If you're interested in subscribing to this very low traffic email list, send an e-mail to dranch@trinnet.net with a subject of "Add me to your updates list" and I'll add you to the list!
-PS- If you have a second, in the same request email, tell me what specifically you were/are looking for on my WWW page or TrinityOS. I'm always taking new requests for additions and expanded coverage of topics already on my page. So don't be shy!
04/09/00 Rolled off the following from the main page's Top 10 list:
3/26/00 Rolled off the following from the Main page's Top 10 list:
03/18/00 Rolled off the following from the Main page's Top 10 list:
12/26/99
12/23/99
8/28/99
07/14/99
05/06/99 - Added "common-cables.txt" to the hardware page for NULL serial, NULL parallel, 10/100Mb/s ethernet (straight and crossed). http://www.ecst.csuchico.edu/~dranch/HARDWARE/performance.html
05/02/99 - I really haven't been updating this page as much as I should but most of my time has been spent on TrinityOS so all changes there are noted in TrinityOS [Section 100]. Anyway..
- I've added a simple navigation toolbar to the TOP/BOTTOM of all WWW pages. Should be much easier to move around now.
- Added a little section on how to evaluate hard drives in terms of performance.
- Updated TrinityOS
3/10/99 - Lots of changes to TrinityOS. I'm not going to put them here since
it would be a waste of bandwidth. Check out the ChangeLog at the
end of the TrinityOS for full details. I apologize for all this
but once it's converted to SGML, this won't be an issue.
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
02/11/98 - [Notified the Updates email list]
02/11/99 Placed short header names in each [Section] name. Makes topics
easier to find.
*Sent Update*
[Section 2]
Added the note that there is now a description of how packet and
statefully inspected firewalls work.
[Section 3]
Changed the "Future Features" section to group similar tasks.
ie. Networking, hardware, etc. Also added a future feature to do
more GUI help.
[Section 3]
Added a backup URL for IPCHAIN's IPmasqadm since Juanjo's main
ML.ORG site is now 404.
[Section 5]
Indented all the Security URLs, added L0pht, Rootshell, etc URLs.
[Section 5]
Updated the "How firewalls work" flow diagram to include the
FORWARDING rule.
[Section 10]
Added a little blurb on what are the differences between packet and
statefully inspected firewalls work.
[Section 10]
Doh! The explicit OUTPUT firewall ruleset was matching the wrong
ports for the MASQ and NON-MASQ strong ruleset! This isn't a
super huge issue but it IS sloppy!!! For example:
From:
#secure1.host.com
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D $securehost/32 ftp ftp-data ssh pop-3 $unprivports
To:
#secure1.host.com
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports
[Section 10]
Fixed the DHCP rules to reflect the port names of "bootps" and
"bootpc" vs. ports 67 and 68. Makes things more readable.
[Section 10]
Made sure the /etc/services file has:
--
bootps 67/udp # bootp server
bootpc 68/udp # bootp client
--
[Section 27]
Recently found out on the BRU mailing list that when you use BRU's
software compression or your tape drive's hardware compression, you
should set the tape drive's capacity setting to "0"!
[Section 29]
Added a little section on how to test Bru's tape backups
* VERY IMPORTANT*
[Section 29]
Under the RPM testing section, added another RPM test with a
double -vv to really look at a given RPM.
[Section 50]
Made Lynx permissions recommendations for Lynx users running
older versions than 2.8.1.
[Section 50]
Noted that though not included in Slackware or Redhat, the ProFTPd
daemon included with Debian Linux is vulnerable to the same FTP root
exploit that Wu-ftpd is vulnerable.
[Section 50]
02/10/99 Updated the Feature Sets to reflect the support of multiple
Internet domains on one box for DNS and EMAIL
[Section 3]
Changed the default permissions on Redhat's /bin/rpm from 755 to 700.
Normal endusers shouldn't have access to something like this.
[Section 7]
Clarified that users should ADD the specific lines to the
/etc/syslog.conf file and not replace the existing file.
[Section 9]
Added both a Slackware and Redhat version of the /root/logit script
[Section 9]
Cleaned up the "supporting more than one Internet DNS Domain" section
and fixed some formatting issues.
[Section 24]
Cleaned up the "supporting more than one Internet Email Domain" section
and fixed some formatting issues.
