04/15/00

TrinityOS(TM)(c)
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri

Written, Maintained, Trademarked, and Copyrighted by David A. Ranch (dranch@trinnet.net)

+--------------------------------------------------------------------------------+
|  ** Best viewed in a GUI WWW browser or MS Wordpad.                            |
|     Sorry, it will look like CRAP in Lynx **                                   |
|                                                                                |
|  ** If you want to PRINT this document, set your printer to LANDSCAPE mode **  |
+--------------------------------------------------------------------------------+
|  --- All of these issues will be resolved once the SGML port is completed ---  |
+--------------------------------------------------------------------------------+

==================================================================================
==  Sorry for all the legal stuff...
==
==  Yet I've already had one company try to have the name TrinityOS taken from me and
==  one HOWTO author has already ripped off MUCH of TrinityOS's content, though it was
==  re-written to avoid any direct copyright issue. I'm just covering my butt here
==  from the many lowlifes in the world.
==================================================================================

Intro:

TrinityOS is a complete Linux server configuration, maintenance, and security guide
for the Linux novice and guru alike! Though there are a LOT of features covered in
TrinityOS, you don't have to implement all of them. All I can say is, if you are going
to connect the Linux box to the Internet, at least INSTALL the packet firewall!!

This document is tailored as a step-by-step, example-driven document instead of a
detailed explanation doc on each Linux feature. It doesn't go into many debugging
aspects since the Linux Documentation Project's (LDP) HOWTOs already cover this.

The TrinityOS document is intended for a technical audience, but hopefully everything
is laid out well enough that a new user should be able to follow along without too
much trouble!
------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted
out for an automatic installation at:

   http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz
------------------------------------------------------------------------------

* For the curious, the name TrinityOS and my company, Trinity Designs, are NOT
  derived from being religious (the holy Trinity). The name "Trinity Designs" came
  from the Trinity Alps in Northern California, and "TrinityOS" came from the name
  of the first atomic bomb testing site in White Sands, New Mexico.

================================================================================
Like any UNIX document, it must be updated constantly to remain relevant. I will
do my best to maintain this document, but all comments, ideas, etc. are appreciated
to keep TrinityOS valuable!
================================================================================

This guide was initially based on the Slackware v3.2 distribution, but due to a
disk crash I then installed Redhat 5.0 to try it out. From that point on, I now try
to make the TrinityOS doc reflect other distros.

Note: Most of the initial functionality given in this document is already available
in a modern-day distribution such as Redhat5, Debian, SuSe, etc. If you are using
any distribution other than Redhat, Debian, etc., you will need to use this doc as
a *reference* or a project management guide only. You will then need to obtain the
various software sources or binaries by hand and configure the software via its
native methods.

** Please note that this document will always be "Under Construction". **

Everything in the "Current Features List" has been implemented and should be
documented. Some things in the "Future Features" section have already been
completed, though not necessarily documented yet.
If you have any specific questions about the "Future" or "Current features".. feel
free to ask!

#### Tangent ####

If you have come to this doc directly, you also might want to check out the rest of
my WWW page at:

   http://www.ecst.csuchico.edu/~dranch

It covers other topics such as:

   Who am I          (Why did I do all this?)
   ISDN technologies (T/A & router evaluations, etc)
   RAS technologies  (xDSL, 56K modems, PPP optimizations, etc)
   PC Hardware       (overclocking, chipset & BIOS discussions, etc)
   Cablemodems       (how they work, the system I setup, @Home, etc)
   Linux             (TrinityOS, book reviews, other links, etc)
   Researching ISPs  (How to pick a good ISP)
   Bookmarks         (Check out my extensive WWW bookmarks)

*********************************************************************
** Would you like to be notified when I update my WWW page or      **
** specifically the TrinityOS doc?                                 **
**                                                                 **
** Every "update" e-mail is based from both the ChangeLog WWW page **
** and the TrinityOS ChangeLog section so you will know what was   **
** exactly updated without any extra fluff.                        **
**                                                                 **
** If you're interested, send an e-mail to                         **
**                                                                 **
** mailto:dranch@trinnet.net                                       **
**                                                                 **
** with a subject of "Add me to your updates list" and I'll add    **
** you to the list!                                                **
**                                                                 **
** -PS- In the same request email, tell me what specifically you   **
** were/are looking for on my WWW page or in TrinityOS.            **
** I'm always taking new requests for additions and expanded       **
** coverage of topics already on my page.                          **
**                                                                 **
** So don't be shy!                                                **
*********************************************************************

=================================================================================
Section 2 - TrinityOS Table of Contents

Section  1 - Introduction
         2 - TOC: TrinityOS Table of contents (this section)
         3 - TrinityOS Feature set
         4 - Hardware layout: An example of complete documentation on hardware
             configuration (I/O and disk maps)
         5 - URLs: Software URL download map and checklist
         6 - Distros: Thoughts on Picking a Linux Distribution
         7 - Initial Steps: Installing a distribution, patching it, and doing a
             Search/Replace on TrinityOS
         8 - Initial Security: Initial System Security [CMOS setups, TCP wrappers,
             shadow passwds, etc]
         9 - Logging: Advanced System Logging and some Cool Tips
        10 - Firewalls: How Packet firewalls work; initial configuring of an IP MASQ
             startup; Configuring STRONG firewall rulesets for both IPFWADM and
             IPCHAINS for single and multi-NIC setups
        11 - MASQ tools: Patching a 2.0.x kernel for Ipportfw, Compiling, and installing
        12 - Kernel Compiling: Initial Linux 2.0.x and 2.2.x kernel compiling
        13 - PPP: Compile PPPd
        14 - Kernel Compiling #2: Final Linux Kernel compiling and installation
        15 - Lilo: Lilo configuration and installation
        16 - Network: Additional RC script configuration and TCP/IP network optimization
        17 - Firewalls #2: Patching, Compiling, and installing IPFWADM for 2.0.x kernels
        18 - ROOT MAIL: Mail aliases for system administration
        19 - Clean up: Preparing for reboot and clearing the logs
        20 - MASQ Modules: Verifying MASQ module installation
        21 - Sniffers: Install the TCPDUMP sniffer for tracing traffic (only needed on
             OLD distros)
        22 - PPP: PPPd configuration [For both PRIMARY and BACKUP PPP connections]
        23 - Diald: The configuration of Dynamic dial on Demand [For Analog and ISDN
             modem users only]
        24 - DNS: The acquiring, installation, and configuration of both Primary and
             Secondary servers in a CHROOTed and SPLIT Zone environment
        25 - SMTP: Sendmail configuration w/ domain masquerading & spam filters
        26 - NTP: Setting up NTP Time calibration
        27 - DHCPd: DHCPd SERVER configuration
        28 - EMAIL: POP3 and IMAP4 e-mail services
        29 - BACKUP: Backing up your box (minimum files to floppy and full backup to
             tape with BRU)
        30 - SSH: Securing Terminal, FTP, X-windows, and tunnel encryption with SSH v1/2
        31 - RAID: Software RAID 0 : (striping) support
        32 - CD Changer: Installation / Setup of a SCSI CD-ROM Changer
        33 - Samba: Setup the Microsoft File and Print Services for UNIX
        34 - PCMCIA services installation and configuration
        35 - DHCPc: Client DHCP for xDSL / Cablemodem users
        36 - APCUPSD: Full automation of a APC UPS
        37 - WWW: Installation & configuration of the Apache WWW server
        38 - File monitors: Installation of the Tripwire file monitor system
             [Not Complete]
        39 - CDR Backup: Backing up the new system Linux to a CD-R [Not Complete]
        40 - NFS: Setting up, testing, and securing NFS
        41 - EXT2: File system tuning
        42 - Dial-in: Terminal & PPP access via a modem
        43 - Patch Notifiers: Automated RPM notifier / updater (not complete)
        45 - Port Scanners: NMAP portscanning to test your packet firewall
        46 - Security Audits: So you think you are being hacked.. Confirm it!
        47 - Printing: UNIX and Samba Printing
        48 - VPN: IPSec (SWAN) Virtual Private Network (VPN) [Almost complete]
        49 - HD Performance: IDE HDs performance optimization via hdparm
        50 - SPAM: Dealing with unwanted email and other types of traffic and how to
             stop it
        51 - File System Recovery: How to fix LILO and file system problems
        60 - Security: Final Security and up-to-date Linux Security & patching
             (NEVER ending story. Check back OFTEN!)
        --
        99 - FAQ: Common observations, Q&A, etc..
       100 - Changes: TrinityOS "CRITICALITY" list and ChangeLOG

================================================================================
Section 3 - Feature Sets

Current Features:

Linux Distribution Thoughts:
----------------------------
  + Thoughts and recommendations on picking a Linux distribution
  + A Search & Replace Key to customize this doc to YOUR environment for easier
    implementation

Core OS setup:
--------------
  + Setting up, compiling, installing, booting a 2.2.x / 2.0.x kernel
  + Lilo configuration and security
  + Sound Blaster 16 sound support
  + PCMCIA / CARDBUS PC-Card Services
  + Software RAID 0 (striping) hard drives
  + 7-CD SCSI CD-ROM changer system
  + Stabilizing the Linux EXT2 filesystem
  + Automated Patching via RPM notifiers
  + EXT2 file system tuning
  + IDE HDs performance optimization via hdparm
  + Dual printer support for both UNIX and Samba hosts

Network Connectivity:
---------------------
  + Full LAN masquerading (NAT or Network Address Translation) using private IP
    addressing
  + Masq IP port forwarding support (IPportfw)
  + Dual 10Mb/s Ethernet network card support setup and TCP/IP Performance
    optimization (modem and cablemodem users)
  + PPP connectivity for primary PPP connectivity AND backup PPP connections
  + Dial-on-Demand (Diald) Internet connections (modem users)
    - Automatic Internet connections every 15 minutes (modem users)
  + Direct dial-in terminal / PPP access via a modem
  + How to setup fully authoritative primary and secondary DNS servers (Bind v8.x)
    in a CHROOTed and SPLIT Zone configuration.
  + How to apply for a full Internet domain name via Network Solutions
  + Full Sendmail e-mail system support w/ domain masquerading & Anti-SPAM measures
    with support for more than one Internet domain on one EMAIL server
  + Full documentation on how to understand and FIGHT all that SPAM email
  + DHCP server for other LAN machines (laptops, etc)
  + DHCP client setup for TCP/IP addresses
  + Apache WWW server
  + Samba : Full Microsoft Windows file & printing support
  + NFS: Full Sun RPC-based Network File System support
  + NTP time calibration
  + Full UNIX (SMB) printing
  + POP-3 remote email service

Security:
---------
  + Complete physical and OS-level security recommendations and guidelines
  + Actively Updated Linux system security and patching (Shadow passwords, etc)
  + Advanced SYSLOG logging and nightly filtered reports emailed to the root user
  + Advanced packet filter firewall rulesets
      Complete intro on how packet and Stateful Inspected firewalls work
      Examples given using either IPFWADM (2.0.x kernels) or IPCHAINS (2.1.x + kernels)
  + Full SSH telnet support [Future: X-windows encrypted tunnels]
  + IPSEC (Swan) VPN [Almost Complete]
  + TrinityOS "CRITICALITY" rating in the CHANGELOG section to gauge the level of
    urgency of security vulnerabilities, system mis-configurations, etc.
  + Tripwire Security Breach monitoring [not completed yet]
  + NMAP portscanning to test your packet firewall
  + Figuring out if you have been hacked.. Confirm it!
  + Prioritized ChangeLog to let users know what changes are and are NOT too important
  + Anonymized Sendmail Banners

System backup:
--------------
  + Minimum backups to floppy
  + Full tape backup via BRU with emergency restore diskette creation
  + Full APC SmartUPS powerdown support (APCUPSd) w/ paging support
  + Backing up the server to a CD-R [not completed yet]

Hard Disk Recovery:
-------------------
  + How to recover from your box being hacked into and how to RE-secure it
  + How to fix LILO problems and file system corruption

Future Features: (Won't be implemented in any particular order)

  * TrinityOS To-dos:
    - Move this doc over to SGML format!!!!!!
    - Add more "Configuration via GUI tools" sections

  * Network stuff
    - Add a single interface IPCHAINS rc.firewall for eth0/1/2 and ppp0/1/2 users
    - Remove LPR and replace it with LPRng
    - Mail Backup: Setup high cost MX records and ETRN email backup
    - IPv6: Configure and setup IPv6 and possibly setup a IPv6 tunnel via the 6Bone
    - Dial Backup: Add automatic analog modem dial backup when the ADSL/Cablemodem
      goes down
    - CODA: Replace NFS support with CODA
    - Implement IMAP4 for a complete email subsystem
    - Add a CACHING only setup for 8.1.x DNS
    - Setup a email list server (MajorDomo, Petidomo, dunno yet)
    - Email sent dynamic IP address exception requests for access through the TCP
      Wrappers and the IPFWADM rulesets
    - DHCPc client setup for Cablemodems
    - 128-bit encrypted Apache SSL WWW server
    - Move over to xinetd for better DoS protection
    - WWW Proxy services
    - WWW banner ad filtering

  * Security Stuff
    - Replace the Sendlogs script to use either Swatch or LogSentry
    - Automate the firewall hits logging for trend analysis
    - Implement external 10.x.x.x and 172.16-31.x.x packet filtering
    - Add a WATCHDOG feature to the rc.firewall ruleset so that if you make an error
      in the firewall ruleset and the ruleset doesn't complete, a backup ruleset will
      be automatically loaded to restore connectivity.
    - Install PGP / GPG for secure and/or verified communications to: other users,
      Internic, binaries/source code verification, etc
    - SATAN / COPS / ISS security testing

  * Application stuff
    - Implement Procmail to do local email filtering
    - Setup fetchmail to get remote email vs. setting up a remote .forward
    - Full SVGA X-Windows support w/ the WindowMaker window Manager (Xfree only.
      Metro-X sucks)

  * Administration stuff
    - Up the logging time on the UPS to 1 second increments and then plot all the
      stuff with GNU Plot to then be emailed via "Sendlogs"
    - Rotate the UPS logs
    - Implement automatic weekly incremental tape backups to the TR4 tape drive.
    - BZip2 compression w/ tar patches

  * System Stuff
    - Iomega parallel ZIP drive support

=================================================================================
=================================================================================
Section 4 - Hardware Configuration

This document uses methodologies that I have developed over the years. Some of
these docs have saved my butt on several occasions (Drive partition maps, I/O and
IRQ maps). This may seem like a pain in the butt to do initially, but when you need
them.. YOU NEED THEM!
--

- Distribution:
  - Redhat 5.0 w/ all available patches
  - Kernel v2.0.38

Hardware Used:
  - ASUS GX4 Motherboard / 256k 2nd level cache (2 VLB slots)
  - AMD 486-160Mhz/40MB RAM

    NOTE: Though sick.. this machine doesn't have a free IRQ, IDE port, or SCSI ID
          available. This system is MAXED out!
- Network:
    Eth0: 3Com 3c509 (IRQ 9) - cablemodem interface
          *Configured for: - No modem  - optimization: Server
    Eth1: 3Com 3C509b (IRQ 12) - Internal LAN interface
          *Configured for: - No modem  - optimization: Server

- Video: Orchid ProIIs ET4000 w/1MB RAM (ISA)

- Sound: Sound Blaster 16 (IRQ 10; DMA 1,6; Port 220, CD-Port 300)

- Controllers:
  - Generic EIDE Controller (VLB) (IRQ 14,15)
  - Adaptec 2842b VLB SCSI controller (IRQ 11, DMA 5, port CC00, BIOS D000)

- Hard Drives:
  == In the primary system case ==
  - HDA: Western Digital Caviar 1.0GB (EIDE)[128k][LBA] [Mode 3-able]
  - HDB: Empty
  - HDC: Maxtor DiamondMax+ 10.0GB (UDMA)[512k][LBA] [Mode UDMA]
  - HDD: Seagate Medalist 540MB (EIDE)[124k][LBA] [Mode 3-able]

  == In the secondary RAID case ==
  - SDA: Seagate ST31200 1.05GB
  - SDB: Hp (IBM 2GB Ultrastar)
  - SDC: Conner CP30540 540MB

- CD-Roms:
  - SCD0: Philips Quad
  - Nakamichi 7-disk CD-ROM changer (external)

- Tape Drives:
  - Hp T4000s TR4 4/8GB SCSI tape drive (in the RAID case)

- I/O: (See docs on IRQTUNE to better understand why these are like this.
        It makes a difference!)
    ttyS0: USR Courier v.Everything (IRQ 4)
    ttyS1: Dec Hub console (IRQ 3)
    ttyS2: APC SmartUPS UPS (IRQ 3)
    ttyS3: Logitech 3b mouse (IRQ 5)
    LPT1:  Hp LaserJet-IIp (UNIX & Samba share)
    LPT2:  Epson Stylus 500 Color (UNIX & Samba share)

BIOS Setup (Specific to the ASUS GX4 Award BIOS)

- This is abbreviated here for me. These settings will mean NOTHING to you, but you
  ---really--- should write down the CMOS settings for your box.
Standard:
  Drive C: 1024GB LBA
  Drive D: 1224GB LBA
  Drive E: 2722GB LBA  - BIOS does NOT support this 10GB drive for DOS
  Drive F: 540MB LBA

Features:  Chipset:
  - Disabled - ON - Setup Auto-Disabled Auto Sync - Enabled - High - Enabled BUS 1/4
  Write-Thru - Enabled - Enabled - Disabled Speed- faster 1 - Enabled - Disabled -
  Disabled 0 2 - C, A - 6 - Disabled 1T Non - Disabled - 250 Enabled Disabled -
  Disabled Enabled Enabled Enabled 2uS T2

Installed cards:

  VLB EIDE Controller w/ I/O [2-16550]
    IDE0:     Enabled
    IDE1:     Enabled
    Joystick: Disabled
    Serial1:  Enabled   COM1/IRQ4 (modem)
    Serial2:  Enabled   COM2/IRQ3 (UPS)
    Parallel: Enabled   LPT1/polling (Hp LJ printer)

  VLB 2842B SCSI controller
    SCSI:   Enabled      * Be sure that the SCSI setup, accessed via
    Floppy: Disabled     * upon reboot, has *ALL* devices set
    Port:   CC00         * for 10Mb/s, DISCONNECT, and Send-Spin-UP command
    BIOS:   Enabled
    BIOS:   D000

  ISA Multi-I/O
    Serial1:  Enabled   COM3/IRQ3 (HUB)
    Serial2:  Enabled   COM4/IRQ5 (Mouse)
    Parallel: Enabled   LPT2/IRQ (Epson SC500 printer)
    Joystick: Disabled

  SoundBlaster16:
    Joystick: Enabled

------ I/O Maps and "Expert" fdisk partition tables -----

IRQ Map:
   0: timer (system)
   1: keyboard (system)
   2: Cascade (system)
   3: COM2-UPS (VLB controller) & COM3-HUB (ISA controller)
   4: COM1-modem (VLB controller)
   5: COM4-Mouse (ISA controller)
   6: Floppy (system)
   7: LPT1-printer
   8: Clock (system)
   9: Cascade-3c509 (cablemodem)
  10: SoundBlaster 16
  11: 2842b SCSI
  12: 3c509b (internal LAN)
  13: Math coprocessor
  14: IDE0
  15: IDE1

I/O Port MAP:
  170-1F7h: IDE1
  1F0-1F7h: IDE0
  200-207h: (not used) usually Joystick
  220-22Fh: SoundBlaster 16
  230-233h: SoundBlaster 16 CD-ROM interface
  260- ?h:  3c509b (eth1)
  278-27Fh: LPT1
  2A0-2AFh: 3c509 (eth0)
  2E8-2EFh: COM4
  2F8-2FFh: COM2
  330-331h: SoundBlaster MPU-401
  334-337h: Adaptec 2842b
  376-376h: IDE1
  378-37Fh: LPT1
  388-38Bh: SoundBlaster OPL2/3
  3E8-3EFh: COM3
  3F0-3F5h: Floppy drive
  3F6-3F6h: IDE0
  CC00h:    AHA2842b port
  D000h:    AHA2842b BIOS port
  E400h:    System BIOS
  E800h:    System BIOS
  F000h:    System BIOS

DMA Map:
  0 - Dunno.
  1 - SoundBlaster16 LOW
  2 - Alternative Floppy DMA
  3 - Floppy DMA
  4 - Cascade
  5 - AHA 2842b
  6 - SoundBlaster 16 HIGH

SCSI IDs:
-----------------------------------------------------------------
  ID 0       SEAGATE   Model: ST31200N SUN1.05   Rev: 8564
             Type: Direct-Access                 ANSI SCSI revision: 02
-----------------------------------------------------------------
  ID 1       HP        Model: 2.13 GB #C         Rev: 1111
             Type: Direct-Access                 ANSI SCSI revision: 02
-----------------------------------------------------------------
  ID 2       NRC       Model: MBR-7              Rev: 110
  LUN 0-6    Type: CD-ROM                        ANSI SCSI revision: 02
-----------------------------------------------------------------
  ID 3       Philips   Model: CM4xx              Rev: 1.01
             Type: CD-ROM                        ANSI SCSI revision: 02
-----------------------------------------------------------------
  ID 4       HP        Model: T4000s             Rev: 1.10
             Type: Sequential-Access             ANSI SCSI revision: 02
-----------------------------------------------------------------
  ID 5       NONE
-----------------------------------------------------------------
  ID 6       COMPAQPC  Model: CP30540            Rev: 90C5
             Type: Direct-Access                 ANSI SCSI revision: 02
-----------------------------------------------------------------
  ID 7       Adaptec AHA2842b SCSI controller
-----------------------------------------------------------------

----- All hard Drive partition tables -----

/dev/hda (expert mode printout)
==================================================
Disk /dev/hda: 64 heads, 63 sectors, 525 cylinders
Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 80   1   1    0  63  63   25        63    104769 06
 2 00   0   1   26  63  63  523    104832   2007936 05
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00
 5 00   1   1   26  63  63   76        63    205569 82
 6 00   1   1   77  63  63  523        63   1802241 83
==================================================

/dev/hdc (normal mode printout - expert truncates)
==================================================
Disk /dev/hdc: 16 heads, 63 sectors, 19390 cylinders
Units = cylinders of 1008 * 512 bytes

   Device Boot   Begin    Start      End    Blocks   Id  System
/dev/hdc1            1        1    19390  9772528+  83  Linux native
==================================================

/dev/hdd (expert mode printout)
==================================================
Disk /dev/hdd: 32 heads, 63 sectors, 528 cylinders
Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  31  63  527        63   1064385 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00
==================================================

/dev/sda (expert mode printout)
==================================================
Disk /dev/sda: 64 heads, 32 sectors, 1006 cylinders
Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  63  32 1005        32   2060256 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00
==================================================

/dev/sdb (expert mode printout)
==================================================
Disk /dev/sdb: 64 heads, 32 sectors, 2033 cylinders
Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  63  32 1023        32   4163552 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00
==================================================

/dev/sdc (expert mode printout)
==================================================
Disk /dev/sdc: 64 heads, 32 sectors, 511 cylinders
Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  63  32  510        32   1046496 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00
==================================================

------- Linux HD mount table:

/dev/hda6 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/hda1 on /mnt/dosc type msdos (rw)
/dev/hdc1 on /home/hpe type ext2 (rw)
/dev/sda1 on /home/hpe/WINDOWS type ext2 (rw)
/dev/md0 on /home/hpe/RAID0 type ext2 (rw)
/dev/scd0 on /home/hpe/CDROMs/Cdrom0 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd1 on /home/hpe/CDROMs/Cdrom1 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd2 on /home/hpe/CDROMs/Cdrom2 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd3 on /home/hpe/CDROMs/Cdrom3 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd4 on /home/hpe/CDROMs/Cdrom4 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd5 on /home/hpe/CDROMs/Cdrom5 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd6 on /home/hpe/CDROMs/Cdrom6 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)
/dev/scd7 on /home/hpe/CDROMs/Cdrom7 type iso9660 (ro,norock,uid=501,gid=10,mode=0550)

=================================================================================
Section 5 - Software URL download map and checklist

Software recommended and used for the TrinityOS doc (roughly in this order).

** NOTE ** Put all code in /usr/src/archive/

I personally recommend putting ALL additional software source code, RPMs, etc. in
/usr/src/archive. In the "archive" directory, I make subdirectories for the various
code like dns, ssh, sendmail, etc. This IS your box though, so put things ANYWHERE
you so wish. :)

Done
----
 X - Master site for all Internet RFCs:
        http://www.cis.ohio-state.edu/rfc/

 X - The Master IANA site for all Internet port numbers, protocol numbers, etc.
     A VERY recommended place to go to, download them ALL, and put them in /etc/iana.
        http://www.isi.edu/in-notes/iana/assignments

 X - Distribution Sites and Update MIRRORS:
     Any Service Packs, security patches, etc. for your installed Slackware or
     Redhat distribution(s)

        Mandrake Updates:
           Master URL:         ftp://ftp.linux-mandrake.com/pub/updates

        Redhat Updates:
           Master MIRROR URL:  http://www.redhat.com/mirrors.html
           Often Busy:         ftp://updates.redhat.com/pub/redhat/updates/
           *** Fast:           ftp://ftp.codemeta.com/pub/mirrors/redhat/updates/
           5.2 only:           ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatUpdates/

 X - Newest stable kernel
        ftp://ftp.kernel.org
     or
        ftp://ftp.freesoftware.com/pub/linux/sunsite/kernel/

     2.0.x
     -----
        2.0.38 is stable - Any lower version has a DoS attack against the TCP/IP stack

     2.2.x
     -----
        2.2.12 is stable
        ALL versions less than 2.2.11 have an IP fragmentation bug. This will make
        ALL strong IPCHAINS rulesets vulnerable! I also understand that 2.2.11 has a
        memory leak issue. Sounds like 2.2.12 is the only version to go with right
        now.

 X - The Linux Security HOWTO
        http://www.linuxdoc.org/HOWTO/Security-HOWTO.html

 X - Logging tools:
        CheckLogs:        http://www.iae.nl/users/grimaldo/chklogs.shtml
        Swatch:           ftp://ftp.stanford.edu/general/security-tools/swatch
        Psionic LogCheck: http://www.psionic.com/abaus/logcheck
        LogSurfer:        (like Swatch but with state checking!)
                          http://www.cert.dfn.de/eng/logsurf/home.html

 X - IP NAT, MASQ, Load Balancing, and High Availability tools

     - True 1:1 IP NAT (different than IP MASQ). There are several implementations,
       but here are the common ones:

         Main Linux NAT, Load Balancing, and High Availability reference site:
            http://www.linas.org/linux/load.html

         A newer NAT implementation:
            http://proxy.iinchina.net/~wensong/ipnat/

         The original Linux NAT implementation:
            http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html
         or
            http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html

     - MASQ E-mail list : By far the BEST way to get MASQ-help (very helpful!!)
         Send mail to

     - Linux 2.3.x kernels NetFilter now provides for both 1:Many Masq-like NAT and
       true 1:1 NAT:
            http://www.rustcorp.com/linux/index.html

 X - Linux IP Masq

     2.2.x kernels
     -------------
       NOTE: ALL versions less than 2.2.11 have an IP fragmentation bug. This will
             make ALL strong IPCHAINS rulesets vulnerable! Upgrade NOW!

     - IPCHAINS Main site:
            http://www.rustcorp.com/linux/ipchains/

     - IPMASQADM portforward patches:
            http://juanjox.kernelnotes.org/
         or
            ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/

     - The beginnings of Stateful Inspection for Linux:
         2.0.x kernels
            http://www.ifi.unizh.ch/ikm/SINUS/firewall.html
         2.1.x / 2.2.x kernels
            ftp://ftp.interlinx.bc.ca/pub/spf

     - ICQ module v0.55
            http://members.tripod.com/~djsf/masq-icq/

     2.0.x kernels
     -------------
     - IPFWADM (source must be downloaded regardless of whether it was installed
       with Redhat)
         Slackware: ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0.tar.gz
         Redhat:    ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.src.rpm

     - IPFWADM patches (if required) at:
            http://ipmasq.cjb.net/ipfwadm-2.3.0-generic-timeout.patch.gz

     - IPCHAINS support for the 2.0.3x kernels
            http://aemiaif.lip6.fr/willy/pub/linux-patches/ipnat/
            http://www-miaif.lip6.fr/willy/pub/linux-patches/

     - IPPORTFW Port forwarding for 2.0.x kernels
         Homepage: http://www.ox.compsoc.org.uk/~steve/portforwarding.html
         Patches:  ftp://ftp.ox.compsoc.org.uk/pub/users/steve/ipsubs/sub-patch-1.37.gz

     - ICQ module v0.52
            http://members.tripod.com/~djsf/masq-icq/

     - Interpreting Firewall hits: This is a great URL on how to interpret your
       firewall logs and what all the information means:
            http://www.robertgraham.com/pubs/firewall-seen.html

 X - PPP - v2.3.8 (not needed for most cablemodem users)
        Primary site: ftp://cs.anu.edu.au/pub/software/ppp/
        Backup site (has older versions):
            ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/serial/ppp/

     - ML/PPP
         Strong implementation:
            http://mp.mansol.net.au/mp/
         Lots of data, little code:
            ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink
         Another implementation (runs on 2.2.x+ and he is looking for testers)
            http://linux-mp.terz.de
         Dead link?
            http://mp.ins-coin.de

     - PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users
            http://www.roaringpenguin.com/pppoe.html
         Some other informational URLs as well:
            http://www.suse.de/~bk/PPPoE-project.html
            http://www.sympaticousers.org/faq.htm

     - PPTP VPNs to Microsoft servers (NOT recommended.. use IPSEC)
            ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
         To enable PPTP Encryption:
            http://www.moretonbay.com/PPTP/

 X - Diald v0.99.4 (not needed for cablemodem users)
        Diald is now maintained by a new author and site:
            http://diald.sourceforge.net
        RPMS:
            http://juanjox.kernelnotes.org
        Download the original Diald and Diald patches (Diald v0.16.5):
            http://www.loonie.net/~eschenk/diald.html

 X - NAMED current: 8.2.2p5
        Sources: ftp://ftp.isc.org/isc/bind/src/cur/bind-8/
        RPMs:    As of 4/17/98, the newest bind was only available in the CONTRIB
                 area. It seems to work fine, but some people do NOT trust someone
                 else's compiled code, so it's your choice.
                 ftp://rawhide.redhat.com/
        You can also find a chroot-ed version of bind here:
            ftp://ftp.fi.muni.cz/pub/users/kas/bind-chroot/
        Announcement list: Send email to bind-announce-request@isc.org with
                           "subscribe" in the subject field.

 X - Vlock (stock in Redhat if installed)
        ftp://ftp.freesoftware.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz

 X - Network Sniffers
     - TCPDUMP (stock in Redhat if installed) - Excellent network packet sniffer
            ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/management/
         or
            ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
     - IPtraf - Excellent high level network protocol watcher - Current 2.1.0
            ftp://ftp.cebu.mozcom.com/pub/linux/net
     - EtherReal - An excellent GUI decoder
            http://ethereal.zing.org/

 X - Sendmail current: v8.9.3
        ftp://ftp.sendmail.org/pub/sendmail/
        RPMs: The newest Sendmail is NOT available in RPM form from sendmail.org,
              but it IS in Redhat's CONTRIB area. It seems to work fine, but some
              people do NOT trust someone else's compiled code, so it's your choice.
              ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatContrib/libc6/i386
        Announcement list: Send an email to majordomo@Lists.Sendmail.ORG with the
                           text "subscribe sendmail-announce" in the body of the
                           message.

     - POPAuth
            http://www.morelr.com/technical/unix/popauth.html
         For allowing remote POP-3 clients to be able to use the SMTP server to
         send email.

     - Virtual Email domains
         To support multiple email domains w/ Sendmail, Qmail, etc. check out:
            http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO.html

 X - DHCP Server
        RFC Info:    http://www.dhcp.org/rfc2131.html
                     http://www.dhcp.org/rfc2132.html
        Legacy Info: http://www.cis.ohio-state.edu/rfc/rfc1542.txt
        Download:    http://www.isc.org/dhcp.html

 X - WU-FTP v2.6
        FTP: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
        FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html

 X - DHCP Client
        DHCP HOWTO:      http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/DHCPcd
        DHCPcd client:   http://www.phystech.com/download/dhcpcd.html
        Other DHCP info: http://www.linux-firewall-tools.com/linux/firewall/index.html
        A HOWTO specific to the RoadRunner Cablemodem setup, but it's still a good
        site:
                         http://www.vortech.net/rrlinux/

 X - NetWatch
        ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/

 X - Getdate (NTP) - v1.2 (Was SETTIME)
        ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/misc/getdate_rfc868-1.2.tar.gz

 X - Backing up: (stock in Redhat if installed)
     - BRU (it's not free, but it's the best Linux backup software out there.
       This is one place you just CAN'T skimp!)
X - Netscape (stock in Redhat if installed) X - SSH current: ssh-1.2.27 and ssh-2.0.13 http://ftp.ssh.com/pub/ssh/ Additional UNIX SSH tunneling URLs: http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html X - Raidtools Good info on Linux RAID: http://linas.org/linux/raid.html The drivers: http://luthien.nuclecu.unam.mx/~miguel/raid X - Samba (stock in Redhat if installed) (this version fixes an exploit on bugtract) http://www.samba.org Also.. they have great docs at http://samba.anu.edu.au/ X - PCMCIA Services http://pcmcia.sourceforge.org/ X - APCUPSD UPS server http://www.brisse.dk/site/apcupsd/ X - Apache WWW server Standard Apache: http://www.apache.org or ftp://ftp.redhat.com/pub/contrib/i386/apache-1.2.6-5.i386.rpm SSL-encrypted Apache: http://www.apache-ssl.com/ - File Integrity testing/Monitoring TripWire: --------- Tripwire has gone OpenSource for LINUX! Woohoo! Though it isn't available quite yet, it will be there soon: http://www.tripwire.org Also, as of v2.2.1, Tripwire now runs on Glibc. 
     http://www.tripwiresecurity.com/products/Tripwire_ASR20.cfml
     You can also get the older versions here:
     ftp://coast.cs.purdue.edu/pub/COAST/Tripwire

     Aide:
     -----
     AIDE is a GNU version of Tripwire
     ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.4.tar.gz

X - RPM update tools:
     AutoRPM    current version: 1.9.8.1
                http://www.kaybee.org/~kirk/html/linux.html
                The Perl module "Libnet"
                http://cpan.valueclick.com/modules/by-module/Net/
     RPM Watch  current version: 1.1 (does not work for Redhat 5.2+) [Will be phased out]
                ftp://ftp.iaehv.nl/pub/users/grimaldo/rpmwatch-1.1-1.noarch.rpm
     RPMLevel   (from the author of RPMWatch)
                http://coralys.com/products/

X - Mkisofs
     ftp://tsx-11.mit.edu//pub/linux/packages/mkisofs

X - Compression tools
     BZip2 : http://sourceware.cygnus.com/bzip2/index.html

X - Bash HOWTO
     http://www.linuxdoc.org/HOWTO/Bash-Prompt-HOWTO.html [Section 42]

X - Dial-In Server HOWTO
     http://www.swcp.com/~jgentry

  - SWAN / IPSEC VPN
     Project home page: http://www.xs4all.nl/~freeswan or http://www.flora.org/freeswan/
     SWAN email list:   http://www.xs4all.nl/~freeswan
     Overview:          http://www.cygnus.com/~gnu/swan.html
     Download the IPSec code from: Broken? Works ?
     or
     Other Mini-HOWTOs: https://www.seifried.org/articles/ipsec/

  - IP logger
     ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm

  - Tuning:
     - IRQTune
        ftp://shell5.ba.best.com/pub/cae/irqtune.tgz
     - HDparm
        ftp://sunsite.unc.edu/pub/Linux/kernel/patches/diskdrives

  - Security Tools
     X - Nmap: http://www.insecure.org/nmap/
       - COPS (old)
           ftp://ftp.freesoftware.com/pub/linux/sunsite/system/security/cops_104.tgz
       - Saint (new version of Satan)
           http://www.wwdsi.com/saint/
       - SATAN (Old)
           Newer: ftp://ftp.porcupine.org/pub/security/index.html
           Older: ftp://ftp.win.tue.nl/pub/security/satan.tar.Z
       - Solar buffer-overflow fixer
           ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2
       - Kurt Seifried's Linux Administrators Security Guide (LASG)
           https://www.seifried.org/lasg/

  - Other URLs:
     Test Exploits:   http://www-miaif.lip6.fr/willy/security/
     Test Exploits:   http://www.rootshell.org
     Test Exploits:   http://www.l0pht.com
     Test Exploits:   http://www.geek-girl.com
     Security Alerts: Subscribe to BugTraq at mailto://LISTSERV@NETSPACE.ORG
     More Security:   http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#security
                      http://www.ecst.csuchico.edu/~jtmurphy/

  - Abacus Security Initiative
     Includes host_sentry, port_sentry and logchecker.
     http://www.psionic.com/abacus

  - SHADOW (SANS)
     http://www.nswc.navy.mil/ISSEC/CID/step.htm

  - Network Flight Recorder
     Setup HOWTO:  http://www.nswc.navy.mil/ISSEC/CID/nfr.htm
     NFR software: http://www.nfr.net/download/
     NFR ID Attack ID Packages: http://www.nswc.navy.mil/ISSEC/CID/nfr_id.tar.gz
                                http://www.l0pht.com/NFR/

  - WWW proxy (Apache or Squid)

  - WWW Ad banner filtering
     http://www-math.uni-paderborn.de/~axel/NoShit/index.html
     patch:          http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz
     Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt

  - Zip drive
     http://www.torque.net/~campbell

  - Linux Applications:
     http://www.xnet.com/~blatura/linapps.shtml

  - Linux Games:
     X-Shipwars: http://fox.mit.edu/xsw/

  - Linux Real Time messengers:
     http://www.portup.com/~gyandl/

================================================================================
================================================================================

Section 6 - Thoughts on Picking a Linux Distribution

- Install Linux distribution (too complicated to be covered in TrinityOS)

Here are a few comments that talk about what Linux distribution might be right for you.

One thing I've been asked over and over is regarding users trying out Linux with an old
Linux that was given to them. With the new 2.2.x kernel out, all new Linux distributions
BLOW AWAY the old ones in terms of ease of setup, performance, hardware compatibility,
etc. So, I recommend that you get a new copy of a given Linux distribution and give that
a look. And you can't tell me it's expensive when you can get almost ANY Linux
distribution for under $3.00 US a CD from places like http://www.cheapbytes.com.

*------------------------------------------------------------------------------------------*
* What do I use?
*   I currently use Mandrake v6.1 but I'm worried about Mandrake's direction              *
*------------------------------------------------------------------------------------------*

So, with that behind us, here are a few notes:

Redhat: http://www.redhat.com

Redhat, currently in its 6.2 version, is a modern Linux distribution that has a strong
installation program and has some great system administration utilities too. One of the
best parts of Redhat is its incremental RPM package installation and upgrade system.
Another major reason for going with Redhat is its support for the new Glibc2 libraries.
Redhat is constantly upgraded and is well supported in the Linux community.

Redhat is a good choice for the Linux newbie that wants Linux running with all kinds of
functionality without a lot of work. It comes with everything from TELNET/FTP to
Microsoft and Novell file server emulation. If you are already a UNIX snob, you might
find Redhat's layout weird (unless you are a Sun Solaris (SYSV) person - the
/etc/rc.d/rc2.d layout is similar).

*BUT*.. many people don't like Redhat. Why?

1. Redhat has a LOT of extra software built-in. Yes, you can choose the "Custom"
   installation process and get rid of most of the options (recommended) but a FULL
   install is 1.5+GB!

2. If you want to *learn* UNIX (not specifically Linux) in the classic LINUX step-by-step
   fashion and truly understand it (the hardest but BEST way (IMHO)), Redhat probably
   wouldn't be my first choice! Yet, I do have to admit my opinion is slowly changing
   though.

3. Redhat changes the entire behavior of how Linux is setup and configured compared to
   other distributions like Slackware to be more easy to use, modifiable via scripts,
   etc. Unfortunately, Redhat's GUI tools don't easily tell you what it is going to do to
   your config files. If you want to learn UNIX in a classic fashion, go with Slackware
   or, to a lesser extent, Debian, SuSe, etc! Those distros are a LOT more plain and
   easier to initially figure out.
Version 6.x has enhanced the installation program for easier use and they have updated
almost ALL of the tools such as Apache, Samba, etc. Also, the ASCII, NCURSES, and
X-Windows versions of the "linuxconf" and "control-panel" GUI interfaces are getting
VERY cool!

Mandrake: http://www.linux-mandrake.com

Mandrake Linux, currently at version 7.0, is a close derivative of Redhat Linux with some
changes and add-ons. The main difference between Mandrake and Redhat is that Mandrake is
compiled for [ Pentium ] or newer machines. Redhat is currently compiled for Intel 386
(i386) processors. With the Pentium optimizations alone, Mandrake yields anywhere from a
10-20% performance increase over RedHat on new platforms. Next, Mandrake has been adding
more customized tools to their distribution. With these tools, like the "Mandrake
Updater", administration is easier. If you like GUI tools, Mandrake has them!

One thing I do want to mention is that Mandrake 7.0's new installer called "Drak-X" has
some *SERIOUS* problems. I won't go into deep details but both the Xwindows and Ncurses
versions of Drak-X's partitioning utils failed to understand some simple partition
layouts, etc. Not only that, it just doesn't give you the flexibility of installer
methods like Redhat v6.2 does. BUT, it does give the user the option of different default
security settings, etc. This is good but I'm very worried about the direction Mandrake is
going. Enough said for now.

Slackware: http://www.slackware.com

Slackware, now at version 7.0, is one of the original Linux distributions and it is still
one of my favorites. It definitely isn't as slick in terms of installation or
functionality compared to Redhat but it's laid out in a clear manner. Its INIT scripts
(the scripts that are executed to bring the system up) are laid out in a very readable
fashion (BSD-style) and everything is obvious (in the open). Slackware will be a
comfortable fit for the UNIX guru peoples out there.
Like Redhat, Slackware uses a software package system (pkg) for modularized system
upgrades. Though it isn't as fancy as Redhat's RPM system.. it has almost all the same
functionality. Though patches do come out for Slackware, Redhat's community usually has
patches available FASTER.

Debian: http://www.debian.org

Though I haven't used Debian much, many people out there seem to like it a lot. It has
been best described to me as a distro that old Slackware users who hate Redhat will LOVE.
Interestingly enough, Corel's distro and also Storm are based on Debian as well. Anyway,
Debian doesn't include the kitchen sink in software like Redhat but it's laid out in a
good manner, has its own RPM-like installation/upgrade system called dPKG (new version
is called "apt"), and it does support the new Glibc2 library system. Like Redhat, Debian
is reported to be constantly updated and well supported. Many people argue that Debian
is even better updated than Redhat though they are considerably slower to release new
distros compared to the others.

Caldera: http://www.calderasystems.com/

Caldera, now at v2.3, is the most commercial of all the Linux distros. They initially
pulled ahead of the pack with a better installation program and auto-installing hardware
modules but everyone caught up pretty quick. Caldera is understood to have the easiest
installation program of ALL the distributions. Caldera differentiates itself by trying to
meet the needs of the corporate market. For example, they have completed a port of
Novell's NDS directory services to Linux. Pretty cool!

SuSE: http://www.suse.com

SuSE, currently in version 6.3, is a fairly new distribution from Germany. I had
previously tried their 5.x version but there was so much embedded German text in it, it
bothered me so I gave up on it. I recently installed version 6.0 and it seems much
better. Its installation program is pretty good though I think Redhat's is somewhat
better.
But, SuSE has a nice configuration tool called YaST and they were one of the first to
come with the KDE window manager.

There are other Distributions out there to pick from depending on your hardware platform
(Dec Alpha, Motorola PowerPC, etc) such as:

   TurboLinux  - popular in Japan / BeoWolf clusters
   LinuxPPc    http://www.linuxppc.org - for PowerPC machines
   LinuxPro    http://www.wgs.com/
   LinuxWare   http://www.trans-am.com/
   MkLinux     http://www.mklinux.apple.com/ - For 680x0 and PPC Apples
   Stampede    http://www.stampede.org/

You'll have to experiment and ask other Linux people what distribution they like and WHY!
Personally, I'd recommend to get one of those multiple Distribution CD sets from places
like www.cheapbytes.com and try them out yourself!!

For more Distribution details, check out:
   http://www.linux.org/dist/english.html
   http://metalab.unc.edu/LDP/HOWTO/Distribution-HOWTO.html
   http://www.linuxgazette.com/issue31/hughes.html

================================================================================

Section 7 - Installing a distribution, patching it, and doing a Search/Replace on TrinityOS

Upgrading/Updating your Linux distro:

Like ANY Linux distribution, bug fixes, security releases, etc are always coming out and
you NEED to stay on top of it. Remember, Linux is very functional but without a given
security patch, a hacker can break into your box and do ANYTHING! Redhat, Debian,
Slackware, etc have their own incremental update systems that make this easier.

Ps. If the program you update to with "pkgadd" has different configuration file layouts,
you will have to do the conversion manually. Debian and Redhat's systems can do the
conversion for you though I've had mixed results with this.

Redhat users:
   Go to the Redhat Updates URL in [Section 5] and download all the recent patches to a
   directory (ie. /tmp/patches). Once you have all of the newest RPMs, you should use the
   "Fresh" option of the RPM tool.
   This will update the RPMs on your machine ONLY if an older version of the RPM is
   installed on your machine. So, I recommend that you do:

      rpm -Fvh /tmp/patches/*

   Also, please heed these following warnings regarding RPMs:

   ******************************
   ** Don't always trust RPMs!!!!
   ******************************
   ** See [Section 50] for more specific instructions on how to use
   ** RPMs, see what files will be installed/replaced/OVERWRITTEN
   ** BEFORE you install them, etc
   ******************************
   ** Staying on top of new RPMs
   **
   ** You should also implement the RPM notification tool that is documented
   ** in [Section 43] to stay on top of this in the future!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

TrinityOS diagrams and Search and Replace Keys
----------------------------------------------

This is how the TrinityOS network is laid out:

-- Network topology diagram:

      ________
     /        \
    |Internet  >------------------+
     \________/                   |
                              Cablemodem
                                  |
                        +-----------------------+
                        |                       |
                        | External Link: eth0   |
                        |  IP:  100.200.0.212   |
       _________        |  DGW: 100.200.0.1     |
      / Various \       |                       |
     |  Remote   |      |                       |
     |  Sites    >-ISDN-|- External Link: ppp0  |
     |  &        |      |  IP: dynamic          |
     |  Internet |      |                       |
     |  link     |      |  -----------          |
      \ backup  /       |                       |
       ---------        | Internal Link: eth1   |
                        |  IP: 192.168.0.1      |
                        |                       |
                        +-----------------------+
                                  |
                          8-port 10Mb/s hub
         +----+----+----+----+----+----+----+----+
         |    |    |    |    |    |    |    |    |
        PC   PC   PC   PC   PC   PC   PC   PC   PC
        #1   #2   #3   #4   #5   #6   #7   #8   #9
         |
   /----------------\
    IP:  192.168.0.2
    DGW: 192.168.0.1
    DNS: 192.168.0.1
--

==============================================================================================

- Next, this section is to custom tailor your copy of TrinityOS to your specific
  environment. Do a search/replace on the "Search for" fields and replace them with your
  correct "replace with" fields.
--------------------------------------------------------------------------------------
PLEASE NOTE: If you are going to use IP Masquerading, you should use one of the private
             address spaces as described in RFC 1918 such as:

                  Class-A:  10.x.x.x
                  Class-B:  172.16-31.x.x
                  Class-C:  192.168.x.x
--------------------------------------------------------------------------------------

                                       search for            replace with (given as an example)
                                       ----------            ----------------------------------
Your main login ID                     johndoe               your-login
Your PPP ISP name                      your-ppp-isp-name     your-ppp-isp-name
Your PPP ISP #                         555-1212              555-1234
Your PPP login                         your-ppp-login        your-ppp-login
Your PPP password                      your-ppp-passwd       your-ppp-passwd
Your Linux box's name                  roadrunner            your-linux-boxes-name
Domain Name                            acme123.com           yourdomain.org
Internal IP network                    192.168.0.0           192.168.0.0
Internal IP address                    192.168.0.10          192.168.0.10
Internal gateway IP                    192.168.0.1           192.168.0.1
Internal broadcast IP                  192.168.0.255         192.168.0.255
External IP network                    100.200.0.0           100.201.0.0
External IP address                    100.200.0.212         100.201.0.212
External gateway IP                    100.200.0.1           100.201.0.1
External broadcast IP                  100.200.0.255         100.201.0.255
Remote SECONDARY DNS                   ns.backupacme.com     ns.yourdomain.org
External secondary DNS                 102.200.0.25          102.201.0.25
Reverse DNS lookup                     54.44.80.10           50.0.201.102
Explicit allowed IP#1                  200.211.0.40          200.244.0.40
Explicit allowed IP#2                  200.211.0.41          200.244.0.41
Explicit allowed IP#3                  200.211.0.42          200.244.0.42
Explicit allowed IP#4                  200.211.0.43          200.244.0.43
ISP DNS server #1:                     10.200.200.69         10.222.222.44
ISP DNS server #2:                     10.200.200.96         10.222.222.88
Your SMB Workgroup:                    ACME123               your-linux-boxes-SMB-workgroup-name
Your pager email:                      1234567@skytel.com    2321432342@skytel.com
A internal PORTFWed MASQ machine name: coyote                one-internal-MASQed-machine-name
A internal PORTFWed MASQ machine IP:   192.168.0.20          192.168.0.20
Internal machines allowed to connect
  to the MASQ server:                  192.168.0.11          192.168.0.11
                                       192.168.0.12          192.168.0.12
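The search/replace above has two traps when done with a plain sed one-liner: the "." in every IP address is a regex metacharacter, and 192.168.0.1 is a prefix of 192.168.0.10, .11 and .12, so replacing the gateway first silently corrupts the other three. Below is an added example (not a TrinityOS script) of a POSIX sh/awk function that matches keys literally and longest-first in a single pass; the tab-separated key file format and the sample rows in the test are assumptions constructed from the table.

```shell
#!/bin/sh
# Added example (not TrinityOS's own script): apply the search/replace key
# table above to a copy of the document. Assumed key file format: one
# "search<TAB>replace" pair per line, copied from the table.
# Each input line is scanned once; at every position the keys are tried
# longest-first and compared literally (no regex), and text that has already
# been replaced is never rescanned, so 192.168.0.1 cannot eat 192.168.0.10.

trinity_replace() {   # usage: trinity_replace KEYFILE < TrinityOS.wri > TrinityOS.mine
    awk -v keyfile="$1" '
    BEGIN {
        while ((getline line < keyfile) > 0) {
            split(line, kv, "\t")
            if (kv[1] == "") continue
            n++; src[n] = kv[1]; dst[n] = kv[2]
        }
        # order the keys longest-first (insertion sort; the table is small)
        for (i = 2; i <= n; i++) {
            s = src[i]; d = dst[i]
            for (j = i - 1; j >= 1 && length(src[j]) < length(s); j--) {
                src[j + 1] = src[j]; dst[j + 1] = dst[j]
            }
            src[j + 1] = s; dst[j + 1] = d
        }
    }
    {
        rest = $0; out = ""
        while (rest != "") {
            hit = 0
            for (i = 1; i <= n && !hit; i++)
                if (substr(rest, 1, length(src[i])) == src[i]) {
                    out = out dst[i]                        # emit the replacement
                    rest = substr(rest, length(src[i]) + 1) # and skip past the key
                    hit = 1
                }
            if (!hit) { out = out substr(rest, 1, 1); rest = substr(rest, 2) }
        }
        print out
    }'
}
```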
==============================================================================================

##################################################################################
##                                                                              ##
##  Fixing Redhat, Mandrake, etc (bugs) that are right out of the BOX! (ouch!): ##
##                                                                              ##
##################################################################################

* These are errors, bugs, annoyances, etc that I've noticed in Redhat5.x. But, these
  might be fixed in later CD releases, patches, etc.

------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out
for an automatic installation at:

  http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz
-----------------------------------------------------------------------------

- Fix all cron permissions (some fixed in RH6.x)

   - chmod -R 750 /etc/cron.hourly
   - chmod -R 750 /etc/cron.hourly/*
   - chmod -R 750 /etc/cron.daily
   - chmod -R 750 /etc/cron.daily/*
   - chmod -R 750 /etc/cron.weekly
   - chmod -R 750 /etc/cron.weekly/*
   - chmod -R 750 /etc/cron.monthly
   - chmod -R 750 /etc/cron.monthly/*

- Let Minicom and "ls" run in Color:

   - Edit /etc/profile and add the following after the "export" line if you have
     Minicom installed:

         MINICOM="-c on"
         export MINICOM

   - This is fixed in RH6.x but it's good to setup regardless. Edit the /etc/bashrc
     file and add:

         alias ls='ls --color=yes'

- Fix the timezone

   NOTE: This is supposed to be already fixed in a Glibc RPM fix

   - Edit the /etc/profile file. Just above the "EXPORT PATH" line, add the line for
     Pacific Daylight time (adjust for your Time zone):

         TZ=PST8PDT

     Now edit the "EXPORT PATH" line and append the word "TZ"

- Change the default UMASK (default file/directory create)

   NOTE: Changing this behavior makes the permissions of all NEWLY created files only
         readable by certain users and groups.
         This can have a detrimental effect on programs that need to be used by multiple
         users. The default is "umask 002 else umask 022".

   NOTE2: If you see two "umask" lines, change them BOTH to 027

   - edit /etc/profile, find the umask line(s) and make them read "umask 027"

- Fix compressed FTP downloads (still broken in RH6.1)

   NOTE: The changes were:
      - "compress" is in /usr/bin and NOT /bin

   NOTE-2: I had previously patched TAR to understand .BZ2 compression but this is now
           already done in RH6.x and most other modern Linux distributions (the man pages
           don't reflect this. Obviously this is STILL a bug as of Mandrake 7.0.). If you
           have an old distribution, compile up the new tar executable. Then put this new
           TAR binary in /usr/local/bin.

      - Create a link to the new tar file

         ln -s /usr/local/bin/tar /bin/tar

   Now, to fix FTP so you can get compressed archives automatically from ftpd, edit the
   following file and make it look like this:

   /etc/ftpconversions
   --
   :.Z: : :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
   : : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
   :.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
   : : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
   : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
   : : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
   : : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
   --

- Fix the permissions on the /etc/rc.d/init.d script files!!! Bad.. Bad.. Bad..
  Only "root" and admin groups should be able to do this type of administration.

      chmod -R 770 /etc/rc.d/init.d/*

================================================================================

Section 8 - Initial System security [CMOS setups, disable ports, TCP wrappers, shadow passwds, etc]

First of all, in addition to following TrinityOS for your needed purposes, I would
recommend reading LDP's Security HOWTO for a more detailed explanation of what to do.
Interestingly enough, I never read it until recently and a LOT of things I had
independently recommended were already in the Security HOWTO too! So.. it sounds like we
are on-track! I recommend you read it too! The URL is in Section 5.

- Upon system boot, enter into the CMOS setup
   - AMI BIOSes use the DEL key
   - Compaq BIOSes use the F10 key
   - some Phoenix BIOSes use Control-Escape

- Once you are in the BIOS, search around and try to set the following:

   + Enable the BIOS password
      - I recommend the combination of upper and lower case characters with numbers!
   + DISABLE booting from the floppy drive by changing the BIOS boot order from A:,C: to
     C:,A:
   + If you are extra paranoid, you can set the floppy drive to READ only or even disable
     the floppy drive all together if you wish.

- Now, boot back into Linux and make sure you have a password for the root login

   - "passwd root"

   NOTE: You may not have noticed this but most Linux distributions only took the first
         -8- characters of your password. After that, they simply ignore ALL other
         characters. For example, these two passwords are the SAME to Linux:

            Pl3a5eGet0ut   and   Pl3a5eGe

         Because of this, you need a strong password and it can ONLY be 8-characters long.
         You REALLY should use a combination of Upper and lower case characters, numbers,
         and special characters such as:

            [ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ]

         Fortunately enough, the newer Linux distributions have fixed this issue. But
         regardless of whether this has been fixed on your distro or not, it IS important
         that you choose a strong passwd.
- Enable the "sticky" bit in /tmp so only the file's owner can delete a given file in
  /tmp (Fixed in RH6.x):

      chmod 1777 /tmp

- Disable the Control-Alt-Delete keyboard shutdown command

   - This is pretty important if you don't have the best physical security on the box:

   - To do this, edit /etc/inittab and change the line:

         ca::ctrlaltdel:/sbin/shutdown -t3 -r now
      to
         #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

   - Now, for the system to understand the change, type in the following at a prompt:

         /sbin/init q

- Compile / install vlock (available in most modern distributions).

   NOTE: Use this command if you are logged in as root and want to LOCK the ttys without
         having to log fully out and back in again. Nice!

- Change what system daemons get loaded by editing the following files in "/etc/rc.d/"

   -----------------------------------------------------------------
   NOTE: Regardless of Linux distro, you might want to SKIP some of the following steps
         if you plan to run:

            - Samba (smb)
            - Printing (lpd)
            - Mail (Sendmail),
            - NFS
            etc.
   -----------------------------------------------------------------

   Redhat: (though this is specific to Redhat, the following is a good read for ALL
            Linux users.)
   --
   The way that Redhat boots is the SysV way. This is where the OS will execute ALL files
   for a given runlevel (see definition below) that start with a "S" (that's a CAPITAL
   "S") and have a number after that, in numerical order from lowest to highest. For
   example, it will run "S10network" before it runs "S30syslog".

   So what's a RUN-level? A run-level is the mode in which the machine will load various
   system programs. Though this varies from Unix to Unix (Linux, Solaris, AIX, HP-UX,
   etc)... they are similar. For Linux, these are the run-levels (from /etc/inittab):

      0: halt           (stops the OS and sometimes shuts the power off)
      1: single user    (doesn't bring up the network, no passwd for root.
                         Needed for system problems, lost root passwds, etc)
      2: Multiuser      (Brings up the whole OS but doesn't mount remote file systems
                         (NFS, CODA, etc))
      3: Full Multiuser (Brings up the whole OS with any remote file systems)
      4: Unused
      5: X-windows      (Brings up the system immediately into X-windows)
      6: Reboot         (reboots the machine; usually into a COLD boot state [counts all
                         the RAM, etc])

   Also, if you didn't already notice, all of the files in the various runlevel
   directories like /etc/rc.d/rc0, 1, 2, 3, 4, 5, 6.d are actually just symbolic links to
   all the real script files in /etc/rc.d/init.d! This makes things more manageable.

   So.. since Linux usually runs in multi-user / non-Xwindows mode, that means runlevel
   "3" will execute all files in the /etc/rc.d/rc3.d directory. Then.. the system will
   begin to run ALL files starting with "S" in order. When you shutdown or restart the
   machine, you change the machine into runlevel "0" or "1". This will first execute all
   commands from the initial runlevel directory of "3" starting with "K". If the given
   process isn't already running, like my example for LPD, it will just skip it and move
   on. Get it?
   --

   Slackware:
   --
   The way that Slackware boots is the BSD way. It will execute the /etc/rc.d/rc.inet1
   (network interfaces) file first. Then, it will run the /etc/rc.d/rc.inet2 (network
   services) file. This is much more readable than the Redhat method but it's harder to
   maintain (IMHO).
   --

Securing your machine by limiting what daemons load:
----------------------------------------------------

BSD-Style: Edit the following files in /etc/rc.d/ and make these changes unless you need
---------  that service.
   - rc.M (disable email and WWW servers)
      - line 75: #'d out all lines for Sendmail
      - line 97: #'d out all lines for httpd

   - rc.inet2 (disable SERVER and NFS servers)
      - line 14: #'d out all lines for lpd
      - line 15: #'d out all lines for lpd
      - line 31: #'d out all lines for portmap
      - line 72: #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd

There are at least (5) ways to turn on/off what daemons load:

Via A GUI interface:
--------------------
   This process manipulation can be done either via:

      - "chkconfig" command line utility
      - "ntsysv" Ncurses GUI utility
      - "tksysv" Xwindows GUI utility
      - "control-panel" or "linuxconf" Xwindows GUIs.

   Note - Though I'm a command line bigot, I feel the "ntsysv" GUI is the fastest way to
          modify these options!

   NOTE #2 - I've found that when you first run these GUI tools, they will default to
             running and disabling some processes they SHOULDN'T! So, be careful and make
             sure that the tool is starting/stopping the correct daemons. Confirm this by
             going into the correct runlevel directory, say /etc/rc.d/rc3.d, and making
             sure only the minimal S* files are there.

With "chkconfig":
-----------------
   Please note that there might be some daemons that are missing and/or extra in your
   specific /etc/rc.d/init.d directory so make sure you enable/disable the appropriate
   ones for your needs.
--
#Disable automounters
chkconfig --level 2345 amd off

#Disable unless this is a laptop
chkconfig --level 2345 apmd off

#Disable unless you want to run batch programs within certain loads
chkconfig --level 2345 atd off

#Disable unless you want emails of EVERY ARP on your network segment
chkconfig --level 2345 arpwatch off

#Disable unless you want to boot diskless workstations
chkconfig --level 2345 bootparamd off

#Disable unless this machine will be a DHCP *SERVER*
chkconfig --level 2345 dhcpd off

#Disable unless this machine will be a full blown router
chkconfig --level 2345 gated off

#Disable unless this machine will be a WWW server
chkconfig --level 2345 httpd off

#Disable unless this machine uses a modularized kernel
# NOTE: Not needed for 2.2.x+ kernels
chkconfig --level 2345 kerneld off

#Disable unless you really want to configure remote machines via Linuxconf
chkconfig --level 2345 linuxconf off

#Disable unless this machine will be a print server
#(for the local or remote machine)
chkconfig --level 2345 lpd off

#Disable unless you really need the proprietary MC server
chkconfig --level 2345 mcserv off

#Disable unless this machine will be a database server
chkconfig --level 2345 mysql off

#Disable unless this machine will be a caching or full blown DNS server
chkconfig --level 2345 named off

#Disable unless this machine will be a NFS server
chkconfig --level 2345 nfs off

#Disable unless this machine is a laptop or the PC has PCMCIA cards
chkconfig --level 2345 pcmcia off

#Disable unless this machine will be an NFS server or needs RPC tools
chkconfig --level 2345 portmap off

#Disable all R-cmds
chkconfig --level 2345 rusersd off
chkconfig --level 2345 rwalld off
chkconfig --level 2345 rwhod off

#Disable unless this machine is a email server
chkconfig --level 345 sendmail off

#Disable unless this machine is a Samba (MS File&Print) server
chkconfig --level 345 smb off

#Disable unless this machine is to support SNMP
chkconfig --level 2345 snmpd off

#Disable unless
# this machine is a local/remote HTTP proxy server
chkconfig --level 2345 squid off

#Disable unless this machine will be running X-windows
chkconfig --level 2345 xfs off

#Disable unless this machine will be an NTP server
chkconfig --level 2345 xntpd off

#Disable unless this machine will be part of a NIS/YP domain
chkconfig --level 2345 ypbind off
chkconfig --level 2345 yppasswdd off

#Disable unless this machine will be a NIS/YP server
chkconfig --level 2345 ypserv off
--

Manually:
---------
   NOTE: only do this to the processes you WON'T use.

   NOTE #2: If, for some reason, any of the K or S* files don't exist and you want them
            to be there, use one of the GUI tools above.

   Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d

      - mv S08autofs    K08autofs
      - mv S20nfs       K20nfs       (unless this is for a full or caching NFS server)
      - mv S20rusersd   K20rusersd
      - mv S20rwalld    K20rwalld
      - mv S20rwhod     K20rwhod
      - mv S30mcserv    K30mcserv
      - mv S98kerneld   K98kerneld
      - mv S35smb       K35smb       (unless this is for a Samba F&P server)
      - mv S60lpd       K60lpd       (unless this is for a print server)
      - mv S65portmap   K65portmap   (unless this is for a NFS server)
      - mv S95nfsfs     K95nfsfs     (unless this is for a NFS server)
      - mv S45pcmcia    K45pcmcia    (unless this is for a laptop)
      - mv S65dhcpd     K65dhcpd     (unless this is for a DHCP server)
      - mv S85httpd     K85httpd     (unless this is for a WWW server)
      - mv S80sendmail  K80sendmail  (unless this is for a mail server)

========= Shutting down most of inetd.conf =============

Inetd, called the "super server", will load a network program based upon a request from
the network. I personally recommend that any program that you DON'T need shouldn't be
able to load.

   * The exceptions that I leave in and secure via a firewall and
   * TCPwrappers are:
   *
   *    TELNET, FTP, SSH, and sometimes TALK, POP-3, IMAP, and FINGER.
   *
   * See below..

I recommend to edit the /etc/inetd.conf file and place a "#" in front of the lines to
disable them (if not already done).
   echo      - basic network functions that AREN'T needed
   discard   - "
   chargen   - "
   daytime   - For checking the date remotely (or)
   time      - "
   shell     - Remote Shell.. flexible but VERY insecure. A part of the R-command tools
   login     - "
   exec      - "
   comsat    - Email box monitoring server (very old)
   talk      - UNIX Talk (I usually allow this but secure it via the firewall/tcp-wrappers)
   ntalk     - "
   dtalk     - "
   pop-2     - For checking email. Use POP3 instead.
   uucp      - For sending/receiving email the OLD way.
   tftp      - For simple file transfers (unless you need this functionality)
   bootps    - For simple configuration transfer (very old; replaced by DHCP)
   cfingerd  - For probing information on a specific user or who is logged in
   systat    - For probing information about the system itself
   netstat   - For probing information about the system's network
   auth      - For the ident system to see what user is creating specific network traffic
   linuxconf - For remotely configuring the system via the Linuxconf GUI
   swat      - For remotely configuring the Apache WWW server via Swat

Ones you can optionally disable if you don't need them are (many you want to leave
available until you install a secure alternative like SSH):

   ftp       - For insecure file transfer
   telnet    - For insecure remote logins
   talk      - For accepting local/remote real-time talk sessions
   ntalk     - "
   dtalk     - "
   pop-3     - For downloading email.
   imap      - For checking email on the server.
   finger    - For checking out info on system users (most people should disable this)
   cfinger   - "

   ***** NOTE: If you need to run finger, change the word "root" to "nobody". *****

Once you make these changes, finish editing the file. To make the change take effect,
type in:

   kill -HUP `ps aux | grep inetd | grep -v -e grep | awk '{print $2}'`

=========TCP wrapper security=========

- Edit "/etc/hosts.deny" and insert the following at the end of the file:

      ALL: ALL

- Edit "/etc/hosts.allow" and insert lines at the end of the file for each IP and/or
  Domain that you want to allow access to the Linux box.
    -----
    NOTE: Do NOT use DNS names for the hosts as DNS can be spoofed.  Use
          TCP/IP addresses instead.
    -----

        ALL: 127.0.0.1          #Needed for some local services like comsat
        ALL: 200.211.0.40       #Securehost
        ALL: w.x.y.z

    For example:

        ALL: 192.168.0.2        #Allow everything from coyote2
        ALL: 200.211.0.40       #Allow all traffic from Explicit Allowed #1
        ALL: 200.211.1.         #Allow *ALL* traffic from all hosts on the
                                #200.211.1.x network.  Yes, the network
                                #prefix must END with a single "."

    Or if you want to be more granular, you can do the following.  The
    daemon names you can use here are the program names that tcpd launches
    (in.ftpd, in.telnetd, etc.) as listed in the /etc/inetd.conf file.

        in.ftpd:  192.168.0.2   #Allow only FTP traffic from coyote2
        in.pop3d: 200.211.0.40  #Allow only POP-3 traffic from Explicit
                                #Allowed #1


=========FTP Anonymous users=========

  Disable anonymous FTP to your box by editing /etc/ftpaccess (the wu-ftpd
  configuration file) and make the common first line that looks like:

        class   all   real,guest,anonymous  *

  to this (notice the words "guest" and "anonymous" are gone):

        class   all   real  *


=========Shadow Passwords=========

  Slackware 3.x
  -------------

  Slackware v3.2 did not come with Shadow passwords enabled but v3.4+ does.
  For several reasons, I recommend that you just upgrade to Slackware v3.4
  if you are running an older Slackware distribution.  The upgrade will fix
  numerous security issues and has many other features as well.


  Redhat
  ------

  Redhat5, out of the box, does NOT do shadow passwords but it is fixed in
  RH 6.1 and onward.

  Confirm that your system is using SHADOW passwords by looking at the
  /etc/passwd file and make sure that the second field (the one right after
  the username) is an ":x:".  If so, make sure everything in this section
  is setup the same on your box.
  If it isn't, do the following:

        - login as root

        - type in "pwconv"

                - This will move the encrypted passwords out of the
                  world-readable /etc/passwd file into /etc/shadow (which is
                  readable only by root).

                - NOTE: pwconv does NOT change the hashing algorithm.  The
                  existing "crypt" hashes are moved as they are.  Passwords
                  only become MD5 hashed once the PAM change below is made
                  AND the password is set again with "passwd".

                - More info is available in "/usr/doc/pam-0.64/txts/pam.txt"

                - NOTE: With the old "crypt" hashing, only the first 8
                  characters of a password are used, both when the password
                  is set and when it is checked.  Anything past 8 characters
                  is silently ignored, so a "long" password is really an
                  8 character one.  MD5 hashing does not have this limit.

        - Edit the /etc/pam.d/passwd file and change the bottom lines

          NOTE:  There are (2) methods shown below.  Crypt is the OLD UNIX
                 method and is considered weak.  The newer method uses MD5
                 hashing.  I recommend the MD5 method.

          So, edit the file and change it to the following:

          For MD5 hashing (more secure and recommended):
          --
          auth       required     /lib/security/pam_pwdb.so shadow nullok
          account    required     /lib/security/pam_pwdb.so
          password   required     /lib/security/pam_cracklib.so retry=3
          password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok md5
          --

          For normal CRYPT hashing:
          --
          auth       required     /lib/security/pam_pwdb.so shadow nullok
          account    required     /lib/security/pam_pwdb.so
          password   required     /lib/security/pam_cracklib.so retry=3
          password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
          --


========= Disable ROOT TELNET/SSH access ========

  By default, most Linux distributions don't allow direct "root" logins via
  TELNET or SSH.  This is considered good security.

  - If you DO need to login via telnet as root then edit or create the
    /etc/securetty file and ADD:

        ttyp0
        ttyp1
        ttyp2

    **** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! ****

    NOTE: /etc/securetty only controls root logins through "login" (console
          and telnet).  SSH does not consult it at all; root logins over SSH
          are controlled by the "PermitRootLogin" setting in the sshd
          configuration file, which should be set to "no".


========= Disable ROOT FTP access =========

  It seems that some Linux distributions do not come with the /etc/ftpusers
  file.  Any username listed in this file is NOT allowed to FTP in.  It is
  considered POOR security to be able to FTP in as ROOT, so putting the word
  "root" into this file disables FTP logins from "root".
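The checks above (shadow passwords in use, which hash algorithm is in the shadow file, root listed in ftpusers, no pseudo-terminals left in securetty) are easy to script. The following is an added example, not part of TrinityOS; it runs only against constructed sample copies of the files in a temporary directory, never against the live /etc, and the account names and hashes in the samples are made up.

```shell
#!/bin/sh
# Added example (not TrinityOS code): audit copies of the files this part of
# the section edits.  All sample files below are constructed.

# Print "user:reason" for each /etc/passwd line whose password field is not
# the shadow marker "x": a real hash there is world-readable, an empty field
# means the account has no password at all.
passwd_unshadowed() {
    awk -F: '$2 == ""  { print $1 ":empty"; next }
             $2 != "x" { print $1 ":hash-in-passwd" }' "$1"
}

# Classify one shadow hash.  Old DES crypt hashes are exactly 13 characters
# (only the first 8 password characters count); MD5 hashes start with "$1$";
# "*" or "!..." means the account is locked.
shadow_hash_type() {
    case "$1" in
        '')        echo empty ;;
        '$1$'*)    echo md5 ;;
        '*'|'!'*)  echo locked ;;
        *)         if [ "${#1}" -eq 13 ]; then echo crypt; else echo other; fi ;;
    esac
}

# Print "user:hashtype" for every line of a shadow file.
shadow_report() {
    while IFS=: read -r user hash rest; do
        echo "$user:$(shadow_hash_type "$hash")"
    done < "$1"
}

# Succeed only if "root" is an active (uncommented) entry in ftpusers.
ftp_root_blocked() {
    grep -q '^root[[:space:]]*$' "$1"
}

# List pseudo-terminal entries in securetty; any hit means root may still
# log in over telnet.
securetty_ptys() {
    grep -E '^(ttyp|pts/)' "$1" || true
}

# ---- constructed sample files -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dranch:x:500:500::/home/dranch:/bin/bash
legacy:AbCdEfGhIjKlM:501:501::/home/legacy:/bin/bash
guest::502:502::/home/guest:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:11000:0:99999:7:::
legacy:AbCdEfGhIjKlM:11000:0:99999:7:::
nobody:*:11000:0:99999:7:::
EOF
printf 'root\nbin\n'  > "$SAMPLE_DIR/ftpusers"
printf '#root\nbin\n' > "$SAMPLE_DIR/ftpusers.bad"
printf 'tty1\ntty2\nttyp0\n' > "$SAMPLE_DIR/securetty"

# Run the audit on the samples when executed directly.
echo "-- entries not shadowed:";   passwd_unshadowed "$SAMPLE_DIR/passwd"
echo "-- hash types in shadow:";   shadow_report "$SAMPLE_DIR/shadow"
ftp_root_blocked "$SAMPLE_DIR/ftpusers" && echo "-- root is blocked from FTP"
echo "-- pty entries in securetty:"; securetty_ptys "$SAMPLE_DIR/securetty"
```

To use it on a real box, point the functions at /etc/passwd, /etc/shadow, /etc/ftpusers and /etc/securetty as root; any "hash-in-passwd", "empty" or "crypt" result is something this section tells you to fix.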
  - If you ever need to FTP into the linux box as ROOT (you shouldn't be
    able to by default), edit the "/etc/ftpusers" file and put a "#" in
    front of "root".

    NOTE: If the /etc/ftpusers file DOESN'T already exist, just create it
          with at least the line "root" in it (no "#" in front of it) and
          LEAVE it there.

        *********************************************************
        **** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE ****
        ****       SINCE THIS IS A BIG SECURITY ISSUE        ****
        *********************************************************


========= Disable misc cron stuff ==========

  * When users install Redhat, they usually install more programs than they
    plan to initially use.  Though Redhat allows users to later choose what
    daemons are and are NOT run upon boot, this does NOT disable some things
    that are loaded into the cron file.

  Redhat users:

    **NOTE**:  DON'T disable:  logrotate, tmpwatch, updatedb.cron,
                               makewhatis.cron

    - Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and
      /etc/cron.monthly and make sure that nothing is installed that you
      don't want.  For example, I had to do the following for RH 5.2:

        mkdir -m 700 /etc/cron.disabled
        mkdir -m 700 /etc/cron.disabled/cron.hourly
        mkdir -m 700 /etc/cron.disabled/cron.daily

        mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly
        mv /etc/cron.daily/inn-cron-expire    /etc/cron.disabled/cron.daily
        mv /etc/cron.daily/inn-cron-rnews     /etc/cron.disabled/cron.daily
        mv /etc/cron.daily/tetex.cron         /etc/cron.disabled/cron.daily

  Slackware Users:

    **NOTE**:  DON'T disable:  updatedb.cron

    - Realistically, you won't have the same issues as Redhat users because
      Slackware doesn't have as many bells and whistles as RH does.  BUT..
      check to make sure.  All of Slackware's cron configuration is stored
      here:

        less /var/spool/cron/crontabs/root


========= File Permission corrections ==========

  A lot of the default file permissions on Linux distributions just give
  away too much information to the enduser or hacker.
  Some people might think that some of these are paranoid but I rather be
  safe than sorry:

  NOTE:  most of these permissions reflect Redhat 5.2 but most will apply
         to any Linux distribution.

  NOTE2: If you receive any ERRORs when applying these changes, don't worry.
         That just means you don't have that package installed.

  NOTE3: A three digit mode like "chmod 750" also CLEARS the SUID/SGID bits
         on a file.  For binaries that ship SUID root (e.g. /bin/mount and
         /bin/umount) this means non-root users can no longer run them at
         all, which is the intent here.  Also be aware that reinstalling or
         upgrading a package (e.g. via rpm) puts the stock permissions back,
         so re-run this list after package updates.

        # Files in /bin
        echo "Bru is a commercial backup program but some Linux distros come with it"
        chmod 750 /bin/bru
        chmod 750 /bin/linuxconf
        chmod 750 /bin/mount
        chmod 750 /bin/mt
        chmod 750 /bin/rpm
        chmod 750 /bin/setserial
        chmod 750 /bin/umount

        # Files in /sbin
        chmod 750 /sbin/accton
        chmod 750 /sbin/badblocks
        chmod 750 /sbin/ctrlaltdel
        chmod 750 /sbin/chkconfig
        chmod 750 /sbin/chkraid
        chmod 750 /sbin/debugfs
        chmod 750 /sbin/depmod
        chmod 750 /sbin/dhcpcd
        chmod 750 /sbin/dump*
        chmod 750 /sbin/fdisk
        chmod 750 /sbin/fsck*
        chmod 750 /sbin/ftl*
        chmod 750 /sbin/getty
        chmod 750 /sbin/halt
        chmod 750 /sbin/hdparm
        chmod 750 /sbin/hwclock
        chmod 750 /sbin/ide_info
        chmod 750 /sbin/if*
        chmod 750 /sbin/init
        chmod 750 /sbin/insmod
        echo "IPFWADM is only installed for v2.0 kernels"
        chmod 750 /sbin/ipfwadm
        chmod 750 /sbin/ipx*
        chmod 750 /sbin/isapnp
        chmod 750 /sbin/kerneld
        chmod 750 /sbin/killall*
        echo "This is the new location for klogd. Please disregard any errors if this doesn't work."
        chmod 750 /sbin/klogd
        chmod 750 /sbin/lilo
        chmod 750 /sbin/mgetty
        chmod 750 /sbin/mingetty
        chmod 750 /sbin/mk*
        chmod 750 /sbin/mod*
        chmod 750 /sbin/netreport
        chmod 750 /sbin/pam*
        chmod 750 /sbin/pcinitrd
        chmod 750 /sbin/pnpdump
        chmod 750 /sbin/portmap
        chmod 750 /sbin/quotaon
        chmod 750 /sbin/raidadd
        chmod 750 /sbin/restore
        chmod 750 /sbin/runlevel
        chmod 750 /sbin/stinit
        echo "This is the old location for syslogd. Please disregard any errors if this doesn't work."
        chmod 750 /sbin/syslogd
        chmod 750 /sbin/swapon
        chmod 750 /sbin/tune2fs
        chmod 750 /sbin/uugetty
        chmod 750 /sbin/vgetty

        echo "Files in /usr/bin"
        chmod 750 /usr/bin/control-panel
        chmod 750 /usr/bin/comanche
        chmod 750 /usr/bin/eject
        chmod 750 /usr/bin/glint
        chmod 750 /usr/bin/gnome*
        chmod 750 /usr/bin/gpasswd
        chmod 750 /usr/bin/ipx*
        chmod 750 /usr/bin/kernelcfg
        chmod 755 /usr/bin/lp*
        chmod 4755 /usr/bin/lpr

        #NOTE:  I feel setting "lpr" to allow any group to execute it is
        #       a bad thing.
        #
        #       I would like to add UNIX users and even the Samba process to
        #       the "lp" group already defined in /etc/group and then be able
        #       to put things back to 4750.  BUT.. I just talked to a buddy
        #       of mine and this really isn't possible.  Linux doesn't support
        #       multiple groups per file and Linux doesn't support access lists
        #       (ACLs) yet.  So.. you either have to do all this or run LPRng.
        #
        #       Stock perms are:
        #       -r-sr-sr-x   1 root     lp          15436 Oct 17 06:49 lpq
        #       -r-sr-sr-x   1 root     lp          16176 Oct 17 06:49 lpr
        #       -r-sr-sr-x   1 root     lp          16132 Oct 17 06:49 lprm

        chmod 750 /usr/bin/mformat
        chmod 750 /usr/bin/minicom
        chmod 750 /usr/bin/mtools
        chmod 750 /usr/bin/netcfg
        chmod 750 /usr/bin/rusers
        chmod 750 /usr/bin/rwall
        chmod 750 /usr/bin/uucp

        echo "Files in /usr/sbin"
        chmod 750 /usr/sbin/am*
        chmod 750 /usr/sbin/at*
        chmod 750 /usr/sbin/automount
        chmod 750 /usr/sbin/bootp*
        chmod 750 /usr/sbin/crond
        chmod 750 /usr/sbin/dhc*
        chmod 750 /usr/sbin/dip
        chmod 750 /usr/sbin/dump*
        chmod 750 /usr/sbin/edquota
        chmod 750 /usr/sbin/exportfs
        chmod 750 /usr/sbin/fixmount
        chmod 750 /usr/sbin/ftpshut
        chmod 750 /usr/sbin/gated
        chmod 750 /usr/sbin/group*
        chmod 750 /usr/sbin/grp*
        chmod 750 /usr/sbin/imapd
        chmod 750 /usr/sbin/in.*
        chmod 750 /usr/sbin/inetd
        chmod 750 /usr/sbin/ipop*
        echo "This is the old location for klogd. Please disregard any errors if this doesn't work."
        chmod 750 /usr/sbin/klogd
        chmod 750 /usr/sbin/logrotate
        chmod 750 /usr/sbin/lp*
        chmod 755 /usr/sbin/lsof
        chmod 750 /usr/sbin/makemap
        chmod 750 /usr/sbin/mk-amd-map
        chmod 750 /usr/sbin/mouseconfig
        chmod 750 /usr/sbin/named*
        chmod 750 /usr/sbin/nmbd
        chmod 750 /usr/sbin/newusers
        chmod 750 /usr/sbin/ntp*
        chmod 750 /usr/sbin/ntsysv
        chmod 750 /usr/sbin/pppd
        chmod 750 /usr/sbin/pnpprobe
        chmod 750 /usr/sbin/pw*
        chmod 750 /usr/sbin/quota*
        chmod 750 /usr/sbin/rdev
        chmod 750 /usr/sbin/rdist
        chmod 750 /usr/sbin/repquota
        chmod 750 /usr/sbin/rhbackup
        chmod 750 /usr/sbin/rotatelogs
        chmod 750 /usr/sbin/rpc*
        chmod 750 /usr/sbin/rwhod
        chmod 750 /usr/sbin/samba
        chmod 750 /usr/sbin/setup
        chmod 750 /usr/sbin/showmount
        chmod 750 /usr/sbin/smb*
        chmod 750 /usr/sbin/sndconfig
        chmod 750 /usr/sbin/snmp*
        chmod 750 /usr/sbin/squid
        echo "This is the old location for sysklogd. Please disregard any errors if this doesn't work."
        chmod 750 /usr/sbin/syslogd
        chmod 750 /usr/sbin/taper
        chmod 750 /usr/sbin/tcpd*
        chmod 750 /usr/sbin/time*
        chmod 750 /usr/sbin/tmpwatch
        chmod 750 /usr/sbin/tunelp
        chmod 750 /usr/sbin/user*
        chmod 750 /usr/sbin/uu*
        chmod 750 /usr/sbin/vi*
        chmod 750 /usr/sbin/wire-test
        chmod 750 /usr/sbin/xntp*


========= SUID ROOT PROGRAMS =========

  - Make a list of every SUID/SGID program (programs that execute as the
    ROOT user or as a privileged group) on the box and check that none of
    them are WRITABLE by other users.  To build the list, execute the
    following command (per http://rlz.ne.mediaone.net/linux/index.html):

        mkdir -m700 /etc/info
        find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results

    So what do you do with these results?  Figure out the SUID programs that
    you need and note which ones they are and where they are.  The point is
    to make sure that no unknown programs get added to this list later.

    What about just changing their perms to NOT be SUID root?  This would be
    bad because most programs that are usually SUID ROOT *must* be this way
    or they won't work right.
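A plain "diff" of two "find -ls" listings is noisy, because the -ls output carries inode numbers, link counts and timestamps that change on every reinstall or reboot. The following added example (not TrinityOS code; the two sample listings are constructed, and /usr/local/bin/newprog is a made-up file name) reduces each listing to mode, owner, group, size and path before comparing, and separately flags the one thing that must never be on the list: a set-id file that is also world-writable.

```shell
#!/bin/sh
# Added example (not TrinityOS code): build a stable SUID/SGID baseline from
# "find ... -ls" output and report only real changes.  Sample data below is
# constructed.

# Reduce "find -ls" lines (inode blocks mode links owner group size mon day
# time path...) to "mode owner group size path".  Field 11 onward is the
# path, so paths containing spaces survive.
normalize_suid_list() {
    awk '{ line = $3 " " $5 " " $6 " " $7 " " $11;
           for (i = 12; i <= NF; i++) line = line " " $i;
           print line }' "$@" | sort
}

# Print "added <entry>" / "removed <entry>" for the differences between a
# checked baseline and a fresh listing.  Both arguments are raw -ls files.
suid_changes() {
    base=$(mktemp); cur=$(mktemp)
    normalize_suid_list "$1" > "$base"
    normalize_suid_list "$2" > "$cur"
    comm -13 "$base" "$cur" | sed 's/^/added /'
    comm -23 "$base" "$cur" | sed 's/^/removed /'
    rm -f "$base" "$cur"
}

# Print the path of any set-id file that is also world-writable: the 9th
# character of the mode string is "w" when o+w is set.  Any local user could
# overwrite such a file and run their own code with its privileges.
suid_world_writable() {
    awk 'substr($3, 9, 1) == "w" { print $11 }' "$@"
}

# ---- constructed sample listings -----------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/suid-results-checked" <<'EOF'
 32140   16 -rwsr-xr-x   1 root     root        14332 Oct 17  1999 /bin/su
 32155   28 -rwsr-xr-x   1 root     root        26012 Oct 17  1999 /bin/mount
 48022   24 -rwxr-sr-x   1 root     mail        21440 Oct 17  1999 /usr/bin/mail
EOF
# Same three files (mount reinstalled: new inode and mtime, same mode/size)
# plus one new, world-writable SUID root binary.
cat > "$SAMPLE_DIR/suid-results-new" <<'EOF'
 32140   16 -rwsr-xr-x   1 root     root        14332 Oct 17  1999 /bin/su
 40001   28 -rwsr-xr-x   1 root     root        26012 Mar  3 04:02 /bin/mount
 48022   24 -rwxr-sr-x   1 root     mail        21440 Oct 17  1999 /usr/bin/mail
 61337    8 -rwsr-xrwx   1 root     root         6120 Apr 14 23:59 /usr/local/bin/newprog
EOF

echo "-- changes since the checked baseline:"
suid_changes "$SAMPLE_DIR/suid-results-checked" "$SAMPLE_DIR/suid-results-new"
echo "-- set-id AND world-writable:"
suid_world_writable "$SAMPLE_DIR/suid-results-new"
```

Run against the real files, "suid_changes /etc/info/suid-results-checked /etc/info/suid-results-new" reports only entries whose mode, ownership, size or path changed; the reinstalled /bin/mount above is silent. A binary replaced by one of identical size and mode would also be silent, so this is a permissions check, not a substitute for a checksum-based integrity tool.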
    One concrete case: GnuPlot on a recent copy of SuSE was found SUID though
    it shouldn't have been.  Later, a person on BugTraq found this and
    created both a root exploit and a patch for it.  So... this is where you
    can be proactive and fix things.

    For the other SUID programs you don't need or don't know what they are,
    change their perms to 700 (chmod 700 <file>) or, even better yet, change
    their perms to 700 AND move them to a temporary directory so you can
    delete them later once you are SURE you don't need the programs.

    *** Once you have resolved all your SUID issues, rename this
    *** /etc/info/suid-results file to /etc/info/suid-results-checked and
    *** then fix the permissions:

        mv /etc/info/suid-results /etc/info/suid-results-checked
        chmod 600 /etc/info/suid-results-checked

    We will use this file later as a template file to check for changed
    SUID files in [Section 9]


========= Looking for R-command files =======

  Much like looking for SUID files above, it's also a good idea to look for
  R-command permission files (.rhosts and hosts.equiv), since a single
  entry in one of them lets a remote host in with no password.

        find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results

  Once you have reviewed this /etc/info/rcmd-results file for any entries
  that DON'T belong in there, rename it and fix its permissions:

        mv /etc/info/rcmd-results /etc/info/rcmd-results-checked
        chmod 600 /etc/info/rcmd-results-checked


========= Fix Xwindows permissions ==========

  * This was exploited recently in Xfree86 but I still feel that the sticky
    bit on the /tmp/.X11-unix directory should be set

        rm -rf /tmp/.X11-unix
        mkdir -p -m 1777 /tmp/.X11-unix
        chmod o+t /tmp/.X11-unix


========= LILO setup ==========

  * Be sure to read [Section 15] regarding LILO security as well


================================================================================

Section 9 - Advanced System Logging and some Cool Tips

===== SYSLOG tuning =====

  - SYSLOG is the main UNIX logging tool.  With this system, you can setup
    logging to be anywhere from very high level to extremely detailed and
    have each logging stream go to a different file.  Trust me..
    SYSLOG is your friend!

    Edit /etc/syslog.conf and -ADD- the following lines if they aren't
    already in there:

    *******
    * NOTE!!!  All space between the left and right columns MUST BE TABS.
    *          If they are SPACEs, syslog will NOT load!  Kinda stupid eh?
    *

    Redhat users:
    -------------
        *.warn;*.err                    /var/log/syslog
        auth.*;user.*;daemon.none       /var/log/loginlog
        kern.*                          /var/log/kernel

    Slackware users:
    ----------------
        *.warn;*.err                    /var/adm/syslog
        mail.*                          /var/adm/maillog
        auth.*;user.*;daemon.none       /var/adm/loginlog
        kern.*                          /var/adm/kernel

    All Distributions:

    Once you have edited the /etc/syslog.conf file, save your changes and
    exit the editor.  Now, the following files must be created for SYSLOG
    to work:

        touch /var/log/syslog
        touch /var/log/loginlog
        touch /var/log/kernel

    Next, you might see in your /var/log/messages and /var/log/syslog files
    lines that look like:

        --
        Nov 28 08:25:42 hostname -- MARK --
        --

    This is the SYSLOG daemon telling you that SYSLOG is running but had
    nothing to report.  If you don't like this behavior, you can disable it
    by editing the following file and changing the MARK time out.

    In /etc/rc.d/init.d/syslog, find the line that says:

        --
        daemon syslogd
        --

    and replace it with:

        --
        daemon syslogd -m 0
        --

    To make ALL of the above changes go into effect, run:

        killall -HUP syslogd

    Next, close down the permissions on these new files (and existing files):

    Redhat:
    -------
        chmod 600 /var/log/syslog
        chmod 600 /var/log/loginlog
        chmod 600 /var/log/kernel

        echo "Make sure old SYSLOG file perms are ok too."
        chmod 600 /etc/syslog.conf
        chmod 600 /var/log/cron
        chmod 700 /var/log/httpd
        chmod 600 /var/log/httpd/*
        chmod 600 /var/log/maillog
        chmod 600 /var/log/messages
        chmod 600 /var/log/mysql
        chmod 600 /var/log/netconf.log
        chmod 700 /var/log/samba
        chmod 600 /var/log/samba/*
        chmod 600 /var/log/sendmail.st
        chmod 600 /var/log/secure
        chmod 600 /var/log/spooler
        chmod 700 /var/log/squid
        chmod 600 /var/log/squid/*
        chmod 600 /var/log/xferlog

    Slackware:
    ----------
        chmod 600 /var/adm/syslog
        chmod 600 /var/adm/loginlog
        chmod 600 /var/adm/kernel
        chmod 600 /etc/syslog.conf

    Ok.. now restart SYSLOG:

        kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print $2}'`


====== Log Rotations ======

  Stock Redhat comes with a tool that will take your SYSLOG log files,
  rename them to the day they came from, optionally compress them, and then
  restart the log files for the next day.  This is very handy as SYSLOG
  files can get VERY large.  If you are using some other Linux distribution
  that doesn't have this feature, I highly recommend installing a program
  that will do this for you (there are many to choose from).

  - Redhat:  Next, allow the new syslog files to be rotated as well.  Add
             these lines to the /etc/logrotate.d/syslog file:

        --
        /var/log/kernel {
            postrotate
                /usr/bin/killall -9 klogd
                /usr/sbin/klogd &
            endscript
        }

        /var/log/loginlog {
            postrotate
                /usr/bin/killall -HUP syslogd
            endscript
        }

        /var/log/syslog {
            postrotate
                /usr/bin/killall -HUP syslogd
            endscript
        }
        --

    Also.. I highly recommend that you edit the /etc/logrotate.conf file
    and do the following:

        Find "#compress" and remove the "#" so it only says "compress".

        I also recommend that you comment out the wtmp and lastlog sections
        so they look like this:

        [ Why?  If these files are rotated, you won't be easily able to ]
        [ tell when users have logged in.                               ]

        ## no packages own lastlog or wtmp -- we'll rotate them here
        #/var/log/wtmp {
        #    monthly
        #    rotate 1
        #}
        #/var/log/lastlog {
        #    monthly
        #    rotate 1
        #}

    This will then compress the moved log files with Gzip.
    Finally, some log files explicitly default to no-compression.  Why?  I
    recommend to add a "#" before the "nocompress" line in each of the
    following files:

        /etc/logrotate.d/ftpd
        /etc/logrotate.d/linuxconf
        /etc/logrotate.d/sendfax

    There might be other files in this directory.  Check each one of them.

    Lastly, I recommend to go into the /etc/logrotate.d/ directory and MOVE
    log config files that you KNOW you won't be using to a "disabled"
    directory.  This is completely dependent on the services that you
    installed and then on which ones you opted to NOT run.  For me, I did:

        mkdir -m 700 /etc/logrotate.d.disabled
        mv /etc/logrotate.d/mysql /etc/logrotate.d.disabled
        mv /etc/logrotate.d/squid /etc/logrotate.d.disabled


====== rc.local cool tips and tuning ======

  - Edit the "/etc/rc.d/rc.local" file and add the following lines at
    the end:

    The following tip is a personal idea I like for both Redhat and
    Slackware.  By default, when you log in to a Linux box, it tells you the
    Linux distribution name, version, kernel version, and the name of the
    server.  Even worse, Mandrake puts up a very stupid looking Penguin.
    To me, this is giving away too much info.  I rather just prompt users
    with a "Login: " prompt (if they ever get that far past your packet
    firewall and TCP wrappers).

    To fix this, do the following:

    Place "#"s in front of the following lines like shown:

    NOTE: This looks a little different with Mandrake..

    /etc/rc.d/rc.local
    --
    ## This will overwrite /etc/issue at every boot.  So, make any changes you
    ## want to make to /etc/issue here or you will lose them when you reboot.
    #echo "" > /etc/issue
    #echo "Red Hat Linux $R" >> /etc/issue
    #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    #
    #cp -f /etc/issue /etc/issue.net
    --

    Then, do the following:

        - rm -f /etc/issue
        - rm -f /etc/issue.net
        - touch /etc/issue
        - touch /etc/issue.net
        - chmod 400 /etc/issue
        - chmod 400 /etc/issue.net

  - Also, if your Linux box stays up for several months, any kernel
    messages, errors, firewall hits, etc will OVERWRITE the output from
    "dmesg" (the kernel ring buffer is a fixed size).  Personally, I *HATE*
    this but my work-around is to make a "dmesg" copy upon every boot.  To
    do this, append the following to the bottom of your /etc/rc.d/rc.local
    file:

    /etc/rc.d/rc.local
    --
    dmesg >> /etc/info/dmesg
    --

  * Next, the following tip is a great way of seeing your various logs on
    your Linux box without having to login, etc.  Some people might feel
    that this is a security risk, but the risk is one of physical security:
    anyone at the console can read the logs.

    Edit the following file, FIND each line for say syslog or messages and
    add in the respective line:

    /etc/syslog.conf
    --
    *.warn;*.err                    /dev/tty7
    mail.*                          /dev/tty8
    kern.*                          /dev/tty8
    --

    To make these changes take effect, run the following line:

        kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print $2}'`

    Now, whenever anything is added to those log files, just go to the
    ALT-F7 or ALT-F8 VTY and see the messages roll by in real-time.

  - Like the real-time log monitor above, it's nice to be able to see errors
    in real time whenever you suspect problems via a TELNET, SSH, etc.
    To do this, create the file with the following:

    Slackware:

    /root/logit
    --
    #!/bin/sh
    tail -f /var/adm/samba/log.nmb &
    tail -f /var/adm/samba/log.smb &
    tail -f /var/adm/xferlog &
    tail -f /var/adm/maillog &
    tail -f /var/adm/secure &
    tail -f /var/adm/syslog &
    tail -f /var/adm/messages &
    --

    Redhat:

    /root/logit
    --
    #!/bin/sh
    tail -f /var/log/samba/log.nmb &
    tail -f /var/log/samba/log.smb &
    tail -f /var/log/xferlog &
    tail -f /var/log/maillog &
    tail -f /var/log/secure &
    tail -f /var/log/syslog &
    tail -f /var/log/messages &
    --

    Now, close the file and fix its permissions:

        chmod 700 /root/logit

    Now, whenever you are suspecting problems with ANYTHING on your Linux
    box, just run "/root/logit" and watch the error logs go by in real-time.

    A few tips:

        - type in "clear" at the UNIX prompt now and then to clean the
          screen up for readability's sake.

        - When logs are scrolling by but you are looking for something that
          should show up in a few seconds, hit ENTER a few times to move up
          the old log info a few lines.

    When you are done with "logit", run the command "killall tail" to stop
    all the logging.


====== A more readable BASH prompt ======

  Being a command line junky, I use the CLI (command line interface) most
  of the time.  To make things a little more easy on the eye, I recommend
  that you make the BASH prompt a little more readable.  All NON-root users
  will get a "green" colored prompt but ROOT users will get a "red" colored
  prompt.

  You can do this one of two ways.  Have it setup on a PER USER basis or
  for ALL users.  For this example, lets do it just for the ROOT user.

    1.  Copy the main bash profile to the root user's home directory:

        cp /etc/bashrc /root/.bashrc

        NOTE:  Why bashrc and not profile?  The reason being is that bashrc
               OVERRIDES anything in the profile.

    2.  Edit it and find the line for the "PS1" variable and REPLACE it
        with the following.
        This will make the prompt be a bright green (easy on the eyes) color
        for NON-root users and red for ROOT users.  It will also show the
        machine name and a condensed directory prompt:

        if [ `id -un` = root ]; then
            PS1='\[\033[1;31m\]\h:\w\$\[\033[0m\] '
        else
            PS1='\[\033[1;32m\]\h:\w\$\[\033[0m\] '
        fi

    3.  Save the .bashrc, login as the root user or run "su -" and then
        you should have the new prompt.

  For more good Bash ideas, check out the BASH howto from Section 5.

  If you wanted to do it for ALL users, make the above change to the
  /etc/bashrc file.


====== Make the apropos database ======

  One powerful command in UNIX is the "apropos" or "man -k" command.  This
  will let you do command searches on generic words like "modem", etc.  BUT,
  when you first install Linux, this database isn't complete.  It is usually
  run as a weekly cron job but I recommend to start it now:

        makewhatis -w &

  NOTE:  This command will take a while depending on HD and CPU speed.

  If you get ERRORs on the "makewhatis" command as I did in Mandrake 6.1,
  here is how to fix them.  I received the following errors (bugs in the
  distro - already reported as Bug #206).  Running this command in Mandrake
  7.0 runs without error.

        --
        bzcat: Can't open input file ./fetchmailconf.1.bz2: No such file or directory.
        bzcat: ./ksh.1.bz2 is not a bzip2 file.
        bzcat: Can't open input file ./pdksh.1.bz2: No such file or directory.
        Read file error: ./rec.1 No such file or directory
        bzcat: ./tixwish.1.bz2 is not a bzip2 file.
        bzcat: ./efence.3.bz2 is not a bzip2 file.
        Read file error: ./stm.8 No such file or directory
        Read file error: ./clockprobe.8 No such file or directory
        --

    line 1:  The /usr/man/man1/fetchmailconf.1.bz2 file is a symbolic link
             to fetchmail.1.  This file doesn't exist since its compressed
             with bz2.  To fix it, do:

                rm /usr/man/man1/fetchmailconf.1.bz2
                ln -s /usr/man/man1/fetchmail.1.bz2 /usr/man/man1/fetchmailconf.1.bz2

    line 2:  The /usr/man/man1/ksh.1.bz2 file isn't really bz2'ed.
             To fix it, do:

                mv /usr/man/man1/ksh.1.bz2 /usr/man/man1/ksh.1
                bzip2 -z /usr/man/man1/ksh.1

    line 3:  The /usr/man/man1/pdksh.1.bz2 file points to a non-bz2 file.
             (sloppy).  To fix it, do:

                Do the line-2 fix above
                rm /usr/man/man1/pdksh.1.bz2
                ln -s /usr/man/man1/ksh.1.bz2 /usr/man/man1/pdksh.1.bz2

    line 4:  The /usr/man/man1/rec.1 file points to a bogus path
             /var/tmp/sox-root//usr/man/man1/play.1 (sloppy).  To fix it, do:

                rm /usr/man/man1/rec.1
                ln -s /usr/man/man1/play.1.bz2 /usr/man/man1/rec.1.bz2

    line 5:  The /usr/man/man1/tixwish.1.bz2 file is not a bz2 file.
             To fix it, do:

                mv /usr/man/man1/tixwish.1.bz2 /usr/man/man1/tixwish.1
                bzip2 -z /usr/man/man1/tixwish.1

    line 6:  The /usr/man/man3/efence.3.bz2 file is not a valid man page.
             To fix it, do:

                rm /usr/man/man3/efence.3.bz2

    line 7:  The /usr/man/man8/stm.8 file points to a non existing file.
             To fix it, do:

                rm /usr/man/man8/stm.8
                ln -s /usr/man/man8/SVGATextMode.8.bz2 /usr/man/man8/stm.8.bz2

    line 8:  The /usr/man/man8/clockprobe.8 file points to a non existing
             file.  To fix it, do:

                rm /usr/man/man8/clockprobe.8
                ln -s /usr/man/man8/grabmode.8.bz2 /usr/man/man8/clockprobe.8.bz2

  Once you have fixed these problems, re-run "makewhatis -w" and make sure
  it completes cleanly.


====== Daily email Log ======

  ** HIGHLY RECOMMENDED for ALL Administrators **

  If you are like me, you would like to know if any strange things are
  happening to your system (processes failing, hacker attempts, etc).  This
  script also optionally monitors how many times your modem line came
  online (or failed due to busies, etc) and reports what speeds it
  connected at in a nice summarized table.

  To do this, follow these next steps (note: this isn't the prettiest
  script I've written and it needs a LOT of cleaning but it should work for
  you).

  *** Note: Other tools like Psionic LogCheck and Stanford's Swatch tools
            do this but in a MUCH cleaner fashion.  As I get those
            solutions running, this script will be replaced.
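Two parts of the sendlogs script below are easy to get wrong, as its own change log shows: picking yesterday's lines out of a syslog file (syslog writes the day of the month space-padded, "Apr  5", so a "%d" date of "Apr 05" matches nothing for the first nine days of a month) and stripping routine noise without accidentally dropping real events. The following added example (not the TrinityOS script; the log lines are constructed and the noise patterns are an assumption) does both as small functions that can be checked before they are trusted with real logs.

```shell
#!/bin/sh
# Added example (not TrinityOS code): extract one day's syslog lines and
# filter routine noise.  The sample log below is constructed.

# syslog stamps lines as "Mon DD" with the day right-justified in a two
# character field ("Apr  5", "Apr 15").  date's %d would give "Apr 05" and
# match nothing on the first nine days; %e gives the space-padded form.
# This builds the prefix from numbers so it can be tested offline; on a
# live box use:  yesterday=$(date -d yesterday +'%b %e')   (GNU date).
syslog_day_prefix() {   # $1 = month name, $2 = day of month
    printf '%s %2d' "$1" "$2"
}

# Print the lines of log file $1 that belong to day prefix $2, anchored at
# the start of the line so "Apr  5" inside a message body on another day is
# not picked up as well.
extract_day() {
    grep "^$2 " "$1"
}

# Drop routine lines.  The FTP patterns are tied to the "ftpd[pid]:" field
# rather than matched anywhere on the line, so a word like "QUIT" in a
# hostname or a login name cannot hide an unrelated event.
filter_noise() {
    grep -v -E 'ftpd\[[0-9]+\]: (PWD|PASV|TYPE|PORT|NLST|SYST|LIST|CDUP|QUIT)|-- MARK --' || true
}

# One day's report: the lines for that day, minus the noise.
day_report() {   # $1 = log file, $2 = day prefix
    extract_day "$1" "$2" | filter_noise
}

# ---- constructed sample log ---------------------------------------------
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr  5 00:02:11 coyote syslogd: -- MARK --
Apr  5 08:15:02 coyote ftpd[1203]: USER dranch
Apr  5 08:15:03 coyote ftpd[1203]: PASV
Apr  5 08:15:04 coyote ftpd[1203]: RETR TrinityOS.wri
Apr  5 08:15:05 coyote ftpd[1203]: QUIT
Apr  5 22:40:17 coyote login[1311]: FAILED LOGIN 1 FROM 192.168.0.2 FOR root
Apr 15 09:00:00 coyote ftpd[1402]: PASV
Apr 16 00:00:01 coyote kernel: message body that merely mentions Apr  5
EOF

echo "-- report for $(syslog_day_prefix Apr 5):"
day_report "$SAMPLE_LOG" "$(syslog_day_prefix Apr 5)"
```

The report for Apr 5 keeps the USER, RETR and FAILED LOGIN lines and drops the MARK, PASV and QUIT lines; the Apr 16 line is not included even though it contains the text "Apr  5". The same two functions can replace the "grep `cat yesterdays-date`" and the chain of sed commands in the script that follows.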
  ALL USERS:  The first time this script executes, you will receive some
              errors regarding:

                - todays-date and yesterdays-date

              You can safely ignore these errors!

  Slackware users:  This file should be called "/usr/local/sbin/sendlogs"
  Redhat users:     This file should be called "/usr/local/sbin/sendlogs"

  (Note:  All users:  you will need to substitute in your proper mail
  (                   address so you will get your logs
  (
  (       Slackware users:  please edit this file and change the /var/log
  (                         references to /var/adm
  (
  (       Modem users:  You will need to un-# the modem fields and make
  (                     sure that the temp file swapping from $1.tmp to
  (                     $2.tmp etc transitions are correct.
  (
  (                     I have this disabled because I'm a cablemodem
  (                     dude now but this worked well.

  ------------------------------------------------------------------------------
    All of TrinityOS's step-by-step instructions, files, and scripts are
    fully scripted out for an automatic installation at:

      http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz
  -----------------------------------------------------------------------------

  /usr/local/sbin/sendlogs
  --
  #!/bin/sh
  # TrinityOS-sendlogs.sh
  # v04/15/00
  #
  # Part of the copyrighted and servicemarked TrinityOS document.
  # http://www.ecst.csuchico.edu/~dranch
  #
  # Written and Maintained by David A. Ranch
  # dranch@trinnet.net

  # Updates:
  #
  # 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to
  #            reflect the name of your Linux system.  You should edit this
  #            to reflect your system.
  #
  # 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09.
  #            Basically, I need to reverse the change on 01/17/00.
  #
  # 02/21/00 - Doh!  We do need the spaces between %b and %d
  #
  # 01/17/00 - Fixed all the "date" issues.  Date now uses %d over %e and
  #            doesn't use any spaces.
  #
  # 01/01/00 - Fixed a missing ">" on line 139
  #
  # 12/16/99 - Fixed the RCMD mailer command at the end.
  #            The "mail -s" line needed to be ONE line
  #
  # 11/26/99 - Cleaned things up a bit
  #          - Made all file references absolute
  #
  # 02/01/99 - Added "w" to the vitals output


  # Change this variable to reflect the HOSTNAME of this box
  # --------------------------------------------------------
  HOST="TrinityOS"


  #Make sure that the "yesterdays-date" file exists.  If not, create it.
  #
  if [ -f /var/log/todays-date ]; then
     mv /var/log/todays-date /var/log/yesterdays-date;
  else
     date +'%b %e' > /var/log/yesterdays-date;
  fi

  #Make sure that the "/etc/info/logs" dir exists.  If not, create it.
  #
  if [ -d /etc/info ]; then
     if [ -d /etc/info/logs ]; then
        echo "";
     else
        mkdir /etc/info/logs;
     fi
  else
     mkdir /etc/info;
     mkdir /etc/info/logs;
  fi

  date +'%b %e' > /var/log/todays-date

  #Pull yesterday's lines out of /var/log/messages.  The date prefix MUST be
  #the syslog "%b %e" form (space padded day) or days 01-09 are missed.
  cat /var/log/messages | grep "`cat /var/log/yesterdays-date`" > /var/log/messlog.`date +'%b%d%y'`

  export f1=/var/log/messlog.`date +'%b%d%y'`
  export f2=/var/log/testfile

  echo "File 1: $f1"
  echo "File 2: $f2"

  #Strip routine FTP and PPP chatter.  Each sed pass reads one temp file and
  #writes the other.
  sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp
  sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp
  sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $f2.tmp > $f1.tmp
  sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp
  sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp

  #For messages - modem specific stuff
  #
  #sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp
  #sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tmp > $f1.tmp
  #sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp
  #sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp
  #sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e
  #    "/scans/d" -e "/abort on/d" $f1.tmp > $f2.tmp
  #sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp

  #echo -e "---------------------------------------" > /var/log/header.tmp
  #echo -e "TrinityOS Call stats for \c" >> /var/log/header.tmp
  #date >> /var/log/header.tmp
  #echo -e " " >> /var/log/header.tmp
  #echo -e "Total number of connects:  \c" >> /var/log/header.tmp
  #grep -c "CONNECT" $f1.tmp >> /var/log/header.tmp
  #echo -e "  21600: \c" >> /var/log/header.tmp
  #grep -c "21600" $f1.tmp >> /var/log/header.tmp
  #echo -e "  26400: \c" >> /var/log/header.tmp
  #grep -c "26400" $f1.tmp >> /var/log/header.tmp
  #echo -e "  28800: \c" >> /var/log/header.tmp
  #grep -c "28800" $f1.tmp >> /var/log/header.tmp
  #echo -e "  31200: \c" >> /var/log/header.tmp
  #grep -c "31200" $f1.tmp >> /var/log/header.tmp
  #echo -e "  33600: \c" >> /var/log/header.tmp
  #grep -c "33600" $f1.tmp >> /var/log/header.tmp
  #echo -e "  41333: \c" >> /var/log/header.tmp
  #grep -c "41333" $f1.tmp >> /var/log/header.tmp
  #echo -e "  42666: \c" >> /var/log/header.tmp
  #grep -c "42666" $f1.tmp >> /var/log/header.tmp
  #echo -e " " >> /var/log/header.tmp
  #echo -e "Total number of busys:  \c" >> /var/log/header.tmp
  #grep -c "BUSY" $f1.tmp >> /var/log/header.tmp
  #echo -e "---------------------------------------" >> /var/log/header.tmp
  #echo -e " " >> /var/log/header.tmp
  #cat /var/log/header.tmp >> $f1.tmp

  #For messages - named specific stuff
  #
  sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp
  sed -e "/points/d" -e "/Lame server/d" $f2.tmp > $f1.tmp

  #For messages - SSH specific
  sed -e "/Generating /d" -e "/generation /d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp

  mv $f2.tmp $f1
  rm -R /var/log/*.tmp

  mail -s "$HOST messages for `cat /var/log/yesterdays-date`" root@localhost < /var/log/messlog.`date +'%b%d%y'`
  rm /var/log/messlog.`date +'%b%d%y'`
  echo -e "\tParsed, filtered, mailed and deleted messages"
  #---------------------------------------------

  cat /var/log/syslog | grep "`cat /var/log/yesterdays-date`" > /var/log/syslog.`date +'%b%d%y'`

  export f1=/var/log/syslog.`date +'%b%d%y'`

  echo "file 1: $f1"
  echo "file 2: $f2"

  #Syslog - modem specific
  #sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" $f1 > $f1.tmp
  #sed -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" $f1.tmp > $f2.tmp
  #sed -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" $f2.tmp > $f1.tmp
  #sed -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" $f1.tmp > $f2.tmp
  #sed -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" $f2.tmp > $f1.tmp
  #sed -e "/hangup/d" -e "/RINGING^M/d" $f1.tmp > $f2.tmp
  #mv $f2.tmp $f1

  #syslog FTP
  sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" $f1 > $f1.tmp
  sed -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $f1.tmp > $f2.tmp

  #For messages
  sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f2.tmp > $f1.tmp
  sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" $f1.tmp > $f2.tmp
  sed -e "/0x02f8/d" -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" $f2.tmp > $f1.tmp
  sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f1.tmp > $f2.tmp
  sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $f2.tmp > $f1.tmp
  sed -e "/abort on/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp

  mv $f2.tmp $f1
  rm -r /var/log/*.tmp

  mail -s "$HOST syslog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/syslog.`date +'%b%d%y'`
  rm /var/log/syslog.`date +'%b%d%y'`
  echo -e "\tParsed, filtered, mailed and deleted syslog"


  cat /var/log/secure | grep "`cat /var/log/yesterdays-date`" > /var/log/secure.`date +'%b%d%y'`

  export f1=/var/log/secure.`date +'%b%d%y'`

  echo "file 1: $f1"
  echo "file 2: $f2"

  #Drop loopback (127.x) connections from the secure log
  sed -e "/127/d" $f1 >
$f1.tmp mv $f1.tmp /var/log/secure.`date +'%b%d%y'` mail -s "$HOST secure for `cat /var/log/yesterdays-date`" root@localhost < /var/log/secure.`date +'% b%d%y'` rm -r /var/log/*.tmp rm /var/log/secure.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted secure" cat /var/log/xferlog | grep "`cat /var/log/yesterdays-date`" > /var/log/xferlog.`date +'%b%d%y'` mail -s "$HOST xferlog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/xferlog.`date + '%b%d%y'` rm /var/log/xferlog.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted xferlog" cat /var/log/kernel | grep "`cat /var/log/yesterdays-date`" > /var/log/kernel.`date +'%b%d%y'` mail -s "$HOST kernel for `cat /var/log/yesterdays-date`" root@localhost < /var/log/kernel.`date +'% b%d%y'` rm /var/log/kernel.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted kernel" df > /var/log/sendlogs.`date +'%b%d%y'` echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'` w >> /var/log/sendlogs.`date +'%b%d%y'` echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'` free >> /var/log/sendlogs.`date +'%b%d%y'` echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'` ps aux >> /var/log/sendlogs.`date +'%b%d%y'` mail -s "$HOST vitals for `cat /var/log/yesterdays-date`" root@localhost < /var/log/sendlogs.`date + '%b%d%y'` rm -f /var/log/sendlogs.`date +'%b%d%y'` echo -e "\tSent system vitals.." # Create a full file system ls-laR archive in /etc/info # # NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD, # floppy, etc # in case your mail HD fails. # echo -e "\tCreated full file system ls-laR archive in /etc/info" ls -laR / | bzip2 > /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 # cp /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 /to/some/other/HD # Create a full file system du archive in /etc/info # # NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD, # floppy, etc # in case your mail HD fails. 
#
echo -e "\tCreated full file system du archive in /etc/info"
du / | bzip2 > /etc/info/logs/du.`date +'%b%d%y'`.bz2
# cp /etc/info/logs/du.`date +'%b%d%y'`.bz2 /to/some/other/HD
#
# Search for SUID/SGID programs, compare the results to the approved list
# (/etc/info/suid-results-checked must already exist; see the [Section 18]
# note below) and email the differences
#
find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results-new
diff /etc/info/suid-results-checked /etc/info/suid-results-new > /etc/info/suid-results-diff
#
mail -s "$HOST SUID results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/suid-results-diff
rm -f /etc/info/suid-results-new
rm -f /etc/info/suid-results-diff
echo -e "\tSent SUID check..\n\n"
#
# Search for .rhosts and hosts.equiv files, compare the results to the
# approved list and email the differences
#
find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results-new
diff /etc/info/rcmd-results-checked /etc/info/rcmd-results-new > /etc/info/rcmd-results-diff
#
mail -s "$HOST RCMD results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rcmd-results-diff
rm -f /etc/info/rcmd-results-new
rm -f /etc/info/rcmd-results-diff
echo -e "\tSent RCMD check..\n\n"
--

- Next, make the file executable by running "chmod 700 /usr/local/sbin/sendlogs"

- Now create the following directories and fix their permissions:

        mkdir /etc/info
        mkdir /etc/info/logs
        chmod -R 700 /etc/info

  * Before you run the "sendlogs" script, follow the procedure in [Section 18]

- Now, you have to make cron run this script every day:

  BSD-style (Slackware, etc):
  ---------------------------

  Edit the file /var/spool/cron/crontabs/root and append the following:
  --
  # Run the sendlogs program at 12:00am (midnight) everyday
  # (crontab fields: minute hour day-of-month month day-of-week command)
  0 0 * * * /usr/local/sbin/sendlogs
  --

  - That's it. Now, make cron re-read its config files by doing:

        kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'`

  SysV-style (Redhat):
  --------------------

  Create the file /etc/cron.daily/a-sendlogs and enter in:

  NOTE: Why the name "a-sendlogs"?
  The reason is that cron runs all the files in /etc/cron.daily in
  alphabetical order, and we need the sendlogs script to run BEFORE the
  "rotatelogs" script executes.

  ----
  #!/bin/sh
  cd /usr/local/sbin
  ./sendlogs
  ----

  Now make it executable via "chmod 700 /etc/cron.daily/a-sendlogs"


***********
** Creating an off-line firewall hit log

Once you start getting the parsed nightly logs, I HIGHLY recommend that you
start creating an on-going log file of your firewall hits. You can learn how
to read the firewall hits in [Section 10].

I do this by manually creating a simple ASCII text file that I populate with
the date, port #, port type, the source name (manually found via nslookup),
and the IP address. For the sites that won't reverse resolve, I just do a
traceroute to the closest named hop.

So why do I do this? Because you'll soon see trends of simple telnets to
full blown port scans from specific IPs and/or domains. Also.. some hackers
run port scans that take weeks and not minutes. If you run a log like this,
you'll catch them!

Here is one example from my "Firewall hits list" of some dirtbag that tried
to do a DoS attack against my IMAP service. Not only did my firewall stop
him, but TCP wrappers would have stopped him and I logged the fact. I've
changed the IP address to protect the luser and myself.

NOTE: Not only is it important to log the destination port the hacker was
      trying to get to but also their source port. This luser was using
      source port 0 which is a common DoS attack method:

--
01/08/99   143/tcp   Name: cc6666666-b..nj.home.com   Address: 10.0.0.1   from port 0!
--

================================================================================
================================================================================

Section 10 - MASQ startup and Advanced firewall rulesets for single and
             multi-NIC setups

If you are unfamiliar with how TCP/IP packet filters work, the following
should give you a decent start.
Please understand that if you don't understand what is being described
below, you should probably do a little research on how TCP/IP works.

--
Think of an IPFWADM or IPCHAINS ruleset like the following:

- All interfaces (any network cards, the localhost interface, etc) on a
  Linux box have INPUT, OUTPUT, and FORWARD rules.

- What is the difference between DENY and REJECT?

  DENY:   If you TELNET to a box that "denies" TELNET traffic, your TELNET
          will just sit there and seem to try and try and try to connect.
          Ultimately, the TELNET request will eventually time out.

  REJECT: If you TELNET to a box that "rejects" TELNET traffic, your TELNET
          will almost immediately return with a "Connection Refused". This
          is the normal behavior for a machine that does not SUPPORT telnet
          access such as stock versions of MS Windows9x, NT, etc.

- Why do I prefer REJECT over DENY?

  If someone connects to your server and you REJECT their traffic, it seems
  to them as if your computer cannot serve, say, TELNET connections. If you
  DENY the traffic, then their TELNET traffic just dies and their TELNET
  client eventually times out. So.. with REJECT, a hacker doesn't know if
  your machine can or cannot do TELNET. With DENY, a hacker KNOWS that you
  are filtering them. I feel that a REJECT makes your box look "dumber".

So, let's explain how a packet firewall works with an example:
--------------------------------------------------------------

- Say you have a TELNET packet (port 23) from the Internet that wants to
  reach your Linux box

  1) The TELNET packet is sent from the remote computer on the Internet

  2) The packet is received on PORT 23 by the INPUT rule on the
     -External NIC card-

  3) If the TELNET packet is matched on the INPUT to allow the packet
     through, then let the packet IN through the packet firewall.

     FYI: Some ideas of possible packet firewall rules can include:
          - source and destination IP addresses
          - TCP or UDP traffic
          - specific source and destination ports (TELNET, etc)
          - etc
     If not matched, the packet is either REJECTED or DENIED. You can also
     log the fact that this packet was killed.

  4) If passed, the TELNET packet then goes to the TELNET daemon on the
     Linux box to be processed. Once the reply TELNET traffic is generated,
     the return traffic is addressed to a HIGH PORT ( port > 1024 ) on the
     remote computer and NOT to port 23. If you don't understand this,
     please read up on TCP/IP fundamentals since this discussion is out of
     the scope of TrinityOS.

     For this example, let's say the return TELNET traffic is on port 3200.
     Now, this return port 3200 traffic is then sent to the OUTPUT filter of
     the EXTERNAL NIC card.

  5) If the packet is matched to allow the packet OUT, then let it through
     (like #3 above). If not matched, it's either REJECTED or DENIED. You
     can also log the fact that this packet was killed.

  6) Next, if the packet is on a DIFFERENT network than the destination
     address, the packet needs to be "forwarded". If the rule matches,
     forward the packet onto the correct network. If not matched, it's
     either REJECTED or DENIED. You can also log the fact that this packet
     was killed.

     NOTE: This is what a "router" does on a basic level.

  7) If finally passed, the HIGH PORT packet leaves the Linux box to go over
     the Internet connection destined to that remote computer.

  [ASCII flow diagram of the seven steps above; it did not survive
   extraction. Its boxes: the remote Internet site (*Send* on {PORT 23},
   *Received* on {PORT 3200}); the Input Rule ("Pass? or Deny/Reject?",
   "Dump Packet (possibly log it)" on failure); the Linux TCP/IP stack
   holding the Telnetd Server {PORT 23} with its Input/Forward/Output hooks;
   the Output Rule (the same Pass?/Deny/Reject? choice, Port 3200); "Check
   if packet needs to be forwarded"; and the Forward Rule ("Don't
   Forward?", "Forward?" or "FWD & MASQ it"), which writes the packet for
   the destination network address and possibly re-writes the SRC address
   for MASQ.]

Now, I want to quickly comment on the use of HIGH TCP/IP ports and what the
difference is between a PACKET firewall and a STATEFULLY INSPECTED firewall.
--
Though you might let port 23 OUT of your Linux box (TELNET), if you don't
also allow ports 1024-65535 back INTO your Linux box, TELNET won't work. Now
you might be thinking that letting in ALL high ports back into your Linux
box is a BAD thing. You know what? YOU'RE RIGHT!

Realistically, it would be nice to only allow in the return HIGH ports that
you need. This is what the "-k" option in IPFWADM or "! -y" in IPCHAINS is
for: both match only TCP packets that are NOT the connection-opening SYN, so
a rule written with them lets in the replies to sessions your box started
without letting a remote host open a NEW connection to a high port. The
problem is, IPFWADM and IPCHAINS aren't smart enough yet to understand all
TCP/IP programs such as TELNET, WWW, SSH, etc. So, for some programs you can
lock down the high ports with the "-k" or "! -y" options while other
programs will have to be configured to allow all 1024-65535 ports in.
Bummer huh?

So your next question should be "Do other firewalls have this problem?"
NO! Why? Because they use a technology called "Stateful Inspection".
Stateful firewalls actually listen to ALL network traffic step-by-step to
make sure that everything is going 100% correctly.
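To make the first-match evaluation in the walkthrough above concrete, here is a small shell simulation of an INPUT/OUTPUT rule table. It is an added example written for this edit, not TrinityOS code and not IPFWADM or IPCHAINS themselves: the rule table, the addresses (100.200.0.212 as the Linux box and 12.75.147.174 as the remote host, borrowed from the firewall log example later in this section), and the "syn" column that stands in for IPCHAINS "! -y" / IPFWADM "-k" are all constructed. It shows why a rule that admits high ports only for non-SYN packets lets return traffic in while a fresh connection attempt to port 3200 still falls through to the default DENY policy.

```shell
#!/bin/sh
# Added example (not TrinityOS code): a toy first-match packet filter in the
# style of IPFWADM/IPCHAINS, used to trace the INPUT -> daemon -> OUTPUT path.
#
# Constructed rule table. Columns: chain iface proto src dst dport syn action
#   "any"   wildcard for iface/proto/src/dst/dport/syn
#   dport   a single port or a lo:hi range
#   syn     yes = connection-opening SYN packet; no = part of an existing
#           session (what IPCHAINS "! -y" / IPFWADM "-k" select); any = both
# Rules are checked top to bottom and the first match wins, like the real tools.
FW_RULES='
input  eth0 tcp any           100.200.0.212 22         any ACCEPT
input  eth0 tcp any           100.200.0.212 23         any REJECT
input  eth0 tcp any           100.200.0.212 1024:65535 no  ACCEPT
output eth0 any 100.200.0.212 any           any        any ACCEPT
'
FW_POLICY=DENY   # default policy when no rule matches

# fw_decide CHAIN IFACE PROTO SRC DST DPORT SYN
# Prints the action of the first matching rule, or the default policy.
fw_decide() {
    printf '%s\n' "$FW_RULES" | awk -v chain="$1" -v iface="$2" -v proto="$3" \
        -v src="$4" -v dst="$5" -v dport="$6" -v syn="$7" -v policy="$FW_POLICY" '
        function m(field, val) { return field == "any" || field == val }
        function mport(field, val,  r) {
            if (field == "any") return 1
            if (split(field, r, ":") == 2) return (val + 0 >= r[1] + 0 && val + 0 <= r[2] + 0)
            return field + 0 == val + 0
        }
        NF == 8 && m($1, chain) && m($2, iface) && m($3, proto) && m($4, src) &&
        m($5, dst) && mport($6, dport) && m($7, syn) { print $8; hit = 1; exit }
        END { if (!hit) print policy }'
}

# fw_trace SRC SPORT DST DPORT
# Walks steps 2 to 7 of the text for one inbound TCP connection attempt on
# eth0: the SYN through the INPUT rule, then the daemon's reply (addressed to
# the client's high port) through the OUTPUT rule. Returns 1 if dropped.
fw_trace() {
    src=$1 sport=$2 dst=$3 dport=$4
    v=$(fw_decide input eth0 tcp "$src" "$dst" "$dport" yes)
    echo "INPUT  $src:$sport -> $dst:$dport (SYN): $v"
    [ "$v" = ACCEPT ] || { echo "dropped at INPUT, log it"; return 1; }
    v=$(fw_decide output eth0 tcp "$dst" "$src" "$sport" no)
    echo "OUTPUT $dst:$dport -> $src:$sport      : $v"
    [ "$v" = ACCEPT ] || { echo "reply dropped at OUTPUT, log it"; return 1; }
    echo "reply leaves the box for $src:$sport"
}
```

Run "fw_trace 12.75.147.174 1633 100.200.0.212 23" to see the TELNET attempt rejected at INPUT, and "fw_trace 12.75.147.174 1633 100.200.0.212 22" to see an allowed SSH connection and its reply pass both chains. The third rule is the interesting one: a packet to port 3200 with SYN set matches nothing and is DENIED by policy, while the same packet without SYN (a reply to a session this box opened) is ACCEPTED, which is exactly the distinction "-k" / "! -y" give you for the protocols they work with.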
Analogy:

  Packet firewall:   A packet firewall only checks for source and
                     destination IP addresses and port numbers. Kinda like
                     a strainer for different colored marbles (if one
                     exists).

  Stateful firewall: A stateful firewall not only checks for source and
                     destination IP addresses and port numbers, but it also
                     LISTENS to all TCP/IP communications to make sure that
                     all of the "communications" are following all
                     procedures. Think of it as a realtime grammar and spell
                     checker for "languages" like TELNET, WWW, etc. Hackers
                     try to re-write the "language" to try to break into it,
                     crash it, etc. A stateful firewall will see a given
                     TCP/IP connection running a "language" like TELNET
                     doing weird stuff that it shouldn't be doing and then
                     it simply drops that weird packet. Much better huh?

So your next question should be: "I want a statefully inspected firewall and
NOT a packet firewall. Where do I get one?!?!"

Well.. it doesn't exist... YET. The project has started but it isn't
finished yet. If you want to find out more about Statefully Inspected
firewalls for Linux, check the URLs in [Section 5]


Debugging / Monitoring your firewall
-------------------------------------

Once you set up one of the firewalls shown below, you might have some
problems getting it running or you might be getting strange new messages on
the console. What do these messages mean?
In the below rulesets, any lines that either DENY or REJECT any traffic also
have a "-o" to LOG this firewall hit to the SYSLOG messages file found
either in:

    Redhat:     /var/log
    Slackware:  /var/adm

If you look at one of these firewall logs, you would see something like the
following (this is how the kernel logs the information):

---------------------------------------------------------------------
IPFWADM:
Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254

IPCHAINS:
Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254
---------------------------------------------------------------------

There is a LOT of information in just this one line. Let's break out this
example, so refer back to the original firewall hit as you read this.
Please note that this example is for IPFWADM though it is DIRECTLY readable
for IPCHAINS users.

NOTE: To understand all the various port numbers, protocol numbers, etc.,
      I recommend you go to the TOP URL in [Section 5] and get all of the
      various documents from the IANA and put them in /etc/iana.

--------------
- This firewall "hit" occurred on: "Feb 23 07:37:01"

- This hit was on the "RoadRunner" computer.

- This hit occurred on the "IP" or TCP/IP protocol

- This hit came IN to ("fw-in") the firewall
  * Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD

- This hit was then "rej"ECTED.
  * Other logs can say "deny" or "accept"

- This firewall hit was on the "eth0" interface (Internet link)

- This hit was a "TCP" packet

- This hit came from IP address "12.75.147.174" on return port "1633".

- This hit was addressed to "100.200.0.212" on port "23" or TELNET.
  * If you don't know that port 23 is for TELNET, look at your
    /etc/services file to see what other ports are used for.

- This packet was "44" bytes long

- This packet did NOT have any "Type of Service" (TOS) set
  --Don't worry if you don't understand this.. not required to know
  * divide this by 4 to get the Type of Service for ipchains users

- This packet had the "IP ID" number of "18"
  --Don't worry if you don't understand this.. not required to know

- This packet had a 16bit fragment offset including any TCP/IP packet flags
  of "0x0000"
  --Don't worry if you don't understand this.. not required to know
  * A value that started with "0x2..." or "0x3..." means the "More
    Fragments" bit was set so more fragmente
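The field breakdown above and the off-line "Firewall hits list" described at the end of the sendlogs section can be tied together with a small parser. The following is an added shell example, not TrinityOS's own code: fw_hit_entry turns one IPFWADM or IPCHAINS kernel log line into a hit-list entry in the spirit of the "01/08/99 143/tcp ..." record, and fw_hits_from_log pulls every rejected or denied hit out of a messages file. The two sample lines are constructed for the example (LOG_IPFWADM reuses the page's own example; LOG_IPCHAINS is made up, with PROTO=6, source port 0 and the "More Fragments" bit set, aimed at IMAP 143/tcp). The "Name:" column is left as a placeholder because resolving it with nslookup or traceroute is the manual step the text describes.

```shell
#!/bin/sh
# Added example (not TrinityOS code): turn IPFWADM / IPCHAINS firewall hits
# into entries for an off-line "firewall hits list".

# Constructed sample lines. The first is the page's IPFWADM example; the
# second is a made-up IPCHAINS console line with source port 0 and the
# "More Fragments" bit set (F=0x2...), aimed at IMAP (143/tcp).
LOG_IPFWADM='Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254'
LOG_IPCHAINS='Packet log: input DENY eth0 PROTO=6 10.0.0.1:0 100.200.0.212:143 L=44 S=0x00 I=18 F=0x2000 T=254'

# fw_hit_entry LINE
# Prints one hit-list entry: timestamp, destination port/protocol, a Name:
# placeholder (fill in by hand with nslookup/traceroute, as the text does),
# source address and port (flagged with "!" when the source port is 0),
# direction/action/interface, and a note when the F= value starts with
# 0x2 or 0x3 (the "More Fragments" bit).
fw_hit_entry() {
    printf '%s\n' "$1" | awk '
    {
        dir = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^fw-(in|out|fwd)$/) { dir = $i; break }                            # IPFWADM
            if ($i ~ /^(input|output|forward)$/ && $(i-1) == "log:") { dir = $i; break } # IPCHAINS
        }
        if (dir == "") { print "unparsed: " $0; exit 1 }
        action = $(i+1); iface = $(i+2); proto = tolower($(i+3))
        sub(/^proto=/, "", proto)      # IPCHAINS prints PROTO=<IANA protocol number>
        if (proto == "6") { proto = "tcp" } else if (proto == "17") { proto = "udp" } else if (proto == "1") { proto = "icmp" }
        split($(i+4), s, ":"); split($(i+5), d, ":")   # src ip:port, dst ip:port
        # IPFWADM lines arrive through syslog with a "Mon DD HH:MM:SS" prefix;
        # an IPCHAINS console line has none
        when = ($1 ~ /^[A-Z][a-z][a-z]$/) ? ($1 " " $2 " " $3) : "(no date)"
        bang = (s[2] == "0") ? "!" : ""
        notes = ""
        for (j = i + 6; j <= NF; j++)
            if ($j ~ /^F=0x[23]/) notes = " [More Fragments]"
        printf "%s  %s/%s  Name: (resolve by hand)  Address: %s  from port %s%s  (%s %s %s)%s\n",
               when, d[2], proto, s[1], s[2], bang, dir, action, iface, notes
    }'
}

# fw_hits_from_log FILE
# Pulls every rejected or denied hit out of a messages/syslog file and emits
# one hit-list entry per line; all other syslog noise is ignored.
fw_hits_from_log() {
    grep -E 'fw-(in|out|fwd) (rej|deny) |Packet log: (input|output|forward) (DENY|REJECT) ' "$1" |
    while IFS= read -r line; do fw_hit_entry "$line"; done
}
```

Appending the output of "fw_hits_from_log /var/log/messages.`date +'%b%d%y'`" to your hits file from the nightly sendlogs run gives you the date, port, type, address and source port columns automatically; only the Name: column still needs the manual nslookup or traceroute step.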