New additions added on: 07/09/03

TrinityOS(c)
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos

Written and Maintained by: David A. Ranch  dranch@trinnet.net

These are all of the OLD updates to the TrinityOS doc found at:
http://www.ecst.csuchico.edu/~dranch/LINUX/index.htnl#trinityos

-------------------------------------------------------------------------------

=== Added 07/09/03 ==========================================================

N   01/12/03 - Added the another-domain.com example to the Search/Replace   * Sent Update *
               system to show the setup of multiple domains on your DNS
               server.
               [Section 7 - Search/Replace]

I            - Added a subsection about what happens when a MASTER DNS server
               either is GOING to be unavailable for more than a week OR IS
               ALREADY down and will be out for over a week. This is VERY
               IMPORTANT to read if you don't already understand the issue.
G            - Updated the internal DNS server's named.conf file to filter
               "lame server" log messages. I also added a little paragraph
               explaining what a lame server really is.
N            - Added the use of the another-domain.com example to make
               setting up multiple master domains more clear.
G            - Made the recommendation that when picking a domain registrar,
               make sure they offer the ability to make updates via an SSLed
               WWW page and not via some old-school email method.
N            - Generalized the BIND version numbers throughout the section.
G            - Went through the entire chapter and cleaned up the text, and
               removed old NSI pricing of $70/2yrs per domain.
               [Section 24 - DNS]

G            - Added a little subsection talking about DNS MX records. I
               can't believe I didn't explicitly mention this before. Yes, it
               was implicitly mentioned in the DNS section. Without MX
               records, an email server just won't work.
               [Section 25 - SMTP]

G            - Synced the serial ports to all be 9600 baud
             - Added a missing sub-section to have the LOGIN process respond
               to the serial port
               [Section 55 - Console ports]
------------------
G   01/06/03 - Updated the SMTP aliases section to reflect that it will be
               rolled into Section 25.
             - Also updated some of the verbiage in this section
               [Section 18 - SMTP Aliases]
G            - Significantly updated the Sendmail section to reflect multiple
               forms of a backup SMTP server. Also expanded on the section to
               be more clear, address some specific gotchas, why I still use
               Sendmail vs. other MTAs, etc.
               [Section 25 - Sendmail]
------------------
G   12/18/02 - Updated the UPS section to reflect some issues with APC's
               Powerchute software for Linux. I also added to the CONs
               section of the Powerchute software. Please note that this
               does NOT reflect APC's new Powerchute Business Edition
               software.
               [Section 36 - UPS]
------------------
N   12/15/02 - Updated Samba to 2.2.7a
               [Section 5 - URLs]
G            - Added the --with-smbwrapper compile option
               [Section 33 - Samba]
------------------
G   12/13/02 - Published to WWW site - sorry for the delay                  * Sent Update *
------------------
G   11/28/02 - Updated to reflect that Sendmail 8.12.6 and 8.11.6 have an
               smrsh security bug but it doesn't affect the TrinityOS
               configuration.
*C*          - Updated to reflect that Samba is at 2.2.7
*C*          - Updated the DHCPcd version to reflect v1.3.22-p12
*C*          - Updated the kernel versions to 2.4.20 and 2.2.22. The 2.4.20
               and 2.2.22 kernel versions fix a locally generated DoS attack
               that can crash the kernel.
               [Section 5 - URLs]
*C*          - Updated the section to verify the md5sum hash of the libpcap
               and tcpdump sources as the tcpdump.org site was broken into
               and trojaned code installed.
               [Section 21 - tcpdump]
N            - Updated the copying of the Bind man files to reflect issues
               with not having OpenJade, etc.
               [Section 24 - DNS]
G            - Updated to reflect that Sendmail 8.12.6 and 8.11.6 have an
               smrsh security bug but it doesn't affect the TrinityOS
               configuration. This section also mentions a good
G            - Updated the RPM and source installation section to verify the
               sendmail.org PGP signatures.
I            - Added an 8.12.6 / 8.11.6 smrsh bug workaround for TrinityOS
               configurations without the need to patch and recompile.
               [Section 25 - Sendmail]
*C*          - Updated the Samba section to reflect 2.2.7. This version fixes
               a known security problem with the "m" macro.
M            - Removed the --with-vfs option as it's now built in.
N            - Added additional comments and information to the Samba section
G            - Added PGP source code verification commands. This is becoming
               a critical issue as various OpenSource packages have been
               trojaned over the years.
               [Section 33 - Samba]
*C*          - All versions of DHCPcd prior to 1.3.22-p12 are vulnerable to
               rogue DHCP servers being able to execute any commands on the
               DHCP client.
               [Section 34 - DHCPcd]
------------------
N   11/25/02 - Updated the current Bind8 version to 8.3.4
               [Section 5 - URLs]
N            - Updated the DNS section to reflect Bind 9.2.1 and 8.3.4
*C*          - Added the missing "mknod" command to create the /dev/random
               and /dev/zero devices required in the Bind CHROOT jails. This
               wasn't required for Bind 9.1.x
*C*          - Changed the default of the EXTERNAL zone to not do recursion.
               This makes the DNS server only reply for domains YOU run. All
               remote DNS lookups (recursion) are done by the INTERNAL
               server.
G            - Updated the /etc/rc.d/init.d/named script to make sure people
               edit the script to activate the correct Bind version
N            - Updated the example startup logs to show a Bind 9.2.x startup
G            - Added a quick Bind error troubleshooting section
               [Section 24 - DNS]
------------------
N   11/14/02 - Updated the current Bind version to 8.3.3-Patch1
               [Section 5 - URLs]
*C*          - Updated the Bind section to note that the minimum secure 8.3.x
               version of Bind is 8.3.3-REL-patch1
               [Section 24 - DNS]
------------------
G   10/20/02 - Released to WWW site                                         * Sent Update *
------------------
N   09/15/02 - Swapped sections 53 and 54
               [Section 53 - Linux DESKTOP : Section 53 - Patching]
N            - Removed a bunch of old exploit patching logs (cruft),
               Aug.97 - Jan.00
               [Section 53 - Patching]
G            * Added a new section "Section 55 - Serial Linux Consoles and
               Reverse TELNET". This section shows how to send LILO, kernel,
               and bootup logs over a serial port. In addition, it also
               covers how to set up a Reverse TELNET terminal service on
               Linux with the use of a multi-port serial card.
               [Section 55 - Linux Serial Console]
N            - Changed all of my email addresses to use words like "at" and
               "dot" to see if I can throttle back my SPAM problem.
               [Multiple Sections]
------------------
N   08/16/02 - Fixed an incorrect MX record from trinnet.net to acme123.com.
               Thanks to Robbie Read for catching this.
               [Section 24 - DNS]
------------------
N   07/31/02 - Updated the versions of SSH
               [Section 5 - URLs]
G            - Updated the SSH section to use additional configure
               statements.
               [Section 30 - SSH]
------------------
G   07/20/02 - Fixed some incorrectly referenced drive assignments:
               /dev/sdc1 to /dev/sda1
             - Added some comments into the /etc/raidtab file
               [Section 31 - RAID]
------------------
N   07/04/02 - Updated Bind to 8.3.3
               [Section 3 - URLs]
N            - Updated the DNS section to read better
G            - Updated the "check Bind version" section to use dig in
               addition to the deprecated nslookup command
N            - Added a Bind version check for chrooted named binaries
I            - Updated the minimum secure version to 8.2.5
               [Section 24 - DNS]
------------------
G   05/28/02 - Fixed some permission issues for the startppp and stopppp
               scripts. Thanks to Aaron Powell for the errata
               [Section 22]
------------------
G   05/12/02 - Updated the Anti-spam note in the Sendmail section. Overall,
               I'm coming to the impression that the anti-spam blackhole
               lists don't work very well and cause more problems than the
               spam they filter. Stay tuned.
               [Section 25 - Sendmail]
------------------
G   05/11/02 - Updated the version for DHCPd
               [Section 5 - URLs]
*C*          - Added a note that ISC DHCPd server versions less than 3.0p1
               are vulnerable to a dynamic DNS root exploit.
               [Section 27 - DHCPd]
------------------
N   05/05/02 - Consolidated the two PPTP URL sections
               [Section 5 - URLs]
N            - Tuned the generate-cf script a little more
               [Section 25 - Sendmail]
------------------
N   05/04/02 - Updated the Features section to better reflect what TrinityOS * Sent Update *
               supports now and in the future
               [Section 3 - Features]
G            - Updated the trinityos.mc file since orbz is dead but added
               spamcop, dsbl, and osirusoft.
I            - Added multiple warnings in this section to note that there are
               downsides to Anti-SPAM black lists
G            - Updated the .mc-->.cf bit for better error handling and also
               made it a script called "generate-cf"
               [Section 25 - Sendmail]
------------------
N   05/01/02 - Updated the Features section to ADD PPTP support and moved UPS
               power quality graphing from Future to Supported.
               [Section 3 - Features]
N            - Updated to reflect the 2.2.20 and 2.4.18 kernels
               [Section 5 - URLs]
N            - Added additional Search/Replace items for the new PPTP
               examples
               [Section 7 - Search/Replace]
G            - Inserted a new section - Setting up a PPTP client on Linux and
               supporting PPTP pass-through on a MASQ server. Thanks to Luis
               Palacios for the initial basic form of this HOWTO and
               permission to integrate it into TrinityOS
               [Section 48 - PPTP]
N            - Added OpenOffice, replaced Everybuddy with GAIM for a good
               universal IM client, and added Mozilla as a great WWW browser
               and good email client
               [Section 54 - Linux desktop]
N            - Moved the ChangeLOG section from 55 to 100
               [Section 100 - ChangeLOG]
------------------
N   04/28/02 - Updated various LDP URLs to reflect the new tldp.org domain.
               Thanks to Dean Lewis for the heads up
               [Section 5]
------------------
G   02/07/02 - Updated the Bind URL as there is a critical bug in 8.3.0 that
               8.3.1 fixes.
               [Section 5]
------------------
N   01/31/02 - Updated the URLs for PPPd and Diald
               [Section 5]
------------------
I   01/29/02 - Fixed an error in the /etc/rc.d/init.d/sshd script where it
               was starting SSHD and not SSHD2
G            - Added parallel compiling for better compile times
               [Section 30]
------------------
N   01/26/02 - Updated the URL for the APC Powerchute software
               [Section 5]
------------------
N   01/21/02 - Updated the apcupsd-generate-ups-graph.sh and
               powerchute-generate-ups-graph.sh scripts to v1.2 to support
               additional debugging and also changed the defaults to do more
               temp file cleanup.
               [Section 36]
N            - Moved all ChangeLOG entries older than 11/13/01 to the
               archived updates file. The URL is at the bottom of the
               ChangeLOG section
               [Section 58]
------------------
N   01/13/02 - Updated the versions of Sendmail to 8.12.2 and Bind to 9.2.0
               and 8.3.0
               [Section 5]
N            - Updated the Distro thoughts section to reflect the newest
               distros and what I think of them: Mandrake 8.1, Redhat 7.2,
               Slackware 8.0, Debian 2.2r5, Caldera 3.1, and SuSe 7.3
               [Section 6]
N            - Should have been pointing users to Section 52 for thoughts on
               RPMs vs. Section 50.
N            - Noted that Redhat 7.2 is not LSB compliant for the paths of
               the Sendmail files (/etc/sendmail.cf and /etc/aliases)
G            - Fixed the comments in the 8.11.x .cf configs to reflect that
               the "local-host-names" file replaced the sendmail.cw file.
G            - Added a .mc method to disable the Sendmail helpfile
               * Thanks to Chuck Hartley for the reminder and prod!
               [Section 25]
------------------
N   01/08/02 - Updated the SMB workstation mount point from /tmp/smb-c to
               /mnt/smb-c. I also added an explicit step to make Samba start
               upon reboot (it was implied to reverse this from Section 8).
               Thanks to Robbie Read for the pointer.
               [Section 33]
------------------
N   01/05/02 - Updated the URLs for APCUPSd
               [Section 5]
N            - Noted that users can log in via SMB with different
               username/passwds than defined in the normal passwd file.
               [Section 33]
G            - Kern emailed me back and is now linking to TrinityOS from his
               APCUPSd site for TrinityOS's graphing tool. In addition, he
               will be adding Battery Runtime Calibration to newer versions
               of APCUPSd!
               [Section 36]
------------------
N   12/30/01 - Updated various versions of software, etc.                   * Sent Update *
               - kernel 2.4.17
               - PPPd 2.4.1 - noted that pppd 2.4.x now supports ML/PPP
               - Bind 9.2.0
               - DHCP v3.0
               - WUFTPd 2.6.2
               - SSH 3.1.0
               - Apache 1.3.22
               - Nmap 2.54Beta30
             - Added URLs for
               - Powertweak
               - preempt 2.2.x patches
               - everybuddy
               [Section 5]
*C*          - Updated the strong rc.firewall to rc.firewall-4.05-123NIC
               - OUCH! Somehow the final setting of ip_forward got set to
                 "0" instead of "1".
                 Thanks to Chris van der Merwe for catching this!
               - Added comments that when a 2.4.x kernel is found, running
                 IPCHAINS emulation is NOT recommended due to poor MASQ
                 support. It is recommended to run a native IPTABLES ruleset
                 under 2.4.x kernels.
               [Section 10]
G            - Updated the info on the state of the PPPd dial-on-demand
               featureset. Since PPPd really does do everything that Diald
               does, there isn't much reason to use Diald anymore.
               [Section 22]
G            - Updated the Diald section to reflect that I no longer
               recommend the use of Diald. I recommend using the
               Dial-on-demand features built into PPPd. If you disagree with
               this, please email me and I'll try to clarify my point.
               [Section 23]
G            - Added a small addition to the Sendmail testing section to
               test if the server can accept email from a simple TELNET
               connection.
N            - Added some extra clarification and testing procedures to the
               Sendmail backup MX section
               [Section 25]
----------------
N   12/22/01 - Updated the versions of APCUPSd                               * Sent Update *
               [Section 5]
G            - Updated the UPS section
               - Cleaned up the text a bit and added comparisons between
                 Powerchute and APCUPSd
               - Updated the setup of APCUPSd to reflect the new
                 configuration and logging setup that was recently
                 introduced
               - Renamed the generate-ups-graph.sh script to
                 powerchute-generate-ups-graph.sh
               - Added the apcupsd-generate-ups-graph.sh script to graph
                 APCUPSd logs
               [Section 36]
----------------
G   12/21/01 - Updated the Sendmail.mc file to update and expand the
               Blackhole lists to improve the spam blocking system. Thanks
               to Frank Pineau for the tip.
               [Section 25]
----------------
G   12/01/01 - Updated the IPCHAINS ruleset to rc.firewall-4.03-123NIC
               - New version has some echo statements to let the ruleset
                 load when DHCP is disabled.
                 Thanks to Roger Farrero Tapias for this one
               - Added some comments to let people know that the lack of the
                 "dynaddr" and "ipdefrag" kernel options is ok
               - Added explicit filtering of the SubSeven trojan
               [Section 10]
----------------
I   11/23/01 - Fixed the perms of /bin/su to be 4750 instead of 750 as su
               would otherwise fail since it couldn't read the shadow
               password file. Thanks to Julian Buckley for catching this.
               [Section 8]
----------------
I   11/11/01 - Updated the build-it script to both improve build time and
               make it more reliable.
             - Some of the text still referred to /usr/src/ and not the
               newer /usr/src/kernel style
               [Section 14]
----------------
I   11/09/01 - Updated the IPCHAINS rc.firewall to 4.02
               - Disabled external DNSd and SMTPd server options as per the
                 default.
               - Added comments and #ed out DHCPd for eth1 (input and output)
               - Split up the SSHd and DNSd enable/disable area for eth1
               - #ed out SSHd and DNSd access (output) per the correct
                 default
               Thanks to kent at iastate for the errata.
               [Section 10]

=== Added 11/09/01 ============================================================

*C* 11/04/01 - Updated the versions for the kernels and warned people       * Sent Update *
               about all 2.4.x kernels less than 2.4.13 and 2.2.x kernels
               less than 2.2.20 for the symlink vulnerability
N            - Updated the versions of named to 8.2.5. 8.2.3 is the minimum
               secure version
N            - Added the new version for the new sendmail code: 8.12.1
G            - Added a URL for more DHCP info
*C*          - Updated the versions of SSHv1 and SSHv2
N            - Updated the version of Samba to 2.2.2
               [Section 5]
G            - Updated the /etc/securetty section to now support DevFS.
               [Section 8]
G            - Updated the network diagram and Search/Replace table to
               reflect the new DMZ segment supported in the IPCHAINS
               v4.01-123nic firewall ruleset
               [Section 6]
N            - Updated the stateful verbiage in the beginning of the section
               to mention that IPTABLES is Linux's stateful firewall
               solution.
*I*          - Noted that the most secure kernel is 2.2.20.
*I*          - Updated the IPCHAINS rc.firewall to 123nic-4.01f.
               * This new firewall supports 1, 2, or 3 network segments. You
                 enable additional segments simply by configuring them in
                 the header. The rest is all taken care of. Note that this
                 new rc.firewall is intended for an external, internal, and
                 a DMZ (802.11b wireless network) setup. 802.11b networks
                 are -NOT- safe and should be treated as such.
                 ** P.S. I'm inclined to stick with the shell scripting for
                 future revs but I have a feeling I might regret it.
                 Thoughts anyone? Should I really obfuscate the learning
                 curve of the rc.firewall with Perl or Python?
               * This version is my prototype architecture to split the
                 TrinityOS rc.firewall into -2- files. The first file will
                 simply be the config of the firewall while the other file
                 will be the ruleset itself. So, when I have a new feature
                 or bugfix, you can update the ruleset without changing ANY
                 configs on your side.
               * It also recognizes 2.4.x kernels and installs the
                 ipchains.o module if needed.
               [Section 10]
I            - Updated the path for the kernel source from /usr/src/linux
               to /usr/src/kernel/linux. Also updated the TrinityOS-security
               script
               [Section 11]
I            - Updated the kernel path to use /usr/src/kernel instead and
               updated the build-it script to reflect this.
               [Section 14]
G            - Updated the DHCP server section to include more information;
               it now covers DHCP Relay, etc.
               [Section 27]
*C*          - Updated the SSH section to warn people about the newest
               vulnerabilities, recommend users NOT to use SSHv1, and
               updated the docs and scripts to reflect the use of SSHv2
               ONLY.
               [Section 30]
G            - Updated the compiling of Samba to also support Windows2000
               Distributed File Shares, etc.
               [Section 33]
G            - Added a section in the DHCP client section on how to put DNS
               search lists into the /etc/resolv.conf file. Thanks to Dan
               Sandberg for this good idea.
               [Section 35]
N            - Deleted empty sections (I'll get back to some of these):
                 53 - Zip drive connected to the parallel port
                 54 - Sound card utilities
                 55 - System optimization and tuning
                 56 - WWW caching proxy
                 57 - Transparent WWW banner/Ad filtering
N            - Started a new section called "Enabling Linux to be a good
               desktop OS". Thanks to Andy Barclay for this good idea.
               [Section 53]
----------------
N   10/14/01 - Updated the IPCHAINS ruleset to 3.83e
               - Fixed a typo where I was referring to 172.19.x.x and not
                 172.16.x.x for RFC1918 private address filtering. Thanks
                 to Barton Hodges for catching this.
               [Section 10]
----------------
N   09/13/01 - Fixed a typo where I said a /29 netmask was 255.255.255.250.
               It should be a .248. Thanks to Josh Ward for catching this.
               [Section 24]
----------------
G   09/09/01 - Added permission and group ownership changes to /bin/su
               [Section 8]
----------------
N   09/07/01 - Moved from the "Future Feature" section the use of the
               firewall-confirm script to automatically roll back
               rc.firewall rulesets in the event of an error in the ruleset.
               [Section 3]
N            - Fixed a typo in the "How MASQ works" text where the
               destination IP was 111.222.212.222 instead of
               222.020.222.111. Thanks to Jaroslaw Bruest for catching this.
               [Section 10]
----------------
N   09/03/01 - Updated the versions of Bind to 8.2.4 and 9.1.3
               [Section 5]
G            - Updated Section 8 to support Xinetd and cleaned up some other
               stuff in that section
N            - Added an intro section on what shadow password files are
N            - Deleted the 8.19 "refer to section 15 for lilo security"
               section
               [Section 8]
G            - Fixed a typo in both the ext and int forward zone files where
               the backup NS record was an IP address and not the correct
               "ns.backupacme.com" address.
               - Fixed a comment in the int forward zone that said the MX
                 record was a Secondary NS server.
               - Reordered the section a little to first TEST Bind. If
                 things work ok, then enable it to load upon boot.
               - All changes are reflected in the TrinityOS-security script.
               Thanks to Robbie Read for catching these.
               [Section 24]
N            - Corrected the filename and path for some users who have
               problems compiling Bind.
               [Section 25]
----------------
G   08/27/01 - Updated the root-hints-update script to v2.6
               - Fixed an error where the root.hints.new file was missing
                 from the "results" email.
               - The script is now deleting the "results" file and is using
                 all absolute paths.
               - The script is again sending the "result" output as well.
               - Thanks to Eddie Atherton for catching this
               [Section 14]
----------------
N   08/26/01 - Added a URL for NTP servers                                  * Sent Update *
N            - Updated the 2.4.x kernel to 2.4.9
*C*          - Noted that Sendmail 8.11.6 is the minimum secure version of
               Sendmail.
               [Section 5]
*C*          - Noted that Sendmail 8.11.6 is the current secure version
               [Section 25]
N            - Corrected and moved a URL reference from this section to
               Section 5. Thanks to Robbie Read for this one.
               [Section 26]
----------------
N   08/20/01 - Updated the title of the UPS section
               [Section 5]
I            - Corrected a bad file path: /etc/sendmail.cf to
               /etc/mail/sendmail.cf. Thanks to John C. Wojtulewicz for the
               good eye.
               [Section 25]
N            - Updated the layout of the UPS section
G            - Added the generate-ups-log.sh script that graphs each day's
               power conditions in an emailed .PDF
N            - Added a URL of an example generate-ups-log .PDF file
               [Section 26]
----------------
N   08/16/01 - Updated the URL for Psionic's Abacus tool. Thanks to Tim
               Barkley for the update.
               [Section 5]
----------------
G   08/09/01 - Updated the DNS section to help 8.2.x users with compiling
               problems
G            - Updated the root-hints-update script to be a little more
               verbose and fixed the use of a non-existent file
*C*          - Added a DNS subsection that explains an odd but important
               corner case when 1) using the same domain name on both the
               internal and external DNS servers; 2) acting as secondary for
               other remote domains; and 3) trying to send email to a person
               at one of those remote domains. Thanks to Andy Barclay for
               helping me track this one down.
               [Section 24]
----------------
N   08/07/01 - Updated the URLs for Software RAID
               [Section 5]
G            - Updated the Software RAID section to reflect RAID on the
               2.2.x and 2.4.x kernels with Auto-Detected RAID setups.
               [Section 31]
----------------
I   07/19/01 - In the internal chroot DNS zone record for 127.0.0.1, there
               was a rogue serial number line that prevented the zone from
               loading. This has been fixed in both TrinityOS and in the
               archive. Thanks to Frances R. Clark for catching this
               [Section 24]
----------------
G   06/10/01 - Updated the DNS section to reflect the use of the            * Sent Update *
               a.root-servers.net server for dig, like the
               root-hints-update script has had for a while. Thanks to
               Robbie Read for this one
               [Section 24]
*C* 05/28/01 - Updated the DNS section to reflect the more correct zone
               file names:
                 internal: acme123-int.com.db vs. 192.168.0.db
                 external: 100.200.0.212-in.addr.db vs.
                           212.0.200.100-in.addr.db
             - Updated both of the internal and external named.conf files
             - Fixed an IP address mistake in the external reverse zone that
               was pointing to 102.200.0.25 instead of 100.200.0.212
             - Also notice that I've added the following comment to the
               internal acme123-int.com.db zone file:

                 ;
                 ; note - If you wish to directly resolve any acme123.com hosts
                 ;        that are currently only defined in the EXTERNAL zone
                 ;        files (say www.acme123.com), you MUST list them here
                 ;        as well since the internal zone assumes that it is
                 ;        authoritative for the acme123.com zone and thus would
                 ;        never contact the external server for any other
                 ;        acme123.com queries.

             - Both internal and external forward zone files had an MX
               record pointing to a CNAME called mail. Redefined "mail" as
               an "A" record. Doh! Sorry about that!
               [Section 24]
-------------
N   04/06/01 - Changed some formatting and layout
             - Removed specific Redhat version #s
             - Updated the other things available on my WWW site
               [Section 2]
N            - Fixed some spelling typos
             - Removed link speed specific comments for Ethernet
             - Removed specific Bind version #s
             - Added that the Sendmail setup does backup SMTP
             - Deleted redundant "Getting DNS domains", "Fighting Spam", and
               "Been Hacked?" items
             - Deleted the old SSH comment for supporting SSH'ed X
               connections
             - Moved the Tripwire section to the Futures section since it
               hasn't been documented yet. I'll probably do this with AIDE
               anyway.
             - Removed the backup SMTP section from the Futures section
               (done)
             - Removed the Single NIC IPCHAINS setup from the Future Section
               (done)
               [Section 3]
N            - Updated the kernel to 2.2.19
               [Section 4]
N            - Updated the Mandrake Updates URL
             - Deleted old Redhat mirror URLs
             - Updated the 2.2.x kernel to 2.2.19
             - Reversed the order of the noted kernels and added 2.4.x
               kernels
               [Section 5]
---------------
I   03/09/01   DohDoh! Actually removed the # typo from the rc.firewall     * Sent Update *
               errata shown on 03/07/01.
               [Section 10]
G              For some reason, when I did the DNS updates, I was thinking
               Bind was at version 8.9.3 (thinking Sendmail) instead of
               8.2.3.
               [Section 24]
----------------
I   03/07/01   Doh! Updated all the TrinityOS-security.tgz URLs to         * Sent Update *
               point to .tar.gz files.
             - Thanks to Mark Rushing for catching this
N              Moved all ChangeLOG updates older than 10/15/01 to the
               TrinityOS-old-updates.wri file
N              Moved all IPCHAINS rc.firewall errata older than 3.72 to the
               TrinityOS-old-updates.wri file
G              Updated the ISC Bind versions and URLs
               [Section 5]
I              Updated the IPCHAINS rc.firewall ruleset to 3.83d
               #  - Fixed a typo (stray #) where the RFC1918
               #    10.x.x.x network was NOT being filtered in
               #    the OUTPUT section
               [Section 10]
G              Updated the DNS section to include CHROOTed and Split Bind
               9.1.0
             - Updated the intro text for Section 24 for clarity, cleaned up
               some formatting issues, removed pricing info for registering
               domain names (I've seen registrars offering from $14.95 to
               $45/yr).
             - Added additional methods on how to figure out what version of
               Bind is running
             - Updated the minimum secure version of Bind to 8.2.3
             - Removed ALL older BIND information to the
               TrinityOS-old-configs.txt files
             - Changed from explicitly moving the named and named-xfer
               binaries into the CHROOTed jails to copying named*. The
               reason for this is that named-xfer no longer exists in Bind9
               but there are two new files. This way is a little more
               generic.
             - One of the changes from Bind8 to Bind9 is that the TYPE
               record in the named.conf file must now be the FIRST line.
             - Changed the filename 192.168.0.db to be acme123-int.com.db
               since it really was a FORWARD zone file and not a reverse
             * Updated the TrinityOS-security script to reflect all of these
               changes as well as cleaned up the chapter numbers, etc.
               [Section 24]
------------
    03/06/01 - Moved all IPCHAINS rc.firewall Changelogs to the
               TrinityOS-old-updates.wri file
------------
# v3.72 - 10/07/00
#  - Added some more descriptions to the OUTPUT filter section for trojans.
#  - I updated some of the existing OUTPUT trojan filters and also added a
#    filter for Eggdrop and MySQL connections to the Inet
#  - Added a master URL for a complete listing of known Trojan ports
#  - Added some comments to the DHCP rules where some distros do NOT allow
#    for TCP-based DHCP
#  - Reversed the RESERVED-192 and RESERVED-2 IANA filters since
#    www.iana.org is using this domain space.
#  - Added commented support for an IRC server
#  - Finally fixed (re-enabled) the Reserved-7 IANA ruleset in both the
#    INPUT and OUTPUT rules that was blocking the 64.x.x.x network due
#    to a faulty /3 netmask
#
# v3.71 - 09/10/00
#  - Added a SMB/CIFS rule to block port 137 UDP traffic in both the INPUT
#    and OUTPUT rules
#  - Deleted a commented option to list the deleted SECONDARYDNS variable
#  - Added a comment to the LooseUDP section to note that some distros like
#    TurboLinux delete this option from their kernel
#  - Had to disable the BLACKHOLE3 filter since though the Internic shows
#    it as reserved, www.iana.org is actually in that reserved space!
#  - Added a comment why Reserved-7 is disabled (the /3 includes the
#    commonly used 64.x.x.x network)
#  - Added an excellent URL to the comments section of the Advanced ICMP
#    section
#  - Reordered, enhanced, added logging, and enabled some Advanced ICMP
#    filters in both the INPUT and OUTPUT sections
#  - Did some reformatting of the ruleset for more readability
#  - Added another note to the RFC1918 section regarding some specific
#    ISPs using private addressing space, etc.
#  - Added a test to make sure that the $EXTIF is up before running the
#    firewall.
Thanks to Gatto_1@excite.com for the recommendation # - Added a commented INPUT and OUTPUT section for Internet-wide HTTPS # - Deleted some duplicate SMB/CIFS output rules and add added some explict # INPUT and OUTPUT UDP rules for SMB/CIFS # # v3.70 - 07/12/00 # - Added converse rules for IDENT in the INPUT and OUTPUT sections for # better documentation and updated the OUTPUT section description of AUTH # # - Deleted the SECONDARYDNS varable from the firewall rule set as it did # nothing nor could it since both TCP and UDP DNS traffic must be wide # open to the world anyway. # # - Added several new /proc terms to secure or ensure settings are set: # - Added TCPSYN checking # - Added Sanity ICMP filters for # - ICMP broadcasts # - ICMP bad error packet # - ICMP redirects # - Added Sanity filters for source-routing and spoofed packets # - Added explict but disabled by default filters for different types # of ICMP traffic to both the INPUT and OUTPUT sections # # - Cleaned up the DHCP / PUMP issue description section a little # # - The rc.firewall ruleset has been manually aligned with the # TrinityOS-archive rc.firewall ruleset for the last time. The # TrinityOS-archive file is now parsed directly out of the SGML text to # ensure a perfect copy. # # Sorry for any previous differences between the two files. # # - Added a disabled OUTPUT section to support APC Powerchute for Linux # # - Added the new top banner to the rc.firewall file and added a top # section for enduser's personal notations and version changes # # - Added a disabled option for the ICQ MASQ module # # - For some reason, SMTP OUTPUT on the EXTERNAL interface was enabled # by default. This is now DISABLED by default. # # - Put #s in front for the SECUREHOST OUTPUT echo statements though the # IPCHAINS statements were already disabled. 
-----------------
I 02/18/01 Made another fix to the root-hints-update script
           # v2.4 - Updated the dig info lookup from ns.internic.net
           #        to a.root-servers.net
                                                          [Section 24]
----------------
G 02/14/01 Made some fixes to the root-hints-update script for DNS:
           # v2.3 - Updated the initial CD into one of the real
           #        CHROOTed dirs vs. /var/named. The old script
           #        was also leaving a stray NEW file in the EXT
           #        directory. Because of all this, the email
           #        notification would show an old root.hints
           #        file though DNS would have the correct
           #        updated file.
           Thanks to Jehan Bing for this errata.
N          Moved over the root-hints-update script to the automatic
           extraction from HTML (no more manual file sync'ing)
                                                          [Section 24]
----------------
N 02/10/01 Cleaned up some formatting issues
* Sent Update *
N          Updated Section 4 to reflect the current hardware I'm running
                                                          [Section 4]
G          Updated several URLs and version numbers:
             Updated the 2.0.x URL to 2.0.39
             Updated the 2.2.x URL to 2.2.18
             Updated the URLs to reflect the 2.4.x kernels
             Updated the PPPd URL to 2.3.11
             Updated the Bind URL to 8.2.3
             Updated the Sendmail URL to 8.11.2
*C*          Updated the SSH URLs to 1.2.31 and 2.4.0
             * Please note that SSH v1.2.31 still has a critical
               exploitable bug. The fix has not been posted yet to
               ssh.com. I will soon post installation instructions for
               OpenSSH to avoid these technical and new licensing issues
               (SSHv1 from ssh.com is no longer free to everyone)
                                                          [Section 5]
------------
N 01/28/01 Updated the /etc/rc.d/init.d/named startup script
           # 01/28/01 - Added a few CR-LFs to clean up the output
           #            between starting the internal and external
           #            zones
                                                          [Section 24]
-----------------
G 01/27/01 Updated the IPCHAINS firewall
           # v3.83c - 01/27/01
           # - Fixed a wrong output netmask for NET-TEST-B being
           #   a /12 instead of a /16. But, this really doesn't
           #   matter as I have disabled the filtering of reserved
           #   IP space as ARIN constantly is releasing this
           #   address space to the public without any form of
           #   notification. See the update for v3.83a
           #   Thanks to Keith Mitchell for this one.
                                                          [Section 10]
----------------
G 01/06/01 Updated the Sendlogs script a bit:
           - Fixed some formatting issues and moved it over to make the
             .sgml code the primary source for the script vs. two
             separate copies
           - Added --MARK-- filtering
           - Made the output more pretty
           - Cleaned up the error reports in the SUID and RCMD searches
           - Added an lsof log entry
           - Added a #ed out section to DD one HD to another backup
                                                          [Section 9]
----------------
G 12/31/00 Changed the versioning mechanism of TrinityOS. The new
           system no longer includes the published date of TrinityOS in
           the actual filename of each file (i.e.
           TrinityOS-122100-c-1.html). I did this because the dates were
           hosing search engines since once I would push out a new
           update, it would invalidate all of the various search engines'
           links due to the change in date.
N          Updated the IPCHAINS firewall
           - Added a missing .0 to the 72.0.0 networks in the Reserved-7
             filters. Thanks to Michael Briegl for this one.
                                                          [Section 10]
N          Fixed a spelling error in the title of Chapter 29
                                                          [Section 29]
----------------
G 11/11/00 Changed all the archives on the WWW site from .tgz to
           .tar.gz to fix the corrupted file issue that people are
           complaining about. Basically, the issue is that the WWW
           server has the wrong MIME type for .tgz files. I've tried to
           get them to fix this without results so I'll just use this
           work around.
N          - Added links to IPROUTE2 code and documentation
N          - Also cleaned up the indentation of the 2.0.x URLs
                                                          [Section 5]
N          - Fixed two typos where I was restarting syslogd instead of
             inetd. Thanks to Jason Ramey for the sharp eye
                                                          [Section 8]
G          Fixed a BASH version issue for the deletion of the
           .bash_history file. The new syntax is
           "trap "rm -f ~$LOGNAME/.bash_history" 0" instead of the
           older KSH-style of "trap 0 rm -f ~$LOGNAME/.bash_history".
           Thanks to Jason Schadel for reporting this.
                                                          [Section 9]
N          - Fixed an echo typo in the /etc/rc.d/init.d/firewall script
             where I was setting the default policy to REJECT but the
             echo statement said ACCEPT.
           - Also added a "mlist" option to display current MASQ
             entries. Thanks to Brandon Keirns for catching this
                                                          [Section 10]
N          Fixed a typo where I was touching a /var/adm/messages file
           for Redhat instead of /var/log/messages. Thanks to Jason
           Schadel for reporting this.
                                                          [Section 19]
----------------
I 11/09/00 Updated the IPCHAINS ruleset again and ripped out all the
           Non-RFC1918 filtered addresses. I guess it was my mistake to
           believe IANA that addresses were reserved when things like
           65.x.x.x are used by MediaONE, etc. Sorry peoples.. my
           mistake.
                                                          [Section 10]
I          - Updated the firewall-confirm script
             # 11/09/00 - The initial release was the wrong version. Ack!
             #            This updated version includes a critical check
             #            for /tmp/fwok. This version includes a 30
             #            second screen timer.
             #            Please upgrade!
             Thanks to Ryan Snodgrass for catching this
             I have also updated the TrinityOS-security script to
             reflect this.
                                                          [Section 10]
N          Moved all old ChangeLOG entries dated 07/14/00 and older to
           the TrinityOS-old-updates.wri file.
N          I also cleaned up some formatting issues in the existing
           ChangeLOG entries.
                                                          [Section 58]
------------------
N 10/28/00 - Updated the IPCHAINS firewall to v3.82
             # Updated the Xwindows filtering from ports 6000-6010
             # to 6000-6063. Thanks to John Soltow for this one.
                                                          [Section 10]
N          - Fixed the text for the firewall-confirm script that should
             reference /tmp/fwok and not /tmp/ok
             Thanks to Xavier for this one.
                                                          [Section 10]
-------------------
N 10/15/00 - Updated some of the URLs
* Sent Update *                                           [Section 5]
*C*        - Updated the IPCHAINS firewall to v3.81
             # v3.81 - 10/15/00
             # - Crap! Last subnet error in the Reserved-8 IANA
             #   section. Please change the subnet mask on
             #   68.0.0.0 to a /6!
                                                          [Section 10]
-----------------
N 10/13/00 - Added Ofir Arkin's paper on ICMP protocol fingerprinting
* Sent to the main list Update *
           - Updated the URL for mkisofs
           - Added a URL for a kernel-based PPPoE client
                                                          [Section 5]
N          - Fixed an inetd description that said "swat" was for Apache
             when it is really for Samba. Thanks to Stephen Lawrence for
             this one.
                                                          [Section 8]
G          - Changed the version to v3.80 since all of these changes are
             VERY significant.
G          - Cleaned up and added some additional verbiage to the
             firewall section to help users troubleshoot connectivity
             problems.
G          - Added a little section to help the Linux newbies enable
             PORTFW access from within the TrinityOS rc.firewall ruleset.
                                                          [Section 10]
I          - Fixed a named.conf problem in chroot-dns-int where the
             internal zone was called "192.168.0" and NOT acme123.com.
             This would cause forward lookups to fail but reverses to
             work.
G          - Also added an MX record in to the internal acme123.com zone
             to fix some issues. Thanks to Jeff Robinson for the help on
             this one.
           - Updated the TrinityOS-security script to reflect this
                                                          [Section 24]
G          - Cleaned up a lot of grammar, etc. issues
           - Updated the REMOVE URL for Scour
             Thanks to Kenneth Porter for this one.
                                                          [Section 49]
-----------------
N 10/08/00 - Added to the Future Feature section to support smrsh for
             Sendmail
                                                          [Section 3]
N          - Updated the PCMCIA URL
           - Added a new Master NAT URL that covers not only Linux but
             other operating systems as well
           - Rearranged the various Security URLs into one section
           - Added www.snort.com URL to the IDS list
           - Added www.smhoo.com URL to the Resources list
           - Added www.mit.edu URL to the PGP Resource list
                                                          [Section 5]
N          - Updated the blurb on TurboLinux
                                                          [Section 6]
N          - Fixed a formatting typo in the System Search/Replace section
                                                          [Section 7]
N          - Added additional BIOS keystrokes for various BIOSes
N          - Added SysV init level permutations for SuSe in addition to
             Redhat
                                                          [Section 8]
G          - Added documentation on how to interpret various expected and
             non-expected log messages from the Sendlogs script for SUID,
             RCMD, and RPM output.
                                                          [Section 9]
I          - Updated the v3.72 IPCHAINS firewall
             # - Reversed the RESERVED-192 and RESERVED-2 IANA filters
             #   since www.iana.org is using this domain space.
             Thanks to jdow@bix.com for catching this one
I          - # - Finally fixed (re-enabled) the Reserved-7 IANA
             #   ruleset in both the INPUT and OUTPUT rules that was
             #   blocking the 64.x.x.x network due to a faulty /3 netmask
G          - Added comments to support TurboLinux in the
             /etc/rc.d/init.d/firewall script.
I          - Changed the /etc/rc.d/init.d/firewall script for the STOP
             option from ACCEPT to REJECT
*C*        - Added a new script called "firewall-confirmed" that allows
             users to safely implement new rc.firewall rulesets from a
             remote system w/o possibly taking their machine offline due
             to an error or typo in their rc.firewall file. This new
             script was also added to the TrinityOS-security script
                                                          [Section 10]
N          - Changed the title of this Subsection to reflect that it has
             more to do with Kernel compiling.
I          - Added a URL to this section that discusses some controversy
             if new kernel sources should be in /usr/src/linux or not.
             Check it out.. it's a good read.
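The confirm-or-roll-back idea behind the "firewall-confirmed" script (load the new rc.firewall, then restore the previous ruleset unless the operator creates /tmp/fwok within the 30 second timer) as an added shell example; this is not the TrinityOS script itself. The ruleset paths, the known-good copy, the fw_confirm name and the exit codes are assumptions, and the loader/restorer are plain shell scripts so the pattern can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example (not the TrinityOS firewall-confirm script): apply a new
# firewall ruleset, then require an explicit confirmation file within a
# timeout or fall back to the last known-good ruleset. This is how you
# avoid locking yourself out of a remote box with a typo in rc.firewall.

# Defaults mirror the values named in the changelog; the paths of the
# new and known-good rulesets are assumptions. All can be overridden
# from the environment.
FW_CONFIRM_FILE="${FW_CONFIRM_FILE:-/tmp/fwok}"
FW_TIMEOUT="${FW_TIMEOUT:-30}"
FW_NEW="${FW_NEW:-/etc/rc.d/rc.firewall}"
FW_OLD="${FW_OLD:-/etc/rc.d/rc.firewall.last-good}"

# fw_confirm NEW_RULESET OLD_RULESET CONFIRM_FILE TIMEOUT_SECONDS
#   0 - new ruleset loaded and confirmed in time (kept)
#   1 - no confirmation before the timeout, old ruleset restored
#   2 - new ruleset failed to load, old ruleset restored immediately
fw_confirm() {
    new="$1"; old="$2"; okfile="$3"; timeout="$4"

    # A confirm file left over from an earlier run must not count as
    # confirmation of this run, so clear it before loading anything.
    rm -f "$okfile"

    if ! sh "$new"; then
        echo "fw_confirm: new ruleset failed to load, restoring $old" >&2
        sh "$old"
        return 2
    fi
    echo "fw_confirm: new ruleset loaded; run 'touch $okfile' within ${timeout}s to keep it" >&2

    # Poll once a second for the confirmation file.
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -f "$okfile" ]; then
            rm -f "$okfile"     # consume it so it cannot confirm a later run
            echo "fw_confirm: confirmed, keeping new ruleset" >&2
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done

    echo "fw_confirm: no confirmation after ${timeout}s, restoring $old" >&2
    sh "$old"
    return 1
}

# Invocation on a real system (left commented; needs real rulesets):
# fw_confirm "$FW_NEW" "$FW_OLD" "$FW_CONFIRM_FILE" "$FW_TIMEOUT"
```

From the remote session you would run the invocation above, then in a second session `touch /tmp/fwok` once you can still reach the box.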
             Thanks to Aran Cox for the URL
                                                          [Section 11]
G          - Expanded the section on the various methods of configuring
             a kernel. I also added a section on how to use
             "make oldconfig" when upgrading kernels.
                                                          [Section 12]
G          - Added a reference to the Sendmail section and updated the
             mail Aliases section to reflect the new Sendmail paths.
                                                          [Section 18]
G          - Added configs to verify Sendmail's 8.11.x file and path perms
           - Noted that some aspects of compiling Sendmail have now
             changed
           - Added recommendations to move the new Sendmail documentation
             to the proper place
           - Added a comment to tell users where to find more information
             on the various options used in the trinityos.mc file
           - Added some missing zone file serial numbers
           - The SMTP option now needs to be before the PROCMAIL option in
             the trinityos.mc file
           - Updated the UUCP section to reflect the new syntax
           - Added a testing section to verify that Blackhole SPAM
             filtering is working properly
           - Added a hint on how to compile Sendmail to hide all version
             numbers
           - Added an additional troubleshooting section for specific
             Sendmail log errors
                                                          [Section 25]
G          - Chapterized this section
           - Added support for TurboLinux
                                                          [Section 27]
G          - Fixed a typo in the NFS section for the /etc/exports file
             where it should be "no_root_squash" and NOT "no-root_squash"
                                                          [Section 40]
N          - Updated the "Moving ISPs" section to note that Section 25
             now supports the configuration of backup SMTP servers.
                                                          [Section 51]
           Thanks to Harold Bower for his TurboLinux contributions
----------------
I 10/07/00 - Vastly updated and improved the TrinityOS-security script
N          - Added the future feature to include instructions for
             compiling Xntp.
                                                          [Section 3]
N          - Updated the distro section to note that apt is NOT a new
             version of dpkg. I also added a few more comments on the
             cool dependency power in dpkg. Thanks to Marcello Nuccio for
             catching this.
                                                          [Section 6]
G          - Added the recommendation to disable the Interactive INIT
             script for newer Redhat and Mandrakes.
           - Fixed a typo where there was a missing space when moving the
             tetex.cron job. Thanks to Jens Braeuer for catching this.
                                                          [Section 8]
G          - Updated the IPCHAINS firewall to v3.72
             # - Added some more descriptions to the OUTPUT filter
             #   section for trojans.
             # - I updated some of the existing OUTPUT trojans filters
             #   and also added a filter for Eggdrop and MySQL connections
             #   to the Inet
             # - Added a master URL for a complete listing of known
             #   Trojan ports
             # - Added some comments to the DHCP rules where some
             #   distros do NOT allow for TCP-based DHCP
             # - Added commented support for an IRC server
             Thanks to Dennis Derks for the MySQL and Eggdrop filters.
             Thanks to Harondel Sibble for the trojan URL.
             Thanks to Harold Bower for some typo and spelling fixes.
I          - Added a note that starting with Mandrake 7.0 and probably
             Redhat 6.2, if it exists, /etc/rc.d/rc.firewall will be
             executed from /etc/rc.d/rc.sysinit. It is recommended to
             edit that file and # out that code.
                                                          [Section 10]
G          - Added a comment that DHCP users will NOT get the TCP Window
             optimizations as described in this section. The reason is
             that most DHCP clients don't support advanced features like
             this. If you know of a good way to solve this, I'd like to
             hear from you.
                                                          [Section 16]
G          - Updated the /etc/rc.d/init.d/named script to individually
             start/stop the internal or external DNS servers. I also
             added this script to the TrinityOS-archive script.
I          - Doh! Finally added the $TTL timeout to all the various zone
             files in both TrinityOS and the TrinityOS-security script.
                                                          [Section 24]
G          - Updated the Sendmail section to reflect 8.11.x and cleaned
             things up
N          - Chapterized section 25
N          - Retired the old 8.8.x configs to a new TrinityOS-Retired
             document
I          - Added a new config section for sendmail 8.11.x
G          - Part of the 8.10/8.11 confs, I added the "access_db" and
             "relay_mail_from" features to support backup SMTP features
G          - Added a redhat way to determine the Sendmail version
N          - Added a small table to describe the various Sendmail config
             changes over the various 8.8/8.9/8.11 versions
I          - The "rbl" feature tag has been replaced with the "dnsbl" tag
G          - Added the Feature(relay_mail_from) to support backup SMTP
             for remote domains where the remote user is NOT locally
             defined
G          - Updated the TrinityOS-security script to reflect these
             changes
             Thanks to Andy Barclay for the heads up on the
             "relay_mail_from" issue
                                                          [Section 25]
N          - Updated the NTP section a little, cleaned it up, and added
             a note for Redhat users to edit the /etc/sysconfig/ntp
             option for setting the Timezone.
                                                          [Section 26]
I          - The "option hostname" line in /etc/dhcpd.conf is no longer
             valid in newer versions of dhcpd. This was also fixed in the
             TrinityOS-security script
                                                          [Section 27]
G          - Doh! I totally forgot to set up HDPARM to save and restore
             its settings over a HD reset or reboot. Thanks to Martin
             Steldinger for catching this.
                                                          [Section 48]
----------------
N 09/16/00 - Updated the IPCHAINS v3.71 rules
             # - Deleted some duplicate SMB/CIFS output rules and
             #   added some explicit INPUT and OUTPUT UDP rules for
             #   SMB/CIFS
                                                          [Section 10]
----------------
G 09/10/00 - Moved the deletion of .bash_history from Section 52
           - Added this to the TrinityOS Archive
                                                          [Section 9]
N          - Added a detailed explanation of how IP Masq WORKS in the
             intro section
           - Updated the IPCHAINS firewall to include #ed out options for
             secure HTTP (HTTPS) server connections
                                                          [Section 10]
N          - Added a small PPPd pros/cons comparison section for the PPP
             vs. Diald's Dial-on-Demand features.
                                                          [Section 22]
G          - Updated the DNS section
N          - Added a version number comment to all the zone files (v1.0.1)
G          - Added an "allow-transfer" and "allow-query" statement to the
             192.168.0 zone file.
G          - Added the "cleaning-interval" option to the external zone to
             make cache entries last longer
I          - Appended the acme123.com. domain to the INTERNAL 127.0.0.1
             PTR record.
           - Added all these changes to the TrinityOS archive
                                                          [Section 24]
N          - Added several subsection markers to the SSH chapter to make
             it easier to navigate
                                                          [Section 30]
I          - Fixed an incorrect symbolic link
               ln -s /etc/rc.d/init.d/firewall /etc/dhcpc/dhcpcd-*EXTIF*.exe
             to
               ln -s /etc/rc.d/rc.firewall /etc/dhcpc/dhcpcd-*EXTIF*.exe
                                                          [Section 35]
------------
G 09/02/00 - Updated the v3.71 IPCHAINS ruleset
             # A continuation of v3.71
             # - Added an excellent URL to the comments section of the
             #   Advanced ICMP section
             # - Reordered, enhanced, added logging, and enabled some
             #   Advanced ICMP filters in both the INPUT and OUTPUT
             #   sections
             # - Did some reformatting of the ruleset for more
             #   readability
                                                          [Section 10]
------------
G 08/17/00 - Changed both TrinityOS and the root-hints script to get the
             newest root servers list from ns.internic.net instead of
             the now defunct rs.internic.net
                                                          [Section 24]
------------
G 08/12/00 - Updated the IPCHAINS ruleset to v3.71
             # v3.71 - 08/12/00
             # - Add a SMB/CIFS rule to block port 137 UDP traffic in
             #   both the INPUT and OUTPUT rules
             # - Deleted a commented option to list the deleted
             #   SECONDARYDNS variable
             # - Added a comment to the LooseUDP section to note that
             #   some distros like TurboLinux delete this option from
             #   their kernel
             # - Had to disable the BLACKHOLE3 IANA filter since
             #   though the Internic shows it as reserved, www.iana.org
             #   is actually in that reserved space!
             # - Added a comment why Reserved-7 is disabled (the /3
             #   includes the commonly used 64.x.x.x network)
             Thanks to halbower@cablespeed.com for these comments.
                                                          [Section 10]
N 07/23/00 - Fixed a few spelling errors, etc. in the doc. Thanks to
             "Kenneth Porter" for the help
N          - Just noticed that I never had an abstract at the very
             beginning of TrinityOS!
                                                          [INDEX]
N          - Deleted the "How to compile BIND/Named" Future Feature and
             significantly rearranged, added, and deleted some
             bulletpoints on what TrinityOS has to offer
                                                          [Section 3]
N          - Added a URL to the Nessus security toolkit
                                                          [Section 5]
G          - Updated the SSH version from ssh-1.2.27 and ssh-2.0.13 to
             1.2.30 and 2.2.0
                                                          [Section 5]
G          - Added the addition of an environment var in /etc/bashrc to
             make all C compiles use colorgcc to make compiling things a
             little more obvious.
                                                          [Section 8]
N          - Updated the DNS section label to: "DNS: Acquiring and
             configuring a CHROOTed and SPLIT master/slave DNS servers"
N          - Reorganized the BIND section a little
G          - Added instructions on how to compile up BIND (DNS)
I          - Sigh.. Fixed another UID creation bug of the chroot-dns-int
             user. It was "useradd -u 120 -g 121 chroot-dns-int" and
             should have been "useradd -u 121 -g 121 chroot-dns-int"
                                                          [Section 24]
N          - Updated the SSH section to reflect the newer versions of SSH
                                                          [Section 30]
----------------
N 11/09/00 Moved all IPCHAINS rc.firewall change logs from v.3.60 and
           older to here

# v3.60 - 07/03/00
# - Noted that all kernels less than 2.2.16 have a TCP exploit with tools
#   like Sendmail
#
# - As of kernel 2.2.16, LooseUDP is now DISABLED by default. I have
#   explicitly DISABLED LooseUDP in the final section of the firewall rule
#   set. Only gamers need the functionality and it can create an added
#   internal port scanning vulnerability.
#
# - Added port 445 for Windows2000 CIFS / SMB filtering for both INPUT
#   and OUTPUT. Also enhanced the informational section to explain what
#   each port does
# - Added EXTENSIVE INPUT and OUTPUT filters for the IANA reserved TCP/IP
#   addressing scheme
#
# - Noted that newer versions of pump now support the execution of scripts
#   upon lease bringup, renew, etc.
#
# - Added explicit though disabled Multicast filtering on the external
#   interface per many users' requests.
#
# - Fixed some spelling errors
#
# - Replaced the EXTIP and EXTBROAD scripts with ones that require only
#   two programs instead of four to make things faster.
#
# v3.59 - 05/28/00
# - Fixed an error for the Squid re-direction where all destination traffic
#   was going to BROADCAST instead of INTLAN.
#   Thanks to sala@cbint.org for catching this.
#
# - Fixed an error where global SMTP allows on all interfaces were actually
#   limited to the EXTIP address. This should have been UNIVERSE.
#
# - Fixed a typo where the AOL filtering example had the SMTP port in the
#   destination and not the source address field.
#   Thanks to johnh@mdscomp.com for these two reports.
#
# v3.58 - 04/15/00
# - Fixed a pretty serious issue if you were trying to enable the explicit
#   input filters for things like DoubleClick, etc. Basically, I was
#   allowing all internal traffic to get to the Internet before these
#   firewall rules were being inspected. I have now moved the ALLOW ALL
#   internal firewall rule sets toward the end of the INPUT section.
#   Thanks to thomas.stangner@navigon.de for catching this!
#
# v3.57 - 04/09/00
# - Added some spaces in front of the word "Optional" for prettier
#   output upon loading.
# - I've rearranged the enabling of FORWARDING -before- the enabling
#   of MASQUERADING since IPCHAINS complains.
# - As of 2.2.12, the IP_ALWAYS_DEFRAG option has been omitted and is now
#   a /proc configured option. I have now added this to the FORWARD
#   section.
# - Added an echo statement and additional SILENT blocking statements for
#   SMB traffic on the external interface
#
# v3.56 - 04/08/00
# - Added the /sbin path to the commented IPCHAINS lines for setting the
#   TOS bits.
#
# v3.55 - 03/26/00
# - Grrr.. reversed the DHCPcd issue since the /etc/dhcpc/dhcpcd-INT.exe
#   script will NOT execute if the IP address hasn't changed from the one
#   before reboot. I have deleted some of the commented text from the
#   EXTIP section. Please see the TrinityOS errata section for more
#   details.
#
# v3.54 - 03/25/00
# - Added filters for the new Shaft DDoS tools
#
# v3.53 - 03/19/00
# - Hopefully caught the last DHCP issue. I've added in the comments
#   that users who need to use DHCP on their external interface SHOULD
#   not enable nor use the /etc/rc.d/init.d/firewall script. The reason
#   for this is that the DHCP program will run both the
#   /etc/dhcpcd/dhcpcd-ethX.exe and the /etc/rc.d/rc.firewall. This
#   will completely hose the loaded firewall rule sets. I have noted this
#   in the EXTIP section's comments.
#
# v3.52 - 03/18/00
# - Finally found a 100% solution for DHCPcd users out there that
#   get DHCP'ed IP addresses on their external INTERFACE. Changes
#   in the firewall rule set are only comments in the top sections
#   regarding DHCPcd but please see the DHCPcd section in TrinityOS
#   for full details.
#
# - Moved the PORTFW variable to be below the SECUREHOST section
#   for clarity.
#
# - Added some comments for PORTFW users on how to allow portfw access
#   to explicit hosts and/or networks.
#
# - Added two more PORTFWIP variables to the IPCHAINS rule set
#
# - Moved the PORTFW section from the INPUT section to the FORWARDing
#   section for better clarity
#
# - Added a section in the general INPUT section for Squid w/ JunkBuster.
#
# - Expanded on the DoubleClick filtering example with network numbers from
#   cwilson@ece.gatech.edu
#
# v3.51 - 03/05/00
# - Removed a duplicate input filter for spoofed packets, etc.
#   Interestingly enough, trinityos.wri didn't have the duped line.
#   Thanks to leo@leobutler.com for the sharp eye.
#
# - Added a new INPUT section to filter out ANY requests for
#   specific sites (a form of Net-Nanny, etc). You would use these
#   filters to block access to given sites. I've explicitly shown
#   disabled examples for doubleclick.net and aol.com.
#
# v3.50 - 02/26/00
# - Fixed a minor error in the commented Diald line where the $INTLAN
#   variable needed to have the extra "/24" deleted. Thanks to
#   jonbir@cogs.susx.ac.uk for reporting this.
#
---------------
==============================================================================
N 11/09/00 Moved all ChangeLOG entries dated 07/14/00 and older to the
G 07/14/00 - Sent out a notification to the people on the Updates list.
* Sent Update *
N          - Moved all ChangeLOGS dated 04/09/00 and older to the
             archives
-----------------
N 07/09/00 - In the spirit of automating the building of the TrinityOS
             docs, I have added the and tags to the strong IPCHAINS rule
             set so that I can have a single place for the maintenance
             of the rule set. Now I don't have to manually maintain and
             update the ruleset in both TrinityOS and in the
             TrinityOS-archive. Sorry for any previous differences
             between the two files. Thanks to Ken Kellam for the Perl
             code to do this.
                                                          [Section 10]
----------------
N 07/06/00 - Merged over the ICMP and /proc changes to the rc.firewall
             archive
----------------
N 07/05/00 Fixed many spelling errors and downright English mistakes
           throughout the document:
             explict      --> explicit
             implict      --> implicit
             enviroment   --> environment
             vunerable    --> vulnerable
             ruleset      --> rule set
             i.e.         --> e.g.
             maintinance  --> maintenance
             portscan     --> port scan
             powerdown    --> power down
             cablemodem   --> cable modem
             impliment    --> implement
             distro       --> distribution
             etc          --> etc.
             taylor       --> tailor
             enduser      --> end user
             thats        --> that's
             immeadiately --> immediately
             occured      --> occurred
             goto         --> go to
           Removed the poor usage of too many ".."
           THANKS to "Roberts, Mike" for all these. Better late than
           never eh Mike?
I          Wow! It looks like some URLs fell through the SGML conversion
           crack!
I          Missing URLs included: MLPPP, PPPoE, PPTP, and Netscape.
N          I also updated the version numbers for Sendmail (8.9.3 to
           8.10.2) and Wu-FTPd (2.6.0 to 2.6.1).
G          Finally, I also added URLs for OpenSSH, APC's Powerchute for
           Linux, and ViperDB (Tripwire clone).
                                                          [Section 5]
N          Updated the fact that I now currently use both Mandrake 6.1
           and 7.0
                                                          [Section 6]
G          Added to the TCP Wrappers section how to support advanced
           logging and sending text banners to remote clients. A belated
           thanks to jlrice@crosswinds.net for this one.
                                                          [Section 8]
I          Updated the IPCHAINS rc.firewall to v3.70 to reflect all the
           previous significant but unpublished changes and also the
           following:
G          - Updated the rc.firewall to use newer methods to get the
             EXTIP and EXTBROAD addresses using two programs instead of
             four. Thanks to "John E. Christ III" for this one.
N          - Fixed a spelling error of internface --> interface in the
             SMB section
G          - Added additional explicit ACCEPT traffic for IDENT traffic
             in the INPUT and OUTPUT sections
N          - Deleted the SECONDARYDNS variable from the firewall rule set
             as it did nothing nor could it since both TCP and UDP DNS
             traffic must be wide open to the world anyway.
G          - Added several new /proc terms to secure or ensure settings
             are set:
             - Added TCPSYN checking
             - Added Sanity ICMP filters for
               - ICMP broadcasts
               - ICMP bad error packet
               - ICMP redirects
             - Added Sanity filters for source-routing and spoofed packets
G          - Added explicit but disabled by default filters for different
             types of ICMP traffic to both the INPUT and OUTPUT sections
N          - Added more subsection labels to section 10 to make the
             section easier to navigate
G          - Deleted the SECONDARYDNS variable in the firewall because it
             wasn't used and authoritative DNS servers must have both UDP
             and TCP DNS ports open to the world to work properly.
N          - Cleaned up the DHCP / PUMP issue description section a little
G          - Added a disabled OUTPUT section to support APC Powerchute
             for Linux
G          - Added the new top banner to the rc.firewall file and added
             a top section for end user's personal notations and version
             changes
N          - Added a disabled option for the ICQ MASQ module
I          - For some reason, SMTP OUTPUT on the EXTERNAL interface was
             enabled by default. This is now DISABLED by default.
N          - Put #s in front of the SECUREHOST OUTPUT echo statements
             though the IPCHAINS statements were already disabled.
             Thanks to "Ian Chilton" for the /proc and ICMP ideas.
                                                          [Section 10]
G          Added inline comments to the trinityos.mc Sendmail config
           files for both the Sendmail 8.9 and 8.8 configs to explain
           what each line does.
                                                          [Section 25]
N          Changed the name of the tape backup section to something a
           little more straightforward and obvious
                                                          [Section 29]
N          Updated the PCMCIA section a little
                                                          [Section 34]
N          Updated the APCUPSd section to note that though the official
           APC Powerchute for Linux software not only works but is FREE,
           unfortunately it is NOT compatible with MS Windows Powerchute
           clients for over-the-network shutdowns.
                                                          [Section 36]
N          Updated the IPSEC section to note that typical IPSEC VPNs are
           running a 168-bit cipher.
                                                          [Section 47]
----------------
N 07/03/00 Updated all the old/dead links for IPCHAINS and Netfilter
N          Cleaned up all the stray "X" marks in the URL section. Thanks
           to John Hardy for the prod.
                                                          [Section 5]
N          Noted that I have taken over the POP-Auth documentation and it
           will be posted to my WWW site soon.
                                                          [Section 5]
N          Noted in the various firewall rule sets that newer versions of
           Pump now support script execution upon lease bringup, renew,
           etc. Thanks to Mark Baysinger for this one.
                                                          [Section 10]
N          Updated the verbiage in the Kernel Compiling section to
           reflect that the 2.4.x kernels are about upon us.
N          Updated the 2.2.x kernel example to reflect a 2.2.16 kernel
                                                          [Section 12]
G          Added some headers to the two different NTP scripts and also
           added some inline comments for users who want to set the
           date/time via NTP but save the results in UTC format. Thanks
           to Anders Oreback for this one
                                                          [Section 26]
G          Added a new section called "Gracefully transitioning Internet
           domains through an IP address or ISP change". This section
           takes you step by step on how to best notify the Internic and
           DNS servers of the change without having your domain actually
           stop responding to email, etc.
                                                          [Section 51]
G          Oh wow.. I didn't realize that Section 51 had the wrong name!
           Before, it had a title for patching Tar to support BZip2 and
           NOT "Thoughts and procedures about Patching your
           distribution". Thanks to Chuck Hartley for catching this.
           Regardless, it's now section 52 to make room for the
           "Changing ISPs and/or IP addresses" section
                                                          [Section 52]
----------------
G 07/02/00 Fixed all the broken links that were pointing to
           http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files
           They should have been pointing to TrinityOS-security.
N          Fixed all the "layed" spelling errors. Thanks to
           rcunning@acm.org for this one.
N          Removed the line from the TODO list:
             * Implement external 10.x.x.x and 172.16-31.x.x packet
             * filtering
                                                          [Section 2]
N          Added to the TODO list to modularize the rc.firewall rule set
           so that users can update their firewall without having to
           re-edit and tailor it to their needs.
                                                          [Section 2]
N          Fixed the formatting issues of the /etc/ftpconversions file
           edit. Thanks to wlindley@wlindley.com for the sharp eye.
                                                          [Section 7]
I          Updated the rc.firewall rule set to v3.60
           # Added port 445 for Windows2000 CIFS / SMB filtering for both
           # INPUT and OUTPUT. Also enhanced the informational section to
           # explain what each port does
           # Added EXTENSIVE INPUT and OUTPUT filters for the IANA
           # reserved TCP/IP addressing scheme
           This one comes from good discussions with
           joe@plaguesplace.dyndns.org
           # - Added explicit though disabled Multicast filtering on the
           #   external interface per many users' requests.
                                                          [Section 10]
I          Fixed a typo where the second CHMOD should have been for
           /home/chroot-dns-int and not ext.
I          Updated the root-hints-update script to v2.1
           # v2.1 - Fixed a typo in the CHMOD of the external
           #        root-hints.db file
           #      - Fixed the file ownership of the internal
           #        root-hints.db file
           #      - Changed the default path of where the new
           #        root.hints.new file is to be placed
           #      - Updated to have a backup copy of the INTERNAL hints
           #        file and not just have an EXTERNAL backup
N          Added a new subsection to get to the root-hints.db script
           easier
           # A strong Thanks to dsuthers@naxs.com for these corrections
                                                          [Section 24]
----------------
*C* 06/25/00 Updated the 2.2.x kernel section to remind users that
             2.2.16 is the ONLY secure kernel version available. See
             below.
                                                          [Section 5]
*C*          Roughly June 7th, it was found that Linux running kernels
             less than 2.2.16 had a TCP exploit. I have updated the
             rc.firewall to reflect this info:

             NOTE: All 2.2.x Linux kernels prior to 2.2.16 have a TCP
                   exploit that when combined with tools like Sendmail
                   can lead to a ROOT compromise. In addition to this,
                   all kernels less than 2.2.11 have a fragmentation bug
                   that renders all strong IPCHAINS rule sets void. It
                   is CRITICAL that users upgrade the Linux kernel to at
                   least a 2.2.16+ kernel for proper firewall and system
                   security.
                                                          [Section 10]
----------------
N 06/24/00 Added to the DNS section how to determine the version of BIND
           simply using "nslookup".
                                                          [Section 24]
----------------
G 06/22/00 Updated the /etc/logrotate.d/syslog file to reflect that
           klogd is in /sbin and NOT /usr/sbin in RH 6.1
           Thanks to Phil_Verghese@bigfoot.com for catching that.
                                                          [Section 8]
----------------
N 06/19/00 Added a few options to the TrinityOS "Futures" section
           - Named compiling walk-thru
           - GnuPG / PGP support
                                                          [Section 3]
G          Heavily went over the DNS section
           - Cleaned up a lot of the text, fixed many formatting and
             layout issues throughout this section, etc.
           - Fixed two typos where the path for 212.0.200.100.db and
             192.168.0.db were pointing to chroot-ext and chroot-int
             instead of chroot-dns-ext and chroot-dns-int
                                                          [Section 24]
I          It should be noted that as I mentioned above in the DNS
           changes, I plan on going through all the various TrinityOS
           sections and cleaning out all the old formatting issues, etc.
           that were left over from the SGML port. Though this will take
           some time, TrinityOS will ultimately read and look better.

           It should also be mentioned that I'm in the process of
           bringing up my new Linux box. Since this machine is MODERN,
           I'm updating TrinityOS to reflect the new changes in Linux
           such as the hardware map, Software RAID, as well as updated
           configurations for Sendmail, etc.
----------------
N 05/28/00 Updated the Getdate URL
                                                          [Section 5]
G          Updated the IPCHAINS rule set to v3.59
           # - Fixed an error for the Squid re-direction where all
           #   destination traffic was going to BROADCAST instead of
           #   INTLAN. Thanks to sala@cbint.org for catching this.
           #
           # - Fixed an error where global SMTP allows on all
           #   interfaces were actually limited to the EXTIP address.
           #   This should have been UNIVERSE.
           #
           # - Fixed a typo where the AOL filtering example had the
           #   SMTP port in the destination and not the source address
           #   field.
           #   Thanks to johnh@mdscomp.com for these two reports.
                                                          [Section 10]
G          Made some important updates to the DNS section:
           - The in.addr file for the external DNS zone had the wrong IP
             address in it.
           - Missed setting the chown ownerships for the external zone
             directories.
           Thanks to tcropper@tcrop.net for catching these.
                                                          [Section 24]
----------------
N 04/25/00 Ok, I've started to clean up the SGML code by hand. Though
           Ian's Perl code did 95% of the work, it isn't as pretty as it
           should be.
N          I *DO* know that the PDF looks like crap. I have a possible
           solution w/ the aid of the new version of GhostScript but it
           will have to wait for a week or two.
N          Some of the ASCII border art was mis-aligned. I have started
           this cleanup but it will take some time to clean up all
           issues.
N          The CMOS setup table was mis-aligned. Fixed.
                                                          [Section 4]
N          Started to clean up the formatting of this section. You will
           notice that the fixed sections DON'T have the "X" in front of
           them (the old "checkmark" setup). I also updated the 2.2.x
           kernel to be 2.2.14
                                                          [Section 5]
N          Updated the URL of the TrinityOS security script
                                                          [Section 7]
N          Fixed the formatting issues of the MASQ flowchart.
                                                          [Section 10]
G          Fixed a typo where copying and then moving /usr/sbin/named-ext
           should have been named-xfer. Thanks to rip6@home.com for
           catching this.
                                                          [Section 24]
----------------
G 04/24/00 Finally put up the first SGML version of TrinityOS that had
* Sent     HTML, PDF, PS, etc. versions exported. Finally eh?
Update *
           A HUGE thanks goes out to those users that had given me SGML
           ports in the past but they never were current with the current
           version of TrinityOS. Thankfully, ian.crow@compass-res.demon.co.uk
           wrote a Perl script that converted TrinityOS ASCII to SGML.
           The current version might still have some conversion errors so
           I would love any reports of problems but hopefully, things
           will be smooth sailing from here on!
------------
N 04/15/00 Fixed all "readable" spelling errors. Thanks to
           ashley@pcraft.com for catching these.
H          Updated the sendlogs script.
           # 04/13/00 - Added the $HOST variable to easily tune the
           #            SUBJECT field to reflect the name of your Linux
           #            system. You should edit this to reflect your
           #            system.
#            You should edit this to reflect your system.
[Section 9]
I Updated the IPCHAINS rule set to v3.58
--
# v3.58 - 04/13/00
# - Fixed a pretty serious issue if you were trying to enable the explicit
#   input filters for things like DoubleClick, etc. Basically, I was allowing
#   all internal traffic to get to the Internet before these firewall rules
#   were being inspected. I have now moved the ALLOW ALL internal firewall
#   rule sets toward the end of the INPUT section. Thanks to
#   thomas.stangner@navigon.de for catching this!
[Section 10]
N Missed the reference for pointing users to the Printing section.
[Section 33]
N Moved updates older than 2/21/00 to the old updates list. The URL is given both ABOVE and below.
------------------
N 04/09/00 Changed the name of the DNS section to reflect that the TrinityOS documentation now tells users how to set up DNS in both a CHROOTed and SPLIT Zone environment.
*Sent Update*
[Section 2]
N Removed the "Edit and move /var/log/sendlogs to /usr/local/sbin" line from the Future Features section. It was already done.
[Section 2]
N Removed the "Update the DNS setup to be a SPLIT-DNS setup for additional internal security" Future Feature line now that it's completed.
[Section 2]
N Updated the Feature section to reflect that DNS is now done in both a CHROOTed and SPLIT Zone fashion.
[Section 3]
I In addition to finding that the copy of Sendlogs in TrinityOS was old compared to the archive, I reversed a change I made a while back. Basically, dates from 01-09 will now work properly.
[Section 9]
N Moved all IPCHAINS firewall changelogs older than v3.50 to the old-updates log. The URL is both just above this and at the end of TrinityOS.
[Section 10]
G Updated the IPCHAINS rc.firewall to v3.57
# - Added some spaces in front of the word "Optional" for
#   prettier output upon loading.
# - I've rearranged the enabling of FORWARDING -before- the
#   enabling of MASQUERADING since IPCHAINS complains.
# - As of 2.2.12, the IP_ALWAYS_DEFRAG option has been
#   omitted and is now a /proc configured option. I
#   have now added this to the FORWARD section.
# - Added an echo statement and additional SILENT blocking
#   statements for SMB traffic on the external interface
[Section 10]
N More for a self reminder, I added how to address a NIC in Redhat speak at the end of this section.
[Section 16]
I Wow! This was a LOT more work than I expected but I've finally updated the DNS section to now configure BIND to be in both a CHROOT'ed jail (for security) and have SPLIT Zones for internal and external interfaces. Please see the section for more details on what all this means. I have also slightly reorganized this section and updated and moved the root-hints script.
[Section 24]
I I have updated the TrinityOS archive with all this as well.
------------------
N 04/08/00 Added a URL for additional SSH tunneling help. Actually, I just moved it from Section 30 to 5. I did the same for the Security HOWTO from section 8 to 5.
[Section 5]
G Updated the permissions for the various /etc/cron.* files and also updated them in the TrinityOS-security script.
[Section 7]
N Moved the changing of permissions of /bin/rpm from the bottom of section 8 to section 9.
[Section 7 to 8]
N Moved and updated the URL for the Security HOWTO to Section 5.
[Section 8]
N Updated some of the verbiage in the password section. Also cleaned up and expanded on the daemon enabling/disabling section for both BSD and SysV systems.
[Section 8]
G Added a note for the /etc/hosts.allow file to only use IP addresses and NOT DNS names since they can be spoofed. I also added an example in /etc/hosts.allow to allow all hosts on a given subnet.
[Section 8]
N Fixed two typos in the source directory when moving the logrotate config files for mysql and squid.
[Section 9]
N Added changing the permissions of /etc/issue and /etc/issue.net. I've also added this to the script.
[Section 9]
N Aligned TrinityOS with the script. The "logit" script should be in /root. I also fixed the permissions on it.
[Section 9]
N Added the creation of the apropos database to the TrinityOS script.
N Noted that the "makewhatis" command now runs cleanly in Mandrake 7.0.
[Section 9]
I Holy Cow! The /usr/local/sbin/sendlogs file in TrinityOS was VERY old. Dunno how this escaped me! Sorry! The old version was 11/26/99, the new version is 2/21/00! The version in the TrinityOS archive was ok.
[Section 9]
N Updated the IPCHAINS firewall ruleset to v3.56
# v3.56 - 04/08/00
# - Added the /sbin path to the commented IPCHAINS lines
#   for setting the TOS bits.
[Section 10]
N Deleted the changing of the permissions of IPFWADM or IPCHAINS since they are duplicated in Section 8.
[Section 10]
N Noted that the 2.2.x kernels have PORTFW functionality built in.
[Section 11]
N Updated the top comments that TrinityOS covers the compiling of both 2.2.x and 2.0.x kernels.
[Section 12]
N Updated and reformatted the section for editing of /sbin/ifup to reflect the line numbers for Mandrake 7.
[Section 16]
N Added a note to the SSH section reflecting that SecureCRT v3.x supports the SSHv2 protocol. I also noted that SSHv2 is not free for commercial and educational use. Thus, many people still use SSHv1 servers. I also moved the URL for additional tunneling help from Section 30 to Section 5
[Section 30]
G Added a SysV script file to load SSHd for Linux systems like Redhat, etc. I also clarified that the existing script was for BSD-style systems like Slackware, etc. I also added a few more configuration options for disabling X Windows and SSH tunnels.
[Section 30]
G Added a SysV script file to load SSHd to the TrinityOS-security archive.
------------------
N 04/04/00 ftp.cdrom.com has moved their Linux archives to ftp://ftp.freesoftware.com I have updated the URLs.
[Section 5]
------------------
G 04/02/00 Updated the distribution section to reflect Redhat 6.2 and my thoughts and worries about Mandrake 7.0's installer.
[Section 6]
I Added a security alert / patch recommendation for ircii
[Section 60]
------------------
N 04/01/00 Updated the name of the email section to reflect the support of IMAP4 as well.
[Section 2]
G Added a URL to a HOWTO on the LDP for supporting multiple virtual domains for email.
[Section 5]
G Added a large description of what UUCP, POP3, and IMAP4 are, how they work, and how they are better/worse. I also re-wrote part of it to reflect both POP3 and IMAP4 and IPFWADM and IPCHAINS.
[Section 28]
N Added a pointer to Section 5 for users that need to set up virtual domains for email.
[Section 28]
I Fixed a typo where I was restarting syslog and NOT crond as I was describing. Thanks to tcropper@tcrop.net for catching this silly mistake.
[Section 41]
I Fixed a typo in the TrinityOS archive where "touch /etc/dhcpd.leases" had a stray "A" at the end of the line. Thanks to tcropper@tcrop.net for that one.
------------------
I 3/27/00 Updated the IPCHAINS firewall to v3.55
*Sent Update*
Deleted the text from the IPCHAINS firewall rule set and the DHCPcd section:
--
# *****************************************************
# ABSOLUTELY CRITICAL: If you run the /etc/dhcpcd/dhcpcd-ethX.exe
# file (needed for DHCP'ed DSL and cable modem users), you CANNOT
# also enable the /etc/rc.d/init.d/firewall script below.
# *****************************************************
--
The reason for this is that the firewall script file WON'T be executed if the old IP address for the machine was the same after reboot. So, you need to have:
Redhat: the /etc/rc.d/init.d/firewall script activated
Slackware: the /etc/rc.d/rc.local script load the /etc/rc.d/rc.firewall rule set.
Please NOTE:
------------
I think there still might be some issues with this setup.
The problem stems from the fact that the rc.firewall might get loaded from both dhcpcd's /etc/dhcpcd/dhcpcd-ethX.exe AND /etc/rc.d/init.d/firewall. I'm still looking into this and if you have any comments on this, I'd love to hear from you.
[Section 10 and 35]
*C* There are -6- new security vulnerabilities for Linux that depend on the distribution you are running. Check out this section ASAP!!
[Section 60]
G Updated the TrinityOS archive script to reflect the DHCPcd issues.
N Moved all TrinityOS updates older than 01/03/00 to the Changes Archive. The URL is above.
------------------
N 3/25/00 Updated the SSH URL
[Section 3]
N Fixed a typo where I was calling the "Dial-In Server HOWTO" the "Dial-UP" server HOWTO.
[Section 5]
G Updated the IPCHAINS firewall to 3.54
- Added filters for the new "Shaft" DDoS tools
[Section 10]
------------------
I 03/20/00 Found a typo in the /usr/lib/sendmail-cf/cf/trinityos.mc file. Changed "confSTMP" to "confSMTP". Thanks to frank@pineaus.com for this one.
[Section 25]
------------------
*C* 03/19/00 I -thought- I solved all the DHCPcd issues but it sounds like DHCP users cannot run both the /etc/rc.d/init.d/firewall and the /etc/dhcpcd/dhcpcd-eth0.exe file. This yields BAD results. I have added comments to make DHCP users aware of this in both the IPCHAINS firewall and the DHCP sections.
[Section 10, 35]
I have changed the enabling of the /etc/rc.d/init.d/firewall script from AutoFix to Userfix in the TrinityOS archive script.
------------------
I 03/18/00 Added a top section to clarify why TrinityOS is both Trademarked and Copyrighted:
--
Sorry for all the legal stuff... Yet I've already had one company try to have the name TrinityOS taken from me, and one HOWTO author has already ripped off MUCH of TrinityOS's content though it was re-written to avoid any direct copyright issue. I'm just covering my butt here from the many lowlifes in the world.
--
[Intro]
N Updated the URL for Diald. Thanks to lourdes@ljones.com for this one.
[Section 5]
N Tripwire has gone OpenSource for Linux! Woohoo! They have also released a version that runs on Glibc. I've updated the Tripwire section with all the new URLs. Thanks to lourdes@ljones.com for this one.
[Section 5]
N Added a few URLs for PPPoE
[Section 5]
N Added a few URLs for PPTP and Encrypted PPTP VPNs
[Section 5]
G Added a URL to Robert Graham's FAQ on how to understand what Firewall logs mean.
[Section 5]
N Added a URL for Linux Real Time Messengers (ICQ, AIM, etc.)
[Section 5]
N Deleted the reference to /etc/localhosts. This is OLD stuff. Thanks to lourdes@ljones.com for this one.
[Section 7]
G Fixed the permission setting locations of klogd and syslogd. Thanks to lourdes@ljones.com for this one.
[Section 8]
G Updated the IPCHAINS rc.firewall rule set to v3.52
# v3.52 - 03/18/00
# - Finally found a 100% solution for DHCPcd users out there that
#   get DHCP'ed IP addresses on their external INTERFACE. Changes
#   in the firewall rule set are only the DELETION of comments in the
#   top section to then refer users to the DHCPcd section in TrinityOS
#   for full details (as it should be to minimize confusion).
#
#   The syntax "dhcpcd -D -H $EXTINT /etc/rc.d/rc.firewall" was WRONG.
#
# - Moved the PORTFW variable to be below the SECUREHOST section
#   for clarity.
#
# - Added some comments for PORTFW users on how to allow portfw access
#   to explicit hosts and/or networks.
#
# - Added two more PORTFWIP variables to the IPCHAINS rule set
#
# - Moved the PORTFW section from the INPUT section to the FORWARDing
#   section for better clarity
#
# - Added a section in the general INPUT section for Squid w/ JunkBuster.
#
# - Expanded on the DoubleClick filtering example with network numbers from
#   cwilson@ece.gatech.edu
Thanks to bbass@austin.rr.com for helping troubleshoot this for me.
[Section 10]
G Deleted an extra "#" from the /etc/rc.d/init.d/firewall script that kept it from running with Linuxconf. Thanks to frost@engen.com for catching this one.
[Section 10]
G Updated the IPFWADM rc.firewall rule set to v2.97
# v2.97 - Deleted the DHCPcd commands as the syntax was old and misleading.
#         Update to IPCHAINS for a far superior firewall rule set.
[Section 10]
G Added a recommendation for users to check out Robert Graham's Firewall hit FAQ to understand what their firewall logs really mean.
[Section 10]
I Finally found the proper solution to get users that use DHCPcd on their external interfaces to re-run the rc.firewall rule set upon a lease renew.
[Section 35]
I Updates to the TrinityOS archives:
- Fixed the permission setting locations of klogd and syslogd. Thanks to lourdes@ljones.com for catching this.
- Fixed an error in the TrinityOS archive where chkconfig was enabling "network" instead of "firewall" in the various /etc/rc.d/rc.Xd dirs. Thanks to tcropper@tcrop.net for catching this one.
- Updated the firewall to v3.52
-----------------
N 03/13/00 Added the URL for the DHCPcd homepage
[Section 5]
-----------------
N 03/05/00 jlhaynes@ieee.org informed me that the Trinity site, the first nuclear test site, wasn't in Nevada but White Sands, New Mexico. Thanks James!
N Updated the rc.firewall rule set to v3.51
- Removed a duplicate input filter for spoofed packets, etc. Interestingly enough, trinityos.wri didn't have the duped line. Thanks to leo@leobutler.com for the sharp eye.
[Section 10]
N Updated the TrinityOS archive
------------------
N 02/29/00 Updated the procedures for installing Sendmail manually. Before I did:

   cp /usr/src/archive/sendmail/sendmail-x.x.x/ \
      /usr/lib/sendmail-cf

now it is:

   mkdir /usr/lib/sendmail-cf
   # Create the archive from INSIDE the source tree so the members are stored
   # relative to "." and extract directly into /usr/lib/sendmail-cf, not into
   # /usr/lib/sendmail-cf/usr/src/archive/... (which is what an absolute path
   # given to "tar c" would produce).
   (cd /usr/src/archive/sendmail/sendmail-x.x.x && tar cpf - .) | \
      (cd /usr/lib/sendmail-cf && tar xvpf -)

This fixes an issue where the /usr/lib/sendmail-cf dir isn't already present or when it's on the same file system. Thanks to dsuthers@naxs.com for bringing this to my attention.
[Section 25]
------------------
N 02/26/00 Updated the IPCHAINS rc.firewall to v3.50
- Fixed a minor error in the commented Diald line where the $INTLAN variable needed to have the extra "/24" deleted. Thanks to jonbir@cogs.susx.ac.uk for reporting this.
[Section 10]
G Fixed a missing "fi" statement in the TrinityOS-security.sh script that would kill it after the PPP section.
------------------
N 02/21/00 Added a URL to the PopAuth site for users that have remote users that are having issues with sending email via SMTP. Thanks to Frank Pineau for reminding me about this.
*Sent Update*
[Section 5]
I Doh! When I converted over the date function in the sendlogs script to %d over %e, I should have left the SPACE between the two variables. This will solve the issue where users are getting EMPTY sendlog emails. Thanks to jacob@kjeldahl.dk for catching this.
[Section 9]
N Changed the order of the /etc/rc.d/init.d/firewall commands to be start|stop|reload|status vs. start|stop|status|reload
[Section 10]
G Updated the IPCHAINS firewall ruleset to v3.49
- Added some error checking where if the EXTIP variable is not properly set, the firewall ruleset will abort. Thanks to jkoehler@ma.ultranet.com for the ideas.
- Updated the rp_filter setting to "2" for the highest level of anti-spoof protection.
G Updated the root-hints-update script to send better success / failure update emails. Thanks to jon.marks@novatek.co.nz for the thoughts.
[Section 24]
N Cleaned up a few typos and such in the Sendmail intro.
[Section 25]
G Added a few comments about why sending of email for POP-3 clients might not work and offered a few resolutions. I then referenced the PopAuth URL in section 5 for a complete solution.
[Section 28]
N Changed the date filter to use %d over %e.
[Section 29]
G Updated the TrinityOS-security.sh archive
N Moved all TrinityOS updates older than 11/30/99 to the archives.
------------------
N 02/17/00 Updated the Slackware and Debian descriptions.
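The v3.49 entry above (abort when EXTIP is not properly set), the v3.47 entry further down (dynamic interface names via EXTIF) and the DHCPcd double-loading problem in the 3/27/00 and 03/19/00 entries all describe guards that an rc.firewall script needs before it loads a single rule. The following is an added example, not TrinityOS code, showing those three guards in portable POSIX sh. It assumes (my assumptions, not the page's) that EXTIF defaults to eth0, that `ifconfig` prints the classic net-tools "inet addr:" line, and that the lock directory lives under $TMPDIR; the sample ifconfig output is constructed.

```shell
#!/bin/sh
# Added example, not TrinityOS code: three guards for the top of rc.firewall.
#   1. Derive EXTIP from the interface named in EXTIF instead of hard-coding it
#      (the v3.47 "dynamic interface names" change).
#   2. Validate EXTIP and abort before loading any rule if it is empty or
#      malformed, e.g. a PPP/DHCP link that is not up yet (the v3.49 change).
#   3. Take an atomic lock so the init script and the dhcpcd lease-renew hook
#      cannot run the ruleset at the same time (the double-loading problem).
# Assumptions (mine): EXTIF defaults to eth0, "ifconfig" prints the classic
# net-tools "inet addr:" line, and the lock directory lives under $TMPDIR.

EXTIF="${EXTIF:-eth0}"

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read ifconfig-style output on stdin and print the first "inet addr:" value
# (prints nothing when the interface has no IPv4 address yet).
extip_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Print the validated IPv4 address of interface $1, or complain on stderr and
# return 1. A firewall script must "exit 1" on that failure: a ruleset built
# with an empty EXTIP silently matches the wrong traffic.
resolve_extip() {
    ip=$(ifconfig "$1" 2>/dev/null | extip_from_ifconfig)
    if ! valid_ipv4 "$ip"; then
        echo "rc.firewall: no valid IPv4 address on $1 (got '${ip:-nothing}'); aborting" >&2
        return 1
    fi
    printf '%s\n' "$ip"
}

# Atomic lock via mkdir: it either creates the directory or fails, so only
# one caller (init script OR dhcpcd hook) gets to load the ruleset.
fw_lock() {
    lockdir=${1:-${TMPDIR:-/tmp}/rc.firewall.lock}
    if mkdir "$lockdir" 2>/dev/null; then
        echo "$$" > "$lockdir/pid"
        return 0
    fi
    echo "rc.firewall: already running (pid $(cat "$lockdir/pid" 2>/dev/null)); aborting" >&2
    return 1
}

fw_unlock() {
    lockdir=${1:-${TMPDIR:-/tmp}/rc.firewall.lock}
    rm -rf "$lockdir"
}

# Constructed sample of what "ifconfig eth1" printed on a 2.2-era box, using
# the 212.0.200.100 example address from the DNS section.
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:212.0.200.100  Bcast:212.0.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Typical use at the top of rc.firewall (kept as a comment so this file can be
# sourced without side effects):
#   fw_lock || exit 1
#   trap fw_unlock EXIT
#   EXTIP=$(resolve_extip "$EXTIF") || exit 1
#   ipchains -F     # flush first so a re-run on lease renew rebuilds, not duplicates
#   ... rules using $EXTIP ...
```

Because dhcpcd's hook and the init script both call the same file, the script must be safe to re-run: flush the chains before adding rules so a second pass rebuilds the ruleset instead of appending duplicates, and hold the lock for the whole run so the two callers cannot interleave. One caveat on the rp_filter value in the same v3.49 entry: on current kernels `rp_filter=1` is strict reverse-path filtering and `2` is the weaker loose mode, so check Documentation/networking/ip-sysctl.txt for the kernel you actually run before copying that value.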
[Section 6]
------------------
N 02/15/00 Updated the IPCHAINS ruleset to v3.48
- Added some clarification comments on why I don't log INPUT SMB and NFS rejects (grows the logs much too fast)
[Section 10]
G Added an additional section to the DNS section on how to properly set up a secondary DNS server for someone that has a "subnet of IPs" and not just a single IP address.
[Section 24]
Updated the TrinityOS-security.tgz archive to have a "ls -laR" of the directory
------------------
N 01/29/00 Cleaned up the Index a little
[Section 2]
------------------
N 01/24/00 Posted Robert Hembrook's port of TrinityOS v01/03/00 in both MS Word 2K and PDF. The formatting isn't perfect but it works.
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
------------------
G 01/22/00 Added (4) URLs for ML/PPP. Though these ML/PPP drivers work, some need stability or performance tuning still.
[Section 5]
G Added to the PPP section about current issues (performance, latency, # of lines, etc.) with the various ML/PPP implementations. ML/PPP setup and installation is not included in TrinityOS yet. Thanks to Charles @ chas@pcscs.com for his thoughts.
[Section 22]
G Fixed the compression exclusion for spanned ARJ and RAR files. Also added file exclusions for gif/jpg/mpg.
[Section 29]
------------------
N 01/19/00 Cleaned up the IPFWADM ruleset for the IPSEC firewall rulesets and added examples for IPCHAINS.
[Section 48]
------------------
N 01/17/00 I just overwrote a new TrinityOS that had many updates to it and references to the users that submitted the ideas. Doh! Though I can't remember your email addresses and thus can't give you credit here, I still appreciate your emails. Please keep them coming and I hope I don't do this stupid move again.
N Noted that Mandrake is now on version 7.0
[Section 6]
G Fixed all the "date" issues in the "sendlogs" script. Date now uses %d over %e and doesn't use any spaces. Contributor's email lost.
[Section 9]
G Updated the IPCHAINS firewall to v3.47
- Added a script to support dynamic interface names via the EXTIF variable. Contributor's email lost.
- Clarified that PPP and DHCP users MUST understand that the firewall ruleset MUST know your new IP addresses to work at ALL. Contributor's email lost.
- Removed the #s in the disabled "echo" statements for "SECUREHOST" and "INTERNALHOST" IPs. Contributor's email lost.
- Added UDP for NTPd time serving. Please note that some NTP servers use TCP while others use UDP. Contributor's email was lost.
[Section 10]
G Fixed the date issues in the "build-it" script to use %d over %e and remove any spaces in the date format. I also changed the layout a little and added some beeps at the end. Contributor's email lost.
[Section 14]
G Updated the following scripts to use "%d" instead of "%e" in the date setup:
bru-fullbackup
bru-viewtape
bru-find-changes
bru-restore
[Section 29]
N Added (4) security RPMs
[Section 60]
------------------
N 01/03/00 TrinityOS is starting to get some good press. Sharing a Six Pack:
http://www.linuxcare.com/news_columns/tales/index.epl
------------------
Moved all IPCHAINS firewall changes older than v3.50 to the old-updates log:
# -------------------------------------------------------------------------------
# v3.49 - 02/21/00
# - Added some error checking where if the EXTIP variable is not
#   properly set, the firewall ruleset will abort. Thanks to
#   jkoehler@ma.ultranet.com for the ideas.
#
# - Updated the rp_filter setting to "2" for the highest level of
#   anti-spoof protection.
#
# v3.48 - 02/15/00
# - Added comments about NOT logging INPUT SMB and NFS traffic because
#   of log file size issues
#
# v3.47 - 01/15/00
# - Added a script to support dynamic interface names via the EXTIF
#   variable
#
# - Clarified that PPP and DHCP users MUST understand that the
#   firewall ruleset MUST know your new IP addresses to
#   work at ALL.
# --
# v3.46 - 01/09/00
# - Removed the #s in the disabled "echo" statements for SECUREHOST,
#   INTERNALHOST IPs
# - Added UDP for NTPd time serving. Please note that some
#   NTP servers use TCP while others use UDP.
#
# v3.45 - 12/26/99
# - Added an echo statement for explicit INPUT filters
# - Reordered the INPUT section a little to flow with the explicit INPUT filters
# - Moved the explicit OUTPUT filters to be BELOW the explicit ALLOWs
# - Added an explicit output filter for un-authorized IPSEC VPNs
# - Moved a few of the OUTPUT spoofing filters to be in the explicit
#   output filter section
#
# v3.42 - 12/19/99
# - Doh! Didn't delete the garbage at the top before the #!/bin/sh line!
# - Cleaned up some formatting, added more echo statements. Nothing
#   critical
# --
# v3.41 - 12/18/99
# - Added a commented section on setting the TOS bits
# - Added a recommendation for ICQ users to change the UDP timeout
# --
# v3.40 - 12/14/99
# - Added filters for the new Trinoo trojan flooder
# - Fixed typos for commented out ECHO lines that had a missing open "
# --
# v3.35 - 11/26/99
# - Changed a typo where the ruleset would run but say it was version 3.20
# - Added #ed out echo lines for optional sections that could be re-enabled
#   by the user. This makes the ruleset execute more readably
# - Added more SECUREHOST variables (5 in total now) and reordered them a
#   little to be more consistent
# - Fixed the default ruleset to NOT allow the server to be an NNTP server
# - Added an explicit INPUT filter to block SMB traffic IN or OUT on the
#   external interface
# - Deleted the generic Samba filter since it works on ALL interfaces which
#   wasn't granular.
# - Added explicit OUTPUT filters for SMB traffic
# - Added a blurb that someday, we won't have to allow out ALL high ports
#   (stateful)
# --
# v3.30 - 10/28/99
# - Re-ordered the ruleset to set the policies first and then flush them
#
# - Moved the enabling of the kernel's IP forwarding to the END of the
#   firewall to slightly strengthen the ruleset.
# --
# v3.20 - (9/26/99)
# *CRITICAL* The ordering of the ACCEPT of the HIGH PORTS in the
#            output ruleset was WRONG!! Moved them to be AFTER
#            all the various REJECT lines but before the final
#            output reject.
#
# Several comment additions
#
# Changed the DGW variable to EXTGW, added the XWINDOWS_PORTS variable.
#
# Put a copy of the actual firewall ruleset up on the WWW site
# --
# v3.13 - (9/20/99)
# Added a commented FORWARD ruleset to support Diald users that
# have a SL0 slip interface
# --
# v3.12 - (9/14/99)
# Very minor: Aligned the IP examples with the TrinityOS
# search/replace section.
#
# Fixed the IPCHAINS ruleset to use the $EXTIF variable when doing the
# dynamic EXTBROAD variable. It was hard coded to ETH1.
#
# Added additional explicit OUTPUT filters for NetBus Pro, Win Crash,
# Socket De Troye, and the Unknown Trojan Horse (Master's Paradise
# [CHR]) trojans in the OUTPUT filter of the IPCHAINS ruleset.
# --
# v3.11 - (9/8/99)
# Enabled external DHCP client access per default for cablemodem
# and DSL users. This change involves enabling both INPUT and
# OUTPUT rules.
# --
# v3.10 - (9/7/99)
# - Enabled SYN checking on all HIGH ports. This is VERY important
#   and I recommend ALL users to use this newer ruleset.
#
# - Fixed the syntax of the disabled "ipmasqadm portfw" command
# - Added the enabling of all "rp_filter" anti-IP spoofing mechanisms
# --
# v3.00 - Cleaned up parts of the ruleset and re-ordered parts of it
# --
# v2.97 - Fixed a typo in the IPCHAINS port that named the external
#         interface's IP address variable "EXITIP" instead of
#         the correct "EXTIP".
# --
# v2.96 - Some minor formatting changes
#
# - Changed David C.'s default behavior of the external NIC
#   having DHCPed IP addresses to STATIC IPs
#
# - *IMPORTANT*
#   Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable areas
#   that DHCP users should use "dhcpcd" with the -c option to re-run
#   the ruleset upon lease renews. It is also mentioned that both
#   DHCP and PPP users need to get their EXTBROAD and DGW addresses
#   dynamically.
#
# - Changed the debug system to re-create the debug log each time
#   (removed one of the >'s at the top of the debug setup)
#
# - Updated the original IPCHAINS port ruleset to v2.95
# --
# v1.01 - Remove row with just -o.
# - Replace -o with $LOGGING.
# - Use service names instead of service numbers.
# - Remove rows that appear to give full access to all protocols.
# - Add logging option variable.
# - Make the order a bit more logical.
# --
# v1.00 - Original TrinityOS v2.94 firewall port of TrinityOS ruleset
#         from David Cittadini
#
# -------------------------------------------------------------------------------
------------------
G 01/02/00 Added the URL for downloading all the various port-numbers, protocol-numbers, etc. from the IANA. To me, ALL of these files belong in a globally readable directory in /etc/iana.
*Sent Update*
[Section 5]
G Added a pointer to this IANA archive when describing how to read a firewall IPCHAINS hit.
[Section 10]
G Fixed two typos in the TrinityOS-security.sh archive. A missing ending " and a missing "rc.d". Thanks to loren@siebert.org for the heads up.
N Moved all TrinityOS updates older than 11/25/99 to the TrinityOS-updates list. URL is above.
------------------
N 01/01/00 Hehehe.. gotta love that date eh? Anyway, just added a link to the Linux Application page. Lots of these good links are on my main Linux page but some need to be in TrinityOS.
[Section 5]
N Added a URL for Ethereal. An EXCELLENT GUI network sniffer.
[Section 5]
N Fixed a missing ">" on line 139.
Thanks to gary@edisoninfo.com for this one.
[Section 9]
Updated the TrinityOS-security.sh archive too.
------------------
N 12/29/99 Updated the info in the Partition recovery tools to denote which ones were Linux and DOS utils. As it stands, I lost the partition table on my laptop due to Dell's new "Resume-from-Disk" feature that actually OVER-WROTE my partition table. Grrrr..
[Section 51]
------------------
G 12/26/99 Updated the TrinityOS firewall to v3.45
- Added an explicit filter for unauthorized IPSEC VPNs
- Reordered some input and output filters for better end-user customization.
G Updated the TrinityOS-security archive
G It's HIGH on my list to make the TrinityOS ruleset modular. What this means is when I update the ruleset, you won't have to re-edit the ruleset itself. All end-user configs that are specific to your environment will be in a different config file, something like /etc/rc.d/rc.firewall.config
------------------
G 12/23/99 Updated the TrinityOS-security.tgz archive
- Updated the firewall to 3.43
- Fixed the init.d directory to be in the right place
- Updated the DHCPcd syntax
N Added a new "Completed" section on "LILO / File System Recovery" which is Section 51.
[Section 2]
N Cleaned up and expanded on the "Feature section" of TrinityOS
[Section 3]
G Added a Feature section for "Recovery" noting that TrinityOS covers recovery from when your box was hacked into and the recovery of LILO / File system problems.
[Section 3]
G Updated the rc.firewall to v3.43
- Updated the DHCPcd syntax in the firewall ruleset
[Section 10]
G Updated the DHCPcd section to reflect the newer DHCPcd syntax.
[Section 35]
I Added a whole new section on MBR, partition table, and file system recovery and tools.
[Section 51]
------------------
N 12/22/99 Updated the URL for Robert Ziegler's firewall site
[Section 5]
------------------
N 12/20/99 Updated the SSH alias in /etc/bashrc to use a full path
[Section 30]
------------------
G 12/19/99 Added a URL to RPMLevel from the author of RPMWatch. This tool might turn out to be easier than AutoRPM.
[Section 5]
G Updated the IPCHAINS ruleset to v3.42
- Fixed a HUGE error of the text above the #!/bin/sh line
- Cleaned up and added a few more ECHO lines
[Section 10]
G Changed the method of loading of the rc.firewall script to be more Redhat-ish. To be specific, I created a /etc/rc.d/init.d/firewall script instead of the manual editing of /etc/rc.d/init.d/network to load the rc.firewall script.
[Section 10]
G Updated the TrinityOS-security archive to TrinityOS-security-121999.tgz
- Added the new v3.42 ruleset
- Changed the firewall to load after the network comes up via the Redhat method of /etc/rc.d/init.d/firewall
------------------
G 12/18/99 Added the URL for the ICQ kernel modules and their versions. As it stands, there is a new version for the 2.2.x kernels that is greatly improved.
[Section 5]
N Updated the IPCHAINS ruleset to v3.41
- Added a commented section on setting the TOS bits
- Added a recommendation for ICQ users to change the UDP timeout
[Section 10]
------------------
N 12/16/99 Added URLs for WU-FTP
[Section 5]
N I've started adding Application and Game URLs. Namely I've added the URL for Xshipwars that looks VERY cool.
[Section 5]
I Added a new security warning about a root exploit with HTDIG v3.1.x. Please note this is NOT a standard install on Redhat. This is initially focused at Debian users *if* it is installed.
[Section 10]
------------------
G 12/14/99 Updated the TrinityOS-security.tgz archive. URL is above.
G Added the LogSurfer URL. This tool is like Swatch but it understands states to better detect attacks! Very cool!
[Section 5]
I Updated the rc.firewall ruleset to v3.40
- Added filters for the Trinoo flooder
- Fixed typos with commented "echo" statements that were missing the front "
[Section 10]
-------------------
N 12/11/99 Updated the PCMCIA URL
[Section 5]
-------------------
N 11/30/99 - Fixed a typo that had "window 8192" instead of "window 16384".
[Section 16]
---------------
N 11/28/99 - Updated the name of the SSH chapter
*Sent Updates*
[Section 3]
N - Added a future feature to add a new IPCHAINS firewall for single interface users (eth and ppp)
[Section 3]
N - Added URLs for the CHKLOGS, Swatch, and LogCheck tools
[Section 5]
N - Added the URL for IPTraf, an excellent Ncurses network sniffer/monitor
[Section 5]
N - Added a URL for a high level intro to Linux hardware and software RAID support
[Section 5]
I - Added a URL for AutoRPM and mentioned that RpmWatch will be phased out since it doesn't work with Redhat's new WWW layout for Redhat 5.2 and newer distro update pages.
[Section 5]
N - Added/Changed TrinityOS search/replace entries for:
  - PPP dialin accounts
  - the username replacement field
  - Added (2) more Explicitly allowed hosts
[Section 5]
G - Fixed permissions (made recursively) for all cron directory entries
[Section 5]
G - Clarified the umask issue with multiple user systems
[Section 5]
G - Changed the perms for /etc/rc.d/init.d from 700 to 770 in favor of administration groups instead of just root users.
[Section 7]
- Changed some verbiage:
N - Put the Redhat section on top and Slackware on the bottom
N - Put in a testing criteria for shadow passwords and noted that RH6 already supports shadow passwords.
N - Put the MD5 method for shadow passwords on top
[Section 7]
G - Setting the sticky bit for /tmp/.X11-unix wasn't working (using 1777) so I used a different method (u+t).
[Section 8]
N - Changed the Redhat / Slackware order for the configuration files.
[Section 9]
G - Added permission changes for Slackware SYSLOG files
[Section 9]
G - Added extra file permission checks for SYSLOG files
[Section 9]
G - Added the option of how to disable the "--MARK--" lines in the various syslog files.
[Section 9]
G - Tuned a few more syslog files to compress via logrotate.d
[Section 9]
I - Removed the /etc/rc.d/rc.local lines that start the firewall and CDROM programs, moving them to their appropriate TrinityOS chapters. This is the kind of leftover old TrinityOS crap that needs to be cleaned up. I'm getting there.
[Section 9]
G - Cleaned up the "logit" script verbiage a little and deleted the "recycle" script as it only pertained to the old "logit" script that used tail to send logs to TTY7/8
[Section 9]
N - Mentioned that the "sendlogs" script will be REPLACED once I implement something like Swatch or CheckLog.
[Section 9]
G - Significantly cleaned up the "sendlogs" script and added the search for RCMD files as well.
[Section 9]
N - Moved the new "sendlogs" script to /usr/local/sbin
[Section 9]
G - Added running the "makewhatis" program manually for new installations; if you get ERRORs running this command, there are instructions on how to fix them.
[Section 9]
G - Appended to the logrotate section how to fix some of the logrotate errors you might be receiving via email.
[Section 9]
N - Changed the /etc/bashrc file a little to give non-root users a "green" prompt and ROOT users a "red" prompt.
[Section 9]
I - Updated the IPCHAINS ruleset to v3.35
[Section 10]
N - Updated the kernel configs for the 2.2.13 and 2.0.38 kernels
[Section 12]
N - Reversed the kernel configs so that 2.2.13 is first and then 2.0.38 second
[Section 12]
N - Added a blurb regarding that Setserial isn't really needed for modern 2.2 kernels to get 115,200.
[Section 16]
N - Added a check when adding rc.serial to rc.sysinit
[Section 16]
N - Cleaned up some verbiage about the /etc/aliases file
[Section 18]
N - Removed the references for NetWatch.
Use IPTraf instead.
[Section 21]
G - Updated /etc/ppp/options file to use LOCKs and to reflect the modern PPPd config file setup
[Section 22]
G - Changed the formatting of this section
[Section 22]
I - Integrated my old separate PPP docs into TrinityOS
[Section 22]
N - Cleaned up the formatting a little and updated the example root-hints.db file
[Section 24]
G - Updated the trinityos.mc file to reflect the paths for procmail and how to do some .cf tricks via the .mc files directly. Thanks to lourdes@ljones.com for some of the tips.
[Section 25]
G - Disabled sendmail help in the /etc/sendmail.cf file.
[Section 25]
G - Added xntp support in addition to getdate
[Section 26]
N - Deleted the references to PPP within the NTP script
[Section 26]
N - Made a clarification that this example ONLY runs on eth1
[Section 27]
G - Added the config to have DHCPd load upon boot
[Section 27]
N - Updated the title of the chapter
[Section 30]
N - Cleaned up a few things in the verbiage to configure SSH
[Section 30]
G - Moved the "ssh" alias to /etc/bashrc
[Section 30]
G - Added a whole subsection on how to do SSH tunnels with UNIX clients. It's pretty simple once you see it