Linux comes in several flavors which you might have heard of before. All of these 'distributions' use free software from the GNU project but they differentiate themselves by user interfaces, file placement, etc. Some of these common distributions are:
The TrinityOS documentation and TrinityOS-Archive Scripts
The CURRENT version is: 05/22/05
Please see below for a full list of TrinityOS documented features, etc
|TrinityOS is available in the following formats||Compressed|
|Chapterized HTML files||TarGZed|
|One Large HTML file||TarGZed|
|One Large ASCII Text file||TarGZed|
|One Large PDF file (output will be improved soon)||TarGZed|
|One Large PS file||TarGZed|
|One Large SGML file||TarGZed|
|All of the above TrinityOS formats in one Large TGZ file||TarGZed|
|The last WRI version (04/15/00)||TarGZed|
|Manually browse the TrinityOS documentation directory structure|
OLDER than 01/12/03
The archive link below contains all of the configuration files, firewall rulesets, etc. directly from the TrinityOS documentation, along with a step-by-step shell script to help the user semi-automatically tune and secure the Linux box quickly. You can get/view these files in one of two ways:
10/16/05 - I recently looked at the legacy "TrinityOS and Linux" forum and it seems that this OneCenter system has fallen under Spammer control. Until I find a new solution, feel free to email me.
------------------------------------------------------------------------------------
TrinityOS is a step by step, example driven, HOWTO on building a very functional Linux box with strong security in mind.

Current Features:
=========

Master References and Recommended Guidelines
--------------------------------------------
+ An extensive URL library and current version list for all installed and recommended Linux tools and applications
+ Example guidelines on documenting the hardware and partition layout of your specific hardware

Linux Distribution Thoughts:
----------------------------
+ Thoughts and recommendations on picking a Linux distribution
+ A common "Search & Replace" key to customize this doc to YOUR specific environment for both better clarity and the ability to use Search and Replace tools to customize to your specific setup

Core OS setup:
--------------
+ Configuring, compiling, installing, and booting both a 2.2.x & 2.0.x kernel
+ Lilo configuration, security, and recovery
+ PCMCIA / CARDBUS PC-Card Services
+ Software RAID 0 (striping) hard drives
+ 7-CD SCSI CD-ROM changer system
+ Automated Patching via RPM notifiers
+ EXT2 file system tuning
+ IDE hard drive performance optimization
+ Dual printing system support for both UNIX and Windows/Samba hosts

Network Connectivity:
---------------------
+ Strong, configurable, and well commented IPCHAINS and IPFWADM packet firewall rule sets for SINGLE, DUAL, and THREE NIC environments. This section also includes a complete intro on how Packet and Stateful Inspected firewalls work
+ Automated rollback script for the loading of rc.firewall rule sets so that if you make an error in the firewall rule set and the rule set doesn't complete execution, a backup rule set will be automatically loaded to restore connectivity.
+ Full LAN masquerading (NAT or Network Address Translation) using private IP addressing
+ Masq IP port forwarding support (PORTFW)
+ Three Ethernet network card support setup and TCP/IP Performance optimization (modem and cable modem users w/ DMZ support)
+ DNS servers running both primary and secondary zones using Bind in a CHROOTed and SPLIT Zone configuration
+ Full Sendmail e-mail system support w/ domain masquerading & Anti-SPAM measures with support for more than one Internet domain on one EMAIL server
+ IMAP4 / POP3 remote email service
+ DHCPd server for other LAN machines (laptops, etc)
+ DHCPc client setup for TCP/IP addresses
+ SAMBA : Full Microsoft Windows file & printing support
+ NFS: Full Sun RPC-based Network File System support
+ IPSEC (Swan) VPN [Almost Complete]
+ PPTP VPN client and forwarding through IPMASQ
+ HTTPd WWW server
+ PPP connectivity for primary PPP connectivity AND backup PPP connections
+ Dial-on-Demand (Diald) Internet connections (modem users)
  - Automatic Internet connections every 15 minutes (modem users)
+ Direct dial-in terminal / PPP access via a modem
+ NTP time calibration
+ Full UNIX LPR and SMB printing

