| 1 |
One of the most comprehensive guides for securing linux can be found at |
| 2 |
the TrinityOS homepage found here: |
| 3 |
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html |
| 4 |
|
| 5 |
It starts at the BIOS and works its way up. There is also a script to |
| 6 |
help you configure your system. At the *very* least this is a great |
| 7 |
starting point. |
| 8 |
|
| 9 |
Zach (see below for some details) |
| 10 |
|
| 11 |
From the website ---> |
| 12 |
|
| 13 |
Here is TrinityOS's current feature set.. |
| 14 |
|
| 15 |
---------------------------------------------------------------------- |
| 16 |
|
| 17 |
TrinityOS is a step by step, example driven, HOWTO on building a very |
| 18 |
functional Linux box with strong security in mind. |
| 19 |
|
| 20 |
|
| 21 |
Current |
| 22 |
Features: |
| 23 |
========= |
| 24 |
|
| 25 |
Master References and Recommended Guidelines |
| 26 |
-------------------------------------------- |
| 27 |
+ An extensive URL library and current version list for all |
| 28 |
installed and recommended Linux tools and applications |
| 29 |
+ Example guidelines on documenting the hardware and partition |
| 30 |
layout of your specific hardware |
| 31 |
|
| 32 |
Linux Distribution Thoughts: |
| 33 |
---------------------------- |
| 34 |
+ Thoughts and recommendations on picking a Linux distribution |
| 35 |
+ A common "Search & Replace" key to customize this doc to YOUR |
| 36 |
specific environment |
| 37 |
|
| 38 |
Core OS setup: |
| 39 |
-------------- |
| 40 |
+ Configuring, compiling, installing, and booting both a 2.2.x & |
| 41 |
2.0.x kernel |
| 42 |
+ Lilo configuration and security |
| 43 |
+ PCMCIA / CARDBUS PC-Card Services |
| 44 |
+ Software RAID 0 (striping) hard drives |
| 45 |
+ 7-CD SCSI CD-ROM changer system |
| 46 |
+ Automated Patching via RPM notifiers |
| 47 |
+ EXT2 file system tuning |
| 48 |
+ IDE hard drive performance optimization |
| 49 |
+ Dual printing system support for both UNIX and Windows/Samba hosts |
| 50 |
|
| 51 |
Network Connectivity: |
| 52 |
--------------------- |
| 53 |
+ Strong, comfigrable, and well commented IPCHAINS and IPFWADM |
| 54 |
packet firewall rule sets with a complete intro on how Packet and |
| 55 |
Stateful Inspected firewalls work |
| 56 |
+ Automated rollback script for the loading of rc.firewall rule sets |
| 57 |
so that if you make an error in the firewall rule set and the rule |
| 58 |
set doesn't complete, a backup |
| 59 |
rule set will be automatically loaded to restore connectivity. |
| 60 |
+ Full LAN masquerading (NAT or Network Address Translation) using |
| 61 |
private IP addressing |
| 62 |
+ Masq IP port forwarding support (IPportfw) |
| 63 |
+ Dual 10Mb/s Ethernet network card support setup and TCP/IP |
| 64 |
Performance optimization (modem and cable modem users) |
| 65 |
+ How to setup fully authoritative primary and secondary DNS servers |
| 66 |
(Bind v8.x) in a CHROOTed and and SPLIT Zone configuration |
| 67 |
+ Full Sendmail e-mail system support w/ domain masquerading & |
| 68 |
Anti-SPAM measures with support for more than one Internet domain |
| 69 |
on one EMAIL server |
| 70 |
+ IMAP4 / POP3 remote email service |
| 71 |
+ Masq IP port forwarding support (IPportfw) |
| 72 |
+ DHCP server for other LAN machines (laptops, etc) |
| 73 |
+ DHCP client setup for TCP/IP addresses |
| 74 |
+ Samba : Full Microsoft Windows file & printing support |
