
Re-installing Red Hat Linux

This procedure is to ensure a clean system after an attack.

  1. Back up the configuration files etc., or the whole of the /etc, /home, /root and /var directories.
  2. Re-install the Red Hat operating system (don't upgrade, in case some binaries are not replaced).
  3. Enable the use of rsync with ssh, in order to be able to copy files between machines.
    1. Install rsync if necessary (it should have been chosen in the list of packages to install).
    2. Install ssh.
  4. Apply all the recent patches and upgrades listed at Red Hat errata (www.redhat.com/support/errata/).
  5. Restore the /etc, /home, /root and /var directories.
    1. For safety, copy the newly installed versions of the /etc, /home, /root and /var directories to the backup system.
    2. Edit the /etc/fstab file and run "mount -a", or reboot, to gain access to any partitions previously hidden from the install process.
    3. Copy the original versions of the /etc, /home, /root and /var directories from the backup system, if they are not separately mounted partitions.
    4. Note that it is necessary to check carefully for any unauthorised "backdoors" that may have been inserted. It may be safest to copy the necessary configuration files from the backup system one at a time, checking each one in turn.
  6. Disable all inessential services. (Don't just shut them down, or they may restart when the system reboots.)
    1. List the services currently listening using "netstat -ta".
    2. Edit /etc/inetd.conf to eliminate unnecessary services started by inetd.
    3. Reboot and check again that only the required services are operating.
  7. Contact SUCS to reconnect to the outside world.
  8. Check that correct web sites, ssh access etc. are operating.
  9. Housekeeping
  10. Set up monitoring.
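The checks in steps 5.4 and 6.2 can be done file by file with a short script. The one below is an added example, not part of the original page: it lists every backed-up /etc file that differs from, or is missing in, the fresh install, shows the lines that were added to a flagged file, and prints the services an inetd.conf would start. It assumes only cmp, diff and awk, and works on constructed sample trees rather than real system files.

```shell
#!/bin/sh
# Pre-restore review of a backed-up /etc against a freshly installed one
# (step 5.4) plus a listing of enabled inetd services (step 6.2).
# The fresh/ and backup/ trees used here are constructed, not real files.
set -eu

# review_etc FRESH BACKUP
# Prints "DIFF <file>" for backup files that differ from the fresh install
# and "ONLY_IN_BACKUP <file>" for files the fresh install does not have.
review_etc() {
    fresh=$1; backup=$2
    (cd "$backup" && find . -type f) | sed 's|^\./||' | sort |
    while read -r f; do
        if [ ! -e "$fresh/$f" ]; then
            echo "ONLY_IN_BACKUP $f"
        elif ! cmp -s "$fresh/$f" "$backup/$f"; then
            echo "DIFF $f"
        fi
    done
}

# added_lines FRESH_FILE BACKUP_FILE
# Prints lines present in the backup copy but absent from the fresh copy;
# these are the lines to read before restoring a file flagged DIFF.
added_lines() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

# enabled_inetd_services INETD_CONF
# Prints the first field of every non-blank, non-comment line, i.e. the
# services inetd would start at boot.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# make_sample: builds constructed fresh/ and backup/ trees under a temp
# directory and prints its path. The backup carries an extra uid-0 passwd
# entry and an inetd.conf the fresh install lacks; group is identical.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/fresh" "$root/backup"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/fresh/passwd"
    printf 'root:x:0:0:root:/root:/bin/bash\nguest:x:0:0::/:/bin/sh\n' > "$root/backup/passwd"
    printf 'root::0:\n' > "$root/fresh/group"
    cp "$root/fresh/group" "$root/backup/group"
    printf '# inetd.conf\nftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$root/backup/inetd.conf"
    echo "$root"
}
sample=$(make_sample)
review_etc "$sample/fresh" "$sample/backup"
```

On a real system the two arguments to review_etc would be the freshly installed /etc and the backup copy made in step 1; each flagged file is then read (added_lines) before it is copied across.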

Copyright © 2000 by Dr R.J. White, School of Biological Sciences, University of Southampton. All rights reserved.

This page was designed and prepared by Richard White and last edited on 4 September 2000. It resides on a server run by the University of Southampton. Any views expressed in these pages are not necessarily those of the University.