TrinityOS: A Guide to Configuring Your Linux Server for Performance, Security, and Manageability

David A. Ranch
dranch at trinnet dot net

May 22, 2005

TrinityOS and its associated archive scripts guide the Linux user in a step-by-step fashion, using a common example throughout, to configure over 50 Internet services. The main focus of TrinityOS is to do this in a secure fashion while keeping both performance and manageability in mind. The documents also guide the user in other advanced topics such as acquiring their own Internet domain(s), moving DNS servers, confirming if you've been hacked, fighting SPAM email, and fixing various Linux file system, partition, LILO, and data recovery problems.

______________________________________________________________________

Table of Contents

1. Copyright Notice

2. Introduction

3. Feature Sets
   3.1 Current Features:
      3.1.1 Master References and Recommended Guidelines
      3.1.2 Linux Distribution Thoughts:
      3.1.3 Core OS setup:
      3.1.4 Network Connectivity:
      3.1.5 Security:
      3.1.6 System backup:
      3.1.7 More extensive guides:
   3.2 Future Features:
      3.2.1 * TrinityOS TO-DOs:
      3.2.2 * Network stuff
      3.2.3 * Security Stuff
      3.2.4 * Application stuff
      3.2.5 * Administration stuff
      3.2.6 * System Stuff

4. Hardware Configuration
   4.1 - Distribution:
   4.2 - Kernel
   4.3 Hardware Used:

5. Software URL download map and checklist
   5.1 Master site for all Internet RFCs:
   5.2 The Master IANA site
   5.3 Master site for all known Internet Trojan ports
   5.4 Distribution Sites and Update MIRRORS:
      5.4.1 Mandrake Updates:
      5.4.2 Redhat Updates:
   5.5 Newest stable kernel
      5.5.1 2.6.x
      5.5.2 2.4.x
      5.5.3 2.2.x
      5.5.4 2.0.x
   5.6 IP NAT, MASQ, Load Balancing, and High Availability tools
      5.6.1 MASQ E-mail list : By far the BEST way to get MASQ-help (very helpful!!)
      5.6.2 Linux IP Masq
         5.6.2.1 2.4.x kernels
         5.6.2.2 2.2.x kernels
         5.6.2.3 2.0.x kernels
   5.7 PPP - v2.4.3 (not needed for most cable modem users)
   5.8 ML/PPP
   5.9 PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users
   5.10 Diald v1.00 (not needed for cable modem users)
   5.11 Bind / Named current: 9.3.1 and 8.4.6
   5.12 Vlock (stock in Redhat if installed)
   5.13 Network Sniffers
      5.13.1 - TCPDUMP (stock in Redhat if installed) - Excellent network packet sniffer
      5.13.2 - IPtraf - Excellent high level network protocol watcher
      5.13.3 - Ethereal - An excellent GUI decoder
   5.14 Sendmail current: v8.13.4, v8.12.11, and v8.11.7
   5.15 POPAuth
   5.16 Virtual Email domains
   5.17 DHCP Server - DHCPd v3.0.2
   5.18 DHCP Client
   5.19 WU-FTP v2.6.2 - with multiple patches
   5.20 NetWatch
   5.21 Getdate (NTP) - v1.2 (Was SETTIME)
   5.22 NTP Clock Sources
   5.23 Tape Back up:
   5.24 Mozilla v1.7.8 (Netscape is dead)
   5.25 SSH
   5.26 MDADM and Raidtools
   5.27 Samba current: 3.0.14a (stock in most distros if installed)
   5.28 PCMCIA Services - 3.2.8
   5.29 UPS software - APCUPSd and Powerchute
   5.30 Apache WWW server - 2.0.54 and 1.3.33
   5.31 File Integrity testing/Monitoring
      5.31.1 TripWire:
      5.31.2 Aide:
      5.31.3 ViperDB:
   5.32 RPM update tools:
      5.32.1 AutoRPM current version: 1.9.8.1
      5.32.2 The Perl module "Libbet"
      5.32.3 RPM Watch current version: 1.1
      5.32.4 RPMLevel (from the author of RPMWatch)
   5.33 Mkisofs
   5.34 Compression tools
   5.35 Bash HOWTO
   5.36 Dial-In Server HOWTO
   5.37 SWAN / IPSEC VPN
   5.38 PPTP VPNs and client software
   5.39 PGP Email Encryption
   5.40 Serial consoles and Remote TELNET
   5.41 IP logger
   5.42 Hardware Performance Tuning:
   5.43 Security Documentation, Tools, and Resources
      5.43.1 Various Security Mailing lists and documentation
      5.43.2 The Linux Security HOWTO
      5.43.3 Logging tools:
      5.43.4 - Nmap - v3.81 :
      5.43.5 - Nessus - 2.24 :
      5.43.6 - COPS (old)
      5.43.7 - Saint (new version of Satan)
      5.43.8 - SATAN (Old)
      5.43.9 - Solar buffer-overflow fixer
      5.43.10 - Kurt Seifried's Linux Administrators Security Guide (LASG)
      5.43.11 - Ofir Arkin's paper on ICMP protocol fingerprinting
      5.43.12 - Other URLs:
      5.43.13 - Abacus Security Initiative
      5.43.14 - Intrusion Detection Systems (IDS) Tools SHADOW (SANS)
      5.43.15 - Network Flight Recorder
   5.44 WWW proxy (Apache or Squid)
   5.45 WWW Ad banner filtering
   5.46 Zip drive
   5.47 Linux Applications:
   5.48 Linux Games:
   5.49 Linux Instant Messenger clients:

6. Thoughts on Picking a Linux Distribution
   6.1 - Installing a Linux distribution
   6.2 Redhat: http://www.redhat.com
   6.3 Mandrake: http://www.linux-mandrake.com
   6.4 SuSE: http://www.suse.com
   6.5 Debian: http://www.debian.org
   6.6 Gentoo: http://www.gentoo.org/
   6.7 Slackware: http://www.slackware.com
   6.8 Caldera: http://www.calderasystems.com/
   6.9 Other Distributions

7. Installing a distribution, patching it, and doing a Search/Replace on TrinityOS
   7.1 Upgrading/Updating your Linux distribution:
      7.1.1 Redhat users:
   7.2 TrinityOS diagrams and Search and Replace Keys
   7.3 ## Fixing Redhat, Mandrake, etc. (bugs) that are right out of the BOX! (ouch!): ##
      7.3.1 - Fix all cron permissions (some fixed in RH6.x)
      7.3.2 - Let Minicom and "ls" run in Color:
      7.3.3 - Let ColorGCC always run to make compiling a little more obvious
      7.3.4 Fix the timezone
      7.3.5 - Change the default UMASK (default file/directory create)
      7.3.6 - Fix compressed FTP downloads (still broken in RH6.1)
      7.3.7 - Fix the permissions on the /etc/rc.d/init.d script files!!!

8. Initial System security
   8.1 BIOS/CMOS Settings
      8.1.1 + Enable the BIOS password
      8.1.2 + DISABLE booting from the floppy drive
   8.2 Linux root Password
   8.3 Enable the "sticky" bit in /tmp
   8.4 - Disable the Control-Alt-Delete keyboard shutdown command
   8.5 - Disable the ability to run INIT in interactive mode
   8.6 - Compile / install vlock (available in most modern distributions).
   8.7 - Change what system daemons get loaded by editing the following files in "/etc/rc.d/"
      8.7.1 Redhat:
      8.7.2 Slackware:
      8.7.3 Securing your machine by limiting what daemons load:
   8.8 Shutting down most of inetd / xinetd
   8.9 TCP wrapper security
   8.10 FTP Anonymous users
   8.11 Shadow Passwords
      8.11.1 Slackware 3.x
      8.11.2 Redhat
   8.12 Disable ROOT TELNET/SSH access
   8.13 Disable ROOT FTP access
   8.14 Disable miscellaneous cron stuff
      8.14.1 Redhat users:
      8.14.2 Slackware Users:
   8.15 File Permission corrections
   8.16 SUID ROOT PROGRAMS
   8.17 Looking for R-command files
   8.18 Fix Xwindows permissions

9. Advanced System Logging and some Cool Tips
   9.1 SYSLOG tuning
      9.1.1 Redhat:
      9.1.2 Slackware:
   9.2 Log Rotations
   9.3 Cool rc.local tips and LOGIT for logging troubleshooting
   9.4 A more readable BASH prompt
   9.5 Some security tips for BASH
   9.6 Make the apropos database
   9.7 Sendlogs - Daily email of system logs with log reduction
      9.7.1 Creating an off-line firewall hit log
      9.7.2 Thoughts on various log entries you will see and what to do

10. Advanced firewall rule sets including IP Masquerade for single and multi-NIC setups
   10.1 What is a packet firewall
   10.2 How a packet firewall works
   10.3 How IP Masquerade (IP MASQ) works:
   10.4 Differences between Packet and Stateful Firewalls
   10.5 Debugging / Monitoring your firewall with examples
   10.6 Simple IPCHAINS / IPFWADM rule set for initial IPMASQ testing
   10.7 Strong TrinityOS IPCHAINS firewall rule set
   10.8 The /etc/rc.d/init.d script to load the IPCHAINS rule set upon boot
   10.9 An older TrinityOS rc.firewall rule set for 2.0.x kernels (LEGACY)
   10.10 An older TrinityOS rc.firewall rule set for 2.0.x kernels not running IPMASQ (LEGACY)
   10.11 Tips on editing the rc.firewall to support specific access
   10.12 Testing your firewall rulesets
   10.13 Remotely running the firewall-confirm file

11. Initial Preparation for Kernel Patching and Compiling

12. Initial Linux Kernel compiling
   12.1 Configuring a kernel
   12.2 Tricks: Upgrading an existing kernel to a newer one
   12.3 A 2.2.16 kernel config
   12.4 A 2.0.38 kernel config w/ IPPORTFW and LooseUDP patches

13. Compile PPPd

14. Final Linux Kernel compiling and installation
   14.1 Manually compiling the kernel
   14.2 Automating kernel compiling via the "build-it" script

15. Lilo configuration and installation

16. Additional RC script configuration and TCP/IP network optimization
   16.1 Serial Port Optimizations:
   16.2 Network Optimization:
      16.2.1 Ethernet NIC
      16.2.2 TCP/IP Stack specific:

17. Patching, Compiling, and installing IPFWADM

18. Mail aliases for system administration

19. Preparing for reboot and clearing the logs

20. Verifying MASQ module installation

21. Install TCPDUMP

22. PPPd configuration [For both PRIMARY and BACKUP PPP connections]
   22.1 Thoughts on PPP and its Dial-on-Demand feature
   22.2 Primary PPP users using Strong Firewalls:
   22.3 FAQ: PPP issues and troubleshooting

23. Diald [For Modem users only]

24. DNS: Acquiring and configuring CHROOTed and SPLIT master/slave DNS servers
   24.1 Protecting your Internet Domain Name when Making Changes
   24.2 BIND version 9 vs 8 vs 4 and Figuring out what version you have:
   24.3 Security Warnings about previous versions of BIND
   24.4 Downloading and compiling BIND
   24.5 Creating the CHROOTed environments
   24.6 Creating the internal named.conf configuration file
   24.7 Creating the internal zone files
   24.8 Creating the external named.conf configuration file
   24.9 Creating the external zone files
   24.10 Fixing final CHROOTed permissions and ownerships
   24.11 Tuning How NAMED loads the SPLIT zone file configuration
   24.12 Fixing SYSLOGing to understand the new CHROOTed setup
   24.13 Starting up and testing BIND
   24.14 Possible Bind errors upon load
   24.15 Enabling Bind to load upon future boots
   24.16 Changes for Bind9
   24.17 Supporting more than one Internet Domain name on this DNS server
   24.18 Setting up Secondary (BACKUP) DNS servers
   24.19 Gotchas with Master DNS servers being down for long periods of time
   24.20 Secondary DNS Design considerations
   24.21 Automating the maintenance of the root-hints.db file
   24.22 How to acquire an Internet Domain Name

25. SMTP MAIL: Sendmail configuration w/ domain masquerading & spam filters
   25.1 Determining what version of Sendmail you are running
   25.2 Notes about changes in Sendmail over various versions of Sendmail
   25.3 Downloading and either compiling or installing Sendmail from binaries
   25.4 Final install clean-up
   25.5 Configuring Sendmail to support your single or multiple Domain name(s)
   25.6 Configuring the Sendmail .mc files via m4 or by hand
      25.6.1 .mc Configs for Sendmail 8.11.x
      25.6.2 Old .mc Configs for Sendmail 8.9.x
   25.7 Email Alias and Relay configuration
   25.8 Configuring DNS MX records
   25.9 Some Possible Sendmail Startup Troubleshooting
   25.10 Tuning Sendmail for security
   25.11 Running Sendmail as a daemon or as a cron job
   25.12 Testing your Sendmail setup
   25.13 More troubleshooting help
   25.14 Being a Backup SMTP email server (Backup MX) for other Internet domains

26. NTP Time calibration
   26.1 - The Getdate way:
   26.2 - The xntp way:

27. DHCPd SERVER configuration
   27.1 The Differences between DHCP and BOOTP
   27.2 Configuring DHCP support on various Linux Distributions:
   27.3 Determining MAC addresses for static DHCP scopes
   27.4 Creating the /etc/dhcpd/conf file
   27.5 Starting up DHCP
   27.6 Using DHCP Relay for LANs separated by routers

28. POP3 and IMAP4 e-mail services

29. System Backups: Backing up data to HDs, Tape, and floppies
   29.1 STATE backups to floppies
   29.2 FULL Backups: local and remote backups using a Hard Drive
   29.3 Full backups using a Tape drive:
   29.4 Using a CD-R or CD-R/W drive

30. SSH Terminal, FTP, X-windows, and tunnel encryption
   30.1 What is SSH and the differences between SSH protocol v1 and v2
   30.2 Running OpenSSH vs. SSH.com code
   30.3 OpenSSH: Thoughts, Issues, and Features
   30.4 Compiling OpenSSH:
   30.5 Compiling up SSH.com's SSH
   30.6 Configuring OpenSSH or SSH.com to load the server daemon upon reboot with startup scripts
   30.7 Configuring the Unix services
      30.7.1 Configuring OpenSSH:
   30.8 Configuring SSH.com SSH:
   30.9 Configuring BASH aliases for proper SSH operation through firewalls
   30.10 Starting the SSH server:
   30.11 SSH Problems? Here are a few possible solutions
   30.12 SSH Port Forwarding

31. Software RAID 0 (striping) Hard drives

32. SCSI CD-ROM Changers: Installing and Setup

33. Samba installation and configuration
   33.1 Determining what version of Samba you might have now
   33.2 Downloading and compiling Samba
      33.2.1 Specific Compiling issues:
   33.3 Configuring the smb.conf file
   33.4 Testing your smb.conf file
   33.5 Loading Samba for the first time
   33.6 Creating the smbpasswd file
   33.7 Specific Windows issues with Samba
   33.8 Samba printing
   33.9 Having smbd load upon Linux reboot
   33.10 Listing and Mounting remote SMB shares locally on your Linux machine

34. PCMCIA services installation and configuration
   34.1 Compiling the PCMCIA tools
   34.2 Editing the PCMCIA configuration files

35. DHCPcd : Client DHCP for xDSL / Cablemodem users

36. UPS: Complete UPS Backup & Graphing support for APC UPSes
   36.1 The state of the software
   36.2 Installing and Using APC's Powerchute
   36.3 Installing APCUPSd
   36.4 Configuring APCUPSd for logging and paging
   36.5 Testing your new UPS setup
   36.6 Graphing the UPS stats results each day

37. Apache WWW Server

38. Tripwire file monitoring [Not finished yet]

39. Backing up the new Linux system to a CD-R

40. NFS (Network File System) File sharing
   40.1 NFS Security:
   40.2 Note about Linux NFS performance:

41. EXT2 File system tuning

42. Dial-in terminal / PPP access via a modem
   42.1 For PPP connectivity:
   42.2 Dialing in with answering machines:

43. Automated RPM notifiers
   43.1 AutoRPM (the preferred solution):
   43.2 rpmwatch

44. Nmap port scanner

45. So you think you are being hacked: Confirm it!

46. UNIX and Samba Printing

47. IPSec (SWAN) Virtual Private Network (VPN) [Almost complete]
   47.1 Bugs and Gotchas:
      47.1.1 Newest fixes and patches:
      47.1.2 Private addressing:
      47.1.3 DHCP
      47.1.4 Automatic SWAN startup
      47.1.5 Running SWAN through an IPFWADM/IPCHAINS/other firewall:

48. PPTP support as a Linux client or PPTP through a MASQ server
   48.1 Kernel source tree
   48.2 Install PPTP related software
      48.2.1 Confirm that your kernel is PPTP compatible
      48.2.2 Install ppp-mppe
      48.2.3 Install pptpclient
   48.3 Create the various PPP/PPTP configuration files
      48.3.1 Create the PPP peer file
      48.3.2 Create the chap-secrets file
      48.3.3 Create the resolv.conf file
   48.4 Running PPTP for the first time
      48.4.1 Load the PPP/PPTP kernel modules
      48.4.2 Start up the PPTP VPN
      48.4.3 Stop the PPTP tunnel
      48.4.4 Cleaning up
   48.5 Running PPTP behind a Linux IPMASQ NAT or Strong firewall server
   48.6 Troubleshooting your PPTP connection
      48.6.1 PPTP through an IPMASQ server

49. IDE HDs performance optimization via hdparm

50. SPAM: Dealing with it and helping others stop it
   50.1 SPAM:
   50.2 Web Crawlers:

51. FS Recovery: How to fix LILO and file system problems

52. Gracefully transitioning Internet domains through an IP address or ISP change

53. Setting up Linux as a good desktop operating system

54. Thoughts about the needs and procedures for Patching your Linux distribution

55. Serial Linux Consoles and Reverse TELNET
   55.1 Lilo and Daemon Boot Logs via a Serial Port
   55.2 Reverse TELNET terminal services

56. Common Observations, Q&A, etc

57. ChangeLOG

______________________________________________________________________

1. Copyright Notice

TrinityOS(TM)(c) Written, Maintained, Trademarked, and Copyrighted by David A. Ranch (dranch at trinnet dot net)

Sorry for all the legal stuff... I've already had one company try to take the name TrinityOS from me (thus the trademark - Reg. Numbers 2440502 and 2525874).
I also have had one LDP Guide author ("Securing and Optimizing Linux Red Hat Edition - A Hands on Guide") rip off a large portion of TrinityOS's content without even referencing me or TrinityOS as a source. Unfortunately, this author simply rewrote / rephrased the sections of it to avoid any direct copyright issue though the content is the same. So, with all this bad luck, I had to start covering my butt from the many lowlifes in the world.

Anyway, if you would like to use some of the content from TrinityOS in your project, you NEED to contact me first for permission. I'm an easy going guy so it won't be a big deal. Please just don't use my stuff first and ask second. That's pretty silly.

2. Introduction

TrinityOS is a complete Linux server configuration, maintenance, and security guide for the Linux novice and guru alike! Though there are a LOT of features covered in TrinityOS, you don't have to implement all of them. All I can say is, if you are going to connect your Linux box to the Internet, at least INSTALL the packet firewall!!

This document is tailored as a step-by-step, example driven document, instead of a detailed explanation doc on each Linux feature. It doesn't go into many debugging aspects since the Linux Documentation Project's (LDP) HOWTOs already cover this. The TrinityOS document is intended for a technical audience but hopefully everything is laid out well enough that a new user should be able to follow along without too much trouble!

All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:

* For the curious, the name TrinityOS and my company, Trinity Designs, are NOT derived from anything religious (the holy Trinity). The name "Trinity Designs" came from the Trinity Alps in Northern California and "TrinityOS" came from the name of the first atomic bomb testing site in White Sands, New Mexico.

Like any UNIX document, it must be updated constantly to remain relevant.
I will do my best to maintain this document but all comments, ideas, etc. are appreciated to keep TrinityOS valuable!

This guide was initially based on the Slackware v3.2 distribution but due to a disk crash, I then installed Redhat 5.0 to try it out. From that point on, I have tried to make the TrinityOS doc reflect other distributions as well.

Note: Most of the initial functionality given in this document is already available in a modern day distribution such as Mandrake, Redhat, Debian, SuSe, etc. If you are using any distribution other than Redhat, Debian, etc., you will need to use this doc as a *reference* or a project management guide only. You will then need to obtain the various software sources or binaries by hand and configure the software via its native methods.

** Please note that this document will always be "Under Construction". **

Everything in the "Current Features List" has been implemented and should be documented. Some things in the "Future Features" section have already been completed though not necessarily documented yet. If you have any specific questions about the "Future" or "Current features".. feel free to ask!

#### Tangent ####
#
# If you have come to this doc directly, you also might want to
# check out the rest of my WWW page at:
#
#
#
# It covers other topics such as:
#
#   o Who am I (Why did I do all this?)
#   o Linux (TrinityOS, book reviews, other links, etc)
#   o PC Hardware (PC chipsets, CDR evals, BIOS discussions, etc)
#   o RAS technologies (xDSL, 56K modems, PPP optimizations, etc)
#   o Cable modems (how they work, the system I setup, @Home, etc)
#   o ISDN technologies (T/A & router evaluations, etc)
#   o Researching ISPs (How to pick a good ISP)
#   o Bookmarks (Check out my extensive WWW bookmarks)

**********************************************************************
** Would you like to be notified when I update my WWW page or       **
** specifically the TrinityOS doc?                                  **
**                                                                  **
** Every "update" e-mail is based from both the ChangeLog WWW page  **
** and the TrinityOS ChangeLog section so you will know what        **
** exactly was updated without any extra fluff.                     **
**                                                                  **
** If you're interested, send an e-mail to                          **
**                                                                  **
**     mailto:dranch at trinnet dot net                             **
**                                                                  **
** with a subject of "Add me to your updates list" and I'll add     **
** you to the list!                                                 **
**                                                                  **
** -P.S.- In the same request email, tell me what specifically you  **
** were/are looking for on my WWW page or in TrinityOS.             **
** I'm always taking new requests for additions and expanded        **
** coverage of topics already on my page.                           **
**                                                                  **
** So don't be shy!                                                 **
**********************************************************************

3. Feature Sets

3.1. Current Features:

3.1.1. Master References and Recommended Guidelines

   o An extensive URL library and current version list for all installed and recommended Linux tools and applications

   o Example guidelines on documenting the hardware and partition layout of your specific hardware

3.1.2. Linux Distribution Thoughts:

   o Thoughts and recommendations on picking a Linux distribution

   o A common "Search & Replace" example template throughout the document for both better clarity and the ability to use Search/Replace tools to customize this doc to YOUR specific setup

3.1.3. Core OS setup:

   o Configuring, compiling, installing, and booting both a 2.2.x & 2.0.x kernel
   o Lilo configuration, security, and recovery
   o PCMCIA / CARDBUS PC-Card Services
   o Software RAID 0 (striping) hard drives
   o 7-CD SCSI CD-ROM changer system
   o Automated Patching via RPM notifiers
   o EXT2 file system tuning
   o IDE hard drive performance optimization
   o Dual printing system support for both UNIX and Windows/Samba hosts

3.1.4. Network Connectivity:

   o Strong, configurable, and well commented IPCHAINS and IPFWADM packet firewall rule sets for SINGLE, DUAL, and THREE NIC environments.
     This section also includes a complete intro on how Packet and Stateful Inspection firewalls work

   o Automated rollback script for the loading of rc.firewall rule sets so that if you make an error in the firewall rule set and the rule set doesn't complete execution, a backup rule set will be automatically loaded to restore connectivity.

   o Full LAN masquerading (NAT or Network Address Translation) using private IP addressing
   o Masq IP port forwarding support (PORTFW)
   o Three Ethernet network card support setup and TCP/IP Performance optimization (modem and cable modem users w/ DMZ support)
   o DNS servers running both primary and secondary zones using Bind in a CHROOTed and SPLIT Zone configuration
   o Full Sendmail-based SMTP and backup SMTP e-mail system support w/ domain masquerading & Anti-SPAM measures with support for more than one Internet domain on one EMAIL server
   o IMAP4 / POP3 remote email service
   o DHCPd server for other LAN machines (laptops, etc)
   o DHCPc Linux client setup for getting TCP/IP addresses
   o SAMBA: Full Microsoft Windows file & printing support
   o NFS: Full Sun RPC-based Network File System support
   o IPSEC (Swan) VPN [Almost Complete]
   o PPTP VPN client and forwarding through IPMASQ
   o HTTPd WWW server support
   o PPP connectivity for primary PPP connectivity AND backup PPP connections
   o Dial-on-Demand (Diald) Internet connections (modem users)
     - Automatic Internet connections every 15 minutes (modem users)
   o Direct dial-in terminal / PPP access via a modem
   o NTP time calibration
   o Full UNIX printing via LPR

3.1.5. Security:

   o Complete physical and OS-level security recommendations and guidelines
   o Full SSHd (encrypted TELNET) support
   o Actively Updated Linux system security and patching (Shadow passwords, etc)
   o Advanced SYSLOG logging and nightly filtered reports emailed to the root user
   o Prioritized TrinityOS "CRITICALITY" rating system in the CHANGELOG section to gauge the level of urgency of security vulnerabilities, system mis-configurations, etc.
   o NMAP port scanning to test your packet firewall
   o Anonymized Sendmail Banners

3.1.6. System backup:

   o Minimum backups to floppy
   o Full backups via Hard drives or to tape using BRU with emergency restore diskette creation
   o Full APC SmartUPS power down support (APCUPSd) with both paging support and plotting power stats with GNU Plot to a graph which is emailed via "Sendlogs"
   o Backing up the server to a CD-R [not completed yet]

3.1.7. More extensive guides:

   o How to fix LILO, HD partitioning, and file system corruption
   o How to obtain an Internet domain(s) via a domain registrar
   o How to successfully move Internet domains across DNS servers and/or TCP/IP addresses
   o How to recover from your box being hacked and how to RE-secure it
   o Full documentation on how to understand and FIGHT all that SPAM email
   o SSH encrypted PORTFW VPN tunnels for email, etc

3.2. Future Features:

(Won't be implemented in any particular order)

3.2.1. * TrinityOS TO-DOs:

   o Add more "Configuration via GUI tools" sections

3.2.2. * Network stuff

   o Give instructions on compiling Xntp
   o Modularize the rc.firewall ruleset so updates can be transparent and not require additional tailoring for each update.
   o Remove LPR and replace it with LPRng or CUPS
   o IPv6: Configure and setup IPv6 and possibly setup an IPv6 tunnel via the 6Bone
   o Dial Backup: Add automatic analog modem dial backup when the ADSL/Cable modem goes down
   o CODA: Replace NFS support with CODA
   o Add a CACHING only setup for DNS
   o Set up an email list server (MajorDomo, Petidomo, dunno yet)
   o Email sent dynamic IP address exception requests for access through the TCP Wrappers and the IPFWADM rule sets
   o DHCPc client setup for Cablemodems
   o 128-bit encrypted Apache SSL WWW server
   o Move over to xinetd for better DoS protection
   o WWW Proxy services
   o WWW banner ad filtering

3.2.3. * Security Stuff

   o Replace the Sendlogs script to use either Swatch or LogSentry
   o Automate the firewall hits logging for trend analysis
   o Install PGP / GPG for secure and/or verified communications to: other users, Internic, binaries/source code verification, etc.
   o Tripwire Security Breach monitoring [not completed yet]
   o SATAN / SAINT / Nessus / COPS / ISS security testing

3.2.4. * Application stuff

   o Get Sendmail to run in an SMRSH shell
   o Implement Procmail to do local email filtering
   o Setup fetchmail to get remote email vs. setting up a remote .forward

3.2.5. * Administration stuff

   o Rotate the UPS logs
   o Implement automatic weekly incremental tape backups to a tape drive.

3.2.6. * System Stuff

   o Iomega parallel ZIP drive support

4. Hardware Configuration

This document uses methodologies that I have developed over the years. Some of these docs have saved my butt on several occasions (documenting things like Drive partition maps, I/O and IRQ maps). This may seem like a pain in the butt to do initially but when you need them.. YOU NEED THEM!

4.1. - Distribution:

   - Mandrake 7.0 w/ all available patches

4.2. - Kernel

   v2.2.25

4.3. Hardware Used:

   - Intel Pentium 200Mhz / 128MB EDO RAM
   - Intel TC430HX motherboard (cannot tune IRQ use)
        - Serial port #1: COM1 - IRQ 4
        - Serial port #2: COM2 - IRQ 3
        - LPT1 - IRQ 7
        - IDE 0 (disabled)
        - IDE 1 - IRQ 15

   - Network:
        Eth0: Compaq Netelligent 10/100 Dual port (PCI) - port #1 (IRQ 11) - cable modem side
        Eth1: Compaq Netelligent 10/100 Dual port (PCI) - port #2 (IRQ 14) - Int LAN

   - Video: Matrox Millennium II (4MB) - (PCI)

   - Sound: Built-in Windows Sound System (IO:530h, IRQ: 9, L-DMA: 0, H-DMA: 1, MPU: 330h, MPU IRQ: -1)

   - Controllers:
        - Adaptec 2940UW SCSI controller (PCI) - IRQ: 10
             - Used for SCSI disks (ext. cabling to RAID enclosure)
        - Adaptec 2940U SCSI controller (PCI) - IRQ: 14
             - Used for CDROMs and Tape drives (int. & ext. cabling)
        - I/O Adapter - (ISA) (2) port serial / (1) parallel
             - COM3 - IRQ 4
             - COM4 - IRQ 3
             - LPT2 - IRQ 5

   - Storage Devices:

     == In the primary system case ==
        - HDC:   Maxtor DiamondMax+ 10.0GB (UDMA)[512k][LBA]
        - HDD:   IBM 120GB HD
        - SR0-6: Nakamichi 7-CD 2x changer (ID: 4)
        - SR7:   Philips CM4xx 4x CDROM (ID: 5)
        - ST0:   HP T4000 TR4 Tape drive (ID: 6) [dead?]

     == In the secondary RAID enclosure ==
        - SDA:   Seagate ST39173N 9GB (20Mb/s) (ID: 0) - Primary HD
        - SDB:   Seagate ST39173N 9GB (20Mb/s) (ID: 1) -
        - SDC:   IBM DNES-309170 9GB (20Mb/s) (ID: 2) -
        - SDD:   Seagate ST39173N 9GB (20Mb/s) (ID: 3) - dd backup of SDA

   - I/O: (See docs on IRQTUNE to better understand why these are like this. It makes a difference!)
        ttyS0: COM1 - APC SmartUPS UPS
        ttyS1: COM2 - N/A
        ttyS3: COM3 - USR Courier v.Everything
        ttyS2: COM4 -
        LPT1:  Hp LaserJet-IIp (UNIX & Samba share)
        LPT2:  Canon S800 (UNIX & Samba share)

------ I/O Maps and "Expert" fdisk partition tables -----

IRQ Map:

     0: timer (system)
     1: keyboard (system)
     2: Cascade (system)
     3: COM2-N/A (Motherboard) & COM4-
     4: COM1-APC Smartups (Motherboard) & COM3-US Robotics modem
     5: Sound (Motherboard)
     6: Floppy (system)
     7: LPT1-printer (motherboard)
     8: Clock (system)
     9: Cascade
    10: Adaptec 2940U (PCI)
    11: Compaq Ethernet#1 (PCI)
    12: PS/2 mouse (motherboard)
    13: Math coprocessor
    14: Adaptec 2940UW (PCI)
    15: IDE1 (motherboard)

I/O Port MAP:

    170-1F7h: IDE1
    1F0-1F7h: IDE0
    200-207h: (not used) usually Joystick
    278-27Fh: LPT1
    2E8-2EFh: COM4
    2F8-2FFh: COM2
    330-331h: Windows Sound System Pro MPU-401
    376-376h: IDE1
    378-37Fh: LPT1
    3E8-3EFh: COM3
    3F0-3F5h: Floppy drive
    3F6-3F6h: IDE0
    530-533h: Windows Sound System
    E800h:    AHA2940U
    EC80h:    AHA2940U
    FCE0:     TLAN #1
    FCF0:     TLAN #2
    E400h:    System BIOS
    E800h:    System BIOS
    F000h:    System BIOS

DMA Map:

    0 - Windows Sound System
    1 - Windows Sound System
    2 - Alternative Floppy DMA
    3 - Floppy DMA
    4 - Cascade
    5 - None
    6 - None

----- All hard Drive partition tables -----

/dev/hdc (normal mode printout - expert truncates)
==================================================
Disk /dev/hdc: 16 heads, 63 sectors, 19390 cylinders
Units = cylinders of 1008 * 512 bytes

   Device Boot   Begin    Start      End   Blocks   Id  System
/dev/hdc1            1        1    19390  9772528+  83  Linux native
==================================================

/dev/sda (expert mode printout)
==================================================
Disk /dev/sda: 255 heads, 63 sectors, 1106 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl   Start     Size ID
 1 80   1   1    0 254  63    6      63   112392 06
 2 00   0   1    7 254  63 1023  112455 17655435 05
 3 00   0   0    0   0   0    0       0        0 00
 4 00   0   0    0   0   0    0       0        0 00
 5 00   1   1    7 254  63  261      63  4096512 83
 6 00   1   1  262 254  63  294      63   530082 82
 7 00   1   1  295 254  63 1023      63 12289662 83
 8 00 254  63 1023 254  63 1023      63   738927 83
==================================================

/dev/sdb (expert mode printout)
==================================================
Disk /dev/sdb: 255 heads, 63 sectors, 1106 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl   Start     Size ID
 1 00   1   1    0 254  63 1023      63 17767827 83
 2 00   0   0    0   0   0    0       0        0 00
 3 00   0   0    0   0   0    0       0        0 00
 4 00   0   0    0   0   0    0       0        0 00
==================================================

/dev/sdc (expert mode printout)
==================================================
Disk /dev/sdc: 255 heads, 63 sectors, 1115 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl   Start     Size ID
 1 00   1   1    0 254  63 1023      63 17912412 83
 2 00   0   0    0   0   0    0       0        0 00
 3 00   0   0    0   0   0    0       0        0 00
 4 00   0   0    0   0   0    0       0        0 00
==================================================

/dev/sdd (expert mode printout)
==================================================
Disk /dev/sdd: 255 heads, 63 sectors, 1106 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl   Start     Size ID
 1 80   1   1    0 254  63    6      63   112392 06
 2 00   0   1    7 254  63 1023  112455 17655435 05
 3 00   0   0    0   0   0    0       0        0 00
 4 00   0   0    0   0   0    0       0        0 00
 5 00   1   1    7 254  63  261      63  4096512 83
 6 00   1   1  262 254  63  294      63   530082 82
 7 00   1   1  295 254  63 1023      63 12289662 83
 8 00 254  63 1023 254  63 1023      63   738927 83
==================================================

5. Software URL download map and checklist

   o Software recommended and used for the TrinityOS doc (roughly in this order).

** NOTE** Put all code in /usr/src/archive/

I personally recommend putting ALL additional software source code, RPMs, etc in /usr/src/archive. In the "archive" directory, I make subdirectories for the various code like dns, ssh, sendmail, etc. This IS your box though so put things ANYWHERE you so wish. :)

5.1. Master site for all Internet RFCs:

   o

5.2. The Master IANA site

   o For all Internet port numbers, protocol numbers, etc. A VERY recommended place to go, download them ALL, and put them in /etc/iana.
   o To create a local copy, do the following:

   ___________________________________________________________________
   mkdir /etc/iana
   cd /etc/iana/
   wget -r -l 1 -nH --no-parent http://www.iana.org/numbers.htm
   ___________________________________________________________________

5.3. Master site for all known Internet Trojan ports

   o

5.4. Distribution Sites and Update MIRRORS:

Any Service Packs, security patches, etc. for your installed Slackware or Redhat distribution(s)

5.4.1. Mandrake Updates:

   o Master URL:

5.4.2. Redhat Updates:

   o Master MIRROR URL:
   o Fast: ;
   o 5.2 only:

5.5. Newest stable kernel

   or

5.5.1. 2.6.x

   o 2.6.11.10 is stable

5.5.2. 2.4.x

   o 2.4.30 is stable
   o All kernels less than 2.4.20 have the lcall7 local DoS attack vulnerability. No REMOTE DoS attack is possible.
   o All kernels less than 2.4.13 have a serious symlink vulnerability. Please upgrade your kernel.
   o Please note that the 2.4.x series of kernels is still quite new and some aspects of it are immature in comparison to 2.2.x kernels (PCMCIA, Power Management, etc). But, several new aspects of the 2.4.x kernels might make you want to try it (faster IP stack, stateful firewalls, journaled filesystems, etc.)

5.5.3. 2.2.x

   o 2.2.26 is stable
   o All versions less than 2.2.22 have a local denial of service risk though no REMOTE DoS attack is possible.
   o ALL versions less than 2.2.16 have a TCP exploit that, when combined with tools such as Sendmail, will lead to a root compromise.
   o All kernels below 2.2.12 have an IP fragmentation bug. This will make ALL strong IPCHAINS rule sets vulnerable!
   o 2.2.11 has a memory leak issue.

5.5.4. 2.0.x

   o 2.0.40 is stable
   o Any lower version has a DoS attack against the TCP/IP stack

5.6. IP NAT, MASQ, Load Balancing, and High Availability tools

   o There are several implementations but here are the common ones:

   o A Good Master Reference to the various NAT implementations for multiple Operating Systems
        o

   o Main Linux NAT, Load Balancing, and High Availability reference site:
        o

   o Newer NAT implementations:

        o IPROUTE2: The primary true Many:Many NAT implementation for 2.2.x kernels -
             o Mirror:
             o Documentation #1:
             o Documentation #2:
             o Advanced Routing HOWTO: This doc covers IPROUTE2, Policy-based routing (source IP), GRE tunnels, Multicast, Queueing, etc, and more -

        o An older NAT implementation available here:

        o Excellent tutorials on Linux NAT and the home of one of the first implementations:
             o
             or
             o

5.6.1. MASQ E-mail list : By far the BEST way to get MASQ-help (very helpful!!)

   o Send mail to

5.6.2. Linux IP Masq

5.6.2.1. 2.4.x kernels

   o NetFilter now provides for both 1:Many Masq-like NAT and true 1:1 NAT:
        o

5.6.2.2. 2.2.x kernels

   o NOTE: ALL versions less than 2.2.16 have an IP fragmentation bug (among other things). This will make ALL strong IPCHAINS rule sets vulnerable! Upgrade NOW!

   o IPCHAINS Main site:
   o IPMASQADM port forward patches:
        o
        or
        o
   o The beginnings of Stateful Inspection for Linux:
        o 2.0.x kernels
             o
        o 2.1.x / 2.2.x kernels
             o

5.6.2.3. 2.0.x kernels

   o IPFWADM (the source must be downloaded regardless of whether it was installed with Redhat)
        o Slackware:
             o
        o Redhat:
             o
   o IPFWADM patches (if required for pre-2.0.30 kernels) at:
        o
   o IPCHAINS support for the 2.0.3x kernels
        o
        o
   o IPPORTFW Port forwarding for 2.0.x kernels
        o Homepage:
             o
        o Patches:
             o
   o Interpreting Firewall hits:
        o This is a great URL in addition to the content in Section 10 on how to interpret your firewall logs and what all the information means:
             o

5.7. PPP - v2.4.3 (not needed for most cable modem users)

   Primary site:

5.8. ML/PPP

   o PPPd now supports ML/PPP as of 2.4.x (see above)
   o Strong Implementation:
   o Lots of data, little code:
   o Another implementation (runs on 2.2.x+ and he is looking for testers)
   o Dead link?

5.9. PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users

   Very popular user-space client :
        Primary Site:

   Kernel-Space client known for somewhat better performance:

   Some other informational URLs as well:

5.10. Diald v1.00 (not needed for cable modem users)

   Diald is now maintained by a new author and site:

   RPMS:

   Download the original Diald and Diald patches (Diald v0.16.5)

5.11. Bind / Named current: 9.3.1 and 8.4.6

   Sources:

   Versions: 9.2.2 requires non-vulnerable OpenSSL code. It's also recommended to download both the source code /and/ the associated .asc PGP signature for that version of BIND.

   RPMs: Finding new RPMs for the newest versions of Bind isn't very easy. One place you might have luck is the CONTRIB area of sites like Redhat and Mandrake. Those RPMs seem to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.

   You can also find a chroot-ed version of bind here:

   Announcement list: Send email to bind-announce-request@isc.org with "subscribe" in the subject field.

5.12. Vlock (stock in Redhat if installed)

5.13. Network Sniffers

5.13.1. - TCPDUMP (stock in Redhat if installed) - Excellent network packet sniffer

   or

5.13.2. - IPtraf - Excellent high level network protocol watcher

   - Current 2.7.0

5.13.3. - Ethereal - An excellent GUI decoder

   - Current 0.10.11

5.14. Sendmail current: v8.13.4, v8.12.11, and v8.11.7

   Both Sendmail 8.12.9 and 8.11.7 are secure though they have a problem with the "smrsh" shell. TrinityOS doesn't use this but if you are concerned about it, a patch is available. Currently, if you plan to use 8.11.x, you need to run 8.11.7 to secure it from a few recently found remote root exploits.

   RPMs: The newest Sendmail is NOT available in RPM form from sendmail.org but it IS in Redhat's CONTRIB area.
   It seems to work fine but some people do NOT trust someone else's
   compiled code, so, it's your choice.

   Announcement list: Send an email to majordomo@Lists.Sendmail.ORG with the
   text "subscribe sendmail-announce" in the body of the message.

5.15. POPAuth

   I have taken over ownership of these documents but haven't had a chance
   to post them yet. If you would like to get a copy of them, please email
   me.

   For allowing remote POP-3 clients to be able to use the SMTP server to
   send email.

5.16. Virtual Email domains

   To support multiple email domains w/ Sendmail, Qmail, etc. check out:

5.17. DHCP Server - DHCPd v3.0.2

   DHCP FAQ:
   RFC Info:
   Legacy Info:
   Download:

5.18. DHCP Client

   DHCP HOWTO:
   dhclient v3.0.2 comes with the server code above
   DHCPcd 1.3.22-p14:
   Other DHCP info:
   A HOWTO specific to the RoadRunner Cablemodem setup, but it's still a
   good site:

5.19. WU-FTP v2.6.2 - with multiple patches

   FTP:
   FAQ:

5.20. NetWatch

5.21. Getdate (NTP) - v1.2 (Was SETTIME)

5.22. NTP Clock Sources

5.23. Tape Back up:

   - BRU (it's not free but it's the best Linux backup software out there
     IMHO. This is one place you just CAN'T skimp!) Recommended!
     http://www.estinc.com

5.24. Mozilla v1.7.8 ( Netscape is dead)

   Original Mozilla (deprecated) - 1.7.8
   Firefox - 1.0.4
   Thunderbird - 1.0.2

5.25. SSH

   Commonly used BSD licensed OpenSSH client/server (totally free) -
   current: 4.0p1
   Original Commercial SSH.com client/server (free for Linux :: for now) -
   current: 3.2.6.1
   Additional UNIX SSH tunneling URLs:

5.26. MDADM and Raidtools

   MDADM (v1.11.0):
   Good but old info on Linux RAID:
   Raidtools (DEPRECATED) 1.00.3:

5.27. Samba current: 3.0.14a (stock in most distros if installed)

   Also, they have great docs at

5.28. PCMCIA Services - 3.2.8

5.29. UPS software - APCUPSd and Powerchute

   Original and quite nice APCUPSd open-source daemon - v3.10.17a:
   or
   Official APC Powerchute for Linux - v4.5.3 - Free closed-source daemon
   with excellent X Windows support:

5.30. Apache WWW server - 2.0.54 and 1.3.33

   Standard Apache:
   or
   SSL-encrypted Apache:

5.31. File Integrity testing/Monitoring

5.31.1. TripWire:

   Tripwire has gone OpenSource for LINUX! Woohoo! Though it isn't available
   quite yet, it will be there soon:
   Also, as of v2.2.1, Tripwire now runs on Glibc.
   You can also get the older versions here:

5.31.2. Aide:

   AIDE is a GNU version of Tripwire - v0.10

5.31.3. ViperDB:

   ViperDB is another GNU version of Tripwire

5.32. RPM update tools:

5.32.1. AutoRPM current version: 1.9.8.1

5.32.2. The Perl module "Libbet"

5.32.3. RPM Watch current version: 1.1

   (does not work for Redhat 5.2+) [Will be phased out]

5.32.4. RPMLevel (from the author of RPMWatch)

5.33. Mkisofs

5.34. Compression tools

   BZip2 :

5.35. Bash HOWTO

   Also see ``Section 42'' in TrinityOS

5.36. Dial-In Server HOWTO

5.37. SWAN / IPSEC VPN

   Project home page:
   or
   SWAN email list:
   Overview
   Download the IPSec code from:
   Broken?
   Works ?
   or
   Other Mini-HOWTOs: https://www.seifried.org/articles/ipsec/

5.38. PPTP VPNs and client software

   o Client:
   o PPP shim:
   o Additional docs:
   o Additional troubleshooting:
   o IPMASQ patches:

5.39. PGP Email Encryption

   o PGP:

5.40. Serial consoles and Remote TELNET

   o Remote Serial HOWTO (for more details on configuring serial consoles):

5.41. IP logger

5.42. Hardware Performance Tuning:

   o PowerTweak - optimize the BIOS/Chipset/PCI registers
   o Preempt patch - make the kernel more responsive under load
   o IRQTune - optimize IRQ response times - good for PPP/Modem users
   o HDparm - good for hardcore IDE performance users

5.43. Security Documentation, Tools, and Resources

5.43.1. Various Security Mailing lists and documentation

   o

5.43.2. The Linux Security HOWTO

   o

5.43.3. Logging tools:

   o CheckLogs:
   o Swatch:
   o Psionic LogCheck:
   o LogSurfer: (like Swatch but with state checking!)

5.43.4. - Nmap - v3.81 :

5.43.5. - Nessus - 2.24 :

5.43.6. - COPS (old)

5.43.7. - Saint (new version of Satan)

5.43.8. - SATAN (Old)

   Newer:
   Older

5.43.9. - Solar buffer-overflow fixer

5.43.10. - Kurt Seifried's Linux Administrators Security Guide (LASG)

5.43.11. - Ofir Arkin's paper on ICMP protocol fingerprinting

5.43.12. - Other URLs:

   Test Exploits:
   Test Exploits:
   Test Exploits:
   Test Exploits:
   Security Alerts: Subscribe to BugTraq at
   More Security:

5.43.13. - Abacus Security Initiative

   Includes host_sentry, port_sentry and logchecker.

5.43.14. - Intrusion Detection Systems (IDS) Tools

   SHADOW (SANS):
   Snort:

5.43.15. - Network Flight Recorder

   Setup HOWTO:
   NFR software:
   NFR ID Attack ID Packages:

5.44. WWW proxy (Apache or Squid)

5.45. WWW Ad banner filtering patch:

   Example filter:

5.46. Zip drive

5.47. Linux Applications:

5.48. Linux Games:

   X-Shipwars:

5.49. Linux Instant Messenger clients:

   o GAIM 1.3.0
   o Reviews of different IMs for Linux:

6. Thoughts on Picking a Linux Distribution

6.1. - Installing Linux distribution

   This is too complicated to be completely covered in TrinityOS. But, to
   get you started, here are a few comments that talk about what Linux
   distribution might be right for you.

   One thing I've been asked over and over is regarding users that are
   trying out Linux with an old Linux CD (given to them, etc.). With the new
   2.4.x kernels out, all the newest Linux distributions BLOW AWAY the old
   ones in terms of ease of setup, performance, hardware compatibility, etc.
   So, I recommend that you get a new copy of a given Linux distribution and
   give that a look. And you can't tell me it's expensive when you can get
   almost ANY Linux distribution for under $3.00 US a CD from places like .

   *---------------------------------------------------------------------------*
   * What do I use? I currently use Mandrake v9.1 on my work laptop (Dell) and *
   * 7.0 at home but I'm worried about Mandrake's direction (see more below)   *
   *---------------------------------------------------------------------------*

   So, with that behind us, here are a few notes:

6.2.
   Redhat: http://www.redhat.com

   Redhat has recently discontinued both their regular Linux distribution
   via retail channels as well as their downloadable ISO version (currently
   9.0). Moving forward, Redhat has created two projects: the "Fedora"
   project, which is an opensource distribution, and then their Redhat
   Enterprise Linux v3.0 distro line. A good question is if the Fedora
   project will take over where the RH9.0 distro left off in terms of
   quality, etc. I have no idea but I do know that the testing won't be
   nearly as good and I doubt the installer and GUI tools will be as refined
   as they've been in the past.

   Fedora: The main differentiation between the two RH distros is that there
   isn't any Redhat commercial grade testing or tech support for the Fedora
   version. This is no different than using distros like Debian, Gentoo,
   etc. which are well supported by the Linux community as a whole. All
   Fedora support will be via web forums, 3rd party support vendors, etc.

   Enterprise Linux: The RH Enterprise Linux line offers email/phone support
   for 2-3 years and 5 years for critical security patches, etc. which is
   very good in my opinion. Unfortunately, the Enterprise line comes in
   three versions (workstation only (WS), small server (ES), and big server
   (AS)) and thus charges accordingly:

   As of November, 2003
   --------------------
   WS - $180  - only initial install support :: Full 1 yr support is $299 US.
              - NO server support - this is only a workstation (very limiting)

   ES - $350  - only initial install support :: Full 1 yr support is $799 US.
              - Full server support
              - Dual SMP only
              - limited RPM package list

   AS - $1500 - support included but 4 CPU version starts at $2500 US.
              - Full server support
              - 4way CPU +
              - more complete RPM package list

   Yes, this is expensive for an end user but not bad for an enterprise
   setup. BUT, my major gripe with RHEL is that the software package list or
   RPM list is probably < 50% of what RH 9.0 was.

   Check it out, here is a full list of the RHEL ES 3.0 RPMs -

   As you can tell, not only does this make EL expensive but you don't get a
   whole lot for your money other than a good software patch policy.

   Anyway, Redhat has been a premier Linux distribution that has a strong
   installation tool and has some great system administration utilities too.
   One of the best parts of Redhat is its incremental RPM package
   installation and upgrade system. Redhat is constantly upgraded, they even
   support / offer patches for their oldest distro versions, and it is well
   supported in the Linux community.

   Redhat is a good choice for the Linux newbie that wants a more
   server-focused distro or a GUI configuration approach running with all
   kinds of functionality. Don't let the server focus fool you.. this distro
   is very desktop friendly as well. Redhat is a Gnome shop vs. a
   KDE-centric distro. If you are already a UNIX snob, you might find
   Redhat's layout a little weird (unless you are a Sun Solaris (SYSV)
   person - the /etc/rc.d/rc2.d layout is similar).

   *BUT*, many people don't like Redhat. Why?

   1. Redhat has a LOT of extra software built-in. Yes, you can choose the
      "Custom" installation process and get rid of most of the options
      (recommended) but a FULL install is quite large (a full RH8.0 install
      is 4.6GB!). Yes, you can pick a "custom" install and reduce the number
      of installed packages but it's still a heavy distro.

   2. If you want to *learn* UNIX (not specifically Linux) in the classic
      LINUX step-by-step fashion and truly understand it (the hardest but
      BEST way (IMHO)), Redhat probably wouldn't be my first choice! Yet, I
      do have to admit my opinion is slowly changing though.

   3. Redhat changes the entire behavior of how Linux is set up and
      configured compared to other distributions like Slackware to be more
      easy to use, modifiable via scripts, etc. Unfortunately, Redhat's GUI
      tools don't easily tell you what it is going to do to your config
      files.

      If you want to learn UNIX in a classic fashion, go with Slackware or,
      to a lesser extent, Debian, SuSe, etc.! Those distributions are a LOT
      more plain and easier to initially figure out.

   4. RPM Hell. You might have heard about this term before. What this
      basically means is that if you want to install a given program,
      sometimes it has a prerequisite of installing another program first.
      Ok, so you try to install that required program only to find that this
      sub-required program might have THREE other required programs. Then
      when you try to install the sub-sub programs, they TOO have
      requirements. Get the idea? Though it is always solved with patience
      (using RPM manually and installing all the required programs), many
      people hate RPMs for this reason. Fortunately, Redhat's newest RPM GUI
      tools determine all the required other programs for you. Some say this
      is a fundamental flaw of the RPM system itself. I don't think it's
      that bad but I'm a patient kind of guy (most of the time at least).

   All newer versions of Redhat have enhanced installation programs for
   simple installations but with the ability to configure advanced options
   like software RAID, LVM, etc. Also, the ASCII, NCURSES, and X-Windows
   versions of the "linuxconf" and "control-panel" GUI interfaces are
   getting VERY cool!

6.3. Mandrake: http://www.linux-mandrake.com

   Mandrake Linux, currently at version 9.2, is a close derivative of Redhat
   Linux with some significant changes and add-ons. The main difference
   between Mandrake and Redhat (even today) is that Mandrake is compiled for
   [ Pentium ] or newer machines. Redhat is currently compiled for Intel 386
   (i386) processors though their kernels are optimized. With the Pentium
   optimizations alone, Mandrake can yield anywhere from a 10-20%
   performance increase over RedHat on some platforms.

   Next, Mandrake has been adding more customized tools to their
   distribution. With these tools, like the "Mandrake Updater",
   administration is easier.
   If you like GUI tools, Mandrake has them! One thing I do want to mention
   is that Mandrake's installers within the "Drak" have become very
   powerful. The installers are very simple for the newbie but can also be
   very powerful (installation of software RAID, LVM, etc.). Mandrake is
   also very security conscious and gives the user the option of different
   default security settings, etc.

   Much like Redhat, Mandrake also shares the RPM hell problem. Fortunately,
   Mandrake has RPMdrake which determines all of the required dependencies
   for you and fixes most of this issue.

   One last thing that must be noted is that like most Linux vendors,
   Mandrake has changed their patch support policies. They now only offer
   security patches for ONE year from the release of the distro. After that,
   you MUST upgrade to their newest distro. The alternative is to buy their
   Corporate Server version which is pretty expensive (Corp. Server 1.1 is
   $799) but will give you support for 2+ years. In comparison to Redhat and
   SuSe's support policies, Mandrake is both expensive and lacking equal
   support. This pains me as I'm a big Mandrake fan but servers need to be
   supported and upgrading every two years is silly. Ultimately, if it's a
   server that you don't plan on upgrading very often, getting the Corporate
   version might make sense. For a desktop system, only getting patches for
   1 year sucks but then again, newer distros will have more features, etc.

6.4. SuSE: http://www.suse.com

   SuSE, currently in version 9.0, is a powerful distribution from Germany.
   I had previously tried their older releases but there was so much
   embedded German text in it, it bothered me so I gave up on it. I recently
   installed newer versions and it seemed much better. The installation
   program is pretty good though I think Redhat or Mandrake's is better.
   But, SuSE has a nice configuration tool called YaST and they were one of
   the first to come with the KDE window manager.

   If you like the BSD style of configuring services (much like Slackware,
   FreeBSD, etc.), you'll like SuSe.

   BUT.. recently, Novell with a grant from IBM is trying to buy SuSe. What
   will this mean to SuSe? Good question but it will take them a while to
   improve or bury it.

6.5. Debian: http://www.debian.org

   Debian is currently on their 3.0R1 release and though I haven't used
   Debian much, many people out there (mostly power users) seem to like it a
   lot. Debian is a community distro which means that there is no "Debian"
   corporation trying to make money at it. It's run and maintained by the
   community so the distro is only as good as the contributors. It has been
   best described to me as a distribution that old Slackware users who hate
   Redhat will LOVE. Interestingly enough, the defunct Corel and Storm
   distributions were based on Debian.

   Debian doesn't include the kitchen sink in terms of software like
   Mandrake or Redhat but it's laid out in a good manner and it has its own
   RPM-like installation/upgrade system called dPKG with GUI frontends like
   "apt" or the older tool, "dselect". One thing to note about Debian's
   package system is that unlike the "RPM hell" situation (see the Redhat
   section above), it can automatically determine a package's dependencies
   (what other programs are needed to get this particular program to run)
   and automatically download AND install the required packages. In this
   respect, Debian is still untouched in ease of use.

   Like Redhat, Debian is reported to be constantly updated and well
   supported. Many people argue that Debian is even better updated than
   Redhat though they are considerably slower to release new distributions
   with the newest versions of Gnome, KDE, etc. compared to the other distro
   vendors.

6.6. Gentoo: http://www.gentoo.org/

   Gentoo is a new community distro that is very similar to Debian in the
   respect that there is no "Gentoo" corporation trying to make money from
   it. It's run and maintained by the community so the distro is only as
   good as the contributors.

   Fortunately, Gentoo brings something new to the Linux distro mix. Most
   traditional Linux distros (Redhat, Mandrake, SuSe, etc.) all install
   pre-compiled binaries which makes the installation quick and painless but
   the resulting distro might not take advantage of your hardware (ahem..
   Redhat). Gentoo takes a totally different stance on the installation
   phase. Specifically, after you pick the packages you want to install,
   Gentoo will compile ALL of them from the sources to maximize your
   hardware. This is great though a full installation can take DAYS if not
   even a WEEK or more depending on how fast your hardware is and how many
   packages you are installing.

   Once installed, Gentoo uses the "portage" program installation system
   which is similar to the *BSD "ports" system. This is where everything is
   compiled from source. It's a pretty easy system to use as it
   automatically figures out where to download the programs from and how to
   compile them. It just is time consuming. But, the sweetest aspect of the
   "portage" system is that with ONE command you can upgrade your ENTIRE
   distro install to the current versions of all packages! Very powerful
   though I also consider this dangerous too (config files change, too many
   variables if something breaks, etc.)

6.7. Slackware: http://www.slackware.com

   Slackware, now at version 9.1, is one of the original Linux distributions
   and it is still one of my favorites. It definitely isn't as slick in
   terms of installation or functionality compared to Mandrake but it's laid
   out in a clear manner. The INIT scripts (the scripts that are executed to
   bring the system up) are laid out in a very readable fashion (BSD-style -
   so is SuSe) and everything is obvious (in the open). Slackware will be a
   comfortable fit for the UNIX guru peoples out there. Like Redhat,
   Slackware uses a software package system (pkg) for modularized system
   upgrades. Though it isn't as fancy as Redhat's RPM system.. it has almost
   all the same functionality. Though patches do come out for Slackware,
   Redhat's community usually has patches available FASTER.

6.8. Caldera: http://www.calderasystems.com/

   Caldera or SCO, now at v3.1, is the most commercial of all the Linux
   distributions. They initially pulled ahead of the pack with a better
   installation program and auto-installing hardware modules but almost
   everyone has caught up pretty quickly. Caldera was understood to have one
   of the easiest installation programs of ALL the distributions though
   Mandrake might have them beat now. Caldera differentiates itself by
   trying to meet the needs of the corporate market. For example, they have
   completed a port of Novell's NDS directory services to Linux. Pretty
   cool!

   But, it should be noted that SCO seems to be taking on Linux on the legal
   front. They are suing various companies for Millions if not Billions of
   dollars. In my opinion, this is a last gasp for them to stay alive but
   this isn't a way to keep the Linux community happy with them.

6.9. Other Distributions

   There are other Distributions out there to pick from depending on your
   hardware platform (Dec Alpha, Motorola PowerPC, etc.) such as:

   TurboLinux - popular in Japan / Network clusters
   LinuxPPc - for PowerPC machines
   LinuxPro
   LinuxWare
   MkLinux - For 680x0 and PPC Apples
   Stampede

   You'll have to experiment and ask other Linux people what distribution
   they like and WHY! Personally, I'd recommend getting one of those
   multiple Distribution CD sets from places like and trying them out
   yourself!!

   For more Distribution details, check out:

7. Installing a distribution, patching it, and doing a Search/Replace on TrinityOS

7.1. Upgrading/Updating your Linux distribution:

   Like ANY Linux distribution, bug fixes, security releases, etc. are
   always coming out and you NEED to stay on top of it.
   Remember, Linux is very functional but without a given security patch, a
   hacker can break into your box and do ANYTHING! Redhat, Debian,
   Slackware, etc. have their own incremental update systems that make this
   easier.

   P.S. If the program you update to with "pkgadd" has different
   configuration file layouts, you will have to do the conversion manually.
   Debian and Redhat's systems can do the conversion for you though I've had
   mixed results with this.

7.1.1. Redhat users:

   Go to the Redhat Updates URL in ``Section 5'' and download all the recent
   patches to a directory (ie. /tmp/patches). Once you have all of the
   newest RPMs, you should use the "Freshen" (-F) option of the RPM tool.
   This will update the RPMs on your machine ONLY if an older version of the
   RPM is installed on your machine. So, I recommend that you do:

   ______________________________________________________________________
   rpm -Fvh /tmp/patches/*
   ______________________________________________________________________

   Also, please heed these following warnings regarding RPMs:

   *******************************************************************************
   **  Don't always trust RPMs!!!!                                              **
   **                                                                           **
   **  See [Section 50] for more specific instructions on how to use RPMs,      **
   **  see what files will be installed/replaced/OVERWRITTEN BEFORE you         **
   **  install them, etc.                                                       **
   *******************************************************************************
   **  Staying on top of new RPMs                                               **
   **                                                                           **
   **  You should also implement the RPM notification tool that is documented   **
   **  in [Section 43] to stay on top of this in the future!                    **
   *******************************************************************************

7.2.
TrinityOS diagrams and Search and Replace Keys
----------------------------------------------

   This is how the TrinityOS network is laid out:

   -- Network topology diagram:

                 ________
                /        \
               |Internet  >------------------+
                \________/                   |
                                         Cablemodem
                                             |
                              +-----------------------+
                              |                       |
                              | External Link: eth0   |
                              |   IP:  100.200.0.212  |
       _________              |   DGW: 100.200.0.1    |
      / Various \             |                       |
     |  Remote   |            |     ------------      |
     |  Sites    >-ISDN-------|- External Link: ppp0  |
     |  &        |            |   IP:  dynamic        |
     |  Internet |            |                       |
     |  link     |            |     ------------      |
      \ backup  /             | DMZ Link: eth2     ---|----< To 802.11b wireless network
       ---------              |   IP: 192.168.10.1    |      IP:  192.168.10.x
                              |                       |      DGW: 192.168.10.1
                              |     ------------      |      DNS: 192.168.10.1
                              | Internal Link: eth1   |
                              |   IP: 192.168.0.1     |
                              |                       |
                              +-----------------------+
                                          |
                              | 8-port 100Mb/s switch |
                              +----+----+----+----+----+----+----+----+
                                   |    |    |    |    |    |    |    |    |
                                   PC   PC   PC   PC   PC   PC   PC   PC   PC
                                   #1   #2   #3   #4   #5   #6   #7   #8   #9
                                   |
                         /----------------\
                         IP:  192.168.0.2
                         DGW: 192.168.0.1
                         DNS: 192.168.0.1

   - Next, this section is to custom tailor your copy of TrinityOS to your
     specific environment. Do a search/replace on the "Search for" fields
     and replace them with your correct "replace with" fields.
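   The search/replace pass described above can be scripted rather than done
   by hand in an editor. The following is an added example, not one of the
   TrinityOS archive scripts: it reads a key file (an assumed format of two
   whitespace-separated columns, "search for" and "replace with") and builds
   a sed script from it. The one thing worth getting right, which the table
   does not show, is ordering: several keys are prefixes of other keys
   (192.168.0.1 is a prefix of 192.168.0.10 and 192.168.0.11), so the rules
   are emitted longest-first to keep a short key from rewriting part of a
   longer one. The sample key rows and document line are constructed for the
   demo.

```shell
#!/bin/sh
# Added example, not part of TrinityOS or its archive scripts: apply a
# Section 7.2 style key table to a copy of the document with sed.
# Key file format (an assumption of this example): one key per line, two
# whitespace-separated columns, "search-for" then "replace-with".

# Escape a key for use as a sed basic-regex pattern. '|' is used as the
# s||| delimiter below so IP addresses, hostnames and paths stay readable.
sed_escape_pattern() {
    printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'
}

# Escape a value for the replacement side of s||| ('&' and '\' are special).
sed_escape_replacement() {
    printf '%s' "$1" | sed 's/[\&|]/\\&/g'
}

# Turn the key file into a sed script. Keys are emitted longest-first so a
# key that is a prefix of another (192.168.0.1 inside 192.168.0.10) cannot
# rewrite part of the longer key before the longer key's own rule runs.
build_sed_script() {
    awk 'NF >= 2 { print length($1) "\t" $1 "\t" $2 }' "$1" |
    sort -rn |
    while IFS="$(printf '\t')" read -r _len search replace; do
        [ "$search" = "$replace" ] && continue   # identity key: nothing to do
        printf 's|%s|%s|g\n' \
            "$(sed_escape_pattern "$search")" \
            "$(sed_escape_replacement "$replace")"
    done
}

# apply_keys KEYFILE INPUTFILE  -> rewritten text on stdout
apply_keys() {
    _script=$(mktemp)
    build_sed_script "$1" > "$_script"
    sed -f "$_script" "$2"
    rm -f "$_script"
}

# Constructed demo: a few rows in the shape of the Section 7.2 table and one
# line standing in for the document text.
demo_dir=$(mktemp -d)
cat > "$demo_dir/keys" <<'EOF'
johndoe          alice
acme123.com      example.org
192.168.0.1      172.16.5.254
192.168.0.10     172.16.5.10
EOF
cat > "$demo_dir/doc" <<'EOF'
Login johndoe on 192.168.0.10 uses gateway 192.168.0.1 for acme123.com
EOF
apply_keys "$demo_dir/keys" "$demo_dir/doc"
# prints: Login alice on 172.16.5.10 uses gateway 172.16.5.254 for example.org
rm -rf "$demo_dir"
```

   To use it on the real document, put the "search for" and "replace with"
   columns of the table into a key file and run apply_keys against a copy of
   TrinityOS, redirecting stdout to the tailored copy. Keys whose two columns
   are identical are skipped, so the example rows that are already correct
   for your site cost nothing.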
   PLEASE NOTE: If you are going to use IP Masquerading, you should use one
   of the private address spaces as described in RFC 1918 such as:

   o Class-A: 10.x.x.x
   o Class-B: 172.16-31.x.x
   o Class-C: 192.168.x.x

   ___________________________________________________________________
                                search for          replace with (given as an example)
                                ----------          ----------------------------------
   Your main login ID           johndoe             your-login
   Your PPP ISP name            your-ppp-isp-name   your-ppp-isp-name
   Your PPP ISP #               555-1212            555-1234
   Your PPP login               your-ppp-login      your-ppp-login
   Your PPP password            your-ppp-passwd     your-ppp-passwd
   The Linux machine name       roadrunner          your-linux-boxes-name
   Domain Name                  acme123.com         yourdomain.org
   Second Domain Name           another-domain.com  yourseconddomain.org
   Internal IP network          192.168.0.0         192.168.0.0
   Internal IP address          192.168.0.10        192.168.0.10
   Internal gateway IP          192.168.0.1         192.168.0.1
   Internal broadcast IP        192.168.0.255       192.168.0.255
   Internal DMZ IP network      192.168.10.0        192.168.10.0
   Internal DMZ IP address      192.168.10.10       192.168.10.10
   Internal DMZ gateway IP      192.168.10.1        192.168.10.1
   Internal broadcast DMZ IP    192.168.10.255      192.168.10.255
   External IP network          100.200.0.0         100.201.0.0
   External IP address          100.200.0.212       100.201.0.212
   External gateway IP          100.200.0.1         100.201.0.1
   External broadcast IP        100.200.0.255       100.201.0.255
   Remote SECONDARY DNS         ns.backupacme.com   ns.yourdomain.org
   External secondary DNS       102.200.0.25        102.201.0.25
   Reverse DNS lookup           54.44.80.10         50.0.201.102
   Explicit allowed IP#1        200.211.0.40        200.244.0.40
   Explicit allowed IP#2        200.211.0.41        200.244.0.41
   Explicit allowed IP#3        200.211.0.42        200.244.0.42
   Explicit allowed IP#4        200.211.0.43        200.244.0.43
   ISP DNS server #1            10.200.200.69       10.222.222.44
   ISP DNS server #2            10.200.200.96       10.222.222.88
   Your SMB Workgroup:          ACME123             your-linux-boxes-SMB-workgroup-name
   Your pager email:            1234567@skytel.com  2321432342@skytel.com

   An internal PORTFWed MASQ machine name:
                                coyote              one-internal-MASQed-machine-name
   An internal PORTFWed MASQ machine IP:
                                192.168.0.20        192.168.0.20

   Internal machines allowed to connect to the MASQ server:
                                192.168.0.11        192.168.0.11
                                192.168.0.12        192.168.0.12

   Remote PPTP setup
   PPTP server running at:      MyEmployer.com      MyEmployer.com
   PPTP server IP:              220.1.2.3           220.1.2.3
   PPTP username:               YourUserNameHERE    YourUserNameHERE
   PPTP CHAP name:              REMOTE-PPTP-CHAP-HERE  REMOTE-PPTP-CHAP-HERE
   ___________________________________________________________________

7.3. Fixing Redhat, Mandrake, etc. (bugs) that are right out of the BOX! (ouch!):

   * These are errors, bugs, annoyances, etc. that I've noticed in
     Redhat5.x. But, these might be fixed in later CD releases, patches,
     etc.

7.3.1. - Fix all cron permissions (some fixed in RH6.x)

   ______________________________________________________________________
   chmod -R 750 /etc/cron.hourly
   chmod -R 750 /etc/cron.hourly/*
   chmod -R 750 /etc/cron.daily
   chmod -R 750 /etc/cron.daily/*
   chmod -R 750 /etc/cron.weekly
   chmod -R 750 /etc/cron.weekly/*
   chmod -R 750 /etc/cron.monthly
   chmod -R 750 /etc/cron.monthly/*
   ______________________________________________________________________

7.3.2. - Let Minicom and "ls" run in Color:

   o Edit /etc/profile and add the following after the "export" line if you
     have Minicom installed:

     MINICOM="-c on"
     export MINICOM

   o This "ls" issue is fixed in RH6.x but it's good to set up regardless.
     Edit the /etc/bashrc file and add:

     alias ls='ls --color=yes'

7.3.3. - Let ColorGCC always run to make compiling a little more obvious

   o Add the following to the /etc/bashrc file to make compiling highlight
     various warnings, errors, etc. I think it helps..

   ___________________________________________________________________
   export CC="colorgcc"
   ___________________________________________________________________

7.3.4.
   Fix the timezone

   o NOTE: This is supposed to be already fixed in a Glibc RPM fix
   o Edit the /etc/profile file
   o Just above the "EXPORT PATH" line, add the line for Pacific Daylight
     time (adjust for your Time zone)

     TZ=PST8PDT

     Now edit the "EXPORT PATH" line and append the word "TZ"

7.3.5. - Change the default UMASK (default file/directory create)

   NOTE: Changing this behavior makes the permissions of all NEWLY created
   files only readable by certain users and groups. This can have a
   detrimental effect on programs that need to be used by multiple users.
   The default is "umask 002 else umask 022".

   NOTE2: If you see two "umask" lines, change them BOTH to 027

   - edit /etc/profile, find the umask line(s) and make them read
     "umask 027"

7.3.6. - Fix compressed FTP downloads (still broken in RH6.1)

   NOTE: The changes were:

   o "compress" is in /usr/bin and NOT /bin
   o I had previously patched TAR to understand .BZ2 compression but this is
     now already done in RH6.x and most other modern Linux distributions
     (the man pages don't reflect this. Obviously this is STILL a bug as of
     Mandrake 7.0.).
   o If you have an old distribution, compile up the new tar executable.
     Then put this new TAR binary in /usr/local/bin.
   o Create a link to the new tar file

     ln -s /usr/local/bin/tar /bin/tar

   o Now, to fix FTP so you can get compressed archives automatically from
     ftpd, edit the /etc/ftpconversions file and make it look like this:

   ___________________________________________________________________
    :.Z: : :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
    : : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
    :.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
    : : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
    : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
    : : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
    : : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
   ___________________________________________________________________

7.3.7. - Fix the permissions on the /etc/rc.d/init.d script files!!!

   Bad, Bad, Bad. Only "root" and admin groups should be able to do this
   type of administration.

   ______________________________________________________________________
   chmod -R 770 /etc/rc.d/init.d/*
   ______________________________________________________________________

================================================================================

8. Initial System security

   This covers CMOS setups, disable ports, TCP wrappers, shadow passwds,
   etc.

   First thing, I would recommend, in addition to following TrinityOS for
   your needed purposes, reading LDP's Security HOWTO for a more detailed
   explanation of what to do. Interestingly enough, I never read it until
   recently and a LOT of things I had independently recommended were already
   in the Security HOWTO too! So, it sounds like we are on track! I
   recommend you read it too! The URL is in ``Section 5''.

8.1. BIOS/CMOS Settings

   Upon system boot, enter into the CMOS setup

   o AMI BIOSes use the DEL key
   o Compaq BIOSes use the F10 key
   o Some Phoenix BIOSes use Control-Escape, Control-Alt-Ret, F2, or
     Control-Alt-Shift (mostly in vendor-customized versions such as Dell).
   o IBM Series 300 uses F2 in their SurePath Bios.

   - Once you are in the BIOS, search around and try to set the following:

8.1.1. + Enable the BIOS password

   - I recommend a combination of upper and lower case characters with
     numbers!

8.1.2. + DISABLE booting from the floppy drive

   By changing the BIOS boot order from A:,C: to C:,A:

   If you are extra paranoid, you can set the floppy drive to READ only
   or even disable the floppy drive all together if you wish.

8.2. Linux root Password

   - Now, boot back into Linux and make sure you have a password for the
     root login

   ______________________________________________________________________
   passwd root
   ______________________________________________________________________

   NOTE: You may not have noticed this but most Linux distributions only
   took the first -8- characters of your password.  After that, they
   simply ignored ALL remaining characters.  For example, these two
   passwords are the SAME to Linux:

        Pl3a5eGet0ut
        and
        Pl3a5eGe

   Because of this, you need a strong password and it can ONLY be
   8-characters long.  You REALLY should use a combination of UPPER and
   lower case characters, numbers, and special characters such as:

        [ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ]

   Fortunately enough, the newer Linux distributions have fixed this
   issue.  But regardless of whether this has been fixed on your
   distribution or not, it IS important that you choose a strong passwd.

8.3. Enable the "sticky" bit in /tmp

   This ensures that only the file's owner can delete a given file in
   /tmp (Fixed in RH6.x):

   ______________________________________________________________________
   chmod 1777 /tmp
   ______________________________________________________________________

8.4. - Disable the Control-Alt-Delete keyboard shutdown command

   - This is pretty important if you don't have the best physical
     security on the box:

   - To implement this, edit /etc/inittab and change the line:

   ______________________________________________________________________
   ca::ctrlaltdel:/sbin/shutdown -t3 -r now
   ______________________________________________________________________

   to

   ______________________________________________________________________
   #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
   ______________________________________________________________________

   - Now, for the system to understand the change, type in the following
     at a prompt

   ______________________________________________________________________
   /sbin/init q
   ______________________________________________________________________

8.5. - Disable the ability to run INIT in interactive mode

   Newer Redhat:

   o Edit the /etc/sysconfig/init script and change the line:

   ___________________________________________________________________
   prompt=yes
   ___________________________________________________________________

   to..

   ______________________________________________________________________
   prompt=no
   ______________________________________________________________________

8.6. - Compile / install vlock (available in most modern distributions).

   NOTE: Use this command if you are logged in as root and want to LOCK
   the ttys without having to log fully out and back in again.  Nice!

8.7. - Change what system daemons get loaded by editing the following
       files in "/etc/rc.d/"

   NOTE: Regardless of Linux distribution, you might want to SKIP some of
   the following steps if you plan to run:

   o Samba (smb)

   o Printing (lpd)

   o Mail (Sendmail),

   o NFS

   o etc.

8.7.1. Redhat:

   (though this is specific to Redhat, the following is a good read for
   ALL Linux users.)

   The way that Redhat boots is the SysV way.
   This is where the OS will execute ALL files for a given runlevel (see
   definition below) that start with an "S" (that's a CAPITAL "S") and
   have a number after that, in numerical order from lowest to highest.
   For example, it will run "S10network" before it runs "S30syslog".

   So what's a RUN-level?  A run-level is the mode in which the machine
   loads a given set of system programs.  Though this varies from Unix to
   Unix (Linux, Solaris, AIX, HP-UX, etc.), they are similar.  For Linux,
   these are the run-levels (from /etc/inittab).  Please note that some
   Linux distributions have slight variations:

   o 0: halt (stops the OS and sometimes shuts the power off)

   o 1: single user (doesn't bring up the network, no passwd for root.
        Needed for system problems, lost root passwds, etc)

   o 2: Redhat: Multiuser (Brings up the whole OS but doesn't mount
        remote file systems (NFS, CODA, etc)
        SuSe: Full Multiuser (Brings up the whole OS with any remote file
        systems)

   o 3: Redhat: Full Multiuser (Brings up the whole OS with any remote
        file systems)
        SuSe: Xwindows (Brings up the system immediately into X-windows)

   o 4: Unused

   o 5: X-windows (Brings up the system immediately into X-windows)

   o 6: Reboot (reboots the machine; usually into a COLD boot state
        [counts all the RAM, etc])

   Also, if you didn't already notice, all of the files in the various
   runlevel directories /etc/rc.d/rc0.d, rc1.d, rc2.d, rc3.d, rc4.d,
   rc5.d and rc6.d are actually just symbolic links to the real script
   files in /etc/rc.d/init.d!  This makes things more manageable.

   So, since Linux usually runs in multi-user / non-Xwindows mode, that
   means runlevel "3" will execute all files in the /etc/rc.d/rc3.d
   directory.  Then, the system will begin to run ALL files starting with
   "S" in order.

   When you shutdown or restart the machine, you change the machine into
   runlevel "0" or "1".  This will first execute all commands from the
   initial runlevel directory of "3" starting with "K".
   If the given process isn't already running, like my example for LPD,
   it will just skip it and move on.  Get it?

8.7.2. Slackware:

   The way that Slackware boots is the BSD way.  It will execute the
   /etc/rc.d/rc.inet1 (network interfaces) file first.  Then, it will run
   the /etc/rc.d/rc.inet2 (network services) file.  This is much more
   readable than the Redhat method but it's harder to maintain (IMHO).

8.7.3. Securing your machine by limiting what daemons load:

   BSD-Style:

   Edit the following files in /etc/rc.d/ and make these changes unless
   you need that service.

   - rc.M (disable email and WWW servers)

     - line 75: #'d out all lines for Sendmail
     - line 97: #'d out all lines for httpd

   - rc.inet2 (disable SERVER and NFS servers)

     - line 14: #'d out all lines for lpd
     - line 15: #'d out all lines for lpd
     - line 31: #'d out all lines for portmap
     - line 72: #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd

   There are at least (6) ways to turn on/off what daemons load.  This
   process manipulation can be done via:

   o "chkconfig" command line utility

   o "ntsysv" Ncurses GUI utility

   o "tksysv" Xwindows GUI utility

   o "control-panel" or "linuxconf" Xwindows GUIs.

   o "Manual editing"

   o "Deleting the package altogether"

   Note - Though I'm a command line bigot, I feel the "ntsysv" GUI is the
   fastest way to modify these options!

   NOTE #2 - It should be noted that some people really feel that if you
   are going to disable a package, you might as well REMOVE IT.  This is
   technically MORE secure (nothing to run an exploit against) and it
   doesn't take up any disk space either.  Personally, I usually side
   with functionality and would rather just disable the service vs.
   delete it all together.  Now, if you're sure that you'll NEVER use
   this service, I definitely recommend deleting the package.
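   The S*/K* walk that the Redhat rc scripts perform, and the check that a
   runlevel directory holds only the S* links you actually want, as an added
   Python illustration (this is not part of TrinityOS or its scripts).  The
   rc3.d listing and the wanted-service set are constructed for the example;
   audit_runlevel_dir is a hypothetical helper that runs the same checks on a
   real directory.

```python
"""Audit a SysV runlevel directory (e.g. /etc/rc.d/rc3.d) the way rc walks
it: K* links are processed first, then S* links, each group in ascending
numeric order (lowest number first)."""
import os
import re

# SNNname or KNNname: kind, two-digit order, service name.
LINK_RE = re.compile(r"^([SK])(\d{2})(.+)$")


def parse_link(name):
    """Return (kind, order, service) for an rcN.d link name, or None."""
    m = LINK_RE.match(name)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def boot_order(names):
    """Order in which rc would process the links: every K link in
    ascending order, then every S link in ascending order."""
    parsed = [p for p in (parse_link(n) for n in names) if p]
    kills = sorted((p for p in parsed if p[0] == "K"), key=lambda p: (p[1], p[2]))
    starts = sorted((p for p in parsed if p[0] == "S"), key=lambda p: (p[1], p[2]))
    return ([f"K{o:02d}{s}" for _, o, s in kills]
            + [f"S{o:02d}{s}" for _, o, s in starts])


def unexpected_starts(names, wanted):
    """S links for services that are not on the minimal list of daemons
    this host is meant to run: these are the ones to turn into K links
    (or remove) after a GUI tool has been at the directory."""
    found = []
    for n in names:
        p = parse_link(n)
        if p and p[0] == "S" and p[2] not in wanted:
            found.append(n)
    return sorted(found)


def disable_rename(name):
    """Name an S link gets when a service is disabled by hand
    (S20nfs -> K20nfs), matching the manual 'mv' method."""
    p = parse_link(name)
    if not p or p[0] != "S":
        raise ValueError(f"not an S link: {name}")
    return f"K{p[1]:02d}{p[2]}"


def audit_runlevel_dir(path, wanted):
    """Hypothetical helper: run both checks against a real rcN.d directory."""
    names = os.listdir(path)
    return boot_order(names), unexpected_starts(names, wanted)


# Constructed rc3.d listing, modelled on the examples in this section
# (not taken from a real host).  "README" is there to show that non-link
# files are ignored.
SAMPLE_RC3D = [
    "S10network", "S30syslog", "K20nfs", "S60lpd", "S80sendmail",
    "S85httpd", "S99local", "K65portmap", "S20rusersd", "README",
]
# Minimal set of services this example host is meant to start.
WANTED = {"network", "syslog", "sendmail", "local"}

if __name__ == "__main__":
    for link in boot_order(SAMPLE_RC3D):
        print(link)
    print("unexpected S links:", unexpected_starts(SAMPLE_RC3D, WANTED))
```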
   To DELETE a given package:

   o Redhat:    rpm -e package-name

   o Slackware: pkgdel package-name

   NOTE #3 - I've found that when you first run these GUI tools, they
   will default to running and disabling some processes they SHOULDN'T!
   So, be careful and make sure that the tool is starting/stopping the
   correct daemons.  Confirm this by going into the correct runlevel
   directory, say /etc/rc.d/rc3.d, and making sure only the minimal S*
   files are there.

   With "chkconfig":

   Please note that there might be some daemons that are missing and/or
   extra in your specific /etc/rc.d/init.d directory so make sure you
   enable/disable the appropriate ones for your needs.

   ______________________________________________________________________
   --
   #Disable automounters
   chkconfig --level 2345 amd off

   #Disable unless this is a laptop
   chkconfig --level 2345 apmd off

   #Disable unless you want to run batch programs within certain loads
   chkconfig --level 2345 atd off

   #Disable unless you want emails of EVERY ARP on your network segment
   chkconfig --level 2345 arpwatch off

   #Disable unless you want to boot diskless workstations
   chkconfig --level 2345 bootparamd off

   #Disable unless this machine will be a DHCP *SERVER*
   chkconfig --level 2345 dhcpd off

   #Disable unless this machine will be a full blown router
   chkconfig --level 2345 gated off

   #Disable unless this machine will be a WWW server
   chkconfig --level 2345 httpd off

   #Disable unless this machine uses a modularized kernel
   #  NOTE: Not needed for 2.2.x+ kernels
   chkconfig --level 2345 kerneld off

   #Disable unless you really want to configure remote machines via Linuxconf
   chkconfig --level 2345 linuxconf off

   #Disable unless this machine will be a print server
   #(for the local or remote machine)
   chkconfig --level 2345 lpd off

   #Disable unless you really need the proprietary MC server
   chkconfig --level 2345 mcserv off

   #Disable unless this machine will be a database server
   chkconfig --level 2345 mysql off

   #Disable unless this machine will be a caching or full blown DNS server
   chkconfig --level 2345 named off

   #Disable unless this machine will be a NFS server
   chkconfig --level 2345 nfs off

   #Disable unless this machine is a laptop or the PC has PCMCIA cards
   chkconfig --level 2345 pcmcia off

   #Disable unless this machine will be an NFS server or needs RPC tools
   chkconfig --level 2345 portmap off

   #Disable all R-cmds
   chkconfig --level 2345 rusersd off
   chkconfig --level 2345 rwalld off
   chkconfig --level 2345 rwhod off

   #Disable unless this machine is a email server
   chkconfig --level 345 sendmail off

   #Disable unless this machine is a Samba (MS File&Print) server
   chkconfig --level 345 smb off

   #Disable unless this machine is to support SNMP
   chkconfig --level 2345 snmpd off

   #Disable unless this machine is a local/remote HTTP proxy server
   chkconfig --level 2345 squid off

   #Disable unless this machine will be running X-windows
   chkconfig --level 2345 xfs off

   #Disable unless this machine will be an NTP server
   chkconfig --level 2345 xntpd off

   #Disable unless this machine will be part of a NIS/YP domain
   chkconfig --level 2345 ypbind off
   chkconfig --level 2345 yppasswdd off

   #Disable unless this machine will be a NIS/YP server
   chkconfig --level 2345 ypserv off
   ______________________________________________________________________

   Manually:

   NOTE: only do this to the processes you WON'T use.

   NOTE #2: If, for some reason, any of the K* or S* files don't exist and
   you want them to be there, use one of the GUI tools above.
   Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d

   ______________________________________________________________________
   - mv S08autofs K08autofs
   - mv S20nfs K20nfs            (unless this is for a full or caching NFS server)
   - mv S20rusersd K20rusersd
   - mv S20rwalld K20rwalld
   - mv S20rwhod K20rwhod
   - mv S30mcserv K30mcserv
   - mv S98kerneld K98kerneld
   - mv S35smb K35smb            (unless this is for a Samba F&P server)
   - mv S60lpd K60lpd            (unless this is for a print server)
   - mv S65portmap K65portmap    (unless this is for a NFS server)
   - mv S95nfsfs K95nfsfs        (unless this is for a NFS server)
   - mv S45pcmcia K45pcmcia      (unless this is for a laptop)
   - mv S65dhcpd K65dhcpd        (unless this is for a DHCP server)
   - mv S85httpd K85httpd        (unless this is for a WWW server)
   - mv S80sendmail K80sendmail  (unless this is for a mail server)
   ______________________________________________________________________

8.8. Shutting down most of inetd / xinetd

   Inetd and Xinetd are called the "super servers" as they load a network
   server based upon a request from the network.  I personally recommend
   that any service that you DON'T need shouldn't be able to load.  This
   both minimizes CPU and Memory load as well as greatly reduces your
   security risk.

   ______________________________________________________________________
   * The exceptions that I leave in and secure via a firewall and
   * TCPwrappers are:
   *
   * TELNET, FTP, SSH, sometimes TALK, POP-3, IMAP, and maybe FINGER.
   *
   ______________________________________________________________________

   Newer Linux distributions no longer use "inetd" but instead use a
   newer version called "xinetd".  This new version allows for much more
   granular configuration as well as superior logging, etc.  Overall, I
   really recommend Xinetd though it does take a little time to get used
   to.

   XINETD:
   -------

   Go into the /etc/xinetd.d directory and edit each of the files in that
   directory.
   In each one of the service files that should be disabled, make sure
   that a line reading "disable = yes" is present.  For example,
   /etc/xinetd.d/chargen:

   ______________________________________________________________________
   # default: off
   # description: A chargen server. This is the tcp \
   #       version.
   service chargen
   {
           type            = INTERNAL
           id              = chargen-stream
           socket_type     = stream
           protocol        = tcp
           user            = root
           wait            = no
           disable         = yes
   }
   ______________________________________________________________________

   I recommend disabling the following services and any other services
   enabled on your machine that you don't need (unless noted below).

   o chargen
   o chargen-udp
   o daytime
   o daytime-udp
   o echo
   o finger (you might want to enable this)
   o imap (you might want to enable this)
   o ident (don't enable this unless you use IRC)
   o ipop3 (you might want to enable this)
   o ntalk (you might want to enable this)
   o swat
   o talk (you might want to enable this)
   o time

   To make the change take effect, type in:

   o Redhat:    /etc/rc.d/init.d/xinetd restart

   o Slackware: kill -HUP `ps aux | grep xinetd | grep -v -e grep | awk '{print $2}'`

   INETD:
   ------

   I recommend editing the /etc/inetd.conf file and placing a "#" in
   front of the following lines to disable them (if not already done).

   o echo    - basic network functions that AREN'T needed
   o discard - "
   o chargen - "
   o daytime - For checking the date remotely (or)
   o time    - "
   o shell   - Remote Shell.  Flexible but VERY insecure.  A part of the
               R-command tools
   o login   - "
   o exec    - "
   o comsat  - Email box monitoring server (very old)
   o talk    - UNIX Talk (I usually allow this but secure it via the
               firewall/tcp-wrappers)
   o ntalk   - "
   o dtalk   - "
   o pop-2   - For checking email.  Use POP3 instead.
   o uucp    - For sending/receiving email the OLD way.
   o tftp      - For simple file transfers (unless you need this
                 functionality)
   o bootps    - For simple configuration transfer (very old; replaced by
                 DHCP)
   o cfingerd  - For probing information on a specific user or who is
                 logged in
   o systat    - For probing information about the system itself
   o netstat   - For probing information about the system's network
   o auth      - For the ident system to see what user is creating
                 specific network traffic
   o linuxconf - For remotely configuring the system via the Linuxconf GUI
   o swat      - For remotely configuring the Samba server via Swat

   As noted above for Xinetd, some items you might want to leave enabled.
   Some you might want to leave available until you install a secure
   alternative like SSH:

   o ftp     - For insecure file transfer
   o telnet  - For insecure remote logins
   o talk    - For accepting local/remote real-time talk sessions
   o ntalk   - "
   o dtalk   - "
   o pop-3   - For downloading email.
   o imap    - For checking email on the server.
   o finger  - For checking out info on system users (most people should
               disable this)
   o cfinger - "

   o NOTE: If you need to run finger, change the word "root" to "nobody".

   Once you make these changes, finish editing the file.  To make the
   change take effect, type in:

   o Redhat:    killall -HUP inetd

   o Slackware: kill -HUP `ps aux | grep inetd | grep -v -e grep | awk '{print $2}'`

8.9. TCP wrapper security

   More and more Linux distributions are shipping with secure defaults.
   But, never ASSUME that things are locked down.  CONFIRM IT!

   - Edit "/etc/hosts.deny" and insert the following at the end of the
     file:

   ______________________________________________________________________
   ALL: ALL
   ______________________________________________________________________

   It should also be noted that TCP wrappers supports extensive logging
   and remote banners.  Please see the end of this section for a detailed
   example.

   - Edit "/etc/hosts.allow" and insert lines at the end of the file for
     each IP and/or Domain that you want to allow access to the Linux
     box.
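   How tcpd combines the two files just edited (first match in hosts.allow
   grants, else first match in hosts.deny refuses, else access is granted),
   as an added Python model that is not part of TrinityOS.  It covers only
   the forms this section uses: ALL, exact IPv4 addresses, a network prefix
   written with a trailing ".", and the EXCEPT operator; the two sample files
   are constructed, and the spawn/twist/rfc931 options are parsed past but
   not acted on.

```python
"""Model of the lookup tcpd performs against /etc/hosts.allow and
/etc/hosts.deny (hosts_access(5)).  Added illustration; not tcpd's code."""


def _tokens(field):
    """Whitespace-split a daemon or client list.  tcpd only treats lines
    that start with '#' as comments, so an inline '#note' is merely a token
    that never matches; dropping it here gives the same result."""
    out = []
    for tok in field.split():
        if tok.startswith("#"):
            break
        out.append(tok)
    return out


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] in file order, honouring
    backslash line continuation and whole-line '#' comments."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        fields = buf.split(":")  # daemons : clients [: option : option ...]
        buf = ""
        if len(fields) < 2:
            continue  # malformed line: tcpd warns and ignores it
        rules.append((_tokens(fields[0]), _tokens(fields[1])))
    return rules


def client_match(pattern, addr):
    """ALL matches everything; a pattern ending in '.' is a network prefix
    ("200.211.1." covers 200.211.1.0-255 but not 200.211.10.x); anything
    else must equal the address exactly."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def daemon_match(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def list_match(tokens, item, match):
    """'a b EXCEPT c d' matches when item matches the left list and not
    the right one; EXCEPT nests to the right, as in tcpd's list_match()."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (list_match(tokens[:i], item, match)
                and not list_match(tokens[i + 1:], item, match))
    return any(match(t, item) for t in tokens)


def access_decision(allow_text, deny_text, daemon, client_ip):
    """Return (decision, source); source names the rule that decided."""
    for n, (daemons, clients) in enumerate(parse_rules(allow_text), 1):
        if list_match(daemons, daemon, daemon_match) and list_match(clients, client_ip, client_match):
            return "allow", f"hosts.allow:{n}"
    for n, (daemons, clients) in enumerate(parse_rules(deny_text), 1):
        if list_match(daemons, daemon, daemon_match) and list_match(clients, client_ip, client_match):
            return "deny", f"hosts.deny:{n}"
    return "allow", "default (no rule matched)"


# Constructed sample files, modelled on the examples in this section.
HOSTS_ALLOW = """\
ALL: 127.0.0.1          #Needed for some local services like comsat
in.ftpd: 192.168.0.2    #Allow only FTP traffic from coyote2
ALL: 200.211.1.         #Allow *ALL* traffic from the 200.211.1.x network
"""

HOSTS_DENY = """\
# Deny everything except finger; finger is refused by the next rule
ALL except in.fingerd: ALL \\
   : spawn (date >>/var/log/tcpwrappers.log)&
in.fingerd: ALL
"""

if __name__ == "__main__":
    for d, ip in [("in.ftpd", "192.168.0.2"), ("in.telnetd", "192.168.0.2"),
                  ("in.telnetd", "200.211.10.5"), ("in.fingerd", "10.0.0.9")]:
        print(d, ip, *access_decision(HOSTS_ALLOW, HOSTS_DENY, d, ip))
```

   Note how 200.211.10.5 is refused: the trailing-dot prefix "200.211.1."
   requires the dot to be the next character, so it does not cover the
   200.211.10.x network.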
   NOTE: Do NOT use DNS names for the hosts as DNS can be spoofed.  Use
   TCP/IP addresses instead.

        ALL: 127.0.0.1      #Needed for some local services like comsat
        ALL: 200.211.0.40   #Securehost
        ALL: w.x.y.z

   For example:

   ______________________________________________________________________
   ALL: 192.168.0.2    #Allow everything from coyote2
   ALL: 200.211.0.40   #Allow all traffic from Explicit Allowed #1
   ALL: 200.211.1.     #Allow *ALL* traffic from all hosts on the 200.211.1.x
                       #network.  Yes, the option should END with a single "."
   ______________________________________________________________________

   Or if you want to be more granular, you can do the following.  All TCP
   wrapper supported daemons that you can put in here are noted in the
   /etc/inetd.conf file.

   ______________________________________________________________________
   in.ftpd: 192.168.0.2     #Allow only FTP traffic from coyote2
   in.pop3d: 200.211.0.40   #Allow only pop-3 traffic from Explicit Allowed #1
   ______________________________________________________________________

   TCP Wrapper logging and banner support

   As mentioned above, TCP wrappers support advanced features like
   logging and sending text banners to the remote machine.  To do this,
   you want to change the /etc/hosts.deny file to look something like the
   following:

   ______________________________________________________________________
   # The following example will DENY all traffic except finger.
   # For finger, it will allow the request but log it, send a banner and THEN
   # deny it
   #
   # First, set up a booby trap and bounce message for all except finger
   # and log attempt to /var/log/tcpwrappers.log

   ALL except in.fingerd: ALL \
      :spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root;\
              date >>/var/log/tcpwrappers.log;\
              echo '%u@%h (%d) connection attempted.' >>/root/access.log)& \
      :rfc931 45\
      :twist /bin/echo \
         $'\nAccess to this system is limited to authorized users. \
         \n%u@%h is not a valid ID to access %d \
         \non this system. This attempt has been logged.
         \n'

   # Now log and bounce message for finger
   #
   in.fingerd: ALL\
      :spawn (date >>/var/log/tcpwrappers.log; \
              echo '%u@%h (%d) connection attempted.' >>/var/log/tcpwrappers.log)& \
      :rfc931 45\
      :twist /bin/echo \
         $'\nAccess to this system is limited to authorized users. \
         \n%u@%h is not a valid ID to access %d \
         \non this system. This \
         attempt has been logged.\
         \n'
   ______________________________________________________________________

8.10. FTP Anonymous users

   Disable anonymous FTP to your box by editing /etc/ftpaccess and
   changing the common first line that looks like:

   ______________________________________________________________________
   class all real,guest,anonymous *
   ______________________________________________________________________

   ...to this (notice the words "guest" and "anonymous" are gone):

   ______________________________________________________________________
   class all real *
   ______________________________________________________________________

8.11. Shadow Passwords

   In most early Linux distributions, all users' passwords were stored in
   the /etc/passwd file.  These passwords were then encrypted by the
   "crypt" tool.  The problem with this setup was that anyone could get
   these encrypted passwords and crypt's encryption was very poor.  These
   passwords could then be broken with publicly available tools.

   In recent times, the shadow system was implemented where the passwords
   are hashed with the MD5 algorithm and the resulting MD5 hashed
   passwords are placed in /etc/shadow.

   To quickly see if your machine is "shadow" enabled, look at the
   "/etc/passwd" file.  In this file, you will see the username, password,
   UserID (UID), GroupID (GID), Home Directory, and the user's default
   shell all separated by colons (:).  Anyway, if you see "x"s in the
   second left-hand field, the password field, then you are done!  If you
   DON'T see "x"s in that field.. you need to follow these directions or
   better yet.. get a newer distribution!

8.11.1. Slackware 3.x

   Slackware v3.2 did not come with Shadow passwords enabled but v3.4+
   does.  For several reasons, I recommend that you just upgrade to
   Slackware v3.4 if you are running an older Slackware distribution.
   The upgrade will fix numerous security issues and has many other
   features as well.

8.11.2. Redhat

   Redhat5, out of the box, does NOT do shadow passwords (stupid) but it
   is fixed in RH 6.1 and onward.

   Confirm that your system is using SHADOW passwords by looking at the
   /etc/passwd file and make sure that the second left-hand field next to
   the username is a ":x:".  If so, make sure everything in this section
   is setup the same on your box.  If it isn't, do the following:

   - login as root

   - type in "pwconv"

     - This will convert the /etc/passwd file and move the encrypted
       passwords over to /etc/shadow and change the encryption algorithm
       from the weak "crypt" system to "md5"

     - More info is available in "/usr/doc/pam-0.64/txts/pam.txt"

     - NOTE: Using passwords more than 8 characters will NOT work.  Use
       larger passwords and prepare NOT to be able to login again!

   - Edit the /etc/pam.d/passwd file and change the bottom lines

     NOTE: There are (2) methods shown below.  Crypt is the OLD UNIX
     method and is considered weak.  The newer method uses MD5 hashing.
     I recommend the MD5 method.
   So, edit the file and change it to the following:

   For MD5 hashing (more secure and recommended):

   ______________________________________________________________________
   --
   auth       required     /lib/security/pam_pwdb.so shadow nullok
   account    required     /lib/security/pam_pwdb.so
   password   required     /lib/security/pam_cracklib.so retry=3
   password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok md5
   --
   ______________________________________________________________________

   For normal CRYPT hashing:

   ______________________________________________________________________
   --
   auth       required     /lib/security/pam_pwdb.so shadow nullok
   account    required     /lib/security/pam_pwdb.so
   password   required     /lib/security/pam_cracklib.so retry=3
   password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
   --
   ______________________________________________________________________

8.12. Disable ROOT TELNET/SSH access

   By default, most Linux distributions don't allow direct "root" logins
   via TELNET or SSH.  This is considered good security.

   - If you DO need to login via telnet as root then edit or create the
     /etc/securetty file and ADD the following:

   ______________________________________________________________________
   ttyp0
   ttyp1
   ttyp2
   ______________________________________________________________________

   Please note that newer Linux distributions now use the DevFS system.
   If your system uses DevFS, you should add the following in addition to
   the "ttyp0, ttyp1, etc." lines.  If you are using DevFS full time, you
   can delete the ttyp0, etc. lines.

   ______________________________________________________________________
   vc/1
   vc/2
   ______________________________________________________________________

   **** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! ****

8.13. Disable ROOT FTP access

   It seems that some Linux distributions do not come with the
   /etc/ftpusers file.  Any username listed in this file is NOT allowed
   to FTP in.
   Usually, it is considered POOR security to be able to FTP in as ROOT.
   By putting the word "root" into this file, this disables FTP logins
   from "root".

   - If you ever need to FTP into the linux box as ROOT (you shouldn't be
     able to by default), edit the "/etc/ftpusers" file and put a "#" in
     front of "root".

   NOTE: If the /etc/ftpusers file DOESN'T already exist, just create it.
   Once you are done, LEAVE it there with at least the line "root"
   without a "#" in front of it.

   *********************************************************
   **** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE ****
   ****       SINCE THIS IS A BIG SECURITY ISSUE        ****
   *********************************************************

8.14. Disable miscellaneous cron stuff

   * When users install Redhat, they usually install more programs than
     they plan to initially use.  Though Redhat allows users to later
     choose what daemons are and are NOT run upon boot, this does NOT
     disable some things that are loaded into the cron file.

   As mentioned before in this section, unless you plan on using the
   functionality of a specific product, DON'T disable a given cron entry.
   Just delete the package all together as described above.

8.14.1. Redhat users:

   **NOTE**: DON'T disable: logrotate, tmpwatch, updatedb.cron,
   makewhatis.cron

   - Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and
     /etc/cron.monthly directories and make sure that nothing is
     installed that you don't want.
   For example, I had to do the following for RH 5.2:

   ______________________________________________________________________
   mkdir -m 700 /etc/cron.disabled
   mkdir -m 700 /etc/cron.disabled/cron.hourly
   mkdir -m 700 /etc/cron.disabled/cron.daily
   mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly
   mv /etc/cron.daily/inn-cron-expire /etc/cron.disabled/cron.daily
   mv /etc/cron.daily/inn-cron-rnews /etc/cron.disabled/cron.daily
   mv /etc/cron.daily/tetex.cron /etc/cron.disabled/cron.daily
   ______________________________________________________________________

8.14.2. Slackware Users:

   **NOTE**: DON'T disable: updatedb.cron

   - Realistically, you won't have the same issues as Redhat users
     because Slackware doesn't have as many bells and whistles as RH
     does.  BUT, check to make sure.  All of Slackware's cron
     configuration is stored here.

   ______________________________________________________________________
   less /var/spool/cron/crontabs/root
   ______________________________________________________________________

8.15. File Permission corrections

   A lot of the default file permissions on Linux distributions just give
   away too much information to the end user or hacker.  Some people
   might think that some of these are paranoid but I'd rather be safe
   than sorry:

   NOTE: Most of these permissions reflect Redhat 5.2 but most will apply
   to any Linux distribution.

   NOTE2: If you receive any ERRORs when applying these changes, don't
   worry.  That just means you don't have that package installed.

   It is highly recommended that you apply these permissions via the
   TrinityOS-security script to avoid typing mistakes and save time.
   ______________________________________________________________________
   # Files in /dev
   chmod 660 /dev/lp*

   # Files in /bin
   echo "Bru is a commercial backup program but some Linux distributions come with it"
   chmod 750 /bin/bru
   chmod 750 /bin/linuxconf
   chmod 750 /bin/mount
   chmod 750 /bin/mt
   chmod 750 /bin/rpm
   chmod 750 /bin/setserial
   chmod 4750 /bin/su
   chgrp adm /bin/su
   chmod 750 /bin/umount

   # Files in /sbin
   chmod 750 /sbin/accton
   chmod 750 /sbin/badblocks
   chmod 750 /sbin/ctrlaltdel
   chmod 750 /sbin/chkconfig
   chmod 750 /sbin/chkraid
   chmod 750 /sbin/debugfs
   chmod 750 /sbin/depmod
   chmod 750 /sbin/dhcpcd
   chmod 750 /sbin/dump*
   chmod 750 /sbin/fdisk
   chmod 750 /sbin/fsck*
   chmod 750 /sbin/ftl*
   chmod 750 /sbin/getty
   chmod 750 /sbin/halt
   chmod 750 /sbin/hdparm
   chmod 750 /sbin/hwclock
   chmod 750 /sbin/ide_info
   chmod 750 /sbin/if*
   chmod 750 /sbin/init
   chmod 750 /sbin/insmod
   echo "IPFWADM is only installed for v2.0 kernels"
   chmod 750 /sbin/ipfwadm
   chmod 750 /sbin/ipx*
   chmod 750 /sbin/isapnp
   chmod 750 /sbin/kerneld
   chmod 750 /sbin/killall*
   echo "This is the new location for klogd. Please disregard any errors if this doesn't work."
   chmod 750 /sbin/klogd
   chmod 750 /sbin/lilo
   chmod 750 /sbin/mgetty
   chmod 750 /sbin/mingetty
   chmod 750 /sbin/mk*
   chmod 750 /sbin/mod*
   chmod 750 /sbin/netreport
   chmod 750 /sbin/pam*
   chmod 750 /sbin/pcinitrd
   chmod 750 /sbin/pnpdump
   chmod 750 /sbin/portmap
   chmod 750 /sbin/quotaon
   chmod 750 /sbin/raidadd
   chmod 750 /sbin/restore
   chmod 750 /sbin/runlevel
   chmod 750 /sbin/stinit
   echo "This is the old location for klogd. Please disregard any errors if this doesn't work."
   chmod 750 /sbin/syslogd
   chmod 750 /sbin/swapon
   chmod 750 /sbin/tune2fs
   chmod 750 /sbin/uugetty
   chmod 750 /sbin/vgetty

   echo "Files in /usr/bin"
   chmod 750 /usr/bin/control-panel
   chmod 750 /usr/bin/comanche
   chmod 750 /usr/bin/eject
   chmod 750 /usr/bin/glint
   chmod 750 /usr/bin/gnome*
   chmod 750 /usr/bin/gpasswd
   chmod 750 /usr/bin/ipx*
   chmod 750 /usr/bin/kernelcfg
   chmod 755 /usr/bin/lp*
   chmod 4755 /usr/bin/lpr
   #NOTE: I feel setting "lpr" to allow any group to execute it is
   #      a bad thing.
   #
   #      I would like to add UNIX users and even the Samba process to
   #      the "lp" group already defined in /etc/groups and then be able
   #      to put things back to 4750.  BUT, I just talked to a buddy
   #      of mine and this really isn't possible.  Linux doesn't support
   #      multiple groups per file and Linux doesn't support access lists
   #      (ACLs) yet.  So, you either have to do all this or run LPRng.
   #
   #      Stock permissions are:
   #      -r-sr-sr-x   1 root     lp          15436 Oct 17 06:49 lpq
   #      -r-sr-sr-x   1 root     lp          16176 Oct 17 06:49 lpr
   #      -r-sr-sr-x   1 root     lp          16132 Oct 17 06:49 lprm
   chmod 750 /usr/bin/mformat
   chmod 750 /usr/bin/minicom
   chmod 750 /usr/bin/mtools
   chmod 750 /usr/bin/netcfg
   chmod 750 /usr/bin/rusers
   chmod 750 /usr/bin/rwall
   chmod 750 /usr/bin/uucp

   echo "Files in /usr/sbin"
   chmod 750 /usr/sbin/am*
   chmod 750 /usr/sbin/at*
   chmod 750 /usr/sbin/automount
   chmod 750 /usr/sbin/bootp*
   chmod 750 /usr/sbin/crond
   chmod 750 /usr/sbin/dhc*
   chmod 750 /usr/sbin/dip
   chmod 750 /usr/sbin/dump*
   chmod 750 /usr/sbin/edquota
   chmod 750 /usr/sbin/exportfs
   chmod 750 /usr/sbin/fixmount
   chmod 750 /usr/sbin/ftpshut
   chmod 750 /usr/sbin/gated
   chmod 750 /usr/sbin/group*
   chmod 750 /usr/sbin/grp*
   chmod 750 /usr/sbin/imapd
   chmod 750 /usr/sbin/in.*
   chmod 750 /usr/sbin/inetd
   chmod 750 /usr/sbin/ipop*
   echo "This is the old location for klogd. Please disregard any errors if this doesn't work."
   chmod 750 /usr/sbin/klogd
   chmod 750 /usr/sbin/logrotate
   chmod 750 /usr/sbin/lp*
   chmod 755 /usr/sbin/lsof
   chmod 750 /usr/sbin/makemap
   chmod 750 /usr/sbin/mk-amd-map
   chmod 750 /usr/sbin/mouseconfig
   chmod 750 /usr/sbin/named*
   chmod 750 /usr/sbin/nmbd
   chmod 750 /usr/sbin/newusers
   chmod 750 /usr/sbin/ntp*
   chmod 750 /usr/sbin/ntsysv
   chmod 750 /usr/sbin/pppd
   chmod 750 /usr/sbin/pnpprobe
   chmod 750 /usr/sbin/pw*
   chmod 750 /usr/sbin/quota*
   chmod 750 /usr/sbin/rdev
   chmod 750 /usr/sbin/rdist
   chmod 750 /usr/sbin/repquota
   chmod 750 /usr/sbin/rhbackup
   chmod 750 /usr/sbin/rotatelogs
   chmod 750 /usr/sbin/rpc*
   chmod 750 /usr/sbin/rwhod
   chmod 750 /usr/sbin/samba
   chmod 750 /usr/sbin/setup
   chmod 750 /usr/sbin/showmount
   chmod 750 /usr/sbin/smb*
   chmod 750 /usr/sbin/sndconfig
   chmod 750 /usr/sbin/snmp*
   chmod 750 /usr/sbin/squid
   echo "This is the old location for sysklogd. Please disregard any errors if this doesn't work."
   chmod 750 /usr/sbin/syslogd
   chmod 750 /usr/sbin/taper
   chmod 750 /usr/sbin/tcpd*
   chmod 750 /usr/sbin/time*
   chmod 750 /usr/sbin/tmpwatch
   chmod 750 /usr/sbin/tunelp
   chmod 750 /usr/sbin/user*
   chmod 750 /usr/sbin/uu*
   chmod 750 /usr/sbin/vi*
   chmod 750 /usr/sbin/wire-test
   chmod 750 /usr/sbin/xntp*
   ______________________________________________________________________

8.16. SUID ROOT PROGRAMS

   - Check that there aren't any SUID ROOT programs (programs that
     execute as the ROOT user) that are WRITABLE by other users.  To do
     this, execute the following command (per ):

   ______________________________________________________________________
   mkdir -m700 /etc/info
   find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results
   ______________________________________________________________________

   So what do you do with these results?  Figure out the SUID programs
   that you need and note which ones they are and where they are.  The
   issue is to just make sure that no unknown programs get added to this
   list.

   What about just changing their permissions to NOT be SUID root?
This would be bad because most programs that are usually SUID ROOT *must* be this way or they won't work right. But, for example, GnuPlot on a recent copy of SuSE was found SUID though it shouldn't have been. Later, a person on BugTraq found this and created both a root exploit and a patch for it. So, this is where you can be proactive and fix things.

For the other SUID programs that you don't need or don't know what they are, change their permissions to 700 (chmod 700 *) or, even better, change their permissions to 700 and move them to a temporary directory, to be deleted later once you are SURE you don't need the programs.

*** Once you have resolved all your SUID issues, rename this
*** /etc/info/suid-results file to /etc/info/suid-results-checked and then
*** fix the permissions:

______________________________________________________________________
mv /etc/info/suid-results /etc/info/suid-results-checked
chmod 600 /etc/info/suid-results-checked
______________________________________________________________________

We will use this file later as a template file to check for changed SUID files in ``Section 9''.

8.17. Looking for R-command files

Much like looking for SUID files above, it is also a good idea to look for R-command permission files.

______________________________________________________________________
find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results
______________________________________________________________________

Once you have reviewed this /etc/info/rcmd-results file for any entries that DON'T belong in there, rename it and fix its permissions:

______________________________________________________________________
mv /etc/info/rcmd-results /etc/info/rcmd-results-checked
chmod 600 /etc/info/rcmd-results-checked
______________________________________________________________________

8.18.
Fix Xwindows permissions

* This was exploited recently in XFree86, but I still feel that the sticky bit on the /tmp/.X11-unix directory should be set.

______________________________________________________________________
rm -rf /tmp/.X11-unix
mkdir -p -m 1777 /tmp/.X11-unix
chmod o+t /tmp/.X11-unix
______________________________________________________________________

9. Advanced System Logging and some Cool Tips

9.1. SYSLOG tuning

- SYSLOG is the main UNIX logging tool. With this system, you can set up logging anywhere from very high level to extremely detailed and have each logging stream go to a different file. Trust me, SYSLOG is your friend!

Edit /etc/syslog.conf and -ADD- the following lines if they aren't already in there:

*******
* NOTE!!! All whitespace between the left and right columns MUST BE TABS.
*         If they are SPACEs, syslog will NOT load! Kinda stupid eh?
*

Redhat users:

______________________________________________________________________
*.warn;*.err			/var/log/syslog
auth.*;user.*;daemon.none	/var/log/loginlog
kern.*				/var/log/kernel
______________________________________________________________________

Slackware users:

______________________________________________________________________
*.warn;*.err			/var/adm/syslog
mail.*				/var/adm/maillog
auth.*;user.*;daemon.none	/var/adm/loginlog
kern.*				/var/adm/kernel
______________________________________________________________________

All Distributions:

Once you have edited the /etc/syslog.conf file, save your changes and exit the editor.
Now, the following files must be created for SYSLOG to work:

______________________________________________________________________
touch /var/log/syslog
touch /var/log/loginlog
touch /var/log/kernel
______________________________________________________________________

Next, you might see in your /var/log/messages and /var/log/syslog files lines that look like:

______________________________________________________________________
--
Nov 28 08:25:42 hostname -- MARK --
--
______________________________________________________________________

This is the SYSLOG daemon telling you that SYSLOG is running but had nothing to report. If you don't like this behavior, you can disable it by editing the following file and changing the MARK timeout. In /etc/rc.d/init.d/syslog, find the line that says:

______________________________________________________________________
--
daemon syslogd
--
______________________________________________________________________

and replace it with:

______________________________________________________________________
--
daemon syslogd -m 0
--
______________________________________________________________________

To make ALL of the above changes go into effect, run:

  o Redhat:     killall -HUP syslogd

  o Slackware:  kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print $2}'`

Next, close down the permissions of these new files (and of the existing log files):

9.1.1. Redhat:

______________________________________________________________________
chmod 600 /var/log/syslog
chmod 600 /var/log/loginlog
chmod 600 /var/log/kernel

echo "Make sure old SYSLOG file perms are ok too."
chmod 600 /etc/syslog.conf
chmod 600 /var/log/cron
chmod 700 /var/log/httpd
chmod 600 /var/log/httpd/*
chmod 600 /var/log/maillog
chmod 600 /var/log/messages
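A check for the Section 9.1 steps above (every rule separated by a TAB rather than spaces, every target log file already created and locked down to mode 600), written here as an added example; it is not from TrinityOS. It assumes GNU stat and takes the config path and an optional root prefix as parameters instead of hard-coding /etc/syslog.conf.

```shell
#!/bin/sh
# Added example, not part of TrinityOS: check a syslog.conf against the
# rules Section 9.1 gives: selector<TAB>action on every rule, each file
# action already created (touch) and mode 600 (chmod). Needs GNU stat.
TAB=$(printf '\t')
FACILITIES='auth authpriv cron daemon kern lpr mail news syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 *'
PRIORITIES='debug info notice warning warn err error crit alert emerg panic none *'

in_list() {  # $1 = word, $2 = space-separated list
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Validate a selector such as "auth.*;user.*;daemon.none" (0 = ok).
selector_ok() {
    set -f; old_ifs=$IFS; IFS=';'; ok=0      # set -f: no globbing of "*"
    for part in $1; do
        fac=${part%%.*}; pri=${part#*.}; pri=${pri#!}; pri=${pri#=}
        [ "$part" != "$fac" ] && in_list "$pri" "$PRIORITIES" || ok=1
        IFS=','; for f in $fac; do in_list "$f" "$FACILITIES" || ok=1; done; IFS=';'
    done
    IFS=$old_ifs; set +f; return $ok
}

# Report every problem in $1 (a syslog.conf); $2 is a prefix put in front of
# file actions ("" on a live system, a scratch dir when testing).
# Returns 0 when the file is clean, 1 when anything was reported.
syslogconf_check() {
    conf=$1; root=${2:-}; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *"$TAB"*) sel=${line%%"$TAB"*}; act=${line##*"$TAB"} ;;
            *) echo "$conf:$n: selector and action must be separated by a TAB, not spaces"; rc=1; continue ;;
        esac
        selector_ok "$sel" || { echo "$conf:$n: bad selector '$sel'"; rc=1; }
        act=${act#-}   # a leading '-' only turns off syncing after each write
        case $act in
            /*) f=$root$act
                if [ ! -f "$f" ]; then
                    echo "$conf:$n: $act does not exist; touch it first"; rc=1
                elif [ "$(stat -c %a "$f")" != 600 ]; then
                    echo "$conf:$n: $act is mode $(stat -c %a "$f"), want 600"; rc=1
                fi ;;
        esac
    done < "$conf"
    return $rc
}
```

Run it as `syslogconf_check /etc/syslog.conf` after the edits above and before sending syslogd its HUP; a clean run prints nothing and exits 0.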