apt-get: click and let it get on with things" level.
>
> How can I do this with the minimum disruption?

Well you've definitely got a job ahead of you. Package updates for 8.0 haven't been put out for a while, but there are a ton of updates for 8.1. You may be able to install these packages on your 8.0 box, but it'll be hit or miss. Mostly, you should look at grabbing the source code for the latest versions of any vulnerable apps you have running, and compile them into packages using the SlackBuild scripts for 8.0 if they are available.

Honestly, this task may be a bit above you right now, but what can it hurt to try?

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
| |||
"+Alan Hicks+" <alan@lizella.netWORK> wrote in message news:UNadnZVPcsw8zNvYnZ2dnUVZ_rWdnZ2d@trueband.net ...
> On 2006-10-30, Lee <me@privacy.net> wrote:
>> The server is running Slackware 8 that was patched fairly
>> regularly early on but has not been kept up to date recently.
>>...
>>
>> How can I do this with the minimum disruption?
>
> Well you've definitely got a job ahead of you. Package updates for 8.0
> haven't been put out for a while, but there are a ton of updates for
> 8.1. You may be able to install these packages on your 8.0 box, but it'll
> be hit or miss. Mostly, you should look at grabbing the source code
> for the latest versions of any vulnerable apps you have running, and
> compile them into packages using the SlackBuild scripts for 8.0 if they
> are available.
>
> Honestly, this task may be a bit above you right now, but what can it
> hurt to try?
>

You are correct. However, what choice do I have? I am loath to spend money renting a new server and trying to transfer all the data (and many years of tweaking config) onto that. It would probably take me months.

I assume that there isn't some magic equivalent of dist-upgrade?

L
| |||
On 2006-10-30, Lee <me@privacy.net> wrote:
> I assume that there isn't some magic equivalent of dist-upgrade?

Use what I'm about to tell you at your own risk, as mileage may (and does) vary among different people.

It is relatively simple to upgrade from one version of Slackware to another, but you're looking at *several* version jumps rather than just one or two, so that puts a major kink in the hose. With that said, the writing is on the wall - you're going to *have* to do *something* about that box, and a full upgrade is probably the least work in the long term.

Before you start, get in touch with whomever is your contact at the CoLo facility and let them know what you're doing and make sure they can be available just in case. It might be a good idea to call them first and see about sending them 11.0 ISO's just in case they wind up being needed. Also, back up all your data, make sure you've got another (secondary) MX to catch your email (just in case), and all that other good stuff that I'm forgetting. Once all this is done, then...

Download the Slackware 11.0 tree - you probably want to omit the kde, t, x and xap package sets (and maybe e/ if you don't use emacs) - to a directory on the server.

It's recommended by Pat to enter single-user mode at this point (http://slackware.osuosl.org/slackware-11.0/UPGRADE.TXT), but since you're doing this remotely, that's not an option, as it will kill your network. Instead, stop as many services as you can (basically everything but network and sysklogd), and then upgrade the following packages:

  # cd /path/to/slackware/package_sets/
  # upgradepkg a/glibc-solibs-2.3.6-i486-6.tgz
  # upgradepkg a/pkgtools-11.0.0-i486-4.tgz
  # upgradepkg a/sed-4.1.5-i486-1.tgz

If something is going to go wrong, it will probably happen in that step, so if you make it through the last part, then things are probably going to be fine.

Once that's done, upgrade the rest of the package sets:

  # upgradepkg --install-new */*.tgz

Make sure you have a kernel image installed that will boot - the kernel package will have been upgraded in the operations above. The symlink at /boot/vmlinuz should be pointing at /boot/vmlinuz-ide-2.4.33.3

Be sure to edit /etc/lilo.conf if needed, and run /sbin/lilo to load the new kernel at the next boot.

You will have *lots* of config files on your system with .new suffixes; you will need to merge these with or replace the old ones with the new ones. In most cases, you're almost certainly better off by using the new ones and merging your modifications to the old ones into the new ones. To find all of the *.new config files, this should work:

  # find / -name "*.new"

There are most likely going to be quite a few *old* packages installed that are no longer present in Slackware 11.0 at all. You can probably do some creative scripting with the "PACKAGE NAME" variable in this file: http://slackware.osuosl.org/slackware-11.0/PACKAGES.TXT and compare the results to the contents of /var/log/packages/ after the upgrade (removing anything that's not present in PACKAGES.TXT). Also note that if kde or anything else that you might have skipped downloading is installed on the box, then those packages will still be the older 8.0 versions and should be removed (they should be removed from a mail server anyway).

Note that *very* little of the information above is original - the vast majority of it is credited to Pat Volkerding, as it comes from his UPGRADE.TXT document, and is slightly modified to support your situation.

Good luck with whatever you decide.

RW
--
http://rlworkman.net
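One way to do the comparison against PACKAGES.TXT suggested in the post above, as an added example that is not part of the thread. It assumes package database entries are named name-version-arch-build and treats any entry without those fields as an old-format name; oldmailer and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report installed packages that are absent from PACKAGES.TXT.

# Strip ".tgz" and the trailing -version-arch-build fields from a package name.
# Names without those three fields pass through unchanged (assumed here to be
# old-format entries left over from before the upgrade).
pkg_base() {
    printf '%s\n' "$1" | sed -e 's/\.tgz$//' -e 's/-[^-]*-[^-]*-[^-]*$//'
}

# Base names of every package listed in the PACKAGES.TXT file given as $1.
release_names() {
    sed -n 's/^PACKAGE NAME:[[:space:]]*//p' "$1" |
        sed -e 's/\.tgz$//' -e 's/-[^-]*-[^-]*-[^-]*$//' | sort -u
}

# Entries in package database dir $2 whose base name is not in PACKAGES.TXT $1.
obsolete_packages() {
    wanted=$(release_names "$1")
    for entry in "$2"/*; do
        [ -f "$entry" ] || continue
        name=${entry##*/}
        printf '%s\n' "$wanted" | grep -qxF -- "$(pkg_base "$name")" ||
            printf '%s\n' "$name"
    done
}

# Constructed sample data so the script runs offline; on the real server pass
# the downloaded PACKAGES.TXT and /var/log/packages instead.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/packages" || return 1
    cat > "$d/PACKAGES.TXT" <<'EOF'
PACKAGE NAME:  glibc-solibs-2.3.6-i486-6.tgz
PACKAGE LOCATION:  ./slackware/a
PACKAGE NAME:  pkgtools-11.0.0-i486-4.tgz
PACKAGE NAME:  sed-4.1.5-i486-1.tgz
EOF
    for p in glibc-solibs-2.3.6-i486-6 pkgtools-11.0.0-i486-4 \
             sed-4.1.5-i486-1 oldmailer-1.0-i386-1 kdebase; do
        : > "$d/packages/$p"
    done
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    s=$(make_sample) && obsolete_packages "$s/PACKAGES.TXT" "$s/packages"
    rm -rf "$s"
elif [ $# -eq 2 ]; then
    obsolete_packages "$1" "$2"
fi
```

Review the printed list by hand before handing any of it to removepkg, since locally built packages also show up as absent from PACKAGES.TXT.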
| |||
Lee wrote:
> Many thanks in advance for any advice.

OK, if I would have to do it, I'd first download the whole thing, put it on a box just next to my desk and try to do the upgrade in "safe environment" (following Robby's good advice).

My $0.02.

Yeti
--
This message is best viewed with open eyes.
| |||
Robby Workman wrote:
(good advice for upgrading a system across oceans ...)

I would recommend, in order to reduce the amount of trouble you have doing this, to try it first on a similarly configured system you have local access to. That way you can take repeated stabs at it, and build yourself a procedure that you can be confident in before you start working on the system across the pond ...

--
----------------------------------------------------------------------
Sylvain Robitaille    syl@alcor.concordia.ca
Systems and Network analyst    Concordia University
Instructional & Information Technology    Montreal, Quebec, Canada
----------------------------------------------------------------------
| |||
On Tue, 31 Oct 2006 05:11:47 +0000, Robby Workman wrote:
> Note that *very* little of the information above is original - the vast
> majority of it is credited to Pat Volkerding, as it comes from his
> UPGRADE.TXT document, and is slightly modified to support your situation..
> Good luck with whatever you decide.

Especially read UPGRADE.TXT from 8.1, since the package naming format has changed from 8.0 to 8.1. I'd advise you to try and reproduce this upgrade locally a few times, because there are bound to be some problems.

-- Daniel
| |||
"Daniel de Kok" <daniel@nowhere.nospam> wrote in message news:45471c66$0$64262$dbd4d001@news.wanadoo.nl...
> On Tue, 31 Oct 2006 05:11:47 +0000, Robby Workman wrote:
>> Note that *very* little of the information above is original - the vast
>> majority of it is credited to Pat Volkerding, as it comes from his
>> UPGRADE.TXT document, and is slightly modified to support your
>> situation..
>> Good luck with whatever you decide.
>
> Especially read UPGRADE.TXT from 8.1, since the package naming format has
> changed from 8.0 to 8.1. I'd advise you to try and reproduce this upgrade
> locally a few times, because there are bound to be some problems.
>
> -- Daniel

Alan, Robby, Sylvain, Daniel and Yeti

Many thanks for the pointers. I am *really* grateful for your assistance.

I have an old PII box here in my home and will have a practise on that.

Again, very many thanks. I appreciate the effort.

L
| |||
On 2006-10-31, Lee <me@privacy.net> wrote:
> I have an old PII box here in my home and will have a practise on that.
>
> Again, very many thanks. I appreciate the effort.

One other thing I might add, but I'm not sure how difficult this will be for you, is to build a statically linked OpenSSH under /opt and make sure you set up manual ifconfig statements in rc.local, as well as starting this static build of OpenSSH on an alternative high port.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
| ||||
On 2006-10-31, Daniel de Kok <daniel@nowhere.nospam> wrote:
> On Tue, 31 Oct 2006 05:11:47 +0000, Robby Workman wrote:
>> Note that *very* little of the information above is original - the vast
>> majority of it is credited to Pat Volkerding, as it comes from his
>> UPGRADE.TXT document, and is slightly modified to support your situation..
>> Good luck with whatever you decide.
>
> Especially read UPGRADE.TXT from 8.1, since the package naming format has
> changed from 8.0 to 8.1. I'd advise you to try and reproduce this upgrade
> locally a few times, because there are bound to be some problems.

Aha, I forgot about that. I wasn't "in the know" about Slackware (or even Linux) back during the 8.x days, so I had forgotten about the old package naming format. Good catch :-)

Good point about the 'practice it locally before doing it remotely' idea too - that can save a *lot* of heartache...

RW
--
http://rlworkman.net