One of the most comprehensive guides for securing Linux can be found at
the TrinityOS homepage found here:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

It starts at the BIOS and works its way up. There is also a script to
help you configure your system. At the *very* least this is a great
starting point.

Zach (see below for some details)

From the website --->

Here is TrinityOS's current feature set..

----------------------------------------------------------------------

TrinityOS is a step by step, example driven, HOWTO on building a very
functional Linux box with strong security in mind.


Current Features:
=================

Master References and Recommended Guidelines
--------------------------------------------
+ An extensive URL library and current version list for all
  installed and recommended Linux tools and applications
+ Example guidelines on documenting the hardware and partition
  layout of your specific hardware

Linux Distribution Thoughts:
----------------------------
+ Thoughts and recommendations on picking a Linux distribution
+ A common "Search & Replace" key to customize this doc to YOUR
  specific environment

Core OS setup:
--------------
+ Configuring, compiling, installing, and booting both a 2.2.x &
  2.0.x kernel
+ Lilo configuration and security
+ PCMCIA / CARDBUS PC-Card Services
+ Software RAID 0 (striping) hard drives
+ 7-CD SCSI CD-ROM changer system
+ Automated Patching via RPM notifiers
+ EXT2 file system tuning
+ IDE hard drive performance optimization
+ Dual printing system support for both UNIX and Windows/Samba hosts

Network Connectivity:
---------------------
+ Strong, configurable, and well commented IPCHAINS and IPFWADM
  packet firewall rule sets with a complete intro on how Packet and
  Stateful Inspected firewalls work
+ Automated rollback script for the loading of rc.firewall rule sets
  so that if you make an error in the firewall rule set and the rule
  set doesn't complete, a backup rule set will be automatically
  loaded to restore connectivity.
+ Full LAN masquerading (NAT or Network Address Translation) using
  private IP addressing
+ Masq IP port forwarding support (IPportfw)
+ Dual 10Mb/s Ethernet network card support setup and TCP/IP
  Performance optimization (modem and cable modem users)
+ How to set up fully authoritative primary and secondary DNS servers
  (Bind v8.x) in a CHROOTed and SPLIT Zone configuration
+ Full Sendmail e-mail system support w/ domain masquerading &
  Anti-SPAM measures with support for more than one Internet domain
  on one EMAIL server
+ IMAP4 / POP3 remote email service
+ DHCP server for other LAN machines (laptops, etc)
+ DHCP client setup for TCP/IP addresses
+ Samba : Full Microsoft Windows file & printing support
+ NFS: Full Sun RPC-based Network File System support
+ IPSEC (Swan) VPN [Almost Complete]
+ Apache WWW server
+ PPP connectivity for primary PPP connectivity AND backup PPP
  connections
+ Dial-on-Demand (Diald) Internet connections (modem users) -
  Automatic Internet connections every 15 minutes (modem users)
+ Direct dial-in terminal / PPP access via a modem
+ How to apply for a full Internet domain name via Network Solutions
+ Full documentation on how to understand and FIGHT all that SPAM email
+ NTP time calibration
+ Full UNIX (SMB) printing

Security:
---------
+ Complete physical and OS-level security recommendations and
  guidelines
+ Full SSH telnet support [Future: X-windows encrypted tunnels]
+ Actively Updated Linux system security and patching (Shadow
  passwords, etc)
+ Advanced SYSLOG logging and nightly filtered reports emailed to
  the root user
+ TrinityOS "CRITICALITY" rating in the CHANGELOG section to gauge
  the level of urgency of security vulnerabilities, system
  mis-configurations, etc.
+ Tripwire Security Breach monitoring [not completed yet]
+ NMAP port scanning to test your packet firewall
+ Figuring out if you have been hacked.. Confirm it!
+ Prioritized ChangeLog to let users know what changes are and are
  NOT too important
+ Anonymized Sendmail Banners

System backup:
--------------
+ Minimum backups to floppy
+ Full tape backup via BRU with emergency restore diskette creation
+ Full APC SmartUPS power down support (APCUPSd) w/ paging support
+ Backing up the server to a CD-R [not completed yet]

More Extensive Guides:
----------------------
+ How to fix LILO, HD partitioning, and file system corruption
+ How to obtain an Internet domain(s)
+ How to successfully move Internet domains across DNS servers
  and/or TCP/IP addresses
+ How to recover from your box being hacked into and how to
  RE-secure it
+ How to understand and fight SPAM email
+ SSH encrypted tunnels for email, etc


Future Features:
================

(Won't be implemented in any particular order)

* TrinityOS TO-DOs:
-------------------
+ Add more "Configuration via GUI tools" sections

* Network stuff
---------------
+ Modularize the rc.firewall ruleset so updates can be transparent
  and not require additional tailoring for each update.
+ Add a single interface IPCHAINS rc.firewall for eth0/1/2 and
  ppp0/1/2 users
+ Remove LPR and replace it with LPRng or CUPS
+ Mail Backup: Set up high cost MX records and ETRN email backup
+ IPv6: Configure and set up IPv6 and possibly set up an IPv6 tunnel
  via the 6Bone
+ Dial Backup: Add automatic analog modem dial backup when the
  ADSL/Cable modem goes down
+ CODA: Replace NFS support with CODA
+ Implement IMAP4 for a complete email subsystem
+ Add a CACHING only setup for 8.1.x DNS
+ Set up an email list server (MajorDomo, Petidomo, dunno yet)
+ Email sent dynamic IP address exception requests for access
  through the TCP Wrappers and the IPFWADM rule sets
+ DHCPc client setup for Cablemodems
+ 128-bit encrypted Apache SSL WWW server
+ Move over to xinetd for better DoS protection
+ WWW Proxy services
+ WWW banner ad filtering

* Security Stuff
----------------
+ Replace the Sendlogs script to use either Swatch or LogSentry
+ Automate the firewall hits logging for trend analysis
+ Install PGP / GPG for secure and/or verified communications to:
  other users, Internic, binaries/source code verification, etc.
+ SATAN / SAINT / Nessus / COPS / ISS security testing

* Application stuff
-------------------
+ Implement Procmail to do local email filtering
+ Set up fetchmail to get remote email vs. setting up a
  remote .forward
+ Full SVGA X-Windows support w/ the WindowMaker window Manager
  (Xfree)

* Administration stuff
----------------------
+ Up the logging time on the UPS to 1 second increments and then
  plot all the stuff with GNU Plot to then be emailed via "Sendlogs"
+ Rotate the UPS logs
+ Implement automatic weekly incremental tape backups to the TR4
  tape drive.
+ BZip2 compression w/ tar patches

* System Stuff
--------------
+ Iomega parallel ZIP drive support

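The rc.firewall rollback described under "Network Connectivity" above, as an added example that is not TrinityOS's own script: a POSIX sh loader that arms a watchdog before applying a new rule set and restores a known-good backup if the new one exits non-zero or never completes. The rule-set scripts it runs are constructed stand-ins that only echo; the function names, file names and the STATE file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not TrinityOS's own rc.firewall: load a new firewall rule-set
# script and fall back to a known-good backup if the new one exits non-zero or
# never completes. The "rule sets" are constructed stand-ins that only echo.
# load_firewall NEW BACKUP STATE [GRACE]
#   STATE ends as "new" or "backup". Returns 0 if NEW is active, 1 if the
#   backup had to be restored.
load_firewall() {
    new=$1 backup=$2 state=$3 grace=${4:-30}
    echo loading > "$state"
    # Arm the watchdog BEFORE touching any rules: if NEW hangs, or locks us
    # out so we never reach the disarm step, the backup still gets loaded.
    # It records the rollback first so a late-finishing NEW cannot claim success.
    ( sleep "$grace"; echo backup > "$state"; sh "$backup" ) >/dev/null 2>&1 &
    watchdog=$!
    if sh "$new"; then
        kill "$watchdog" 2>/dev/null || true
        [ "$(cat "$state")" = loading ] || return 1   # watchdog already fired
        echo new > "$state"
        return 0
    fi
    # NEW aborted part-way: never leave a half-loaded rule set in place.
    kill "$watchdog" 2>/dev/null || true
    echo backup > "$state"
    sh "$backup"
    return 1
}
# make_demo_rules DIR: constructed stand-in rule sets (nothing touches a real
# firewall); a real rc.firewall would run ipchains/ipfwadm commands here.
make_demo_rules() {
    dir=$1
    printf '%s\n' '#!/bin/sh' 'echo "(pretend) loading new rule set"' > "$dir/good.sh"
    printf '%s\n' '#!/bin/sh' 'echo "(pretend) rule 1"' 'exit 1  # typo on rule 2' > "$dir/bad.sh"
    printf '%s\n' '#!/bin/sh' 'sleep 3  # stalls longer than the grace period' > "$dir/hang.sh"
    printf '%s\n' '#!/bin/sh' 'echo "(pretend) reloading known-good backup"' > "$dir/backup.sh"
}
# Stand-alone demo: the three outcomes with a 1-second grace period.
demo() {
    dir=$(mktemp -d)
    make_demo_rules "$dir"
    for rules in good bad hang; do
        if load_firewall "$dir/$rules.sh" "$dir/backup.sh" "$dir/state" 1; then
            echo "$rules: new rule set active ($(cat "$dir/state"))"
        else
            echo "$rules: rolled back ($(cat "$dir/state"))"
        fi
    done
    rm -rf "$dir"
}
demo
```

The watchdog is the part that matters on a real box: a rule set that blackholes your own SSH session never reaches the disarm step, so the backup must be scheduled before the first rule is applied.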
Andreas Waschbuesch wrote:
> Your e-mail flowed forth with these words:
>
>> Well .. A little bit of both .. it's going to be Gentoo specific but it will
>> also include chapters like security policies, backup and intrusion detection
>> since I think new Linux users should be aware of this .. I know that Gentoo
>> is probably not used by new Linux users (But they should since they can
>> learn a lot) but still think it should be there .. not much but probably
>> some links and information why it's needed
>
>
> Would U mind including some hints on naming conventions? It's a very easy
> step to make footprinting a little harder ... ;-)
>
> Andrew
>
> --
> Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
> eMail: awaschb@××××.de
>
> In the long run we are all dead.
> -- John Maynard Keynes
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@g.o
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev