TrinityOS: A Guide to Configuring Your Linux Server for Performance, Security, and Manageability: Installing a distribution, patching it, and doing a Search/Replace on TrinityOS

7. Installing a distribution, patching it, and doing a Search/Replace on TrinityOS

7.1 Upgrading/Updating your Linux distribution:

Like ANY Linux distribution, bug fixes, security releases, etc. are always coming out and you NEED to stay on top of it. Remember, Linux is very functional but without a given security patch, a hacker can break into your box and do ANYTHING! Redhat, Debian, Slackware, etc have their own incremental update systems that makes this easier.

P.S. If the program you update to with "pkgadd" has different configuration file layouts, you will have to the conversion manually. Debian and Redhat's systems can do the conversion for you though I've had mixed results with this.

Redhat users:

Go to the Redhat Updates URL in Section 5 and download all the recent patches to a directory (ie. /tmp/patches). Once you have all of the newest RPMs, you should use the "Fresh" option of the RPM tool. This will update the RPMs on your machine ONLY if an older version of the RPM is installed on your machine. So, I recommend thast you do:

rpm -Fvh /tmp/patches/*

Also, please heed these following warnings regarding RPMs:

*******************************************************************************
** Don't always trust RPMs!!!!                                               **
**                                                                           **
**  See [Section 50] for more specific instructions on how to use  **
**  RPMs, see what files will be installed/replaced/OVERWRITTEN BEFORE you   **
**  install them, etc.                                                       **
*******************************************************************************
** Staying on top of new RP Ms                                               **
**                                                                           **
**  You should also implement the RPM notification tool that is documented   **
**  in [Section 43] to stay on-top of this in the future!          **
*******************************************************************************

7.2 TrinityOS diagrams and Search and Replace Keys

----------------------------------------------

This is how the TrinityOS network is laid out:

Network topology diagram:

 ________
/        \
|Internet >------------------+
\________/                   |
                         Cablemodem
                             |
                   +-----------------------+
                   |         |             |
                   |  External Link: eth0  |
                   |  IP:  100.200.0.212   |
 _________         |  DGW: 100.200.0.1     |
/ Various \        |                       |
|  Remote |        |     ------------      |
|  Sites   >-ISDN--|- External Link: ppp0  |
|    &    |        |  IP: dynamic          |
| Internet|        |     ------------      |
|   link  |        |     DMZ Link: eth2 ---|----< To 802.11b wireless network
\  backup /        |    IP: 192.168.10.1   |            IP: 192.168.10.x
 ---------         |     ------------      |           DGW: 192.168.10.1
                   |                       |           DNS: 192.168.10.1
                   |  Internal Link: eth1  |
                   |  IP: 192.168.0.1      |
                   |          |            |
                   +-----------------------+
                              |
                      8-port 100Mb/s switch
                              |
          +----+----+----+----+----+----+----+----+
          |    |    |    |    |    |    |    |    |
         PC   PC   PC   PC   PC   PC   PC   PC   PC
         #1   #2   #3   #4   #5   #6   #7   #8   #9
          |
          |
       /----------------\
        IP: 192.168.0.2
         DGW: 192.168.0.1
         DNS: 192.168.0.1

- Next, this section is to custom tailor your copy of TrinityOS to your specific environment. Do a search/replace on the "Search for" fields and replace them with your correct "replace with" fields.

PLEASE NOTE: If you are going to use IP Masquerading, you should use one of the private address spaces as described in RFC 1918 http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html such as:

Class-A: 10.x.x.x
Class-B: 172.16-31.x.x
Class-C: 192.168.x.x

                               search for              replace with (given as an example)
                               ----------              ----------------------------------
     Your main login ID        johndoe                 your-login

     Your PPP ISP name         your-ppp-isp-name       your-ppp-isp-name
     Your PPP ISP #            555-1212                555-1234
     Your PPP login            your-ppp-login          your-ppp-login
     Your PPP password         your-ppp-passwd         your-ppp-passwd

     The Linux machine
     name                      roadrunner              your-linux-boxes-name

     Domain Name               acme123.com             yourdomain.org
     Second Domain Name        another-domain.com      yourseconddomain.org

     Internal IP network       192.168.0.0             192.168.0.0
     Internal IP address       192.168.0.10            192.168.0.10
     Internal gateway IP       192.168.0.1             192.168.0.1
     Internal broadcast IP     192.168.0.255           192.168.0.255

     Internal DMZ IP network   192.168.10.0            192.168.10.0
     Internal DMZ IP address   192.168.10.10           192.168.10.10
     Internal DMZ gateway IP   192.168.10.1            192.168.10.1
     Internal broadcast DMZ IP 192.168.10.255         192.168.10.255


