TrinityOS

From ChekMate Security Group

A Guide to Configuring Your Linux Server for Performance, Security, and Manageability




David A. Ranch dranch at trinnet dot net
May 22, 2005

TrinityOS and its associated archive scripts guide the Linux user step by step, using a common example throughout, through the configuration of more than 50 Internet services. The main focus of TrinityOS is to do this securely while keeping both performance and manageability in mind. The documents also guide the user through other advanced topics such as acquiring their own Internet domain(s), moving DNS servers, confirming whether you've been hacked, fighting SPAM email, and fixing various Linux file system, partition, LILO, and data recovery problems.

1 Copyright Notice

TrinityOS ™ © http://www.ecst.csuchico.edu/~dranch/LINUX/index.html#TrinityOS
Written, Maintained, Trademarked, and Copyrighted by David A. Ranch (dranch at trinnet dot net)

2 Introduction

3 Feature Sets

3.1 Current Features:

3.2 Future Features:

4 Hardware Configuration

4.1 Distribution:

4.2 Kernel

4.3 Hardware Used:

5 Software URL download map and checklist

5.1 Master site for all Internet RFCs:

5.2 The Master IANA site

5.3 Master site for all known Internet Trojan ports

5.4 Distribution Sites and Update MIRRORS:

5.5 Newest stable kernel

5.6 IP NAT, MASQ, Load Balancing, and High Availability tools

5.7 PPP - v2.4.3 (not needed for most cable modem users)

5.8 ML/PPP

5.9 PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users

5.10 Diald v1.00 (not needed for cable modem users)

5.11 Bind / Named current: 9.3.1 and 8.4.6

5.12 Vlock (stock in Redhat if installed)

5.13 Network Sniffers

5.14 Sendmail current: v8.13.4, v8.12.11, and v8.11.7

5.15 POPAuth

5.16 Virtual Email domains

5.17 DHCP Server - DHCPd v3.0.2

5.18 DHCP Client

5.19 WU-FTP v2.6.2 - with multiple patches

5.20 NetWatch

5.21 Getdate (NTP) - v1.2 (Was SETTIME)

5.22 NTP Clock Sources

5.23 Tape Back up:

5.24 Mozilla v1.7.8 (Netscape is dead)

5.25 SSH

5.26 MDADM and Raidtools

5.27 Samba current: 3.0.14a (stock in most distros if installed)

5.28 PCMCIA Services - 3.2.8

5.29 UPS software - APCUPSd and Powerchute

5.30 Apache WWW server - 2.0.54 and 1.3.33

5.31 File Integrity testing/Monitoring

5.32 RPM update tools:

5.33 Mkisofs

5.34 Compression tools

5.35 Bash HOWTO

5.36 Dial-In Server HOWTO

5.37 SWAN / IPSEC VPN

5.38 PPTP VPNs and client software

5.39 PGP Email Encryption

5.40 Serial consoles and Remote TELNET

5.41 IP logger

5.42 Hardware Performance Tuning:

5.43 Security Documentation, Tools, and Resources

5.44 WWW proxy (Apache or Squid)

5.45 WWW Ad banner filtering

5.46 Zip drive

5.47 Linux Applications:

5.48 Linux Games:

5.49 Linux Instant Messenger clients:

6 Thoughts on Picking a Linux Distribution

6.1 Installing Linux distribution

6.2 Redhat: http://www.redhat.com

6.3 Mandrake: http://www.linux-mandrake.com

6.4 SuSE: http://www.suse.com

6.5 Debian: http://www.debian.org

6.6 Gentoo: http://www.gentoo.org/

6.7 Slackware: http://www.slackware.com

6.8 Caldera: http://www.calderasystems.com/

6.9 Other Distributions

7 Installing a distribution, patching it, and doing a Search/Replace on TrinityOS

7.1 Upgrading/Updating your Linux distribution:

7.2 TrinityOS diagrams and Search and Replace Keys

7.3 !!! Fixing Redhat, Mandrake, etc. (bugs) that are right out of the BOX! (ouch!):

8 Initial System security

8.1 BIOS/CMOS Settings

8.2 Linux root Password

8.3 Enable the "sticky" bit in /tmp

8.4 Disable the Control-Alt-Delete keyboard shutdown command

8.5 Disable the ability to run INIT in interactive mode

8.6 Compile / install vlock (available in most modern distributions).

8.7 Change what system daemons get loaded by editing the following files in "/etc/rc.d/"

8.8 Shutting down most of inetd / xinetd

8.9 TCP wrapper security

8.10 FTP Anonymous users

8.11 Shadow Passwords

8.12 Disable ROOT TELNET/SSH access

8.13 Disable ROOT FTP access

8.14 Disable miscellaneous cron stuff

8.15 File Permission corrections

8.16 SUID ROOT PROGRAMS

8.17 Looking for R-command files

8.18 Fix Xwindows permissions

9 Advanced System Logging and some Cool Tips

9.1 SYSLOG tuning

9.2 Log Rotations

9.3 Cool rc.local tips and LOGIT for logging troubleshooting

9.4 A more readable BASH prompt

9.5 Some security tips for BASH

9.6 Make the apropos database

9.7 Sendlogs - Daily email of system logs with log reduction

10 Advanced firewall rule sets including IP Masquerade for single and multi-NIC setups

10.1 What is a packet firewall

10.2 How a packet firewall works

10.3 How IP Masquerade (IP MASQ) works:

10.4 Differences between Packet and Stateful Firewalls

10.5 Debugging / Monitoring your firewall with examples

10.6 Simple IPCHAINS / IPFWADM rule set for initial IPMASQ testing

10.7 Strong TrinityOS IPCHAINS firewall rule set

10.8 The /etc/rc.d/init.d script to load the IPCHAINS rule set upon boot

10.9 An older TrinityOS rc.firewall rule set for 2.0.x kernels (LEGACY)

10.10 An older TrinityOS rc.firewall rule set for 2.0.x kernels not running IPMASQ (LEGACY)

10.11 Tips on editing the rc.firewall to support specific access

10.12 Testing your firewall rulesets

10.13 Remotely running the firewall-confirm file

11 Initial Preparation for Kernel Patching and Compiling

12 Initial Linux Kernel compiling

12.1 Configuring a kernel

12.2 Tricks: Upgrading an existing kernel to a newer one

12.3 A 2.2.16 kernel config

12.4 A 2.0.38 kernel config /w IPPORTFW and LooseUDP patches

13 Compile PPPd

14 Final Linux Kernel compiling and installation

14.1 Manually compiling the kernel

14.2 Automating kernel compiling via the "build-it" script

15 Lilo configuration and installation

16 Additional RC script configuration and TCP/IP network optimization

16.1 Serial Port Optimizations:

16.2 Network Optimization:

17 Patching, Compiling, and installing IPFWADM

18 Mail aliases for system administration

19 Preparing for reboot and clearing the logs

20 Verifying MASQ module installation

21 Install TCPDUMP

22 PPPd configuration [For both PRIMARY and BACKUP PPP connections]

22.1 Thoughts on PPP and its Dial-on-Demand feature

22.2 Primary PPP users using Strong Firewalls:

22.3 FAQ: PPP issues and troubleshooting

23 Diald [For Modem users only]

24 DNS: Acquiring and configuring CHROOTed and SPLIT master/slave DNS servers

24.1 Protecting your Internet Domain Name when Making Changes

24.2 BIND version 9 vs 8 vs 4 and Figuring out what version you have:

24.3 Security Warnings about previous versions of BIND

24.4 Downloading and compiling BIND

24.5 Creating the CHROOTed environments

24.6 Creating the internal named.conf configuration file

24.7 Creating the internal zone files

24.8 Creating the external named.conf configuration file

24.9 Creating the external zone files

24.10 Fixing final CHROOTed permissions and ownerships

24.11 Tuning How NAMED loads the SPLIT zone file configuration

24.12 Fixing SYSLOGing to understand the new CHROOTed setup

24.13 Starting up and testing BIND

24.14 Possible Bind errors upon load

24.15 Enabling Bind to load upon future boots

24.16 Changes for Bind9

24.17 Supporting more than one Internet Domain name on this DNS server

24.18 Setting up Secondary (BACKUP) DNS servers

24.19 Gotchas with Master DNS servers being down for long periods of time

