dranch at trinnet dot net
TrinityOS(TM)(c) http://www.ecst.csuchico.edu/~dranch/LINUX/index.html#TrinityOS
Written, Maintained, Trademarked, and Copyrighted by David A. Ranch (dranch at trinnet dot net)
Sorry for all the legal stuff...
I've already had one company try to take the name TrinityOS from me (thus the trademark - Reg. Numbers 2440502 and 2525874). I also have had one LDP Guide author ("Securing and Optimizing Linux Red Hat Edition - A Hands on Guide") rip off a large portion of TrinityOS's content without even referencing me or TrinityOS as a source. Unfortunately, this author simply rewrote / rephrased the sections of it to avoid any direct copyright issue though the content is the same. So, with all this bad luck, I had to start covering my butt from the many lowlifes in the world.
Anyway, if you would like to use some of the content from TrinityOS in your project, you NEED to contact me first for permission. I'm an easy going guy so it won't be a big deal. Please just don't use my stuff first and ask second. That's pretty silly.
TrinityOS is a complete Linux server configuration, maintenance, and security guide for the Linux novice and guru alike! Though there are a LOT of features covered in TrinityOS, you don't have to implement all of them. All I can say is, if you are going to connect your Linux box to the Internet, at least INSTALL the packet firewall!!
This document is tailored as a step-by-step, example driven document, instead of a detailed explanation doc on each Linux feature. It doesn't go into many debugging aspects since the Linux Documentation Project's (LDP) HOWTOs already cover this. The TrinityOS document is intended for a techincal audience but hopefully everything is laid out well enough that a new user should be able to follow along without too much trouble!
All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at:
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
* For the curious, the name TrinityOS and my company, Trinity Designs, is NOT derived from being religious (the holy Trinity). The name "Trinity Designs" came from the Trinity Alps in Northern California and "TrinityOS" came from the name of the first atomic bomb testing site in White Sands, New Mexico.
Like any UNIX document, it must be updated constantly to remain relevant. I will do my best to maintain this document but all comments, ideas, etc. are appreciated to keep TrinityOS valuable!
This guide was initially based off the Slackware v3.2 distribution but due to a disk crash, I then installed Redhat 5.0 to try it out. From that point on, I now try to make TrinityOS doc reflect other distributions.
Note: Most of the initial functionality given in this document is already available in a modern day distribution such as Mandrake, Redhat, Debian, SuSe, etc. If you are using any other distribution than Redhat, Debian, etc., you will need to use this doc as a *reference* or a project management guide only. You will then need to obtain the various software sources or binaries by hand and configure the software via its native methods.
** Please note that this document will always be "Under Construction". **
Everything in the "Current Features List" has been implemented and should be documented. Some things in the "Future Features" section have already been completed though not necessarily documented yet. If you have any specific questions about the "Future" or "Current features".. feel free to ask!
#### Tangent #### # # If you have come to this doc directly, you also might want to # check out the rest of my WWW page at: # # http://www.ecst.csuchico.edu/~dranch # # It covers other topics such as: #
**********************************************************************
** Would you like to be notified when I update my WWW page or **
** specifically the TrinityOS doc? **
** **
** Every "update" e-mail is based from both the ChangeLog WWW page **
** and the TrinityOS ChangeLog section so you will know what **
** exactly was updated without any extra fluff. **
** **
** If you're interested, send an e-mail to **
** **
** mailto:dranch at trinnet dot net **
** **
** with a subject of "Add me to your updates list" and I'll add **
** you to the list! **
** **
** -P.S.- In the same request email, tell me what specifically you **
** were/are looking for on my WWW page or in TrinityOS. **
** I'm always taking new requests for additions and expanded **
** coverage of topics already on my page. **
** **
** So don't be shy! **
**********************************************************************
(Won't be implemented in any particular order)
This document uses methodologies that I have developed over the years. Some of these docs have saved my butt on several occasions (documenting things like Drive partition maps, I/O and IRQ maps). This may seem like a pain in the butt to do initially but when you need them..
YOU NEED THEM!
- Mandrake 7.0 w/ all available patches
v2.2.25
- Intel Pentium 200Mhz / 128MB EDO RAM
- Intel TC430HX motherboard (cannot tune IRQ use)
- Serial port #1: COM1 - IRQ 4
- Serial port #2: COM2 - IRQ 3
- LPT1 - IRQ 7
- IDE 0 (disabled)
- IDE 1 - IRQ 15
- Network:
Eth0: Compaq Netelligent 10/100 Dual port (PCI) - port #1 (IRQ 11)
- cable modem side
Eth1: Compaq Netelligent 10/100 Dual port (PCI) - port #2 (IRQ 14)
- Int LAN
- Video:
Matrox Millennium II (4MB) - (PCI)
- Sound:
Built-in Windows Sound System (IO:530h, IRQ: 9, L-DMA: 0, H-DMA: 1,
MPU: 330h, MPU IRQ: -1
- Controllers:
- Adaptec 2940UW SCSI controller (PCI) - IRQ: 10
- Used for SCSI disks (ext. cabling to RAID enclosure)
- Adaptec 2940U SCSI controller (PCI) - IRQ: 14
- Used for CDROMs and Tape drives (int. & ext. cabling)
- I/O Adapter - (ISA)
(2) port serial / (1) parallel
- COM3 - IRQ 4
- COM4 - IRQ 3
- LPT2 - IRQ 5
- Storage Devices:
== In the primary system case ==
- HDC: Maxtor DiamondMax+ 10.0GB (UDMA)[512k][LBA] [
- HDD: IBM 120GB HD
- SR0-6: Nakamichi 7-CD 2x changer (ID: 4)
- SR7: Philips CM4xx 4x CDROM (ID: 5)
- ST0: HP T4000 TR4 Tape drive (ID: 6) [dead?]
== In the secondary RAID enclosure ==
- SDA: Seagate ST39173N 9GB (20Mb/s) (ID: 0) - Primary HD
- SDB: Seagate ST39173N 9GB (20Mb/s) (ID: 1) -
- SDC: IBM DNES-309170 9GB (20Mb/s) (ID: 2) -
- SDD: Seagate ST39173N 9GB (20Mb/s) (ID: 3) - dd backup of SDA
- I/O:(See docs on IRQTUNE to better understand why these
are like this. It makes a difference!)
ttyS0: COM1 - APC SmartUPS UPS
ttyS1: COM2 - N/A
ttyS3: COM3 - USR Courier v.Everything
ttyS2: COM4 -
LPT1: Hp LaserJet-IIp (UNIX & Samba share)
LPT2: Canon S800 (UNIX & Samba share)
------ I/O Maps and "Expert" fdisk partition tables -----
IRQ Map:
0: timer (system)
1: keyboard (system)
2: Cascade (system)
3: COM2-N/A (Motheboard) & COM4-
4: COM1-APC Smartups (Motherboard & COM3-US Robotics modem
5: Sound (Motherboard)
6: Floppy (system)
7: LPT1-printer (motherboard)
8: Clock (system)
9: Cascade
10: Adaptec 2940U (PCI)
11: Compaq Ethernet#1 (PCI)
12: PS/2 mouse (motherboard)
13: Math coprocessor
14: Adaptec 2940UW (PCI)
15: IDE1 (motherboard)
I/O Port MAP:
170-1F7h: IDE1
1F0-1F7h: IDE0
200-207h: (not used) usually Joystick
278-27Fh: LPT1
2E8-2EFh: COM4
2F8-2FFh: COM2
330-331h: Windows Sound Systye Pro MPU-401
376-376h: IDE1
378-37Fh: LPT1
3E8-3EFh: COM3
3F0-3F5h: Floppy drive
3F6-3F6h: IDE0
530-533h: Windows Sound System
E800h: AHA2940U
EC80h: AHA2940U
FCE0: TLAN #1
FCF0: TLAN #2
E400h: System BIOS
E800h: Systen BIOS
F000h: System BIOS
DMA Map:
0 - Windows Sound System
1 - Windows Sound System
2 - Alternative Floppy DMA
3 - Floppy DMA
4 - Casecade
5 - None
6 - None
-----
All hard Drive partition tables
-----
/dev/hdc (normal mode printout - expert truncates)
==================================================
Disk /dev/hdc: 16 heads, 63 sectors, 19390 cylinders
Units = cylinders of 1008 * 512 bytes
Device Boot Begin Start End Blocks Id System
/dev/hdc1 1 1 19390 9772528+ 83 Linux native
==================================================
/dev/sda (expert mode printout)
==================================================
Disk /dev/sda: 255 heads, 63 sectors, 1106 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 80 1 1 0 254 63 6 63 112392 06
2 00 0 1 7 254 63 1023 11245517655435 05
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
5 00 1 1 7 254 63 261 63 4096512 83
6 00 1 1 262 254 63 294 63 530082 82
7 00 1 1 295 254 63 1023 6312289662 83
8 00 254 63 1023 254 63 1023 63 738927 83
==================================================
/dev/sdb (expert mode printout)
==================================================
Disk /dev/sdb: 255 heads, 63 sectors, 1106 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 00 1 1 0 254 63 1023 6317767827 83
2 00 0 0 0 0 0 0 0 0 00
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
==================================================
/dev/sdc (expert mode printout)
==================================================
Disk /dev/sdc: 255 heads, 63 sectors, 1115 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 00 1 1 0 254 63 1023 6317912412 83
2 00 0 0 0 0 0 0 0 0 00
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
==================================================
/dev/sdd (expert mode printout)
==================================================
Disk /dev/sdd: 255 heads, 63 sectors, 1106 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
1 80 1 1 0 254 63 6 63 112392 06
2 00 0 1 7 254 63 1023 11245517655435 05
3 00 0 0 0 0 0 0 0 0 00
4 00 0 0 0 0 0 0 0 0 00
5 00 1 1 7 254 63 261 63 4096512 83
6 00 1 1 262 254 63 294 63 530082 82
7 00 1 1 295 254 63 1023 6312289662 83
8 00 254 63 1023 254 63 1023 63 738927 83
==================================================
-------
--
mkdir /etc/iana
cd /etc/iana/
wget -r -l 1 -nH --no-parent http://www.iana.org/numbers.htm
Any Service Packs, security patches, etc. for your installed Slackware or Redhat distribution(s)
ftp://ftp.kernel.org/pub/linux/kernel/ or ftp://ftp.freesoftware.com/pub/linux/sunsite/kernel/
IPMASQADM port forward patches:
The beginnings of Stateful Inspection for Linux:
Primary site: http://www.samba.org/ppp/index.html/
Very popular user-space client : Primary Site: http://www.roaringpenguin.com/pppoe.html
Kernel-Space client known for somewhat better performance: http://www.davin.ottawa.on.ca/pppoe/
Some other informational URLs as well:
http://www.suse.de/~bk/PPPoE-project.html
http://www.sympaticousers.org/faq.htm
Diald is now maintained by a new author and site:
RPMS: http://ipmasq.webhop.net/juanjox/
Download the original Diald and Diald patches (Diald v0.16.5)
http://www.loonie.net/~eschenk/diald.html
Sources: ftp://ftp.isc.org/isc/bind/src/
Versions: 9.2.2 requires non-vulnverable OpenSSL code. It's also recommend to download both the source code /and/ the associated .asc PGP signature for that version of BIND.