Security:
---------
+ Complete physical and OS-level security recommendations and guidelines
+ Full SSHd (encrypted TELNET) support
+ Actively Updated Linux system security and patching (Shadow passwords, etc)
+ Advanced SYSLOG logging and nightly filtered reports emailed to the root user
+ Prioritized TrinityOS "CRITICALITY" rating system in the CHANGELOG section to gauge the level of urgency of security vulnerabilities, system mis-configurations, etc.
+ NMAP port scanning to test your packet firewall
+ Figuring out if you have been hacked.. Confirm it!
+ Prioritized ChangeLog to let users know what changes are and are NOT too important
+ Anonymized Sendmail Banners

System backup:
--------------
+ Minimum backups to floppy
+ Full tape backup to HD drives via a custom Local/NFS/Samba script
+ Full tape backups via BRU with emergency restore diskette creation
+ Full APC SmartUPS power down support (APCUPSd) with both paging support and plotting power stats with GNU Plot to a graph which is emailed via "Sendlogs"
+ Backing up the server to a CD-R [not completed yet]

More Extensive Guides:
----------------------
+ How to fix LILO, HD partitioning, and file system corruption
+ How to obtain an Internet domain(s) via a domain registrar
+ How to successfully move Internet domains across DNS servers and/or TCP/IP addresses
+ How to recover from your box being hacked and how to RE-secure it
+ How to understand and fight SPAM email
+ SSH encrypted PORTFW VPN tunnels for email, etc

Future Features:
=========
(Won't be implemented in any particular order)

* TrinityOS TO-DOs:
-------------------
+ Add more "Configuration via GUI tools" sections

* Network stuff
---------------
+ Modularize the rc.firewall ruleset so updates can be transparent and not require additional tailoring for each update.
+ Remove LPR and replace it with LPRng or CUPS
+ IPv6: Configure and setup IPv6 and possibly setup an IPv6 tunnel via the 6Bone
+ Dial Backup: Add automatic analog modem dial backup when the ADSL/Cable modem goes down
+ CODA: Replace NFS support with CODA
+ Add a CACHING only setup for 8.1.x DNS
+ Setup an email list server (MajorDomo, Petidomo, dunno yet)
+ Email sent dynamic IP address exception requests for access through the TCP Wrappers and the IPFWADM rule sets
+ DHCPc client setup for Cablemodems
+ 128-bit encrypted Apache SSL WWW server
+ Move over to xinetd for better DoS protection
+ WWW Proxy services
+ WWW banner ad filtering
+ Give instructions on compiling Xntp

* Security Stuff
----------------
+ Replace the Sendlogs script to use either Swatch or LogSentry
+ Automate the firewall hits logging for trend analysis
+ Install PGP / GPG for secure and/or verified communications to: other users, Internic, binaries/source code verification, etc.
+ Tripwire Security Breach monitoring [not completed yet]
+ SATAN / SAINT / Nessus / COPS / ISS security testing

* Application stuff
-------------------
+ Get Sendmail to run in an SMRSH shell
+ Implement Procmail to do local email filtering
+ Setup fetchmail to get remote email vs. setting up a remote .forward

* Administration stuff
----------------------
+ Rotate the UPS logs
+ Implement automatic weekly incremental tape backups to the TR4 tape drive.