     External IP network       100.200.0.0             100.201.0.0
     External IP address       100.200.0.212           100.201.0.212
     External gateway IP       100.200.0.1             100.201.0.1
     External broadcast IP     100.200.0.255           100.201.0.255

     Remote SECONDARY DNS      ns.backupacme.com       ns.yourdomain.org
     External secondary DNS    102.200.0.25            102.201.0.25

     Reverse DNS lookup        54.44.80.10             50.0.201.102

     Explict allowed IP#1      200.211.0.40            200.244.0.40
     Explict allowed IP#2      200.211.0.41            200.244.0.41
     Explict allowed IP#3      200.211.0.42            200.244.0.42
     Explict allowed IP#4      200.211.0.43            200.244.0.43

     ISP DNS server #1         10.200.200.69           10.222.222.44
     ISP DNS server #2         10.200.200.96           10.222.222.88

     Your SMB Workgroup:       ACME123                 your-linux-boxes-SMB-workgroup-name

     Your pager email:         1234567@skytel.com      2321432342@skytel.com

     An internal PORTFWed
     MASQ machine name:        coyote                  one-internal-MASQed-machine-name

     A internal PORTFWed
     MASQ machine IP:          192.168.0.20            192.168.0.20

     Internal machines 
       allowed to connect
       to the MASQ server:     192.168.0.11            192.168.0.11
                               192.168.0.12            192.168.0.12

     Remote PPTP setup
       PPTP server running at: MyEmployer.com          MyEmployer.com
       PPTP server IP:         220.1.2.3               220.1.2.3
       PPTP username:          YourUserNameHERE        YourUserNameHERE
       PPTP CHAP name:         REMOTE-PPTP-CHAP-HERE   REMOTE-PPTP-CHAP-HERE

7.3 ## Fixing Redhat, Mandrake, etc. (bugs) that are right out of the BOX! (ouch!): ##

* These are errors, bugs, annoyances, etc that I've notice in Redhat5.x. But, these might be fixed in later CD releases, patches, etc.

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz

- Fix all cron permissions (some fixed in RH6.x)

                                chmod -R 750 /etc/cron.hourly
                                chmod -R 750 /etc/cron.hourly/*
                                chmod -R 750 /etc/cron.daily
                                chmod -R 750 /etc/cron.daily/*
                                chmod -R 750 /etc/cron.weekly
                                chmod -R 750 /etc/cron.weekly/*
                                chmod -R 750 /etc/cron.monthly
                                chmod -R 750 /etc/cron.monthly/*

- Let Minicom and "ls" run in Color:

Edit /etc/profile and add:
- Add the following after the "export" line if you have Minicom installed:
  MINICOM="-c on"
  export MINICOM
- This "ls" issue is fixed in RH6.x but its good to setup regardless. Edit the /etc/bashrc file and add:
  alias ls='ls --color=yes'

- Let ColorGCC always run to make compiling a little more obvious

Add the following to the /etc/bashrc file to make compiling highlight various warnings, errors, etc. I think it helps..
```
    export CC="colorgcc"
  
```

Fix the timezone

NOTE: This is supposed to be already fixed in a Glibc RPM fix
- Edit the /etc/profile file
  - Just above the "EXPORT PATH" line, add the line for Pacific Daylight time (adjust for your Time zone)
    TZ=PST8PDT
    Now edit the "EXPORT PATH" line and append the word "TZ"

- Change the default UMASK (default file/directory create)

NOTE: Changing this behavior makes the permissions of all NEWLY created files only readable by certain users and groups. This can have a detrimental effect on programs that need to be used by multiple users. The default is "umask 002 else umask 022".

NOTE2: If you see two "umask" lines, change them BOTH to 027

- edit /etc/profile, find the umask line(s) and make them it read "umask 027"

- Fix compressed FTP downloads (still broken in RH6.1)

NOTE: The changes were:

"compress" is in /usr/bin and NOT /bin
I had previously patched TAR to understand .BZ2 compression but this is now already done in RH6.x and most other modern Linux distributions (the man pages don't reflect this. Obviously this is STILL a bug as of Mandrake 7.0.).
If you have an old distribution, compile up the new tar executale. Then put this new TAR binary in /usr/local/bin.
Create a link to the new tar file
ln -s /usr/local/bin/tar /bin/tar
Now, to fix FTP so you can get compressed archives automatically from ftpd, edit the /etc/ftpconversions file and make it look like this:

:.Z: :  :/usr/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
:   : :.Z:/usr/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
:.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
:   : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
:   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
:   : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
:   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

- Fix the permissions on the /etc/rc.d/init.d script files!!!

Bad, Bad, Bad. Only "root" and admin groups should be able to do this type of adminstration.

                        chmod -R 770 /etc/rc.d/init.d/*
        

================================================================================

Next Previous Contents