RPMs: Finding new RPMs for the newest versions of Bind isn't very easy. Once place you might have luck is the CONTRIB area of sites like Redhat and Mandrake. Those RPMs seem to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.
You can also find a chroot-ed version of bind here:
ftp://ftp.fi.muni.cz/pub/users/kas/bind-chroot/
Announcement list:
Send email to bind-announce-request@isc.org with "subscribe" in the subject field.
ftp://ftp.freesoftware.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz
ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/management/ or ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
- Current 2.7.0
- Current 0.10.11
ftp://ftp.sendmail.org/pub/sendmail/
Both Sendmail 8.12.9 and 8.11.7 are secure though they have a problem with the "smrsh" shell. TrinityOS doesn't use this but if you are concerned about it, a patch is available. Currently, if you plan to use 8.11.x, you need to run 8.11.7 secure it from a few recently found remote root exploits.
RPMs: The newest Sendmail is NOT available in RPM form from sendmail.org but it IS in Redhat's CONTRIB area. It seems to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.
ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatContrib/libc6/i386
Announcement list:
Send an email to majordomo@Lists.Sendmail.ORG with the text "subscribe sendmail-announce" in the body of the message.
I have taken over ownership of these documents but haven't had a chance to post them yet. If you would like to get a copy of them, please email me
For allowing remote POP-3 clients to be able to use the SMTP server to send email.
To support multple email domains w/ Sendmail, Qmail, etc check out:
http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO.html
DHCP Faq: http://www.dhcp-handbook.com/dhcp_faq.html#hddhs
RFC Info: http://www.dhcp.org/rfc2131.html
http://www.dhcp.org/rfc2132.html
Legacy Info: http://www.cis.ohio-state.edu/rfc/rfc1542.txt
Download: http://www.isc.org/dhcp.html
DHCP HOWTO: http://www.tldp.org/HOWTO/mini/DHCP/index.html
dhclient v3.0.2 comes with the server code above
DHCPcd 1.3.22-p14: http://www.phystech.com/download/dhcpcd.html
Other DHCP info:
http://www.linux-firewall-tools.com/linux/firewall/index.html
A HOWTO specific to the RoadRunner Cablemodem setup, but it's still a good site: http://www.vortech.net/rrlinux/
FTP: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/
ftp://metalab.unc.edu/pub/Linux/system/network/misc/getdate_rfc868-1.2.tar.gz
http://www.eecis.udel.edu/~mills/ntp
- BRU (it's not free but it's the best Linux backup software out there IMHO. This is one place you just CAN'T skimp!) Recommended!
http://www.estinc.com
Original Mozilla (deprecated) - 1.7.8 Firefox - 1.0.4 Thunderbird - 1.0.2
Commonly used BSD licensed OpenSSH client/server (totally free) - current: 4.0p1 http://www.openssh.com/
Original Commercial SSH.com client/server (free for Linux :: for now) - current: 3.2.6.1 http://ftp.ssh.com/pub/ssh/
Additional UNIX SSH tunneling URLs:
http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html
MDADM v1.11.0): http://www.cse.unsw.edu.au/~neilb/source/mdadm/
Good but old info on Linux RAID: http://linas.org/linux/raid.html
Raidtools (DEPRECATED) 1.00.3: http://people.redhat.com/mingo/raidtools/
Also, they have great docs at http://samba.anu.edu.au/
http://pcmcia-cs.sourceforge.net/
Original and quite nice APCUPSd open-source daemon - v3.10.17a: http://www.apcupsd.com/ or http://www.sibbald.com/apcupsd/
Official APC Powerchute for Linux - v4.5.3 - Free closed-source daemon with excellent Xwindows support: http://www.apcc.com/tools/download/index.cfm
Standard Apache: http://www.apache.org or ftp://ftp.redhat.com/pub/contrib/i386/apache-1.2.6-5.i386.rpm
SSL-encrypted Apache:
Tripwire has gone OpenSource for LINUX! Woohoo! Though it isn't available quite yet, it will be there soon:
Also, as of v2.2.1, Tripwire now runs on Glibc.
http://www.tripwiresecurity.com/products/Tripwire_ASR20.cfml
You can also get the older versions here:
ftp://coast.cs.purdue.edu/pub/COAST/Tripwire
AIDE is a GNU version of Tripwire - v0.10
http://sourceforge.net/projects/aide
ViperDB is another GNU version of Tripwire
http://www.resentment.org/projects/viperdb/index.html
http://www.kaybee.org/~kirk/html/linux.html
http://cpan.valueclick.com/modules/by-module/Net/
(does not work for Redhat 5.2+) [Will be phased out] ftp://ftp.iaehv.nl/pub/users/grimaldo/rpmwatch-1.1-1.noarch.rpm
ftp://ftp.fokus.gmd.de/pub/unix/cdrecord/mkisofs/
BZip2 : http://sourceware.cygnus.com/bzip2/index.html
http://www.linuxdoc.org/HOWTO/Bash-Prompt-HOWTO.html Also see Section 42 in TrinityOS
Project home page:
http://www.xs4all.nl/~freeswan or http://www.flora.org/freeswan/
SWAN email list:
http://www.xs4all.nl/~freeswan
Overview http://www.cygnus.com/~gnu/swan.html
Download the IPSec code from:
Broken? ftp://ftp.xs4all.nl/pub/crypto/freeswan
Works ? http://ftp.xs4all.nl/pub/crypto/freeswan
or
http://www.flora.org/freeswan/download
Other Mini-HOWTOs:
https://www.seifried.org/articles/ipsec/
ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm
ftp://ftp.freesoftware.com/pub/linux/sunsite/system/security/cops_104.tgz
Newer: ftp://ftp.porcupine.org/pub/security/index.html
Older ftp://ftp.win.tue.nl/pub/security/satan.tar.Z
ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2
https://www.seifried.org/lasg/
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
Test Exploits: http://www-miaif.lip6.fr/willy/security/
Test Exploits: http://www.rootshell.org
Test Exploits: http://www.l0pht.com
Test Exploits: http://www.geek-girl.com
Security Alerts: Subscribe to BugTraq at mailto://LISTSERV@NETSPACE.ORG
More Security:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#security
http://www.ecst.csuchico.edu/~jtmurphy/
Includes host_sentry, port_sentry and logchecker.