* System Stuff
--------------
+ Iomega parallel ZIP drive support
------------------------------------------------------------------------------------
These are the most current versions of the Linux IP Masquerading HOWTO. If you find any spelling mistakes, typos, unclear sections, etc., please let me know.
NOTE: I have now made the DocBook version of the HOWTO the primary version and deprecated the obsolete LinuxDoc version. The LinuxDoc version did not support the 2.4.x kernels and no longer meets LDP document requirements. If you would like a copy of the old IPMASQ HOWTO in LinuxDOC format, please email me.
The current IP Masquerade HOWTO covering the 2.4.x / 2.2.x / 2.0.x kernels
- See the ChangeLog at the end of the HOWTO for recent changes:
|The IP Masquerade HOWTO is available in the following formats:||Compressed|
|Chapterized HTML files||TAR.GZed|
|One Large HTML file||GZIPed|
|One PDF file [11/13/05] - (might be out of date)||GZIPed|
|One Large SGML file||GZIPed|
|All of the above IP MASQ HOWTO formats in one Large TGZ file||TAR.GZed|
|Example rc.firewall rulesets from the HOWTO:||Tgz of all 6 |
IPMI is a newer PC hardware management system that lets you monitor the state of hardware (fan RPM, thermal temps), gain console access, and issue power commands (reset, power on, off, cycle) all from the machine's built-in Ethernet port without even having an operating system installed on the machine! That's right, no dedicated hardware for terminal servers, power management, no functioning operating system! This standard is impressive but the documentation from the various vendor tools and OpenSource sites is either vague, incomplete, or just completely incorrect. This document discusses getting full IPMI support on Linux Fedora Core3 on a SuperMicro P8SCi motherboard. Feedback and other vendor IPMI gotchas are welcome.
Check out my ipmi-s-v.sh script which does:
Details: The Grip program is a flexible tool so I wrote up how to use it in an example-based way much like TrinityOS and the IPMASQ HOWTO. Also included is a Grip shell script I wrote that encodes the initial WAV file with both the lossless FLAC format as well as 256bit high quality MP3 format. The script was written to be very flexible and it saves me a LOT of time.
I recently ran some firewire benchmarks to better understand how the same IDE HD installed into a Compucable 525DX enclosure would run behind an Agere OHCI vs. Ti OHCI IEEE1394 Firewire cards vs. natively on a UDMA100 IDE controller. Testing was run using HDPARM, Bonnie++, and "dd" on EXT2, EXT3, and ReiserFS file systems.
If you like TrinityOS but find it missing some specific topics or you need something a little more readable, check out the *original* "Securing Linux: Step-by-Step" guide I co-wrote for SANS. It was well received by the SANS Conference in San Francisco and I think you'll like it too. The above link also has the book's Table of Contents, some example pages, and other information available if you are interested. It's worth mentioning that SANS re-wrote this book without any of my input so the new version is most likely completely different.
Please note that some of the book's content DOES overlap with TrinityOS but many things covered in the "Securing Linux" book are not covered in TrinityOS and vice versa. These two documents truly complement each other at this point in time.
In addition to the IP Masq HOWTO, I wrote a decent magazine article for "Linux Magazine" on how IP Masq works.
Click on the magazine's front cover below to read the HTML version of the article.
It's unfortunate that the graphics within the HTML article are too small; fortunately, all the text is there. I'll try to get Linux Magazine to fix that.
A Linux site for TRUE beginners: All kinds of intro documents for the new Linux/UNIX user for installation, configuration, etc.
LinuxHQ: A great central site for all kinds of Linux news, tools, software, etc..
Linux.org: The original Linux WWW page. A great central site that's searchable for info, applications, etc.
Josh's LinuxGuide: Josh's Linux Guide is a great resource for the new Linux user. It covers everything from how to mount floppy disks to configuring and running X-windows!
The Signal 11 FAQ: Do you get a bunch of Signal 11 errors when you compile stuff on your Linux box? If so.. it's your HARDWARE. Seriously.. read this FAQ and it will explain a LOT to you. Whenever I build new computers.. this is how I ALWAYS test the stability of the machine. If it can compile the Linux kernel.. it will run ANYTHING!
The Master RPM Software Source: Check out this site to find all the RPMs your heart could desire!
You can almost COUNT on the fact that someone else has had your exact problem before and it's archived HERE!
Steve Clarke's IPportfw tool to forward non-MASQ'able traffic through Linux's firewall.
IPFWADM rules: How to set up a firewall on your Linux box. (See the TrinityOS doc for more advanced firewall rules).
IPFWADM Dotfile ruleset
A GUI interface to Jesper Pedersen's IPFWADM dotfile module. This will let the common Linux user set up powerful IPFWADM rulesets for your network.
Also check out:
The Linux Gazette: A !FREE! sister publication to the Linux Journal with all kinds of great stuff in it.
Check out Alan Cox's Books List for some other good ideas and recommendations.
Check out this URL on HOWTO integrate Pine with PGP.
Looking to implement or upgrade PCMCIA services on your laptop? This is PCMCIA headquarters.