<!doctype linuxdoc system>
<article>
<title>TrinityOS: A Guide to Configuring Your Linux Server for Performance, 
Security, and Manageability
<author>David A. Ranch   <tt>dranch at trinnet dot net</tt>
<date>May 22, 2005
<abstract>
TrinityOS and its associated archive scripts guide the Linux user in a 
step-by-step fashion, using a common example throughout, to configure over 50 
Internet services.  The main focus of TrinityOS is to do this in a secure 
fashion while keeping both performance and manageability in mind.  The 
documents also guide the user through other advanced topics such as acquiring their 
own Internet domain(s), moving DNS servers, determining whether you've been hacked, 
fighting SPAM email, and fixing various Linux file system, partition, LILO, 
and data recovery problems.
</abstract>

<toc>

<!-- Section 1 -->
<sect>Copyright Notice<label id="sect-1">
<p>

TrinityOS(TM)(c) 			<url url="http://www.ecst.csuchico.edu/&tilde;dranch/LINUX/index.html#TrinityOS">

Written, Maintained, Trademarked, and Copyrighted by
David A. Ranch (dranch at trinnet dot net)

   Sorry for all the legal stuff...

       I've already had one company try to take the name TrinityOS from me 
       (thus the trademark - Reg. Numbers 2440502 and 2525874).  I also have
       had one LDP Guide author ("Securing and Optimizing Linux Red Hat 
       Edition - A Hands on Guide") rip off a large portion of TrinityOS's 
       content without even referencing me or TrinityOS as a source.  
       Unfortunately, this author simply rewrote / rephrased the sections of 
       it to avoid any direct copyright issue though the content is the same.  
       So, with all this bad luck, I had to start covering my butt from the 
       many lowlifes in the world.

       Anyway, if you would like to use some of the content from TrinityOS in 
       your project, you NEED to contact me first for permission.  I'm an easy 
       going guy so it won't be a big deal.  Please just don't use my stuff 
       first and ask second.  That's pretty silly.  
       


<!-- Section 2 -->

<sect>Introduction<label id="sect-2">
<p>
		TrinityOS is a complete Linux server configuration, maintenance, and
		security guide for the Linux novice and guru alike!  Though there are
		a LOT of features covered in TrinityOS, you don't have to implement all
		of them.  All I can say is, if you are going to connect your Linux box
		to the Internet, at least INSTALL the packet firewall!!  

		This document is tailored as a step-by-step, example-driven document, 
		instead of a detailed explanation doc on each Linux feature.  It doesn't
        go into many debugging aspects since the Linux Documentation Project's 
        (LDP) HOWTOs already cover this.  The TrinityOS document is intended 
        for a technical audience but hopefully everything is laid out well 
        enough that a new user should be able to follow along without too much 
        trouble!  

		All of TrinityOS's step-by-step instructions, files, and scripts are 
        fully scripted out for an automatic installation at:
		
		<url url="http://www.ecst.csuchico.edu/&tilde;dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz">

		* For the curious, the name TrinityOS and my company, Trinity Designs, 
        are NOT derived from being religious (the holy Trinity).  The name 
        &dquot;Trinity Designs&dquot; came from the Trinity Alps in Northern 
        California and &dquot;TrinityOS&dquot; came from the name of the first 
        atomic bomb testing site in White Sands, New Mexico.

		Like any UNIX document, it must be updated constantly to remain 
        relevant.  I will do my best to maintain this document but all 
        comments, ideas, etc. are appreciated to keep TrinityOS valuable!

		This guide was initially based on the Slackware v3.2 distribution but, 
        due to a disk crash, I then installed Redhat 5.0 to try it out.  From 
        that point on, I have tried to make the TrinityOS doc reflect other 
        distributions.
		
			Note: Most of the initial functionality given in this document
				is already available in a modern day distribution such as
				Mandrake, Redhat, Debian, SuSe, etc.  If you are using a 
				distribution other than Redhat, Debian, etc., you will 
				need to use this doc as a *reference* or a project 
				management guide only.  You will then need to obtain the 
				various software sources or binaries by hand and configure 
				the software via its native methods.


		** Please note that this document will always be &dquot;Under Construction&dquot;. **

		   Everything in the &dquot;Current Features List&dquot; has been implemented
           and should be documented.  Some things in the &dquot;Future Features&dquot; 
           section have already been completed though not necessarily 
           documented yet.  If you have any specific questions about the &dquot;Future&dquot; 
           or &dquot;Current features&dquot;.. feel free to ask!


&num;&num;&num;&num; Tangent &num;&num;&num;&num;
&num;
&num;    If you have come to this doc directly, you also might want to 
&num;    check out the rest of my WWW page at:
&num;
&num;			<url url="http://www.ecst.csuchico.edu/&tilde;dranch">
&num;
&num;		It covers other topics such as:
&num;
<itemize>
 <item>Who am I		(Why did I do all this?)
 <item>Linux             (TrinityOS, book reviews, other links, etc)
 <item>PC Hardware       (PC chipsets, CDR evals, BIOS discussions, etc)
 <item>RAS technologies  (xDSL, 56K modems, PPP optimizations, etc)
 <item>Cable modems      (how they work, the system I setup, @Home, etc)
 <item>ISDN technologies (T/A &amp; router evaluations, etc)
 <item>Researching ISPs  (How to pick a good ISP)
 <item>Bookmarks         (Check out my extensive WWW bookmarks)         
</itemize>

<verb>
         **********************************************************************
         ** Would you like to be notified when I update my WWW page or       **
         **   specifically the TrinityOS doc?                                **
         **                                                                  **
         ** Every &dquot;update&dquot; e-mail is based from both the ChangeLog WWW page  **
         ** and the TrinityOS ChangeLog section so you will know what        **
         ** exactly was updated without any extra fluff.                     **
         **                                                                  **
         ** If you're interested, send an e-mail to                          **
         **                                                                  **
         **                  mailto:dranch at trinnet dot net                **
         **                                                                  **
         ** with a subject of &dquot;Add me to your updates list&dquot; and I'll add     **
         ** you to the list!                                                 **
         **                                                                  **
         ** -P.S.- In the same request email, tell me what specifically you  **
         **       were/are looking for on my WWW page or in TrinityOS.       **
         **       I'm always taking new requests for additions and expanded  **
         **       coverage of topics already on my page.                     **
         **                                                                  **
         **       So don't be shy!                                           **
         **********************************************************************
</verb>

<!-- Section 3 -->

<sect>Feature Sets<label id="sect-3">
<p>
<sect1>Current Features:
<p>
<sect2>Master References and Recommended Guidelines
<p>
<itemize>
  <item>An extensive URL library and current version list for all installed 
and recommended Linux tools and applications
  <item>Example guidelines on documenting the hardware and partition layout of 
your specific hardware
</itemize>
<sect2>	Linux Distribution Thoughts:
<p>
<itemize>
<item>Thoughts and recommendations on picking a Linux distribution
<item>A common &dquot;Search &amp; Replace&dquot; example template throughout the document for
both better clarity and the ability to use Search/Replace tools to customize 
this doc to YOUR specific setup 
</itemize>
<sect2>	Core OS setup:
<p>
<itemize>
<item>Configuring, compiling, installing, and booting both a 2.2.x &amp; 2.0.x kernel
<item>Lilo configuration, security, and recovery
<item>PCMCIA / CARDBUS PC-Card Services			
<item>Software RAID 0 (striping) hard drives
<item>7-CD SCSI CD-ROM changer system
<item>Automated Patching via RPM notifiers
<item>EXT2 file system tuning
<item>IDE hard drive performance optimization 
<item>Dual printing system support for both UNIX and Windows/Samba hosts
</itemize>

<sect2>	Network Connectivity:
<p>
<itemize>
<item>Strong, configurable, and well commented IPCHAINS and IPFWADM packet firewall 
rule sets for SINGLE, DUAL, and THREE NIC environments.  This section also 
includes a complete intro on how Packet and Stateful Inspected firewalls work
<item>Automated rollback script for the loading of rc.firewall rule sets so 
that if you make an error in the firewall rule set and the rule set doesn't 
complete execution, a backup rule set will be automatically loaded to restore 
connectivity.
<item>Full LAN masquerading (NAT or Network Address Translation) using private IP 
addressing
<item>Masq IP port forwarding support (PORTFW) 
<item>Three Ethernet network card support setup and TCP/IP Performance optimization 
(modem and cable modem users w/ DMZ support) 
<item>DNS servers running both primary and secondary zones using Bind in a 
CHROOTed and SPLIT Zone configuration
<item>Full Sendmail-based SMTP and backup SMTP e-mail system support w/ domain 
masquerading &amp; Anti-SPAM measures with support for more than one Internet 
domain on one EMAIL server
<item>IMAP4 / POP3 remote email service
<item>DHCPd server for other LAN machines (laptops, etc)
<item>DHCPc Linux client setup for getting TCP/IP addresses
<item>SAMBA: Full Microsoft Windows file &amp; printing support
<item>NFS: Full Sun RPC-based Network File System support
<item>IPSEC (Swan) VPN &lsqb;Almost Complete&rsqb;
<item>PPTP VPN client and forwarding through IPMASQ
<item>HTTPd WWW server support 
<item>PPP connectivity for primary PPP connectivity AND backup PPP connections
<item>Dial-on-Demand (Diald) Internet connections (modem users)
		- Automatic Internet connections every 15 minutes (modem users)
<item>Direct dial-in terminal / PPP access via a modem
<item>NTP time calibration
<item>Full UNIX printing via LPR
</itemize>
<sect2>	Security:
<p>
<itemize>
<item>Complete physical and OS-level security recommendations and guidelines
<item>Full SSHd (encrypted TELNET) support 
<item>Actively Updated Linux system security and patching (Shadow passwords, etc)
<item>Advanced SYSLOG logging and nightly filtered reports emailed to the root user
<item>Prioritized TrinityOS &dquot;CRITICALITY&dquot; rating system in the 
CHANGELOG section to gauge the level of urgency of security vulnerabilities, 
system mis-configurations, etc.
<item>NMAP port scanning to test your packet firewall
<item>Anonymized Sendmail Banners
</itemize>
<sect2>	System backup:
<p>
<itemize>
<item>Minimum backups to floppy 
<item>Full backups via Hard drives or to tape using BRU with emergency restore diskette creation
<item>Full APC SmartUPS power down support (APCUPSd) with both paging support
and plotting power stats with GNU Plot to a graph which is emailed via "Sendlogs" 
<item>Backing up the server to a CD-R &lsqb;not completed yet&rsqb;
</itemize>
<sect2>More extensive guides:
<p>
<itemize>
<item>How to fix LILO, HD partitioning, and file system corruption
<item>How to obtain an Internet domain(s) via a domain registrar
<item>How to successfully move Internet domains across DNS servers and/or 
TCP/IP addresses
<item>How to recover from your box being hacked and how to RE-secure it
<item>Full documentation on how to understand and FIGHT all that SPAM email
<item>SSH encrypted PORTFW VPN tunnels for email, etc
</itemize>
<p>
<sect1>Future Features:
<p>
(Won't be implemented in any particular order)
<p>
<sect2>	* TrinityOS TO-DOs:
<p>
<itemize>
<item>Add more &dquot;Configuration via GUI tools&dquot; sections
</itemize>
<sect2>	* Network stuff
<p>
<itemize>
<item>Give instructions on compiling Xntp
<item>Modularize the rc.firewall rule set so updates can be transparent and not 
require additional tailoring for each update.
<item>Remove LPR and replace it with LPRng or CUPS
<item>IPv6: Configure and setup IPv6 and possibly setup a IPv6 tunnel via the 6Bone
<item>Dial Backup: Add automatic analog modem dial backup when the ADSL/Cable 
modem goes down
<item>CODA: Replace NFS support with CODA
<item>Add a CACHING only setup for DNS
<item>Set up an email list server (MajorDomo, Petidomo, dunno yet)
<item>Email sent dynamic IP address exception requests for access through the 
TCP Wrappers and the IPFWADM rule sets
<item>DHCPc client setup for Cablemodems
<item>128-bit encrypted Apache SSL WWW server
<item>Move over to xinetd for better DoS protection
<item>WWW Proxy services
<item>WWW banner ad filtering
</itemize>
<sect2>	* Security Stuff
<p>
<itemize>
<item>Replace the Sendlogs script to use either Swatch or LogSentry
<item>Automate the firewall hits logging for trend analysis
<item>Install PGP / GPG for secure and/or verified communications to:
			other users, Internic, binaries/source code verification, etc.
<item>Tripwire Security Breach monitoring &lsqb;not completed yet&rsqb;
<item>SATAN / SAINT / Nessus / COPS / ISS security testing
</itemize>
<sect2>	* Application stuff
<p>
<itemize>
<item>Get Sendmail to run in an SMRSH shell
<item>Implement Procmail to do local email filtering
<item>Set up fetchmail to get remote email vs. setting up a remote .forward
</itemize>
<sect2>	* Administration stuff
<p>
<itemize>
<item>Rotate the UPS logs	
<item>Implement automatic weekly incremental tape backups to a tape drive.
</itemize>
<sect2>	* System Stuff
<p>
<itemize>
<item>Iomega parallel ZIP drive support
</itemize>

<!-- Section 4 -->

<sect>Hardware Configuration<label id="sect-4">
<p>
		This document uses methodologies that I have developed over the years.  
		Some of these docs have saved my butt on several occasions (documenting
		things like drive partition maps, I/O and IRQ maps).  This may seem like a 
		pain in the butt to do initially, but when you need them...

		YOU NEED THEM!  
		
<sect1>- Distribution:
<p>
	- Mandrake 7.0 w/ all available patches

<sect1>- Kernel
<p>
	v2.2.25


<sect1>Hardware Used:
<p>
<verb>
    - Intel Pentium 200Mhz / 128MB EDO RAM

    - Intel TC430HX motherboard (cannot tune IRQ use)
         - Serial port #1: COM1 - IRQ 4
         - Serial port #2: COM2 - IRQ 3
         - LPT1                 - IRQ 7
         - IDE 0                (disabled)
         - IDE 1                - IRQ 15

    - Network:
         Eth0: Compaq Netelligent 10/100 Dual port (PCI) - port #1 (IRQ  11) 
               - cable modem side

         Eth1: Compaq Netelligent 10/100 Dual port (PCI) - port #2 (IRQ  14) 
               - Int LAN

    - Video:
         Matrox Millennium II (4MB) - (PCI)

    - Sound:
         Built-in Windows Sound System (IO:530h, IRQ: 9, L-DMA: 0, H-DMA: 1, 
               MPU: 330h, MPU IRQ: -1)


    - Controllers:
         - Adaptec 2940UW SCSI controller (PCI) - IRQ: 10
               - Used for SCSI disks (ext. cabling to RAID enclosure)

         - Adaptec 2940U SCSI controller (PCI)  - IRQ: 14
               - Used for CDROMs and Tape drives (int. &amp; ext. cabling)

    - I/O Adapter - (ISA)
         (2) port serial / (1) parallel 
         - COM3 - IRQ 4
         - COM4 - IRQ 3
         - LPT2 - IRQ 5


    - Storage Devices:
				== In the primary system case ==

                - HDC:   Maxtor DiamondMax+    10.0GB (UDMA)&lsqb;512k&rsqb;&lsqb;LBA&rsqb; &lsqb;
                - HDD:   IBM 120GB HD

                - SR0-6: Nakamichi 7-CD 2x changer (ID: 4)
                - SR7:   Philips CM4xx 4x CDROM    (ID: 5)
                - ST0:   HP T4000 TR4 Tape drive   (ID: 6) [dead?]

                == In the secondary RAID enclosure ==
                
                - SDA:  Seagate ST39173N 9GB (20Mb/s) (ID: 0) - Primary HD
                - SDB:  Seagate ST39173N 9GB (20Mb/s) (ID: 1) -          
                - SDC:  IBM DNES-309170  9GB (20Mb/s) (ID: 2) -
                - SDD:  Seagate ST39173N 9GB (20Mb/s) (ID: 3) - dd backup of SDA
       

			- I/O:(See docs on IRQTUNE to better understand why these
				 are like this.  It makes a difference!)

				ttyS0: COM1 - APC SmartUPS UPS
				ttyS1: COM2 - N/A
				ttyS3: COM3 - USR Courier v.Everything
				ttyS2: COM4 - 

				LPT1:  Hp LaserJet-IIp  (UNIX &amp; Samba share)
				LPT2:  Canon S800       (UNIX &amp; Samba share)



------ I/O Maps and &dquot;Expert&dquot; fdisk partition tables -----
				
IRQ Map:

	 0: timer 	          (system)
	 1: keyboard          (system)
	 2: Cascade	          (system)
	 3: COM2-N/A          (Motherboard) &amp; COM4-                         
	 4: COM1-APC Smartups (Motherboard) &amp; COM3-US Robotics modem
	 5: Sound             (Motherboard)
	 6: Floppy            (system)
	 7: LPT1-printer      (motherboard)
	 8: Clock             (system)
	 9: Cascade                       
	10: Adaptec 2940U     (PCI)
	11: Compaq Ethernet#1 (PCI)
	12: PS/2 mouse        (motherboard)
	13: Math coprocessor
	14: Adaptec 2940UW    (PCI)
	15: IDE1              (motherboard)

I/O Port MAP:

	170-1F7h:	IDE1
	1F0-1F7h:	IDE0
	200-207h:	(not used) usually Joystick
	278-27Fh:	LPT1
	2E8-2EFh:	COM4
	2F8-2FFh:	COM2
	330-331h:	Windows Sound System Pro MPU-401
	376-376h:	IDE1
	378-37Fh:	LPT1
	3E8-3EFh:	COM3
	3F0-3F5h:	Floppy drive
	3F6-3F6h:	IDE0
	530-533h:   Windows Sound System
	
	E800h:	AHA2940U
	EC80h:	AHA2940U
	FCE0:   TLAN #1
	FCF0:   TLAN #2
	E400h:	System BIOS
	E800h:	System BIOS
	F000h:	System BIOS

DMA Map:

	0 - Windows Sound System
	1 - Windows Sound System
	2 - Alternative Floppy DMA 
	3 - Floppy DMA
	4 - Cascade
	5 - None
	6 - None


-----
All hard Drive partition tables
-----


/dev/hdc (normal mode printout - expert truncates)
==================================================
Disk /dev/hdc: 16 heads, 63 sectors, 19390 cylinders
Units = cylinders of 1008 * 512 bytes

   Device Boot   Begin    Start      End   Blocks   Id  System
/dev/hdc1            1        1    19390  9772528+  83  Linux native
==================================================


/dev/sda (expert mode printout)
==================================================
Disk /dev/sda: 255 heads, 63 sectors, 1106 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl    Start     Size ID
 1 80   1   1    0 254  63    6       63   112392 06
 2 00   0   1    7 254  63 1023   112455 17655435 05
 3 00   0   0    0   0   0    0        0        0 00
 4 00   0   0    0   0   0    0        0        0 00
 5 00   1   1    7 254  63  261       63  4096512 83
 6 00   1   1  262 254  63  294       63   530082 82
 7 00   1   1  295 254  63 1023       63 12289662 83
 8 00 254  63 1023 254  63 1023       63   738927 83
==================================================


/dev/sdb (expert mode printout)
==================================================
Disk /dev/sdb: 255 heads, 63 sectors, 1106 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl    Start     Size ID
 1 00   1   1    0 254  63 1023       63 17767827 83
 2 00   0   0    0   0   0    0        0        0 00
 3 00   0   0    0   0   0    0        0        0 00
 4 00   0   0    0   0   0    0        0        0 00
==================================================


/dev/sdc (expert mode printout)
==================================================
Disk /dev/sdc: 255 heads, 63 sectors, 1115 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl    Start     Size ID
 1 00   1   1    0 254  63 1023       63 17912412 83
 2 00   0   0    0   0   0    0        0        0 00
 3 00   0   0    0   0   0    0        0        0 00
 4 00   0   0    0   0   0    0        0        0 00
==================================================


/dev/sdd (expert mode printout)
==================================================
Disk /dev/sdd: 255 heads, 63 sectors, 1106 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl    Start     Size ID
 1 80   1   1    0 254  63    6       63   112392 06
 2 00   0   1    7 254  63 1023   112455 17655435 05
 3 00   0   0    0   0   0    0        0        0 00
 4 00   0   0    0   0   0    0        0        0 00
 5 00   1   1    7 254  63  261       63  4096512 83
 6 00   1   1  262 254  63  294       63   530082 82
 7 00   1   1  295 254  63 1023       63 12289662 83
 8 00 254  63 1023 254  63 1023       63   738927 83
==================================================



</verb>

<!-- Section 5 -->

<sect>Software URL download map and checklist<label id="sect-5">
<p>
  Software recommended and used for the TrinityOS doc (roughly in this order).


** NOTE**	Put all code in /usr/src/archive/

	I personally recommend putting ALL additional software source
	code, RPMs, etc. in /usr/src/archive.  In the &dquot;archive&dquot; directory,
	I make subdirectories for the various code like dns, ssh, sendmail, etc.
	This IS your box though, so put things ANYWHERE you so wish.  :)


<sect1>Master site for all Internet RFCs:
<p>
<itemize>
		<item><url url="http://www.cis.ohio-state.edu/rfc/">
</itemize>

<sect1>The Master IANA site
<p>
  For all Internet port numbers, protocol numbers, etc.  A VERY recommended place to go: download them ALL and put them in /etc/iana.
  <itemize>
	<item><url url="http://www.iana.org/numbers.htm">
  </itemize>
  To create a local copy, do the following:
  <code>
       mkdir /etc/iana
       cd /etc/iana/
       wget -r -l 1 -nH --no-parent http://www.iana.org/numbers.htm
  </code>

<sect1>Master site for all known Internet Trojan ports
<p>
<itemize>
		<item><url url="http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html">
</itemize>

<sect1>Distribution Sites and Update MIRRORS:
<p>
	  Any Service Packs, security patches, etc. for your installed Slackware 
	  or Redhat distribution(s)

<sect2>Mandrake Updates:
<p>
<itemize>
  <item>Master URL:	<url url="http://www.linux-mandrake.com/en/security/">
</itemize>

<sect2>Redhat Updates:	
<p>
<itemize>
  <item>Master MIRROR URL:	<url url="http://www.redhat.com/mirrors.html">
  <p>
  <item>Fast: <url url="ftp://ftp.codemeta.com/pub/mirrors/redhat/updates/">
  <p>
  <item>5.2 only: <url url="ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatUpdates/">
</itemize>

<sect1>Newest stable kernel
<p>
<url url="ftp://ftp.kernel.org/pub/linux/kernel/">
	or
<url url="ftp://ftp.freesoftware.com/pub/linux/sunsite/kernel/">

<sect2>		2.6.x
<p>
<itemize>
  <item>2.6.11.10 is stable 
</itemize>

<sect2>		2.4.x
<p>
<itemize>
  <item>2.4.30 is stable 
  <p>
  <itemize>
     <item>All kernels less than 2.4.20 have the lcall7 local DoS attack
vulnerability.  No REMOTE DoS attack is possible.
     <item>All kernels less than 2.4.13 have a serious symlink vulnerability.
Please upgrade your kernel.
     <item>Please note that the 2.4.x series of kernels is still quite new 
and some aspects of it are immature in comparison to 2.2.x kernels ( PCMCIA,
Power Management, etc ).  But, several new aspects of the 2.4.x kernels might
make you want to try it (faster IP stack, stateful firewalls, journaled
filesystems, etc. )
  </itemize>
</itemize>

<sect2>		2.2.x
<p>
<itemize>
  <item>2.2.26 is stable
  <p>
  <itemize>
    <item>All versions less than 2.2.22 have a local denial of service risk
    though no REMOTE DoS attack is possible.
    <item>ALL versions less than 2.2.16 have a TCP exploit that, when combined 
      with tools such as Sendmail, will lead to a root compromise.  
    <item>All kernels below 2.2.12 have an IP fragmentation bug.  
      This will make ALL strong IPCHAINS rule sets vulnerable!  
    <item>2.2.11 has a memory leak issue.  
  </itemize>
</itemize>

<sect2>		2.0.x
<p>
<itemize>
  <item>2.0.40 is stable
  <p>
  <itemize>
     <item>Any lower version has a DoS attack against the TCP/IP stack
  </itemize>
</itemize>

<sect1>IP NAT, MASQ, Load Balancing, and High Availability tools
<p>
  There are several implementations but here are the common ones:
  <p>
  <itemize>
    <item>A good master reference to the various NAT implementations for multiple operating systems:
      <itemize>
		<item><url url="http://www.uq.net.au/~zzdmacka/the-nat-page/">
      </itemize>
    <p>
	<item>Main Linux NAT, Load Balancing, and High Availability reference site:	
      <itemize>
		<item><url url="http://www.linas.org/linux/load.html">
      </itemize>
    <p>
    <item>Newer NAT implementations:
       <itemize>
         <item>IPROUTE2: The primary true Many:Many NAT implementation for 2.2.x kernels -  <url url="ftp://ftp.inr.ac.ru/">
         <itemize>
           <item>Mirror: <url url="ftp://ftp.tux.org/people/alexey-kuznetsov/ip-routing/">
           <item>Documentation #1: <url url="ftp://post.tepkom.ru/pub/vol2/Linux/docs/">
           <item>Documentation #2: <url url="http://www.compendium.com.ar/policy-routing.txt">
           <item>Advanced Routing HOWTO: This doc covers IPROUTE2, Policy-based
routing (source IP), GRE tunnels, Multicast, Queueing, etc, and more - <url url="http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html">
         </itemize>
         <p>
		 <item>An older NAT implementation available here: <url url="http://proxy.iinchina.net/&tilde;wensong/ipnat/">
       </itemize>
    <p>
    <item>Excellent tutorials on Linux NAT and the home of one of the first implementations:
       <itemize>
   		 <item><url url="http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html">
			or
		 <item><url url="http://www.suse.de/&tilde;mha/HyperNews/get/linux-ip-nat.html">
       </itemize>
  </itemize>


<sect2>MASQ E-mail list : By far the BEST way to get MASQ-help (very helpful!!)
<p>
<itemize>
  <item>Send mail to <url url="mailto:masq-request@tiffany.indyramp.com">
</itemize>


<sect2>Linux IP Masq
<p>

<sect3>2.4.x kernels 
<p>
<itemize>
  <item>NetFilter now provides for both 1:Many Masq-like NAT and true 1:1 NAT:
  <p>
  <itemize>
    <item><url url="http://www.netfilter.org/documentation/index.html">
  </itemize>
</itemize>

<sect3>2.2.x kernels
<p>
<itemize>
  <item>NOTE: 	ALL versions less than 2.2.16 have an IP fragmentation bug (among 
other things).  This will make ALL strong IPCHAINS rule sets vulnerable!  Upgrade 
NOW!
  <p>
  <itemize>
    <item>IPCHAINS Main site:
    <itemize>
	  <item><url url="http://www.netfilter.org/ipchains/">
    </itemize>
  </itemize>
  <p>
  IPMASQADM port forward patches:
  <p>
  <itemize>
	<item><url url="http://ipmasq.webhop.net/juanjox/">
				or
    <item><url url="ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/">
  </itemize>
  <p>
  The beginnings of Stateful Inspection for Linux:
  <p>
  <itemize>
    <item>2.0.x kernels
    <p>
    <itemize>
	  <item><url url="http://www.ifi.unizh.ch/ikm/SINUS/firewall.html">
    </itemize>
    <p>
    <item>2.1.x / 2.2.x kernels
    <p>
    <itemize>
	  <item><url url="ftp://ftp.interlinx.bc.ca/pub/spf">
    </itemize>
  </itemize>
  <p>
</itemize>

<sect3>			2.0.x kernels
<p>
<itemize>
  <item>IPFWADM (the source must be downloaded regardless of whether it was installed with Redhat)
  <itemize>
    <item>Slackware:
      <itemize>
	     <item><url url="ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0.tar.gz">
      </itemize>
    <item>Redhat:
       <itemize>
		  <item><url url="ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.src.rpm">
       </itemize>
  </itemize>
  <p>
  <item>IPFWADM patches (if required for pre-2.0.30 kernels) at:
  <itemize>
     <item><url url="http://ipmasq.cjb.net/ipfwadm-2.3.0-generic-timeout.patch.gz">
  </itemize>
  <p>
  <item>IPCHAINS support for the 2.0.3x kernels
  <itemize>
    <item><url url="http://aemiaif.lip6.fr/willy/pub/linux-patches/ipnat/">
    <item><url url="http://www-miaif.lip6.fr/willy/pub/linux-patches/">
  </itemize>
  <p>
  <item>IPPORTFW Port forwarding for 2.0.x kernels
  <itemize>
     <item>Homepage: 
     <itemize>
       <item><url url="http://www.ox.compsoc.org.uk/&tilde;steve/portforwarding.html">
     </itemize>
     <item>Patches: 
     <itemize>
       <item><url url="ftp://ftp.ox.compsoc.org.uk/pub/users/steve/ipsubs/sub-patch-1.37.gz">
     </itemize>
  </itemize>
  <p>
  <item>Interpreting Firewall hits:
  <itemize>
    <item>This is a great URL in addition to the content in Section 10 on how to 
interpret your firewall logs and what all the information means:
    <itemize>
      <item><url url="http://www.robertgraham.com/pubs/firewall-seen.html">
    </itemize>
  </itemize>
</itemize>

<sect1>PPP - v2.4.3 (not needed for most cable modem users)
<p>

		Primary site:
			<url url="http://www.samba.org/ppp/index.html/">


<sect1>ML/PPP
<p>

<itemize>
  <item>PPPd now supports ML/PPP as of 2.4.x (see above)

  <item>Strong Implementation:
            <url url="http://mp.mansol.net.au/mp/">

  <item>Lots of data, little code:
            <url url="ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink">

  <item>Another implementation (runs on 2.2.x+ and he is looking for testers)
            <url url="http://linux-mp.terz.de">

  <item>Dead link?
            <url url="http://mp.ins-coin.de">
</itemize>

<sect1>PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users
<p>
        Very popular user-space client : Primary Site:
            <url url="http://www.roaringpenguin.com/pppoe.html">

        Kernel-Space client known for somewhat better performance:
            <url url="http://www.davin.ottawa.on.ca/pppoe/">

        Some other informational URLs as well:

            <url url="http://www.suse.de/~bk/PPPoE-project.html">

            <url url="http://www.sympaticousers.org/faq.htm">


<sect1>Diald v1.00 (not needed for cable modem users)
<p>

		Diald is now maintained by a new author and site:

			<url url="http://diald.sourceforge.net"> 

				RPMS:	<url url="http://ipmasq.webhop.net/juanjox/">

		Download the original Diald and Diald patches (Diald v0.16.5)

			<url url="http://www.loonie.net/&tilde;eschenk/diald.html">


<sect1>Bind / Named current:	9.3.1 and 8.4.6
<p>

		Sources:	
			<url url="ftp://ftp.isc.org/isc/bind/src/">

        Versions:  9.2.2 requires non-vulnerable OpenSSL code.  It's 
                   also recommended to download both the source code /and/
                   the associated .asc PGP signature for that version of
                   BIND.

		RPMs:
			Finding new RPMs for the newest versions of Bind isn't very
            easy.  One place you might have luck is the CONTRIB area of
            sites like Redhat and Mandrake.  Those RPMs seem to work fine 
            but some people do NOT trust someone else's compiled code, so 
            it's your choice.

				<url url="ftp://rawhide.redhat.com/">

			You can also find a chroot-ed version of bind here:

				<url url="ftp://ftp.fi.muni.cz/pub/users/kas/bind-chroot/">


		Announcement list:

			Send email to bind-announce-request@isc.org with &dquot;subscribe&dquot; in
			the subject field.


<sect1>Vlock (stock in Redhat if installed)
<p>

		<url url="ftp://ftp.freesoftware.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz">


<sect1>Network Sniffers
<p>
<sect2>		- TCPDUMP (stock in Redhat if installed) - Excellent network packet sniffer
<p>
				<url url="ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/management/">
					or
				<url url="ftp://ftp.ee.lbl.gov/tcpdump.tar.Z">


<sect2>		- IPtraf - Excellent high level network protocol watcher
<p>
		  	 - Current 2.7.0

			<url url="http://iptraf.seul.org">
		

<sect2>		- Ethereal - An excellent GUI decoder
<p>
		  	 - Current 0.10.11

			<url url="http://ethereal.zing.org/">


<sect1>Sendmail	current:	v8.13.4, v8.12.11, and v8.11.7
<p>

		<url url="ftp://ftp.sendmail.org/pub/sendmail/">

        Both Sendmail 8.12.9 and 8.11.7 are secure though they have a problem
        with the "smrsh" shell.  TrinityOS doesn't use this but if you are
        concerned about it, a patch is available.  Currently, if you plan to
        use 8.11.x, you need to run 8.11.7 to secure it against a few recently
        found remote root exploits.
      
<p>
		RPMs:
			The newest Sendmail is NOT available in RPM form from sendmail.org but
			it IS in Redhat's CONTRIB area.  It seems to work fine but some people
			do NOT trust someone else's compiled code, so, it's your choice.

			<url url="ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatContrib/libc6/i386">
		
		Announcement list:

		Send an email to majordomo@Lists.Sendmail.ORG with the text 
		&dquot;subscribe sendmail-announce&dquot; in the body of the message.


<sect1>POPAuth
<p>

		I have taken over ownership of these documents but haven't had a chance to post
        them yet.  If you would like to get a copy of them, please email 
        <url url="mailto:dranch at trinnet at net" name="me"> 

		For allowing remote POP-3 clients to be able to use the SMTP server to 
		send email.


<sect1>Virtual Email domains
<p>

		To support multiple email domains w/ Sendmail, Qmail, etc check out:

			<url url="http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO.html">


<sect1>DHCP Server - DHCPd v3.0.2
<p>

        DHCP Faq:       <url url="http://www.dhcp-handbook.com/dhcp_faq.html#hddhs"> 
<p>
		RFC Info:		<url url="http://www.dhcp.org/rfc2131.html"> 
<p>
                        <url url="http://www.dhcp.org/rfc2132.html">

		Legacy Info:	<url url="http://www.cis.ohio-state.edu/rfc/rfc1542.txt">

		Download:		<url url="http://www.isc.org/dhcp.html">


<sect1>DHCP Client
<p>

		DHCP HOWTO:		<url url="http://www.tldp.org/HOWTO/mini/DHCP/index.html">

        dhclient v3.0.2 comes with the server code above

		DHCPcd 1.3.22-p14:	<url url="http://www.phystech.com/download/dhcpcd.html">

		Other DHCP info:

			<url url="http://www.linux-firewall-tools.com/linux/firewall/index.html">

			A HOWTO specific to the RoadRunner Cablemodem setup, but
			it's still a good site: 	<url url="http://www.vortech.net/rrlinux/">

<sect1>WU-FTP v2.6.2 - with multiple patches
<p>

			FTP:		<url url="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/">

			FAQ:		<url url="http://www.cetis.hvu.nl/&tilde;koos/wu-ftpd-faq.html">

<sect1>NetWatch
<p>

		<url url="ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/">


<sect1>Getdate (NTP)  - v1.2   (Was SETTIME)
<p>
  <url url="ftp://metalab.unc.edu/pub/Linux/system/network/misc/getdate_rfc868-1.2.tar.gz">

<sect1>NTP Clock Sources
<p>
   <url url="http://www.eecis.udel.edu/&tilde;mills/ntp">

<sect1>Tape Back up:
<p>

		- BRU  (it's not free but it's the best Linux backup software out there IMHO.
			  This is one place you just CAN'T skimp!)  Recommended!

              <url url="http://www.estinc.com">


<sect1>Mozilla v1.7.8 (Netscape is dead)
<p>
      Original Mozilla (deprecated) - 1.7.8
      Firefox                       - 1.0.4
      Thunderbird                   - 1.0.2

        <url url="ftp://ftp.mozilla.org">

<sect1>SSH		
<p>
        Commonly used BSD licensed OpenSSH client/server (totally free)
        - current: 4.0p1
          <url url="http://www.openssh.com/">

        Original Commercial SSH.com client/server (free for Linux :: for now)
        - current: 3.2.6.1
          <url url="http://ftp.ssh.com/pub/ssh/">


	Additional UNIX SSH tunneling URLs:

		<url url="http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html">


<sect1>MDADM and Raidtools
<p>
        MDADM v1.11.0:
            <url url="http://www.cse.unsw.edu.au/~neilb/source/mdadm/">

		Good but old info on Linux RAID:
			<url url="http://linas.org/linux/raid.html">

		Raidtools (DEPRECATED) 1.00.3:
            <url url="http://people.redhat.com/mingo/raidtools/">


<sect1>Samba current: 3.0.14a (stock in most distros if installed)
<p>

		<url url="http://www.samba.org">

		Also, they have great docs at <url url="http://samba.anu.edu.au/">

<sect1>PCMCIA Services - 3.2.8
<p>

		<url url="http://pcmcia-cs.sourceforge.net/">


<sect1>UPS software - APCUPSd and Powerchute
<p>
		Original and quite nice APCUPSd open-source daemon - v3.10.17a:
          <url url="http://www.apcupsd.com/"> or 
          <url url="http://www.sibbald.com/apcupsd/">

        Official APC Powerchute for Linux - v4.5.3 - Free closed-source daemon
        with excellent Xwindows support:
          <url url="http://www.apcc.com/tools/download/index.cfm">
          
	
<sect1>Apache WWW server - 2.0.54 and 1.3.33
<p>

		Standard Apache:		<url url="http://www.apache.org">
							or
		<url url="ftp://ftp.redhat.com/pub/contrib/i386/apache-1.2.6-5.i386.rpm">

	
		SSL-encrypted Apache:

						<url url="http://www.apache-ssl.com/">

<sect1>File Integrity testing/Monitoring
<p>
<sect2>		TripWire:  
<p>

			Tripwire has gone OpenSource for LINUX!  Woohoo!
			Though it isn't available quite yet, it will be
			there soon:

				<url url="http://www.tripwire.org">

			Also, as of v2.2.1, Tripwire now runs on Glibc.

				<url url="http://www.tripwiresecurity.com/products/Tripwire_ASR20.cfml">

			You can also get the older versions here:

				<url url="ftp://coast.cs.purdue.edu/pub/COAST/Tripwire">

<sect2>		Aide:
<p>
			AIDE is a GNU version of Tripwire - v0.10

		<url url="http://sourceforge.net/projects/aide">

<sect2>     ViperDB:
<p>
            ViperDB is another GNU version of Tripwire

        <url url="http://www.resentment.org/projects/viperdb/index.html">


<sect1>RPM update tools:
<p>
<sect2>		AutoRPM current version: 1.9.8.1
<p>
			<url url="http://www.kaybee.org/&tilde;kirk/html/linux.html">

<sect2>		The Perl module &dquot;Libbet&dquot;
<p>
			<url url="http://cpan.valueclick.com/modules/by-module/Net/">

<sect2>		RPM Watch current version: 1.1
<p>
			(does not work for Redhat 5.2+) &lsqb;Will be phased out&rsqb;
			<url url="ftp://ftp.iaehv.nl/pub/users/grimaldo/rpmwatch-1.1-1.noarch.rpm">

<sect2>		RPMLevel (from the author of RPMWatch)
<p>
			<url url="http://coralys.com/products/">


<sect1>Mkisofs
<p>

		<url url="ftp://ftp.fokus.gmd.de/pub/unix/cdrecord/mkisofs/">


<sect1>Compression tools
<p>

		BZip2 : <url url="http://sourceware.cygnus.com/bzip2/index.html">


<sect1>Bash HOWTO
<p>

		<url url="http://www.linuxdoc.org/HOWTO/Bash-Prompt-HOWTO.html">		
	              Also see <ref id="sect-42" name="Section 42"> in TrinityOS


<sect1>Dial-In Server HOWTO
<p>

		<url url="http://www.swcp.com/&tilde;jgentry">


<sect1>SWAN / IPSEC VPN
<p>

		Project home page:

			<url url="http://www.xs4all.nl/&tilde;freeswan">
				or
			<url url="http://www.flora.org/freeswan/">

		SWAN email list:

			<url url="http://www.xs4all.nl/&tilde;freeswan">

		Overview 
			<url url="http://www.cygnus.com/&tilde;gnu/swan.html">

		Download the IPSec code from:

			Broken? <url url="ftp://ftp.xs4all.nl/pub/crypto/freeswan">

			Works ? <url url="http://ftp.xs4all.nl/pub/crypto/freeswan">

				or
				
			<url url="http://www.flora.org/freeswan/download">

		Other Mini-HOWTOs:

			<url url="https://www.seifried.org/articles/ipsec/">

<sect1>PPTP VPNs and client software
<p>
<itemize>
   <item>Client: <url url="http://sourceforge.net/projects/pptpclient/pptp-linux-1.1.0-1.tar.gz">
   <item>PPP shim: <url url="http://sourceforge.net/projects/pptpclient/ppp-mppe-2.4.0-4.tar.gz">
   <p>
   <item>Additional docs: <url url="http://pptpclient.sourceforge.net/howto.html#setup">
   <item>Addition troubleshooting: <url url="http://pptpclient.sourceforge.net/howto-diagnosis.phtml">
   <p>
   <item>IPMASQ patches: <url url="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
</itemize>


<sect1>PGP Email Encryption
<p>
 <itemize>
   <item>PGP:  <url url="http://web.mit.edu/network/pgp.html">
 </itemize>

<sect1>Serial consoles and Remote TELNET
<p>
 <itemize>
   <item>Remote Serial HOWTO (for more details on configuring serial consoles):  
<url url="http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/">
 </itemize>

<sect1>IP logger
<p>

		<url url="ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm">


<sect1>Hardware Performance Tuning:
<p>
<itemize>
  <item>PowerTweak - optimize the BIOS/Chipset/PCI registers
        <url url="http://powertweak.sourceforge.net/">

  <item>Preempt patch - make the kernel more responsive under load
        <url url="http://www.tech9.net/rml/linux/">

  <item>IRQTune - optimize IRQ response times - good for PPP/Modem users
        <url url="ftp://shell5.ba.best.com/pub/cae/irqtune.tgz">

  <item>HDparm - good for hardcore IDE performance users
        <url url="ftp://sunsite.unc.edu/pub/Linux/kernel/patches/diskdrives">
</itemize>


<sect1>Security Documentation, Tools, and Resources
<p>

<sect2>Various Security Mailing lists and documentation
<p>
  <itemize>
    <item><url url="http://www.shmoo.com">
  </itemize>

<sect2>The Linux Security HOWTO
<p>
  <itemize>
    <item><url url="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html">
  </itemize>

<sect2>Logging tools:
<p>
  <itemize>
	<item>CheckLogs: 
    <itemize>
      <url url="http://www.iae.nl/users/grimaldo/chklogs.shtml">
    </itemize>
    <p>
	<item>Swatch:
    <itemize>
	 <url url="ftp://ftp.stanford.edu/general/security-tools/swatch">
    </itemize>
    <p>
	<item>Psionic LogCheck:
    <itemize>
		<url url="http://www.psionic.com/abacus/logcheck">
    </itemize>
    <p>
	<item>LogSurfer:	(like Swatch but with state checking!)
    <itemize>
		<url url="http://www.cert.dfn.de/eng/logsurf/home.html">
    </itemize>
  </itemize>

<sect2>		- Nmap - v3.81 :
<p>

			<url url="http://www.insecure.org/nmap/">

<sect2>		- Nessus - 2.24 :
<p>

			<url url="http://www.nessus.org/">

<sect2>		- COPS (old)
<p>
	
			<url url="ftp://ftp.freesoftware.com/pub/linux/sunsite/system/security/cops_104.tgz">

<sect2>		- Saint (new version of Satan)
<p>

			<url url="http://www.wwdsi.com/saint/">

<sect2>		- SATAN (Old)
<p>
	
			Newer: <url url="ftp://ftp.porcupine.org/pub/security/index.html">

			Older <url url="ftp://ftp.win.tue.nl/pub/security/satan.tar.Z">

<sect2>		- Solar buffer-overflow fixer 
<p>
	
			<url url="ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2">

<sect2>		- Kurt Seifried's Linux Administrators Security Guide (LASG) 
<p>

			<url url="https://www.seifried.org/lasg/">

<sect2>		- Ofir Arkin's paper on ICMP protocol fingerprinting
<p>

			<url url="http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf">

<sect2>		- Other URLs:
<p>

			Test Exploits:	<url url="http://www-miaif.lip6.fr/willy/security/">

			Test Exploits:	<url url="http://www.rootshell.org">

			Test Exploits:	<url url="http://www.l0pht.com">

			Test Exploits:	<url url="http://www.geek-girl.com">

			Security Alerts:	Subscribe to BugTraq at <url url="mailto://LISTSERV@NETSPACE.ORG">

			More Security:

					<url url="http://www.ecst.csuchico.edu/&tilde;dranch/LINUX/index-linux.html&num;security">

					<url url="http://www.ecst.csuchico.edu/&tilde;jtmurphy/">


<sect2>		- Abacus Security Initiative
<p>
			Includes host_sentry, port_sentry and logchecker.

			<url url="http://www.psionic.com/abacus">


<sect2>	    - Intrusion Detection Systems (IDS) Tools SHADOW (SANS) 
<p>

			SHADOW (SANS): <url url="http://www.nswc.navy.mil/ISSEC/CID/step.htm">
<p>
            Snort: <url url="http://www.snort.com">


<sect2>		- Network Flight Recorder
<p>

			  Setup HOWTO:
				<url url="http://www.nswc.navy.mil/ISSEC/CID/nfr.htm">

			  NFR software:
				<url url="http://www.nfr.net/download/">

			  NFR ID Attack ID Packages:
				<url url="http://www.nswc.navy.mil/ISSEC/CID/nfr_id.tar.gz">
				<url url="http://www.l0pht.com/NFR/">

<sect1>WWW proxy (Apache or Squid)
<p>

<sect1>WWW Ad banner filtering
<p>

		<url url="http://www-math.uni-paderborn.de/&tilde;axel/NoShit/index.html">

			patch: <url url="http://www.america.com/&tilde;chrisf/web/NoShit/WebFilter_0.5.patch.gz">

			Example filter: <url url="http://www.america.com/&tilde;chrisf/web/NoShit/library.txt">		

<sect1>Zip drive
<p>
			<url url="http://www.torque.net/&tilde;campbell">

<sect1>Linux Applications:
<p>

			<url url="http://www.xnet.com/&tilde;blatura/linapps.shtml">

<sect1>Linux Games:
<p>

			X-Shipwars: <url url="http://fox.mit.edu/xsw/">

<sect1>Linux Instant Messenger clients:
<p>
<itemize>
  <item>GAIM 1.3.0
         <url url="http://gaim.sf.net">

  <item>Reviews of different IMs for Linux:
     <url url="http://www.linuxnetmag.com/en/issue2/m2icq1.html">
     <url url="http://www.portup.com/&tilde;gyandl/">
</itemize>
			


<!-- Section 6 -->
<sect>Thoughts on Picking a Linux Distribution<label id="sect-6">
<p>
<sect1>- Installing Linux distribution
<p>
This is too complicated to be completely covered in TrinityOS. But, to get you 
started, here are a few comments that talk about what Linux distribution might 
be right for you.

One thing I've been asked over and over is regarding users that are trying out 
Linux with an old Linux CD (given to them, etc.).  With the new 2.4.x kernels 
out, all the newest Linux distributions BLOW AWAY the old ones in terms of 
ease of setup, performance, hardware compatibility, etc.  So, I recommend that 
you get a new copy of a given Linux distribution and give that a look.  And you 
can't tell me it's expensive when you can get almost ANY Linux distribution 
for under &dollar;3.00 US a CD from places like 
<url url="http://www.cheapbytes.com">.

<verb>
*-----------------------------------------------------------------------------*
*  What do I use?  I currently use Mandrake v9.1 on my work laptop (Dell) and *
*                                                                             *
*  7.0 at home but I'm worried about Mandrake's direction (see more below)    *
*-----------------------------------------------------------------------------*
</verb>

	So, with that behind us, here are a few notes:


<sect1>Redhat:	http://www.redhat.com
<p>
Redhat has recently discontinued both their regular Linux distribution via 
retail channels as well as their downloadable ISO version (currently 9.0).
Moving forward, Redhat has created two projects.  The "Fedora" project which 
is an opensource distribution and then their Redhat Enterprise Linux v3.0 
distro line.  A good question is if the Fedora project will take over 
where the RH9.0 distro left off in terms of quality, etc.  I have no idea but 
I do know that the testing won't be nearly as good and I doubt the installer 
and GUI tools will be as refined as they've been in the past.
<p>
Fedora: The main differentiation between the two RH distros is that there isn't
any Redhat commercial grade testing or tech support for the Fedora version.
This is no different than using distros like Debian, Gentoo, etc. which are 
well supported by the Linux community as a whole.  All Fedora support will be 
via web forums, 3rd party support vendors, etc.  
<p>
Enterprise Linux: The RH Enterprise Linux line offers email/phone support for 
2-3 years and 5 years of critical security patches, etc., which is very good in
my opinion.  Unfortunately, the Enterprise line comes in three versions
(workstation only (WS), small server (ES), and big server (AS)) and thus
charges accordingly:
<p>
As of November, 2003
--------------------
WS - $180  - only initial install support :: Full 1 yr support is $299 US.
           - NO servers support - this is only a workstation (very limiting)
<p>
ES - $350  - only initial install support :: Full 1 yr support is $799 US.
           - Full servers support - Dual SMP only - limited RPM package list
<p>
AS - $1500 - support included but 4 CPU version starts at $2500 US.
           - Full servers support - 4way CPU + - more complete RPM package list
<p>
Yes, this is expensive for an end user but not bad for an enterprise setup. BUT,
my major gripe with RHEL is that its software package (RPM) list is probably
less than 50&percnt; of what RH 9.0 had.  Check it out, here is a full list
of the RHEL ES 3.0 RPMs - 
<url url="http://www.ecst.csuchico.edu/~dranch/LINUX/Rhel/">
As you can tell, not only does this make EL expensive but you don't get a 
whole lot for your money other than a good software patch policy.
<p>
Anyway, Redhat has been a premier Linux distribution that has a strong 
installation tool and has some great system administration utilities too.  One 
of the best parts of Redhat is its incremental RPM package installation and 
upgrade system.  Redhat is constantly upgraded, they even support / offer 
patches for their oldest distro versions, and it is well supported in the 
Linux community.
<p>
Redhat is a good choice for the Linux newbie that wants a more server-focused
distro or a GUI configuration approach running with all kinds functionality.
Don't let the server focus fool you.. this distro is very desktop friendly
as well.  Redhat is a Gnome shop vs. a KDE-centric distro.
<p>
If you are already a UNIX snob, you might find Redhat's layout a little weird 
(unless you are a Sun Solaris (SYSV) person - the /etc/rc.d/rc2.d layout is 
similar).  
<p>
*BUT*, many people don't like Redhat.  Why?
<p>
1. Redhat has a LOT of extra software built-in.  Yes, you can choose
the &dquot;Custom&dquot; installation process and get rid of most of the 
options (recommended) but a FULL install is quite large (a full RH8.0 install 
is 4.6GB!).  Even with a reduced package list, it's still a heavy distro.
<p>
2. If you want to *learn* UNIX (not specifically Linux) in the classic 
step-by-step fashion and truly understand it (the hardest but BEST way (IMHO)), 
Redhat probably wouldn't be my first choice!  Yet, I do have to admit my 
opinion is slowly changing.  
<p>
3. Redhat changes the entire behavior of how Linux is set up and configured 
compared to other distributions like Slackware to be easier to use, 
modifiable via scripts, etc.  Unfortunately, Redhat's GUI tools don't easily 
tell you what they are going to do to your config files.  If you want to learn 
UNIX in a classic fashion, go with Slackware or, to a lesser extent, Debian, 
SuSe, etc!  Those distributions are a LOT more plain and easier to initially 
figure out.
<p>
4. RPM Hell.  You might have heard about this term before.  What this 
basically means is that if you want to install a given program, sometimes it 
has a prerequisite of installing another program first.  Ok, so you try to
install that required program only to find that this sub-required program 
might have THREE other required programs.  Then when you try to install the
sub-sub programs, they TOO have requirements.  Get the idea?  Though it is 
always solved with patience (using RPM manually and installing all the 
required programs), many people hate RPMs for this reason.   Fortunately, 
Redhat's newest RPM GUI tools determine all the required other programs for 
you.  Some say this is a fundamental flaw of the RPM system itself.  I don't 
think it's that bad but I'm a patient kind of guy (most of the time at least).
<p>
All Newer versions of Redhat have enhanced installation programs for simple
installations but with the ability to configure advanced options like software
RAID, LVM, etc.  Also, the ASCII, NCURSES, and X-Windows versions of the 
&dquot;linuxconf&dquot; and &dquot;control-panel&dquot; GUI interfaces are 
getting VERY cool!

<sect1>		Mandrake:	http://www.linux-mandrake.com
<p>
Mandrake Linux, currently at version 9.2, is a close derivative of Redhat Linux 
with some significant changes and add-ons.  The main difference between 
Mandrake and Redhat (even today) is that Mandrake is compiled for &lsqb; 
Pentium &rsqb; or newer machines.  Redhat is currently compiled for Intel 386 
(i386) processors though their kernels are optimized.  With the Pentium 
optimizations alone, Mandrake can yield anywhere from a 10-20&percnt; 
performance increase over RedHat on some platforms.

Next, Mandrake has been adding more customized tools to their distribution.  
With these tools, like the &dquot;Mandrake Updater&dquot;, administration is 
easier.  If you like GUI tools, Mandrake has them!

One thing I do want to mention is that the Mandrake installers within the  
&dquot;Drak&dquot; suite have become very powerful.  The installers are very simple
for the newbie but can also be very powerful (installation of software RAID,
LVM, etc).  Mandrake is also very security conscious and gives the user the 
option of different default security settings, etc.  

Much like Redhat, Mandrake also shares the RPM hell problem.  Fortunately, 
Mandrake has RPMdrake which determines all of the required dependencies for you
and fixes most of this issue.

One last thing that must be noted is that like most Linux vendors, Mandrake 
has changed their patch support policies.  They now only offer security 
patches for ONE year from the release of the distro.  After that, you MUST 
upgrade to their newest distro.  The alternative is to buy their Corporate 
Server version which is pretty expensive (Corp. Server 1.1 is $799) but will 
give you support for 2+ years.  In comparison to Redhat and SuSe's support
policies, Mandrake is both expensive and lacking equal support.  This pains me
as I'm a big Mandrake fan but servers need to be supported and upgrading that
often is silly.  Ultimately, if it's a server that you don't plan on upgrading
very often, getting the Corporate version might make sense.  For a desktop
system, only getting patches for 1 year sucks but then again, newer distros
will have more features, etc.


<sect1>		SuSE:		http://www.suse.com
<p>
SuSE, currently in version 9.0, is a powerful distribution from Germany.  I 
had previously tried their older releases but there was so much embedded 
German text in it, it bothered me so I gave up on it.  I recently installed 
newer versions and it seemed much better.  The installation program is pretty 
good though I think Redhat or Mandrake's is better.  But, SuSE has a nice 
configuration tool called YaST and they were one of the first to come with 
the KDE window manager. 

If you like the BSD style of configuring services (much like Slackware,
FreeBSD, etc.), you'll like SuSe.

BUT.. recently, Novell with a grant from IBM is trying to buy SuSe.  What
will this mean to SuSe?  Good question but it will take them a while to
improve or bury it.


<sect1>		Debian:	http://www.debian.org
<p>
Debian is currently on their 3.0R1 release and though I haven't used Debian 
much, many people out there (mostly power users) seem to like it a lot.  
Debian is a community distro which means that there is no "Debian" corporation 
trying to make money at it.  It's run and maintained by the community so the
distro is only as good as the contributors.  It has been best described to me 
as a distribution that old Slackware users who hate Redhat will LOVE.  
Interestingly enough, the defunct Corel and Storm distributions were based on 
Debian.

Debian doesn't include the kitchen sink for software like Mandrake or Redhat 
but it's laid out in a good manner and it has its own RPM-like 
installation/upgrade system called dpkg with front-ends like "apt" or the 
older tool, "dselect".  One thing to note about Debian's package system is that
unlike the "RPM hell" situation (see the Redhat section above), it can 
automatically determine a package's dependencies (what other programs are 
needed to get this particular program to run) and automatically download AND 
install the required packages.  In this respect, Debian is still untouched in 
ease of use.

Like Redhat, Debian is reported to be constantly updated and well supported.  
Many people argue that Debian is even better updated than Redhat though they 
are considerably slower to release new distributions with the newest versions
of Gnome, KDE, etc. compared to the other distro vendors.


<sect1>		Gentoo:	http://www.gentoo.org/
<p>
Gentoo is a new community distro that is very similar to Debian in the
respect that there is no "Gentoo" corporation trying to make money from it.  
It's run and maintained by the community so the distro is only as good as the 
contributors.  

Fortunately, Gentoo brings something new to the Linux distro mix.  Most 
traditional Linux distros (Redhat, Mandrake, SuSe, etc.) all install 
pre-compiled binaries which makes the installation quick and painless but the 
resulting distro might not take advantage of your hardware (ahem.. Redhat).  
Gentoo takes a totally different stance on the installation phase.  
Specifically, after you pick the packages you want to install, Gentoo will 
compile ALL of them from the sources to maximize your hardware.  This is great 
though a full installation can take DAYS if not even a WEEK or more depending 
on how fast your hardware is and how many packages you are installing.

Once installed, Gentoo uses the "portage" program installation system which is
similar to the *BSD "ports" system.  This is where everything is compiled from 
source.  It's a pretty easy system to use as it automatically figures out 
where to download the programs from and how to compile them.  It just is time 
consuming.  But, the sweetest aspect of the "portage" system is that with ONE
command, you can upgrade your ENTIRE distro install to the current versions of
all packages!  Very powerful though I also consider this dangerous too
(config files change, too many variables if something breaks, etc.)



<sect1>		Slackware:	http://www.slackware.com
<p>
Slackware, now at version 9.1, is one of the original Linux distributions and 
it is still one of my favorites.  It definitely isn't as slick in terms of 
installation or functionality compared to Mandrake but it's laid out in a 
clear manner.  The INIT scripts (the scripts that are executed to bring the 
system up) are laid out in a very readable fashion (BSD-style - so is SuSe) 
and everything is obvious (in the open).  Slackware will be a comfortable fit 
for the UNIX gurus out there.  

Like Redhat, Slackware uses a software package system (pkg) for modularized 
system upgrades.  Though it isn't as fancy as Redhat's RPM system, it has 
almost all the same functionality.  Though patches do come out for Slackware, 
Redhat's community usually has patches available FASTER.

<sect1>		Caldera:	http://www.calderasystems.com/
<p>
Caldera or SCO, now at v3.1, is the most commercial of all the Linux 
distributions.  They initially pulled ahead of the pack with a better 
installation program and auto-installing hardware modules but almost everyone 
has caught up pretty quickly.  Caldera was understood to have one of the 
easiest installation programs of ALL the distributions though Mandrake might 
have them beat now.

Caldera differentiates itself by trying to meet the needs of the corporate 
market.  For example, they have completed a port of Novell's NDS directory 
services to Linux.  Pretty cool!

But, it should be noted that SCO seems to be taking on Linux on the legal
front.  They are suing various companies for Millions if not Billions of 
dollars.  In my opinion, this is a last gasp for them to stay alive but this
isn't a way to keep the Linux community happy with them.

<sect1>		Other Distributions
<p>
		There are other Distributions out there to pick from depending on your
		hardware platform (Dec Alpha, Motorola PowerPC, etc) such as:
 
			TurboLinux						
						- popular in Japan / Network clusters

			LinuxPPc	<url url="http://www.linuxppc.org">		
						- for PowerPC machines

			LinuxPro	<url url="http://www.wgs.com/">

			LinuxWare	<url url="http://www.trans-am.com/">

			MkLinux	<url url="http://www.mklinux.apple.com/">	
						- For 680x0 and PPC Apples

			Stampede	<url url="http://www.stampede.org/">


You'll have to experiment and ask other Linux people what distribution they 
like and WHY!  Personally, I'd recommend getting one of those multiple 
Distribution CD sets from places like <url url="http://www.cheapbytes.com"> and trying them 
out yourself!!


For more Distribution details, check out:

	<url url="http://www.linux.org/dist/english.html">

	<url url="http://www.tldp.org/HOWTO/CD-Distributions-EN-HOWTO/index.html">

	<url url="http://www.linuxgazette.com/issue31/hughes.html">


<!-- Section 7 -->
<sect>Installing a distribution, patching it, and doing a Search/Replace on 
TrinityOS<label id="sect-7">
<p>
<sect1>	Upgrading/Updating your Linux distribution:
<p>
	Like ANY Linux distribution, bug fixes, security releases, etc. are
	always coming out and you NEED to stay on top of it.  Remember, Linux is
	very functional but without a given security patch, a hacker can break into
	your box and do ANYTHING!  Redhat, Debian, Slackware, etc have their own 
	incremental update systems that make this easier.  

		P.S. If the program you update to with &dquot;pkgadd&dquot; has different
			configuration file layouts, you will have to do the 
			conversion manually.  Debian and Redhat's systems
			can do the conversion for you though I've had mixed
			results with this.
 

<sect2>	Redhat users:
<p>
		Go to the Redhat Updates URL in <ref id="sect-5" name="Section 5"> and download all 
		the recent patches to a directory (ie. /tmp/patches).  Once you
		have all of the newest RPMs, you should use the &dquot;Freshen&dquot; option
		of the RPM tool (-F).  This will update the RPMs on your machine
		ONLY if an older version of the RPM is already installed on your machine.
		So, I recommend that you do:

			rpm -Fvh /tmp/patches/*
		


		Also, please heed these following warnings regarding RPMs:


<verb>
*******************************************************************************
** Don't always trust RPMs!!!!                                               **
**                                                                           **
**  See &lsqb;Section 50&rsqb; for more specific instructions on how to use  **
**  RPMs, see what files will be installed/replaced/OVERWRITTEN BEFORE you   **
**  install them, etc.                                                       **
*******************************************************************************
** Staying on top of new RPMs                                                **
**                                                                           **
**  You should also implement the RPM notification tool that is documented   **
**  in &lsqb;Section 43&rsqb; to stay on-top of this in the future!          **
*******************************************************************************
</verb>
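		Putting the two warnings above into a script, as an added example
		that is not part of TrinityOS:  "rpm --checksig" (the -K option)
		reports "OK" for a package whose md5/sha1 digests match even if it
		carries no vendor signature at all, so a plain grep for OK is not a
		check.  The filter below accepts only lines that contain the lowercase
		"gpg" token followed by "OK", logs everything else with the reason,
		and freshens only the accepted packages.  The checksig output lines in
		the block are constructed samples in the RPM 4.x format; the vendor
		key is assumed to have been imported with "rpm --import" beforehand,
		and "xargs -r" assumes GNU findutils.

```sh
#!/bin/sh
# Added example, not from TrinityOS: gate "rpm -Fvh" on signature
# verification.  "rpm --checksig" (rpm -K) prints "OK" for an UNSIGNED package
# as long as its md5/sha1 digests match, so a plain "grep OK" is not a check.
# Only a line carrying the lowercase "gpg" token followed by "OK" means the
# package was signed by a key you imported with "rpm --import".
#
# Assumptions: RPM 4.x output format (Redhat 8/9, RHEL 3/4 era), the vendor
# key already imported, patches downloaded to /tmp/patches, GNU xargs (-r).

# signed_ok [CHECKSIGLOG]  - print the paths whose vendor signature verified.
# Reads "rpm --checksig" lines from stdin or the named file.
signed_ok() {
    awk -F': ' '
        /NOT OK/      { next }   # bad signature, or signing key not imported
        !/ gpg OK$/   { next }   # digests only: the package is unsigned
        { print $1 }
    ' "$@"
}

# rejected [CHECKSIGLOG]  - print the rejected paths with the reason.
rejected() {
    awk -F': ' '
        /NOT OK/    { print $1 ": signature did not verify"; next }
        !/ gpg OK$/ { print $1 ": unsigned (digests only)" }
    ' "$@"
}

# freshen_verified [DIR]  - check every RPM in DIR, then freshen only the
# verified ones.  -F touches a package only if an older version is already
# installed, which is the page's reason for preferring it over -U here.
freshen_verified() {
    dir=${1:-/tmp/patches}
    rpm --checksig "$dir"/*.rpm > "$dir/checksig.log"
    rejected "$dir/checksig.log" >&2
    signed_ok "$dir/checksig.log" | xargs -r rpm -Fvh
}

# Constructed sample of "rpm --checksig /tmp/patches/*.rpm" output for the
# offline demo (made-up package versions, key ID and paths).
SAMPLE_CHECKSIG='/tmp/patches/openssh-3.9p1-8.i386.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/patches/bind-9.3.1-1.i386.rpm: (SHA1) DSA sha1 MD5 (GPG) NOT OK (MISSING KEYS: GPG#0badc0de)
/tmp/patches/sendmail-8.13.4-1.i386.rpm: sha1 md5 OK'

if [ "${1:-}" = "--demo" ]; then
    echo "would freshen:"; printf '%s\n' "$SAMPLE_CHECKSIG" | signed_ok
    echo "skipped:";       printf '%s\n' "$SAMPLE_CHECKSIG" | rejected
fi
```

		In the sample, only the openssh package gets freshened: the bind
		package fails because its signing key was never imported, and the
		sendmail package is rejected because it was never signed, even
		though rpm printed "OK" for it.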
<sect1>TrinityOS diagrams and Search and Replace Keys
<p>
----------------------------------------------

This is how the TrinityOS network is laid out:

--

Network topology diagram:

<verb>
 ________
/        \
|Internet &gt;------------------+
\________/                   |
                         Cablemodem
                             |
                   +-----------------------+
                   |         |             |
                   |  External Link: eth0  |
                   |  IP:  100.200.0.212   |
 _________         |  DGW: 100.200.0.1     |
/ Various \        |                       |
|  Remote |        |     ------------      |
|  Sites   &gt;-ISDN--|- External Link: ppp0  |
|    &amp;    |        |  IP: dynamic          |
| Internet|        |     ------------      |
|   link  |        |     DMZ Link: eth2 ---|----&lt; To 802.11b wireless network
\  backup /        |    IP: 192.168.10.1   |            IP: 192.168.10.x
 ---------         |     ------------      |           DGW: 192.168.10.1
                   |                       |           DNS: 192.168.10.1
                   |  Internal Link: eth1  |
                   |  IP: 192.168.0.1      |
                   |          |            |
                   +-----------------------+
                              |
                      8-port 100Mb/s switch
                              |
          +----+----+----+----+----+----+----+----+
          |    |    |    |    |    |    |    |    |
         PC   PC   PC   PC   PC   PC   PC   PC   PC
         &num;1   &num;2   &num;3   &num;4   &num;5   &num;6   &num;7   &num;8   &num;9
          |
          |
       /----------------\
        IP: 192.168.0.2
	 DGW: 192.168.0.1
	 DNS: 192.168.0.1

</verb>
	- Next, custom-tailor your copy of TrinityOS to your specific environment:
	  do a search/replace on each &dquot;search for&dquot; field and replace it with
	  your own value for the corresponding &dquot;replace with&dquot; field.

		PLEASE NOTE:  If you are going to use IP Masquerading, you should use one
				  of the private address spaces described in RFC 1918
				  <url url="http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html"> such as:

<itemize>
<item>Class-A: 10.x.x.x
<item>Class-B: 172.16-31.x.x
<item>Class-C: 192.168.x.x
</itemize>
<code>
                               search for              replace with (given as an example)
                               ----------              ----------------------------------
     Your main login ID        johndoe                 your-login

     Your PPP ISP name         your-ppp-isp-name       your-ppp-isp-name
     Your PPP ISP &num;            555-1212                555-1234
     Your PPP login            your-ppp-login          your-ppp-login
     Your PPP password         your-ppp-passwd         your-ppp-passwd

     The Linux machine
     name                      roadrunner              your-linux-boxes-name

     Domain Name               acme123.com             yourdomain.org
     Second Domain Name        another-domain.com      yourseconddomain.org

     Internal IP network       192.168.0.0             192.168.0.0
     Internal IP address       192.168.0.10            192.168.0.10
     Internal gateway IP       192.168.0.1             192.168.0.1
     Internal broadcast IP     192.168.0.255           192.168.0.255

     Internal DMZ IP network   192.168.10.0            192.168.10.0
     Internal DMZ IP address   192.168.10.10           192.168.10.10
     Internal DMZ gateway IP   192.168.10.1            192.168.10.1
     Internal broadcast DMZ IP 192.168.10.255          192.168.10.255


     External IP network       100.200.0.0             100.201.0.0
     External IP address       100.200.0.212           100.201.0.212
     External gateway IP       100.200.0.1             100.201.0.1
     External broadcast IP     100.200.0.255           100.201.0.255

     Remote SECONDARY DNS      ns.backupacme.com       ns.yourdomain.org
     External secondary DNS    102.200.0.25            102.201.0.25

     Reverse DNS lookup        54.44.80.10             50.0.201.102

     Explicit allowed IP&num;1     200.211.0.40            200.244.0.40
     Explicit allowed IP&num;2     200.211.0.41            200.244.0.41
     Explicit allowed IP&num;3     200.211.0.42            200.244.0.42
     Explicit allowed IP&num;4     200.211.0.43            200.244.0.43

     ISP DNS server &num;1         10.200.200.69           10.222.222.44
     ISP DNS server &num;2         10.200.200.96           10.222.222.88

     Your SMB Workgroup:       ACME123                 your-linux-boxes-SMB-workgroup-name

     Your pager email:         1234567@skytel.com      2321432342@skytel.com

     An internal PORTFWed
     MASQ machine name:        coyote                  one-internal-MASQed-machine-name

     A internal PORTFWed
     MASQ machine IP:          192.168.0.20            192.168.0.20

     Internal machines 
       allowed to connect
       to the MASQ server:     192.168.0.11            192.168.0.11
                               192.168.0.12            192.168.0.12

     Remote PPTP setup
       PPTP server running at: MyEmployer.com          MyEmployer.com
       PPTP server IP:         220.1.2.3               220.1.2.3
       PPTP username:          YourUserNameHERE        YourUserNameHERE
       PPTP CHAP name:         REMOTE-PPTP-CHAP-HERE   REMOTE-PPTP-CHAP-HERE

</code>

<sect1>	&num;&num; Fixing Redhat, Mandrake, etc. (bugs) that are right out of the BOX!  (ouch!): &num;&num;
<p>
		* These are errors, bugs, annoyances, etc. that I've noticed in 
		  Redhat 5.x.  But, these might be fixed in later CD releases, patches,
		  etc.

<url url="http://www.ecst.csuchico.edu/&tilde;dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz">

<sect2>			- Fix all cron permissions (some fixed in RH6.x)
<p>
<code>
				chmod -R 750 /etc/cron.hourly
				chmod -R 750 /etc/cron.hourly/*
				chmod -R 750 /etc/cron.daily
				chmod -R 750 /etc/cron.daily/*
				chmod -R 750 /etc/cron.weekly
				chmod -R 750 /etc/cron.weekly/*
				chmod -R 750 /etc/cron.monthly
				chmod -R 750 /etc/cron.monthly/*
</code>

<sect2>			- Let Minicom and &dquot;ls&dquot; run in Color:
<p>
<itemize>
  <item>Edit /etc/profile and add:
  <p>
  <itemize>
     <item>Add the following after the &dquot;export&dquot; line if you have Minicom installed:
     <p>
		MINICOM=&dquot;-c on&dquot;
        <p>
		export MINICOM
     <p>
	 <item>This &dquot;ls&dquot; issue is fixed in RH6.x but it's good to set up regardless.
		   Edit the /etc/bashrc file and add:
		 <quote>
					alias ls='ls --color=yes'
		 </quote>
   </itemize>
</itemize>

<sect2>			- Let ColorGCC always run to make compiling a little more obvious
<p>
<itemize>
  <item>Add the following to the <em>/etc/bashrc</em> file to make compiling
highlight various warnings, errors, etc.  I think it helps..
  <code>
    export CC="colorgcc"
  </code>
</itemize>

<sect2>Fix the timezone  
<p>
<itemize>
  <item>NOTE:  This is supposed to be already fixed in a Glibc RPM fix
  <itemize>				
     <item>Edit the /etc/profile file
     <p>
     <itemize>
        <item>Just above the &dquot;EXPORT PATH&dquot; line, add the line for Pacific Daylight time (adjust for your Time zone)
        <p>
        TZ=PST8PDT
        <p>
        Now edit the &dquot;EXPORT PATH&dquot; line and append the word &dquot;TZ&dquot;
     </itemize>
  </itemize>
</itemize>

<sect2>			- Change the default UMASK (default file/directory create) 
<p>

				NOTE:  Changing this behavior makes the permissions of
					 all NEWLY created files only readable by certain
					 users and groups.  This can have a detrimental
					 effect on programs that need to be used by multiple
					 users.  The default is &dquot;umask 002 else umask 022&dquot;.
					
				NOTE2:  If you see two &dquot;umask&dquot; lines, change them BOTH to 027

				- edit /etc/profile, find the umask line(s) and make them read 
				  &dquot;umask 027&dquot;


<sect2>			- Fix compressed FTP downloads (still broken in RH6.1)
<p>

				NOTE:  The changes were:

<itemize>
<item>&dquot;compress&dquot; is in /usr/bin and NOT /bin

<item>I had previously patched TAR to understand .BZ2 compression but this is now already done in RH6.x and most other modern Linux distributions (the man pages don't reflect this.  Obviously this is STILL a bug as of Mandrake 7.0.).  

<item>If you have an old distribution, compile up the new tar executable.  Then put this new TAR binary in /usr/local/bin.

<item>Create a link to the new tar file
<p>
ln -s /usr/local/bin/tar /bin/tar

<item>Now, to fix FTP so you can get compressed archives automatically from ftpd, edit the /etc/ftpconversions file and make it look like this:
</itemize>
<code>
:.Z: :  :/usr/bin/compress -d -c &percnt;s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
:   : :.Z:/usr/bin/compress -c &percnt;s:T_REG:O_COMPRESS:COMPRESS
:.gz: :  :/bin/gzip -cd &percnt;s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
:   : :.gz:/bin/gzip -9 -c &percnt;s:T_REG:O_COMPRESS:GZIP
:   : :.tar:/bin/tar -c -f - &percnt;s:T_REG|T_DIR:O_TAR:TAR
:   : :.tar.Z:/bin/tar -c -Z -f - &percnt;s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
:   : :.tar.gz:/bin/tar -c -z -f - &percnt;s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
</code>
<sect2>		- Fix the permissions on the /etc/rc.d/init.d script files!!!
<p>
		  Bad, Bad, Bad.  Only &dquot;root&dquot; and admin groups should be able 
		  to do this type of administration.

<code>
			chmod -R 770 /etc/rc.d/init.d/*
</code>

<!-- Section 8 -->

<sect>Initial System security<label id="sect-8">
<p>
	This covers CMOS setups, disable ports, TCP wrappers, shadow passwds, etc.

First thing, I would recommend, in addition to following TrinityOS for
your needed purposes, that you read LDP's Security HOWTO for a more detailed
explanation of what to do.  Interestingly enough, I never read it until 
recently and a LOT of the things I had independently recommended were already in 
the Security HOWTO too!  So, it sounds like we are on-track!  I recommend 
you read it too!  The URL is in <ref id="sect-5" name="Section 5">.


<sect1>BIOS/CMOS Settings
<p>
Upon system boot, enter into the CMOS setup
<itemize>
<item>AMI BIOSes use the DEL key
<item>Compaq BIOSes use the F10 key
<item>Some Phoenix BIOSes use Control-Escape, Control-Alt-Ret, F2,
or Control-Alt-Shift (mostly in vendor-customized versions such as Dell).  
<item>IBM Series 300 uses F2 in their SurePath Bios.
</itemize>
		- Once you are in the BIOS, search around and try to set the following:

<sect2>			+ Enable the BIOS password
<p>
				- I recommend the combination of upper and lower case
				  characters with numbers!


<sect2>			+ DISABLE booting from the floppy drive
<p>
			By changing the BIOS boot order from A:,C: to C:,A: 

			If you are extra paranoid, you can set the floppy drive to READ
			  only or even disable the floppy drive all together if you wish.


<sect1>Linux root Password
<p>
- Now, boot back into Linux and make sure you have a password for the root login 
<code>

	 passwd root

</code>
	NOTE:  You may not have noticed this but most Linux distributions only took the 
		 first -8-  characters of your password.  After that, they simply ignored 
		 ALL remaining characters.  For example, these two passwords are the SAME to 
		 Linux:

				Pl3a5eGet0ut
				  and
				Pl3a5eGe

		Because of this, you need a strong password and it can ONLY be 8-characters
		long.   You REALLY should use a combination of UPPER and lower case
		characters, numbers, and special characters such as:

&lsqb; `&tilde;!@&num;&dollar;&percnt;^&amp;*()-_=+{&lsqb;&rsqb;}\|'&dquot;;:,&lt;.&gt;/? &rsqb; 


		Fortunately enough, the newer Linux distributions have fixed this issue.
		But regardless if this has been fixed on your distribution or not, it IS important 
		that you choose a strong passwd.

<sect1>Enable the &dquot;sticky&dquot; bit in /tmp
<p>
This ensures that only the file's owner can delete a given file in /tmp (Fixed in RH6.x):

<code>
		chmod 1777 /tmp
</code>

<sect1>- Disable the Control-Alt-Delete keyboard shutdown command
<p>
	- This is pretty important if you don't have the best physical security on the box:

	- To implement this, edit /etc/inittab and change the line:

<code>
		ca::ctrlaltdel:/sbin/shutdown -t3 -r now
</code>

				to

<code>
		&num;ca::ctrlaltdel:/sbin/shutdown -t3 -r now
</code>

	- Now, for the system to understand the change, type in the following at a prompt

<code>
		/sbin/init q
</code>

<sect1> - Disable the ability to run INIT in interactive mode
<p>
Newer Redhat:
<itemize>
  <item>Edit the /etc/sysconfig/init script and change the line:
  <code>
  prompt=yes
  </code>
  to..
  <code>
  prompt=no
  </code>
</itemize>


<sect1>- Compile / install vlock (available in most modern distributions).
<p>
	NOTE:	Use this command if you are logged in as root and want to LOCK the ttys
		without having to log fully out and back in again.  Nice!



<sect1>- Change what system daemons get loaded by editing the following files in &dquot;/etc/rc.d/&dquot; 
<p>
	NOTE: Regardless of Linux distribution, you might want to SKIP some of 
		the following steps if you plan to run:

<itemize>
<item>Samba (smb)
<item>Printing (lpd)
<item>Mail (Sendmail)
<item>NFS 
<item>etc.
</itemize>

<sect2>	Redhat:
<p>
	(though this is specific to Redhat, the following is a good read 
			for ALL Linux users.)

		The way that Redhat boots is the SysV way.  This is where the 
		OS will execute ALL files for a given runlevel (see definition below) that 
		start with a &dquot;S&dquot; (that's a CAPITAL &dquot;S&dquot;) and have a number after that in a 
		numerical order from lowest to highest.  For example, it will run 
		&dquot;S10network&dquot; before it runs &dquot;S30syslog&dquot;.

		So what's a RUN-level?  A run-level is the mode in which the machine loads
		various system programs.  Though this varies from Unix to Unix (Linux, 
		Solaris, AIX, HP-UX, etc.), they are similar.  For Linux, these are the 
		run-levels (from /etc/inittab):

Please note that some Linux distributions have slight variations:

<itemize>
<item>		0:	halt	
					(stops the OS and sometimes shuts the power off)

<item>		1:	single user	
					(doesn't bring up the network, no passwd for root.  Needed
					for system problems, lost root passwds, etc)

<item>		2:	
                Redhat: Multiuser
					(Brings up the whole OS but doesn't mount remote file 
					systems (NFS, CODA, etc)

                SuSe:   Full Multiuser
					(Brings up the whole OS with any remote file systems)

<item>		3:	
                Redhat: Full Multiuser
					(Brings up the whole OS with any remote file systems)

                SuSe:   Xwindows
					(Brings up the system immediately into X-windows)

<item>		4:	Unused

<item>		5:	X-windows
					(Brings up the system immediately into X-windows)

<item>		6:	Reboot
					(reboots the machine; usually into a COLD boot state
					&lsqb;counts all the RAM, etc&rsqb;)
</itemize>

		Also, if you didn't already notice, all of the files in various runlevel
		directories like /etc/rc.d/rc0, 1, 2, 3, 4, 5, 6.d are actually just 
		symbolic links to all the real script files in /etc/rc.d/init.d!  
		This makes things more manageable.

		So, since Linux usually runs in multi-user / non-Xwindows mode, that means 
		runlevel &dquot;3&dquot; will execute all files in the /etc/rc.d/rc3.d directory.  
        Then, the system will begin to run ALL files starting with &dquot;S&dquot; in order.  
		When you shutdown or restart the machine, you change the machine 
		into runlevel &dquot;0&dquot; or &dquot;1&dquot;.  This will first execute all commands from 
		the initial runlevel directory of &dquot;3&dquot; starting with &dquot;K&dquot;.  If the 
		given process isn't already running, like my example for LPD, it 
		will just skip it and move on.  Get it?
<sect2>	Slackware:
<p>
		The way that Slackware boots is the BSD way.  It will execute the 
		/etc/rc.d/rc.inet1 (network interfaces) file first.  Then, it will run 
		the /etc/rc.d/rc.inet2 (network services) file.  This is much more 
		readable than the Redhat method but it's harder to maintain (IMHO).

<sect2>	Securing your machine by limiting what daemons load:
<p>
	BSD-Style:	Edit the following files in /etc/rc.d/ and make these changes unless
			you need that service.

<verb>
		- rc.M (disable email and WWW servers)

			- line 75:	&num;'d out all lines for Sendmail
			- line 97:	&num;'d out all lines for httpd

		- rc.inet2 (disable SERVER and NFS servers)
			- line 14:	&num;'d out all lines for lpd
			- line 15:	&num;'d out all lines for lpd
			- line 31:	&num;'d out all lines for portmap
			- line 72:	&num;'d out all lines for mountd, nfsd, pcnfsd, bwnfsd

</verb>


	There are at least six ways to turn on/off what daemons load:
<itemize>
<item>&dquot;chkconfig&dquot; command line utility
<item>&dquot;ntsysv&dquot; Ncurses GUI utility
<item>&dquot;tksysv&dquot; Xwindows GUI utility
<item>&dquot;control-panel&dquot; or &dquot;linuxconf&dquot; Xwindows GUIs.
<item>&dquot;Manual editing&dquot;
<item>&dquot;Deleting the package altogether&dquot;
</itemize>

Note - Though I'm a command line bigot, I feel the &dquot;ntsysv&dquot; 
	   GUI is the fastest way to modify these options!

NOTE &num;2 - It should be noted that some people really feel that 
          if you are going to disable a package, you might as well
          REMOVE IT.  This is technically MORE secure (nothing to
          run an exploit against) and it doesn't take up any disk
          space either.  Personally, I usually side with functionality and
          rather just disable the service vs. delete it altogether.
          Now, if you're sure that you'll NEVER use this service, 
          I definitely recommend deleting the package.

          To DELETE a given package:
<itemize>
   <item>Redhat:  		rpm -e package-name
   <item>Slackware:		pkgdel package-name
</itemize>


		  NOTE &num;3 - I've found that when you first run these GUI
				tools, they will default to running and disabling
				some processes they SHOULDN'T!  So, be careful
				and make sure that the tool is starting/stopping
				the correct daemons.  Confirm this by going into
				the correct runlevel directory, say /etc/rc.d/rc3.d,
				and making sure only the minimal S* files are there.

		With &dquot;chkconfig&dquot;:

			Please note that there might be some daemons that are missing
			and/or extra in your specific /etc/rc.d/init.d directory so 
			make sure you enable/disable the appropriate ones for your
			needs.

<code>
			--
			&num;Disable automounters
			chkconfig --level 2345 amd off

			&num;Disable unless this is a laptop
			chkconfig --level 2345 apmd off

			&num;Disable unless you want to run batch programs within certain loads
			chkconfig --level 2345 atd off

			&num;Disable unless you want emails of EVERY ARP on your network segment
			chkconfig --level 2345 arpwatch off

			&num;Disable unless you want boot diskless workstations
			chkconfig --level 2345 bootparamd off

			&num;Disable unless this machine will be a DHCP *SERVER*
			chkconfig --level 2345 dhcpd off

			&num;Disable unless this machine will be a full blown router
			chkconfig --level 2345 gated off

			&num;Disable unless this machine will be a WWW server
			chkconfig --level 2345 httpd off

			&num;Disable unless this machine uses a modularized kernel
			&num;  NOTE:  Not needed for 2.2.x+ kernels
			chkconfig --level 2345 kerneld off	

			&num;Disable unless you really want to configure remote machines via Linuxconf
			chkconfig --level 2345 linuxconf off

			&num;Disable unless this machine will be a print server 
			&num;(for the local or remote machine)
			chkconfig --level 2345 lpd off

			&num;Disable unless you really need the proprietary MC server
			chkconfig --level 2345 mcserv off

			&num;Disable unless this machine will be a database server
			chkconfig --level 2345 mysql off

			&num;Disable unless this machine will be a caching or full blown DNS server
			chkconfig --level 2345 named off

			&num;Disable unless this machine will be a NFS server
			chkconfig --level 2345 nfs off
			
			&num;Disable unless this machine is a laptop or the PC has PCMCIA cards
			chkconfig --level 2345 pcmcia off

			&num;Disable unless this machine will be an NFS server or needs RPC tools
			chkconfig --level 2345 portmap off

			&num;Disable all R-cmds
			chkconfig --level 2345 rusersd off
			chkconfig --level 2345 rwalld off
			chkconfig --level 2345 rwhod off

			&num;Disable unless this machine is a email server
			chkconfig --level 345 sendmail off

			&num;Disable unless this machine is a Samba (MS File&amp;Print) server
			chkconfig --level 345 smb off

			&num;Disable unless this machine is to support SNMP
			chkconfig --level 2345 snmpd off

			&num;Disable unless this machine is a local/remote HTTP proxy server
			chkconfig --level 2345 squid off

			&num;Disable unless this machine will be running X-windows
			chkconfig --level 2345 xfs off

			&num;Disable unless this machine will be an NTP server
			chkconfig --level 2345 xntpd off

			&num;Disable unless this machine will be part of a NIS/YP domain
			chkconfig --level 2345 ypbind off
			chkconfig --level 2345 yppasswdd off

			&num;Disable unless this machine will be a NIS/YP server
			chkconfig --level 2345 ypserv off
</code>



		Manually:			

			NOTE: only do this to the processes you WON'T use. 
			
			NOTE &num;2: If, for some reason, any of the K or S* files don't
				   exist and you want them to be there, use one of the
				   GUI tools above.

			Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d

<code>
			- mv S08autofs K08autofs
			- mv S20nfs K20nfs		
					(unless this is for a full or caching NFS server)
			- mv S20rusersd K20rusersd
			- mv S20rwalld K20rwalld
			- mv S20rwhod K20rwhod
			- mv S30mcserv K30mcserv    
			- mv S98kerneld K98kerneld
			- mv S35smb K35smb		(unless this is for a Samba F&amp;P server)
			- mv S60lpd K60lpd		(unless this is for a print server)
			- mv S65portmap K65portmap	(unless this is for a NFS server)
			- mv S95nfsfs K95nfsfs		(unless this is for a NFS server)
			- mv S45pcmcia K45pcmcia	(unless this for a laptop)
			- mv S65dhcpd K65dhcpd		(unless this is for a DHCP server)
			- mv S85httpd K85httpd		(unless this is for a WWW server)
			- mv S80sendmail K80sendmail	(unless this is for a mail server)
</code>
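NOTE &num;3 above says to confirm what is actually left in the runlevel directory after using the GUI tools or the mv commands.  The following POSIX sh functions are an added example (not part of TrinityOS or its scripts) that does that audit against a short allow-list and renames a start link the way the manual method does; the fake init.d/rc3.d tree, service names and function names are constructed for the demo and it never touches /etc.

```shell
#!/bin/sh
# Added example, not part of TrinityOS: audit a SysV runlevel directory
# (e.g. /etc/rc.d/rc3.d) against an allow-list of services so you can
# confirm what chkconfig, ntsysv or your own "mv S.. K.." edits really left
# behind, and rename a start link the way the text does.  Assumes the Red Hat
# layout described above: Snnname / Knnname symlinks into init.d.

# rc_start_services DIR
# Prints the service name of every S* entry in DIR, in the order init runs them.
rc_start_services() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # no match, or dangling link
        name=${f##*/}                            # S10network
        printf '%s\n' "${name#S[0-9][0-9]}"      # network
    done
}

# rc_audit DIR SERVICE...
# Prints "Snnname -> target" for every start link whose service is not on
# the allow-list; returns 1 if any were found, 0 if the directory is minimal.
rc_audit() {
    rcdir=$1; shift
    allowed=" $* "
    bad=0
    for f in "$rcdir"/S[0-9][0-9]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        svc=${name#S[0-9][0-9]}
        case $allowed in
            *" $svc "*) ;;
            *) printf '%s -> %s\n' "$name" "$(readlink "$f" || echo '(not a symlink)')"
               bad=1 ;;
        esac
    done
    return $bad
}

# rc_disable DIR SERVICE
# The manual method from the text: rename SnnSERVICE to KnnSERVICE so the
# runlevel stops the service instead of starting it.
rc_disable() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        mv "$f" "$1/K${name#S}"
    done
}

# Constructed demo: a fake init.d/rc3.d pair in a temp dir, never /etc.
rc_demo() {
    top=$(mktemp -d)
    mkdir "$top/init.d" "$top/rc3.d"
    for s in network syslog lpd nfs; do : > "$top/init.d/$s"; done
    ln -s ../init.d/network "$top/rc3.d/S10network"
    ln -s ../init.d/syslog  "$top/rc3.d/S30syslog"
    ln -s ../init.d/lpd     "$top/rc3.d/S60lpd"
    ln -s ../init.d/nfs     "$top/rc3.d/K20nfs"
    echo "starts at boot:"; rc_start_services "$top/rc3.d"
    echo "not on the allow-list (network syslog):"
    rc_audit "$top/rc3.d" network syslog || echo "-> fix needed"
    rc_disable "$top/rc3.d" lpd
    rc_audit "$top/rc3.d" network syslog && echo "now minimal"
    rm -rf "$top"
}

rc_demo
```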


<sect1>Shutting down most of inetd / xinetd
<p>
Inetd and Xinetd are called the &dquot;super servers&dquot; as they load a 
network server based upon a request from the network.  I personally recommend 
that any service that you DON'T need shouldn't be able to load.  This both
minimizes CPU and Memory load as well as greatly reduces your security risk.
<p>
The exceptions that I leave in and secure via a firewall and TCP wrappers
are: TELNET, FTP, SSH, sometimes TALK, POP-3, IMAP, and maybe FINGER.

Newer Linux distributions no longer use "inetd" but instead use a newer version
called "xinetd".  This new version allows for much more granular configuration
as well as superior logging, etc.  Overall, I really recommend Xinetd though 
it does take a little time to get used to.
<p>
XINETD:
-------
Go into the /etc/xinetd.d directory and edit each of the files in that
directory.  In each one of the service files that should be disabled, make 
sure that a line reading "disable = yes" is present.  For example:
<p>
/etc/xinetd.d/chargen
<code>
# default: off
# description: A chargen server. This is the tcp \
# version.
 
service chargen
{
    type        = INTERNAL
    id      = chargen-stream
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    disable     = yes
}    
</code>

I recommend to disable the following services and any other services enabled
in your machine that you don't need (unless noted below).
<itemize>
  <item>chargen
  <item>chargen-udp
  <item>daytime
  <item>daytime-udp
  <item>echo
  <item>echo-udp
  <item>finger     (you might want to enable this)
  <item>imap       (you might want to enable this)
  <item>ident      (don't enable this unless you use IRC)
  <item>ipop3      (you might want to enable this)
  <item>ntalk      (you might want to enable this)
  <item>swat       
  <item>talk       (you might want to enable this)
  <item>time       
</itemize>

To make the change take effect, type in:

<itemize>
	<item>Redhat:		/etc/rc.d/init.d/xinetd restart
	<item>Slackware: 	kill -HUP `ps aux | grep xinetd | grep -v -e grep | awk '{print &dollar;2}'`
</itemize>
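Going through every file in /etc/xinetd.d by hand is error-prone, so here is an added POSIX sh example (not from TrinityOS) that lists the services xinetd would still start and adds the "disable = yes" line described above to one service file; the sample service files and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of TrinityOS: audit an xinetd.d directory for
# services xinetd would still start, and switch one off the way the text
# describes (a "disable = yes" line inside the service block).  Note that
# the "# default: off" comment at the top of a file is only a hint for
# chkconfig; xinetd itself decides on the disable attribute, so a file with
# that comment and no disable line is STILL enabled.  A "disabled =" list in
# the defaults block of /etc/xinetd.conf is not considered here.

# xinetd_enabled DIR
# Prints the name of every service file in DIR that lacks "disable = yes"
# (any spacing or case; comments are ignored).
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if sed 's/#.*//' "$f" |
           grep -iq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$'; then
            continue
        fi
        printf '%s\n' "${f##*/}"
    done
}

# xinetd_disable FILE
# Idempotently set "disable = yes" in one service file: rewrite an existing
# disable line (disable = no, disable=no, ...) or insert one just before the
# closing brace.  The original is replaced only if awk succeeded.
xinetd_disable() {
    tmp="$1.tmp.$$"
    awk '
        tolower($1) ~ /^disable(=|$)/ { print "    disable     = yes"; seen = 1; next }
        $1 == "}" && !seen            { print "    disable     = yes" }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed demo directory mirroring the chargen example above.
xinetd_demo() {
    xdir=$(mktemp -d)
    printf '# default: off\nservice chargen\n{\n    type        = INTERNAL\n    disable     = yes\n}\n' > "$xdir/chargen"
    printf '# default: off\nservice finger\n{\n    disable     = no\n}\n' > "$xdir/finger"
    printf '# default: off\nservice telnet\n{\n    socket_type = stream\n}\n' > "$xdir/telnet"
    echo "still enabled:"; xinetd_enabled "$xdir"
    xinetd_disable "$xdir/finger"
    echo "after disabling finger:"; xinetd_enabled "$xdir"
    rm -rf "$xdir"
}

xinetd_demo
```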

INETD:
------
I recommend to edit the /etc/inetd.conf file and place a &dquot;&num;&dquot; in front 
of the lines to disable them (if not already done).  

<itemize>
<item>echo		- basic network functions that AREN'T needed
<item>discard	- &dquot;
<item>chargen 	- &dquot;
<item>daytime 	- For checking the date remotely (or)
<item>time		- &dquot;
<item>shell		- Remote Shell. flexible but VERY insecure.  A part of the R-command tools
<item>login		- &dquot;
<item>exec		- &dquot;
<item>comsat	- Email box monitoring server (very old)
<item>talk		- UNIX Talk (I usually allow this but secure it via the firewall/tcp-wrappers
<item>ntalk		- &dquot;
<item>dtalk		- &dquot;
<item>pop-2		- For checking email.  Use POP3 instead.
<item>uucp		- For sending/receiving email the OLD way.
<item>tftp		- For simple file transfers (unless you need this functionality)
<item>bootps	- For simple configuration transfer (very old; replaced by DHCP)
<item>cfingerd	- For probing information on a specific user or who is logged in
<item>systat	- For probing information about the system itself
<item>netstat	- For probing information about the system's network
<item>auth		- For the ident system to see what user is creating specific network traffic
<item>linuxconf	- For remotely configuring the system via the Linuxconf GUI
<item>swat		- For remotely configuring the Samba server via Swat
</itemize>

As noted above for Xinetd, there are some items you might want to leave enabled
(some only until you install a secure alternative like SSH):

<itemize>
<item>ftp		- For insecure file transfer
<item>telnet	- For insecure remote logins
<item>talk		- For accepting local/remote real-time talk sessions
<item>ntalk		- &dquot;
<item>dtalk		- &dquot;
<item>pop-3		- For downloading email.
<item>imap		- For checking email on the server.
<item>finger	- For checking out info on system users (most people should disable this)
<item>cfinger	- &dquot;
<item>NOTE:  If you need to run finger, change the word &dquot;root&dquot; to &dquot;nobody&dquot;.  
</itemize>

Once you make these changes, finish editing the file.  To make the change take effect,
type in:

<itemize>
	<item>Redhat:		killall -HUP inetd
	<item>Slackware: 	kill -HUP `ps aux | grep inetd | grep -v -e grep | awk '{print &dollar;2}'`
</itemize>


<sect1>TCP wrapper security
<p>

More and more Linux distributions are shipping with secure defaults.  But,
never ASSUME that things are locked down.  CONFIRM IT!


- Edit &dquot;/etc/hosts.deny&dquot; and insert the following at the end of the file:

<code>
        ALL: ALL
</code>

  It should also be noted that TCP wrappers supports extensive logging and
remote banners.  Please see the end of this section for a detailed example.


- edit &dquot;/etc/hosts.allow&dquot; and insert lines at the end of the file for each IP
	and or Domain that you want to allow access to the Linux box. 

NOTE:  Do NOT use DNS names for the hosts as DNS can be spoofed.  Use TCP/IP 
addresses instead.
<p>
<code>
ALL: 127.0.0.1			&num;Needed for some local services like comsat
ALL: 200.211.0.40		&num;Securehost
ALL: w.x.y.z
</code>
<p>
For example:

<code>
    ALL:    192.168.0.2     &num;Allow everything from coyote2
    ALL:    200.211.0.40    &num;Allow all traffic from Explicit Allowed &num;1
    ALL:    200.211.1.      &num;Allow *ALL* traffic from all hosts on the 200.211.1.x 
                            &num;network.  Yes, the option should END with a single &dquot;.&dquot;
</code>
   Or if you want to be more granular, you can do the following.  All TCP wrapper 
   supported daemons that you can put in here are noted in the /etc/inetd.conf file.

<code>
	in.ftpd: 192.168.0.2	&num;Allow only FTP traffic from coyote2
	in.pop3d: 200.211.0.40	&num;Allow only POP-3 traffic from Explicit Allowed &num;1
</code>

<bf>TCP Wrapper logging and banner support</bf>
<p>
As mentioned above, TCP wrappers support advanced features like logging and
sending text banners to the remote machine.  To do this, you want to change the
/etc/hosts.deny file to look something like the following:
<p>
<code>
# The following example will DENY all traffic except finger.  
#   For finger, it will allow the request but log it, send a banner and THEN
#   deny it
#
# First, set up a booby trap and bounce message for all except finger
# and log attempt to /var/log/tcpwrappers.log

ALL except in.fingerd: ALL \
    :spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root;\
        date >>/var/log/tcpwrappers.log;\
        echo '%u@%h (%d) connection attempted.' >>/root/access.log)& \
    :rfc931 45\
    :twist /bin/echo \
        $'\nAccess to this system is limited to authorized users. \
        \n%u@%h is not a valid ID to access %d \
        \non this system. This attempt has been logged. \n'

# Now log and bounce message for finger
#
in.fingerd: ALL\
    :spawn (date >>/var/log/tcpwrappers.log; \
        echo '%u@%h (%d) connection attempted.' >>/var/log/tcpwrappers.log)& \
    :rfc931 45\
    :twist /bin/echo \
        $'\nAccess to this system is limited to authorized users. \
        \n%u@%h is not a valid ID to access %d \
        \non this system. This \
        attempt has been logged.\
        \n'
</code>
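Before trusting a hosts.allow/hosts.deny pair, it helps to check what it will decide.  The following POSIX sh functions are an added example (not TrinityOS code) that model the hosts_access decision for the rule forms used in this section: daemon lists, ALL, exact addresses, trailing-dot network prefixes and the "ALL except in.fingerd" form.  Options after the second colon (spawn, twist, rfc931), backslash-continued lines and hostname lookups are ignored, and the sample files, addresses and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of TrinityOS: a simplified model of the
# hosts_access(5) decision, so a hosts.allow / hosts.deny pair can be
# sanity-checked BEFORE relying on it.  Only the rule forms used on this
# page are implemented; use the real tcpdmatch for anything more exotic.

# tw_list_match LIST TOKEN
# Succeeds if TOKEN is matched by the comma/space separated pattern LIST.
tw_list_match() {
    case $1 in
        *[Ee][Xx][Cc][Ee][Pp][Tt]*)
            # "A EXCEPT B" matches when A matches and B does not.  Positional
            # parameters are per call, so the recursion is safe in plain sh.
            if tw_list_match "${1%%[Ee][Xx][Cc][Ee][Pp][Tt]*}" "$2" &&
               ! tw_list_match "${1#*[Ee][Xx][Cc][Ee][Pp][Tt]}" "$2"; then
                return 0
            fi
            return 1 ;;
    esac
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;                              # wildcard
            *.)  case $2 in "$pat"*) return 0 ;; esac ;;  # 200.211.1. = network prefix
            *)   [ "$pat" = "$2" ] && return 0 ;;         # exact address
        esac
    done
    return 1
}

# tw_file_match FILE DAEMON CLIENT
# Succeeds if some "daemons : clients [: options]" rule in FILE matches.
tw_file_match() {
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        line=${line%\\}                       # drop a continuation backslash
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}                     # options after the 2nd colon ignored
        if tw_list_match "$dlist" "$2" && tw_list_match "$clist" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tw_decide DAEMON CLIENT [ALLOWFILE] [DENYFILE]
# Prints "allow" or "deny": hosts.allow is consulted first, then hosts.deny,
# and a client matched by neither file is allowed (which is why the text
# tells you to end hosts.deny with "ALL: ALL").
tw_decide() {
    if tw_file_match "${3:-/etc/hosts.allow}" "$1" "$2"; then
        echo allow
    elif tw_file_match "${4:-/etc/hosts.deny}" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Constructed demo using the addresses from the search-and-replace table.
tw_demo() {
    twdir=$(mktemp -d)
    cat > "$twdir/hosts.allow" <<'EOF'
ALL:      127.0.0.1      #Needed for some local services like comsat
ALL:      200.211.1.     #Allow *ALL* traffic from the 200.211.1.x network
in.ftpd:  192.168.0.2    #Allow only FTP traffic from coyote2
in.pop3d: 200.211.0.40   #Allow only POP-3 traffic from Explicit Allowed #1
EOF
    cat > "$twdir/hosts.deny" <<'EOF'
ALL except in.fingerd: ALL \
    :twist /bin/echo 'Access to this system is limited to authorized users.'
in.fingerd: ALL
EOF
    for q in "in.ftpd 192.168.0.2" "in.telnetd 192.168.0.2" \
             "in.telnetd 200.211.1.77" "in.pop3d 200.211.0.41" \
             "in.fingerd 10.1.1.1"; do
        set -- $q
        printf '%-10s from %-15s -> %s\n' "$1" "$2" \
            "$(tw_decide "$1" "$2" "$twdir/hosts.allow" "$twdir/hosts.deny")"
    done
    rm -rf "$twdir"
}

tw_demo
```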

<sect1>FTP Anonymous users
<p>
	Disable anonymous FTP to your box by editing /etc/ftpaccess and change the
	common first line that looks like:

<code>
		class   all   real,guest,anonymous  *

</code>
	...to this (notice that the words &dquot;guest&dquot; and &dquot;anonymous&dquot; are gone):

<code>
		class   all   real *

</code>
<sect1>Shadow Passwords
<p>
In most early Linux distributions, all users' passwords were stored in the 
/etc/passwd file, encrypted with the "crypt" function.  The problem with this
setup was that anyone could get hold of these encrypted passwords, and crypt's
encryption was very poor, so the passwords could then be broken with publicly
available tools.  More recently, the shadow system was implemented: passwords
are hashed with the MD5 algorithm and the resulting MD5 hashes are placed in
/etc/shadow.
<p>
To quickly see if your machine is "shadow" enabled, look at the 
"/etc/passwd" file.  In this file, you will see the username, password,
UserID (UID), GroupID (GID), Home Directory, and the user's default shell all
separated by colons (:).  Anyway, if you see "x"s in the second left-hand
field, the password field, then you are done!  If you DON'T see "x"s in that
field.. you need to follow these directions or better yet.. get a newer 
distribution!
<p>

<sect2>Slackware 3.x
<p>
Slackware v3.2 did not come with Shadow passwords enabled but v3.4+ does.
For several reasons, I recommend that you just upgrade to Slackware v3.4
if you are running an older Slackware distribution.  The upgrade will fix 
numerous security issues and has many other features as well.


<sect2>Redhat
<p>
Redhat5, out of the box, does NOT do shadow passwords (stupid) but it
is fixed in RH 6.1 and onward.  

Confirm that your system is using SHADOW passwords by looking at the 
/etc/passwd file and make sure that the second left-hand field next to the
username is a &dquot;:x:&dquot;.  If so, make sure everything in this section is
setup the same on your box.

If it isn't do the following:

	- login as root

	- type in &dquot;pwconv&dquot;

		- This will convert the /etc/passwd file and move the
		  encrypted passwords over to /etc/shadow and change the encryption
		  algorithm from the weak &dquot;crypt&dquot; system to &dquot;md5&dquot;

			- More info is available in &dquot;/usr/doc/pam-0.64/txts/pam.txt&dquot;

		- NOTE:  Passwords longer than 8 characters will NOT work.  If you use
				a longer password, prepare NOT to be able to log in again!


	- Edit the /etc/pam.d/passwd file and change the bottom lines

		NOTE:  There are (2) methods shown below.  Crypt is the OLD UNIX
			  method and is considered weak.  The newer method uses MD5
			  hashing.  I recommend the MD5 method.

 		So, edit the file and change it to the following:

		   For MD5 hashing (more secure and recommended):
<code>
			--
			auth       required     /lib/security/pam_pwdb.so shadow nullok
			account    required     /lib/security/pam_pwdb.so
			password   required     /lib/security/pam_cracklib.so retry=3
			password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok md5
			--

</code>
		   For normal CRYPT hashing:
<code>
			--
			auth       required     /lib/security/pam_pwdb.so shadow nullok
			account    required     /lib/security/pam_pwdb.so
			password   required     /lib/security/pam_cracklib.so retry=3
			password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
			--
</code>


<sect1>Disable ROOT TELNET/SSH access 
<p>
	By default, most Linux distributions don't allow direct &dquot;root&dquot; logins 
	via TELNET or SSH.  This is considered good security: an attacker who
	guesses or sniffs the root password still needs a second account to use
	it, and every root session is tied to the user who ran &dquot;su&dquot;.

	Two different files control this.  /etc/securetty is read by login(1)
	(and pam_securetty) and lists the ttys root may log in on; it only
	affects TELNET, rlogin and the console.  SSH ignores it entirely: root
	logins over SSH are governed by the &dquot;PermitRootLogin&dquot; line in
	/etc/ssh/sshd_config, which should read &dquot;PermitRootLogin no&dquot;.

		- If you DO need to login via telnet as root then edit or create
		  the /etc/securetty file and ADD the following (telnetd hands out
		  the pseudo-ttys in this order):

<code>
			ttyp0
			ttyp1
			ttyp2
</code>

Please note that newer Linux distributions now use the DevFS system, which
names the virtual consoles vc/1, vc/2, etc. (instead of tty1, tty2) and the
pseudo-ttys pts/0, pts/1, etc. (instead of ttyp0, ttyp1).  If your system uses
DevFS, you should add the following in addition to the "ttyp0, ttyp1, etc."
lines.  If you are using DevFS full time, you can delete the ttyp0, etc. lines.

<code>
            vc/1
            vc/2
</code>

		**** REMOVE THESE NEW LINES (or put &dquot;&num;&dquot;s IN FRONT OF THEM)
			AS SOON AS YOU ARE DONE! ****


<sect1>Disable ROOT FTP access 
<p>

	Some Linux distributions do not ship an /etc/ftpusers file.  Despite its
	name, this file is a DENY list: any username listed in it is NOT allowed
	to FTP in (wu-ftpd and most other FTP daemons honour it).  Letting root
	FTP in is POOR security, not least because the root password then
	crosses the network in clear text.  By putting the word &dquot;root&dquot; into
	this file, you disable FTP logins from &dquot;root&dquot;.

		- If you ever need to FTP into the linux box as ROOT (you shouldn't
		  be able to by default),  edit the &dquot;/etc/ftpusers&dquot; file and put a 
		  &dquot;&num;&dquot; in front of &dquot;root&dquot;.  

		  NOTE:  If the /etc/ftpusers file DOESN'T already exist, just create it.
			   Once you are done, LEAVE it there with at least the line &dquot;root&dquot;
			   without a &dquot;&num;&dquot; in front of it.

<verb>
		*********************************************************
		**** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE ****
		****       SINCE THIS IS A BIG SECURITY ISSUE        ****
		*********************************************************
</verb>
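The following shell script is an added example, not part of TrinityOS or its security script.  It checks the three files that decide whether root can log in remotely: /etc/securetty (login(1) over telnet and rlogin), the PermitRootLogin line in /etc/ssh/sshd_config (sshd ignores securetty), and /etc/ftpusers.  The optional root-prefix argument and the two sample /etc trees it builds are assumptions made for the demonstration; run it with an empty prefix against the live box.

```shell
#!/bin/sh
# Added example (not TrinityOS code): audit the files that control remote
# root logins.  Every check takes a root prefix (assumed; "" for the live
# system, or a directory holding a copied /etc), prints one line and
# returns 0 for OK or 1 for a finding.

# /etc/securetty: read by login(1)/pam_securetty.  A pseudo-tty entry
# (ttyp* on old kernels, pts/* under devfs) lets root log in over telnet
# or rlogin.  sshd does not consult this file at all.
securetty_check() {
    f="$1/etc/securetty"
    if [ ! -f "$f" ]; then
        echo "securetty: missing, so login(1) cannot restrict root by tty"
        return 1
    fi
    ptys=$(grep -v '^#' "$f" | grep -E '^(ttyp[0-9a-f]+|pts/[0-9]+)$' | tr '\n' ' ')
    if [ -n "$ptys" ]; then
        echo "securetty: root may log in on pseudo-ttys: $ptys"
        return 1
    fi
    echo "securetty: only console ttys listed"
    return 0
}

# sshd: the first uncommented PermitRootLogin wins.  Unset means the
# compiled-in default, which on the OpenSSH releases of this era is "yes".
sshd_check() {
    f="$1/etc/ssh/sshd_config"
    if [ ! -f "$f" ]; then
        echo "sshd_config: not present, skipping"
        return 0
    fi
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$f")
    case "$val" in
        no) echo "sshd_config: PermitRootLogin no"; return 0 ;;
        "") echo "sshd_config: PermitRootLogin not set (default applies)"; return 1 ;;
        *)  echo "sshd_config: PermitRootLogin $val"; return 1 ;;
    esac
}

# /etc/ftpusers is a DENY list: an uncommented "root" line refuses root.
ftpusers_check() {
    f="$1/etc/ftpusers"
    if [ -f "$f" ] && grep -qE '^[[:space:]]*root[[:space:]]*$' "$f"; then
        echo "ftpusers: root listed, FTP logins as root refused"
        return 0
    fi
    echo "ftpusers: root NOT listed (file missing or line commented out)"
    return 1
}

audit_root_logins() {        # audit_root_logins ROOTPREFIX -> 0 if all three checks pass
    rc=0
    securetty_check "$1" || rc=1
    sshd_check "$1"      || rc=1
    ftpusers_check "$1"  || rc=1
    return $rc
}

# Constructed sample trees: mk_tree TTY PERMITROOTLOGIN FTPUSERS_LINE
mk_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    printf 'tty1\ntty2\n%s\n' "$1" > "$d/etc/securetty"
    printf '# PermitRootLogin yes\nPermitRootLogin %s\n' "$2" > "$d/etc/ssh/sshd_config"
    printf '%s\n' "$3" > "$d/etc/ftpusers"
    echo "$d"
}

BAD=$(mk_tree ttyp0 yes '#root')     # root can telnet, ssh and ftp in
GOOD=$(mk_tree tty3 no root)          # root limited to the console

echo "--- bad box ---";  audit_root_logins "$BAD" || echo "FINDINGS: fix the lines above"
echo "--- good box ---"; audit_root_logins "$GOOD"
```

On a real box call `audit_root_logins ""` from a root shell; a non-zero exit means at least one of the three doors is open.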



<sect1>Disable miscellaneous cron stuff 
<p>

	* When users install Redhat, they usually install more programs than they 
	  plan to initially use.  Though Redhat lets users later choose which 
	  daemons are and are NOT run upon boot, that does NOT disable the cron
	  jobs those packages dropped into /etc/cron.*, so the jobs keep running
	  (and keep their code reachable) for software nobody uses.

      As mentioned before in this section, if you don't plan on using a
      given package, don't just disable its cron entry: delete the package
      altogether as described above.  Disabling an entry by hand is only for
      packages you want to keep installed.

<sect2>	  Redhat users:
<p>
		**NOTE**: DON'T disable: logrotate, tmpwatch, updatedb.cron, makewhatis.cron			

		- Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and
		  /etc/cron.monthly and make sure that nothing is installed that you
		  don't want.  For example, I had to do the following for RH 5.2:

<code>
			mkdir -m 700 /etc/cron.disabled
			mkdir -m 700 /etc/cron.disabled/cron.hourly
			mkdir -m 700 /etc/cron.disabled/cron.daily

			mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly
			mv /etc/cron.daily/inn-cron-expire /etc/cron.disabled/cron.daily
			mv /etc/cron.daily/inn-cron-rnews /etc/cron.disabled/cron.daily
			mv /etc/cron.daily/tetex.cron /etc/cron.disabled/cron.daily
</code>

	
<sect2>	Slackware Users:						
<p>
		**NOTE**: DON'T disable: updatedb.cron			


		- Realistically, you won't have the same issues as Redhat users because
		  Slackware doesn't have as many bells and whistles as RH does.  BUT,
		  check to make sure.  All of Slackware's cron configuration is stored
		  here.

<code>
			less /var/spool/cron/crontabs/root
</code>


<sect1>File Permission corrections 
<p>
	A lot of the default file permissions on Linux distributions make far too
	many administrative and information-gathering tools (network setup, disk
	and partition utilities, package management, daemons) executable by every
	user on the box.  An ordinary user, or an attacker who has got that far,
	has no business running them.  Some people might think that some of these
	are paranoid but I'd rather be safe than sorry:


	NOTE:    Most of these permissions reflect Redhat 5.2 but most will apply to
		     any Linux distribution.

	NOTE2:  If you receive any ERRORs when applying these changes, don't worry.  
            That just means you don't have that package installed.

	NOTE3:  These files are (mostly) owned by root with group root, so 750 means
            &dquot;root only&dquot; unless you chgrp a file to a group of trusted users
            (as is done for /bin/su below).  Also, RPM remembers the vendor
            permissions: &dquot;rpm -V&dquot; will report every one of these as a mode
            change (the &dquot;M&dquot; column) and a package upgrade puts the vendor
            permissions back, so re-apply the list after upgrades.

It is highly recommended that you apply these permissions via the
TrinityOS-security script to avoid typing mistakes and save time.


<code>
&num; Files in /dev
chmod 660 /dev/lp*

&num; Files in /bin
echo &dquot;Bru is a commercial backup program but some Linux distributions come with it&dquot;
chmod 750 /bin/bru
chmod 750 /bin/linuxconf
&num; mount/umount ship set-uid root so ordinary users can mount &dquot;user&dquot; entries
&num; from /etc/fstab; 750 strips that bit, so only root can mount anything.
chmod 750 /bin/mount
chmod 750 /bin/mt
chmod 750 /bin/rpm
chmod 750 /bin/setserial
&num; su keeps its set-uid bit but only members of group &dquot;adm&dquot; may run it.
&num; Put your own account into adm FIRST or you will have to go to the
&num; console to become root.
chmod 4750 /bin/su
chgrp adm /bin/su
chmod 750 /bin/umount

&num; Files in /sbin
chmod 750 /sbin/accton
chmod 750 /sbin/badblocks
chmod 750 /sbin/ctrlaltdel
chmod 750 /sbin/chkconfig
chmod 750 /sbin/chkraid
chmod 750 /sbin/debugfs
chmod 750 /sbin/depmod
chmod 750 /sbin/dhcpcd
chmod 750 /sbin/dump*
chmod 750 /sbin/fdisk
chmod 750 /sbin/fsck*
chmod 750 /sbin/ftl*
chmod 750 /sbin/getty
chmod 750 /sbin/halt
chmod 750 /sbin/hdparm
chmod 750 /sbin/hwclock
chmod 750 /sbin/ide_info
chmod 750 /sbin/if*
chmod 750 /sbin/init
chmod 750 /sbin/insmod
echo &dquot;IPFWADM is only installed for v2.0 kernels&dquot;
chmod 750 /sbin/ipfwadm
chmod 750 /sbin/ipx*
chmod 750 /sbin/isapnp
chmod 750 /sbin/kerneld
chmod 750 /sbin/killall*
echo &dquot;This is the new location for klogd.  Please disregard any errors if this doesn't work.&dquot;
chmod 750 /sbin/klogd
chmod 750 /sbin/lilo
chmod 750 /sbin/mgetty
chmod 750 /sbin/mingetty
chmod 750 /sbin/mk*
chmod 750 /sbin/mod*
chmod 750 /sbin/netreport
chmod 750 /sbin/pam*
chmod 750 /sbin/pcinitrd
chmod 750 /sbin/pnpdump
chmod 750 /sbin/portmap
chmod 750 /sbin/quotaon
chmod 750 /sbin/raidadd
chmod 750 /sbin/restore
chmod 750 /sbin/runlevel
chmod 750 /sbin/stinit
echo &dquot;This is the old location for klogd.  Please disregard any errors if this doesn't work.&dquot;
chmod 750 /sbin/syslogd
chmod 750 /sbin/swapon
chmod 750 /sbin/tune2fs
chmod 750 /sbin/uugetty
chmod 750 /sbin/vgetty

echo &dquot;Files in /usr/bin&dquot;
chmod 750 /usr/bin/control-panel
chmod 750 /usr/bin/comanche
chmod 750 /usr/bin/eject
chmod 750 /usr/bin/glint
chmod 750 /usr/bin/gnome*
chmod 750 /usr/bin/gpasswd
chmod 750 /usr/bin/ipx*
chmod 750 /usr/bin/kernelcfg

&num; The stock lpq/lpr/lprm ship set-uid root AND set-gid lp (see the listing
&num; below).  These two lines drop the set-gid bit everywhere and the set-uid
&num; bit from everything but lpr, so check that lpq and lprm still work for
&num; ordinary users afterward.
chmod 755 /usr/bin/lp*
chmod 4755 /usr/bin/lpr

&num;NOTE: I feel setting &dquot;lpr&dquot; to allow any group to execute it is 
&num;	 a bad thing.  
&num;
&num;	 I would like to add UNIX users and even the Samba process to 
&num;	 the &dquot;lp&dquot; group already defined in /etc/groups and then be able 
&num;	 to put things back to 4750.  BUT, I just talked to a buddy 
&num;	 of mine and this really isn't possible.  Linux doesn't support
&num;	 multiple groups per file and Linux doesn't support access lists
&num;	 (ACLs) yet.  So, you either have to do all this or run LPRng.
&num;
&num;	 Stock permissions are:
&num;		-r-sr-sr-x    1 root     lp          15436 Oct 17 06:49 lpq
&num;		-r-sr-sr-x    1 root     lp          16176 Oct 17 06:49 lpr
&num;		-r-sr-sr-x    1 root     lp          16132 Oct 17 06:49 lprm

chmod 750 /usr/bin/mformat
chmod 750 /usr/bin/minicom
chmod 750 /usr/bin/mtools
chmod 750 /usr/bin/netcfg
chmod 750 /usr/bin/rusers
chmod 750 /usr/bin/rwall
chmod 750 /usr/bin/uucp


echo &dquot;Files in /usr/sbin&dquot;
chmod 750 /usr/sbin/am*
chmod 750 /usr/sbin/at*
chmod 750 /usr/sbin/automount
chmod 750 /usr/sbin/bootp*
chmod 750 /usr/sbin/crond
chmod 750 /usr/sbin/dhc*
chmod 750 /usr/sbin/dip
chmod 750 /usr/sbin/dump*
chmod 750 /usr/sbin/edquota
chmod 750 /usr/sbin/exportfs
chmod 750 /usr/sbin/fixmount
chmod 750 /usr/sbin/ftpshut
chmod 750 /usr/sbin/gated
chmod 750 /usr/sbin/group*
chmod 750 /usr/sbin/grp*
chmod 750 /usr/sbin/imapd
chmod 750 /usr/sbin/in.*
chmod 750 /usr/sbin/inetd
chmod 750 /usr/sbin/ipop*
echo &dquot;This is the old location for klogd.  Please disregard any errors if this doesn't work.&dquot;
chmod 750 /usr/sbin/klogd
chmod 750 /usr/sbin/logrotate
chmod 750 /usr/sbin/lp*
chmod 755 /usr/sbin/lsof
chmod 750 /usr/sbin/makemap
chmod 750 /usr/sbin/mk-amd-map
chmod 750 /usr/sbin/mouseconfig
chmod 750 /usr/sbin/named*
chmod 750 /usr/sbin/nmbd
chmod 750 /usr/sbin/newusers
chmod 750 /usr/sbin/ntp*
chmod 750 /usr/sbin/ntsysv
chmod 750 /usr/sbin/pppd
chmod 750 /usr/sbin/pnpprobe
chmod 750 /usr/sbin/pw*
chmod 750 /usr/sbin/quota*
chmod 750 /usr/sbin/rdev
chmod 750 /usr/sbin/rdist
chmod 750 /usr/sbin/repquota
chmod 750 /usr/sbin/rhbackup
chmod 750 /usr/sbin/rotatelogs
chmod 750 /usr/sbin/rpc*
chmod 750 /usr/sbin/rwhod
chmod 750 /usr/sbin/samba
chmod 750 /usr/sbin/setup
chmod 750 /usr/sbin/showmount
chmod 750 /usr/sbin/smb*
chmod 750 /usr/sbin/sndconfig
chmod 750 /usr/sbin/snmp*
chmod 750 /usr/sbin/squid
echo &dquot;This is the old location for sysklogd.  Please disregard any errors if this doesn't work.&dquot;
chmod 750 /usr/sbin/syslogd
chmod 750 /usr/sbin/taper
chmod 750 /usr/sbin/tcpd*
chmod 750 /usr/sbin/time*
chmod 750 /usr/sbin/tmpwatch
chmod 750 /usr/sbin/tunelp
chmod 750 /usr/sbin/user*
chmod 750 /usr/sbin/uu*
chmod 750 /usr/sbin/vi*
chmod 750 /usr/sbin/wire-test
chmod 750 /usr/sbin/xntp*
</code>
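As an added example (not TrinityOS code), here is a way to keep a list like the one above as a baseline file and check the box against it.  It also answers the upgrade problem mentioned in NOTE3: it reports only what drifted and fixes only that, so a re-run after an RPM upgrade is a no-op unless something changed.  It assumes GNU stat (any Linux) and builds a small constructed tree for the demonstration; the baseline format (path, mode, optional group) is my own.

```shell
#!/bin/sh
# Added example (not TrinityOS code): keep the permission list above as a
# baseline file and check the box against it, instead of re-typing hundreds
# of chmods and hoping.  Assumes GNU stat (Linux).  Missing paths are
# skipped, as NOTE2 above says: it just means the package isn't installed.
#
# Baseline format, one entry per line, '#' comments allowed:
#   /bin/su     4750  adm       <- path, mode, optional required group
#   /bin/mount  750

# perm_drift BASELINE [ROOTPREFIX]
# Prints "path current wanted" (each as mode:group, "-" = any group) for
# every entry that exists but does not match.  Silent when all is well.
perm_drift() {
    root="${2:-}"
    grep -v '^[[:space:]]*#' "$1" | while read -r path mode grp; do
        [ -n "$path" ] || continue
        target="$root$path"
        [ -e "$target" ] || continue
        cur=$(stat -c '%a' "$target")
        curgrp=$(stat -c '%G' "$target")
        [ -n "$grp" ] || grp='-'
        if [ "$cur" != "$mode" ] || { [ "$grp" != "-" ] && [ "$curgrp" != "$grp" ]; }; then
            echo "$path $cur:$curgrp $mode:$grp"
        fi
    done
}

# perm_apply BASELINE [ROOTPREFIX]
# Fixes only what perm_drift reports, so a re-run is a no-op and the
# output is an audit trail of what actually changed.
perm_apply() {
    root="${2:-}"
    perm_drift "$1" "$root" | while read -r path cur want; do
        mode=${want%%:*}
        grp=${want#*:}
        chmod "$mode" "$root$path"
        if [ "$grp" != "-" ]; then chgrp "$grp" "$root$path"; fi
        echo "fixed $path: $cur -> $want"
    done
}

# Constructed demo tree: a set-uid su that is still world-executable and a
# mount that is still 755, plus a baseline entry for a file that isn't there.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    touch "$d/bin/su" "$d/bin/mount"
    chmod 4755 "$d/bin/su"
    chmod 755 "$d/bin/mount"
    printf '# demo baseline\n/bin/su 4750\n/bin/mount 750\n/bin/bru 750\n' > "$d/baseline"
    echo "$d"
}

D=$(make_demo)
echo "--- drift before ---"; perm_drift "$D/baseline" "$D"
echo "--- apply ---";        perm_apply "$D/baseline" "$D"
echo "--- drift after ---";  perm_drift "$D/baseline" "$D"
```

Turn the chmod list above into the baseline (one `path mode` pair per line, `4750 adm` for su) and run `perm_drift /etc/info/perms-baseline` from cron: anything it prints is either an upgrade that reset permissions or someone tampering with a system binary.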


<sect1>SUID ROOT PROGRAMS 
<p>

	- List every SUID ROOT and SGID program on the box (programs that run with
	  the privileges of their owner or group rather than those of the user who
	  started them).  Nothing on that list should be WRITABLE by anyone but
	  root, and nothing should be there that you can't account for.  To build
	  the list, execute the following command (per <url url="http://rlz.ne.mediaone.net/linux/index.html">):

<code>
		mkdir -m700 /etc/info
		find / -type f \( -perm -04000 -o -perm -02000 \) -ls &gt; /etc/info/suid-results
</code>


	  So what do you do with these results?  

		Figure out which SUID programs you need and note what and where they are.
		The point is to make sure that no unknown programs get added to this list
		later.  Why not just strip the SUID bit from everything?  Because most
		programs that ship SUID ROOT *must* be that way or they won't work right
		(su, passwd, ping and mount all need it).

		But, for example, GnuPlot on a recent copy of SuSE was found SUID though 
		it shouldn't have been.  Later, a person on BugTraq found this and created
		both a root exploit and patch for it.  So, this is where you can be proactive 
		and fix things.

		For the SUID programs you don't need or don't recognise, change their
		permissions to 700 (chmod 700 on each file BY NAME, never a blanket
		&dquot;chmod 700 *&dquot; in a system directory) or, better yet, set them to 700
		AND move them to a temporary directory, then delete them once you are
		SURE you don't need the programs.


		***  Once you have resolved all your SUID issues, rename this 
		*** /etc/info/suid-results file to /etc/info/suid-results-checked and then
		*** fix the permissions:

<code>
			mv /etc/info/suid-results /etc/info/suid-results-checked
			chmod 600 /etc/info/suid-results-checked
</code>

		We will use this file later as a template file to check for changed SUID 
		files in <ref id="sect-9" name="Section 9">


<sect1>Looking for R-command files 
<p>

Much like looking for SUID files above, it is also a good idea to look for
the trust files used by the BSD r-commands (rlogin, rsh, rcp).  A host or
host/user pair listed in a user's ~/.rhosts or in /etc/hosts.equiv can log in
as that user with NO password, and an entry of &dquot;+&dquot; trusts everybody.
Search by file name (the old &dquot;find / | grep&dquot; approach matches any path
with &dquot;rhosts&dquot; in it):


<code>
	find / \( -name .rhosts -o -name hosts.equiv \) -print &gt; /etc/info/rcmd-results
</code>

Once you have reviewed this /etc/info/rcmd-results file for any entries that
DON'T belong in there, rename it and fix its permissions:

<code>
		mv /etc/info/rcmd-results /etc/info/rcmd-results-checked
		chmod 600 /etc/info/rcmd-results-checked
</code>
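The following is an added example, not part of TrinityOS: a normalised SUID/SGID inventory that can be diffed against the checked baseline (the -ls output above carries inode numbers, sizes and dates, so two runs never compare cleanly), the narrower search for set-id files that are also group- or world-writable, and a scan of .rhosts and hosts.equiv files that flags the "+" wildcard.  The directory tree it builds is constructed for the demonstration; run the functions against / on a real box.

```shell
#!/bin/sh
# Added example (not TrinityOS code): a normalised set-uid/set-gid inventory
# that can be diffed, plus the two follow-up checks this section asks for:
# set-id files that are also group/world-writable, and .rhosts or
# hosts.equiv files that trust everybody.  "find -ls" output (used above)
# carries inode numbers, sizes and timestamps, so two runs never diff
# cleanly; here each entry is reduced to "mode owner group path".
# Assumes GNU find/stat/comm (Linux).
export LC_ALL=C

# suid_inventory ROOT -> sorted "mode owner group path" lines
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} \; | sort
}

# suid_writable ROOT -> set-id files that group or others can also write:
# anyone in that group (or anyone at all) can replace the program and run
# their own code with its privileges.
suid_writable() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) -exec stat -c '%a %U %G %n' {} \;
}

# suid_compare BASELINE ROOT -> "+ entry" for new, "- entry" for gone or
# changed (a mode change shows as one "-" and one "+"); returns 1 if
# anything differs from the checked baseline
suid_compare() {
    now=$(mktemp)
    suid_inventory "$2" > "$now"
    added=$(comm -13 "$1" "$now")
    removed=$(comm -23 "$1" "$now")
    rm -f "$now"
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# rhosts_scan ROOT -> one line per trust file; WILDCARD when a "+" entry
# (any host and/or any user) appears
rhosts_scan() {
    find "$1" \( -name .rhosts -o -name hosts.equiv \) -type f -print | sort |
    while read -r f; do
        if grep -qE '(^|[[:space:]])\+([[:space:]]|$)' "$f"; then
            echo "WILDCARD $f"
        else
            echo "found $f"
        fi
    done
}

# Constructed demo tree (not a real system).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/home/bob"
    touch "$d/bin/su" "$d/bin/passwd" "$d/bin/uucp" "$d/home/bob/.rhosts"
    chmod 4755 "$d/bin/su" "$d/bin/passwd"
    chmod 2775 "$d/bin/uucp"                    # set-gid AND group-writable
    echo '+ +' > "$d/home/bob/.rhosts"           # trusts every host and user
    echo "$d"
}

D=$(make_demo)
suid_inventory "$D" > "$D/suid-results-checked"     # the reviewed baseline
echo "--- writable set-id files ---";    suid_writable "$D"
touch "$D/bin/gnuplot"; chmod 4755 "$D/bin/gnuplot"  # appeared after the review
echo "--- changes since baseline ---";   suid_compare "$D/suid-results-checked" "$D" || echo "(review the + and - lines above)"
echo "--- r-command trust files ---";    rhosts_scan "$D"
```

On a real box, generate /etc/info/suid-results-checked with `suid_inventory /` once you have reviewed it, and run `suid_compare` from the nightly log job; its non-zero exit is the signal that something set-id appeared, vanished or changed mode.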


<sect1>Fix Xwindows permissions 
<p>

	* This directory holds the X server's UNIX-domain sockets.  It was involved
	  in an Xfree86 exploit a while back but, patched or not, I still feel the
	  sticky bit on /tmp/.X11-unix should be set so that no user can delete or
	  replace another user's socket.  Do this while X is NOT running: removing
	  the directory under a live server deletes its listening socket.

<code>
		rm -rf /tmp/.X11-unix
		mkdir -p -m 1777 /tmp/.X11-unix
		&num; -m 1777 already set the sticky bit; this just makes it explicit
		chmod o+t /tmp/.X11-unix
</code>


<!-- Section 9 -->
<sect>Advanced System Logging and some Cool Tips<label id="sect-9">
<p>
<sect1>SYSLOG tuning 
<p>

- SYSLOG is the main UNIX logging tool.  With it, you can set logging anywhere
	from very high level to extremely detailed and send each logging stream
	(a facility such as mail or kern, at a given priority and above) to a
	different file.  Trust me, SYSLOG is your friend!

	Edit /etc/syslog.conf and -ADD- the following lines if they aren't
	already in there.  A selector like &dquot;*.warn&dquot; means that priority and
	everything above it, so &dquot;*.warn;*.err&dquot; is just a belt-and-braces way
	of writing &dquot;*.warn&dquot;:

		*******
		* NOTE!!!  All space from the left and right columns MUST BE TABS.
		*          If they are SPACEs, syslog will NOT load!  Kinda stupid eh?
		*

	Redhat users:

<code>
		*.warn;*.err                                    /var/log/syslog
		auth.*;user.*;daemon.none                       /var/log/loginlog
		kern.*                                          /var/log/kernel
</code>

 	Slackware users:

<code>
		*.warn;*.err                                    /var/adm/syslog
		mail.*                                          /var/adm/maillog
		auth.*;user.*;daemon.none                       /var/adm/loginlog
		kern.*                                          /var/adm/kernel
</code>


	
	All Distributions:  Once you have edited the /etc/syslog.conf file, save your
				  changes and exit the editor.  Now, the following files must 
				  be created for SYSLOG to work, since syslogd will not create
				  them itself (Slackware users: the same three files under
				  /var/adm instead of /var/log):

<code>
		touch /var/log/syslog
		touch /var/log/loginlog
		touch /var/log/kernel
</code>
	Next, you might see in your /var/log/messages and /var/log/syslog files lines 
		that look like: 

<code>
			--
			Nov 28 08:25:42 hostname -- MARK --
			--
</code>

		This is the SYSLOG daemon telling you that SYSLOG is running but had
		nothing to report. If you don't like this behavior, you can disable
		it by editing the following file and changing the MARK time out.

			In /etc/rc.d/init.d/syslog, find the line that says:

<code>
				--
				daemon syslogd
				--
</code>

			and replace it with:

<code>
				--
				daemon syslogd -m 0
				--
</code>

		To make ALL of the above changes go into effect, run:

<itemize>
	<item>Redhat:		killall -HUP syslogd
	<item>Slackware: 	kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print &dollar;2}'`
</itemize>



	Next, tighten the permissions on these new files (and on the existing log
	files); the logs record usernames, addresses and failed-login details that
	an attacker would love to read:

<sect2>		Redhat:
<p>
<code>
		chmod 600 /var/log/syslog
		chmod 600 /var/log/loginlog
		chmod 600 /var/log/kernel
		echo &dquot;Make sure old SYSLOG file perms are ok too.&dquot;
		chmod 600 /etc/syslog.conf
		chmod 600 /var/log/cron
		chmod 700 /var/log/httpd
		chmod 600 /var/log/httpd/*
		chmod 600 /var/log/maillog
		chmod 600 /var/log/messages
		chmod 600 /var/log/mysql
		chmod 600 /var/log/netconf.log
		chmod 700 /var/log/samba
		chmod 600 /var/log/samba/*
		chmod 600 /var/log/sendmail.st
		chmod 600 /var/log/secure
		chmod 600 /var/log/spooler
		chmod 700 /var/log/squid
		chmod 600 /var/log/squid/*
		chmod 600 /var/log/xferlog
</code>


<sect2>		Slackware:
<p>
<code>
		chmod 600 /var/adm/syslog
		chmod 600 /var/adm/loginlog
		chmod 600 /var/adm/kernel
		chmod 600 /etc/syslog.conf
</code>

Ok, now restart SYSLOG:

<itemize>
	<item>Redhat:		killall -HUP syslogd
	<item>Slackware: 	kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print &dollar;2}'`
</itemize>
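Before HUPing syslogd it is worth checking the config for the two mistakes this section warns about.  The following is an added example, not TrinityOS code: it lints a syslog.conf for selector/action pairs separated by spaces instead of a TAB and for file targets that do not exist yet, and can create the missing ones with mode 600.  The optional root-prefix argument and the sample config are assumptions made for the demonstration; GNU awk or mawk is assumed.

```shell
#!/bin/sh
# Added example (not TrinityOS code): lint a syslog.conf before HUPing
# syslogd.  It checks the two things that silently bite on the old sysklogd
# as described above: selector and action must be separated by a TAB, and
# every file action must already exist (syslogd does not create them).
# ROOTPREFIX is an assumed optional argument so a copied tree can be
# checked; "" means the live system.

# syslog_lint CONF [ROOTPREFIX] -> prints findings, returns 1 if any
syslog_lint() {
    awk -F'\t' -v root="${2:-}" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        NF < 2 {
            printf "line %d: selector and action are not separated by a TAB: %s\n", NR, $0
            bad = 1; next
        }
        {
            act = $NF
            gsub(/^[ \t]+|[ \t]+$/, "", act)
            sub(/^-/, "", act)           # leading "-" = no fsync, not part of the path
            # only plain file targets; skip /dev/ttyN, @remote, |pipe and "*"
            if (act ~ /^\// && act !~ /^\/dev\//) {
                if (system("[ -e \"" root act "\" ]") != 0) {
                    printf "line %d: log file %s does not exist\n", NR, act
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# syslog_create_missing CONF [ROOTPREFIX] -> creates each missing file
# target with mode 600 (the "touch" + "chmod 600" steps above, derived
# from the config instead of typed by hand)
syslog_create_missing() {
    root="${2:-}"
    awk -F'\t' 'NF >= 2 && $0 !~ /^[ \t]*#/ {
            a = $NF; gsub(/^[ \t]+|[ \t]+$/, "", a); sub(/^-/, "", a)
            if (a ~ /^\// && a !~ /^\/dev\//) print a
        }' "$1" |
    while read -r f; do
        if [ ! -e "$root$f" ]; then
            mkdir -p "$(dirname "$root$f")"
            : > "$root$f"
            chmod 600 "$root$f"
            echo "created $root$f (mode 600)"
        fi
    done
}

# Constructed sample config: line 3 names a file that doesn't exist yet and
# line 4 uses spaces instead of a TAB (the classic mistake).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log"
    : > "$d/var/log/messages"
    {
        printf '# constructed syslog.conf\n'
        printf '*.info;mail.none\t-/var/log/messages\n'
        printf 'kern.*\t/var/log/kernel\n'
        printf 'auth.*;user.*;daemon.none    /var/log/loginlog\n'
        printf '*.emerg\t*\n'
    } > "$d/syslog.conf"
    echo "$d"
}

D=$(make_demo)
echo "--- lint ---";   syslog_lint "$D/syslog.conf" "$D" || echo "(fix these before HUPing syslogd)"
echo "--- create ---"; syslog_create_missing "$D/syslog.conf" "$D"
echo "--- lint again: only the TAB problem should remain ---"
syslog_lint "$D/syslog.conf" "$D" || echo "(still one finding)"
```

On the live box run `syslog_lint /etc/syslog.conf` and only HUP syslogd when it exits 0; `syslog_create_missing /etc/syslog.conf` replaces the hand-typed touch/chmod list above.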

<sect1>Log Rotations 
<p>

	Stock Redhat comes with a tool that will take your SYSLOG log files, rename
	them to the day they came from, optionally compress them, and then restart
	the log files for the next day.  This is very handy as SYSLOG files can
	get VERY large.  If you are using some other Linux distribution that doesn't
	have this feature, I highly recommend installed a program that will do this
	for you (there are many to choose from).

	- Redhat:	

	Next, allow the new log files to be rotated as well.  Note that
	/var/log/kernel is written by syslogd (it is the &dquot;kern.*&dquot; line in
	syslog.conf), NOT by klogd: klogd only reads the kernel ring buffer and
	hands the messages to syslogd.  So all three files need the same
	postrotate action, a HUP to syslogd so it reopens its output files;
	restarting klogd (let alone with -9) does nothing for them.  Add the
	following to /etc/logrotate.d/syslog:

<code>
--
/var/log/kernel /var/log/loginlog /var/log/syslog {
	sharedscripts
	postrotate
	/usr/bin/killall -HUP syslogd
	endscript
}
--
</code>


	Also.. I highly recommend that you edit the /etc/logrotate.conf file
	and do the following:

		Find &dquot;&num;compress&dquot; and remove the &dquot;&num;&dquot; so it only says &dquot;compress&dquot;.
		This makes logrotate compress the rotated log files with Gzip.


		I also recommend that you comment out the wtmp and lastlog sections
		so they look like this:

		&lsqb; Why?  If these files are rotated, you won't be easily able to	&rsqb;
		&lsqb;	tell when users have logged in (&dquot;last&dquot; reads wtmp and		&rsqb;
		&lsqb;	&dquot;lastlog&dquot; reads lastlog).					&rsqb;

<code>
			&num;&num; no packages own lastlog or wtmp -- we'll rotate them here
			&num;/var/log/wtmp {
			&num;    monthly
			&num;    rotate 1
			&num;}

			&num;/var/log/lastlog {
			&num;    monthly
			&num;    rotate 1
			&num;}
</code>

	Finally, some log files explicitly default to no-compression.  Why?
		I recommend to add a &dquot;&num;&dquot; before the &dquot;nocompress&dquot; line in each of the 
		following files:

<code>
			/etc/logrotate.d/ftpd
			/etc/logrotate.d/linuxconf
			/etc/logrotate.d/sendfax
</code>

			There might be other files in this directory.  Check each
			one of them.


	Lastly, I recommend to go into the /etc/logrotate.d/ directory and MOVE
		log config files that you KNOW you won't be using to a &dquot;disabled&dquot;
		directory.  This is completely dependant on the services that you
		installed and then on which ones you opted to NOT run.

    As mentioned before, for packages that you KNOW you won't ever use, instead
    of disabling the logrotation for a given package, DELETE the entire package
    either using RPM or PKGDEL.

		To manually disable things:

<code>
			mkdir -m 700 /etc/logrotate.d.disabled
			mv /etc/logrotate.d/mysql /etc/logrotate.d.disabled
			mv /etc/logrotate.d/squid /etc/logrotate.d.disabled
</code>


<sect1>Cool rc.local tips and LOGIT for logging troubleshooting  
<p>
  - Edit the &dquot;/etc/rc.d/rc.local&dquot; file as follows:

	The following tip is a personal idea I like for both Redhat and Slackware.  
	By default, when you login to a Linux box, it tells you the Linux 
    distribution name, version, kernel version, and the name of the server
    (/etc/issue is shown by getty before the console login prompt and
    /etc/iss

    ue.net by telnetd; sshd only shows issue.net if its &dquot;Banner&dquot;
    option points at it).  Even worse, Mandrake puts up a very stupid looking
    Penguin.  

	To me, this is giving away too much info: the distribution and kernel
    version tell an attacker exactly which exploits to try.  I would rather
    just prompt users with a &dquot;Login: &dquot; prompt (if they ever get that far
    past your packet firewall and TCP wrappers).


	To fix this, do the following:

	  Place &dquot;&num;&dquot;s in front of the following lines like shown:

	  NOTE:  This looks a little different with Mandrake:		


/etc/rc.d/rc.local
<code>
&num;&num; This will overwrite /etc/issue at every boot.  So, make any changes you
&num;&num; want to make to /etc/issue here or you will lose them when you reboot.
&num;echo &dquot;&dquot; &gt; /etc/issue
&num;echo &dquot;Red Hat Linux &dollar;R&dquot; &gt;&gt; /etc/issue
&num;echo &dquot;Kernel &dollar;(uname -r) on &dollar;a &dollar;(uname -m)&dquot; &gt;&gt; /etc/issue
&num;
&num;cp -f /etc/issue /etc/issue.net
</code>

		Then, do the following:

<code>
rm -f /etc/issue
rm -f /etc/issue.net
touch /etc/issue
touch /etc/issue.net
chmod 400 /etc/issue  
chmod 400 /etc/issue.net
</code>
	Also, if your Linux box stays up for several months, any kernel messages, errors, 
	firewall hits, etc will OVERWRITE the output from &dquot;dmesg&dquot; (the kernel's
	message buffer is a fixed-size ring).  Personally, I *HATE* this
	but my work-around is to make a &dquot;dmesg&dquot; copy upon every boot.  Append the
	following to the bottom of your /etc/rc.d/rc.local file (the /etc/info
	directory was created back in the SUID section):

/etc/rc.d/rc.local
<code>
&num; keep the boot-time kernel messages from every boot, newest last
echo &dquot;---- boot `date` ----&dquot; &gt;&gt; /etc/info/dmesg
dmesg &gt;&gt; /etc/info/dmesg
</code>


* Next, the following tip is a great way of seeing your various logs on your
  Linux box without having to login, etc.  Some people might feel that
  this is a security risk but the risk stems from physical security.

	Edit the following file and FIND each line for, say syslog or messages,
	and add in the respective line:

		/etc/syslog.conf
<code>
*.warn;*.err                                    /dev/tty7
mail.*                                          /dev/tty8
kern.*                                          /dev/tty8
</code>

	To make these changes take effect, run the following line:

<itemize>
	<item>Redhat:		killall -HUP syslogd
	<item>Slackware: 	kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print &dollar;2}'`
</itemize>

	Now, whenever anything is added to those log files, just go to the ALT-F7 or F8
	VTY and see the messages roll by in real-time.
	


* Like the real-time log monitor above, it's nice to be able to see errors
  in real time whenever you suspect problems via a TELNET, SSH, etc.  To do 
  this, create the file with the following:


Slackware:
			
/root/logit
<code>
--
&num;!/bin/sh
tail -f /var/adm/samba/log.nmb &amp;
tail -f /var/adm/samba/log.smb &amp;
tail -f /var/adm/xferlog &amp;
tail -f /var/adm/maillog &amp;
tail -f /var/adm/secure &amp;
tail -f /var/adm/syslog &amp;
tail -f /var/adm/messages &amp;
--
</code>

Redhat:

/root/logit
<code>
--
&num;!/bin/sh
tail -f /var/log/samba/log.nmb &amp;
tail -f /var/log/samba/log.smb &amp;
tail -f /var/log/xferlog &amp;
tail -f /var/log/maillog &amp;
tail -f /var/log/secure &amp;
tail -f /var/log/syslog &amp;
tail -f /var/log/messages &amp;
--
</code>

Now, fix the permissions for it:

<code>
chmod 700 /root/logit
</code>

	  Now, whenever you are suspecting problems with ANYTHING on your Linux box, 
	  just run &dquot;/root/logit&dquot; and watch the error logs go by in real-time. 

	  A few tips:  
			- type in &dquot;clear&dquot; at the UNIX prompt now and then to clean the 
			  screen up for readibility sake.  

			- When logs are scrolling by but you are looking for something
			  that should show up in a few seconds, hit ENTER a few times
			  to move up the old log info a few lines.

		When you are done with &dquot;logit&dquot;, run the command &dquot;killall tail&dquot; to stop all 
		the logging.  Note that this kills EVERY tail process on the box,
		including ones other users are running.

<sect1>A more readable BASH prompt 
<p>

	Being a command line junky, I use the CLI (command line interface) most of the time.  
	To make things a little easier on the eye, I recommend that you make the BASH prompt
	a little more easy on the eye.  All NON-root users will get a &dquot;green&dquot; colored prompt
	but ROOT users will get a &dquot;red&dquot; colored prompt.


	You can do this one of two ways.  Have it setup on a PER USER basis or for ALL users.


	For this example, let's do it just for the ROOT user.

		1. Copy the main bash profile to the root user's home directory:

<code>
			cp /etc/bashrc /root/.bashrc
</code>

				NOTE:  Why .bashrc and not .profile?  bash reads ~/.bashrc for
					 every interactive shell (Redhat's stock ~/.bash_profile
					 sources it for login shells too), and it is read after
					 /etc/profile, so a PS1 set there wins.


		2. Edit it and find the line for the &dquot;PS1&dquot; variable and REPLACE it with the 
		   following.   This will make the prompt be a bright green (easy on the eyes) 
		   color for NON-root users and red for ROOT users.  It will also show the 
		   machine name and a condensed directory prompt, and the &dquot;\&dollar;&dquot; at the
		   end turns into a &dquot;&num;&dquot; when you are root:

<code>
			if &lsqb; `id -un` = root &rsqb;; then
			    PS1='\&lsqb;\033&lsqb;1;31m\&rsqb;\h:\w\&dollar;\&lsqb;\033&lsqb;0m\&rsqb; '
			else
			    PS1='\&lsqb;\033&lsqb;1;32m\&rsqb;\h:\w\&dollar;\&lsqb;\033&lsqb;0m\&rsqb; '
			fi
</code>

		3. Save the .bashrc, login as the root user or run &dquot;su -&dquot; and then you should
		   have the new prompt.  For more good Bash ideas, check out the BASH howto
		   from <ref id="sect-5" name="Section 5">.


	If you wanted to do it for ALL users, do the above changed to the /etc/bashrc file.

<sect1>Some security tips for BASH 
<p>

As you execute commands in bash, they are recorded in the command history
and written to ~/.bash_history when you log out.  That is handy during the
session, but you might accidentally type a password on a command line (say,
as an argument to some client program), and it then sits in a file on disk
for anyone who later gets at your home directory.  To keep the history in
memory for the session only and never write it out, add the following as
the LAST lines in your /etc/profile:

<code>
	/etc/profile
	--&lt;begin&gt;
	# History stays in memory for this login only; with HISTFILE unset,
	# bash never writes ~/.bash_history on exit.
	unset HISTFILE
	--&lt;end&gt;
</code>

	NOTE:  A commonly suggested alternative is an EXIT trap such as
	       &dquot;trap 'rm -f ~&dollar;LOGNAME/.bash_history' 0&dquot;.  That does not do
	       what you want: bash runs the EXIT trap BEFORE it writes the history
	       file, so the trap deletes the previous session's file and the
	       current session's commands are saved anyway.

	Two caveats: /etc/profile is only read by login shells, and a user's own
	~/.bashrc can set HISTFILE again.  If you would rather keep a history file
	but keep individual commands out of it, set &dquot;HISTCONTROL=ignorespace&dquot;
	and start any command you don't want recorded with a space.


<sect1>Make the apropos database 
<p>
One powerful command in UNIX is the &dquot;apropos&dquot; or &dquot;man -k&dquot; command.  This will let
you do command searches on generic words like &dquot;modem&dquot;, etc.  BUT, when you first
install Linux, this database isn't complete.  It is usually run as a weekly cron
job but I recommend to start it now:

<code>
	makewhatis -w &amp;
</code>

NOTE: This command will take a while depending on HD and CPU speed.


If you get ERRORs on the &dquot;makewhatis&dquot; command as I did in Mandrake 6.1, here is 
how to fix them.  I received the following errors (bugs in the 
distribution - already reported as Bug &num;ier206).  Running this command in Mandrake 7.0
completes without error.

<code>
--
bzcat: Can't open input file ./fetchmailconf.1.bz2: No such file or directory.
bzcat: ./ksh.1.bz2 is not a bzip2 file.
bzcat: Can't open input file ./pdksh.1.bz2: No such file or directory.
Read file error: ./rec.1 No such file or directory
bzcat: ./tixwish.1.bz2 is not a bzip2 file.
bzcat: ./efence.3.bz2 is not a bzip2 file.
Read file error: ./stm.8 No such file or directory
Read file error: ./clockprobe.8 No such file or directory
--
</code>

line 1:  The /usr/man/man1/fetchmailconf.1.bz2 file is a symbolic link to 
		fetchmail.1.  This file doesn't exist since its compressed with bz2.
		To fix it, do:

<code>
			rm /usr/man/man1/fetchmailconf.1.bz2
			ln -s /usr/man/man1/fetchmail.1.bz2 /usr/man/man1/fetchmailconf.1.bz2
</code>

line 2:  The /usr/man/man1/ksh.1.bz2 file isn't really bz2'ed.
		To fix it, do:

<code>
			mv /usr/man/man1/ksh.1.bz2 /usr/man/man1/ksh.1
			bzip2 -z /usr/man/man1/ksh.1
</code>

line 3:  The /usr/man/man1/pdksh.1.bz2 file points to a non-bz2 file.  (sloppy).
		To fix it, do:

			Do the line-2 fix above
<code>
			rm /usr/man/man1/pdksh.1.bz2
			ln -s /usr/man/man1/ksh.1.bz2 /usr/man/man1/pdksh.1.bz2
</code>

line 4:  The /usr/man/man1/rec.1 file points to a bogus path 
		/var/tmp/sox-root//usr/man/man1/play.1  (sloppy).  To fix it, do:

<code>
			rm /usr/man/man1/rec.1
			ln -s /usr/man/man1/play.1.bz2 /usr/man/man1/rec.1.bz2
</code>

line 5:  The /usr/man/man1/tixwish.1.bz2 file is not a bz2 file.
		To fix it, do:

<code>
			mv /usr/man/man1/tixwish.1.bz2 /usr/man/man1/tixwish.1
			bzip2 -z /usr/man/man1/tixwish.1
</code>

line 6:  The /usr/man/man3/efence.3.bz2 file is not a valid man page
		To fix it, do:

<code>
			rm /usr/man/man3/efence.3.bz2
</code>

line 7:  The /usr/man/man8/stm.8 file points to a non existing file.
		To fix it, do:

<code>
			rm /usr/man/man8/stm.8
			ln -s /usr/man/man8/SVGATextMode.8.bz2 /usr/man/man8/stm.8.bz2
</code>

line 8:  The /usr/man/man8/clockprobe.8 file points to a non existing file.
		To fix it, do:

<code>
			rm /usr/man/man8/clockprobe.8
			ln -s /usr/man/man8/grabmode.8.bz2 /usr/man/man8/clockprobe.8.bz2
</code>


Once you have fixed these problems, re-run &dquot;makewhatis -w&dquot; and make sure it
completes cleanly.


<sect1>Sendlogs - Daily email of system logs with log reduction
<p>
** HIGHLY RECOMMENDED for ALL Administrators **
<p>
If you are like me, you would like to know if any strange things are happening 
to your system (processes failing, hacker attempts, etc.).  At the same 
time, you probably don't have the time to scan over all these logs every day
to see what is and isn't interesting.  This script pulls out yesterday's
entries, strips the routine noise, and counts the number of connections
blocked on specific ports (worms, viruses, etc.).  It also optionally 
monitors how many times your modem line came online (or failed due 
to busy signals, etc.) and reports what speeds it connected at in a nice 
summarized table.
<p>
To do this, follow these next steps (note:  this isn't the prettiest script 
I've written and it needs a LOT of cleaning but it should work for you).
<p>
*** Note:  
<itemize>
  <item>Other tools like Psionic LogCheck and Stanford's Swatch do similar
things but in a MUCH cleaner fashion.  As I get those solutions running, 
this script will be replaced.
</itemize>
<p>

<verb>
	ALL USERS:	The first time this script executes, you will receive
			some errors regarding:

				- todays-date and yesterdays-date

			You can safely ignore these errors!

	ALL USERS:	Save this file as "/usr/local/sbin/sendlogs" on both
			Redhat and Slackware.
</verb>


<p>

<verb>
	Note:	All users:	Substitute in your proper mail address so you
				will get your logs.

		Slackware users: Edit this file and change the /var/log
				references to /var/adm.

		Modem users:	Un-&num; the modem fields and make sure that the
				temp file swapping from &dollar;1.tmp to &dollar;2.tmp etc.
				transitions are correct.  I have this disabled
				because I'm a cable modem dude now but this
				worked well.
</verb>
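As an added example (not the sendlogs script itself, which follows below), here is the log-reduction core of what it does in a form that runs offline: pull one day's lines out of /var/log/messages, drop the FTP/PPP chatter and the -- MARK -- lines that sendlogs deletes with its sed chain, and tally packet-filter drops by destination port.  The log lines are constructed for the demonstration, and the firewall line format is an assumption (the 2.4 iptables LOG target, "kernel: ... PROTO=TCP ... DPT=445"); sendlogs' own firewall filter patterns are not shown here.

```shell
#!/bin/sh
# Added example (not part of sendlogs): the log-reduction core of what the
# script below does, in a form that runs offline.  Given one day's worth
# of /var/log/messages it drops the noise that sendlogs deletes with its
# chain of sed -e "/X/d" commands, then tallies packet-filter drops by
# destination port.  The log lines are constructed for this demo; the
# firewall line format assumed is the iptables LOG target's
# ("kernel: ... SRC=... PROTO=TCP ... DPT=445 ...").

# day_lines DAY FILE -> lines stamped with DAY, given in syslog's "%b %e"
# form ("Mar  6"), which is what sendlogs keeps in /var/log/yesterdays-date
day_lines() { grep "^$1 " "$2" || true; }

# reduce: stdin -> stdout minus the FTP/PPP chatter sendlogs filters out,
# plus syslogd's -- MARK -- heartbeat lines
reduce() {
    grep -v -E 'PWD|PASV|TYPE|PORT|NLST|SYST|PASS|QUIT|LIST|CDUP|ATDT|Welcome|-- MARK --' || true
}

# blocked_ports: stdin -> "count port/proto" lines, most-hit port first
blocked_ports() {
    awk '/kernel:/ && /DPT=/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (dpt != "") hits[dpt "/" proto]++
        }
        END { for (k in hits) print hits[k], k }' | sort -rn
}

# summarize DAY FILE -> the reduced log for that day and the port table
summarize() {
    red=$(mktemp)
    day_lines "$1" "$2" | reduce > "$red"
    echo "== $1: $(wc -l < "$red") lines after reduction =="
    cat "$red"
    echo "== packet-filter drops by destination port =="
    blocked_ports < "$red"
    rm -f "$red"
}

# Constructed messages spanning three days (100.200.0.212 is the EXTIP the
# script uses).  Note the FTP "PORT" line and the MARKs that reduce() drops.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  5 23:59:01 roadrunner -- MARK --
Mar  6 00:02:11 roadrunner kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=100.200.0.212 LEN=48 PROTO=TCP SPT=3412 DPT=445 SYN
Mar  6 00:02:13 roadrunner kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=100.200.0.212 LEN=48 PROTO=TCP SPT=3413 DPT=445 SYN
Mar  6 00:10:00 roadrunner ftpd[201]: PORT command from 192.168.1.5
Mar  6 00:10:01 roadrunner ftpd[201]: RETR /pub/README
Mar  6 00:20:00 roadrunner -- MARK --
Mar  6 01:15:42 roadrunner kernel: IN=eth0 OUT= SRC=10.1.1.1 DST=100.200.0.212 LEN=404 PROTO=UDP SPT=1434 DPT=1434
Mar  6 02:00:00 roadrunner kernel: IN=eth0 OUT= SRC=10.4.4.4 DST=100.200.0.212 LEN=48 PROTO=TCP SPT=60000 DPT=445 SYN
Mar  6 03:30:05 roadrunner sshd[333]: Accepted publickey for bob from 192.168.1.5
Mar  7 00:00:01 roadrunner -- MARK --
EOF

summarize 'Mar  6' "$LOG"
```

In a nightly job the DAY argument is `cat /var/log/yesterdays-date` and FILE is /var/log/messages; the port table is what makes a new worm stand out (a port that was never hit suddenly leading the list), which no amount of reading raw lines does.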
			


------------------------------------------------------------------------------
<p>
All of TrinityOS's step-by-step instructions, files, and scripts are fully 
scripted out for an automatic	installation at:

<url url="http://www.ecst.csuchico.edu/&tilde;dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz">
-----------------------------------------------------------------------------


/usr/local/sbin/sendlogs
&lt;Sendlogs START&gt;
<code>
#!/bin/sh

# TrinityOS-sendlogs.sh

# 03/06/04
#
# Part of the copyrighted and trademarked TrinityOS document.
# <"http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates:
#
# 03/06/04 - Added counts for SQL
# 02/12/04 - Added counts for MyDoom trojans
# 01/12/04 - Added Samba counts to the DMZ segment
# 11/15/03 - Fixed a typo of > vs. >> for the cups and http filter
# 11/09/03 - added a count of port 631 hits (CUPS)
# 10/28/03 - Changed mirror DD drive to sdc
# 10/23/03 - Adding a logger debug command
# 09/26/03 - Added a count of port 80 hits (www)
# 09/23/03 - removed all port 80 hits
# 01/30/03 - Added MP3 archive change log
# 06/28/02 - Added Seti stats
# 12/13/01 - Added a calculated total runtime to the end of the script
# 11/13/01 - filter those damn run-parts messages
# 08/28/01 - Log the status of the script for debuging hangs
# 07/14/01 - delete all the Jeff R denied update messages
# 01/07/01 - This script is now parsed directly from the SGML code and
#            because of this, several formatting issues were fixed.
#          - Made the output a little more pretty
#          - #ed out some diagnostic file information
#          - added an lsof log entry
#          - cleaned up the error reports in the SUID and RCMD searches
#
# 12/26/00 - Added --MARK-- Filtering
#
# 10/28/00 - Added an optional and #ed out section on DDing one HD to
#            another.  This is a simple but VERY effective online backup 
#            though it is only done once a night.  If you have a spare HD
#            in your system, this is the next best thing to setting up 
#            RAID1.  Personally, I just recommend to setup RAID1!  :)
#
# 10/08/00 - Deleted the removal of the SUID and RCMD new result files
#
# 09/16/00 - Added a full RPM database verification setup
#
# 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to
#            reflect the name of your Linux system.  You should edit this
#            to reflect your system.
#
# 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09.
#            Basically, I need to reverve the change on 01/17/00.
#
# 02/21/00 - Doh!  We do need the spaces between %b and %d
#
# 01/17/00 - Fixed all the "date" issues.  Date now uses %d over %e and
#            doesn't use any spaces.
#
# 01/01/00 - Fixed a missing ">" on line 139
#
# 12/16/99 - Fixed the RCMD mailer command at the end.  The "mail -s" line
#            needed to be ONE line
#
# 11/26/99 - Cleaned things up a bit
#          - Made all file references absolute
#
# 02/01/99 - Added "w" to the vitals output

logger "Sendlogs starting: `date`"

# Change this variable to reflect the HOSTNAME of this box
# --------------------------------------------------------
HOST="roadrunner"
EXTIP="100.200.0.212"

export COLUMNS=132

echo "Sendlogs start: `date`" > /var/log/sendlogs.status
START=`date +%s`


#Roll the date stamp over: yesterday's stamp becomes "yesterdays-date".
#If there is no "todays-date" file yet (first run), seed "yesterdays-date"
#with the current date so the grep below has something to match on.
#
if [ -f /var/log/todays-date ]; then
     mv /var/log/todays-date /var/log/yesterdays-date
  else
     date +'%b %e' > /var/log/yesterdays-date
fi


#Make sure that the "/etc/info/logs" directory exists.  If not, create it
#(mkdir -p creates /etc/info as well when it is missing).
#
if [ ! -d /etc/info/logs ]; then
     mkdir -p /etc/info/logs
fi


date +'%b %e' > /var/log/todays-date

echo "   Start messages: `date`" >> /var/log/sendlogs.status
#Keep only the lines stamped with yesterday's date.  The match is anchored to
#the start of the line so a date mentioned inside a message body is not picked
#up (the "%b %e" stamp contains no regex metacharacters, so plain grep is safe).
grep "^`cat /var/log/yesterdays-date`" /var/log/messages > /var/log/messlog.`date +'%b%d%y'`
export f1=/var/log/messlog.`date +'%b%d%y'`
export f2=/var/log/testfile
#echo "File 1: $f1"
#echo "File 2: $f2"
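#Added example (NOT part of the original sendlogs script): two small helpers
#that show how the date-stamp matching above behaves.  Syslog writes the day
#space-padded ("Nov  9"), which is why the script uses %e rather than %d (see
#the 04/09/00 note in the change log).  yesterday_lines() does a fixed-string
#prefix match, so a date quoted inside a message body is not treated as a
#match and the stamp is never interpreted as a regex.  The sample log lines in
#sendlogs_example() are constructed for illustration; the hostname and the
#192.0.2.10 address are placeholders.
#
# Usage: syslog_datekey Nov 9   ->  "Nov  9"   (day space-padded to width 2)
syslog_datekey() {
    printf '%s %2d' "$1" "$2"
}

# Usage: yesterday_lines "Nov  9" < logfile
# Prints only the lines whose first characters equal the date key.
yesterday_lines() {
    awk -v key="$1" 'substr($0, 1, length(key)) == key'
}

# Constructed sample: four syslog lines, the last of which mentions "Nov  9"
# in its message text although it is a Nov 10 entry.  An unanchored
# grep "Nov  9" would return 3 lines; the anchored match returns 2.
sendlogs_example() {
    printf '%s\n' \
        "Nov  9 03:15:01 examplehost sshd[1201]: Accepted publickey for user1 from 192.0.2.10" \
        "Nov  9 23:59:58 examplehost kernel: eth0: link up" \
        "Nov 10 00:00:05 examplehost cron[77]: (root) CMD (/usr/local/sbin/sendlogs)" \
        "Nov 10 00:00:06 examplehost sendlogs: report for Nov  9 mailed" \
    | yesterday_lines "$(syslog_datekey Nov 9)" | wc -l | tr -d ' '
}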

#For messages - FTP and PPP stuff
#
#NOTE: the "/Failed/d" and "/(passwd=guest)/d" expressions below also drop
#failed-login and anonymous-FTP lines from the report; review these filters
#before reusing the script so authentication failures are not silently hidden.
#
sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp
sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp
sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d"  $f2.tmp > $f1.tmp
sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp
sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp

#For messages - modem specific stuff
#
#sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&amp;F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp
#sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tmp > $f1.tmp
#sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
#sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp
#sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" -e "/abort on/d" $f1.tmp > $f2.tmp
#sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp

#For messages - modem dialout specific stuff
# 
#echo -e "---------------------------------------" > /var/log/header.tmp
#echo -e "$HOST Call stats for \c" >> /var/log/header.tmp
#date >> /var/log/header.tmp
#echo -e "                                       " >> /var/log/header.tmp
#echo -e "Total number of 