SHADOW (SANS): http://www.nswc.navy.mil/ISSEC/CID/step.htm
Snort: http://www.snort.com
Setup HOWTO: http://www.nswc.navy.mil/ISSEC/CID/nfr.htm
NFR software: http://www.nfr.net/download/
NFR ID Attack ID Packages: http://www.nswc.navy.mil/ISSEC/CID/nfr_id.tar.gz http://www.l0pht.com/NFR/
http://www-math.uni-paderborn.de/~axel/NoShit/index.html
patch: http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz
Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt
http://www.torque.net/~campbell
http://www.xnet.com/~blatura/linapps.shtml
X-Shipwars: http://fox.mit.edu/xsw/
This is too complicated to be completely covered in TrinityOS. But, to get you started, here are a few comments that talk about what Linux distribution might be right for you.
One thing I've been asked over and over is regarding users that are trying out Linux with an old Linux CD ( given to them, etc.). With the new 2.4.x kernels out, all the newest Linux distributions BLOW AWAY the old ones in terms of ease of setup, performance, hardware compatibility, etc. So, I recommend that you get a new copy a given Linux distribution and give that a look. And you can't tell me it's expensive when you can get almost ANY Linux distribution for under $3.00 US a CD from places like http://www.cheapbytes.com.
*-----------------------------------------------------------------------------* * What do I use? I currently use Mandrake v9.1 on my work laptop (Dell) and * * * * 7.0 at home but I'm worried about Mandrake's direction (see more below) * *-----------------------------------------------------------------------------*
So, with that behind us, here is a few notes:
Redhat has recently discontinued both their regular Linux distribution via retail channels as well as their downloadable ISO version (currently 9.0). Moving forward, Redhat has created two projects. The "Fedora" project which is an opensource distribution and then their Redhat Enterprise Linux v3.0 distro line. A good question is if the Fedora project will take over where the RH9.0 distro left off in terms of quality, etc. I have no idea but I do know that the testing won't be nearly as good and I doubt the installer and GUI tools will be as refined as they've been in the past.
Fedora: The main differentiation with with the two RH distros is there isn't any Redhat commercial grade testing or tech support for the Fedora version This is no different than using distros like Debian, Gentoo, etc. which are well supported by the Linux community as a whole. All Fedora support will be via web forums, 3rd party support vendors, etc.
Enterprise Linux: The RH Enterprise Linux line offers email/phone support for 2-3 years for email/phone support and 5 years for critical security patches, etc. which is very good in my option. Unfortunately, the Enterprise line comes in three versions (workstation only (WS), small server (ES), and big server (AS)) and thus charges accordingly:
As of November, 2003 -------------------- WS - $180 - only initial install support :: Full 1 yr support is $299 US. - NO servers support - this is only a workstation (very limiting)
ES - $350 - only initial install support :: Full 1 yr support is $799 US.A - Full servers support - Dual SMP only - limited RPM package list
AS - $1500 - support included but 4 CPU version starts at $2500 US. - Full servers support - 4way CPU + - more complete RPM package list
Yes, this is expensive for a enduser but not bad for an enterprise setup. BUT, my major gripe with RHEL is that the software package list or RPM list Linux is probably < 50% that of RH 9.0 was. Check it out, here is a full list of the RHEL ES 3.0 RPMs - http://www.ecst.csuchico.edu/~dranch/LINUX/Rhel/ As you can tell, not only does this make EL expensive but you don't get a whole lot for your money other than a good software patch policy.
Anyway, Redhat has been a premier Linux distribution that has a strong installation tool and has some great system administration utilities too. One of the best parts of Redhat is its increamental RPM package installation and upgrade system. Redhat is constantly upgraded, they even support / offer patches for their oldest distro versions, and it is well supported in the Linux community.
Redhat is a good choice for the Linux newbie that wants a more server-focused distro or a GUI configuration approach running with all kinds functionality. Don't let the server focus fool you.. this distro is very desktop friendly as well. Redhat is a Gnome shop vs. a KDE-centric distro.
If you are already a UNIX snob, you might find Redhat's layout a little wierd (unless you are a Sun Solaris (SYSV) person - the /etc/rc.d/rc2.d layout is similar).
*BUT*, many people don't like Redhat. Why?
1. Redhat has a LOT of extra software built-in. Yes, you can choose the "Custom" installation process and get rid of most of the options (recommended) but a FULL install is quite large (a full RH8.0 install is 4.6GB!). Yes, you can pick a "custom" install and reduce the number of installed packages but it's still a heavy distro.
2. If you want to *learn* UNIX (not specifically Linux) in the classic LINUX step-by-step fashion and truly understand it (the hardest but BEST way (IMHO)), Redhat probably wouldn't be my first choice! Yet, I do have to admit my opinion is slowly changing though.
3. Redhat changes the entire behavior of how Linux is set up and configured compared to other distributions like Slackware to be more easy to use, modifible via scripts, etc. Unfortunately, Redhat's GUI tools don't easily tell you what it is going to do to your config files. If you want to learn UNIX in a classic fashion, go with Slackware or, to a lesser extent, Debian, SuSe, etc! Those distributions are a LOT more plain and easier to initially figure out.
4. RPM Hell. You've might have heard about this term before. What this basically means is that if you want install a given program, sometimes it has prerequisite of installing another program first. Ok, so you try to install that required program to only find thhat this sub-required program might have THREE other required programs. Then when you try to install the sub-sub programs, they TOO have requirements. Get the idea? Though it is always solved with patience (using RPM manually and installing all the required programs), many people hate RPMs for this reason. Fortunately, Redhat's newest RPM GUI tools determine all the required other programs for youi. Some say this is a fundamental flaw of the RPM system itself. I don't think it's that bad but I'm a patient kind of guy (most of the time at least).
All Newer versions of Redhat have enhanced installation programs for simple installations but with the ability to configure advanced options like software RAID, LVM, etc. Also, the ASCII, NCURSES, and X-Windows versions of the "linuxconf" and "control-panel" GUI interfaces are getting VERY cool!
Mandrake Linux, currently at version 9.2, is a close derivative of Redhat Linux with some significant changes and add-ons. The main difference between Mandrake and Redhat (even today) is that Mandrake is compiled for [ Pentium ] or newer machines. Redhat is currently compiled for Intel 386 (i386) processors though their kernels are optimized. With the Pentium optimizations alone, Mandrake can yeild anywhere from a 10-20% performance increase over RedHat on some platforms.
Next, Mandrake has been adding more customized tools to their distribution. With these tools, like the "Mandrake Updater", administration is easier. If you like GUI tools, Mandrake has them!
One thing I do want to mention is that Mandrake installers within the "Drak" have become very powerful. The installers are very simple for the newbie but can also be very powerful (installtion of software RAID, LVM, etc). Mandrake is also very security conscious and gives the user the option of different default security settings, etc.
Much like Redhat, Mandrake also shares with the RPM hell problem. Fortunately, Mandrake has RPMdrake which determines all of the required dependancies for you and fixes most of this issue.
One last thing that must be noted is that like most Linux vendors, Mandrake has changed their patch support policies. They now only offers security patches for ONE year from the release of the distro. After that, you MUST upgrade to their newest distro. The alternative is to buy their Corporate Server version which is pretty expensive (Corp. Server 1.1 is $799) but will give you support 2+ years. In comparison to Redhat and SuSe's support policies, Mandrake is both expensive and lacking equal support. This pains me as I'm a big Mandrake fan but servers need to be supported and upgrading every two years is silly. Ultimately, if it's a server that you don't plan on upgrading very often, getting the Corporate version might make sense. For a destop system, only getting patches for 1 year sucks but then again, newer distros will have more featuress, etc.
SuSE, currently in version 9.0, is a powerful distribution from Germany. I had previously tried their older releases but there was so much embedded German text in it, it bothered me so I gave up on it. I recently installed newer versions and it seemed much better. The installation program is pretty good though I think Redhat or Mandrake's is better. But, SuSE has a nice configuration tool called YaST and they were one of the first to come with the KDE window manager.
If you like the BSD style of configuring services (much like Slackware, FreeBSD, etc.), you'll like SuSe.
BUT.. recently, Novell with a grant from IBM is trying to buy SuSe. What will this mean to SuSe? Good question but it will take them a while to improve or bury it.
Debian is currently on their 3.0R1 release and though I haven't used Debian much, many people out there (mostly power users) seem to like it a lot. Debian is a community distro which means that there is no "Debian" corporation trying to make money at it. It's run and maintained by the community so the distro is only as good as the contributors. It has been best described to me as as a distribution that old Slackware users will LOVE which hate Redhat. Interestingly enough, the defunct Corel and Storm distributions were based on Debian.
