New additions added on: 07/09/03
TrinityOS(c)
Written and Maintained by: David A. Ranch

These are all of the OLD updates to the TrinityOS doc found at:

-------------------------------------------------------------------------------
=== Added 07/09/03 ==========================================================

01/12/03  (* Sent Update *)
N - Added the example to the Search/Replace system to show the setup of
    multiple domains on your DNS server.
    [Section 7 - Search/Replace]
I - Added a subsection about what happens when a MASTER DNS server is either
    GOING to be unavailable for more than a week OR IS ALREADY down and will
    be out for over a week. This is VERY IMPORTANT to read if you don't
    already understand the issue.
G - Updated the internal DNS server's named.conf file to filter "lame server"
    log messages. I also added a little paragraph explaining what a lame
    server really is.
N - Added the use of the example to make setting up multiple master domains
    more clear.
G - Made the recommendation that when picking a domain registrar, make sure
    they offer the ability to make updates via an SSLed WWW page and not via
    some old-school email method.
N - Generalized the BIND version numbers throughout the section.
G - Went through the entire chapter and cleaned up the text, removed old NSI
    pricing of $70/2yrs per domain.
    [Section 24 - DNS]
G - Added a little subsection talking about DNS MX records. I can't believe I
    didn't explicitly mention this before. Yes, it was implicitly mentioned
    in the DNS section. Without MX records, an email server just won't work.
    [Section 25 - SMTP]
G - Synced the serial ports to all be 9600 baud.
  - Added a missing sub-section to have the LOGIN process respond to the
    serial port.
    [Section 55 - Console ports]
------------------
01/06/03
G - Updated the SMTP aliases section to reflect that it will be rolled into
    Section 25.
  - Also updated some of the verbiage in this section.
    [Section 18 - SMTP Aliases]
G - Significantly updated the Sendmail section to reflect multiple forms of a
    backup SMTP server. Also expanded the section to be more clear, address
    some specific gotchas, why I still use Sendmail vs. other MTAs, etc.
    [Section 25 - Sendmail]
------------------
12/18/02
G - Updated the UPS section to reflect some issues with APC's Powerchute
    software for Linux. I also added to the CONs section of the Powerchute
    software. Please note that this does NOT reflect APC's new Powerchute
    Business Edition software.
    [Section 36 - UPS]
------------------
12/15/02
N - Updated Samba to 2.2.7a
    [Section 5 - URLs]
G - Added the --with-smbwrapper compile option
    [Section 33 - Samba]
------------------
12/13/02  (* Sent Update *)
G - Published to WWW site - sorry for the delay
------------------
11/28/02
G - Updated to reflect that Sendmail 8.12.6 and 8.11.6 have an smrsh security
    bug but it doesn't affect the TrinityOS configuration.
*C* - Updated to reflect that Samba is at 2.2.7
*C* - Updated the DHCPcd version to reflect v1.3.22-p12
*C* - Updated the kernel versions to 2.4.20 and 2.2.22. The 2.4.20 and 2.2.22
    kernel versions fix a locally generated DoS attack that can crash the
    kernel.
    [Section 5 - URLs]
*C* - Updated the section to verify the md5sum hash of the libpcap and tcpdump
    sources as the site was broken into and trojaned code was installed.
    [Section 21 - tcpdump]
N - Updated the copying of the Bind man files to reflect issues with not
    having OpenJade, etc.
    [Section 24 - DNS]
G - Updated to reflect that Sendmail 8.12.6 and 8.11.6 have an smrsh security
    bug but it doesn't affect the TrinityOS configuration. This section also
    mentions a good
G - Updated the RPM and source installation section to verify the PGP
    signatures.
I - Added an 8.12.6 / 8.11.6 smrsh bug workaround for TrinityOS
    configurations without the need to patch and recompile.
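The md5sum and PGP checks called for in the tcpdump, Sendmail and Samba entries above come down to one procedure: compare the tarball against a published hash, then verify the detached signature against a key obtained out-of-band. The helper below is an added example, not a TrinityOS script or the author's own commands. It uses SHA-256 where the 2002 entries used md5sum (same procedure, stronger hash); it assumes GNU coreutils sha256sum and gpg on the PATH, and the file names, expected hash and keyring path in the usage comment are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example, not a TrinityOS script: verify a source tarball before
# unpacking it. Two independent checks:
#   1. hash_matches  - the file's SHA-256 equals the value the project
#      published (catches a swapped tarball, as with the trojaned
#      libpcap/tcpdump sources; SHA-256 stands in for the md5sum used then)
#   2. sig_verifies  - a detached PGP signature (.asc) verifies against a
#      keyring fetched out-of-band (also catches a swapped checksum file,
#      since whoever replaced the tarball can replace the .md5 beside it)
# Assumptions: GNU coreutils sha256sum and gpg are on PATH; file names,
# the expected hash and the keyring path are supplied by the caller.

# hash_matches FILE EXPECTED_SHA256 -> 0 if the SHA-256 of FILE is EXPECTED
hash_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}') || actual=""
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# sig_verifies FILE SIGFILE KEYRING -> 0 if gpg accepts the detached
# signature using ONLY the named keyring (never the default ~/.gnupg one,
# so a stray key somebody imported cannot satisfy the check).
sig_verifies() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# verify_tarball FILE EXPECTED_SHA256 [SIGFILE KEYRING]
# 0 only if the hash matches and, when a signature is given, it verifies.
# 1 on hash mismatch, 2 on signature failure; a missing signature is only
# warned about, because not every project publishes one.
verify_tarball() {
    file=$1; expected=$2; sig=$3; keyring=$4
    if ! hash_matches "$file" "$expected"; then
        echo "FAIL: $file: hash mismatch (expected $expected)" >&2
        return 1
    fi
    if [ -n "$sig" ]; then
        if ! sig_verifies "$file" "$sig" "$keyring"; then
            echo "FAIL: $file: PGP signature $sig did not verify" >&2
            return 2
        fi
    else
        echo "WARN: $file: no signature supplied, hash check only" >&2
    fi
    echo "OK: $file"
}

# Usage (placeholder names):
#   verify_tarball samba-2.2.7a.tar.gz "$EXPECTED_SHA256" \
#       samba-2.2.7a.tar.gz.asc /root/keys/samba-release.gpg \
#   && tar xzf samba-2.2.7a.tar.gz
```

The expected hash and the keyring have to come from somewhere other than the download mirror (the project's signed announcement, a key you already had), otherwise both checks only prove that the mirror is consistent with itself.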
    [Section 25 - Sendmail]
*C* - Updated the Samba section to reflect 2.2.7. This version fixes a known
    security problem with the "m" macro.
M - Removed the --with-vfs option as it's now built in.
N - Added additional comments and information on the Samba section
G - Added PGP source code verification commands. This is becoming a critical
    issue as various OpenSource packages have been trojaned over the years.
    [Section 33 - Samba]
*C* - All versions of DHCPcd prior to 1.3.22-p12 are vulnerable to rogue DHCP
    servers being able to execute any commands on the DHCP client.
    [Section 34 - DHCPcd]
------------------
11/25/02
N - Updated the current Bind8 version to 8.3.4
    [Section 5 - URLs]
N - Updated the DNS section to reflect Bind 9.2.1 and 8.3.4
*C* - Added the missing "mknod" command to create the /dev/random and
    /dev/zero devices required in the Bind CHROOT jails. This wasn't
    required for Bind 9.1.x
*C* - Changed the default of the EXTERNAL zone to not do recursion. This makes
    the DNS server only reply for domains YOU run. All remote DNS lookups
    (recursion) are done by the INTERNAL server.
G - Updated the /etc/rc.d/init.d/named script to make sure people edit the
    script to activate the correct Bind version
N - Updated the example startup logs to show a Bind 9.2.x startup
G - Added a quick Bind error troubleshooting section
    [Section 24 - DNS]
------------------
11/14/02
N - Updated the current Bind version to 8.3.3-Patch1
    [Section 5 - URLs]
*C* - Updated the Bind section to note that the minimum secure 8.3.x version
    of Bind is 8.3.3-REL-patch1
    [Section 24 - DNS]
------------------
10/20/02  (* Sent Update *)
G - Released to WWW site
------------------
09/15/02
N - Swapped sections 53 and 54
    [Section 53 - Linux DESKTOP : Section 53 - Patching]
N - Removed a bunch of old exploit patching logs (cruft).
    Aug.97 - Jan.00
    [Section 53 - Patching]
G * Added a new section "Section 55 - Serial Linux Consoles and Reverse
    TELNET". This section shows how to send LILO, kernel, and bootup logs
    over a serial port. In addition, it also covers how to set up a Reverse
    TELNET terminal service on Linux with the use of a multi-port serial
    card.
    [Section 55 - Linux Serial Console]
N - Changed all of my email addresses to use words like "at" and "dot" to
    see if I can throttle back my SPAM problem.
    [Multiple Sections]
------------------
08/16/02
N - Fixed an incorrect MX record from to
    Thanks to Robbie Read for catching this.
    [Section 24 - DNS]
------------------
07/31/02
N - Updated the versions of SSH
    [Section 5 - URLs]
G - Updated the SSH section to use additional configure statements.
    [Section 30 - SSH]
------------------
07/20/02
G - Fixed some incorrectly referenced drive assignments: /dev/sdc1 to
    /dev/sda1
  - Added some comments into the /etc/raidtab file
    [Section 31 - RAID]
------------------
07/04/02
N - Updated Bind to 8.3.3
    [Section 3 - URLs]
N - Updated the DNS section to read better
G - Updated the "check Bind version" section to use dig in addition to the
    deprecated nslookup command
N - Added a Bind version check for chrooted named binaries
I - Updated the minimum secure version to 8.2.5
    [Section 24 - DNS]
------------------
05/28/02
G - Fixed some permission issues for the startppp and stopppp scripts.
    Thanks to Aaron Powell for the errata
    [Section 22]
------------------
05/12/02
G - Updated the Anti-spam note in the Sendmail section. Overall, I'm coming
    to the impression that the anti-spam blackhole lists don't work very
    well and cause more problems than they filter spam. Stay tuned.
    [Section 25 - Sendmail]
------------------
05/11/02
G - Updated the version for DHCPd
    [Section 5 - URLs]
*C* - Added a note that ISC DHCPd server versions less than 3.0p1 are
    vulnerable to a dynamic DNS root exploit.
    [Section 27 - DHCPd]
------------------
05/05/02
N - Consolidated the two PPTP URL sections
    [Section 5 - URLs]
N - Tuned the generate-cf script a little more
    [Section 25 - Sendmail]
------------------
05/04/02  (* Sent Update *)
N - Updated the Features section to better reflect what TrinityOS supports
    now and in the future
    [Section 3 - Features]
G - Updated the file since orbz is dead but added spamcop, dsbl, and
    osirusoft.
I - Added multiple warnings in this section to note that there are downsides
    to Anti-SPAM black lists
G - Updated the .mc-->.cf bit for better error handling and also made it a
    script called "generate-cf"
    [Section 25 - Sendmail]
------------------
05/01/02
N - Updated the Features section to ADD PPTP support and moved UPS power
    quality graphing from Future to Supported.
    [Section 3 - Features]
N - Updated to reflect the 2.2.20 and 2.4.18 kernels
    [Section 5 - URLs]
N - Added additional Search/Replace items for the new PPTP examples
    [Section 7 - Search/Replace]
G - Inserted a new section - Setting up a PPTP client on Linux and allowing
    PPTP pass-through on a MASQ server. Thanks to Luis Palacios for the
    initial basic form of this HOWTO and permission to integrate it into
    TrinityOS
    [Section 48 - PPTP]
N - Added OpenOffice, replaced Everybuddy with GAIM for a good universal IM
    client, Mozilla as a great WWW browser and good email client
    [Section 54 - Linux desktop]
N - Moved the ChangeLOG section from 55 to 100
    [Section 100 - ChangeLOG]
------------------
04/28/02
N - Updated various LDP URLs to reflect the new domain. Thanks to Dean Lewis
    for the heads up
    [Section 5]
------------------
02/07/02
G - Updated the Bind URL as there is a critical bug in 8.3.0 that 8.3.1
    fixes.
    [Section 5]
------------------
01/31/02
N - Updated the URLs for PPPd and Diald
    [Section 5]
------------------
01/29/02
I - Fixed an error in the /etc/rc.d/init.d/sshd script where it was starting
    SSHD and not SSHD2
G - Added parallel compiling for better compile times
    [Section 30]
------------------
01/26/02
N - Updated the URL for the APC Powerchute software
    [Section 5]
------------------
01/21/02
N - Updated the and scripts to v1.2 to support additional debugging and also
    changed the defaults to do more temp file cleanup.
    [Section 36]
N - Moved all ChangeLOG entries older than 11/13/01 to the archived updates
    file. The URL is at the bottom of the ChangeLOG section
    [Section 58]
------------------
01/13/02
N - Updated the versions of Sendmail to 8.12.2 and Bind to 9.2.0 and 8.3.0
    [Section 5]
N - Updated the Distro thoughts section to reflect the newest distros and
    what I think of them: Mandrake 8.1, Redhat 7.2, Slackware 8.0,
    Debian 2.2r5, Caldera 3.1, and SuSe 7.3
    [Section 6]
N - Should have been pointing users to Section 52 for thoughts on RPMs vs.
    Section 50.
N - Noted that Redhat 7.2 is not LSB compliant for the paths for Sendmail
    files (/etc/ and /etc/aliases)
G - Fixed the comments in the 8.11.x .cf configs to reflect that the
    "local-host-names" file replaced the file.
G - Added a .mc method to disable the Sendmail helpfile
  * Thanks to Chuck Hartley for the reminder and prod!
    [Section 25]
------------------
01/08/02
N - Updated the SMB workstation mount point from /tmp/smb-c to /mnt/smb-c.
    I also added an explicit step to make Samba start upon reboot (it was
    implied to reverse this from Section 8). Thanks to Robbie Read for the
    pointer.
    [Section 33]
------------------
01/05/02
N - Updated the URLs for APCUPSd
    [Section 5]
N - Noted that users can log in via SMB with different username/passwds
    than defined in the normal passwd file.
    [Section 33]
G - Kern emailed me back and is now linking to TrinityOS from his APCUPSd
    site for TrinityOS's graphing tool.
    In addition, he will be adding Battery Runtime Calibration to newer
    versions of APCUPSd!
    [Section 36]
------------------
12/30/01  (* Sent Update *)
N - Updated various versions of software, etc.
    - kernel 2.4.17
    - PPPd 2.4.1 - noted that pppd 2.4.x now supports ML/PPP
    - Bind 9.2.0
    - DHCP v3.0
    - WUFTPd 2.6.2
    - SSH 3.1.0
    - Apache 1.3.22
    - Nmap 2.54Beta30
  - Added URLs for
    - Powertweak
    - preempt 2.2.x patches
    - everybuddy
    [Section 5]
*C* - Updated the strong rc.firewall to rc.firewall-4.05-123NIC
    - OUCH! Somehow the final setting of ip_forward got set to "0" instead
      of "1". Thanks to Chris van der Merwe for catching this!
    - Added comments when a 2.4.x kernel is found that running IPCHAINS
      emulation is NOT recommended due to poor MASQ support. It is
      recommended to run a native IPTABLES ruleset under 2.4.x kernels.
    [Section 10]
G - Updated the info on the state of the PPPd dial-on-demand featureset.
    Since PPPd really does do everything that Diald does, there isn't much
    reason to use Diald anymore.
    [Section 22]
G - Updated the Diald section to reflect that I no longer recommend the use
    of Diald. I recommend using the Dial-on-demand features built into PPPd.
    If you disagree with this, please email me and I'll try to clarify my
    point.
    [Section 23]
G - Added a small addition to the Sendmail testing section to test if the
    server can accept email from a simple TELNET connection.
N - Added some extra clarification and testing procedures to the Sendmail
    backup MX section
    [Section 25]
----------------
12/22/01  (* Sent Update *)
N - Updated the versions of APCUPSd
    [Section 5]
G - Updated the UPS section
    - Cleaned up the text a bit and added comparisons between Powerchute
      and APCUPSd
    - Updated the setup of APCUPSd to reflect the new configuration and
      logging setup that was recently introduced
    - Renamed the script to
    - Added the to graph APCUPSd logs
    [Section 36]
----------------
12/21/01
G - Updated the file to update and expand the Blackhole lists to improve
    the spam blocking system.
    Thanks to Frank Pineau for the tip.
    [Section 25]
----------------
12/01/01
G - Updated the IPCHAINS ruleset to rc.firewall-4.03-123NIC
    - New version has some echo statements to let the ruleset load when DHCP
      is disabled. Thanks to Roger Farrero Tapias for this one
    - Added some comments to let people know that the lack of the "dynaddr"
      and "ipdefrag" kernel options is ok
    - Added explicit filtering of the SubSeven trojan
    [Section 10]
----------------
11/23/01
I - Fixed the perms of /bin/su to be 4750 instead of 750 as su would then
    fail since it couldn't read the shadow password file. Thanks to Julian
    Buckley for catching this.
    [Section 8]
----------------
11/11/01
I - Updated the build-it script to both increase build time and make it more
    reliable.
  - Some of the text still referred to /usr/src/ and not the newer
    /usr/src/kernel style
    [Section 14]
----------------
11/09/01
I - Updated the IPCHAINS rc.firewall to 4.02
    - Disabled external DNSd and SMTPd server options as per the default.
    - Added comments and #ed out DHCPd for eth1 (input and output)
    - Split up the SSHd and DNSd enable/disable area for eth1
    - #ed out SSHd and DNSd access (output) per the correct default
    Thanks to kent at iastate for the errata.
    [Section 10]
=== Added 11/09/01 ============================================================
11/04/01  (* Sent Update *)
*C* - Updated the versions for the kernels and warned people about all 2.4.x
    kernels less than 2.4.13 and 2.2.x kernels less than 2.2.20 for the
    symlink vulnerability
N - Updated the versions of named to 8.2.5. 8.2.3 is the minimum secure
    version
N - Added new version for the new sendmail code: 8.12.1
G - Added a URL for more DHCP info
*C* - Updated the version of SSHv1 and SSHv2
N - Updated the version of Samba to 2.2.2
    [Section 5]
G - Updated the /etc/securetty section to now support DevFS.
    [Section 8]
G - Updated the network diagram and Search/Replace table to reflect the new
    DMZ segment supported in the IPCHAINS v4.01-123nic firewall ruleset
    [Section 6]
N - Updated the stateful verbiage in the beginning of the section to mention
    that IPTABLES is Linux's stateful firewall solution.
*I* - Noted that the most secure kernel is 2.2.20.
*I* - Updated the IPCHAINS rc.firewall to 123nic-4.01f.
    * This new firewall supports 1, 2, or 3 network segments. You enable
      additional segments simply by configuring them in the header. The
      rest is all taken care of. Note that this new rc.firewall is intended
      for an external, internal, and a DMZ (802.11b wireless network) setup.
      802.11b networks are -NOT- safe and should be considered as such.
      ** P.S. I'm inclined to stick with the shell scripting for future revs
      but I have a feeling I might regret it. Thoughts anyone? Should I
      really obfuscate the learning curve of the rc.firewall with Perl or
      Python?
    * This version is my prototype architecture to split the TrinityOS
      rc.firewall into -2- files. The first file will simply be the config
      of the firewall while the other file will be the ruleset itself. So,
      when I have a new feature or bugfix, you can update the ruleset
      without changing ANY configs on your side.
    * It also recognizes 2.4.x kernels and installs the ipchains.o module if
      needed.
    [Section 10]
I - Updated the path for the kernel source from /usr/src/linux to
    /usr/src/kernel/linux. Also updated the TrinityOS-security script
    [Section 11]
I - Updated the kernel path to use /usr/src/kernel instead and updated the
    build-it script to reflect this.
    [Section 14]
G - Updated the DHCP server section to include more information; it now
    covers DHCP Relay, etc.
    [Section 27]
*C* - Updated the SSH section to both warn people about the newest
    vulnerabilities, recommend users NOT use SSHv1, and updated the docs and
    scripts to reflect the use of SSHv2 ONLY.
    [Section 30]
G - Updated the compiling of Samba to also support Windows2000 Distributed
    File Shares, etc.
    [Section 33]
G - Added a section in the DHCP client section on how to put DNS search
    lists into the /etc/resolv.conf file. Thanks to Dan Sandberg for this
    good idea.
    [Section 35]
N - Deleted empty sections (I'll get back to some of these):
      53 - Zip drive connected to the parallel port
      54 - Sound card utilities
      55 - System optimization and tuning
      56 - WWW caching proxy
      57 - Transparent WWW banner/Ad filtering
N - Started a new section called "Enabling Linux to be a good desktop OS".
    Thanks to Andy Barclay for this good idea.
    [Section 53]
----------------
10/14/01
N - Updated the IPCHAINS to 3.83e
    - Fixed a typo where I was referring to 172.19.x.x and not 172.16.x.x
      for RFC1918 private address filtering. Thanks to Barton Hodges for
      catching this.
    [Section 10]
----------------
09/13/01
N - Fixed a typo where I said a /29 netmask was
    It should be a .248
    Thanks to Josh Ward for catching this.
    [Section 24]
----------------
09/09/01
G - Added permission and group ownership changes to /bin/su
    [Section 8]
----------------
09/07/01
N - Moved the use of the firewall-confirm script (to automatically roll back
    rc.firewall rulesets in the event of an error in the ruleset) out of the
    "Future Feature" section.
    [Section 3]
N - Fixed a typo in the "How MASQ works" text where the destination IP was
    instead of
    Thanks to Jaroslaw Bruest for catching this.
    [Section 10]
----------------
09/03/01
N - Updated the versions of Bind to 8.2.4 and 9.1.3
    [Section 5]
G - Updated Section 8 to support Xinetd and cleaned up some other stuff in
    that section
N - Added an intro section on what shadow password files are
N - Deleted the 8.19 "refer to section 15 for lilo security" section
    [Section 8]
G - Fixed a typo in both the ext and int forward zone files where the backup
    NS record was an IP address and not the correct "" address.
  - Fixed a comment in the int forward zone that the MX record was saying it
    was a Secondary NS server.
  - Reordered the section a little to first TEST Bind. If things work ok,
    then enable it to load upon boot.
  - All changes are reflected in the TrinityOS-security script.
    Thanks to Robbie Read for catching these.
    [Section 24]
N - Corrected the filename and path for some users who have problems
    compiling Bind.
    [Section 25]
----------------
08/27/01
G - Updated the root-hints-update script to v2.6
    - Fixed an error where the file was missing from the "results" email.
    - The script is now deleting the "results" file and is using all
      absolute paths.
    - The script is again sending the "result" output as well.
    - Thanks to Eddie Atherton for catching this
    [Section 14]
----------------
08/26/01  (* Sent Update *)
N - Added a URL for NTP servers
N - Updated the 2.4.x kernel to 2.4.9
*C* - Noted that Sendmail 8.11.6 is the minimum secure version of Sendmail.
    [Section 5]
*C* - Noted that Sendmail 8.11.6 is the current secure version
    [Section 25]
N - Corrected and moved a URL reference from this section to Section 5.
    Thanks to Robbie Read for this one.
    [Section 26]
----------------
08/20/01
N - Updated the title of the UPS section
    [Section 5]
I - Corrected a bad file path: /etc/ to /etc/mail/
    Thanks to John C. Wojtulewicz for the good eye.
    [Section 25]
N - Updated the layout of the UPS section
G - Added the script that graphs each day's power conditions in an emailed
    .PDF
N - Added a URL of an example generate-ups-log .PDF file
    [Section 26]
----------------
08/16/01
N - Updated the URL for Psionic's Abacus tool. Thanks to Tim Barkley for the
    update.
    [Section 5]
----------------
08/09/01
G - Updated the DNS section to help 8.2.x users with compiling problems
G - Updated the root-hints-update script to be a little more verbose and
    fixed the use of a non-existent file
*C* - Added a DNS subsection that explains an odd but important corner case
    when 1) using the same domain name on both the internal and external DNS
    servers; 2) acting as secondary for other remote domains; and 3) trying
    to send email to a person at one of those remote domains. Thanks to Andy
    Barclay for helping me track this one down.
    [Section 24]
----------------
08/07/01
N - Updated the URLs for Software RAID
    [Section 5]
G - Updated the Software RAID section to reflect RAID on the 2.2.x and 2.4.x
    kernels with Auto-Detected RAID setups.
    [Section 31]
----------------
07/19/01
I - In the internal chroot DNS zone record for, there was a rogue serial
    number line in there that prevented the zone from loading. This has been
    fixed in both TrinityOS and in the archive. Thanks to Frances R. Clark
    for catching this
    [Section 24]
----------------
06/10/01  (* Sent Update *)
G - Updated the DNS section to reflect the use of the server for dig like
    the root-hints-update has had for a while. Thanks to Robbie Read for
    this one
    [Section 24]
----------------
05/28/01
*C* - Updated the DNS section to reflect the more correct zone file names:
      internal: acme123-int.comdb vs. 192.168.0.db
      external: vs.
    - Updated both of the internal and external named.conf files
    - Fixed an IP address mistake in the external reverse zone that was
      pointing to instead of
    - Also notice that I've added the following comment to the internal zone
      file:
      ;
      ; note - If you wish to directly resolve any hosts
      ; that are currently only defined in the EXTERNAL zone
      ; files (say, you MUST list them here
      ; as well since the internal zone assumes that it is
      ; authoritative for zone and thus would never
      ; contact the external server for any other
      ; queries.
    - Both internal and external forward zone files had an MX record
      pointing to a CNAME called mail. Redefined "mail" as an "A" record.
      Doh! Sorry about that!
    [Section 24]
-------------
04/06/01
N - Changed some formatting and layout
  - Removed specific Redhat version #s
  - Updated the other things available on my WWW site
    [Section 2]
N - Fixed some spelling typos
  - Removed link speed specific comments for Ethernet
  - Removed specific Bind version #s
  - Added that the Sendmail setup does backup SMTP
  - Deleted redundant "Getting DNS domains", "Fighting Spam", and "Been
    Hacked?" items
  - Deleted the old SSH comment for supporting SSH'ed X connections
  - Moved the Tripwire section to the Futures section since it hasn't been
    documented yet. I'll probably do this with AIDE anyway.
  - Removed the backup SMTP section from the Futures section (done)
  - Removed the Single NIC IPCHAINS setup from the Futures section (done)
    [Section 3]
N - Updated the kernel to 2.2.19
    [Section 4]
N - Updated the Mandrake Updates URL
  - Deleted old Redhat mirror URLs
  - Updated the 2.2.x kernel to 2.2.19
  - Reversed the order of the noted kernels and added 2.4.x kernels
    [Section 5]
---------------
03/09/01  (* Sent Update *)
I - DohDoh! Actually removed the # typo from the rc.firewall errata shown on
    03/07/01.
    [Section 10]
G - For some reason, when I did the DNS updates, I was thinking Bind was at
    version 8.9.3 (thinking Sendmail) instead of 8.2.3.
    [Section 24]
----------------
03/07/01  (* Sent Update *)
I - Doh! Updated all the TrinityOS-security.tgz URLs to point to .tar.gz
    files.
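The "MX pointing at a CNAME" mistake recorded in the 05/28/01 entry, and the NS-record fixes of 09/03/01, are the kind of thing a zone file check should catch before named ever loads the zone (RFC 2181 forbids CNAME targets for MX and NS data, and resolvers and MTAs handle it inconsistently). The awk-based checker below is an added example, not a TrinityOS script. It assumes a conventional BIND zone file: one record per line apart from the parenthesised SOA, names relative to the origin given on the command line, and an optional class/TTL before the record type. It flags every MX and NS target that is a CNAME owner in the same file; the zone in the usage note and the acme123.com names are constructed placeholders.

```sh
#!/bin/sh
# Added example, not a TrinityOS script: report MX/NS records whose target
# is defined as a CNAME in the same zone file. Exit status 1 if any found.
#
# zone_mx_cname_check ZONEFILE ORIGIN   (ORIGIN without trailing dot)
zone_mx_cname_check() {
    awk -v origin="$2" '
    # Normalise an owner/target name to an FQDN with a trailing dot so
    # "mail", "mail.acme123.com." and "@" compare correctly.
    function fqdn(n) {
        if (n == "@") return origin "."
        if (n ~ /\.$/) return n
        return n "." origin "."
    }
    /^\$/ { next }                          # $TTL, $ORIGIN, $INCLUDE
    {
        sub(/;.*$/, "")                     # strip trailing comment
        if (NF == 0) next
        if ($0 ~ /^[ \t]/) { owner = last; start = 1 }   # continuation: same owner
        else               { owner = $1; last = $1; start = 2 }
        type = ""; ti = 0
        for (i = start; i <= NF; i++)       # skip class/TTL, find the record type
            if ($i ~ /^(A|AAAA|CNAME|MX|NS|PTR|SOA|TXT)$/) { type = $i; ti = i; break }
        if (type == "CNAME") {
            cname[fqdn(owner)] = 1
        } else if (type == "MX" && ti + 2 <= NF) {      # MX <pref> <target>
            rec[++n] = owner " MX " $(ti+1) " " $(ti+2); tgt[n] = $(ti+2)
        } else if (type == "NS" && ti + 1 <= NF) {      # NS <target>
            rec[++n] = owner " NS " $(ti+1); tgt[n] = $(ti+1)
        }
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++)
            if (fqdn(tgt[i]) in cname) {
                print "BAD: " rec[i] " -> " tgt[i] " is a CNAME, must be an A record"
                bad = 1
            }
        exit bad
    }' "$1"
}

# Usage (placeholder path):
#   zone_mx_cname_check /chroot/dns-int/var/named/acme123-int.com.db acme123.com || exit 1
```

Run it from the same wrapper that does `named-checkzone` or the "TEST Bind first, then enable at boot" step of the 09/03/01 entry; a non-zero exit should stop the zone from being installed. It only sees CNAMEs in the one file, so an MX target that is a CNAME in some other zone still needs an actual lookup.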
  - Thanks to Mark Rushing for catching this
N - Moved all ChangeLOG updates older than 10/15/01 to the
    TrinityOS-old-updates.wri file
N - Moved all IPCHAINS rc.firewall errata older than 3.72 to the
    TrinityOS-old-updates.wri file
G - Updated the ISC Bind versions and URLs
    [Section 5]
I - Updated the IPCHAINS rc.firewall ruleset to 3.83d
    # - Fixed a typo (stray #) where the RFC1918
    #   10.x.x.x network was NOT being filtered in
    #   the OUTPUT section
    [Section 10]
G - Updated the DNS section to include CHROOTed and Split Bind 9.1.0
  - Updated the intro text for Section 24 for clarity, cleaned up some
    formatting issues, removed pricing info for registering domain names
    (I've seen registrars offering from $14.95 to $45/yr).
  - Added additional methods on how to figure out what version of Bind is
    running
  - Updated the minimum secure version of Bind to 8.2.3
  - Removed ALL older BIND information to the TrinityOS-old-configs.txt
    files
  - Changed from explicitly moving the named and named-xfer binaries into
    the CHROOTed jails to copying named*. The reason for this is that
    named-xfer no longer exists in Bind9 but there are two new files. This
    way is a little more generic.
  - One of the changes from Bind8 to Bind9 is that the TYPE record in the
    named.conf file must now be the FIRST line.
  - Changed the filename 192.168.0.db to be since it really was a FORWARD
    zone file and not a reverse
  * Updated the TrinityOS-security script to reflect all of these changes
    as well as cleaned up the chapter numbers, etc.
    [Section 24]
------------
03/06/01
  - Moved all IPCHAINS rc.firewall Changelogs to the
    TrinityOS-old-updates.wri file
------------
# v3.72 - 10/07/00
# - Added some more descriptions to the OUTPUT filter section for trojans.
# - I updated some of the existing OUTPUT trojan filters and also added a
#   filter for Eggdrop and MySQL connections to the Inet
# - Added a master URL for a complete listing of known Trojan ports
# - Added some comments to the DHCP rules where some distros do NOT allow
#   for TCP-based DHCP
# - Reversed the RESERVED-192 and RESERVED-2 IANA filters since
#   is using this domain space.
# - Added commented support for an IRC server
# - Finally fixed (re-enabled) the Reserved-7 IANA ruleset in both the
#   INPUT and OUTPUT rules that was blocking the 64.x.x.x network due
#   to a faulty /3 netmask
#
# v3.71 - 09/10/00
# - Added an SMB/CIFS rule to block port 137 UDP traffic in both the INPUT
#   and OUTPUT rules
# - Deleted a commented option to list the deleted SECONDARYDNS variable
# - Added a comment to the LooseUDP section to note that some distros like
#   TurboLinux delete this option from their kernel
# - Had to disable the BLACKHOLE3 filter since though the Internic shows
#   it as reserved, is actually in that reserved space!
# - Added a comment why Reserved-7 is disabled (the /3 includes the
#   commonly used 64.x.x.x network)
# - Added an excellent URL to the comments section of the Advanced ICMP
#   section
# - Reordered, enhanced, added logging, and enabled some Advanced ICMP
#   filters in both the INPUT and OUTPUT sections
# - Did some reformatting of the ruleset for more readability
# - Added another note to the RFC1918 section regarding some specific
#   ISPs using private addressing space, etc.
# - Added a test to make sure that the $EXTIF is up before running the
#   firewall.
#   Thanks to for the recommendation
# - Added a commented INPUT and OUTPUT section for Internet-wide HTTPS
# - Deleted some duplicate SMB/CIFS output rules and added some explicit
#   INPUT and OUTPUT UDP rules for SMB/CIFS
#
# v3.70 - 07/12/00
# - Added converse rules for IDENT in the INPUT and OUTPUT sections for
#   better documentation and updated the OUTPUT section description of AUTH
#
# - Deleted the SECONDARYDNS variable from the firewall rule set as it did
#   nothing nor could it since both TCP and UDP DNS traffic must be wide
#   open to the world anyway.
#
# - Added several new /proc terms to secure or ensure settings are set:
#   - Added TCPSYN checking
#   - Added Sanity ICMP filters for
#     - ICMP broadcasts
#     - ICMP bad error packets
#     - ICMP redirects
#   - Added Sanity filters for source-routing and spoofed packets
#   - Added explicit but disabled-by-default filters for different types
#     of ICMP traffic to both the INPUT and OUTPUT sections
#
# - Cleaned up the DHCP / PUMP issue description section a little
#
# - The rc.firewall ruleset has been manually aligned with the
#   TrinityOS-archive rc.firewall ruleset for the last time. The
#   TrinityOS-archive file is now parsed directly out of the SGML text to
#   ensure a perfect copy.
#
#   Sorry for any previous differences between the two files.
#
# - Added a disabled OUTPUT section to support APC Powerchute for Linux
#
# - Added the new top banner to the rc.firewall file and added a top
#   section for the end user's personal notations and version changes
#
# - Added a disabled option for the ICQ MASQ module
#
# - For some reason, SMTP OUTPUT on the EXTERNAL interface was enabled
#   by default. This is now DISABLED by default.
#
# - Put #s in front of the SECUREHOST OUTPUT echo statements though the
#   IPCHAINS statements were already disabled.
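The /proc "sanity" settings listed under v3.70 (SYN cookies, ICMP broadcast, bogus-error and redirect handling, source-route and spoof filtering) and the v3.71 "$EXTIF is up" test, written out as an added shell helper. This is not the TrinityOS rc.firewall or an excerpt of it; the knob names are the /proc/sys/net/ipv4 paths of current Linux kernels (an assumption about the kernel in use), and PROC_BASE and the sysfs root are parameters so the functions can be dry-run against a scratch directory without root.

```sh
#!/bin/sh
# Added example, not the TrinityOS rc.firewall: apply and re-check the
# kernel sanity knobs, and test that the external interface exists and is
# up before a ruleset that names it is loaded. Assumes Linux /proc/sys and
# /sys/class/net layouts; both roots are overridable for testing.

PROC_BASE=${PROC_BASE:-/proc/sys}

# knob=value, one per line. conf/all covers every interface, present and future.
SANITY_SETTINGS='
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
'

# apply_sanity [BASE]: write every knob. Returns 1 if any is missing or
# unwritable (compiled out of the kernel, or not running as root) but still
# applies the rest, so one absent option does not skip all the others.
apply_sanity() {
    base=${1:-$PROC_BASE}; rc=0
    for kv in $SANITY_SETTINGS; do
        key=${kv%%=*}; val=${kv#*=}
        if [ -w "$base/$key" ]; then
            echo "$val" > "$base/$key"
        else
            echo "apply_sanity: cannot write $base/$key" >&2; rc=1
        fi
    done
    return $rc
}

# check_sanity [BASE]: re-read every knob and report drift. DHCP clients
# and distro init scripts reset some of these, so run this from cron too.
check_sanity() {
    base=${1:-$PROC_BASE}; rc=0
    for kv in $SANITY_SETTINGS; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(cat "$base/$key" 2>/dev/null) || have=""
        if [ "$have" != "$want" ]; then
            echo "check_sanity: $key is '${have:-<unreadable>}', want $want" >&2; rc=1
        fi
    done
    return $rc
}

# iface_is_up IFACE [SYSFS_NET]: the $EXTIF test. Reads the IFF_UP bit (0x1)
# from sysfs instead of parsing ifconfig output; returns 1 if the interface
# does not exist or is administratively down.
iface_is_up() {
    flags=$(cat "${2:-/sys/class/net}/$1/flags" 2>/dev/null) || return 1
    [ -n "$flags" ] && [ $((flags & 1)) -eq 1 ]
}

# Typical use at the top of a firewall script (EXTIF is a placeholder):
#   iface_is_up "$EXTIF" || { echo "$EXTIF is down, not loading rules" >&2; exit 1; }
#   apply_sanity || echo "some sanity knobs could not be set" >&2
```

Setting the knobs once at boot is not enough on its own; check_sanity is the part that tells you when something (a DHCP hook, a distro's network script) has quietly turned rp_filter or accept_redirects back off.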
# -----------------
02/18/01
I - Made another fix to the root-hints-update script
    # v2.4 - Updated the dig info lookup from
    #        to
    [Section 24]
----------------
02/14/01
G - Made some fixes to the root-hints-update script for DNS:
    # v2.3 - Updated the initial CD into one of the real
    #        CHROOTed dirs vs. /var/named. The old script
    #        was also leaving a stray NEW file in the EXT
    #        directory. Because of all this, the email
    #        notification would show an old root.hints
    #        file though DNS would have the correct
    #        updated file. Thanks to Jehan Bing for this errata.
N - Moved the root-hints-update script over to the automatic extraction from
    HTML (no more manual file syncing)
    [Section 24]
----------------
02/10/01  (* Sent Update *)
N - Cleaned up some formatting issues
N - Updated Section 4 to reflect the current hardware I'm running
    [Section 4]
G - Updated several URLs and version numbers:
    - Updated the 2.0.x URL to 2.0.39
    - Updated the 2.2.x URL to 2.2.18
    - Updated the URLs to reflect the 2.4.x kernels
    - Updated the PPPd URL to 2.3.11
    - Updated the Bind URL to 8.2.3
    - Updated the Sendmail URL to 8.11.2
*C* - Updated the SSH URLs to 1.2.31 and 2.4.0
    * Please note that SSH v1.2.31 still has a critical exploitable bug. The
      fix has not been posted yet to
      I will soon post installation instructions for OpenSSH to avoid these
      technical and new licensing issues (SSHv1 from is no longer free to
      everyone)
    [Section 5]
------------
01/28/01
N - Updated the /etc/rc.d/init.d/named startup script
    # 01/28/01 - Added a few CR-LFs to clean up the output
    #            between starting the internal and external
    #            zones
    [Section 24]
-----------------
01/27/01
G - Updated the IPCHAINS firewall
    # v3.83c - 01/27/01
    # - Fixed a wrong output netmask for NET-TEST-B being
    #   a /12 instead of a /16. But, this really doesn't
    #   matter as I have disabled the filtering of reserved
    #   IP space as ARIN constantly is releasing this
    #   address space to the public without any form of
    #   notification.
    #   See the update for v3.83a
    #   Thanks to Keith Mitchell for this one.
    [Section 10]
----------------
01/06/01
G - Updated the Sendlogs script a bit:
    - Fixed some formatting issues and moved it over to make the .sgml code
      the primary source for the script vs. two separate copies
    - Added --MARK-- filtering
    - Made the output prettier
    - Cleaned up the error reports in the SUID and RCMD searches
    - Added an lsof log entry
    - Added a #ed out section to DD one HD to another as a backup
    [Section 9]
----------------
12/31/00
G - Changed the versioning mechanism of TrinityOS. The new system no longer
    includes the published date of TrinityOS in the actual filename of each
    file (i.e. TrinityOS-122100-c-1.html). I did this because the dates were
    hosing search engines since once I would push out a new update, it would
    invalidate all of the various search engines' links due to the change in
    date.
N - Updated the IPCHAINS firewall
    - Added a missing .0 to the 72.0.0 networks in the Reserved-7 filters.
      Thanks to Michael Briegl for this one.
    [Section 10]
N - Fixed a spelling error in the title of Chapter 29
    [Section 29]
----------------
11/11/00
G - Changed all the archives on the WWW site from .tgz to .tar.gz to fix the
    corrupted file issue that people are complaining about. Basically, the
    issue is that the WWW server has the wrong MIME type for .tgz files.
    I've tried to get them to fix this without results so I'll just use this
    workaround.
N - Added links to IPROUTE2 code and documentation
N - Also cleaned up the indentation of the 2.0.x URLs
    [Section 5]
N - Fixed two typos where I was restarting syslogd instead of inetd. Thanks
    to Jason Ramey for the sharp eye
    [Section 8]
G - Fixed a BASH version issue for the deletion of the .bash_history file.
    The new syntax is
        trap "rm -f ~$LOGNAME/.bash_history" 0
    instead of the older KSH-style of
        trap 0 rm -f ~$LOGNAME/.bash_history
    Thanks to Jason Schadel for reporting this.
            [Section 9]
N           - Fixed an echo typo in the /etc/rc.d/init.d/firewall script
              where I was setting the default policy to REJECT but the
              echo statement said ACCEPT.
            - Also added a "mlist" option to display current MASQ
              entries.  Thanks to Brandon Keirns for catching this
            [Section 10]
N           Fixed a typo where I was touching a "var/adm/messages" file
            for Redhat instead of /var/log/messages.  Thanks to Jason
            Schadel for reporting this.
            [Section 19]
----------------
I 11/09/00  Updated the IPCHAINS ruleset again and ripped out all the
            Non-RFC1918 filtered addresses.  I guess it was my mistake
            to believe IANA that addresses were reserved when things
            like 65.x.x.x are used by MediaONE, etc.  Sorry peoples..
            my mistake.
            [Section 10]
I           - Updated the firewall-confirm script
              # 11/09/00 - The initial release was the wrong version.  Ack!
              #            This updated version includes a critical check
              #            for /tmp/fwok.  This version includes a 30
              #            second screen timer.
              #            Please upgrade!
              Thanks to Ryan Snodgrass for catching this
              I have also updated the TrinityOS-security script to
              reflect this.
            [Section 10]
N           Moved all old ChangeLOG entries dated 07/14/00 and older to
            the TrinityOS-old-updates.wri file.
N           I also cleaned up some formatting issues in the existing
            ChangeLOG entries.
            [Section 58]
------------------
N 10/28/00  - Updated the IPCHAINS firewall to v3.82
              # Updated the Xwindows filtering from ports 6000-6010
              # to 6000-6063.  Thanks to John Soltow for this one.
            [Section 10]
N           - Fixed the text for the firewall-confirm script that should
              reference /tmp/fwok and not /tmp/ok
              Thanks to Xavier for this one.
            [Section 10]
-------------------
N 10/15/00  - Updated some of the URLs
* Sent Update *
            [Section 5]
*C*         - Updated the IPCHAINS firewall to v3.81
              # v3.81 - 10/15/00
              # - Crap!  Last subnet error in the Reserved-8 IANA
              #   section.  Please change the subnet mask on
              #   to a /6!
            [Section 10]
-----------------
N 10/13/00  - Added Ofir Arkin's paper on ICMP protocol fingerprinting
* Sent to the main list Update *
            - Updated the URL for mkisofs
            - Added a URL for a kernel-based PPPoE client
            [Section 5]
N           - Fixed an inetd description that said "swat" was for Apache
              when it is really for Samba.  Thanks to Stephen Lawrence
              for this one.
            [Section 8]
G           - Changed the version to v3.80 since all of these changes are
              VERY significant.
G           - Cleaned up and added some additional verbiage to the
              firewall section to help users troubleshoot connectivity
              problems.
G           - Added a little section to help the Linux newbies enable
              PORTFW access from within the TrinityOS rc.firewall ruleset.
            [Section 10]
I           - Fixed a named.conf problem in chroot-dns-int where the
              internal zone was called "192.168.0" and NOT
              This would cause forward lookups to fail but reverses to
              work.
G           - Also added an MX record in to the internal zone to fix
              some issues.  Thanks to Jeff Robinson for the help on this
              one.
            - Updated the TrinityOS-security script to reflect this
            [Section 24]
G           - Cleaned up a lot of grammar, etc. issues
            - Updated the REMOVE URL for Scour
              Thanks to Kenneth Porter for this one.
            [Section 49]
-----------------
N 10/08/00  - Added to the Future Feature section to support smrsh for
              Sendmail
            [Section 3]
N           - Updated the PCMCIA URL
            - Added a new Master NAT URL that covers not only Linux but
              other operating systems as well
            - Rearranged the various Security URLs into one section
            - Added URL to the IDS list
            - Added URL to the Resources list
            - Added URL to the PGP Resource list
            [Section 5]
N           - Updated the blurb on TurboLinux
            [Section 6]
N           - Fixed a formatting typo in the System Search/Replace section
            [Section 7]
N           - Added additional BIOS keystrokes for various BIOSes
N           - Added SysV init level permutations for SuSe in addition to
              Redhat
            [Section 8]
G           - Added documentation on how to interpret various expected and
              non-expected log messages from the Sendlogs script for SUID,
              RCMD, and RPM output.
            [Section 9]
I           - Updated the v3.72 IPCHAINS firewall
              # - Reversed the RESERVED-192 and RESERVED-2 IANA filters
              #   since is using this domain space.
              Thanks to for catching this one
I             # - Finally fixed (re-enabled) the Reserved-7 IANA
              #   ruleset in both the INPUT and OUTPUT rules that was
              #   blocking the 64.x.x.x network due to a faulty /3 netmask
G           - Added comments to support TurboLinux in the
              /etc/rc.d/init.d/firewall script.
I           - Changed the /etc/rc.d/init.d/firewall script for the STOP
              option from ACCEPT to REJECT
*C*         - Added a new script called "firewall-confirmed" that allows
              users to safely implement new rc.firewall rulesets from a
              remote system w/o possibly taking their machine offline due
              to an error or typo in their rc.firewall file.  This new
              script was also added to the TrinityOS-security script
            [Section 10]
N           - Changed the title of this Subsection to reflect that it has
              more to do with Kernel compiling.
I           - Added a URL to this section that discusses some controversy
              if new kernel sources should be in /usr/src/linux or not.
              Check it out.. it's a good read.  Thanks to Aran Cox for
              the URL
            [Section 11]
G           - Expanded the section on the various methods to configuring a
              kernel.  I also added a section on how to use "make
              oldconfig" when upgrading kernels.
            [Section 12]
G           - Added a reference to the Sendmail section and Updated the
              mail Aliases section to reflect the new Sendmail paths.
            [Section 18]
G           - Added configs to verify Sendmail's 8.11.x file and path perms
            - Noted that some aspects of compiling Sendmail have now changed
            - Added recommendations to move the new Sendmail documentation
              to the proper place
            - Added a comment to tell users where to find more information
              on the various options used in the file
            - Added some missing zone file serial numbers
            - The SMTP option now needs to be before the PROCMAIL option in
              the file
            - Updated the UUCP section to reflect the new syntax
            - Added a testing section to verify that Blackhole SPAM
              filtering is working properly
            - Added a hint on how to compile Sendmail to hide all version
              numbers
            - Added an additional troubleshooting section for specific
              Sendmail log errors
            [Section 25]
G           - Chapterized this section
            - Added support for TurboLinux
            [Section 27]
G           - Fixed a typo in the NFS section for the /etc/exports file
              where it should be "no_root_squash" and NOT "no-root_squash"
            [Section 40]
N           - Updated the "Moving ISPs" section to note that Section 25 now
              supports the configuration of backup SMTP servers.
            [Section 51]
            Thanks to Harold Bower for his TurboLinux contributions
----------------
I 10/07/00  - Vastly updated and improved the TrinityOS-security script
N           - Added the future feature to include instructions for
              compiling Xntp.
            [Section 3]
N           - Updated the distro section to note that apt is NOT a new
              version of dpkg.  I also added a few more comments on the
              cool dependency power in dpkg.  Thanks to Marcello Nuccio
              for catching this.
            [Section 6]
G           - Added the recommendation to disable the Interactive INIT
              script for newer Redhat and Mandrakes.
            - Fixed a typo where there was a missing space when moving the
              tetex.cron job.  Thanks to Jens Braeuer for catching this.
            [Section 8]
G           - Updated the IPCHAINS firewall to v3.72
              # - Added some more descriptions to the OUTPUT filter
              #   section for trojans.
              # - I updated some of the existing OUTPUT trojan filters
              #   and also added a filter for Eggdrop and MySQL connections
              #   to the Inet
              # - Added a master URL for a complete listing of known
              #   Trojan ports
              # - Added some comments to the DHCP rules where some
              #   distros do NOT allow for TCP-based DHCP
              # - Added commented support for an IRC server
              Thanks to Dennis Derks for the MySQL and Eggdrop filters.
              Thanks to Harondel Sibble for the trojan URL.
              Thanks to Harold Bower for some typo and spelling fixes.
I           - Added a note that starting with Mandrake 7.0 and probably
              Redhat 6.2, if it exists, /etc/rc.d/rc.firewall will be
              executed from /etc/rc.d/rc.sysinit.  It is recommended to
              edit that file and # out that code.
            [Section 10]
G           - Added a comment that DHCP users will NOT get the TCP Window
              optimizations as described in this section.  The reason is
              that most DHCP clients don't support advanced features like
              this.  If you know of a good way to solve this, I'd like to
              hear from you.
            [Section 16]
G           - Updated the /etc/rc.d/init.d/named script to individually
              start/stop the internal or external DNS servers.  I also
              added this script to the TrinityOS-archive script.
I           - Doh!  Finally added the $TTL timeout to all the various zone
              files in both TrinityOS and the TrinityOS-security script.
            [Section 24]
G           - Updated the Sendmail section to reflect 8.11.x and cleaned
              things up
N           - Chapterized section 25
N           - Retired the old 8.8.x configs to a new TrinityOS-Retired
              document
I           - Added a new config section for sendmail 8.11.x
G           - Part of the 8.10/8.11 confs, I added the "access_db" and
              "relay_mail_from" features to support backup SMTP features
G           - Added a redhat way to determine the Sendmail version
N           - Added a small table to describe the various Sendmail config
              changes over the various 8.8/8.9/8.11 versions
I           - The "rbl" feature tag has been replaced with the "dnsbl" tag
G           - Added the Feature(relay_mail_from) to support backup SMTP for
              remote domains where the remote user is NOT locally defined
G           - Updated the TrinityOS-security script to reflect these
              changes
              Thanks to Andy Barclay for the heads up on the
              "relay_mail_from" issue
            [Section 25]
N           - Updated the NTP section a little, cleaned it up, and added a
              note for Redhat users to edit the /etc/sysconfig/ntp option
              for setting the Timezone.
            [Section 26]
I           - The "option hostname" line in /etc/dhcpd.conf is no longer
              valid in newer versions of dhcpd.  This was also fixed in the
              TrinityOS-security script
            [Section 27]
G           - Doh!  I totally forgot to setup HDPARM to save and restore
              its settings over a HD reset or reboot.  Thanks to Martin
              Steldinger for catching this.
            [Section 48]
----------------
N 09/16/00  - Updated the IPCHAINS v3.71 rules
              # - Deleted some duplicate SMB/CIFS output rules and
              #   added some explicit INPUT and OUTPUT UDP rules for
              #   SMB/CIFS
            [Section 10]
----------------
G 09/10/00  - Moved the deletion of .bash_history from Section 52
            - Added this to the TrinityOS Archive
            [Section 9]
N           - Added a detailed explanation of how IP Masq WORKS in the
              intro section
            - Updated the IPCHAINS firewall to include #ed out options for
              secure HTTP (HTTPS) server connections
            [Section 10]
N           - Added a small PPPd pros/cons comparison section for the PPP
              vs. Diald's Dial-on-Demand features.
            [Section 22]
G           - Updated the DNS section
N           - Added a version number comment to all the zone files (v1.0.1)
G           - Added an "allow-transfer" and "allow-query" statement to the
              192.168.0 zone file.
G           - Added the "cleaning-interval" option to the external zone to
              make cache entries last longer
I           - appending the domain to the INTERNAL PTR record.
            - Added all these changes to the TrinityOS archive
            [Section 24]
N           - Added several subsection markers to the SSH chapter to make
              it easier to navigate
            [Section 30]
I           - Fixed an incorrect symbolic link
                ln -s /etc/rc.d/init.d/firewall /etc/dhcpc/dhcpcd-*EXTIF*.exe
              to
                ln -s /etc/rc.d/rc.firewall /etc/dhcpc/dhcpcd-*EXTIF*.exe
            [Section 35]
------------
G 09/02/00  - Updated the v3.71 IPCHAINS ruleset
              # A continuation of v3.71
              # - Added an excellent URL to the comments section of the
              #   Advanced ICMP section
              # - Reordered, enhanced, added logging, and enabled some
              #   Advanced ICMP filters in both the INPUT and OUTPUT
              #   sections
              # - Did some reformatting of the ruleset for more
              #   readability
            [Section 10]
------------
G 08/17/00  - Changed both TrinityOS and the root-hints script to get the
              newest root servers list from instead of the now defunct
            [Section 24]
------------
G 08/12/00  - Updated the IPCHAINS ruleset to v3.71
              # v3.71 - 08/12/00
              # - Add a SMB/CIFS rule to block port 137 UDP traffic in
              #   both the INPUT and OUTPUT rules
              # - Deleted a commented option to list the deleted
              #   SECONDARYDNS variable
              # - Added a comment to the LooseUDP section to note that
              #   some distros like TurboLinux delete this option from
              #   their kernel
              # - Had to disable the BLACKHOLE3 IANA filter since
              #   though the Internic shows it as reserved,
              #   is actually in that reserved space!
              # - Added a comment why Reserved-7 is disabled (the /3
              #   includes the commonly used 64.x.x.x network)
              Thanks to for these comments.
            [Section 10]
N 07/23/00  - Fixed a few spelling errors, etc. in the doc.
              Thanks to "Kenneth Porter" for the help
N           - Just noticed that I never had an abstract at the very
              beginning of TrinityOS!
            [INDEX]
N           - Deleted the "How to compile BIND/Named" Future Feature and
              significantly rearranged, added, and deleted some
              bulletpoints on what TrinityOS has to offer
            [Section 3]
N           - Added a URL to the Nessus security toolkit
            [Section 5]
G           - Updated the SSH version from ssh-1.2.27 and ssh-2.0.13 to
              1.2.30 and 2.2.0
            [Section 5]
G           - Added the addition of an environment var in /etc/bashrc to
              make all C compiles use colorgcc to make compiling things a
              little more obvious.
            [Section 8]
N           - Updated the DNS section label to: "DNS: Acquiring and
              configuring a CHROOTed and SPLIT master/slave DNS servers"
N           - Reorganized the BIND section a little
G           - Added instructions on how to compile up BIND (DNS)
I           - Sigh.. Fixed another UID creation bug of the chroot-dns-int
              user.  It was "useradd -u 120 -g 121 chroot-dns-int" and
              should have been "useradd -u 121 -g 121 chroot-dns-int"
            [Section 24]
N           - Updated the SSH section to reflect the newer versions of SSH
            [Section 30]
----------------
N 11/09/00  Moved all IPCHAINS rc.firewall change logs from v.3.60 and
            older to here

# v3.60 - 07/03/00
# - Noted that all kernels less than 2.2.16 have a TCP exploit with tools
#   like Sendmail
#
# - As of kernel 2.2.16, LooseUDP is now DISABLED by default.  I have
#   explicitly DISABLED LooseUDP in the final section of the firewall rule
#   set.  Only gamers need the functionality and it can create an added
#   internal port scanning vulnerability.
#
# - Added port 445 for Windows2000 CIFS / SMB filtering for both INPUT
#   and OUTPUT.  Also enhanced the informational section to explain what
#   each port does
# - Added EXTENSIVE INPUT and OUTPUT filters for the IANA reserved TCP/IP
#   addressing scheme
#
# - Noted that newer versions of pump now support the execution of script
#   upon lease bringup, renew, etc.
#
# - Added explicit though disabled Multicast filtering on the external
#   interface per many users' requests.
#
# - Fixed some spelling errors
#
# - Replaced the EXTIP and EXTBROAD scripts with ones that required only
#   two programs instead of four to make things faster.
#
# v3.59 - 05/28/00
# - Fixed an error for the Squid re-direction where all destination traffic
#   was going to BROADCAST instead of INTLAN.
#   Thanks to for catching this.
#
# - Fixed an error where global SMTP allows on all interfaces were actually
#   limited to the EXTIP address.  This should have been UNIVERSE.
#
# - Fixed a typo where the AOL filtering example had the SMTP port in
#   destination and not the source address field.
#   Thanks to for these two reports.
#
# v3.58 - 04/15/00
# - Fixed a pretty serious issue if you were trying to enable the explicit
#   input filters for things like DoubleClick, etc.  Basically, I was
#   allowing all internal traffic to get to the Internet before these
#   firewall rules were being inspected.  I have now moved the ALLOW ALL
#   internal firewall rule sets toward the end of the INPUT section.
#   Thanks to for catching this!
#
# v3.57 - 04/09/00
# - Added some spaces in front of the word "Optional" for prettier
#   output upon loading.
# - I've rearranged the enabling of FORWARDING -before- the enabling
#   of MASQUERADING since IPCHAINS complains.
# - As of 2.2.12, the IP_ALWAYS_DEFRAG option has been omitted and is now
#   a /proc configured option.  I have now added this to the FORWARD
#   section.
# - Added an echo statement and additional SILENT blocking statements for
#   SMB traffic on the external interface
#
# v3.56 - 04/08/00
# - Added the /sbin path to the commented IPCHAINS lines for setting the
#   TOS bits.
#
# v3.55 - 03/26/00
# - Grrr.. reversed the DHCPcd issue since the /etc/dhcpc/dhcpcd-INT.exe
#   script will NOT execute if the IP address hasn't changed from the one
#   before reboot.
#   I have deleted some of the commented text from the
#   EXTIP section.  Please see the TrinityOS errata section for more
#   details.
#
# v3.54 - 03/25/00
# - Added filters for the new Shaft DDoS tools
#
# v3.53 - 03/19/00
# - Hopefully caught the last DHCP issue.  I've added in the comments
#   that users who need to use DHCP on their external interface SHOULD
#   not enable nor use the /etc/rc.d/init.d/firewall script.  The reason
#   for this is that the DHCP program will run both the
#   /etc/dhcpcd/dhcpcd-ethX.exe and the /etc/rc.d/rc.firewall.  This
#   will completely hose the loaded firewall rule sets.  I have noted this
#   in the EXTIP section's comments.
#
# v3.52 - 03/18/00
# - Finally found a 100% solution for DHCPcd users out there that
#   get DHCP'ed IP addresses on their external INTERFACE.  Changes
#   in the firewall rule set are only comments in the top sections
#   regarding DHCPcd but please see the DHCPcd section in TrinityOS
#   for full details.
#
# - Moved the PORTFW variable to be below the SECUREHOST section
#   for clarity.
#
# - Added some comments for PORTFW users on how to allow portfw access
#   to explicit hosts and/or networks.
#
# - Added two more PORTFWIP variables to the IPCHAINS rule set
#
# - Moved the PORTFW section from the INPUT section to the FORWARDing
#   section for better clarity
#
# - Added a section in the general INPUT section for Squid w/ JunkBuster.
#
# - Expanded on the DoubleClick filtering example with network numbers from
#
#
# v3.51 - 03/05/00
# - Removed a duplicate input filter for spoofed packets, etc.
#   Interestingly enough, trinityos.wri didn't have the duped line.
#   Thanks to for the sharp eye.
#
# - Added a new INPUT section to filter out ANY requests for
#   specific sites (a form of Net-Nanny, etc).  You would use these
#   filters to block access to given sites.
#   I've explicitly shown disabled examples for and
#
# v3.50 - 02/26/00
# - Fixed a minor error in the commented Diald line where the $INTLAN
#   variable needed to have the extra "/24" deleted.  Thanks to
#   for reporting this.
#
---------------
==============================================================================
N 11/09/00  Moved all ChangeLOG entries dated 07/14/00 and older to the
G 07/14/00  - Sent out a notification to the people on the Updates list.
* Sent Update *
N           - Moved all ChangeLOGS dated 04/09/00 and older to the archives
-----------------
N 07/09/00  - In the spirit of automating the building of the TrinityOS
              docs, I have added the and tags to the strong IPCHAINS
              rule set so that I can have a single place for the
              maintenance of the rule set.  Now I don't have to manually
              maintain and update the ruleset in both TrinityOS and in the
              TrinityOS-archive.  Sorry for any previous differences
              between the two files.  Thanks to Ken Kellam for the Perl
              code to do this.
            [Section 10]
----------------
N 07/06/00  - Merged over the ICMP and /proc changes to the rc.firewall
              archive
----------------
N 07/05/00  Fixed many spelling errors and downright English mistakes
            throughout the document:
              explict      --> explicit
              implict      --> implicit
              enviroment   --> environment
              vunerable    --> vulnerable
              ruleset      --> rule set
              i.e.         --> e.g.
              maintinance  --> maintenance
              portscan     --> port scan
              powerdown    --> power down
              cablemodem   --> cable modem
              impliment    --> implement
              distro       --> distribution
              etc          --> etc.
              taylor       --> tailor
              enduser      --> end user
              thats        --> that's
              immeadiately --> immediately
              occured      --> occurred
              goto         --> go to
            Removed the poor usage of too many ".."
            THANKS to "Roberts, Mike" for all these.  Better late than
            never eh Mike?
I           Wow!  It looks like some URLs fell through the SGML conversion
            crack!
I           Missing URLs included: MLPPP, PPPoE, PPTP, and Netscape.
N           I also updated the version numbers for Sendmail (8.9.3 to
            8.10.2) and Wu-FTPd (2.6.0 to 2.6.1).
G           Finally, I also added URLs for OpenSSH, APC's Powerchute for
            Linux, and ViperDB (Tripwire clone).
            [Section 5]
N           Updated the fact that I now currently use both Mandrake 6.1
            and 7.0
            [Section 6]
G           Added to the TCP Wrappers section how to support advanced
            logging and sending text banners to remote clients.  A belated
            thanks to for this one.
            [Section 8]
I           Updated the IPCHAINS rc.firewall to v3.70 to reflect all the
            previous significant but unpublished changes and also the
            following:
G           - Updated the rc.firewall to use newer methods to get the
              EXTIP and EXTBROAD addresses using two programs instead of
              four.  Thanks to "John E. Christ III" for this one.
N           - Fixed a spelling error of internface --> interface in the
              SMB section
G           - Added additional explicit ACCEPT traffic for IDENT traffic
              in the INPUT and OUTPUT sections
N           - Deleted the SECONDARYDNS variable from the firewall rule set
              as it did nothing nor could it since both TCP and UDP DNS
              traffic must be wide open to the world anyway.
G           - Added several new /proc terms to secure or ensure settings
              are set:
              - Added TCPSYN checking
              - Added Sanity ICMP filters for
                - ICMP broadcasts
                - ICMP bad error packet
                - ICMP redirects
              - Added Sanity filters for source-routing and spoofed packets
G           - Added explicit but disabled by default filters for different
              types of ICMP traffic to both the INPUT and OUTPUT sections
N           - Added more subsection labels to section 10 to make the
              section easier to navigate
G           - Deleted the SECONDARYDNS variable in the firewall because it
              wasn't used and authoritative DNS servers must have both UDP
              and TCP DNS ports open to the world to work properly.
N           - Cleaned up the DHCP / PUMP issue description section a little
G           - Added a disabled OUTPUT section to support APC Powerchute for
              Linux
G           - Added the new top banner to the rc.firewall file and added a
              top section for enduser's personal notations and version
              changes
N           - Added a disabled option for the ICQ MASQ module
I           - For some reason, SMTP OUTPUT on the EXTERNAL interface was
              enabled by default.  This is now DISABLED by default.
N           - Put #s in front of the SECUREHOST OUTPUT echo statements
              though the IPCHAINS statements were already disabled.
              Thanks to "Ian Chilton" for the /proc and ICMP ideas.
            [Section 10]
G           Added inline comments to the Sendmail config files for both
            the Sendmail 8.9 and 8.8 configs to explain what each line
            does.
            [Section 25]
N           Changed the name of the tape backup section to something a
            little more straightforward and obvious
            [Section 29]
N           Updated the PCMCIA section a little
            [Section 34]
N           Updated the APCUPSd section to note that though the official
            APC Powerchute for Linux software not only works but it's FREE,
            but unfortunately it is NOT compatible with MS Windows
            Powerchute clients for over-the-network shutdowns.
            [Section 36]
N           Updated the IPSEC section to note that typical IPSEC VPNs are
            running a 168-bit cipher.
            [Section 47]
----------------
N 07/03/00  Updated all the old/dead links for IPCHAINS and Netfilter
N           Cleaned up all the stray "X" marks in the URL section.
            Thanks to John Hardy for the prod.
            [Section 5]
N           Noted that I have taken over the POP-Auth documentation and it
            will be posted to my WWW site soon.
            [Section 5]
N           Noted in the various firewall rule sets that newer versions of
            Pump now support script execution upon lease bringup, renew,
            etc.  Thanks to Mark Baysinger for this one.
            [Section 10]
N           Updated the verbiage in the Kernel Compiling section to
            reflect that the 2.4.x kernels are about upon us.
N           Updated the 2.2.x kernel example to reflect a 2.2.16 kernel
            [Section 12]
G           Added some headers to the two different NTP scripts and also
            added some inline comments for users who want to set the
            date/time via NTP but save the results in UTC format.  Thanks
            to Anders Oreback for this one
            [Section 26]
G           Added a new section called "Gracefully transitioning Internet
            domains through an IP address or ISP change".  This section
            takes you step by step on how to best notify the Internic and
            DNS servers of the change without having your domain actually
            stop responding to email, etc.
            [Section 51]
G           Oh wow.. I didn't realize that Section 51 had the wrong name!
            Before, it had a title for patching Tar to support BZip2 and
            NOT "Thoughts and procedures about Patching your
            distribution".  Thanks to Chuck Hartley for catching this.
            Regardless, it's now section 52 to make room for the "Changing
            ISPs and/or IP addresses" section
            [Section 52]
----------------
G 07/02/00  Fixed all the broken links that were pointing to
            They should have been pointing to TrinityOS-security.
N           Fixed all the "layed" spelling errors.  Thanks to for this one.
N           Removed the line from the TODO list:
              * Impliment external 10.x.x.x and 172.16-31.x.x packet
              * filtering
            [Section 2]
N           Added to the TODO list to modularize the rc.firewall rule set
            so that users can update their firewall without having to
            re-edit and tailor it to their needs.
            [Section 2]
N           Fixed the formatting issues of the /etc/ftpconversions file
            edit.  Thanks to for the sharp eye.
            [Section 7]
I           Updated the rc.firewall rule set to v3.60
            # Added port 445 for Windows2000 CIFS / SMB filtering for both
            # INPUT and OUTPUT.
            # Also enhanced the informational section to explain what each
            # port does
            # Added EXTENSIVE INPUT and OUTPUT filters for the IANA
            # reserved TCP/IP addressing scheme
            #   This one comes from good discussions with joe@plaguesplace.dyndn
            # - Added explicit though disabled Multicast filtering on the
            #   external interface per many users' requests.
            [Section 10]
I           Fixed a typo where the second CHMOD should have been for
            /home/chroot-dns-int and not ext.
I           Updated the root-hints-update script to v2.1
            # v2.1 - Fixed a typo in the CHMOD of the external file
            #      - Fixed the file ownership of the internal root-hints.db
            #        file
            #      - Changed the default path of where the new file
            #        is to be placed
            #      - Updated to have a backup copy of the INTERNAL hints
            #        file and not just have an EXTERNAL backup
N           Added a new subsection to get to the root-hints.db script
            easier
            # A strong Thanks to for these corrections
            [Section 24]
----------------
*C* 06/25/00 Updated the 2.2.x kernel section to remind users that 2.2.16
            is the ONLY secure kernel version available.  See below.
            [Section 5]
*C*         Roughly June 7th, it was found that Linux running kernels less
            than 2.2.16 had a TCP exploit.  I have updated the rc.firewall
            to reflect this info:
              NOTE: All 2.2.x Linux kernels prior to 2.2.16 have a TCP
              exploit that when combined with tools like Sendmail can lead
              to a ROOT compromise.  In addition to this, all kernels less
              than 2.2.11 have a fragmentation bug that renders all strong
              IPCHAINS rule sets void.  It is CRITICAL that users upgrade
              the Linux kernel to at least a 2.2.16+ kernel for proper
              firewall and system security.
            [Section 10]
----------------
N 06/24/00  Added to the DNS section how to determine the version of BIND
            simply using "nslookup".
            [Section 24]
----------------
G 06/22/00  Updated the /etc/logrotate.d/syslog file to reflect that klogd
            is in /sbin and NOT /usr/sbin in RH 6.1
            Thanks to for catching that
            [Section 8]
----------------
N 06/19/00  Added a few options to the TrinityOS "Futures" section
              - Named compiling walk-thru
              - GnuPG / PGP support
            [Section 3]
G           Heavily went over the DNS section
            - Cleaned up a lot of the text, fixed many formatting and
              layout issues throughout this section, etc.
            - Fixed two typos where the path for and 192.168.0.db were
              pointing to chroot-ext and chroot-int instead of
              chroot-dns-ext and chroot-dns-int
            [Section 24]
I           It should be noted that as I mentioned above in the DNS
            changes, I plan on going through all the various TrinityOS
            sections and cleaning out all the old formatting issues, etc.
            that were left over from the SGML port.  Though this will take
            some time, TrinityOS will ultimately read and look better.
            It should also be mentioned that I'm in the process of
            bringing up my new Linux box.  Since this machine is MODERN,
            I'm updating TrinityOS to reflect the new changes in Linux
            such as the hardware map, Software RAID, as well as updated
            configurations for Sendmail, etc.
----------------
N 05/28/00  Updated the Getdate URL
            [Section 5]
G           Updated the IPCHAINS rule set to v3.59
            # - Fixed an error for the Squid re-direction where all
            #   destination traffic was going to BROADCAST instead of
            #   INTLAN.  Thanks to for catching this.
            #
            # - Fixed an error where global SMTP allows on all
            #   interfaces were actually limited to the EXTIP address.
            #   This should have been UNIVERSE.
            #
            # - Fixed a typo where the AOL filtering example had the
            #   SMTP port in destination and not the source address
            #   field.
            #   Thanks to for these two reports.
            [Section 10]
G           Made some important updates to the DNS section:
            - The in.addr file for the external DNS zone had the wrong IP
              address in it.
            - Missed setting the chown ownerships for the external zone
              directories.
              Thanks to for catching these.
            [Section 24]
----------------
N 04/25/00  Ok, I've started to clean up the SGML code by hand.  Though
            Ian's Perl code did 95% of the work, it isn't as pretty as it
            should be.
N           I *DO* know that the PDF looks like crap.  I have a possible
            solution w/ the aid of the new version of GhostScript but it
            will have to wait for a week or two.
N           Some of the ASCII border art was mis-aligned.  I have started
            this cleanup but it will take some time to clean up all
            issues.
N           The CMOS setup table was mis-aligned.  Fixed.
            [Section 4]
N           Started to cleanup the formatting of this section.  You will
            notice that the fixed sections DON'T have the "X" in front of
            them (the old "checkmark" setup).  I also updated the 2.2.x
            kernel to be 2.2.14
            [Section 5]
N           Updated the URL of the TrinityOS security script
            [Section 7]
N           Fixed the formatting issues of the MASQ flowchart.
            [Section 10]
G           Fixed a typo where copying and then moving /usr/sbin/named-ext
            should have been named-xfer.  Thanks to for catching this.
            [Section 24]
----------------
G 04/24/00  Finally put up the first SGML version of TrinityOS that had
* Sent Update *
            HTML, PDF, PS, etc. versions exported.  Finally eh?
            A HUGE thanks goes out to those users that had given me SGML
            ports from the past but they never were current with the
            current version of TrinityOS.  Thankfully, wrote a Perl script
            that converted TrinityOS ASCII to SGML.  The current version
            might still have some conversion errors so I would love any
            reports of problems but hopefully, things will be smooth
            sailing from here on!
------------
N 04/15/00  Fixed all "readable" spelling errors.  Thanks to for catching
            these.
H           Updated the sendlogs script.
            # 04/13/00 - Added the $HOST variable to easily tune the SUBJECT
            #            field to reflect the name of your Linux system.
            #            You should edit this to reflect your system.
            [Section 9]
I           Updated the IPCHAINS rule set to v3.58
            # v3.58 - 04/13/00
            # - Fixed a pretty serious issue if you were trying to enable
            #   the explicit input filters for things like DoubleClick,
            #   etc.  Basically, I was allowing all internal traffic to get
            #   to the Internet before these firewall rules were being
            #   inspected.  I have now moved the ALLOW ALL internal
            #   firewall rule sets toward the end of the INPUT section.
            #   Thanks to for catching this!
            [Section 10]
N           Missed the reference for pointing users to the Printing
            section.
            [Section 33]
N           Moved updates older than 2/21/00 to the old updates list.  The
            URL is given both ABOVE and below.
------------------
N 04/09/00  Changed the name of the DNS section to reflect that the
* Sent Update *
            TrinityOS documentation now tells users how to setup DNS in
            both a CHROOTed and SPLIT Zone environment.
            [Section 2]
N           Removed the "Edit and move /var/log/sendlogs to
            /usr/local/sbin" line from the Future Features section.  It
            was already done.
            [Section 2]
N           Removed the "Update the DNS setup to be a SPLIT-DNS setup for
            additional internal security" Future Feature line now that
            it's completed.
            [Section 2]
N           Updated the Feature section to reflect that DNS is now done in
            both a CHROOTed and SPLIT Zone fashion.
            [Section 3]
I           In addition to finding that the copy of Sendlogs in TrinityOS
            was old compared to the archive, I reversed a change I made a
            while back.  Basically, now dates from 01-09 will now work
            properly.
            [Section 9]
N           Moved all IPCHAINS firewall changelogs older than v3.50 to the
            old-updates log.  The URL is both just above this and at the
            end of TrinityOS.
            [Section 10]
G           Updated the IPCHAINS rc.firewall to v3.57
            # - Added some spaces in front of the word "Optional" for
            #   prettier output upon loading.
            # - I've rearranged the enabling of FORWARDING -before- the
            #   enabling of MASQUERADING since IPCHAINS complains.
  # - As of 2.2.12, the IP_ALWAYS_DEFRAG option has been omitted and is now
  #   a /proc configured option. I have now added this to the FORWARD section.
  # - Added an echo statement and additional SILENT blocking statements for
  #   SMB traffic on the external interface
  [Section 10]
N More for a self reminder, I added how to address a NIC in Redhat speak at the end of this section. [Section 16]
I Wow! This was a LOT more work than I expected but I've finally updated the DNS section to now configure BIND to be in both a CHROOT'ed jail (for security) and have SPLIT Zones for internal and external interfaces. Please see the section for more details on what all this means. I have also slightly reorganized this section and updated and moved the root-hints script. [Section 24]
I I have updated the TrinityOS archive with all this as well.
------------------
N 04/08/00 Added a URL for additional SSH tunneling help. Actually, I just moved it from Section 30 to 5. I did the same for the Security HOWTO from section 8 to 5. [Section 5]
G Updated the permissions for the various /etc/cron.* files and also updated them in the TrinityOS-security script. [Section 7]
N Moved the changing of permissions of /bin/rpm from the bottom of section 8 to section 9. [Section 7 to 8]
N Moved and updated the URL for the Security HOWTO to Section 5. [Section 8]
N Updated some of the verbiage in the password section. Also cleaned up and expanded on the daemon enabling/disabling section for both BSD and SysV systems. [Section 8]
G Added a note for the /etc/hosts.allow file to only use TCP/IP addresses and NOT DNS names since they can be spoofed. I also added an example in /etc/hosts.allow to allow all hosts on a given subnet. [Section 8]
N Fixed two typos in the source directory when moving the logrotate config files for mysql and squid. [Section 9]
N Added changing the permissions of /etc/issue and /etc/ I've also added this to the script.
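The hosts.allow note above (use numeric addresses, never DNS names, because names can be spoofed) is easy to check for. The script below is an added example, not something from the TrinityOS document or its archive: it scans a tcp_wrappers hosts.allow file and lists every client pattern that is a host or domain name rather than a numeric address or a wrappers wildcard. It assumes the classic "daemon_list : client_list [: shell_command]" syntax, and the sample file it writes for the demonstration is constructed here, not a real configuration.

```shell
#!/bin/sh
# Added example (not from the TrinityOS document): audit a tcp_wrappers
# hosts.allow file and list every client pattern that is a host or domain
# name rather than a numeric address.  Assumes the classic syntax
#     daemon_list : client_list [: shell_command]
# The sample written by write_sample_hosts_allow is constructed for the
# demonstration; it is not a real configuration.

# audit_hosts_allow FILE -> prints "LINE: pattern" for each name-based entry
audit_hosts_allow() {
    sed -e 's/#.*//' "$1" | awk -F: '
        NF >= 2 {
            # field 2 is the client list; split it on spaces, tabs and commas
            n = split($2, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                # numeric forms: dotted quad, dotted prefix "10.1.2." or addr/mask
                if (t ~ /^[0-9]+(\.[0-9]+)*\.?(\/[0-9.]+)?$/) continue
                # tcp_wrappers wildcards and the EXCEPT operator are not names
                if (t ~ /^(ALL|LOCAL|KNOWN|UNKNOWN|PARANOID|EXCEPT)$/) continue
                print NR ": " t
            }
        }'
}

# write_sample_hosts_allow FILE -> constructed sample input (lines 4 and 5
# use names and are the ones the audit should report)
write_sample_hosts_allow() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
sshd: 192.168.1.
ALL: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.55
in.ftpd: mail.example.com
portmap: .example.com, 10.0.0.
EOF
}

# stand-alone use: audit the file given as $1, or the constructed sample
if [ $# -gt 0 ]; then
    audit_hosts_allow "$1"
else
    tmp=$(mktemp -d)
    write_sample_hosts_allow "$tmp/hosts.allow"
    audit_hosts_allow "$tmp/hosts.allow"
    rm -rf "$tmp"
fi
```

Run it against a real file with `sh audit.sh /etc/hosts.allow`; each reported line is a place where a DNS lookup, not an address, decides whether the connection is accepted. The numeric regex deliberately accepts the trailing-dot prefix form ("192.168.1.") and the address/netmask form, which are the two subnet notations hosts_access(5) understands.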
[Section 9]
N Aligned TrinityOS with the script. The "logit" script should be in /root. I also fixed the permissions on it. [Section 9]
N Added the creation of the apropos database to the TrinityOS script.
N Noted that the "makewhatis" command now runs cleanly in Mandrake 7.0. [Section 9]
I Holy Cow! The /usr/local/sbin/sendlogs file in TrinityOS was VERY old. Dunno how this escaped me! Sorry! The old version was 11/26/99, the new version is 2/21/00! The version in the TrinityOS archive was ok. [Section 9]
N Updated the IPCHAINS firewall ruleset to v3.56
  # v3.56 - 04/08/00
  # - Added the /sbin path to the commented IPCHAINS lines
  #   for setting the TOS bits.
  [Section 10]
N Deleted the changing of the permissions of IPFWADM or IPCHAINS since they are duplicated in Section 8. [Section 10]
N Noted that the 2.2.x kernels have PORTFW functionality built in. [Section 11]
N Updated the top comments that TrinityOS covers the compiling of both 2.2.x and 2.0.x kernels. [Section 12]
N Updated and reformatted the section for editing of /sbin/ifup to reflect the line numbers for Mandrake 7. [Section 16]
N Added the SSH section to reflect that SecureCRT v3.x supports the SSHv2 protocol. I also noted that SSHv2 is not free for commercial and educational use. Thus, many people still use SSHv1 servers. I also moved the URL for additional tunneling help from Section 30 to Section 5 [Section 30]
G Added a SysV script file to load SSHd for Linux systems like Redhat, etc. I also clarified the existing system was for BSD systems like Slackware, etc. I also added a few more configuration options for disabling Xwindows and SSH tunnels. [Section 30]
G Added a SysV script file to load SSHd to the TrinityOS-security archive.
------------------
N 04/04/00 has moved their Linux archives to I have updated the URLs. [Section 5]
------------------
G 04/02/00 Updated the distribution section to reflect Redhat 6.2 and my thoughts and worries about Mandrake 7.0's installer.
[Section 6]
I Added a security alert / patch recommendation for ircii [Section 60]
------------------
N 04/01/00 Updated the name of the email section to reflect the support of IMAP4 as well. [Section 2]
G Added a URL to a HOWTO on the LDP for supporting multiple virtual domains for email. [Section 5]
G Added a large description of what UUCP, POP3, and IMAP4 are, how they work, and how they are better/worse. I also re-wrote part of it to reflect both POP3 and IMAP4 and IPFWADM and IPCHAINS. [Section 28]
N Added a pointer to Section 5 for users that need to set up virtual domains for email. [Section 28]
I Fixed a typo where I was restarting syslog and NOT crond as I was describing. Thanks to for catching this silly mistake. [Section 41]
I Fixed a typo in the TrinityOS archive where "touch /etc/dhcpd.leases" had a stray "A" at the end of the line. Thanks to for that one.
------------------
I 3/27/00 Updated the IPCHAINS firewall to v3.55 *Sent Update*
Deleted the text from the IPCHAINS firewall rule set and the DHCPcd section:
  --
  # *****************************************************
  # ABSOLUTELY CRITICAL: If you run the /etc/dhcpcd/dhcpcd-ethX.exe file
  # (needed for DHCP'ed DSL and cable modem users), you CANNOT also enable
  # the /etc/rc.d/init.d/firewall script below.
  # *****************************************************
  --
The reason for this is that the firewall script file WON'T be executed if the old IP address for the machine was the same after reboot. So, you need to have:
  Redhat: the /etc/rc.d/init.d/firewall script activated
  Slackware: have the /etc/rc.d/rc.local script load the /etc/rc.d/rc.firewall rule set.
Please NOTE:
------------
I think there still might be some issues with this setup. The problem stems around the fact that the rc.firewall might get loaded from both dhcpcd's /etc/dhcpcd/dhcpcd-ethX.exe AND /etc/rc.d/init.d/firewall. I'm still looking into this and if you have any comments on this, I'd love to hear from you.
[Section 10 and 35]
*C* There are -6- new security vulnerabilities for Linux that depend on the distribution you are running. Check out this section ASAP!! [Section 60]
G Updated the TrinityOS archive script to reflect the DHCPcd issues.
N Moved all TrinityOS updates older than 01/03/00 to the Changes Archive. The URL is above.
------------------
N 3/25/00 Updated the SSH URL [Section 3]
N Fixed a typo where I was calling the "Dial-In Server HOWTO" the "Dial-UP" server HOWTO. [Section 5]
G Updated the IPCHAINS firewall to 3.54 - Added filters for the new "Shaft" DDoS tools [Section 10]
------------------
I 03/20/00 Found a typo in the /usr/lib/sendmail-cf/cf/ file. Changed "confSTMP" to "confSMTP". Thanks to for this one. [Section 25]
------------------
*C* 03/19/00 I -thought- I solved all the DHCPcd issues but it sounds like DHCP users cannot run both the /etc/rc.d/init.d/firewall and the /etc/dhcpcd/dhcpcd-eth0.exe file. This yields BAD results. I have added comments to make DHCP users aware of this in both the IPCHAINS firewall and the DHCP sections. [Section 10, 35]
I have changed the enabling of the /etc/rc.d/init.d/firewall script from AutoFix to Userfix in the TrinityOS archive script.
------------------
I 03/18/00 Added a top section to clarify why TrinityOS is both Trademarked and Copyrighted:
  --
  Sorry for all the legal stuff... Yet I've already had one company try to have the name TrinityOS taken from me, and one HOWTO author has already ripped off MUCH of TrinityOS's content though it was re-written to avoid any direct copyright issue. I'm just covering my butt here from the many lowlifes in the world.
  --
  [Intro]
N Updated the URL for Diald. Thanks to for this one. [Section 5]
N Tripwire has gone OpenSource for Linux! Woohoo! They have also released a version that runs on Glibc. I've updated the Tripwire section with all the new URLs. Thanks to for this one.
[Section 5]
N Added a few URLs for PPPoE [Section 5]
N Added a few URLs for PPTP and Encrypted PPTP VPNs [Section 5]
G Added a URL to Robert Gram's FAQ on how to understand what Firewall logs mean. [Section 5]
N Added a URL for Linux Real Time Messengers (ICQ, AIM, etc) [Section 5]
N Deleted the reference to /etc/localhosts. This is OLD stuff. Thanks to for this one. [Section 7]
G Fixed the permission setting locations of klogd and syslogd. Thanks to for this one. [Section 8]
G Updated the IPCHAINS rc.firewall rule set to v3.52
  # v3.52 - 03/18/00
  # - Finally found a 100% solution for DHCPcd users out there that
  #   get DHCP'ed IP addresses on their external INTERFACE. Changes
  #   in the firewall rule set are only the DELETION of comments in the
  #   top section to then refer users to the DHCPcd section in TrinityOS
  #   for full details (as it should be to minimize confusion).
  #
  #   The syntax "dhcpcd -D -H $EXTINT /etc/rc.d/rc.firewall" was WRONG.
  #
  # - Moved the PORTFW variable to be below the SECUREHOST section
  #   for clarity.
  #
  # - Added some comments for PORTFW users on how to allow portfw access
  #   to explicit hosts and/or networks.
  #
  # - Added two more PORTFWIP variables to the IPCHAINS rule set
  #
  # - Moved the PORTFW section from the INPUT section to the FORWARDing
  #   section for better clarity
  #
  # - Added a section in the general INPUT section for Squid w/ JunkBuster.
  #
  # - Expanded on the DoubleClick filtering example with network numbers from
  #   Thanks to for helping troubleshoot this for me.
  [Section 10]
G Deleted an extra "#" from the /etc/rc.d/init.d/firewall script that kept it running with Linuxconf. Thanks to for catching this one. [Section 10]
G Updated the IPFWADM rc.firewall rule set to v2.97
  # v2.97 - Deleted the DHCPcd commands as the syntax was old and misleading.
  #         Update to IPCHAINS for a far superior firewall rule set.
[Section 10]
G Added a recommendation for users to check out Robert Gram's Firewall hit FAQ to understand what their firewall logs really mean. [Section 10]
I Finally found the proper solution to get users that use DHCPcd on their external interfaces to re-run the rc.firewall rule set upon a lease renew. [Section 35]
I Updates to the TrinityOS archives:
  - Fixed the permission setting locations of klogd and syslogd. Thanks to for catching this.
  - Fixed an error in the TrinityOS archive where chkconfig was enabling "network" instead of "firewall" in the various /etc/rc.d/rc.Xd dirs. Thanks to for catching this one.
  - Updated the firewall to v3.52
-----------------
N 03/13/00 Added the URL for the DHCPcd homepage [Section 5]
-----------------
N 03/05/00 informed me that the Trinity site, the first nuclear test site, wasn't in Nevada but White Planes, New Mexico. Thanks James!
N Updated the rc.firewall rule set to v3.51 - Removed a duplicate input filter for spoofed packets, etc. Interestingly enough, trinityos.wri didn't have the duped line. Thanks to for the sharp eye. [Section 10]
N Updated the TrinityOS archive
------------------
N 02/29/00 Updated the procedures for installing Sendmail manually. Before I did:
    cp /usr/src/archive/sendmail/sendmail-x.x.x/ \
       /usr/lib/sendmail-cf
  now it is:
    mkdir /usr/lib/sendmail-cf
    tar cpf - /usr/src/archive/sendmail/sendmail-x.x.x/* | \
       (cd /usr/lib/sendmail-cf; tar xvpf -)
  This fixes an issue where the /usr/lib/sendmail-cf dir isn't already present or when it's on the same file system. Thanks to for bringing this to my attention. [Section 25]
------------------
N 02/26/99 Updated the IPCHAINS rc.firewall to v3.50 - Fixed a minor error in the commented Diald line where the $INTLAN variable needed to have the extra "/24" deleted. Thanks to for reporting this. [Section 10]
G Fixed a missing "fi" statement in the script that would kill it after the PPP section.
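The tar-pipe copy in the 02/29/00 entry is a general technique for moving a tree while keeping modes and ownership, so here it is as an added example (not TrinityOS's own commands) wrapped in a function with the checks a practitioner would add: the destination is created if missing, the source is validated, and the copy is verified afterwards. It generalises the sendmail-cf step by running tar from inside the source directory, which keeps the archived names relative so the files land directly under the destination. The scratch tree used in the demonstration is constructed; the sendmail-x.x.x path from the entry above is only illustrative.

```shell
#!/bin/sh
# Added example (not TrinityOS's own commands): copy a directory tree with
# a tar pipe, preserving permissions, and verify the result.  DST is created
# if missing, and tar runs from inside SRC so archived names are relative
# and land directly under DST.

# copy_tree SRC DST -> 0 on success, 1 on failure
copy_tree() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "copy_tree: $src is not a directory" >&2; return 1; }
    mkdir -p "$dst" || return 1
    # tar writes the archive to stdout (-); the second subshell extracts it
    # inside DST.  Each cd runs in its own subshell, so the caller's working
    # directory is untouched.  -p keeps modes even for a non-root caller.
    (cd "$src" && tar cpf - .) | (cd "$dst" && tar xpf -)
}

# same_tree A B -> 0 if both trees contain exactly the same relative paths
same_tree() {
    a=$(cd "$1" && find . | sort)
    b=$(cd "$2" && find . | sort)
    [ "$a" = "$b" ]
}

# mode_of FILE -> the symbolic mode column of ls -l, e.g. -rw-r-----
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# stand-alone demonstration on a constructed scratch tree
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/cf/cf"
    printf 'divert(0)\n' > "$tmp/src/cf/cf/trinity.mc"
    chmod 640 "$tmp/src/cf/cf/trinity.mc"
    copy_tree "$tmp/src/cf" "$tmp/usr/lib/sendmail-cf" &&
        same_tree "$tmp/src/cf" "$tmp/usr/lib/sendmail-cf" &&
        echo "copy verified: $(mode_of "$tmp/usr/lib/sendmail-cf/cf/trinity.mc")"
    rm -rf "$tmp"
fi
```

The verification step matters more than it looks: a tar pipe reports only the status of the extracting side, so a source that silently yields an empty archive (a typo in the path, a directory without read permission) would otherwise go unnoticed until the new sendmail-cf tree turns out to be missing files.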
------------------
N 02/21/99 Added a URL to the PopAuth site for users that have remote users that are having issues with sending email via SMTP. Thanks to Frank Pineau for reminding me about this. *Sent Update* [Section 5]
I Doh! When I converted over the date function in the sendlogs script to %d over %e, I should have left the SPACE between the two variables. This will solve the issue where users are getting EMPTY sendlog emails. Thanks to for catching this. [Section 9]
N Changed the order of the /etc/rc.d/init.d/firewall commands to be start|stop|reload|status vs. start|stop|status|reload [Section 10]
G Updated the IPCHAINS firewall ruleset to v3.49
  - Added some error checking where if the EXTIP variable is not properly set, the firewall ruleset will abort. Thanks to for the ideas.
  - Updated the rp_filter setting to "2" for the highest level of anti-spoof protection.
G Updated the root-hints-update script to send better success / failure update emails. Thanks to for the thoughts. [Section 24]
N Cleaned up a few typos and such in the Sendmail intro. [Section 25]
G Added a few comments about why sending of email for POP-3 clients might not work and offered a few resolutions. I then referenced the PopAuth URL in section 5 for a complete solution. [Section 28]
N Changed the date filter to use %d over %e. [Section 29]
G Updated the archive
N Moved all TrinityOS updates older than 11/30/99 to the archives.
------------------
N 02/17/00 Updated the Slackware and Debian descriptions. [Section 6]
------------------
N 02/15/00 Updated the IPCHAINS ruleset to v3.48 - Added some clarification comments why I don't log INPUT SMB and NFS rejects (grows the logs much too fast) [Section 10]
G Added an additional section to the DNS section on how to properly set up a secondary DNS server for someone that has a "subnet of IPs" and not just a single IP address.
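The v3.49 entry above adds an abort when EXTIP is not properly set. The script below is an added example of that fail-closed check, not the TrinityOS rule set itself: EXTIP is the external-interface address variable named in the entry, `valid_ipv4` and `require_extip` are names chosen here, and the rule loading that would follow the check is represented by a placeholder echo rather than real ipchains commands so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not the TrinityOS rule set itself): the "abort unless EXTIP
# is properly set" check described above, written as small functions.
# EXTIP is the external-interface address variable used by rc.firewall; the
# rule loading that would follow the check is only a placeholder echo here.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with each octet in 0..255
valid_ipv4() {
    case "$1" in
        "" | *[!0-9.]* ) return 1 ;;    # empty, or a character other than digit/dot
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1            # exactly four octets
    for octet in "$@"; do
        [ -n "$octet" ] || return 1     # rejects forms like "1..2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# require_extip -> 0 if $EXTIP is usable; otherwise prints the reason and
# returns 1 so the caller stops before loading any rules
require_extip() {
    if ! valid_ipv4 "${EXTIP:-}"; then
        echo "rc.firewall: EXTIP='${EXTIP:-}' is not a valid IPv4 address; aborting" >&2
        return 1
    fi
    return 0
}

# load_rules -> what the rule set would do once the check passes; the
# ipchains commands are replaced by a placeholder echo
load_rules() {
    require_extip || return 1
    echo "would load rules for external address $EXTIP"
}

# stand-alone run: refuse when EXTIP is empty, proceed when it is set
if [ $# -eq 0 ]; then
    EXTIP=""; load_rules || echo "refused (EXTIP unset)"
    EXTIP="192.168.1.1"; load_rules
fi
```

Aborting is the right default here: a rule set that keeps going with an empty EXTIP would emit rules with a missing argument, and depending on where that happens the box can come up with no external-interface filtering at all. The same check is the natural place for DHCP and PPP users to catch a stale address before the rules are reloaded on a lease renew.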
[Section 24]
Updated the TrinityOS-security.tgz archive to have a "ls -laR" of the directory
------------------
N 01/29/00 Cleaned up the Index a little [Section 2]
------------------
N 01/24/00 Posted Robert Hembrook's port of TrinityOS v01/03/00 in both MS Word 2K and PDF. The formatting isn't perfect but it works.
------------------
G 01/22/00 Added (4) URLs for ML/PPP. Though these ML/PPP drivers work, some need stability or performance tuning still. [Section 5]
G Added to the PPP section about current issues (performance, latency, # of lines, etc) with the various ML/PPP implementations. ML/PPP setup and installation is not included in TrinityOS yet. Thanks to Charles @ for his thoughts. [Section 22]
G Fixed the compression exclusion for spanned ARJ and RAR files. Also added file exclusions for gif/jpg/mpg. [Section 29]
------------------
N 01/19/00 Cleaned up the IPFWADM ruleset for the IPSEC firewall rulesets and added examples for IPCHAINS. [Section 48]
------------------
N 01/17/00 I just overwrote a new TrinityOS that had many updates to it and references to the users that submitted the ideas. Doh! Though I can't remember your email addresses and thus can't give you credit here, I still appreciate your emails. Please keep them coming and I hope I don't do this stupid move again.
N Noted that Mandrake is now on version 7.0 [Section 6]
G Fixed all the "date" issues in the "sendlogs" script. Date now uses %d over %e and doesn't use any spaces. Contributor's email lost. [Section 9]
G Updated the IPCHAINS firewall to v3.47
  - Added a script to support dynamic interface names via the EXTIF variable. Contributor's email lost.
  - Clarified that PPP and DHCP users MUST understand that the firewall ruleset MUST understand your new IP addresses to work at ALL. Contributor's email lost.
  - removed the #s in the disabled "echo" statements for "SECUREHOST" and "INTERNALHOST" IPs. Contributor's email lost.
  - Added UDP for NTPd time serving.
    Please note that some NTP servers use TCP while others use UDP. Contributor's email was lost. [Section 10]
G Fixed the date issues in the "build-it" script to use %d over %e and remove any spaces in the date format. I also changed the layout a little and added some beeps at the end. Contributor's email lost. [Section 14]
G Updated the following scripts to use "%d" instead of "%e" in the date setup: bru-fullbackup bru-viewtape bru-find-changes bre-restore [Section 29]
N Added (4) security RPMs [Section 60]
------------------
N 01/03/00 TrinityOS is starting to get some good press. Sharing a Six Pack:
------------------
Moved all IPCHAINS firewall changes older than v3.50 to the old-updates log:
# -------------------------------------------------------------------------------
# v3.49 - 02/21/00
# - Added some error checking where if the EXTIP variable is not
#   properly set, the firewall ruleset will abort. Thanks to
#   for the ideas.
#
# - Updated the rp_filter setting to "2" for the highest level of
#   anti-spoof protection.
#
# v3.48 - 02/15/00
# - Added comments about NOT logging INPUT SMB and NFS traffic because
#   of log file size issues
#
# v3.47 - 01/15/00
# - Added a script to support dynamic interface names via the EXTIF
#   variable
#
# - Clarified that PPP and DHCP users MUST understand that the
#   firewall ruleset MUST understand your new IP addresses to
#   work at ALL.
#--
# v3.46 - 01/09/00
# - removed the #s in the disabled "echo" statements for SECUREHOST,
#   INTERNALHOST IPs
# - Added UDP for NTPd time serving. Please note that some
#   NTP servers use TCP while others use UDP.
#
# v3.45 - 12/26/99
# - Added an echo statement for explicit INPUT filters
# - Reordered the INPUT section a little to flow with the explicit INPUT filters
# - Moved the explicit OUTPUT filters to be BELOW the explicit ALLOWs
# - Added an explicit output filter for un-authorized IPSEC VPNs
# - Moved a few of the OUTPUT spoofing filters to be in the explicit
#   output filter section
#
# v3.42 - 12/19/99
# - Doh! Didn't delete the garbage at the top before the !/bin/sh line!
# - Cleaned up some formatting, added more echo statements. Nothing
#   critical
# --
# v3.41 - 12/18/99
# - Added a commented section on setting the TOS bits
# - Added a recommendation for ICQ users to change the UDP timeout
# --
# v3.40 - 12/14/99
# - Added filters for the new Trinoo trojan flooder
# - Fixed typos for commented out ECHO lines that had missing open "
# --
# v3.35 - 11/26/99
# - Changed a typo where the ruleset would run but say it was version 3.20
# - Added #ed out echo lines for optional sections that could be re-enabled
#   by the user. This makes the ruleset execute more readably
# - Added more SECUREHOST variables (5 in total now) and reordered them a
#   little to be more consistent
# - Fixed the default ruleset to NOT allow the server to be an NNTP server
# - Added an explicit INPUT filter to block SMB traffic IN or OUT on the
#   external interface
# - Deleted the generic Samba filter since it works on ALL interfaces which
#   wasn't granular.
# - Added explicit OUTPUT filters for SMB traffic
# - Added a blurb that someday, we won't have to allow out ALL high ports
#   (stateful)
# --
# v3.30 - 10/28/99
# - Re-ordered the ruleset to set the policies first and then flush them
#
# - Moved the enabling of the kernel's IP forwarding to the END of the
#   firewall to slightly strengthen the ruleset.
# --
# v3.20 - (9/26/99)
# *CRITICAL* The ordering of the ACCEPT of the HIGH PORTS in the
#   output ruleset is WRONG!!
#   Moved them to be AFTER all the various REJECT lines but before the final
#   output reject.
#
#   Several comment additions
#
#   Changed the DGW variable to EXTGW, added the XWINDOWS_PORTS variable.
#
#   Put a copy of the actual firewall ruleset up on the WWW site
# --
# v3.13 - (9/20/99)
#   Added a commented FORWARD ruleset to support Diald users that
#   have a SL0 slip interface
# --
# v3.12 - (9/14/99)
#   Very minor: Aligned the IP examples with the TrinityOS
#   search/replace section.
#
#   Fixed the IPCHAINS ruleset to use the $EXTIF variable when doing the
#   dynamic EXTBROAD variable. It was hard coded to ETH1.
#
#   Added additional explicit OUTPUT filters for NetBus Pro, Win Crash,
#   Socket De Troye, and the Unknown Trojan Horse (Master's Paradise
#   [CHR]) trojans in the OUTPUT filter of the IPCHAINS ruleset.
# --
# v3.11 - (9/8/99)
#   Enabled external DHCP client access per default for cablemodem
#   and DSL users. This change involves enabling both INPUT and
#   OUTPUT rules.
# --
# v3.10 (9/7/99)
# - Enabled SYN checking on all HIGH ports. This is VERY important
#   and I recommend ALL users to use this newer ruleset.
#
# - Fixed the syntax of the disabled "ipmasqadm portfw" command
# - Added the enabling of all "rp_filter" anti-IP spoofing mechanisms
# --
# v3.00 - Cleaned up parts of the ruleset and re-ordered parts of it
# --
# v2.97 - Fixed a typo in the IPCHAINS port that named the external
#   interface's IP address variable "EXITIP" instead of
#   the correct "EXTIP".
# --
# v2.96 - Some minor formatting changes
#
# - Changed David C.'s default behavior of external NIC
#   having DHCPed IP addresses to STATIC IPs
#
# - *IMPORTANT*
#   Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW variable areas
#   that DHCP users should use "dhcpcd" with the -c option to re-run
#   the ruleset upon lease renews. It is also mentioned that both
#   DHCP and PPP users need to get their EXTBROAD and DGW addresses
#   dynamically.
#
# - Changed the debug system to re-create the debug log each time
#   (removed one of the >'s at the top of the debug setup)
#
# - Updated the original IPCHAINS port ruleset to v2.95
# --
# v1.01 - Remove row with just -o.
# - Replace -o with $LOGGING.
# - Use service names instead of service numbers.
# - Remove rows that appear to give full access to all protocols.
# - Add logging option variable.
# - Make the order a bit more logical.
# --
# v1.00 - Original TrinityOS v2.94 firewall port of TrinityOS ruleset
#   from David Cittadini
#
# -------------------------------------------------------------------------------
------------------
G 01/02/00 Added the URL for downloading all the various port-numbers, protocol-numbers, etc from the IANA. To me, ALL of these files belong in a globally readable directory in /etc/iana. *Sent Update* [Section 5]
G Added a pointer to this IANA archive when describing how to read a firewall IPCHAINS hit. [Section 10]
G Fixed two typos in the archive. A missing ending " and a missing "rc.d". Thanks to for the heads up.
N Moved all TrinityOS updates older than 11/25/99 to the TrinityOS-updates list. URL is above.
------------------
N 01/01/00 Hehehe.. gotta love that date eh? Anyway, just added a link to the Linux Application page. Lots of these good links are on my main Linux page but some need to be in TrinityOS. [Section 5]
N Added a URL for Ethereal. An EXCELLENT GUI network sniffer. [Section 5]
N Fixed a missing ">" on line 139. Thanks to for this one. [Section 9] Updated the archive too.
------------------
N 12/29/99 Updated the info in the Partition recovery tools to denote which ones were Linux and DOS utils. As it stands, I lost the partition table on my laptop due to Dell's new "Resume-from-Disk" feature that actually OVER-WROTE my partition table. Grrrr..
[Section 51]
------------------
G 12/26/99 Updated the TrinityOS firewall to v3.45
  - Added an explicit filter for unauthorized IPSEC VPNs
  - reordered some input and output filters for better enduser customization.
G Updated the TrinityOS-security archive
G It's HIGH on my list to make the TrinityOS ruleset modular. What this means is when I update the ruleset, you won't have to re-edit the ruleset itself. All enduser configs that are specific to your environment will be in a different config file, something like /etc/rc.d/rc.firewall.config
------------------
G 12/23/99 Updated the TrinityOS-security.tgz archive
  - Updated the firewall to 3.43
  - Fix the init.d directory to be in the right place
  - Updated the DHCPcd syntax
N Added a new "Completed" section on "LILO / File System Recovery" which is Section 51. [Section 2]
N Cleaned up and expanded on the "Feature section" of TrinityOS [Section 3]
G Added a Feature section for "Recovery" noting that TrinityOS covers recovery from when your box was hacked into and the recovery of LILO / File system problems. [Section 3]
G Updated the rc.firewall to v3.43 - Updated the DHCPcd syntax in the firewall ruleset [Section 10]
G Updated the DHCPcd section to reflect the newer DHCPcd syntax. [Section 35]
I Added a whole new section on MBR, partition table, and file system recovery and tools. [Section 51]
------------------
N 12/22/99 Updated the URL for Robert Zeigler's firewall site [Section 5]
------------------
N 12/20/99 Updated the SSH alias in /etc/bashrc to use a full path [Section 30]
------------------
G 12/19/99 Added a URL to RPMLevel from the author of RPMWatch. This tool might turn out to be easier than AutoRPM. [Section 5]
G Updated the IPCHAINS ruleset to v3.42
  - Fixed a HUGE error of the text above the /bin/sh line
  - Cleaned up and added a few more ECHO lines [Section 10]
G Changed the method of loading of the rc.firewall script to be more Redhat-ish.
To be specific, I created a /etc/rc.d/init.d/firewall script instead of the manual editing of /etc/rc.d/init.d/network to load the rc.firewall script. [Section 10]
G Updated the TrinityOS-security archive to TrinityOS-security-121999.tgz
  - Added the new v3.42 ruleset
  - Changed the firewall to load after the network comes up via the Redhat method of /etc/rc.d/init.d/firewall
------------------
G 12/18/99 Added the URL for the ICQ kernel modules and their versions. As it stands, there is a new version for the 2.2.x kernels that is greatly improved. [Section 5]
N Updated the IPCHAINS ruleset to v3.41
  - Added a commented section on setting the TOS bits
  - Added a recommendation for ICQ users to change the UDP timeout [Section 10]
------------------
N 12/16/99 Added URLs for WU-FTP [Section 5]
N I've started adding Application and Game URLs. Namely I've added the URL for Xshipwars that looks VERY cool. [Section 5]
I Added a new security warning about a root exploit with HTDIG v3.1.x. Please note this is NOT a standard install on Redhat. This is initially focused at Debian users *if* it is installed. [Section 10]
------------------
G 12/14/99 Updated the TrinityOS-security.tgz archive. URL is above.
G Added the LogSurfer URL. This tool is like Swatch but it understands states to better detect attacks! Very cool! [Section 5]
I Updated the rc.firewall ruleset to v3.40
  - Added filters for the Trinoo flooder
  - fixed typos with commented "echo" statements that were missing the front " [Section 10]
-------------------
N 12/11/99 Updated the PCMCIA URL [Section 5]
-------------------
N 11/30/99 - Fixed a typo that had "window 8192" instead of "window 16384".
[Section 16]
---------------
N 11/28/99 - Updated the name of the SSH chapter *Sent Updates* [Section 3]
N - Added a future feature to add a new IPCHAINS firewall for single interface users (eth and ppp) [Section 3]
N - Added URLs for the CHKLOGs, Swatch, and LogCheck tools [Section 5]
N - Added the URL for IPTraf, an excellent Ncurses network sniffer/monitor [Section 5]
N - Added a URL for a high level intro to Linux hardware and software RAID support [Section 5]
I - Added a URL for AutoRPM and mentioned that RpmWatch will be phased out since it doesn't work with Redhat's new WWW layout for Redhat 5.2 and newer distro update pages. [Section 5]
N - Added/Changed TrinityOS search/replace entries for:
    - PPP dialin accounts
    - the username replacement field
    - Added (2) more Explicitly allowed hosts [Section 5]
G - Fixed permissions (made recursively) for all cron directory entries [Section 5]
G - Clarified the umask issue with multiple user systems [Section 5]
G - Changed the perms for /etc/rc.d/init.d from 700 to 770 in favor of administration groups instead of just root users. [Section 7]
  - Changed some verbiage:
N   - Put the Redhat section on top and Slackware on the bottom
N   - Put in a testing criteria for shadow passwords and noted that RH6 already supports shadow passwords.
N   - Put the MD5 method for shadow passwords on top [Section 7]
G - Setting the sticky bit for /tmp/.X11-unix wasn't working (using 1777) so I used a different method (u+t). [Section 8]
N - Changed the Redhat / Slackware order for the configuration files. [Section 9]
G - Added permission changes for Slackware SYSLOG files [Section 9]
G - Added extra file permission checks for SYSLOG files [Section 9]
G - Added the option of how to disable the "--MARK--" lines in the various syslog files. [Section 9]
G - Tuned a few more syslog files to compress via logrotate.d [Section 9]
I - Removed the /etc/rc.d/rc.local lines to start the firewall and CDROM programs to their appropriate TrinityOS chapter.
    This is the kind of leftover old TrinityOS crap that needs to be cleaned up. I'm getting there. [Section 9]
G - Cleaned up the "logit" script verbiage a little and deleted the "recycle" script as it only pertained to the old "logit" script that used tail to send logs to TTY7/8 [Section 9]
N - Mentioned that the "sendlogs" script will be REPLACED once I implement something like Swatch or CheckLog. [Section 9]
G - Significantly cleaned up the "sendlogs" script and added the search for RCMD files as well. [Section 9]
N - Moved the new "sendlogs" script to /usr/local/sbin [Section 9]
G - Added running the "makewhatis" program manually for new installations and if you get ERRORs running this command, there are instructions how to fix them. [Section 9]
G - Appended to the logrotate section how to fix some of the logrotate errors you might be receiving via email. [Section 9]
N - Changed the /etc/bashrc file a little to give non-root users a "green" prompt and ROOT users a "red" prompt. [Section 9]
I - Updated the IPCHAINS ruleset to v3.35 [Section 10]
N - Updated the kernel configs for the 2.2.13 and 2.0.38 kernels [Section 12]
N - reversed the kernel configs so that 2.2.13 is first and then 2.0.38 second [Section 12]
N - Added a blurb regarding that Setserial isn't really needed for modern 2.2 kernels to get 115,200. [Section 16]
N - Added a check when adding rc.serial to rc.sysinit [Section 16]
N - Cleaned up some verbiage about the /etc/aliases file [Section 18]
N - Removed the references for NetWatch. Use IPTraf instead [Section 21]
G - Updated /etc/ppp/options file to use LOCKs and to reflect the modern PPPd config file setup [Section 22]
G - Changed the formatting of this section [Section 22]
I - Integrated my old separate PPP docs into TrinityOS [Section 22]
N - Cleaned up the formatting a little and updated the example root-hints.db file [Section 24]
G - Updated the file to reflect the paths for procmail and how to do some .cf tricks via the .mc files directly.
    Thanks to for some of the tips. [Section 25]
G - Disable sendmail help in the /etc/ file. [Section 25]
G - Added xntp support in addition to getdate [Section 26]
N - Deleted the references to PPP within the NTP script [Section 26]
N - Made a clarification that this example ONLY runs on eth1 [Section 27]
G - Added the config to have DHCPd load upon boot [Section 27]
N - Updated the title of the chapter [Section 30]
N - Cleaned up a few things in the verbiage to configure SSH [Section 30]
G - Moved the "ssh" alias to /etc/bashrc [Section 30]
G - Added a whole subsection on how to do SSH tunnels with UNIX clients. It's pretty simple once you see it. [Section 30]
G - Added the "preferred master = yes" option to the /etc/smb.conf file to make the Samba box the subnet master browser. [Section 33]
N - reordered the configuration file to reflect the newer 2.0.5a format [Section 33]
G - Added the addition of the send/receive buffers to the "socket options" field [Section 33]
N - Added how to start NFS in redhat [Section 40]
I - Removed the incomplete section on "rhlupdate" and replaced it with "AutoRPM". AutoRPM is now the preferred method for update checking in TrinityOS because the old "RpmWatch" tool was not compatible with Redhat's newer WWW site layout, ONLY worked with Redhat, and it required that the WWW site be constantly updated vs. checking the FTP site itself. Please note that I'm still in the process of learning and tuning this tool, if you have comments, etc, please let me know. [Section 43]
------------------
N 11/25/99 Changed some formatting and cleaned up some light verbiage throughout.
[Sections 1-6]
------------------
N 11/24/99 - Revamped the URL section for MASQ, NAT, Load Balancing, and High availability [Section 5]
------------------
I 11/21/99 - Added a buffer overflow attack for NFS
  - Added a DoS attack notice for Syslogd [Section 60]
------------------
G 11/16/99 - Added the master Mandrake updates URL [Section 5]
N - Fixed the permissions for the /etc/info/suid-results-checked file to 600. [Section 8]
G - Added a blurb on checking for .rhosts and host.equiv files much like the SUID search. [Section 8]
I - Made several changes to the DNS config section:
    - Moved the global "allow-transfer" parameter to each zone file. This gives better granularity per zone.
    - Added the "allow-query" parameter PER zone file to restrict what internal DNS info is released to the Internet. This is somewhat like a split DNS setup but not quite.
    - Fixed the in-addr-arpa names to reflect the backwards TCP/IP address for It was something like instead of (remember, read that backwards octet for octet).
    - Added the "allow-transfer" parameter to disable slave servers from giving out DNS xfers!!
    - Doh! Missed the file for the slave section. [Section 24]
G - Added the FEATURE(masquerade_envelope) feature to the Sendmail config to better hide internal hosts. [Section 25]
G - It should be noted that I've been having a LOT of problems with the mirror sites offered by the MandrakeUpdate tool. The only reliable mechanism I've found is to edit the .mandrake-update file and use the url: mirror: This worked for me. [Section 60]
------------------
G 11/15/99 - Added the email address on how to add yourself to the BIND Announcement list. [Section 5]
*C* - All versions of BIND v8.2.2p5 are vulnerable to a ROOT attack. Upgrade your version of BIND NOW! [Section 24]
G - Added a recommendation for ALL DNS admins to subscribe to the BIND announcement list. [Section 24]
N - Moved the blurb on how to get your own Domain name and legal issues to the end of the section.
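The 11/16/99 DNS changes move allow-transfer from the global options block into each zone so that no zone, and in particular no slave zone, hands out transfers by accident. The script below is an added example (not from the TrinityOS document) of auditing for exactly that: it lists every zone block in a BIND named.conf that carries no allow-transfer statement of its own and therefore falls back to whatever the global default permits. It assumes zone blocks are written as `zone "name" { ... };` with allow-transfer inside the block, strips `//` and `#` comments but not `/* */` ones, and the named.conf it writes for the demonstration is constructed here, not a real configuration.

```shell
#!/bin/sh
# Added example (not from the TrinityOS document): list the zones in a BIND
# named.conf that carry no allow-transfer statement of their own and so fall
# back to whatever the global options block allows.  Assumes zone blocks are
# written as   zone "name" { ... };   with allow-transfer inside the block;
# "//" and "#" comments are stripped, "/* */" comments are not handled.

# audit_zone_transfers FILE -> prints one zone name per line
audit_zone_transfers() {
    sed -e 's#//.*##' -e 's/#.*//' "$1" | awk '
        # a zone header starts a block: remember its name, reset the flags
        /^[ \t]*zone[ \t]+"[^"]+"/ {
            match($0, /"[^"]+"/)
            name = substr($0, RSTART + 1, RLENGTH - 2)
            inzone = 1; depth = 0; seen = 0; hint = 0
        }
        inzone {
            if ($0 ~ /allow-transfer/) seen = 1
            if ($0 ~ /type[ \t]+hint/) hint = 1    # hint zones are never transferred
            # count braces so an inner block (masters { ... };) does not end the zone
            for (i = 1; i <= length($0); i++) {
                ch = substr($0, i, 1)
                if (ch == "{") depth++
                else if (ch == "}" && --depth == 0) {
                    if (!seen && !hint) print name
                    inzone = 0
                    break
                }
            }
        }'
}

# write_sample_named_conf FILE -> constructed sample input; only the slave
# reverse zone lacks a per-zone allow-transfer
write_sample_named_conf() {
    cat > "$1" <<'EOF'
// constructed sample, not a real configuration
options {
    directory "/var/named";
    allow-transfer { none; };          // global default only
};
zone "." {
    type hint;
    file "root.hints";
};
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.168.1.2; };   # per-zone: explicit
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.1.1; };
    file "db.192.168.1";
};
EOF
}

# stand-alone use: audit the file given as $1, or the constructed sample
if [ $# -gt 0 ]; then
    audit_zone_transfers "$1"
else
    tmp=$(mktemp -d)
    write_sample_named_conf "$tmp/named.conf"
    audit_zone_transfers "$tmp/named.conf"
    rm -rf "$tmp"
fi
```

A zone this check reports is only a problem if the global default is permissive, but listing them is still the quickest way to see which zones would start answering AXFR requests if someone later loosened the options block; an explicit per-zone statement survives that kind of edit.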
             [Section 24]
G          - Added a recommendation for ALL Sendmail admins to subscribe to
             the Sendmail announcement list.
             [Section 25]
G          - Noted the ROOT exploit to BIND in the Security hack section
             [Section 60]
------------------
G 11/13/99 - Changed the IPFWADM NON-MASQ firewall revision to 2A.97. Fixed a
             variable name typo in the non-MASQed IPFWADM BackOrifice filter.
             [Section 10]
G          - Added a line to create the empty files using the "touch" command
             for secondary DNS zone files.
             [Section 24]
------------------
G 11/07/99 - Added a little blurb at the top of where the name Trinity comes
             from.                                             * Sent Update *
             [Section 1]
N          - Updated the feature description for DNS to reflect how to apply
             for a DNS domain name.
             [Section 3]
N          - Noted that 2.2.12 is stable
N          - Added a URL to section 5 for MASQing GRE/PPTP tunnels
N          - Added a URL for AIDE, a GNU version of Tripwire.
             [Section 5]
N          - Renamed to "Thoughts on Picking a Linux Distribution"
N          - Cleaned up some verbiage
           - Updated RH to 6.1
           - Updated Caldera to 2.3
             [Section 6]
N          - Moved the search/replace section up towards the top
N          - Noted that the  is fixed in rh6.x
G          - Changed the Minicom color fix to use the MINICOM env var instead
             of an alias
N          - Noted that the "ls" color option was fixed in RH6.x
N          - Updated some of the comments to reflect if they are fixed in
             newer distros, re-arranged them for better reading, etc.
N          - Fixed the comment that tar's BZIP2 support isn't "-I" but "-y"
G          - Added /etc/ftpconversions to the TrinityOS-files archive subdir
             on my WWW site.
N          - Removed the blurb: "I've been informed that Netscape Navigator
             and Communicator rely on "rpm" to determine what version is
             installed. Unless "rpm" can be executed, Netscape will NOT run."
             as it isn't true.
             [Section 7]
G          - Added a blurb about Slackware's boot process. There was already
             a blurb for Redhat.
G          - Cleaned up the Redhat SYS-V section and added verbiage on what
             runlevels are.
G          - Updated the verbiage in the GUI notes and greatly expanded on the
             "chkconfig" section to enable/disable system daemons.
G          - Fixed a mistake where loading inetd changes was done by
             "init q". This is wrong.. you should HUP the inetd process.
             Heheh.. this is an OLD mistake!
G          - Removed the entire section about deleting lines out of
             /etc/services. Not only did this NOT give anyone more security
             but it broke a lot of things too. There ya go Andy!
             [Section 8]
N          - Deleted all references to the old "" script file. This included
             the scripts: "recycle" and "sendlogs". "" has been replaced by
             logging directly from syslog. Thanks to  for catching this.
             [Section 9]
G          - Updated the firewall flow diagram to reflect possible MASQing
             and that the OUTPUT ruleset is run after the FORWARD rule.
             Thanks to  for making me clarify this.
I          - Consolidated the weak IPFWADM and IPCHAINS MASQ rulesets into
             one. Also, I added the setup of the initial firewall policies
             and to flush any old rulesets. I also gave this weak ruleset a
             version number of 3.00. Thanks to  for the heads up.
I          - Reordered the initial ruleset to set the policies FIRST and then
             flush the rules.
I          - Updated the strong IPCHAINS ruleset to turn on IP forwarding at
             the very end. Thanks to Rob Hutton () for the thoughts above.
G          - Changed the URL to directly download the TrinityOS firewall
             ruleset file to
             [Section 10]
G          - Changed the TCP R-WIN window size from 8192 to 16384
             [Section 16]
G          - Added a pretty comprehensive blurb on how to get your own domain
             name. This covers new legal changes in the US, trademark issues,
             and how to secure changes for your domain name by evil remote
             people.
             [Section 24]
G          - Updated the SSH1 config to not allow ROOT logins too. Thanks to
             for the pointer.
             [Section 30]
------------------
N 9/26/99  - Updated the Bzip2 URL                               * Sent Update *
             [Section 5]
G          - Added a URL to Scott Gentry's Linux Dialup RAS server HOWTO
             [Section 5]
*C*        - ** Updated the IPCHAINS ruleset to fix a critical ordering
             mistake.
             ** ALL TrinityOS IPCHAINS users should at least FIX your
             ** rulesets (simply MOVE 5 lines)
             Here are the notes from the firewall comments:

             # *CRITICAL* The ordering of the ACCEPT of the HIGH PORTS
             #  in the output ruleset are WRONG!! Moved them to be AFTER
             #  all the various REJECT lines but before the final
             #  output reject.
             #
             # Several comment additions
             #
             # Changed the DGW variable to EXTGW, added the XWINDOWS_PORTS
             #  variable.
             #
             # Put a copy of the actual firewall ruleset up on the WWW site
             #  at:
             #
             [Section 10]
N          - Added a pointer for users to see Section 46's URLs in section 5
             [Section 42]
N          - Moved all TrinityOS updates 8/27/99 to 5/23/99 to the
             TrinityOS-old-updates page.
             [Section 100]
------------------
N 9/22/99  - Changed the name of Section 6 to "Advanced System Logging and
             some Cool Tips"
             [Section 2]
N          - Added the URL to the BASH HOWTO
             [Section 5]
N          - Changed the name of the section to "Advanced System Logging and
             some Cool Tips"
             [Section 6]
N          - Updated the Distributions section a little and added URLs and
             more pointers to other distros.
             [Section 6]
N          - Added a little blurb on creating more readable BASH prompts
             (coloring it).
             [Section 9]
------------------
G 9/20/99  - Updated the IPCHAINS ruleset to 3.13 to support a commented
             FORWARD rule for Diald users.
             [Section 10]
I          - I have officially announced that the IPFWADM rulesets are DEAD.
             No worries though, there are IPCHAINS patches for 2.0.x kernel
             users. With these patches in place, 2.0.x kernel users can use
             IPCHAINS. As it stands, the IPCHAINS rulesets in TrinityOS are
             much better than the IPFWADM ones.
             [Section 10]
------------------
N 9/16/99  - Added a few more search and replace items to match with the
             firewall rulesets.
             [Section 7]
           - Updated some of the IP addresses in the IPCHAINS rulesets to
             reflect the Search&Replace section of TrinityOS
             [Section 10]
------------------
N 9/15/99  - Moved the output of the various Sendlog log files to
             /etc/info/logs.
             [Section 9]
G          - Added a little section on's SMB crawler
             [Section 50]
------------------
N 9/14/99  - Fixed the IPCHAINS ruleset to use the $EXTIF variable when doing
             the dynamic EXTBROAD variable. It was hard coded to ETH1.
I          - Also added additional filtering for NetBus Pro, Win Crash,
             Socket De Troye, and the Unknown Trojan Horse (Master's Paradise
             [CHR]) trojans in the OUTPUT filter of the IPCHAINS ruleset.
             Thanks to  for both of these.
             [Section 10]
------------------
N 9/13/99  - Fixed the SSH v1 version from 1.0.27 to 1.2.27.
             [Section 5]
------------------
G 9/11/99  - I've added a whole Anti-SPAM email section. It talks about how
             to cryptic email headers, how to notify innocent spam relayers,
             and how to report careless SPAM relay sites.
             [Section 50]
N          - I moved the Security patching section from Section 50 to 60.
------------------
I 9/8/99   - Updated the IPCHAINS ruleset to enable DHCP on the external
             interface per default. This was the stated default but the
             configuration wasn't correct.
             [Section 10]
------------------
I 9/7/99   - I've finally posted a firewall ruleset that supports the HIGH
             PORT SYN/ACK checking. This helps reduce the number of high port
             attacks from the Internet since the only HIGH port traffic that
             is accepted is REPLY traffic. PLEASE NOTE that this checking is
             NOT possible for UDP traffic and some specific application
             traffic. I also fixed a few other things in the IPCHAINS
             ruleset. See the version control header of the ruleset for more
             details.                                          * Sent Update *
             ** IF YOU HAVE ANY PROBLEMS WITH THIS RULESET, PLEASE LET ME
             KNOW ASAP **
             [Section 10]
           - I also changed the order of the rulesets to make IPCHAINS the
             first one since IPFWADM support is dying and you can get
             IPCHAINS to run on 2.0.x kernels with a patch.
             [Section 10]
------------------
G 9/6/99   - Finally changed the docs to reflect the sending of real-time
             SYSLOG data to the F7 and F8 VTYs via the SYSLOG daemon itself
             and not via a re-directed "tail".
             This is the cleaner way to do this, which I've been doing for a
             WHILE but TrinityOS didn't reflect that.
             [Section 9]
------------------
G 9/5/99   - Marcio sent me a 9/3/99 PDF version of TrinityOS and I've put
             it up. Looks VERY nice! One day all TrinityOS versions will be
             this nice but be re-orged, spell checked, and updated.
*C*        - You know.. I *CAN'T* believe I didn't document this in
             TrinityOS before since I've always taken it for granted. *ALL*
             users should disable all unneeded programs in /etc/inetd.conf.
             Doh!
             [Section 8]
------------------
G 9/3/99   - As an experiment, I'm trying a TrinityOS/Linux Forum via  It
             offers a nice interface and hopefully people will want to use it
             for any Linux-related issue. Check it out and let me know what
             you think. If it isn't used much or people have issues with it,
             I will either create my own Forum tool or delete the feature
             altogether. You can get to the forum either via the main URL
             at:  Or via my main Linux WWW page.
G          - Also, "Marcio Almeida (M)" exported the 3/30/99 Word version of
             TrinityOS to .PDF. It's on the WWW site but PLEASE understand
             that the 3/30/99 version is VERY old. I promise that I'll start
             hacking away on the SGML version once the SANS book is finished.
------------------
G 9/2/99   - Recommended to change the perms on /etc/lilo.conf to 700 for
             people that use the "password" option.
             [Section 15]
N          - Moved all Updates older than 5/23/99 to
------------------
G 8/31/99  - After these waves of SPAM I've been getting, I'm getting pretty
             HARSH on spam. I just updated the /etc/aliases file to reflect
             the "abuse" alias.
             [Section 18]
           - Added another SSH-forwarding example and fixed some issues on
             my example.
             [Section 30]
------------------
G 8/30/99  - Updated the build-it script to include the System.map file and
             to cp and not mv the bzImage file to /boot.
             [Section 14]
------------------
I 8/29/99  - I finally updated ALL of my WWW pages to include both WWW
             counters and a SEARCH Engine.
             It's all outsourced (I'm too busy to do it myself) but we'll see
             how well it works out.
N          - Updated the RPM Watch URL
             [Section 5]
G          - Updated the Redhat Errata URLs for RPM Watch
             [Section 43]
------------------
N 8/27/99  - Minor changes..                                   * Sent Update *
           - I also added a change to allow internal MASQed hosts to send
             email. Doh!
             [Section 25]
------------------
N 8/26/99  - Deleted section 44 since it was integrated into section 10.
             [Section 3]
*C*        - There is a fragmentation bug in all 2.2.x Linux kernels less
             than 2.2.11 that makes strong IPCHAINS rulesets worthless.
             Because of this, it is critical that you upgrade your kernel.
             [Section 5, 10]
G          - Deleted [Section 44] and integrated it into [Section 10]
N          - Added pointers to 2.2.x people that need port forwarding to read
             the IP-MASQ-HOWTO for full details. Currently, TrinityOS only
             covers 2.0.x's IPPORTFW tool.
             [Section 11]
------------------
N 8/25/99  - Updated the TOC
*C*        - Vastly updated the Sendmail section and moved up to 8.9.3. You
             might not believe it but your domain might be an OPEN Relay
             though you -think- you FIXED it. I'm Serious.. go look at  I
             was vulnerable.
             [Section 25]
-------------------
N 8/13/99  - Removed the echo line from the NTP script so people wouldn't
             get emailed once every 15 minutes. Doh! Didn't have that on my
             box though it was in TrinityOS.
             [Section 26]
------------------
G 8/3/99   - Added a cool little trick to find out what version and what
             features were compiled into your version of Sendmail.
             [Section 25]
------------------
N 8/1/99   - Updated the distribution sections to reflect RH6, Slackware 4,
             and added a little blurb on Mandrake.
             [Section 6]
------------------
G 7/27/99  - Added the .iso, .mp3, and .asf files to the /etc/bruxpat file
             to have Bru NOT compress those types of files.
             [Section 29]
------------------
G 7/19/99  - I recently learned that BIND updates its "listening" interfaces
             every 60 seconds.
             Thus, if you bring up a PPP interface, BIND will start
             automatically answering queries on that PPP interface's IP
             address! This might not be a problem to you but I noticed that
             after the PPP link was disconnected, named was still listening
             on that IP address though it was gone. Ack! I have now
             implemented the "listen-on" option to only allow BIND to listen
             on the external interface, the internal interface (if you have
             one), and localhost.
             [Section 24]
------------------
G 7/18/99  - Updated the SSH section to make the recommendation to disable
             the ability to login as root. Users needing root privs can SU
             in.
             [Section 30]
------------------
N 7/14/99  - Removed the 2.2.x kernel config from the Future Features
             section.
             [Section 3]
G          - I never realized this but it's important to run ppp'd
             "make kernel" script before you compile the kernel so you get
             all the various compression codecs into the kernel.
             [Section 13]
G          - Added "deflate 15,15" to the /etc/ppp/options file to enable
             the Gzip-based deflate compressor for PPPd.
             [Section 22]
--------------------
G 7/13/99  - Added the build-it script to aid in the compiling and
             installation of a new kernel
             [Section 12]
N          - Updated the 2.0.x kernel config to reflect a kernel with the
             IPPORTFW and LooseUDP patches
             [Section 12]
G          - Added a 2.2.x kernel config though it applies to different
             hardware than documented in TrinityOS (the 2.2.x kernel is
             running on a Dual P-90 box)
             [Section 12]
------------------
I 7/11/99  - Fixed a typo in the IPCHAINS port that named the external
             interface's IP address variable "EXITIP" instead of the correct
             "EXTIP". The IPCHAINS ruleset is now v2.97. Thanks to  for the
             sharp eye.
             [Section 10]
------------------
N 7/7/99   - Updated the hardware section and partition tables to reflect
             that /dev/hdb died and added /dev/sdb
             [Section 3]
N          - Updated the RAID section to reflect that /dev/hdb is gone and
             replaced it with /dev/sdb
             [Section 31]
------------------
N 6/29/99  - Updated the URL for PPPd
             [Section 5]
------------------
N 6/28/99  - Changed in the "Future Feature" section the logging of the UPS
             from 10 second to 1 second increments
             [Section 3]
N          - Added to the "Future Feature" section the rotation of UPS logs
             and the deletion of "LPR" and replacing it with "LPRng".
             [Section 3]
N          - I was notified by  that the file permissions for /usr/bin/lpr
             were incorrectly set to 4750 instead of 4755 as shown in
             [Section 47]. I added a little NOTE to the changing of all the
             file permissions to let users know that the correct LPR setting
             of 4755 isn't the best for system security. The proper solution
             is to DELETE LPR and install LPRng.
             [Section 8]
N          - I removed the note in the sendlogs area about providing a
             "multi-user" version of the sendlogs script. The reason I
             removed this is because too many people were complaining of
             having things they considered important filtered out. I also
             removed this offer because I will be putting up a Perl version
             of this script that will be a lot faster, more efficient, and
             flexible in the future.
             [Section 9]
N          - I added some clarifications and copied the note from [Section 8]
             about LPR's file permissions into this section.
             [Section 47]
------------------
C* 6/24/99 - Redhat has released a new set of NFS server and client fixes.
             [Section 50]
           - Redhat has released a new nettools patch to fix security
             issues:
             [Section 50]
           - Redhat has released a new version of Talk to fix things they
             broke in RH6.
             [Section 50]
------------------
C* 6/23/99 - Redhat has released a new set of patches for KDE on RH6 to
             bring it up to final release levels and it also fixes some
             security issues.
             [Section 50]
           - Redhat has released new PHP modules for the Apache WWW server:
             [Section 50]
------------------
G 6/20/99  - Added a URL to another IPSEC HOWTO specifically for RH6
             [Section 5]
------------------
G 6/19/99  - Added to the /var/log/sendlogs scripts to also copy the master
             ls-laR and du files to another HD in case the primary HD fails.
             [Section 9]
------------------
N 6/18/99  - Changed the top header box about TrinityOS's formatting a
             little. I also cleaned up a few things in section 1. Man.. lots
             of spelling errors in there. You all are VERY tolerant of my
             spelling mistakes!
             [Section 1]
G          - Added a TrinityOS network topology diagram
             [Section 7]
I          - Redhat released 3 patches to fix some security problems with
             terminal programs in RH6. Redhat also has updated their entire
             Xwindow package for problem fixes for the font server, race
             conditions, ISO-8859 char conflicts, No Xauth authentication
             (ack!), and backspace keymapping issues
             [Section 50]
------------------
N 6/14/99  - There was a typo in the replace section of "External IP
             network" for the master search/replace key for TrinityOS.
             [Section 7]
------------------
G 6/12/99  - Removed the IPCHAINS line from the Future Features section.
                                                               * Sent Update *
             [Section 3]
I          - Finally added the IPCHAINS strong firewall ruleset to
             TrinityOS! This is based off David Cittadini's port of
             TrinityOS's IPFWADM ruleset
             [Section 10]
I          - Updated the MASQ and non-MASQ IPFWADM and IPCHAINS rulesets to
             v2.96
             --
             - Added blurbs and scripts in the EXTIP, EXTBROAD, and DGW
               variable areas that DHCP users should use "dhcpcd" with the
               -c option to re-run the ruleset upon lease renews. It is also
               mentioned that both DHCP and PPP users need to get their
               EXTBROAD and DGW addresses dynamically.
             - Changed the debug system to re-create the debug log each time
               (removed one of the >'s at the top of the debug setup)
             --
             [Section 10]
I          - Redhat has released a fix for RH6 for killing stray processes
             after a user was disconnected.
             [Section 50]
I          - More fixes to the POP-3 protocol
             [Section 50]
N          - Moved all ChangeLog entries older than 5/05/99 to the archive.
             [Section 100]
------------------
N 6/6/99   - Updated the firewall rulesets to v2.95 that added a /0 netmask
             to an already implicit OUTPUT deny. Good for consistency though.
             Also, there were a few INPUT rules that DENYed instead of
             REJECTed traffic for spoofed traffic, etc. Fixed. I also noted
             that the automatic $extbroad variable will only be properly set
             if you have a typical netmask. If you don't, you'll have to
             statically define it vs. use the automatic method. Thanks to
             for the sharp eye.
             [Section 10]
------------------
I 6/4/99   - Redhat has updated its kernels on 6.0 for DoS attacks.
             [Section 50]
------------------
I 6/1/99   - SSH is now at 1.2.13 and 2.0.13. It's important to update.
             [Section 30]
N          - There is a Y2K issue in the included "timetool" program. It's
             not an issue for TrinityOS since I use Getdate but it should be
             noted
N          - There is a problem with the Apache module for Perl CGIs.
             [Section 50]
------------------
N 5/27/99  - Fixed a typo in the path to the logit script
             [Section 9]
------------------
N 5/25/99  - Added Bzip2 to the URL section
             [Section 3 - URLs]
------------------
N 5/23/99  - I've been told that changing the permissions of rpm to 700 will
             break Netscape on some versions of Redhat 5.2 w/ Gnome.
             Evidently, Netscape's binary or wrapper (not sure which yet)
             uses RPM to get the version number before starting up. Lovely
             huh?
             [Section 7]
------------------
N 5/21/99  - Added the URL for the SSL-encrypted Apache WWW server. Also
             updated the IPCHAINS section with a new backup URL to Juanjo's
             site.                                             * Sent Update *
             [Section 5 - URLs]
N          - Added a little newbie clarification note that the 1, 2, 9, and
             10 numbers in the 192.168.0.db file are the IP addresses of the
             internal machines.
             [Section 24 - Named]
G          - Fixed a path problem with the M4 compiling in the Sendmail
             section
             [Section 25 - Sendmail]
I          - I didn't realize that my NTP update script for Redhat would
             spam root every fifteen minutes (the one I use doesn't). So,
             I've fixed that and I changed the hardware clock update string
             from "clock -w" to "clock --systohc"
             [Section 26]
N          - Added the note that users can install either the standard or
             SSL-encrypted versions of Apache
             [Section 37 - Apache]
N          - Fixed a typo in the Redhat section where I was editing
             /etc/crontabs instead of the correct filename /etc/crontab.
             [Section 41]
             Thanks to  and  for the sharp eyes!
------------------
N 5/12/99  - Updated the Table of Contents to reflect the use of PPP for
             both PRIMARY and BACKUP links.
             [Section 2]
           - Updated the Features list to reflect the PPP section supporting
             both primary and backup connections.
             [Section 3]
N          - Added a 2GB IBM Ultrastar SCSI HD to the system. I also lost
             the WD 1.2GB drive a SECOND time. Nice that it has a 5 yr
             warranty but this is silly! Thank GOD for backups!
             [Section 4]
G          - Added the /usr/local/sbin/recycle script to stop the output
             from the "logit" script but restore the TTY logging.
             [Section 8]
N          - Moved the /root/logit script to /usr/local/sbin
             [Section 8]
N          - Moved the file permissions stuff to its own little sub-section
             and described what they are for.
             [Section 8]
I          - Moved the SUID section and the command line now outputs to
             /etc/info/suid-results. Once reviewed, the file should be
             renamed to /etc/info/suid-results-reviewed. This file is then
             used by the /var/log/sendlogs file to make sure that no new
             SUID files have been added to the system!
             [Section 8]
G          - Added a "ls -laR" and "du" listing of the entire system to
             /etc/info from the /var/log/sendlogs script. These lists prove
             to be invaluable if you lose a disk or data and weren't sure
             what you might have lost!
[Section 9] G Added my "dmesg copy" rc.local hint so that when your Linux box's output of "dmesg" is worthless due to kernel logging junk, you'll have a copy in /etc/info/dmesg [Section 9] I Added a SUID checker to the /var/log/sendlogs script to check the filesystem for any new/changed SUID files. This is a very nice feature but you need to follow the changes I made today in [Section 8] for this to work. [Section 9] G Noted that TrinityOS currently only covers the IPFWADM firewall ruleset. But.. I DO have a IPCHAINS port for the TrinityOS rulesets. Until I integrate them into TrinityOS, feel free to email me for a copy. I also noted that the new IP-MASQ-HOWTO covers IPCHAINS in detail. [Section 10] G Clarified that there ARE simple IPCHAINS rules for IP Masqurading in [Section 44]. This will be integrated into Section 10 with teh SGML port of TrinityOS. [Section 10] G Noted that TrinityOS currently only covers the 2.0.x kernels. I DO have 2.2.x kernel configs for TrinityOS. Until I integrate then into TrinityOS, feel free to email me for a copy. [Section 12] G Added the configuration to to establish a currently MANUAL BACKUP ppp link for any permanent linked users (ADSL, Cablemodems, etc). This includes a short but strong IPFWADM ruleset to enable enable the PPP0 link as a temporary backup link while remaining secure. Once I receive my ISDN line, I plan on adding the configurations on how to do this backup link in a AUTOMATIC fashion based upon specific network connectivity criteria. [Section 22] ------------------ N 5/11/99 Updated the /etc/rc.d/rc.cdrom script to allow the mount/unmount'ing of individual CDs. [Section 32 - CD-ROM changer] ------------------ N 5/10/99 Added PGP/GPG to the Future Feature section [Section 3 - Future Features] I Added a little blurb in the DNS section on how it is important to do all your domain changes, etc to the Internic with PGP or at least CRYPT-PW. 
             [Section 24 - DNS]
G          - Changed the configs so the CD-ROM changer mounts all
             CDROM-changer CDs under a subdirectory (~hpe/CDROMs/CdromX).
             This is important because Samba would re-scan all the CDs about
             every 30 minutes. This was a pain.
             [Section 29 - BRU - don't backup the CDROMs from the new path]
             [Section 32 - CD Changer - Mount the CDs to a new sub-directory]
             [Section 33 - Samba - Don't do locking on the CDROMs]
------------------
N 5/09/99  - Updated the IP MASQ email list address
             [Section 5]
------------------
C* 5/08/99 - Added a compatibility report about some security options I
             added to the /etc/ file. Some of these options might create
             problems with other broken SMTP servers out on the Internet.
             [Section 25]
------------------
G 5/06/99  - Fixed the chmod'ing of the wrong file of
             /etc/cron.daily/sendlogs to the correct
             /etc/cron.daily/a-sendlogs. Thanks to  for this one
             [Section 8]
I          - Added a new section called "Common Observations, Q&A, etc" with
             common questions, problems, etc.
             [Section 99]
------------------
C* 5/05/99 - There is a new exploit out on Bugtraq for Wu-FTPd. Since Redhat
             hasn't updated their RPMs, you need to do it yourself.
                                                               * Sent Update *
             [Section 100]
I 5/03/99  - Noted a /etc/shadow fix for Caldera users
             [Section 100]
------------------
I 5/02/99  - Updated the IPFWADM ruleset to v2.94
             # v2A.94 - Added explicit INPUT filters for NFS and OUTPUT
             #          filters for Mountd and RPC
             [Section 10]
I          - Disabled VRFY and EXPN in sendmail to secure Sendmail up a bit
             better.
             [Section 25]
------------------
I 4/26/99  - Added a little blurb on what Samba is all about
             [Section 33]
           - Doh! Updated the /etc/smb.conf file to use ENCRYPTED passwords!
             I use encrypted passwords now and the section already documented
             how to set them up but the smb.conf file wasn't configured to
             use it. Thanks to  for this observation!
             [Section 33]
------------------
N 4/25/99  - Added the RFC URLs for DHCP
             [Section 5]
           - Added a little blurb on what BOOTP/DHCP is.
             [Section 27]
------------------
C* 4/19/99 - Installed (3) new RPMs for security stuff
             [Section 50]
------------------
G 4/14/99  - Updated the APCUPSD URL
             [Section 5]
G          - Updated the Samba URLs and added URLs for the Abacus, Network
             Flight Recorder (NFR), and SHADOW network monitoring tools.
             [Section 5]
G          - Changed to a recursive chmod 700 to the /etc/rc.d/init.d dir
             [Section 7]
G          - Added the note that root and user passwords should include
             special characters [ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ] in
             addition to the normal upper and lowercase letters and numbers.
             [Section 8]
N          - Noted that some security paranoid people DELETE all unused
             lines out of /etc/services instead of #ing the lines out.
             [Section 8]
N          - Added /etc/hosts.allow examples for more granular access
             restrictions to remote hosts.
             [Section 8]
G          - Made a big clarification that when you use Secure CRT for SSH
             port forwarding, you must re-configure the given to-be-SSHed
             client, say Eudora for POP-3 email, to connect to IP  and NOT
             the normal POP-3 server.
             [Section 30]
I          - Added a little blurb that Brad wrote about issues when trying to
             figure out if your box has been hacked. This is a good little
             read.
             [Section 46]
N          - Noted that users should be careful where they download their
             source code, RPMs, etc. I cited the example where  was hacked
             and had a trojaned version of TCP-wrappers there. Ack!
             [Section 50]
I          - I want to thank Bradley M Alexander for all of these great
             editorial comments to TrinityOS and for his port of TrinityOS
             to MS Word.
------------------
N 4/12/99  - It's been pointed out to me that the recent
             sysklogd-1.3-26.i386.rpm RPM from Redhat has a little bug. It
             seems that upon system shutdown, you will see:

                Shutting down system loggers: klog:306(PID) syslogd:294(PID)
                no such pid

             The previous sysklogd-1.3-25.i386.rpm doesn't exhibit this
             behavior. I don't think this is any big issue but I thought you
             might like to know.
             [Section 50]
G          - Brad Alexander has ported TrinityOS v.3/31/99 to Microsoft
             Word.
             Though this isn't the newest version of TrinityOS, this should
             help a lot of people who have been complaining about TrinityOS's
             formatting. This should go a ways while I complete the TrinityOS
             port to SGML. You can find this Word port on my main Linux WWW
             page.
------------------
N 04/07/99 - Added to the Future Feature section the automation of the
             firewall hits trending file.
             [Section 3]
G          - Added Kurt Seifried's "Linux Administrators Security Guide"
             (LASG) URL
             [Section 5]
N          - Added the option to disable floppy WRITE access and even the
             drive altogether for the truly paranoid
             [Section 8]
I          - Added a little blurb on the importance of creating a little
             offline firewall hits log on: who, when, and how people are
             either probing or fully attacking you. This is an important
             thing for sys admins. I later hope to automate this.
             [Section 9]
G          - Added the password option to LILO so that unless the password
             is given a hacker cannot alter its booting procedure.
             [Section 15]
N          - A user noted that Slackware comes with "netdate" which is very
             similar to my documented "Getdate" but since it's only for
             Slackware, I've left the NTP section as it is but I have noted
             this in the section.
             [Section 26]
N          - Added a recommendation to the truly paranoid that you can
             convert DHCPd to run in a CHROOT'ed way. This is documented in
             Kurt Seifried's "Linux Administrators Security Guide" (LASG).
             The URL was added to Section 5.
             [Section 27]
------------------
N 03/31/99 - Fixed a typo in the ssh2_config referencing "sshd1path" and not
             the correct "ssh1path"
             [Section 30]
------------------
G 03/30/99 - Updated the security blurb to have initial connections only
             prompt with "Login:" instead of also showing the Linux kernel
             version.
             [Section 9]
C*         - Added (4) Security patches for Redhat.
             [Section 50]
------------------
C* 03/28/99 - There is a new XFree86 /tmp race condition. Apply the
             workaround until there is a new XFree version. I've also noted
             this sticky bit recommendation at the end of Section 8.
             [Section 50]
------------------
N 03/27/99 - Doh! Though my basic and strong firewalls use REJECT in the
             explicit deny statements, the default policies were DENY. I've
             changed it to REJECT.
             [Section 10]
------------------
N 03/24/99 - After some recent experimentation, I found that the Probe
             Multi-LUN support for my SCSI CD-changer was breaking things so
             I pulled it out of the kernel config
             [Section 12 - kernel setup]
N          - Like above, I added a blurb on what the Multi-LUN option does
             in the kernel and made the recommendation to try your changer
             WITHOUT this option initially and then to try it out if needed.
             [Section 32 - CD Changers]
------------------
I 03/20/99 - There is a security vulnerability in Netscape 4.5's "talkback".
             Netscape 4.51 doesn't have this tool.             * Sent Update *
             [Section 50 - Security]
I          - There is a SuSE security issue with /proc/kmem
             [Section 50 - Security]
N          - Moved all Updates older than 2/13/99 to the old-updates file
             shown above.
             [Section 100 - Updates]
------------------
I 03/13/99 - Noted that IPPORTFW FTP traffic to internal MASQ servers is NOT
             possible with a stock kernel. It is also mentioned that many
             Internet games (BattleZone, etc) do NOT work properly behind a
             stock MASQ server. Fortunately, there are new patches (FTP,
             LooseUDP, etc) to fix these issues. Though these patch
             installations aren't covered in TrinityOS, the new IP-MASQ-HOWTO
             I wrote does cover all this. The URLs for the IP MASQ WWW site
             are in [Section 5]
             [Section 11]
G          - Added a blurb in this section to note to users that they need
             to edit this script to reflect their installed version of
             Redhat. I also noted that it's good to see the other patches for
             newer Redhat distributions but installing them on older
             distributions might do BAD things. Check it out.
N          - I also added a request that if any users know of similar tools
             for Debian, Caldera, SuSe, etc. to please email me.
N          - Lastly, I changed the echo statement at the end of the script
             to put a few CR/LFs in the output to make it cleaner.
             [Section 43 - RPM notifier]
------------------
N 3/11/99  - Updated the shadow file conversion section a little to make it
             more straightforward.
             [Section 8 - security]
------------------
N 3/9/99   - Welp, the Conner 540MB SCSI (ID #5) drive died and also I
             finally removed the dead Panasonic-based CD-ROM drive. I've
             reflected these changes in the hardware setup section. I also
             changed the partition setup for /dev/hdd since it wasn't using
             all of the HD.
             [Section 4 - hardware]
N          - Added a little blurb to tell users that they should use SSH
             tunnels when getting POP-3 email, FTP, etc. due to
             username/passwords going over the Internet in cleartext.
             [Section 28 - POP3 email]
I          - Well, I blew it. Though I mentioned it before, BRU should have
             its /etc/brutab file configured so the capacity of the tape
             drive is set to "0MT". This is to allow compression to run fully
             and have the drive only stop when the tape physically ends. Doh!
             I also added the "export BRUMAXWARNINGS=20000" variable to the
             scripts so BRU wouldn't stop after only 1000 messages. I also
             added the "bru-restore" script
             [Section 29 - Backups]
I          - Updated the SSH blurb on why it is important and why users
             should also use SSH to do port forwarding to secure their POP3,
             FTP, etc. traffic. I also made the clarification with the
             /etc/profile SSH alias that the user will need to logout and
             re-login for the alias to take effect. I also added to the
             SecureCRT setup how to support SSH-encrypted POP-3 and FTP
             connections.
             [Section 30 - SSH]
N          - Updated the /etc/rc.d/ script to reflect the removal of the
             failed Conner 540MB drive [ID#5] (/dev/sdc). I also put in
             explicit paths for the mdadd, mdrun, mount, and umount commands.
             [Section 31 - RAID]
------------------
N 3/8/99   - Added the URL for the updated Satan program now called Saint.
             [Section 5 - URLs]
------------------
N 3/7/99   - Clarified the running of the new SSH server if you already have
             a SSHv1 server running.
            [Section 30 - SSH]
------------------
N 3/6/99    Added a little blurb on the SuSE distribution and a recommendation for users to try out a few distributions before they make a final decision.
            [Section 6 - Distributions]
N           Added some more explanation on what to do with the SUID ROOT files on your system.
            [Section 8 - Security]
G           Added instructions on how to hide the name and version of Sendmail on port 25 to slightly aid in security.
            [Section 25 - Sendmail]
N           Made a few clarifications to the setup of SSHv2.
            [Section 30 - SSH]
------------------
N 3/5/99    Added another benchmark blurb to the top of the IPSEC intro.
            [Section 48 - SWAN IPSEC]
C*          One security issue for SuSE users with GNUplot installed.
            [Section 50 - Security]
------------------
N 3/3/99    Fixed a few old kernel version typos in the kernel versions.
            [Section 11 - Kernel compile]
N           Made changes to the final /etc/ file to hide Sendmail's banner.
            [Section 25 - Sendmail]
G           Fixed a few typos in Sendmail version separators.
            [Section 25 - Sendmail]
------------------
N 02/25/99  Added the DHCP URLs.
            [Section 5 - URL map]
G           Added some corrections and clarifications to the SWAN instructions.
            [Section 48 - IPSEC VPN]
------------------
N 02/24/99  Fixed a typo where I said adding a # to the "root" line in /etc/ftpusers "disabled" root FTP access. Doh! I was up too late I guess. It's the exact OPPOSITE here.
            [Section 8 - Initial Security]
G           Added a "Debugging / Monitoring your firewall" section just below the description of how firewalls work that completely breaks down and describes what an IPFWADM or IPCHAINS log entry means.
            [Section 10]
N           Added some more interoperability news for the SWAN IPSEC code.
            [Section 48 - VPNs]
------------------
G 02/23/99  Moved the ROOT login disable recommendations for FTP, TELNET, and SSH to Section 8.
            [Section 5 - URL map]
N           Added the recommendation and rationale to put all new source code, RPMs, etc. in /usr/src/archive.
            [Section 5 - URL map]
N           Re-laid out the URLs for all the IP MASQ stuff.
            [Section 5 - URL map]
G           Added the recommendation to address internal machines via RFC-1918.
            [Section 7]
G           Added the internal IP network, IP address, gateway IP, broadcast IP, and external IP network to the Search/Replace section.
            [Section 7]
G           Moved and updated the disabling of ROOT logins for FTP and TELNET from Section 5.
            [Section 8]
G           Fixed the firewall debugging lines in both the MASQ and NON-MASQed rulesets where they were overwriting the previous output.
            [Section 10]
G           Clarified and added some stuff to let users know that if they want to support both SSHv1 and SSHv2, the user will have to FIRST install SSHv1 and then install the SSHv2 server code. No worries.. it's VERY simple.
            [Section 30]
N           Moved all the IPCHAINS specific and stateful-inspection URLs to Section 5.
            [Section 44]
G           Made the recommendation to put all new software including source code, RPMs, etc. in /usr/src/archive as described in [Section 5].
            [Section 50]
G           Downgraded the 2/17/99 Inetd issue from CRITICAL to important. This is actually a feature and doesn't directly pose any real security threat though I still don't like user copies of INETd. The same goes for user CRON jobs.
            [Section 100 - Changelog]
------------------
G 02/22/99  I think adding the name of the section in the various Changelog entries makes things more readable. What do you think?   * Sent Update *
            [ Section ? - Add the section's description here]
            Added the SWAN / IPSEC URLs to the master URL Section.
            [Section 5 - Software download map]
            Added the Swan homepage URL and fixed some typos.
            [Section 48 - IPSEC VPNs]
------------------
G 02/21/99  Wow.. totally left these sections out of the table of contents:
            Section 46 - So you think you are being hacked.. Confirm it!
            Section 47 - UNIX and Samba Printing
            Section 48 - SWAN / IPSEC VPN
            [Section 2]
N           Updated the hardware to reflect an Epson Stylus 500 Color ink jet.
            [Section 4]
N           Added the Distribution-HOWTO to the Picking a distribution section.
            [Section 6]
I           I made a mistake in the new permission changes that broke Unix and Samba printing. Do the following to get printing working again:
                chmod 4750 /usr/bin/lpr
            [Section 8]
N           Added the Epson ink jet printer to the Samba section.
            [Section 33]
N           Added the Epson printer and cleaned up a few things in the UNIX and Samba printing section.
            [Section 47]
I           Though I haven't tested all this yet, I've had a few users report back that it works well. So, with this, I've now added the full instructions on how to get an IPSEC VPN running between Linux machines and even to other Cisco, Axent, etc. devices as well!
            [Section 48]
C*          Changed the perms of ZGV to 0500 due to a root exploit.
            [Section 50]
------------------
G 02/19/99  Added a "Future Feature" of graphing the APCUPSd logs with Gnuplot.
            [Section 3]
            Added two good little scripts for bru:
                /usr/local/sbin/bru-viewtape
                /usr/local/sbin/bru-find-changes
            [Section 29]
G           I've removed the Redhat Errata list since it was out of date and you can just as easily get all this information from the "Automatic RPM notifier" from [Section 43].
            [Section 50]
C*          Added the lsof-4.40-1.i386.rpm to fix a security issue.
            [Section 50]
------------------
N 02/18/99  Added a Future Feature to implement external 10.x.x.x and 172.16-31.x.x filtering.
            [Section 3]
N           Added alias settings to /etc/profile to let Minicom and "ls" run in color.
            [Section 7]
I           Added a little blurb in the "how a firewall works" section on why I prefer REJECT rules vs. DENY rules.
------------------
I 02/17/99  I found that ANY user can load a copy of Inetd. This is VERY bad. So, while I was fixing that, I found and changed the permissions of -66- other programs.
            (at the bottom of this section)
            [Section 8]
I           Updated the MASQ and NON-MASQ firewall to v2.93:
            # v2A.93 - Added explicit OUTPUT filters for the BackOrifice and NetBus Windows trojans
            [Section 10]
I           Fixed the permissions of APCUPSD to not allow other users to start APCUPSD.
            [Section 36]
C*          There is a root exploit against /usr/sbin/lsof. Change its perms to 755.
            [Section 50]
------------------
N 02/16/99  Posted a URL for the new 0.98 Diald code that is maintained under a new author.
            [Section 5]
I           Added the "free" output and changed the "ps" output to "ps aux" in the nightly Sendlogs cron script.
            [Section 9]
G           Posted some URLs at the bottom of this section for code that is required for users upgrading to the 2.2.x kernels.
            [Section 12]
N           Cleaned up and noted that Diald has a new maintainer.
            [Section 23]
------------------
G 02/15/99  Added a little NOTE in the sendlog section to tell any users that run a true multi-user Linux box that I have a slightly altered version of the log parser that cuts out a lot of the redundant log info.
            [Section 9]
*C          Noted a root exploit in Debian's "Super" program.
            [Section 50]
------------------
N 02/13/99  Added the "CRITICALITY" feature to the TrinityOS featureset.   * Sent Update *
            [Section 3]
G           Added a new "Future Feature" to:
            - Add a WATCHDOG to the rc.firewall ruleset so that if you make an error in the firewall ruleset, a backup ruleset will be automatically loaded to restore connectivity.
            [Section 3]
N           Updated Juanjo's URL for the IPCHAINS port forwarders.
            [Section 5]
I           Updated the MASQ and non-MASQ rc.firewall rules:
            v2.92 - Moved the default policy settings and INPUT/OUTPUT/FORWARD flush from the top of each section to the top of the entire ruleset. This tip came from
            [Section 10]
G           Added an optional line in PPPd's IP-UP script to use getdate to do an NTP time re-sync. Good idea from
            [Section 22]
I           Added a little blurb on what SSH is.
            I've also updated the SSH instructions for SSH Version 2 with support for compatibility mode back to version 1.
            [Section 30]
N           Fixed a typo in the Samba section, missing an "s" in "bind interfaces only = true".
            [Section 33]
            Added the "TrinityOS CRITICALITY" list and CHANGELOG "key" to help users track what changes in TrinityOS are important and not so important.
            [Section 100]
------------------
*C 02/12/99 # v2A.91 - Added more firewall DENY rules to stop Xwindows ports 6001-6007
            [Section 10]
------------------
N 02/11/99  Placed short header names in each [Section] name. Makes topics easier to find.   * Sent Update *
            [Section 2]
G           Added the note that there is now a description of how packet and statefully inspected firewalls work.
            [Section 3]
N           Changed the "Future Features" section to group similar tasks, i.e. Networking, hardware, etc. Also added a future feature to do more GUI help.
            [Section 3]
N           Added a backup URL for IPCHAINS' IPmasqadm since Juanjo's main ML.ORG site is now 404.
            [Section 5]
I           Indented all the Security URLs and added links to L0pht, Rootshell, etc. URLs.
            [Section 5]
G           Updated the "How firewalls work" flow diagram to include the FORWARDING rule.
            [Section 10]
G           Added a little blurb on what the differences are between how packet and statefully inspected firewalls work.
            [Section 10]
*C          Doh! The explicit OUTPUT firewall ruleset was matching the wrong ports for the MASQ and NON-MASQ strong ruleset! This isn't a super huge issue but it IS sloppy!!! For example:
            From: /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D $securehost/32 ftp ftp-data ssh pop-3 $unprivports
            To:   /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 ftp ftp-data ssh -D $securehost/32 $unprivports
            [Section 10]
N           Fixed the DHCP rules to reflect the port names of "bootps" and "bootpc" vs. ports 67 and 68. Makes things more readable.
            [Section 10]
N           Made sure the /etc/services file has:
            --
            bootps 67/udp # bootp server
            bootpc 68/udp # bootp client
            --
            [Section 27]
*C          Recently found out on the BRU mailing list that when you use BRU's software compression or your tape drive's hardware compression, you should set the tape drive's capacity setting to "0"!
            [Section 29]
*C          Added a little section on how to test Bru's tape backups. * VERY IMPORTANT *
            [Section 29]
I           Under the RPM testing section, added another RPM test with a double -vv to really look at a given RPM.
            [Section 50]
*C          Made Lynx permissions recommendations for Lynx users running older versions than 2.8.1.
            [Section 50]
*C          Noted that though not included in Slackware or Redhat, the ProFTPd daemon included with Debian Linux is vulnerable to the same FTP root exploit that Wu-ftpd is vulnerable to.
            [Section 50]
------------------
G 02/10/99  Updated the Feature Sets to reflect the support of multiple Internet domains on one box for DNS and EMAIL.
            [Section 3]
I           Changed the default permissions on Redhat's /bin/rpm from 755 to 700. Normal end users shouldn't have access to something like this.
            [Section 7]
I           Clarified that users should ADD the specific lines to the /etc/syslog.conf file and not replace the existing file.
            [Section 9]
N           Added both a Slackware and Redhat version of the /root/logit script.
            [Section 9]
N           Cleaned up the "supporting more than one Internet DNS Domain" section and fixed some formatting issues.
            [Section 24]
N           Cleaned up the "supporting more than one Internet Email Domain" section and fixed some formatting issues.
            [Section 25]
I           Moved the RPM installation pre-installation tests to [Section 50] since you should follow these simple recommendations EVERY TIME before you install an RPM.
            [Section 25]
I           Upgraded the "run-rpmwatch" script to v1.1. This added "rm -f rh-errata.txt" to the end of the script to clean up the loose tmp files.
            [Section 43]
I           Moved from [Section 25] a pre-RPM TEST list to make sure that the user is aware of any files that will be overwritten/DELETED, etc.
            [Section 50]
*C          Installed an RPM to fix security: wu-ftpd-2.4.2b18-2.1.i386.rpm
            [Section 50]
------------------
N 02/09/99  Added a few Future Feature sets:
            - Mail Backup: Setup MX email backup
            - IPv6: Configure and setup IPv6 and possibly setup an IPv6 tunnel via the 6Bone
            - Dial Backup: Add analog modem dial backup when the ADSL/Cablemodem goes down
            - CODA: Replace NFS support with CODA
            - Implement a new 2.2.x kernel
            [Section 3]
G           Added a very detailed description and diagram of how any TCP/IP packet firewall (including IPFWADM and IPCHAINS) operates.
            [Section 10]
N           Cleaned up the area between the MASQ vs. NON-MASQ rc.firewall rulesets.
            [Section 10]
I           Updated the MASQ and NON-MASQ rc.firewall to v2.90 - Changed the default policy for INPUT/OUTPUT/FORWARD from DENY to REJECT. This is actually just a semantic issue since I was REJECTing all non-allowed packets at the end of each INPUT, OUTPUT, and FORWARD section.
            [Section 10]
G           Detailed out how to support multiple Internet domain names from one DNS server. Simple!
            [Section 24]
G           Added a note that if you are going to support email for multiple Internet domains on this one box, you need to add those domain names to the /etc/ file.
            [Section 25]
N           Added a rough tape drive benchmark output in the /usr/local/sbin/bru-fullbackup file.
            [Section 29]
N           Moved a bunch of old Updates to the old Updates URL given at the top of this section.
            [Section 100]
------------------
I 02/08/99  Updated the "ssh" profile to include the -C and -P options to enable compression and to disable rsh (tcp ports > 1024) support. This would break the ability to SSH out of the rc.firewall ruleset.
            [Section 30]
------------------
N 02/07/99  Updated the MASQ and NON-MASQ rc.firewall to v2.80 - Clarified the input/output rules for HTTP to use the -W interface option and added a #ed out rule for allowing HTTP traffic directly to the Linux box from the Internet.
            [Section 10]
------------------
N 02/04/99  Fixed a typo from /var/adm/ to /var/log/.
            [Section 9]
------------------
N 02/03/99  Added a Linux Gazette URL for more distribution discussions.   * Sent Update *
            [Section 6]
------------------
N 02/02/99  Added IP multicast and a comment to the rc.firewall scripts. Though it was in the simple rc.firewall script, it was missing from the strong version. Doh!
            [Section 10]
I           Caught a serious typo: -V CANNOT have a subnet mask appended to it. Though this is inconsistent with the other commands, this has been confirmed. Thanks to for catching this.
            [Section 10]
N           Added an example /etc/brutab file for configuring Bru.
            [Section 29]
------------------
I 02/01/99  Added a little section to make sure that nothing has been added to the cron file that you don't want to run.
            [Section 8]
N           Added a few little intro blurbs on what SYSLOG and LOGROTATE are.
            [Section 9]
I           Added the "w" output to the sendlog's "vitals" output.
            [Section 9]
N           In the rc.firewall rulesets, redirected the debugging info to /tmp/rc.firewall.dump.
            [Section 10]
*C          Doh! Fixed a script mistake that updated the root.hints.db file for Bind!
            Was: if [ `grep -c SERVFAIL /var/named/` = 1 || `grep -c ROOT-SERVERS /var/named/` = 0]
            Now: if [ `grep -c SERVFAIL /var/named/` = 1 ] || [ `grep -c ROOT-SERVERS /var/named/` = 0]
            [Section 24]
------------------
I 01/30/99  Added the TZ variable to the /etc/profile for Rh5.2 users. Why isn't it preset?!?!
N           Deleted extra maillog entry in /etc/syslog.conf for RH users.
            It's there by default.
            [Section 9]
------------------
N 01/29/99  Updated the URL for the Get-date program.
            [Section 5]
------------------
G 01/28/99  MASQ and NON-MASQ rc.firewall: Added commented-out debugging echo statements right after the environment vars to help users fix their rc.firewalls.
N           NON-MASQ rc.firewall: Deleted the unused $intif, $intip, and $intnet environment vars.
            [Section 10]
N           Started a format addition that will be phased into ALL sections of TrinityOS. Specifically, the backup section now has a "prerequisites" section that states what is assumed, files that will be created/edited/etc. Hopefully this will make TrinityOS easier for the newbie.
            [Section 29]
------------------
N 01/27/99  Fixed the year in the top header. Doh!
            [Section 1]
N           Updated the IP MASQ WWW URL.
            [Section 5]
N           Fixed a spelling mistake.
            [Section 10]
N           Cleaned up and reminded MASQ users to not use just the simple IPFWADM ruleset. I recommend that ALL users use a strong firewall ruleset.
            [Section 10]
N           Updated the Internic pricing for registering a domain from $75/2yrs to $70/2yrs.
            [Section 24]
            Thanks to for all the comments!
------------------
C* 01/26/99 Updated the MASQ and NON-MASQ rc.firewall to v2.65 and v2A.65
            - Removed the /32 bit subnet mask from the intip, dgw, secondarydns, and securehost variables and manually placed them back within the rulesets themselves. This is for users who use DHCP and/or PPP that wouldn't get the correct netmask. Also, the netmask built into these variables would break the IPPORTFW section.
I           - Added the LOOPBACK variable for better readability.
N           - Cleaned the comment sections a little.
            [Section 10]
------------------
N 01/24/99  Added a line towards the end of the run-rpmwatch script to remind the user of a good Errata mirror site.
            [Section 43]
------------------
I 01/23/99  Added IPFWADM rulesets for both the MASQ and Non-MASQ firewalls to accept DHCP IP addressing from the external interface.
            [Section 10]
N           Updated the DHCPcd section to remind the user to un-# out the "DHCP client" ruleset in [Section 10].
            [Section 25]
------------------
N 01/22/99  Clarified the DHCP statements in the rc.firewall line to reflect that they are for SERVING DHCP addresses and not GETTING a DHCP address.
            [Section 10]
------------------
I 01/21/99  Corrected an elusive typo for ip_forward.
            [Section 10]
G           Added a whole little section on how to test and check possibly questionable RPMs from the /contrib directories.
*C          Upgraded to Sendmail v8.9.2 and made the required changes to the 8.9.x config files. The new configs also support anti-spam stuff using the Realtime Blackhole List.
            [Section 25]
------------------
I 01/20/99  Clarified the need for users to change the IP addresses and internal/external interface names in the rc.firewall script.
            [Section 10]
------------------
I 01/19/99  Corrected the vars passed to PPPd as
            [Section 10]
------------------
N 01/15/99  Changed the MASQ and NON-MASQ IPFWADM firewall version to v2.50.
            [Section 10]
I           Cleaned up (split up) the explicit INPUT section for internal and external hosts.
            [Section 10]
-retracted- Added a /32 mask to the intip, extip, dgw, secondarydns, and securehost variables. Also deleted a few explicit and possibly incorrect /24 and /32 bit masks within the IPFWADM ruleset.
            [Section 10]
N           Cleaned up the IPPORTFW area to use all environment vars and added the $portfwip var.
            [Section 10]
N           Deleted a duplicate line for the "outgoing from local net on remote interface, stuffed masquerading, deny" ruleset.
            [Section 10]
N           Deleted an errored IPFWADM line that was already #ed out to allow in ALL incoming traffic. Thanks to for all of these points!
            [Section 10]
N           Added a version number to the run-rpmwatch script.
            [Section 43]
I           Added rpm-watch to a weekly CRON job.
            [Section 43]
------------------
I 01/14/99  Changed the MASQ UDP timeout back to 60 seconds and made the recommendation to ICQ users to change their ICQ Firewall settings to a timeout of 30 seconds.
            [Section 10]
I           Added the IDE HD performance optimization section.
            [Section 49]
------------------
01/13/99    Added the "logit" script to aid in real-time troubleshooting.   * Sent Update *
            [Section 9]
            Added a note to move the loading of SSHd higher up in the rc.local file to speed up reboots.
            [Section 30]
            Added the (no_root_squash) and (ro,nosuid,noexec) NFS examples for more NFS ideas and security.
            [Section 40]
01/12/99    Corrected the Contents page to reflect that Samba does both File and Print sharing.
            Added [Section 47] for UNIX (and thus Samba) Printing.
            Added [Section 48] for SWAN / IP-SEC VPNs [not completed].
            [Section 2]
            Corrected the Samba entry to reflect File&Printing.
            Added the UNIX (samba) print feature.
            Added the SWAN / IPSEC VPN feature [not completed].
            [Section 3]
            Added a DNS hostname (roadrunner) (doh!), the SMB Workgroup (ACME123) name, added an internal MASQ'ed machine name (coyote), and cleaned up all remaining issues for the search/replace section.
            [Section 7]
            Fixed a TERRIBLE mistake where all the /etc/rc.d/init.d script files were 755! Also fixed the perms for /etc/cron.daily.tmpwatch.
            [Section 7]
            Added a little reminder to periodically use the RPM update tools documented in [Section 43].
            [Section 7]
            Made the recommendation to change the default UMASK from 755 to 750.
            [Section 7]
            Made a note where I've noticed that some of the daemon start/stop GUI tools disable/enable some daemons that you DON'T want upon first use.
            [Section 8]
            Fixed permission problems (changed to 700) of /var/log/ and /var/log/sendlogs.
            [Section 9]
            Clarified that the user needs to download IPFWADM before they can use IP MASQ.
            [Section 10]
            Enabled and clarified why it is important to load the Real Audio MASQ module for performance reasons.
            [Section 10]
            Fixed perms on the commented lines for /etc/ppp/ip-up to be 700.
            [Section 10]
            Fixed perms for /etc/rc.d/rc.firewall to 700.
            [Section 10]
            Fixed perms on /etc/rc.d/rc.serial to 700.
            [Section 16]
            Fixed perms on /etc/cron.15minutes/getdate to 700.
            [Section 26]
            Fixed perms on /etc/rc.d/ to 700.
            [Section 31]
            Lots of important changes to the Samba section:
            - Deleted all "s so not to confuse the reader
            - Added the "server string" line
            - Changed the "WORKGROUP" to "acme123"
            - Added the "bind interfaces only = true" setting for more security
            - Added the "create mask" and "directory mask" to fix Samba to UNIX permission problems (all files were getting set to 755), thus all "other" users could see the files.
            - Added the "force group" setting to improve SMB/UNIX file sharing.
            - Added the "fake oplocks" setting to improve performance
            - Added the "IPTOS_LOWDELAY" setting for LAN segments
            - Added the "veto oplocks" setting for the CDROM changer
            - Added "browsable = no" to [Homes] so users don't see duplicated things in the browse list
            - Added the "user = %S" to increase security
            - Added the "[HpLj2p]" section for SMB printing
            - Added the directions to use "testparm" to check the /etc/smb.conf file.
            - Added a forgotten (and mandatory) section on creating the /etc/smbpasswd file
            - Added instructions on how to configure Win95/NT to get all the machines into the same SMB workgroup
            - Added how to mount your Win95/NT shares onto your Linux box with smbclient and smbmount!
            [Section 33]
            Clarified the use of mkisofs.
            [Section 39]
            Fixed perms on /etc/cron.10minutes/re-sync to 700.
            [Section 41]
            Added the UNIX (Samba) Printing section. This section is primarily for SMB printing but talks about local UNIX printing too. This section also talks about "lpd" security issues and how to fix them.
            [Section 47]
            By popular demand, I've begun to implement a VPN with SWAN / IPSEC. This will take a little while but the URLs are there at least.
            [Section 48]
01/09/99    Made some clarifications on using command-line vs. GUI /etc/rc.d daemon control programs.
            [Section 8]
            Added "df" and "ps ax" vitals to the sendlogs daily email system.
            Added "/usr/sbin/killall tail" to the /etc/rc.d/rc.local file.
            [Section 9]
            Added some clarifications to the DHCP section and how to get MAC addresses from WinNT and Linux. Corrected a mistake where I was pointing the DHCP broadcast to the wrong NIC card. Added the fact that you need to put all your DHCP leases into DNS and restart named.
            [Section 27]
01/08/99    Fixed some spelling issues.   * Sent Update *
            [Section 1]
            Added the Future Feature to move /var/log/sendlogs to /usr/local/sbin.
            Fixed some spelling issues and added the fact in the Future Features section that I think I'm going to implement a SWAN / IPSEC VPN instead of an SSH/PPPd VPN.
            [Section 2]
            Added IPCHAINS URLs.
            Added SWAN / IPSEC URLs.
            [Section 5]
            Documented the fact that most Linuxes truncate all passwords after 8 characters and how it's critical to make good passwords.
            Fixed an anonymous FTP file name typo. Should have been /etc/ftpaccess.
            [Section 8]
            Changed the perms on /etc/syslog.conf to 600.
            [Section 9]
            Added the pointer to check out [Section 40] for specific NFS IPFWADM exceptions.
            [Section 10]
            Added a little text intro on how Linux Alpha and Beta kernels are numbered and what it means to be an "even numbered" kernel.
            [Section 12]
            Documented the rationale to always run/not-run Sendmail and noted a few critical things for users that are NOT always running sendmail but do want to send mail from their Linux box.
            [Section 25]
            Did some cleanup to the NFS section, added "635/udp mountd" to /etc/services {Why isn't it there now?}. Added specific exceptions to the IPFWADM ruleset to allow NFS traffic to specific hosts on the Internet.
            [Section 40]
            Did some clean-up to the IPCHAINS section and added a pointer about 2.1.x / 2.2.x kernels to the Kernel section.
            [Section 44]
            * Lots of thanks to Andy Barclay for his editorial eye on these fixes. *
            Added the use of the pwck and grpck commands to check for hacked /etc/passwd and /etc/group files.
            Added the use of the "last | more" command to check when users last logged in.
            [Section 46]
01/06/99    Moved all changelogs prior to 12/22/98 to the URL above. (64 changes/additions)
            [Section 100]
01/05/99    Changed the System backup section name to reflect minimum and quick backups to floppy.
            [Section 2 and 3]
            Added the LDP's Security HOWTO URL.
            [Section 8]
            Changed the /var/log file perms from 700 to 600.
            Changed the cron daily's execution order to correct lost log issues from the "rotatelogs" executing.
            [Section 9]
            Changed the section name to "Backing up your box (minimum files to floppy and full backup to tape with BRU)".
            Added minimum critical files to back up to floppy in addition to backing up the whole system to tape or CD. Lots of good stuff in here!
            [Section 29]
            Added the "ssh" alias to use the BlowFish codec for outgoing Linux SSH connections.
            [Section 30]
            Added the "So you think you are being hacked.. Confirm it!" section.
            [Section 46]
12/29/98    Added the NMAP portscanner to the feature set section.
            [Section 3]
            Added the NMAP URL (doh!). Thanks to Fidor for pointing this out..
            [Section 5]
            Added NMAP portscanner installation and use instructions.
            [Section 45]
            Added a PAM RPM update.
            [Section 50]
12/28/98    Added the PPPd/SSH VPN in the future features.
            [Section 3]
            Added the beginnings of the IPCHAINS section.
            [Section 44]
12/27/98    Added the pager search/replace option.   * Sent Update *
            [Section 7]
            Fixed the MRU setting in /etc/ppp/options.
            [Section 22]
            Fixed the APCUPSD paging scripts. It turns out that you CANNOT set up the /etc/apcupsd.conf file with something like:
                RETCMD /usr/local/sbin/apcupsd-page retcmd
            Each file must be unique.
            So, the fix is to configure and create individual scripts such as:
                RETCMD /usr/local/sbin/apcupsd-retcmd
            [Section 36]
            Added the "Dial-in terminal / PPP access via a modem" section for OOB (Out of Band) access to your Linux box if you screw up your IPFWADM rulesets, your Inet connection is down, etc. There are also specific notes on working around answering machines, etc.
            [Section 42]
            Added the "Automated RPM notifier / updater" section to have a more automated system to tell you what RPMs have been updated.
            [Section 43]
12/26/98    Added to the future features list: IMAP4, Procmail, fetchmail, dial-in access, dial backup.
            [Section 3]
12/23/98    Changed the MASQ UDP timeouts to 2 hrs to stop ICQ users from "flapping".
            [Section 10]
            Renamed the SYSLOG monitor from "logit" to "" and moved its execution from the crontab to the execution of "sendlogs" to fix any possible race conditions.
            [Section 9]
12/22/98    Updated the Table of Contents to reflect Secondary support.   * Sent Update *
            [Section 2]
            Updated the Feature list to reflect that TrinityOS documents SECONDARY servers.
            [Section 3]
            Fixed a typo in the shadow conversion where I was referring to /etc/pam.d/password instead of /etc/pam.d/passwd.
            Clarified the shadow file conversion between crypt and MD5.
            [Section 8]
            Cleaned up the tty logging stuff to reload after each day.
            [Section 9]
            Added how to configure a SECONDARY (SLAVE) DNS server.
            Fixed a typo for the name of the SECONDARY dns server in /var/named/.
            [Section 24]
            Updated the sendmail section to install Sendmail 8.9.1 though the anti-spam stuff isn't configured yet.
            [Section 25]
12/21/98    Caught a typo where I was trying to set "ip_forwarding" instead of the proper "ip_forward".
            Fixed some inconsistencies with files being called /etc/rc.d/rc.masq vs.
            rc.firewall (Thanks to
            [Section 10]
            Added the "ip_dynaddr" kernel parameter to the Diald section.
            [Section 23]
12/18/98    Updated the SSH section to reflect the usage of SecureCRT v2.3.1 and the BLOWFISH cipher (from 3DES), the use of SSH compression, and the change of the scrollable buffer.
            [Section 30]
12/17/98    Updated the standalone and MASQ IPFWADM rulesets to reflect the usage of PPPd's environment variables.
            [Section 10]
            Added 6 RPMs to fix issues with Netscape, FTP, and Xwindows.
            [Section 50]
12/06/98    Added a "sync" feature in the cron tabs to keep the EXT2 filesystem cleaner.
            [Section 41]
12/05/98    Added a Future feature to "Add analog modem dial backup for email fetching when the ADSL/Cablemodem goes down".
            [Section 3]
12/04/98    Added the Filesystem tuning section regarding heavily used Linux boxes and EXT2 filesystem corruption.
            [Section 41]
12/03/98    Secured some of the /var/log log files.
            [Section 9]
            Added a few more TCP/IP window optimizations for DHCP addressed Linux boxes.
            [Section 16]
12/01/98    Added paging support to the feature set.
            [Section 3]
            Added the clarifications on the SCSI controller setup to enable DISCONNECT.
            [Section 4]
            Found a failure in the /var/named/root-hints-update script where one of the root servers would be contacted but NOT report any of the ROOT-SERVERS. Thus.. DNS would then break. I have added another test condition to stop this from happening again. The DNS-HOWTO maintainer has been notified.
            Moved the /var/log/root-hints-update script to /var/named/root-hints-update.
            Also added version notes to the script.
            [Section 24]
            Updated the APCUPSD configs to be more specific.
            Added the features to have APCUPSD log notices to SYSLOG and optionally PAGE you when something happens.
            [Section 36]
            Disabled RZ and SZ for normal users due to a permissions issue. Hopefully a patch will be released soon.
            [Section 50]
            A few spelling corrections in the doc.
11/29/98    Added a clarification for the optimization notice to PPPD for users who are having slow WWW browsing issues to specific sites. Donald Spoon
            [Section 22]
11/27/98    Updated the intro.
            [Section 1]
            Re-organized the Features section.
            [Section 3]
            Updated the Distribution intros a little.
            [Section 6]
            Moved the console TTY syslog logging to /dev/tty8.
            [Section 9]
            Expanded the LILO section to understand multiple NIC cards, deal with RAM size recognition, and fix typical LILO booting problems.
            [Section 15]
            Updated the BRU exclude files to not compress RAR files.
            [Section 29]
            Moved most of the old updates to a separate file at:
            [Section 100]
11/22/98    Updated the kernel to 2.0.36.
            [Section 12]
            Updated SSH to 1.2.26.
            [Section 30]
11/20/98    Fixed some security issues posted by the Samba team. All fixes are very simple but probably critical.
            [Section 30]
11/16/98    Lots of little changes here:   * Sent Update *
            Cleaned up the Intro page a little more.
            [Section 1]
            Added the NFS section to the Index.
            [Section 2]
            Added the NFS section to the Feature list.
            [Section 3]
            Updated the hardware section to reflect the removal of an old 540MB IDE disk and the failing of a 1GB SCSI disk. Replaced both with a 10GB 7200RPM disk. Updated the CMOS and FDISK details to reflect the new hardware. Updated the mount list to show the addition of two more HDs to the RAID0 setup.
            [Section 4]
            Updated the distribution section to reflect the changes found in Redhat 5.2 and Slackware 3.6.
            [Section 6]
            Updated the RAID section to now stripe 4 drives.
            Fixed a typo when we were supposed to format the array. I had "e2fsck" when it should have been "mke2fs". Doh!
            [Section 31]
            Added a whole new section on adding NFS to Linux. This section includes setting up both the NFS server and client. This section also goes into detail about Linux NFS performance and security concerns.
            [Section 40]
11/15/98    Added new syslogd and samba RPM security updates.
            [Section 50]
11/13/98    Updated the advanced firewall to DISABLE the IPPORTFW support by default.
            Clarified the /etc/ppp/ip-up stuff for dynamically addressed users. Thanks for some of these tips from
            [Section 10]
            Added a new libc (not glibc) RPM security update.
            [Section 50]
11/06/98    Added a small description of what all the IPFWADM timeout parameters mean.
            [Section 10]
11/05/98    Added (3) RPMs for security.
            [Section 50]
11/01/98    Removed the initial module loading for the MASQ IRC and Quake modules. IRC has been recently used as a vehicle for Back Orifice exploits. But.. if you use IRC and Quake a lot, you need to un-# out these lines in the simple, ANAL, and NON-MASQ IPFWADM rulesets.
            [Section 10]
            Last night, the "root-hints-update" file for DNS failed for some reason. Because of this, the script then replaced a good /var/named/root-hints.db file with a bad one. I have updated the script to check for the "SERVFAIL" attribute and if it is present, the script will NOT hose a good hints file.
            [Section 24]
            Added the domain name to the /etc/mail/ file for NON-MASQ but mail authoritative servers.
            [Section 25]
10/31/98    Re-arranged the Feature sets to group types of features together.   * Sent Update *
            Moved the Xwindows feature to the TO-DO section since I haven't done it and added the feature set to implement the WindowMaker window manager.
            [Section 3]
            Re-laid out the Hardware info section.
            [Section 4]
            Updated the Redhat 5.0 & 5.1 RPM Patches list. Interestingly enough.. there are patches in the Redhat 5.1 area that are NOT in the 5.0 area. This sucks! Installed (14) new RPMs.
            [Section 50]
10/29/98    Added my SCSI IDs to the doc.
            [Section 4]
            Added the BRU manual URL.
            Changed the BRU buffer size from 20K to 16K to fix some buffer underruns.
            Added Bru log file renaming and compression to save file space.
            Added a URL to a Boot/Root/Util rescue diskette utility for Linux and BRU.
Once I get some time, I will document how to use this util. [Section 29] 10/28/98 Corrected a mistake and added a address for the external broadcast address in the search/replace section [Section 7] Added the "securehost" line in the TCP wrappers /etc/hosts.allow file to be consistent with the IPFWADM rulesets [Section 8] Updated the MASQ IPFWADM ruleset to reflect the usage ports 1024-65535 since SSH sometimes creates connections at port 1023. Lame. Updateded the MASQ IPFWADM ruleset to include a variable for the external broadcast address $EXTBROAD. Added TCP DHCP support for the MASQ firewall. Deleted out the header comments from the MASQ firewall to now properly reflect the setup for for the single-host firewall ruleset. DNS outgoing rules for the single-server firewall rulesets should have the Source instead of Destination port 53 for outgoing DNS. DOH! Added #ed out IPFWADM statements to both the MASQ and single server rulesets to -NOT- log stray BOOTP traffic (port 67,68), Samba traffic, (ports 137,138), RIP traffic (port 520), and SNMP (port 161) [Section 10] Added instructions to be able to upload HTML files directly into the /home/httpd/html directory. [Section 37] 10/24/98 Delete the DNS v4.9.x config feature Added the to-do CACHING ONLY config for DNS 8.1.x [Section 3] Clarified the use of the "extif" variable for dynamic PPP users Made recommendations for PPP users to load the /etc/rc.d/rc.firewall script from the /etc/ppp/ip-up script. [Section 9] Updated a few of the comments in the DNS 8.1.x configs DELETED the 4.9.x DNS configs [Section 24] Thanks for the recommendations from 10/21/98 Added the addition of the sticky bit to /tmp [Section 8] 10/15/98 Added a SUID search for files that are group or other writable. [Section 8] Added the automatic execution of the rc.firewall ruleset in the /etc/ppp/ip-up file for PPP users. 
[Section 22] Added a great LINUX FAQ for DHCPCD, etc [Section 35] 10/14/98 Made two mistakes on the dynamic IP script used for PPP users. It was EXTNIC instead of EXTIP and I needed "Execute" marks instead of apostrophes. Thanks to for this one. [Section 10] 10/12/98 - Made a few downloading clarifications for the IPPORTFW code [Section 11] 10/10/98 - Added the WWW functionality to the feature list *Sent [Section 3] Update* - Added Apache URLs to the download section - Added URLs to COPS, SATAN , and the Solar buffer-overflow fixes [Section 5] - Added the recommendation of passwording the CMOS setup - Added the disabling of shutting down Linux with CNTL-ALT-DEL [Section 8] - Added an additional strong IPFWADM ruleset for single-NIC non-masquerading servers [Section 10] - Added the LILO password protection of booting into DOS from a LILO prompt [Section 15] - Added the option of redirecting root's email to multiple remote email addresses [Section 18] - Added the update of the root.hints.db via the dig command and ADDED an automatic root.hints.db script to Cron. This is important! [Section 24] - Added Section 37 for the setup of the Apache WWW server [Section 37] - Added Section 38 for Tripwire monitoring [Section 38] - Added the beginnings of backing the machine up to a CD-R [Section 39] - Updated the RPM listing in Section 50 and applied all new patches. - Re-aligned the Patching section to be more readible Redhat users: You REALLY should do a "rpm -q -a" and compare what RPM versions you have installed vs. this updated list in Section 50 [Section 50] 10/09/98 - Fixed the /var/named/ to reflect the proper reverse resolution configs. 
- Corrected the /etc/named.conf to point to the correct root.hints.db file - Deleted NIS entries from the /etc/nsswitch.conf file - Added a testing phase of your NAMED service [Section 24] - Added the APCUPSD configuration [Section 36] - Added the HDPARM to-do optimizations for IDE HDs [Section 5] * Added a search/replace section for endusers to do a search/replace on a downloaded copy of TrinityOS to customly change the doc to reflect their enviroment. I honestly beleive this will help people setup their Linux boxes faster. - This document no longer reflects my real domain name, IPs, etc. [Section 7] 10/08/98 - Fixed an issue with the /etc/hosts file [Section 7] - Updated the inetd.conf section filters for Redhat v5.1 - Updated runlevel process killing via "ntsysv" and "tksysv" - Removed FTP guest access - Added MD5 hashing to the shadow password setup - Added the module to the passwd system [Section 8] - Missed the file "touching of "loginlog" and "kernel" for the /etc/syslog.conf file - Added the "loginlog" to the logrotate.d file - Added monitoring /var/log/maillog on tty9 - Lightly edited the "sendlogs" script to send the output files to root@localhost - Cleaned up the "sendlogs" implimentation stuff [Section 9] 10/03/98 - Added xinetd to the to-do list for better brute force DoS attacks. [Section 3] - I screwed up with the TCP wrapper support for SSH. I changed: "./configure --with-libwrap=/etc]" to "./configure --with-libwrap" [Section 30] 9/27/98 - Added IPPORTFW compiling and rulesets - be sure you read the notes section in there [Section 10] Ruleset addition [Section 11] Patching and compiling - Inserted a new [Section 11] so I had to renumber 12-35. - I'm re-reading over ALL the text in the doc and I'm making light changes to it all to overall format of the doc too. 9/20/98 - Added some RPMS to the Security section [Section 50] 9/14/98 - One of the Security URLs was dead. 
I replaced it with and [Section 50] 9/10/98 - Changes the Firewall to REJECT outgoing PPTP, Remote Winsock, NFS, PcAnywhere, and Xwindows highports. [Section 10] 9/03/98 - Changed the max interval parameter for NTP to 200 seconds [Section 25] 9/02/98 - Added a little intro blurb on how Redhat start/stops daemons from the various /etc/rc.d dirs. [Section 8] - I just noticed through a "netstat -rn" that my TCP window optimization was wiped out when I installed the initscripts-3.67-1.i386.rpm a while back! Doh! I have updated the docs to reflect the new /sbin/ip-up file. [Section 15] - Added the note that for my 3C509 ISA 10BaseT cards, I have them set for NO analog modem and the optimization is set for "Server". NOTE: The modem setting of "NO modem" will not be appropriate for modem users. See this section explanation for what these settings do. [Section 15] 8/31/98 - Fixed a security issue with Minicom [Section 50] 8/28/98 - Added some security RPMs for NFS [Section 50] 8/26/98 - Completely OVERHAULED the IPFWADM firewall rulesets. To be honest.. the old ones SUCKED! [Section 10] - Fixed the FTPd defaults so that Redhat will properly work with a patched version of Tar (supports Bzip2) and properly support "compress" compression on the fly! [Section 7] 8/23/98 - Added port "22" to the /etc/services file [Section 27] 8/22/98 - Added the LinuxConf security RPM for the Redhat v5.1 peoples 8/21/98 - Added to the "Future Features" a BRU recovery diskette setup 8/18/98 - Updated the Diald URL [Section 5] 8/17/98 - Added the security fix svgalib-1.2.13-5.i386.rpm [Section 50] 8/16/98 - Made a slight format and made the "Patching and Initial Fixing" its own section. [Section 7] - Disabled anonymous FTP VERY IMPORTANT!!!! [Section 7] - Renumbered Sections 7-35 - Fixed the permissions in the rc.cdrom file so people can READ the files. Evidently, though the permissions don't correctly show up in a "ls -la", they DO work! 
[Section 31] 8/13/98 - Changed the /etc/logrotate.conf file *Sent to compress the old rotated logs files. Update* [Section 7] 8/12/98 - Updated a little info on the security fix for the Apache RPM. This RPM re-enables the logrote stuff. 08/11/98 - Added the URL for DHCPc client configs for cablemodem users. I will expand on this section later. [Section 33] - Moved the Security Patching section from 34 to 50. - Applied the apache-1.2.6-5.i386.rpm RPM [Section 50] 08/08/98 - Major addtions: *Sent Update* + RAID 0 Striping (finished) [Section 29] + Added extra security to the CD-ROM changer [Section 30] + Samba File Services (print services soon) [Section 31] + PCMCIA Services [Section 32] + Updated to the 2.0.35 kernel [Section 10] - Added new Feature requests for: - Email sent dynamic IP address exception requests for access though the TCP Wrappers and the IPFWADM rulesets - Migration from IPAUTOFW to IPPORTFW - DHCP clients for cablemodem users - Other changes to the Intro, fstab and displayed mount list 07/30/98 - Added the future feature of PCMCIA services 07/29/98 - Added a new header section to the Updates section. This now clearly shows how many Redhat RPMs are available, installed on TrinityOS, and when it was last updated. [Section 34] - Added (12) RPM patches [Section 34] - Added the chmod stuff for dumpreg [Section 34] - Added the addition of a CD-ROM changer [Section 30] - Made some changes to the intro and shifted the table of contents to [Section 2] 07/14/98 - This is not an issue for Redhat or Slackware *Sent unless you manually upgraded your copy of PINE. Update* If you are unning Pine v4.00 or the UW IMAP service, you should upgrade ASAP! [Section 34] 07/13/98 - Updated the Samba RPM due to major security issues [Section 34] 07/12/98 - I didn't realize that SSH out of the box does -NOT- observe the /etc/hosts.deny and allow TCP wrapper files!! So.. I updated the SSH section to use wrappers. VERY IMPORTANT!!! 
[Section 28] 07/09/98 - Added a little plug at the top of the TrinityOS doc for my WWW page. Many people were coming to the TrinityOS doc without knowing that there is a LOT more info available from my main page. 07/08/98 - Added the installation of new RPMs: dosemu-0.66.7-7.i386.rpm libtermcap-2.0.8-9.i386.rpm [Section 34] 07/05/98 - Updated the hardware setup for Trinity2. I need the SCSI *Sent performance of the 2842 for the software RAID but since Update* I only have (2) VLB slots.. I had to sacrafice video performance. - Pulled out the ISA Adaptec 1542b and put in a VLB 2842b - Pulled out the VLB Cirrus Logic 5429 and put in a ISA ProIIs - Updated the HD table to reflect the replaced WD 1.2GB, the addition of two new Conner 540GB drives and a HP TR4 tape drive. [Section 3] - Updated the Future Features to reflect my new projects including software RAID, SPLIT-DNS, Impliment a new 2.1.100+ kernel, migrate IPFWADM to IPCHAINS [Section 3] - Updated my Linux distrobution guide to reflect Patrick J. Volkerding's continued efforts on Slackware. My appologies go out to Pat for propogating the "Death of Slackware" rumors and applaude him for all of this work! [Section 6] - Started the software RAID-5 section which talks about how to build up an external RAID enclose from old CASE parts..etc. Its not complete quite yet though. [Section 29] - Implimented the new slang, libtermcap, and rpm RPMs. I *SKIPPED* the Tin upgrade since I installed Tin v1.4beta. I *SKIPPED* the Bind upgrade since I'm running Bind 8.1.2T3 [Section 34] - Swapped the Feature Set and Table of Contents sections 07/01/98 - Added the "seyon" security patch [Section 34] 06/29/98 - Spelling correction in the shadow passwd conversion noted from Frank Soria ( Section 7 06/19/98 - Changed perms on /usr/bin/lpr since there are some security issues with it. Section 34 - Added more NTP servers since my primary site is down. 
Section 24 06/15/98 - Added a slight fix to get rid of all the annoying cron mail messages from the NTP updater. Section 24 - Added several RPM upgrades Section 34 06/14/98 - Updated the SSH section to reflect upgrading to v1.2.25 *Sent to avoid a new SSH exploit. Update* Section 28 and 34 - Clarified the POP3 setup Section 26 - Added some DNS (Bind) descriptions and security enhancements using the Bind v8.1.x "allow-transfer" and "xfernets" parameter. Also added a few other updates for my enviroment. Section 22 - Changed over NTP clients to something a little more robust and added the URL to the main NTP site for people to find a local NTP server. Also updated the NTP stuff for both updating at 15mins or 60mins and now have instructions for both Slackware and Redhat users. Section 24 - Updated the distro descriptions and how Slackware, to Redhat, to Debian are different. The more I play with Redhat, the more I realize that it ISN'T a straitforward UNIX. I also added a few fixes for Redhat users on quirks I've noticed in v5.0. Section 6 - Fixed a few things in the /etc/bruxpat file. Multi-volume ARJ files that start with EITHER a "A" or "a" (such as myfile.a01 and myfile.A01) are now not compressed. Section 27 - Changed the DHCPd setup to reflect giving out DHCP addresses to (2) more machines. Section 25 - Noted that I need to merge my existing Masq-PPP and Masq-Diald-PPP docs into TrinityOS. Section 3 and 20 - Added more things to the "Future Features" section including: Adding a CD-ROM changer, installing (2) HDs and (1) tape drive, impliment MD0spanning or software-based RAID-5, setup SPLIT-DNS, impliment automatic weekly incremental tape backups, and move this doc over to HTML format Section 3 - Made a bunch of minor layout changes 06/10/98 - Added SYSLOG (syslog, messages, kernel, maillog, etc date parsing, filtering, and mailing. 
This is good for when you'd like to know if any strange things are happening to your Linux box (processes failing, hacker attempts, etc). This script also optionally monitors how many times your modem line came online (or failed due to busies,etc) and report what speeds it connected at in a nice summarized table. The logs are then mailed to a specified mail address once a day. Nice! Section 8 - Added the download recommendation of Netwatch for traffic monitoring Section 5 - Updated the kernel section to reflect 2.0.34 and the new v1.16 3c509.c driver Section 10 - Added some slight changes recommended from Spelling, etc 06/01/98 - Added full SSH client and server encryption for TELNET, Xwindows, etc Section 28 - Can't believe I forgot this one: Updated network setup to use a larger TCP window size. Do this.. it makes a HUGE difference in LAN speed. Section 14 - Added the patch-2.5.2.i386.rpm to fix the --nodep issues (should be in Redhat's Errata but isn't) 05/30/98 - Added a Redhat errata section to talk about how to update your machine to the newest, most secure code. I mention how to install RPMs in bulk, how Redhat documents their errata and specifically mention the installation of the following rpms: rpm-2.5.1-1.i386.rpm glibc-2.0.7-13.i386.rpm glibc-devel-2.0.7-13.i386.rpm Section 34 05/15/98 - Added a backup script for BRU to back this all up! Section 28 - Made some format changes 05/08/98 - Added security issues/fixes for DIP and Xterm (apply these fixes! Users can get root EASY!) Section 34 04/27/98 - Added some changes to the /etc/rc.d/init.d/gpm file to properly support the old C7 Logitech mouse Section 14 04/22/98 - Added comsat for Redhat users (dumb to disable) Section 7 04/21/98 - Procps patch Section 34 04/19/98 - Added log rotation configs for the "syslog" file - Application of all recent Redhat OS patches - Added notes on how to choose a Linux distribution - Added rc.serial configs for advanced COMM port design and optimization. 
- Added patch info on the new OffbyONE Linux DoS attack 04/18/98 - Added a missing broadcast route for DHCP - Added a missing statement for sendmail masquerading 04/17/98 - Added Bind v8 configurations - Added sendmail envelope options - Added DHCPd support - Added Shadow passwords to Redhat5 04/12/98 - Added dynamic IP address configs for the advanced firewall rulesets 04/11/98 - Doh! Forgot the link to my PPP/Diald setup in section 19 04/10/98 - More major layout changes - Added Section labels - Added the Advanced firewall rulesets - Added configuration changes for BIND v8.x (not complete) 04/09/98 - Major document layout changes (hopefully more logical now) - Added modifications for the Redhat distribution - Added configuration setups for Cablemodems 04/06/98 - More Security stuff 04/01/98 - Published to WWW site - Added IP MASQ timeouts - Added additional formatting to this doc 02/09/09 - Added Xkeyboard issue - Device DoS - IMAP & IPOP 02/06/98 - Added Solar buffer-exploit handler 01/01/98 - Added more security stuff 12/09/97 - Added cron security issue and aliases 11/11/97 - WWW proxy / filtering 11/03/97 - Major changes 05/18/97 - Original start