[Section 25]
Moved the RPM installation pre-installation tests to [Section 50]
since you should follow these simple recommendations EVERY TIME
before you install an RPM
[Section 25]
Upgrade the "run-rpmwatch" script to v1.1. This added
"rm -f rh-errata.txt" to the end of the script to clean up the
loose tmp files.
[Section 43]
Moved from [Section 25] a pre-RPM TEST list to make sure that the
user is aware of any files that will be overwritten/DELETED, etc.
[Section 50]
Installed an RPM to fix security: wu-ftpd-2.4.2b18-2.1.i386.rpm
[Section 50]
02/09/99 Added a few Future Feature sets:
- Mail Backup: Setup MX email backup
- IPv6: Configure and setup IPv6 and possibly setup a IPv6 tunnel
via the 6Bone
- Dial Backup: Add analog modem dial backup when the ADSL/Cablemodem
goes down
- CODA: Replace NFS support with CODA
- Implement a new 2.2.x kernel
[Section 3]
Added a very detailed description and diagram of how any TCP/IP
packet firewall (including IPFWADM and IPCHAINS) operates.
[Section 10]
Cleaned up area between the MASQ vs. NON-MASQ rc.firewall rulesets
[Section 10]
Updated the MASQ and NON-MASQ rc.firewall to v2.90
- Changed the default policy for INPUT/OUTPUT/FORWARD from DENY to
REJECT. This is actually just a semantic issue since I was
REJECTing all non-allowed packets at the end of each INPUT,
OUTPUT, and FORWARD section.
[Section 10]
Detailed out how to support multiple Internet domain names from one
DNS server. Simple!
[Section 24]
Added a note that if you are going to support email for multiple
Internet domains on this one box, you need to add those domain names
to the /etc/sendmail.cw file.
[Section 25]
Added a rough tape drive benchmark output in the
/usr/local/sbin/bru-fullbackup file.
[Section 29]
Moved a bunch of old Updates to the old Updates URL given at the
top of this section.
[Section 100]
02/08/99 Updated the "ssh" profile to include the -C and -P options to
enable Compression and to disable rsh (tcp ports > 1024) support.
This would break the ability to SSH out of the rc.firewall ruleset.
[Section 30]
02/07/99 Updated the MASQ and NON-MASQ rc.firewall to v2.80
- Clarified the input/output rules for HTTP to use the -W interface
option and added a #ed out rule for allowing HTTP traffic directly
to the Linux box from the Internet.
[Section 10]
02/04/99 Fixed a typo from /var/adm/log.to.ttys to /var/log/log.to.ttys
[Section 9]
--
=====================================================
02/09/99 - Lots of changes to the TrinityOS doc. See the TrinityOS changelog
at the bottom of the document for full details.
- Cleaned up the Who-Am-I section a little
- Changed the layout of the main ~dranch WWW page
=====================================================
01/08/99 - [Notified the Updates email list]
=====================================================
01/08/99 Fixed some spelling issues
[Section 1]
Added the Future Feature to move /var/log/sendlogs to /usr/local/sbin
Fixed some spelling issues and added the fact in the Future Features
section that I think I'm going to implement a SWAN / IPSEC VPN instead
of a SSH/PPPd VPN.
[Section 2]
Added IPCHAINS URLs
Added SWAN / IPSEC URLs
[Section 5]
Documented the fact that most Linuxes truncate all passwords
after 8 characters and how it's critical to make good passwords.
Fixed an anonymous FTP file name typo. Should have been
/etc/ftpaccess.
[Section 8]
Changed the perms on /etc/syslog.conf to 600
[Section 9]
Added the pointer to check out [Section 40] for specific NFS
IPFWADM exceptions.
[Section 10]
Added a little text intro on how Linux Alpha and Beta kernels
are numbered and what it means to be an "even numbered" kernel.
[Section 12]
Documented the rationale to always run/not-run Sendmail and
noted a few critical things for users that are NOT always running
sendmail but do want to send mail from their Linux box.
[Section 25]
Did some cleanup to the NFS section, added "635/udp mountd"
to /etc/services {Why isn't there now?}.
Added specific exceptions to the IPFWADM ruleset to allow NFS traffic
to specific hosts on the internet.
[Section 40]
Did some clean-up to the IPCHAINS section and added a pointer
about 2.1.x / 2.2.x kernels to the Kernel section.
[Section 44]
Added the use of the pwck and grpck commands to check for hacked
/etc/passwd and /etc/group files.