Debian doesn't include the kitchen sink in for software like Mandrake or Redhat but it's laid out in a good manner and it has it's own RPM-like installation/upgrade system called dPKG with GUI frontends like "apt" or the older too, "dselect". One thing to note about Debian's package system is that unlike the "RPM hell" situation (see the Redhat section above), it can automatically determine a package's dependancies (what other programs are needed to get this particular program to run) and automatically download AND install the required packages. In this respect, Debian is still untouched in ease of use.
Like Redhat, Debian is reported to be constantly updated and well supported. Many people argue that Debian is even better updated than Redhat though they are considerably slower to release new distributions with the newest versions of Gnome, KDE, etc. compared to the other distro vendors.
Gentoo is a new distro community distro that is very similar to Debian in the respect that there is no "Gentoo" corporation trying to make money from it. It's run and maintained by the community so the distro is only as good as the contributors.
Fortunately, Gentoo brings something new to the Linux distro mix. Most traditional linux distros (Redhat, Mandrake, SuSe, etc.) all install pre-compiled binaries which makes the installation quick and painless but the resulting distro might not take advantage of your hardware (ahem.. Redhat). Gentoo takes a totally different stance on the installation phase. Specifically, after you pick the packages you want to install, Gentoo will compile ALL of them from the sources to maximize your hardware. This is great though a full installation can take DAYS if not even a WEEK or more depending on how fast your hardware is and how many packages you are installing.
Once installed, Gentoo uses the "portage" program installation system which is similar to the *BSD "ports" system. This is where everything is compiled from source. It's a pretty easy system to use as it automatically figures out where to download the programs from and how to compile them. It just is time consuming. But, the sweetest aspect to "portage" system is that with one command, you can upgrade your ENTIRE distro install to the current versions of all packages with ONE command! Very powerful though I also consider this dangerous too (config files change, too many variables if something breaks, etc.)
Slackware, now at version 9.1 is one of the original Linux distributions and it is still one of my favorites. It definately isn't as slick in terms of installation or functionality compared to Mandrake but it's laid out in a clear manner. The INIT scripts (the scripts that are executed to bring the system up) are laid out in a very readable fashion (BSD-style - So is SuSe) and everything is obvious (in the open). Slackware will be a comfortable fit for the UNIX guru peoples out there.
Like Redhat, Slackware uses a software package system (pkg) for modularized system upgrades. Though it isn't as fancy as Redhat's RPM system.. it has almost all the same functionality. Though patches do come out for Slackware, Redhat's community usually has patches available FASTER.
Caldera or SCO, now at v3.1, is the most commercial of all the Linux distributions. They initially pulled ahead of the pack with a better installation program and auto-installing hardware modules but almost everyone has caught up pretty quickly. Caldera was understood to have one of the easiest installation program of ALL the distributions though Mandrake might have them beat now.
Caldera differentiates itself by trying to meet the needs of the corporate market. For example, they have completed a port of Novell's NDS directory services to Linux. Pretty cool!
But, it should be noted that SCO seems to be taking on Linux on the legal front. They are sueing various companies for Millions if not Billions of dollars. In my opinion, this is a last gasp for them to stay alive but this isn't a way to keep the Linux community happy with them.
There are other Distributions out there to pick from depending on your hardware platform (Dec Alpha, Motorola PowerPC, etc) such as:
TurboLinux - popular in Japan / Network clusters
LinuxPPc http://www.linuxppc.org - for PowerPC machines
LinuxPro http://www.wgs.com/
LinuxWare http://www.trans-am.com/
MkLinux http://www.mklinux.apple.com/ - For 680x0 and PPC Apples
Stampede http://www.stampede.org/
You'll have to experiment and ask other Linux people what distribution they like and WHY! Personally, I'd recommend to get one of those multiple Distrobution CD sets from places like http://www.cheapbytes.com and try them out yourself!!
For more Distribution details, check out:
http://www.linux.org/dist/english.html
http://www.tldp.org/HOWTO/CD-Distributions-EN-HOWTO/index.html
http://www.linuxgazette.com/issue31/hughes.html
Like ANY Linux distribution, bug fixes, security releases, etc. are always coming out and you NEED to stay on top of it. Remember, Linux is very functional but without a given security patch, a hacker can break into your box and do ANYTHING! Redhat, Debian, Slackware, etc have their own incremental update systems that makes this easier.
P.S. If the program you update to with "pkgadd" has different configuration file layouts, you will have to the conversion manually. Debian and Redhat's systems can do the conversion for you though I've had mixed results with this.
Go to the Redhat Updates URL in Section 5 and download all the recent patches to a directory (ie. /tmp/patches). Once you have all of the newest RPMs, you should use the "Fresh" option of the RPM tool. This will update the RPMs on your machine ONLY if an older version of the RPM is installed on your machine. So, I recommend thast you do:
rpm -Fvh /tmp/patches/*
Also, please heed these following warnings regarding RPMs:
******************************************************************************* ** Don't always trust RPMs!!!! ** ** ** ** See [Section 50] for more specific instructions on how to use ** ** RPMs, see what files will be installed/replaced/OVERWRITTEN BEFORE you ** ** install them, etc. ** ******************************************************************************* ** Staying on top of new RP Ms ** ** ** ** You should also implement the RPM notification tool that is documented ** ** in [Section 43] to stay on-top of this in the future! ** *******************************************************************************
----------------------------------------------
This is how the TrinityOS network is laid out:
--
Network topology diagram:
________
/ \
|Internet >------------------+
\________/ |
Cablemodem
|
+-----------------------+
| | |
| External Link: eth0 |
| IP: 100.200.0.212 |
_________ | DGW: 100.200.0.1 |
/ Various \ | |
| Remote | | ------------ |
| Sites >-ISDN--|- External Link: ppp0 |
| & | | IP: dynamic |
| Internet| | ------------ |
| link | | DMZ Link: eth2 ---|----< To 802.11b wireless network
\ backup / | IP: 192.168.10.1 | IP: 192.168.10.x
--------- | ------------ | DGW: 192.168.10.1
| | DNS: 192.168.10.1
| Internal Link: eth1 |
| IP: 192.168.0.1 |
| | |
+-----------------------+
|
8-port 100Mb/s switch
|
+----+----+----+----+----+----+----+----+
| | | | | | | | |
PC PC PC PC PC PC PC PC PC
#1 #2 #3 #4 #5 #6 #7 #8 #9
|
|
/----------------\
IP: 192.168.0.2
DGW: 192.168.0.1
DNS: 192.168.0.1
- Next, this section is to custom tailor your copy of TrinityOS to your specific
environment. Do a search/replace on the "Search for" fields and replace them
with your correct "replace with" fields.
PLEASE NOTE: If you are going to use IP Masquerading, you should use one of the private address spaces as described in RFC 1918 http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html such as:
search for replace with (given as an example)
---------- ----------------------------------
Your main login ID johndoe your-login
Your PPP ISP name your-ppp-isp-name your-ppp-isp-name
Your PPP ISP # 555-1212 555-1234
Your PPP login your-ppp-login your-ppp-login
Your PPP password your-ppp-passwd your-ppp-passwd
The Linux machine
name roadrunner your-linux-boxes-name
Domain Name acme123.com yourdomain.org
Second Domain Name another-domain.com yourseconddomain.org
Internal IP network 192.168.0.0 192.168.0.0
Internal IP address 192.168.0.10 192.168.0.10
Internal gateway IP 192.168.0.1 192.168.0.1
Internal broadcast IP 192.168.0.255 192.168.0.255
Internal DMZ IP network 192.168.10.0 192.168.10.0
Internal DMZ IP address 192.168.10.10 192.168.10.10
Internal DMZ gateway IP 192.168.10.1 192.168.10.1
Internal broadcast DMZ IP 192.168.10.255 192.168.10.255
External IP network 100.200.0.0 100.201.0.0
External IP address 100.200.0.212 100.201.0.212
External gateway IP 100.200.0.1 100.201.0.1
External broadcast IP 100.200.0.255 100.201.0.255
Remote SECONDARY DNS ns.backupacme.com ns.yourdomain.org
External secondary DNS 102.200.0.25 102.201.0.25
Reverse DNS lookup 54.44.80.10 50.0.201.102
Explict allowed IP#1 200.211.0.40 200.244.0.40
Explict allowed IP#2 200.211.0.41 200.244.0.41
Explict allowed IP#3 200.211.0.42 200.244.0.42
Explict allowed IP#4 200.211.0.43 200.244.0.43
ISP DNS server #1 10.200.200.69 10.222.222.44
ISP DNS server #2 10.200.200.96 10.222.222.88
Your SMB Workgroup: ACME123 your-linux-boxes-SMB-workgroup-name
Your pager email: 1234567@skytel.com 2321432342@skytel.com
An internal PORTFWed
MASQ machine name: coyote one-internal-MASQed-machine-name
A internal PORTFWed
MASQ machine IP: 192.168.0.20 192.168.0.20
Internal machines
allowed to connect
to the MASQ server: 192.168.0.11 192.168.0.11
192.168.0.12 192.168.0.12
Remote PPTP setup
PPTP server running at: MyEmployer.com MyEmployer.com
PPTP server IP: 220.1.2.3 220.1.2.3
PPTP username: YourUserNameHERE YourUserNameHERE
PPTP CHAP name: REMOTE-PPTP-CHAP-HERE REMOTE-PPTP-CHAP-HERE
* These are errors, bugs, annoyances, etc that I've notice in Redhat5.x. But, these might be fixed in later CD releases, patches, etc.
http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
chmod -R 750 /etc/cron.hourly
chmod -R 750 /etc/cron.hourly/*
chmod -R 750 /etc/cron.daily
chmod -R 750 /etc/cron.daily/*
chmod -R 750 /etc/cron.weekly
chmod -R 750 /etc/cron.weekly/*
chmod -R 750 /etc/cron.monthly
chmod -R 750 /etc/cron.monthly/*
MINICOM="-c on"
export MINICOM
alias ls='ls --color=yes'
export CC="colorgcc"
TZ=PST8PDT
Now edit the "EXPORT PATH" line and append the word "TZ"
NOTE: Changing this behavior makes the permissions of all NEWLY created files only readable by certain users and groups. This can have a detrimental effect on programs that need to be used by multiple users. The default is "umask 002 else umask 022".
NOTE2: If you see two "umask" lines, change them BOTH to 027
- edit /etc/profile, find the umask line(s) and make them it read "umask 027"
NOTE: The changes were:
ln -s /usr/local/bin/tar /bin/tar
:.Z: : :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS : : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS :.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP : : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR : : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS : : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
Bad, Bad, Bad. Only "root" and admin groups should be able to do this type of adminstration.
chmod -R 770 /etc/rc.d/init.d/*
================================================================================
This covers CMOS setups, disable ports, TCP wrappers, shadow passwds, etc.
First thing, I would recommend to do in addition to following TrinityOS for your needed purposes, read LDP's Security HOWTO for a more detailed explanation of what to do. Interestingly enough, I never read it until recently and a LOT of things I had independantly recommend was already in the Security HOWTO too! So, it sounds like we are on-track! I recommend you read it too! The URL is in Section 5.
Upon system boot, enter into the CMOS setup
- I recommend the combination of upper and lower case characters with numbers!
By changing the BIOS boot order from A:,C: to C:,A:
If you are extra paranoid, you can set the floppy drive to READ only or even disable the floppy drive all together if you wish.
- Now, boot back into Linux and make sure you have a password for the root login
passwd root
Pl3a5eGet0ut and Pl3a5eGe
Because of this, you need a strong password and it can ONLY be 8-characters long. You REALLY should use a combination of UPPER and lower case characters, numbers, and special characters such as:
[ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ]
Fortunately enough, the newer Linux distributions have fixed this issue. But regardless if this has been fixed on your distribution or not, it IS important that you choose a strong passwd.
This ensures that only the file's owner can delete
a given file in /tmp (Fixed in RH6.x):
chmod 1777 /tmp
- This is pretty important if you don't have the best physical security on the box:
- Do implement this, edit /etc/inittab and change the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
- Now, for the system to understand the change, type in the following at a prompt
/sbin/init q
Newer Redhat:
prompt=yes
prompt=no
NOTE: Use this command if you are logged in as root and want to LOCK the ttys without having to log fully out and back in again. Nice!
NOTE: Regardless of Linux distribution, you might want to SKIP some of the following steps if you plan to run:
(though this is specific to Redhat, the following is a good read for ALL Linux users.)
The way that Redhat boots is the SysV way. This is where the OS will execute ALL files for a given runlevel (see definition below) that start with a "S" (that's a CAPITAL "S") and have a number after that in a numerical order from lowest to highest. For example, it will run "S10network" before it runs "S30syslog".
So what's a RUN-level? A run-level is the mode that the machine will load various system programs. Though this varies from Unix to Unix (Linux, Solaris, AIX, HP-UX, etc.), they are similar. For Linux, this is the run-levels (from /etc/inittab):
Please note that some Linux distributions have slight variations:
Also, if you didn't already notice, all of the files in various runlevel directories like /etc/rc.d/rc0, 1, 2, 3, 4, 5, 6.d are actually just symbolic links to all the real script files in /etc/rc.d/init.d! This makes things more manageable.
So, since Linux usually runs in multi-user / non-Xwindows mode, that means runlevel "3" will execute all files in the /etc/rc.d/rc3.d directory. Then, the system will begin to run ALL files starting with "S" in order. When you shutdown or restart the machine, you change the machine into runlevel "0" or "1". This will first execute all commands from the initial runlevel directory of "3" starting with "K". If the given process isn't already running, like my example for LPD, it will just skip it and move on. Get it?
The way that Slackware boots is the BSD way. It will execute the /etc/rc.d/rc.inet1 (network interfaces) file first. Then, it will run the /etc/rc.d/rc.inet2 (network services) file. This is much more readable than the Redhat method but its harder to maintain (IMHO).
BSD-Style: Edit the following files in /etc/rc.d/ and make these changes unless you need that service.
- rc.M (disable email and WWW servers)
- line 75: #'d out all lines for Sendmail
- line 97: #'d out all lines for httpd
- rc.inet2 (disable SERVER and NFS servers)
- line 14: #'d out all lines for lpd
- line 15: #'d out all lines for lpd
- line 31: #'d out all lines for portmap
- line 72: #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd
There are at least (6) ways to turn on/off what daemons load:
Via A GUI interface:
This process manipulation can be done either via:
Note - Though I'm a command line bigot, I feel the "ntsysv" GUI is the fastest way to modify these options!
NOTE #2 - It should be noted that some people really feel that if you are going to disable a package, you might as well REMOVE IT. This is technically MORE secure (nothing to run an exploit against) nor does it take up any disk space. Personally, I usually side with functionality and rather just disable the service vs. delete it all together. Now, if you're sure that you'll NEVER use this service, definately recommend to delete the package.
To DELETE a given package:
To remove packages:
NOTE #3 - I've found that when you first run these GUI tools, they will default to running and disabling some processes they SHOULDN'T! So, be careful and make sure that the tool is starting/stopping the correct daemons. Confirm this by going into the correct runlevel directory, say /etc/rc.d/rc3.d, and making sure only the minimal S* files are there.
With "chkconfig":
Please note that there might be some daemons that are missing and/or extra in your specific /etc/rc.d/init.d directory so make sure you enable/disable the appropriate ones for your needs.
--
#Disable automounters
chkconfig --level 2345 amd off
#Disable unless this is a laptop
chkconfig --level 2345 apmd off
#Disable unless you want to run batch programs within certain loads
chkconfig --level 2345 atd off
#Disable unless you want emails of EVERY ARP on your network segment
chkconfig --level 2345 arpwatch off
#Disable unless you want boot diskless workstations
chkconfig --level 2345 bootparamd off
#Disable unless this machine will be a DHCP *SERVER*
chkconfig --level 2345 dhcpd off
#Disable unless this machine will be a full blown router
chkconfig --level 2345 gated off
#Disable unless this machine will be a WWW server
chkconfig --level 2345 httpd off
#Disable unless this machine uses a modularized kernel
# NOTE: Not needed for 2.2.x+ kernels
chkconfig --level 2345 kerneld off
#Disable unless you really want to configure remote machines via Linuxconf
chkconfig --level 2345 linuxconf off
#Disable unless this machine will be a print server
#(for the local or remote machine)
chkconfig --level 2345 lpd off
#Disable unless you really need the proprietary MC server
chkconfig --level 2345 mcserv off
#Disable unless this machine will be a database server
chkconfig --level 2345 mysql off
#Disable unless this machine will be a caching or full blown DNS server
chkconfig --level 2345 named off
#Disable unless this machine will be a NFS server
chkconfig --level 2345 nfs off
#Disable unless this machine is a laptop or the PC has PCMCIA cards
chkconfig --level 2345 pcmcia off
#Disable unless this machine will be an NFS server or needs RPC tools
chkconfig --level 2345 portmap off
#Disable all R-cmds
chkconfig --level 2345 rusersd off
chkconfig --level 2345 rwalld off
chkconfig --level 2345 rwhod off
#Disable unless this machine is a email server
chkconfig --level 345 sendmail off
#Disable unless this machine is a Samba (MS File&Print) server
chkconfig --level 345 smb off
#Disable unless this machine is to support SNMP
chkconfig --level 2345 snmpd off
#Disable unless this machine is a local/remote HTTP proxy server
chkconfig --level 2345 squid off
#Disable unless this machine will be running X-windows
chkconfig --level 2345 xfs off
#Disable unless this machine will be an NTP server
chkconfig --level 2345 xntpd off
#Disable unless this machine will be part of a NIS/YP domain
chkconfig --level 2345 ypbind off
chkconfig --level 2345 yppasswdd off
#Disable unless this machine will be a NIS/YP server
chkconfig --level 2345 ypserv off
Manually:
NOTE: only do this to the processes you WON'T use.