24.20 Secondary DNS Design considerations

24.21 Automating the maintenance of the root-hints.db file

24.22 How to acquire an Internet Domain Name

25 SMTP MAIL: Sendmail configuration w/ domain masquerading & spam filters

25.1 Determining what version of Sendmail you are running

25.2 Notes about changes in Sendmail over various versions of Sendmail

25.3 Downloading and either compiling or installing Sendmail from binaries

25.4 Final install clean-up

25.5 Configuring Sendmail to support your single or multiple Domain name(s)

25.6 Configuring the Sendmail .mc files via m4 or by hand

25.7 Email Alias and Relay configuration

25.8 Configuring DNS MX records

25.9 Some Possible Sendmail Startup Troubleshooting

25.10 Tuning Sendmail for security

25.11 Running Sendmail as a daemon or as a cron job

25.12 Testing your Sendmail setup

25.13 More troubleshooting help

25.14 Being a Backup SMTP email server (Backup MX) for other Internet domains

26 NTP Time calibration

26.1 The Getdate way:

26.2 The xntp way:

27 DHCPd SERVER configuration

27.1 The Differences between DHCP and BOOTP

27.2 Configuring DHCP support on various Linux Distributions:

27.3 Determining MAC addresses for static DHCP scopes

27.4 Creating the /etc/dhcpd/conf file

27.5 Starting up DHCP

27.6 Using DHCP Relay for LANs separated by routers

28 POP3 and IMAP4 e-mail services

29 System Backups: Backing up data to HDs, Tape, and floppies

29.1 STATE backups to floppies

29.2 FULL Backups: local and remote backups using a Hard Drive

29.3 Full backups using a Tape drive:

29.4 Using a CD-R or CD-R/W drive

30 SSH Terminal, FTP, X-windows, and tunnel encryption

30.1 What is SSH and the differences between SSH protocol v1 and v2

30.2 Running OpenSSH vs. SSH.com code

30.3 OpenSSH: Thoughts, Issues, and Features

30.4 Compiling OpenSSH:

30.5 Compiling up SSH.com's SSH

30.6 Configuring OpenSSH or SSH.com to load the server daemon upon reboot with startup scripts

30.7 Configuring the Unix services

30.8 Configuring SSH.com SSH:

30.9 Configuring BASH aliases for proper SSH operation through firewalls

30.10 Starting the SSH server:

30.11 SSH Problems? Here are a few possible solutions

30.12 SSH Port Forwarding

31 Software RAID 0 (striping) Hard drives

32 SCSI CD-ROM Changers: Installing and Setup

33 Samba installation and configuration

33.1 Determining what version of Samba you might have now

33.2 Downloading and compiling Samba

33.3 Configuring the smb.conf file

33.4 Testing your smb.conf file

33.5 Loading Samba for the first time

33.6 Creating the smbpasswd file

33.7 Specific Windows issues with Samba

33.8 Samba printing

33.9 Having smbd load upon Linux reboot

33.10 Listing and Mounting remote SMB shares locally on your Linux machine

34 PCMCIA services installation and configuration

34.1 Compiling the PCMCIA tools

34.2 Editing the PCMCIA configuration files

35 DHCPcd : Client DHCP for xDSL / Cablemodem users

36 UPS: Complete UPS Backup & Graphing support for APC UPSes

36.1 The state of the software

36.2 Installing and Using APC's Powerchute

36.3 Installing APCUPSd

36.4 Configuring APCUPSd for logging and paging

36.5 Testing your new UPS setup

36.6 Graphing the UPS stats results each day

37 Apache WWW Server

38 Tripwire file monitoring [Not finished yet]

39 Backing up the new system Linux to a CD-R

40 NFS (Network File System) File sharing

40.1 NFS Security:

40.2 Note about Linux NFS performance:

41 EXT2 File system tuning

42 Dial-in terminal / PPP access via a modem

42.1 For PPP connectivity:

42.2 Dialing in with answering machines:

43 Automated RPM notifiers

43.1 AutoRPM (the preferred solution):

43.2 rpmwatch

44 Nmap port scanner

45 So you think you are being hacked: Confirm it!

46 UNIX and Samba Printing

47 IPSec (SWAN) Virtual Private Network (VPN) [Almost complete]

47.1 Bugs and Gotchas:

48 PPTP support as a Linux client or PPTP through a MASQ server

48.1 Kernel source tree

48.2