Added the use of the "last | more" command to check when users
last logged in.
[Section 46]
* Lots of thanks to Andy Barclay for his editorial eye on these
* fixes.
01/06/99 Moved all changelogs prior to 12/22/98 to
the URL above. (64 changes/additions)
[Section 100]
01/05/99 Changed the System backup section name to reflect minimum
and quick backups to floppy
[Section 2 and 3]
Added the LDP's Security HOWTO URL
[Section 8]
Changed the /var/log file perms from 700 to 600
Changed the cron daily's execution order to
correct lost log issues from the "rotatelogs"
executing.
[Section 9]
Change the section name to "Backing up your box (minimum files to
floppy and full backup to tape with BRU)"
Added minimum critical files to backup to floppy in addition to
backing up the whole system to tape or CD. Lots of good stuff
in here!
[Section 29]
Added the "ssh" alias to use the BlowFish codec for outgoing
Linux SSH connections
[Section 30]
Added the "So you think you are being hacked.. Confirm it!" section
[Section 46]
12/29/98 Added the NMAP portscanner to the feature set
section
[Section 3]
Added the NMAP URL (doh!)
Thanks to Fidor for pointing this out..
[Section 5]
Added NMAP portscanner installation and use instructions
[Section 45]
Added a PAM RPM update
[Section 50]
12/28/98 Added the PPPd/SSH VPN in the future features
[Section 3]
Added the beginnings of the IPCHAINS section
[Section 44]
Each file must be unique. So, the fix is to configure and create individual scripts
RETCMD /usr/local/sbin/apcupsd-retcmd
12/23/98 -
12/22/98 - [Notified the Updates email list]
12/21/98 -
12/18/98 -
12/17/98 -
Added 6 RPMs to fix issues with Netscape, FTP, and Xwindows
[Section 50]
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
12/06/98 -
12/05/98 -
12/04/98 -
12/03/98 -
12/01/98 -
Also added version notes to the script
[Section 24]
11/29/98 -
11/27/98 -
Updated the BRU exclude files to not compress RAR files
[Section 29]
Moved most of the old updates to a separate file at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri
[Section 100]
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
11/22/98 -
Updated SSH to 1.2.26
[Section 30]
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
11/20/98 -
11/18/98 -
11/17/98 - [Notified the Updates email list]
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
11/15/98 -
11/13/98 -
11/06/98 -
11/05/98 -
11/01/98 -
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
10/31/98 - [Notified the Updates email list]
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
I'll just list some of the more MAJOR points here and let you read about all the little changes in [Section 100] of the doc:
- Added the WWW functionality to the feature list
- Added an additional strong IPFWADM ruleset for single-NIC non-masquerading servers
- Added Section 38 for Tripwire monitoring
- Added the beginnings of backing the machine up to a CD-R
- Added the APCUPSD configuration
* Added a search/replace section for endusers to do a search/replace on a downloaded copy of TrinityOS to custom change the doc to reflect their environment. I honestly believe this will help people setup their Linux boxes faster.
- Removed FTP guest access
- Added MD5 hashing to the shadow password setup
- Added the cracklib.so module to the passwd system
- Added monitoring /var/log/maillog on tty9
- Added IPPORTFW compiling and rulesets; be sure you read the notes section in there
- Changes the Firewall to REJECT outgoing PPTP, Remote Winsock, NFS, PcAnywhere, and Xwindows highports.
- Added a little intro blurb on how Redhat start/stops daemons from the various /etc/rc.d dirs.
- Completely OVERHAULED the IPFWADM firewall rulesets. To be honest.. the old ones SUCKED!
- Fixed the FTPd defaults so that Redhat will properly work with a patched version of Tar (supports Bzip2) and properly support "compress" compression on the fly!
- Disabled anonymous FTP -- VERY IMPORTANT!!!!
- Fixed the permissions in the rc.cdrom file so people can READ the files. Evidently, though the permissions don't correctly show up in a "ls -la", they DO work!
Adding a CD-ROM changer, installing (2) HDs and (1) tape drive, implement MD0 spanning or
software-based RAID-5, setup SPLIT-DNS, implement automatic weekly incremental tape
backups, and move this doc over to HTML format.
Section 3
I hope to begin implementing my new WWW site design fairly soon that will include a
ton of new content and a search engine too.
Last Updated: 10/16/03