NOTE #2: If, for some reason, any of the K or S* files don't exist and you want them to be there, use one of the GUI tools above.
Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d
- mv S08autofs K08autofs
- mv S20nfs K20nfs
(unless this is for a full or caching NFS server)
- mv S20rusersd K20rusersd
- mv S20rwalld K20rwalld
- mv S20rwhod K20rwhod
- mv S30mcserv K30mcserv
- mv S98kerneld K98kerneld
- mv S35smb K35smb (unless this is for a Samba F&P server)
- mv S60lpd K60lpd (unless this is for a print server)
- mv S65portmap K65portmap (unless this is for a NFS server)
- mv S95nfsfs K95nfsfs (unless this is for a NFS server)
- mv S45pcmcia K45pcmcia (unless this for a laptop)
- mv S65dhcpd K65dhcpd (unless this is for a DHCP server)
- mv S85httpd K85httpd (unless this is for a WWW server)
- mv S80sendmail K80sendmail (unless this is for a mail server)
Inetd and Xinetd are called the "super servers" as they load a network server based upon a request from the network. I personally recommend that any service that you DON'T need shouldn't be able to load. This both minimizes CPU and Memory load as well as greatly reduces your security risk.
* The exceptions that I leave in and secure via a firewall and * TCPwrappers are: * * TELNET, FTP, SSH, sometimes TALK, POP-3, IMAP, and maybe FINGER. *
Newer Linux distributions no longer use "inetd" but instead use a newer version called "xinetd". This new version allows for much more granular configuration as well as superior logging, etc. Overall, I really recommend Xinetd though it does take a little time to get used to.
XINETD: ------- Go into the /etc/xinetd.d directory and edit each of the files in that directoru. In each one of the service files that should be disabled, make sure that a line reading "disable = yes" is present. For example
/etc/xinetd.d/chargen
# default: off
# description: A chargen server. This is the tcp \
# version.
service chargen
{
type = INTERNAL
id = chargen-stream
socket_type = stream
protocol = tcp
user = root
wait = no
disable = yes
}
I recommend to disable the following services and any other services enabled in your machine that you don't need (unless noted below).
To make the change take effect, type in:
INETD: ------ I recommend to edit the /etc/inetd.conf file and place a "#" in front of the lines to disable them (if not already done).
As noted above for Xinetd, some items you might want to leave enabled. Some you might want to leave available until you install a secure alternative like SSH):
Once you make these changes, finish editing the file. To make the change take effect, type in:
More and more Linux distributions are shipping with secure defaults. But, never ASSUME that things are locked down. CONFIRM IT!
- Edit "/etc/hosts.deny" and insert the following at the end of the file:
ALL: ALL
It should also be noted that TCP wrappers supports extensive logging and remote banners. Please see the end of this section for a detailed example.
- edit "/etc/hosts.allow" and insert lines at the end of the file for each IP and or Domain that you want to allow access to the Linux box.
NOTE: Do NOT use DNS names for the hosts as DNS can be spoofed. Use TCP/IP addresses instead.
ALL: 127.0.0.1 #Needed for some local services like comsat
ALL: 200.211.0.40 #Securehost
ALL: w.x.y.z
For example:
ALL: 192.168.0.2 #Allow everything from coyote2
ALL: 200.211.0.40 #Allow all traffic from Explict Allowed #1
ALL: 200.211.1. #Allow *ALL* traffic from all hosts on the 200.211.1.x
#network. Yes, the option should END with a
single "."
in.ftpd: 192.168.0.2 #Allow only FTP traffic from coyote2
in.pop3d: 200.211.0.40 #All only pop-3 traffuc from Explict Allowed #1
TCP Wrapper logging and banner support
As mentioned above, TCP wrappers support advanced features like logging and sending text banners to the remote machine. To do this, you want to change the /etc/hosts.deny file to look something like the following:
# The following example will DENY all traffic except finger.
# For finger, it will allow the request but log it, send a banner and THEN
# deny it
#
# First, set up a booby trap and bounce message for all except finger
# and log attempt to /var/log/tcpwrappers.log
ALL except in.fingerd: ALL \
:spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root;\
date >>/var/log/tcpwrappers.log;\
echo '%u@%h (%d) connection attempted.' >>/root/access.log)& \
:rfc931 45\
:twist /bin/echo \
$'\nAccess to this system is limited to authorized users. \
\n%u@%h is not a valid ID to access %d \
\non this system. This attempt has been logged. \n'
# Now log and bounce message for finger
#
in.fingerd: ALL\
:spawn (date >>/var/log/tcpwrappers.log; \
echo '%u@%h (%d) connection attempted.' >>/var/log/tcpwrappers.log)& \
:rfc931 45\
:twist /bin/echo \
$'\nAccess to this system is limited to authorized users. \
\n%u@%h is not a valid ID to access %d \
\non this system. This \
attempt has been logged.\
\n'
Disable anonymous FTP to your box by editing /etc/ftpaccess and change the common first line that looks like:
class all real,guest,anonymous *
class all real *
In most earily Linux distributions, all user's passwords were stored in the /etc/passwd file. These passwords were then encrypted by the "crypt" tool. The problem with this setup was that anyone could get these encrypted passwords and crypt's encryption was very poor. These passwords could then be broken with publically available tools. In recent times, the shadow system was implemented where the passwords were hashed with the MD5 algorithm and placed the resulting MD5 hased passwords in /etc/shadow.
To quickly see if your machine is "shadow" enabled, look at the "/etc/passwd" file. In this file, you will see the username, password, UserID (UID), GroupID (GID), Home Directory, and the user's default shell all separated by colons (:). Anyway, if you see "x"s in the second left-hand field, the password field, then you are done! If you DON'T see "x"s in that field.. you need to follow these directions or better yet.. get a newer distribution!
Slackware v3.2 did not come with Shadow passwords enabled but v3.4+ does. For several reasons, I recommend that you just upgrade to Slackware v3.4 if you are running an older Slackware distribution. The upgrade will fix numerous security issues and has many other features as well.
Redhat5, out of the box, does NOT do shadow passwords (stupid) but it is fixed in RH 6.1 and onward.
Confirm that your system is using SHADOW passwords by looking at the /etc/passwd file and make sure that the second left-hand field next to the username is a ":x:". If so, make sure everthing in this section is setup the same on your box.
If it isn't do the following:
- login as root
- type in "pwconv"
- This will convert the /etc/passwd file and move the encrypted passwords over to /etc/shadow and change the encryption algorithm from the weak "crypt" system to "md5"
- More info is available in "/usr/doc/pam-0.64/txts/pam.txt"
- NOTE: Using passwords more than 8 characters will NOT work. Use larger passwords and prepare NOT to be able to login again!
- Edit the /etc/pam.d/passwd file and change the bottom lines
NOTE: There are (2) methods shown below. Crypt is the OLD UNIX method and is considered weak. The newer method uses MD5 hashing. I recommend the MD5 method.
So, edit the file and change it to the following:
For MD5 hashing (more secure and recommended):
--
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so shadow use_authtok nullok md5
--
--
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so shadow use_authtok nullok
--
By default, most Linux distributions don't allow direct "root" logins via TELNET or SSH. This is considered good security.
- If you DO need to login via telnet as root then edit or create the /etc/securetty file and ADD the following:
ttyp0
ttyp1
ttyp2
Please note that newer Linux distributions now use the DevFS system. If your system uses DevFS, you should add the following in addition to the "ttyp0, ttyp1, etc." system. If you are using DevFS full time, you can delete the ttyp0, etc. lines.
vc/1
vc/2
**** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! ****
It seems that some Linux distributions do not come with the /etc/ftpusers file. This file basically is for when any usernames in this file, they are NOT allowed to FTP in. Usually, it is considered POOR security to be able to FTP in as ROOT. By putting the word "root" into this file, this disables FTP logins from "root".
- If you ever need to FTP into the linux box as ROOT (you shouldn't be able to by default), edit the "/etc/ftpusers" file and put a "#" in front of "root".
NOTE: If the /etc/ftpusers file DOESN'T already exist, just create it. Once you are done, LEAVE it there with at least the line "root" without a "#" in front of it.
*********************************************************
**** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE ****
**** SINCE THIS IS A BIG SECURITY ISSUE ****
*********************************************************
* When users install Redhat, they usually install more programs than they plan to initially use. Though Redhat allows users to later choose what daemons are and are NOT run upon boot, this does NOT disable some things that are loaded into the cron file.
As mentioned before in this section, unless you plan on using the functionality of a specific product, DON'T disable a given cron entry. Just delete the package all together as described above.
**NOTE**: DON'T disable: logrotate, tmpwatch, updatedb.cron, makewhatis.cron
- Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly and make sure that nothing is installed that you don't want. For example, I had to do the following for RH 5.2:
mkdir -m 700 /etc/cron.disabled
mkdir -m 700 /etc/cron.disabled/cron.hourly
mkdir -m 700 /etc/cron.disabled/cron.daily
mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly
mv /etc/cron.daily/inn-cron-expire /etc/cron.disabled/cron.daily
mv /etc/cron.daily/inn-cron-rnews /etc/cron.disabled/cron.daily
mv /etc/cron.daily/tetex.cron /etc/cron.disabled/cron.daily
**NOTE**: DON'T disable: updatedb.cron
- Realistically, you won't have the same issues as Redhat users because Slackware doesn't have as many bells and whistles as RH does. BUT, check to make sure. All of Slackware's cron configuration is stored here.
less /var/spool/cron/crontabs/root
A lot of the default file permissions on Linux distributions just give away too much information to the end user or hacker. Some people might think that some of these are paranoid but I'd rather be safe than sorry:
NOTE: Most of these permissions reflect Redhat 5.2 but most will apply to any Linux distribution.
NOTE2: If you receive any ERRORs when applying these changes, don't worry. That just means you don't have that package installed.
It is highly recommended that you apply these permissions via the TrinityOS-security script to avoid typing mistakes and save time.
# Files in /dev chmod 660 /dev/lp* # Files in /bin echo "Bru is a commercial backup program but some Linux distributions come with it" chmod 750 /bin/bru chmod 750 /bin/linuxconf chmod 750 /bin/mount chmod 750 /bin/mt chmod 750 /bin/rpm chmod 750 /bin/setserial chmod 4750 /bin/su chgrp adm /bin/su chmod 750 /bin/umount # Files in /sbin chmod 750 /sbin/accton chmod 750 /sbin/badblocks chmod 750 /sbin/ctrlaltdel chmod 750 /sbin/chkconfig chmod 750 /sbin/chkraid chmod 750 /sbin/debugfs chmod 750 /sbin/depmod chmod 750 /sbin/dhcpcd chmod 750 /sbin/dump* chmod 750 /sbin/fdisk chmod 750 /sbin/fsck* chmod 750 /sbin/ftl* chmod 750 /sbin/getty chmod 750 /sbin/halt chmod 750 /sbin/hdparm chmod 750 /sbin/hwclock chmod 750 /sbin/ide_info chmod 750 /sbin/if* chmod 750 /sbin/init chmod 750 /sbin/insmod echo "IPFWADM is only installed for v2.0 kernels" chmod 750 /sbin/ipfwadm chmod 750 /sbin/ipx* chmod 750 /sbin/isapnp chmod 750 /sbin/kerneld chmod 750 /sbin/killall* echo "This is the new location for klogd. Please disregard any errors if this doesn't work." chmod 750 /sbin/klogd chmod 750 /sbin/lilo chmod 750 /sbin/mgetty chmod 750 /sbin/mingetty chmod 750 /sbin/mk* chmod 750 /sbin/mod* chmod 750 /sbin/netreport chmod 750 /sbin/pam* chmod 750 /sbin/pcinitrd chmod 750 /sbin/pnpdump chmod 750 /sbin/portmap chmod 750 /sbin/quotaon chmod 750 /sbin/raidadd chmod 750 /sbin/restore chmod 750 /sbin/runlevel chmod 750 /sbin/stinit echo "This is the old location for klogd. Please disregard any errors if this doesn't work." chmod 750 /sbin/syslogd chmod 750 /sbin/swapon chmod 750 /sbin/tune2fs chmod 750 /sbin/uugetty chmod 750 /sbin/vgetty echo "Files in /usr/bin" chmod 750 /usr/bin/control-panel chmod 750 /usr/bin/comanche chmod 750 /usr/bin/eject chmod 750 /usr/bin/glint chmod 750 /usr/bin/gnome* chmod 750 /usr/bin/gpasswd chmod 750 /usr/bin/ipx* chmod 750 /usr/bin/kernelcfg chmod 755 /usr/bin/lp* chmod 4755 /usr/bin/lpr #NOTE: I feel setting "lpr" to allow any group to execute it is # a bad thing. # # I would like to add UNIX users and even the Samba process to # the "lp" group already defined in /etc/groups and then be able # to put things back to to 4750. BUT, I just talked to a buddy # of mine and this really isn't possible. Linux doesn't support # multiple groups per file and Linux doesn't support access lists # (ACLs') yet. So, you either have to do all this or run LPRng. # # Stock permissionss are: # -r-sr-sr-x 1 root lp 15436 Oct 17 06:49 lpq # -r-sr-sr-x 1 root lp 16176 Oct 17 06:49 lpr # -r-sr-sr-x 1 root lp 16132 Oct 17 06:49 lprm chmod 750 /usr/bin/mformat chmod 750 /usr/bin/minicom chmod 750 /usr/bin/mtools chmod 750 /usr/bin/netcfg chmod 750 /usr/bin/rusers chmod 750 /usr/bin/rwall chmod 750 /usr/bin/uucp echo "Files in /usr/sbin" chmod 750 /usr/sbin/am* chmod 750 /usr/sbin/at* chmod 750 /usr/sbin/automount chmod 750 /usr/sbin/bootp* chmod 750 /usr/sbin/crond chmod 750 /usr/sbin/dhc* chmod 750 /usr/sbin/dip chmod 750 /usr/sbin/dump* chmod 750 /usr/sbin/edquota chmod 750 /usr/sbin/exportfs chmod 750 /usr/sbin/fixmount chmod 750 /usr/sbin/ftpshut chmod 750 /usr/sbin/gated chmod 750 /usr/sbin/group* chmod 750 /usr/sbin/grp* chmod 750 /usr/sbin/imapd chmod 750 /usr/sbin/in.* chmod 750 /usr/sbin/inetd chmod 750 /usr/sbin/ipop* echo "This is the old location for klogd. Please disregard any errors if this doesn't work." chmod 750 /usr/sbin/klogd chmod 750 /usr/sbin/logrotate chmod 750 /usr/sbin/lp* chmod 755 /usr/sbin/lsof chmod 750 /usr/sbin/makemap chmod 750 /usr/sbin/mk-amd-map chmod 750 /usr/sbin/mouseconfig chmod 750 /usr/sbin/named* chmod 750 /usr/sbin/nmbd chmod 750 /usr/sbin/newusers chmod 750 /usr/sbin/ntp* chmod 750 /usr/sbin/ntsysv chmod 750 /usr/sbin/pppd chmod 750 /usr/sbin/pnpprobe chmod 750 /usr/sbin/pw* chmod 750 /usr/sbin/quota* chmod 750 /usr/sbin/rdev chmod 750 /usr/sbin/rdist chmod 750 /usr/sbin/repquota chmod 750 /usr/sbin/rhbackup chmod 750 /usr/sbin/rotatelogs chmod 750 /usr/sbin/rpc* chmod 750 /usr/sbin/rwhod chmod 750 /usr/sbin/samba chmod 750 /usr/sbin/setup chmod 750 /usr/sbin/showmount chmod 750 /usr/sbin/smb* chmod 750 /usr/sbin/sndconfig chmod 750 /usr/sbin/snmp* chmod 750 /usr/sbin/squid echo "This is the old location for sysklogd. Please disregard any errors if this doesn't work." chmod 750 /usr/sbin/syslogd chmod 750 /usr/sbin/taper chmod 750 /usr/sbin/tcpd* chmod 750 /usr/sbin/time* chmod 750 /usr/sbin/tmpwatch chmod 750 /usr/sbin/tunelp chmod 750 /usr/sbin/user* chmod 750 /usr/sbin/uu* chmod 750 /usr/sbin/vi* chmod 750 /usr/sbin/wire-test chmod 750 /usr/sbin/xntp*
- Check that there aren't any SUID ROOT (programs that execute as the ROOT user) that are WRITABLE by other users. To do this, execute this following command (per http://rlz.ne.mediaone.net/linux/index.html):
mkdir -m700 /etc/info
find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results
So what do you do with these results?
Figure out the SUID programs that you need and note which ones they are and where they are. The issue is to just make sure that no other unknonwn programs don't get added to this list. What about just changing their permissions to NOT be SUID root? This would be bad because most programs that are usually SUID ROOT *must* be this way or they won't work right.
But, for example, GnuPlot on a recent copy of SuSE was found SUID though it shouldn't have been. Later, a person on BugTraq found this and created both a root exploit and patch for it. So, this is where you can be proactive and fix things.
For the other SUID programs you don't need or know what they are, change their permissions to 700 (chmod 700 *) or even better yet, change their permissionss to 700, move them to a temporary directory to later delete them once you are SURE you don't need the programs.
