 |
|
|
Home :: International :: Manuals :: Howto :: FAQ :: Man Pages :: Email Login |
5. Software URL download map and checklist
- Software recommended and used for the TrinityOS doc (roughly in this order). ** NOTE** Put all code in /usr/src/archive/ I personally recommend to putting ALL additional software source code, RPMs, etc in /usr/src/archive. In the "archive" directory, I make subdirectories for the various code like dns, ssh, sendmail, etc. This IS your box though so put things ANYWHERE you so wish. :)
5.1 Master site for all Internet RFCs:
5.2 The Master IANA site
- For all Internet port numbers, protocol numbers, etc. A VERY recommended place to go, download them ALL, and put them in /etc/iana.
To create a local copy, do the following:
mkdir /etc/iana cd /etc/iana/ wget -r -l 1 -nH --no-parent http://www.iana.org/numbers.html
5.3 Master site for all known Internet Trojan ports
5.4 Distribution Sites and Update MIRRORS:
Any Service Packs, security patches, etc. for your installed Slackware or Redhat distribution(s)
Mandrake Updates:
- Master URL: http://www.linux-mandrake.com/en/security/
Redhat Updates:
- Master MIRROR URL:
http://www.redhat.com/mirrors.html
- Fast:
ftp://ftp.codemeta.com/pub/mirrors/redhat/updates/;
- 5.2 only: ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatUpdates/
5.5 Newest stable kernel
ftp://ftp.kernel.org or ftp://ftp.freesoftware.com/pub/linux/sunsite/kernel/
2.4.x
- 2.4.22 is stable
- All kernels less that 2.4.20 have the lcall7 local DoS attack vunerability. No REMOTE DoS attack is possible.
- All kernels less than 2.4.13 have a serious symlink vunerability. Please upgrade your kernel.
- Please note that the 2.4.x series of kernels is still quite new and some aspects of it are immature in comparison to 2.2.x kernels ( PCMCIA, Power Management, etc ). But, several new aspects of the 2.4.x kernels might make you want to try it (faster IP stack, stateful firewalls, journaled filesystems, etc. )
2.2.x
- 2.2.25 is stable
- All versions less than 2.2.22 have a local denial of service risk though no REMOTE DoS attack is possible.
- ALL versions less than 2.2.16 have a TCP exploit that when combined with tools such as Sendmail, will leed to a root compromise.
- All kernels below 2.2.12 have a IP fragmentation bug. This will make ALL strong IPCHAINS rule sets vulnerable!
- 2.2.11 has a memory leak issue.
2.0.x
- 2.0.39 is stable
- Any lower version have a DoS attack against the TCP/IP stack
5.6 IP NAT, MASQ, Load Balancing, and High Availability tools
- There are several implementations but here are the common ones:
- A Good Master Reference to the various NAT implimentations for multiple Operating Systems
- Main Linux NAT, Load Balancing, and High Availability reference site:
- Newer NAT implementations:
- IPROUTE2: The primary true Many:Many NAT implimentation for 2.2.x kernels -
ftp://ftp.inr.ac.ru/
- Mirror: ftp://ftp.tux.org/people/alexey-kuznetsov/ip-routing/
- Documentation #1: ftp://post.tepkom.ru/pub/vol2/Linux/docs/
- Documentation #2: http://www.compendium.com.ar/policy-routing.txt
- Advanced Routing HOWTO: This doc covers IPROUTE2, Policy-based routing (source IP), GRE tunnels, Multicast, Queueing, etc, and more - http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html
- An older NAT implimentation available here: http://proxy.iinchina.net/~wensong/ipnat/
- IPROUTE2: The primary true Many:Many NAT implimentation for 2.2.x kernels -
ftp://ftp.inr.ac.ru/
- Excellent tutorials on Linux NAT and the home of one of the first implementations:
- A Good Master Reference to the various NAT implimentations for multiple Operating Systems
MASQ E-mail list : By far the BEST way to get MASQ-help (very helpful!!)
- Send mail to mailto:masq-request@tiffany.indyramp.com
Linux IP Masq
2.4.x kernels
- NetFilter now provides for both 1:Many Masq-like NAT and true 1:1 NAT:
2.2.x kernels
- NOTE: ALL versions less than 2.2.16 have a IP fragmentation bug (among
other things). This will make ALL strong IPCHAINS rule sets vulnerable! Upgrade
NOW!