| 75 |
+ NFS: Full Sun RPC-based Network File System support |
| 76 |
+ IPSEC (Swan) VPN [Almost Complete] |
| 77 |
+ Apache WWW server |
| 78 |
+ PPP connectivity for primary PPP connectivity AND backup PPP |
| 79 |
connections |
| 80 |
+ Dial-on-Demand (Diald) Internet connections (modem users) - |
| 81 |
Automatic Internet connections every 15 minutes (modem users) |
| 82 |
+ Direct dial-in terminal / PPP access via a modem |
| 83 |
+ How to apply for a full Internet domain name via Network Solutions |
| 84 |
+ Full documentation on how understand and FIGHT all that SPAM email |
| 85 |
+ NTP time calibration |
| 86 |
+ Full UNIX (SMB) printing |
| 87 |
|
| 88 |
Security: |
| 89 |
--------- |
| 90 |
+ Complete physical and OS-level security recommendations and |
| 91 |
guidelines |
| 92 |
+ Full SSH telnet support [Future: X-windows encrypted tunnels] |
| 93 |
+ Actively Updated Linux system security and patching (Shadow |
| 94 |
passwords, etc) |
| 95 |
+ Advanced SYSLOG logging and nightly filtered reports emailed to |
| 96 |
the root user |
| 97 |
+ TrinityOS "CRITICALITY" rating in the CHANGELOG section to gauge |
| 98 |
the level of urgency of security vulnerabilities, system |
| 99 |
mis-configurations, etc. |
| 100 |
+ Tripwire Security Breech monitoring [not completed yet] |
| 101 |
+ NMAP port scanning to test your packet firewall |
| 102 |
+ Figuring out if you have been hacked.. Confirm it! |
| 103 |
+ Prioritized ChangeLog to let users know what changes are and are |
| 104 |
NOT too important |
| 105 |
+ Anonymized Sendmail Banners |
| 106 |
|
| 107 |
System backup: |
| 108 |
-------------- |
| 109 |
+ Minimum backups to floppy |
| 110 |
+ Full tape backup via BRU with emergency restore diskette creation |
| 111 |
+ Full APC SmartUPS power down support (APCUPSd) w/ paging support |
| 112 |
+ Backing up the server to a CD-R [not completed yet] |
| 113 |
|
| 114 |
More Extensive Guides: |
| 115 |
---------------------- |
| 116 |
+ How to fix LILO, HD partitioning, and file system corruption |
| 117 |
+ How to obtain an Internet domain(s) |
| 118 |
+ How to successfully move Internet domains across DNS servers |
| 119 |
and/or TCP/IP addresses |
| 120 |
+ How to recover from your box being hacked into and how to |
| 121 |
RE-secure it |
| 122 |
+ How to understand and fight SPAM email |
| 123 |
+ SSH encrypted tunnels for email, etc |
| 124 |
|
| 125 |
|
| 126 |
Future |
| 127 |
Features: |
| 128 |
========= |
| 129 |
|
| 130 |
(Won't be implemented in any particular order) |
| 131 |
|
| 132 |
* TrinityOS TO-DOs: |
| 133 |
------------------- |
| 134 |
+ Add more "Configuration via GUI tools" sections |
| 135 |
|
| 136 |
* Network stuff |
| 137 |
--------------- |
| 138 |
+ Modularize the rc.firewall rulset so updates can be transparent |
| 139 |
and not require additional tailoring for each update. |
| 140 |
+ Add a single interface IPCHAINS rc.firewall for eth0/1/2 and |
| 141 |
ppp0/1/2 users |
| 142 |
+ Remove LPR and replace it with LPRng or CUPS |
| 143 |
+ Mail Backup: Setup high cost MX records and ETRN email backup |
| 144 |
+ IPv6: Configure and setup IPv6 and possibly setup a IPv6 tunnel |
| 145 |
via the 6Bone |
| 146 |
+ Dial Backup: Add automatic analog modem dial backup when the |
| 147 |
ADSL/Cable modem goes down |
| 148 |
+ CODA: Replace NFS support with CODA |
| 149 |