*** Once you have resolved all your SUID issues, rename this *** /etc/info/suid-results file to /etc/info/suid-results-checked and then *** fix the permissions:
mv /etc/info/suid-results /etc/info/suid-results-checked
chmod 600 /etc/info/suid-results-checked
We will use this file later as a template file to check for changed SUID files in Section 9
Much like looking for SUID files above, it is also a good idea to look for R-command permission files.
find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results
Once you have reviewed this /etc/info/rcmd-results file for any entries that DON'T belong in there, rename it and fix its permissions:
mv /etc/info/rcmd-results /etc/info/rcmd-results-checked
chmod 600 /etc/info/rcmd-results-checked
* This was exploited recently in Xfree86 but I still feel that the sticky bit on the /tmp/.X11-unix directory should be set
rm -rf /tmp/.X11-unix
mkdir -p -m 1777 /tmp/.X11-unix
chmod o+t /tmp/.X11-unix
- SYSLOG is the main UNIX logging tool. With this system, you can setup logging to be very high level to extremely detailed and have each logging stream go to a different file. Trust me, SYSLOG is your friend!
Edit /etc/syslog.conf and -ADD- the following lines if they aren't already in there:
******* * NOTE!!! All space from the left and right columns MUST BE TABS. * If they are SPACEs, syslog will NOT load! Kinda stupid eh? *
Redhat users:
*.warn;*.err /var/log/syslog
auth.*;user.*;daemon.none /var/log/loginlog
kern.* /var/log/kernel
Slackware users:
*.warn;*.err /var/adm/syslog
mail.* /var/adm/maillog
auth.*;user.*;daemon.none /var/adm/loginlog
kern.* /var/adm/kernel
All Distributions: Once you have edited the /etc/syslog.conf file, save your changes and exit the editor. Now, following files must be created for SYSLOG to work:
touch /var/log/syslog
touch /var/log/loginlog
touch /var/log/kernel
--
Nov 28 08:25:42 hostname -- MARK --
--
This is the SYSLOG daemon telling you that SYSLOG is running but had nothing to report. If you don't like this behavior, you can disable it by editing the following file and changing the MARK time out.
In /etc/rc.d/init.d/syslog, find the line that says:
--
daemon syslogd
--
and replace it with:
--
daemon syslogd -m 0
--
To make ALL of the above changes go into effect, run:
Next, close down these new files (and existing files) permissions:
chmod 600 /var/log/syslog
chmod 600 /var/log/loginlog
chmod 600 /var/log/kernel
echo "Make sure old SYSLOG file perms are ok too."
chmod 600 /etc/syslog.conf
chmod 600 /var/log/cron
chmod 700 /var/log/httpd
chmod 600 /var/log/httpd/*
chmod 600 /var/log/maillog
chmod 600 /var/log/messages
chmod 600 /var/log/mysql
chmod 600 /var/log/netconf.log
chmod 700 /var/log/samba
chmod 600 /var/log/samba/*
chmod 600 /var/log/sendmail.st
chmod 600 /var/log/secure
chmod 600 /var/log/spooler
chmod 700 /var/log/squid
chmod 600 /var/log/squid/*
chmod 600 /var/log/xferlog
chmod 600 /var/adm/syslog
chmod 600 /var/adm/loginlog
chmod 600 /var/adm/kernel
chmod 600 /etc/syslog.conf
Ok, now restart SYSLOG:
Stock Redhat comes with a tool that will take your SYSLOG log files, rename them to the day they came from, optionally compress them, and then restart the log files for the next day. This is very handy as SYSLOG files can get VERY large. If you are using some other Linux distribution that doesn't have this feature, I highly recommend installed a program that will do this for you (there are many to choose from).
- Redhat:
Next, allow the new syslog file to be rotated as well. Add these lines to the /etc/logrotate.d/syslog:
--
/var/log/kernel {
postrotate
/usr/bin/killall -9 klogd
/sbin/klogd &
endscript
}
/var/log/loginlog {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/syslog {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
--
Also.. I highly recommend that you edit the /etc/logrotate.conf file and do the following:
Find "#compress" and remove the "#" so it only says "compress".
I also recommend that your #ed out the sections to look like this:
[ Why? If these files are rotated, you won't be easily able to ] [ tell when users have logged in. ]
## no packages own lastlog or wtmp -- we'll rotate them here
#/var/log/wtmp {
# monthly
# rotate 1
#}
#/var/log/lastlog {
# monthly
# rotate 1
#}
This will then compress the moved log files with Gzip.
Finally, some log files explicitly default to no-compression. Why? I recommend to add a "#" before the "nocompress" line in each of the following files:
/etc/logrotate.d/ftpd
/etc/logrotate.d/linuxconf
/etc/logrotate.d/sendfax
There might be other files in this directory. Check each one of them.
Lastly, I recommend to go into the /etc/logrotate.d/ directory and MOVE log config files that you KNOW you won't be using to a "disabled" directory. This is completely dependant on the services that you installed and then on which ones you opted to NOT run.
As mentioned before, for packages that you KNOW you won't ever use, instead of disabling the logrotation for a given package, DELETE the entire package either using RPM or PKGDEL.
To manually disable things:
mkdir -m 700 /etc/logrotate.d.disabled
mv /etc/logrotate.d/mysql /etc/logrotate.d.disabled
mv /etc/logrotate.d/squid /etc/logrotate.d.disabled
- Edit the "/etc/rc.d/rc.local" file and add the following lines at the end:
The following tip is a personal idea I like for both Redhat and Slackware. By default, then you login to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. Even worse, Mandrake puts up a very stupid looking Penguin.
To me, this is giving away too much info. I rather just prompt users with a "Login: " prompt (if they ever get that far past your packet firewall and TCP wrappers).
To fix this, do the following:
Place "#"s in front of the following lines like shown:
NOTE: This looks a little different with Mandrake:
/etc/rc.d/rc.local
## This will overwrite /etc/issue at every boot. So, make any changes you ## want to make to /etc/issue here or you will lose them when you reboot. #echo "" > /etc/issue #echo "Red Hat Linux $R" >> /etc/issue #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue # #cp -f /etc/issue /etc/issue.net
Then, do the following:
- rm -f /etc/issue - rm -f /etc/issue.net - touch /etc/issue - touch /etc/issue.net - chmod 400 /etc/issue - chmod 400 /etc/issue.net
/etc/rc.d/rc.local
dmesg >> /etc/info/dmesg
* Next, the following tip is a great way of seeing your various logs on your Linux box without having to login, etc. Some people might feel that this is a security risk but the risk stems from physical security.
Edit the following file and FIND each line for, say syslog or messages, and add in the respective line:
/etc/syslog.conf
*.warn;*.err /dev/tty7 mail.* /dev/tty8 kern.* /dev/tty8
To make these changes take effect, run the following line:
Now, whenever anything is added to those log files, just go to the ALT-F7 or F8 VTY and see the messages roll by in real-time.
* Like the real-time log monitor above, it's nice to be able to see errors in real time whenever you suspect problems via a TELNET, SSH, etc. To do this, create the file with the following:
Slackware:
/root/logit
-- #/bin/sh tail -f /var/adm/samba/log.nmb & tail -f /var/adm/samba/log.smb & tail -f /var/adm/xferlog & tail -f /var/adm/maillog & tail -f /var/adm/secure & tail -f /var/adm/syslog & tail -f /var/adm/messages & --
Redhat:
/root/logit
-- #!/bin/sh tail -f /var/log/samba/log.nmb & tail -f /var/log/samba/log.smb & tail -f /var/log/xferlog & tail -f /var/log/maillog & tail -f /var/log/secure & tail -f /var/log/syslog & tail -f /var/log/messages & --
Now, fix the permissions for it:
chmod 700 /root/logit
Close the file and then fix it's permissions with "chmod 700 /usr/local/sbin/logit".
Now, whenever you are suspecting problems with ANYTHING on your Linux box, just run "/root/logit" and watch the error logs go by in real-time.
A few tips: - type in "clear" at the UNIX prompt now and then to clean the screen up for readibility sake.
- When logs are scrolling by but you are looking for something that should show up in a few seconds, hit ENTER a few times to move up the old log info a few lines.
When you are done with "logit", run the command "killall tail" to stop all the logging.
Being a command line junky, I use the CLI (command line interface) most of the time. To make things a little easier on the eye, I recommend that you make the BASH prompt a little more easy on the eye. All NON-root users will get a "green" colored prompt but ROOT users will get a "red" colored prompt.
You can do this one of two ways. Have it setup on a PER USER basis or for ALL users.
For this example, let's do it just for the ROOT user.
1. Copy the main bash profile to the root user's home directory:
cp /etc/bashrc /root/.bashrc
NOTE: Why bashrc and not profile? The reason being is that bashrc OVERRIDES anything in the profile.
2. Edit it and find the line for the "PS1" variable and REPLACE it with the following. This will