BSD Operating Systems

Installing BSD Remotely Under Linux

horos1 writes "Hey all, I was wondering if this was possible: Right now, I'm running redhat 6.2 colocated at an ISP, and have had my box compromised twice because I was slow to apply security patches to the box. So I'm thinking that I'm going to switch to OpenBSD and not worry about the security aspect anymore (or at least less). Anyways, normally I'd get a CD and install it... however, the box in question is in another state so I need to do it remotely via console. So -- any helpful tips on how to go about doing this? I'd like to archive linux and replace it with OpenBSD, such that the next time the computer boots up, I'll be sitting at an OpenBSD prompt to log in. I have a very fast connection, just no ability to sit down at the console. I realize that it's a rather risky proposition to do this remotely (i.e., that the computer may not boot) but am willing to take the chance. Thanks much for any advice. horos" This sounds like something that should be labeled "only try this at home".
  • Installing a BSD is merely better, it's not a panacea for lazy administration. Getting all your security alerts from one place certainly makes things easier, but if you don't pay attention, you're just gonna get hacked again.
  • I always say, a properly secured linux installation will be much more secure than a half secured openbsd install. It only takes me about 5 minutes to completely secure a box, it would be worth your time to learn how to do it because it saves much time in cleaning up after a system compromise. It's so easy, that I'm going to list out all the steps that I use to secure a redhat 6.2 machine

    1. nmap 127.0.0.1
    2. /usr/sbin/ntsysv (turn off all un-needed services that show in the nmap scan)
    3. shut down those services, ala /etc/rc.d/init.d/(service) stop
    4. vi /etc/inetd.conf (remove un-needed services)
    5. restart inetd, /etc/rc.d/init.d/inet restart
    6. nmap 127.0.0.1 (make sure the services are shut down)
    7. install all security updates from an updates.redhat.com mirror, my favorite is ftp://ftp.freesoftware.com/pub/linux/redhat/updates/ [freesoftware.com]

    Redhat 7.0 is very similar to 6.2, except you do not need to edit /etc/inetd.conf because it does not exist, and you can use ntsysv to remove services from the new xinetd used in 7.0.

    An even better solution for #7 is to use an auto update script or program. Personally I feel that most of the ones out there for the redhat distributions aren't so great, so I decided to write my own script to do it myself. Run it from cron once a day, and forget about manual updates. I just wrote a web page for my script, and you can see it here http://www.bol.ucla.edu/~drewm/superupd/ [ucla.edu]
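Steps 4 to 6 of the comment above can be checked mechanically. This is an added example, not part of the original comment or the commenter's update script: it lists the services still enabled in an inetd.conf-style file and flags any that are not on an allowlist. The function names, the allowlist and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf-style file.
# Function names and the sample configuration are hypothetical.

# Print the service name (first field) of every active line.
# inetd.conf lines have at least six fields; lines starting with '#'
# (optionally indented) are disabled services or comments.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Print enabled services that are NOT in the space-separated allowlist $2.
unexpected_inetd_services() {
    for svc in $(enabled_inetd_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;        # explicitly needed, keep quiet
            *) echo "$svc" ;;     # still enabled but not needed
        esac
    done
}

# Constructed sample configuration, written to the path given as $1.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
  #login stream tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

sample=$(mktemp)
write_sample_inetd_conf "$sample"
echo "enabled:    $(enabled_inetd_services "$sample" | tr '\n' ' ')"
echo "unexpected: $(unexpected_inetd_services "$sample" "ftp" | tr '\n' ' ')"
rm -f "$sample"
```

An empty "unexpected" line after editing the file and restarting inetd corresponds to the clean second nmap run in step 6.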
  • Another good source is "Securing and Optimizing Linux: Red Hat Edition" [linuxdoc.org] (4Mb PDF). It's actually a book... you can buy it online [openna.com] too. It covers shutting down services, firewalling, reconfiguring the kernel, and a number of other things.
  • Love the script. Been looking for something like this (well, not really but was thinking about looking for it) for a while.
  • I have no real experience doing anything like that, but it doesn't sound impossible. A couple of solutions I can think of:

    Get someone who has physical access to the box and guide them through the install over the phone. This one is obvious.

    If the computer has two hard drives, find a way to cram all the files necessary for the install (not too many, mostly just some basic utilities) onto one drive. Install OpenBSD onto a drive at a local machine, make an image of that, send it to the remote machine, and dd it onto the second hard drive. Then you can play with the boot options so it will boot OpenBSD by default. At that point, you can erase the old Linux partition and remount it under, say, /usr on the new system.

    Good luck!
  • I'm not sure about how you could go about installing it directly from Linux, but I would look more into remote-console type options. For example, VA Linux has a VACS project (search for it) that lets you set up a "monitoring" box which has serial cables to all your systems in the colo. Then, when you need console access to a system, you just ssh into your monitoring box and do it from there.

    What type of motherboard/case is it? Newer intel cases (SRKA4, SPKA4, etc.) have serial-bios and stuff that you can use.
    Also you should check into the cheaper remote console thingies that have a bunch of serial ports on one side, and an ethernet to plug in on the other. You just ssh into the little box (or telnet in) and access the serials that way. (It's just a specialized, cheaper version of the 'monitoring' box above).
    HTH. -dan
  • by colonel ( 4464 ) on Friday December 22, 2000 @02:09PM (#543193)
    It's not as hard as it sounds, assuming you have the resources. I'll leave out the details and just give a brief overview.

    1.) Get a local box with similar hardware

    2.) Install 6.2 and oBSD in a dual-boot.

    3.) On the CoLo, clear off a spare partition the same size as the oBSD partition on the local box.

    4.) Config oBSD on the local box to use the same networking info as the CoLo box, and allow remote access.

    5.) On the local box, fill up the oBSD partition with dd if=/dev/zero of=/mnt/obsd/bigfile ; rm /mnt/obsd/bigfile (so it compresses better)

    6.) On the local box, umount the oBSD partition and dd if=/dev/hda4 | gzip - > oBSDPartition.img.gz

    7.) SCP/FTP the huge-ass file to the CoLo

    8.) dd thru gzip the file in to the blank partition. (hope you set up /etc/fstab in it right!)

    9.) Set up lilo to boot in to oBSD, reboot it, and pray.

    There are a whole lot of gotchas with this, but if you think it through for a day or so first, you might manage.
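The image, transfer and restore steps (5 to 8 above, and the dd suggestion in the earlier two-drive comment) can be rehearsed safely before touching the colo box. This is an added example, not code from either commenter: regular files stand in for /dev/hda4 and the spare partition, and the checksum and size checks before writing are additions that the thread does not mention. All function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Regular files stand in for the
# local oBSD partition and the spare colo partition.

# Image a partition through gzip and record a checksum to ship with it.
make_image() {      # make_image SRC IMG.gz
    dd if="$1" bs=64k 2>/dev/null | gzip -c > "$2" || return 1
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# Write the image only if it arrived intact and fits the target.
restore_image() {   # restore_image IMG.gz TARGET TARGET_BYTES
    want=$(cat "$1.sha256") || return 1
    have=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$have" = "$want" ] || { echo "checksum mismatch, not writing" >&2; return 1; }
    size=$(gzip -dc "$1" | wc -c)
    [ "$size" -le "$3" ] || { echo "image larger than target, not writing" >&2; return 2; }
    gzip -dc "$1" | dd of="$2" bs=64k conv=notrunc 2>/dev/null
}

# Constructed demo: a 1 MiB "partition" that is mostly zeroed free space,
# which is what the zero-fill in step 5 produces.
demo() {
    w=$(mktemp -d) || return 1
    dd if=/dev/zero of="$w/src.part" bs=1024 count=1024 2>/dev/null
    printf 'constructed filesystem data\n' | dd of="$w/src.part" conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$w/dst.part" bs=1024 count=1024 2>/dev/null

    make_image "$w/src.part" "$w/obsd.img.gz"
    restore_image "$w/obsd.img.gz" "$w/dst.part" 1048576 &&
        cmp -s "$w/src.part" "$w/dst.part" && echo "restore verified"

    # Simulate a truncated transfer: the restore must refuse to write.
    head -c 100 "$w/obsd.img.gz" > "$w/bad.img.gz"
    cp "$w/obsd.img.gz.sha256" "$w/bad.img.gz.sha256"
    restore_image "$w/bad.img.gz" "$w/dst.part" 1048576 || echo "truncated image rejected"
    rm -rf "$w"
}
demo
```

The checksum file has to travel with the image, and the target size passed in should be the real size of the spare partition on the remote box.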