+ Implement IMAP4 for a complete email subsystem |
| 150 |
+ Add a CACHING only setup for 8.1.x DNS |
| 151 |
+ Setup a email list server (MajorDomo, Petidomo, dunno yet) |
| 152 |
+ Email sent dynamic IP address exception requests for access |
| 153 |
through the TCP Wrappers and the IPFWADM rule sets |
| 154 |
+ DHCPc client setup for Cablemodems |
| 155 |
+ 128-bit encrypted Apache SSL WWW server |
| 156 |
+ Move over to xinetd for better DoS protection |
| 157 |
+ WWW Proxy services |
| 158 |
+ WWW banner add filtering |
| 159 |
|
| 160 |
* Security Stuff |
| 161 |
---------------- |
| 162 |
+ Replace the Sendlogs script to use either Swatch or LogSentry |
| 163 |
+ Automate the firewall hits logging for trend analysis |
| 164 |
+ Install PGP / GPG for secure and/or verified communications to: |
| 165 |
other users, Internic, binaries/source code verification, etc. |
| 166 |
+ SATAN / SAINT / Nessus / COPS / ISS security testing |
| 167 |
|
| 168 |
* Application stuff |
| 169 |
------------------- |
| 170 |
+ Implement Procmail to do local email filtering |
| 171 |
+ Setup fetchmail to get remote email vs. setting up a |
| 172 |
remote .forward |
| 173 |
+ Full SVGA X-Windows support w/ the WindowMaker window Manager |
| 174 |
(Xfree) |
| 175 |
|
| 176 |
* Administration stuff |
| 177 |
---------------------- |
| 178 |
+ Up the logging time on the UPS to 1 second increments and then |
| 179 |
plot all the stuff with GNU Plot to then be emailed via "Sendlogs" |
| 180 |
+ Rotate the UPS logs |
| 181 |
+ Implement automatic weekly incremental tape backups to the TR4 |
| 182 |
tape drive. |
| 183 |
+ BZip2 compression w/ tar patches |
| 184 |
|
| 185 |
* System Stuff |
| 186 |
-------------- |
| 187 |
+ Iomega parallel ZIP drive support |
| 188 |
|
| 189 |
Andreas Waschbuesch wrote: |
| 190 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 191 |
> Hash: SHA1 |
| 192 |
> |
| 193 |
> electrogramma tua profluit verbis: |
| 194 |
> |
| 195 |
>>Well .. A little bit of both .. its going to be gentoo specific but it will |
| 196 |
>>also include chapters like security polices, backup and intrusion detection |
| 197 |
>>since I think new linux users should be aware of this .. I know that Gentoo |
| 198 |
>>is proberly not used by new linux users (But they should since they can |
| 199 |
>>learn a lot) but still think it should be there .. not mutch but proberly |
| 200 |
>>some links and information why it's needed |
| 201 |
> |
| 202 |
> |
| 203 |
> Would U mind including some hints on naming conventions? It's a very easy |
| 204 |
> step to make footprinting a little harder ... ;-) |
| 205 |
> |
| 206 |
> Andrew |
| 207 |
> |
| 208 |
> - -- |
| 209 |
> Andreas Waschbuesch, GAUniversity KG MA FNZ FK01 |
| 210 |
> eMail: awaschb@××××.de |
| 211 |
> |
| 212 |
> In the long run we are all dead. |
| 213 |
> -- John Maynard Keynes |
| 214 |
> -----BEGIN PGP SIGNATURE----- |
| 215 |
> Version: GnuPG v1.0.6 (GNU/Linux) |
| 216 |
> Comment: For info see http://www.gnupg.org |
| 217 |
> |
| 218 |
> iD8DBQE8kRLd2s5UCjOaQbYRAsJUAJsFi3P4lLxRftBZI+35K6i70hd9pgCfbOLb |
| 219 |
> 8xcNQZuPXV153waWWHktA8U= |
| 220 |
> =fmDZ |
| 221 |
> -----END PGP SIGNATURE----- |
| 222 |
> _______________________________________________ |
| 223 |
> gentoo-dev mailing list |
| 224 |
> gentoo-dev@g.o |
| 225 |
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev |
| 226 |
> |
Archives