- IPCHAINS Main site:
IPMASQADM port forward patches:
The beginnings of Stateful Inspection for Linux:
- 2.0.x kernels
- 2.1.x / 2.2.x kernels
2.0.x kernels
- IPFWADM (source must download regardless if installed with Redhat)
- Slackware:
- Redhat:
- IPFWADM patches (if required for pre-2.0.30 kernels) at:
- IPCHAINS support for the 2.0.3x kernels
- http://aemiaif.lip6.fr/willy/pub/linux-patches/ipnat/
- http://www-miaif.lip6.fr/willy/pub/linux-patches/
- IPPORTFW Port forwarding for 2.0.x kernels
- Homepage:
- Patches:
- Interpreting Firewall hits:
- This is a great URL in addition to the content in Section 10 on how to interpret your firewall logs and what all the information means:
5.7 PPP - v2.4.1 (not needed for most cable modem users)
Primary site: http://www.samba.org/ppp/index.html/
5.8 ML/PPP
- PPPd now supports ML/PPP as of 2.4.x (see above)
- Strong Implimentation: http://mp.mansol.net.au/mp/
- Lots of data, little code: ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink
- Another implementation (runs on 2.2.x+ and he is looking for testers) http://linux-mp.terz.de
- Dead link? http://mp.ins-coin.de
5.9 PPPoE (PPP over Ethernet) : Needed for some DSL and Cablemodem users
Very popular user-space client : Primary Site: http://www.roaringpenguin.com/pppoe.html
Kernel-Space client known for somewhat better performance: http://www.davin.ottawa.on.ca/pppoe/
Some other informational URLs as well:
http://www.suse.de/~bk/PPPoE-project.html
http://www.sympaticousers.org/faq.htm
5.10 Diald v0.99.4 (not needed for cable modem users)
Diald is now maintained by a new author and site:
RPMS: http://ipmasq.webhop.net/juanjox/
Download the original Diald and Diald patches (Diald v0.16.5)
http://www.loonie.net/~eschenk/diald.html
5.11 NAMED current: 8.4.1 and 9.2.3
Sources: ftp://ftp.isc.org/isc/bind/src/
Versions: 9.2.2 requires non-vulnverable OpenSSL code. It's also recommend to download both the source code /and/ the associated .asc PGP signature for that version of BIND.
RPMs: Finding new RPMs for the newest versions of Bind isn't very easy. Once place you might have luck is the CONTRIB area of sites like Redhat and Mandrake. Those RPMs seem to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.
You can also find a chroot-ed version of bind here:
ftp://ftp.fi.muni.cz/pub/users/kas/bind-chroot/
Announcement list:
Send email to bind-announce-request@isc.org with "subscribe" in the subject field.
5.12 Vlock (stock in Redhat if installed)
ftp://ftp.freesoftware.com/pub/linux/sunsite/utils/console/vlock-1.0.tar.gz
5.13 Network Sniffers
- TCPDUMP (stock in Redhat if installed) - Excellent network packet sniffer
ftp://ftp.freesoftware.com/pub/linux/sunsite/system/network/management/ or ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
- IPtraf - Excellent high level network protocol watcher
- Current 2.1.0
ftp://ftp.cebu.mozcom.com/pub/linux/net
- EtherReal - An excellent GUI decoder
5.14 Sendmail current: v8.11.7 and v8.12.10
ftp://ftp.sendmail.org/pub/sendmail/
Both Sendmail 8.12.9 and 8.11.7 are secure though they have a problem with the "smrsh" shell. TrinityOS doesn't use this but if you are concerned about it, a patch is available. Currently, if you plan to use 8.11.x, you need to run 8.11.7 secure it from a few recently found remote root exploits.
RPMs: The newest Sendmail is NOT available in RPM form from sendmail.org but it IS in Redhat's CONTRIB area. It seems to work fine but some people do NOT trust someone else's compiled code, so, it's your choice.
ftp://ftp.infomagic.com/pub/mirrors/linux/RedHatContrib/libc6/i386
Announcement list:
Send an email to majordomo@Lists.Sendmail.ORG with the text "subscribe sendmail-announce" in the body of the message.
5.15 POPAuth
I have taken over ownership of these documents but haven't had a chance to post them yet. If you would like to get a copy of them, please email me
For allowing remote POP-3 clients to be able to use the SMTP server to send email.
5.16 Virtual Email domains
To support multple email domains w/ Sendmail, Qmail, etc check out:
http://www.linuxdoc.org/HOWTO/Virtual-Services-HOWTO.html
5.17 DHCP Server - DHCPd v3.0p2
DHCP Faq: http://www.dhcp-handbook.com/dhcp_faq.html#hddhs
RFC Info: http://www.dhcp.org/rfc2131.html
http://www.dhcp.org/rfc2132.html
Legacy Info: http://www.cis.ohio-state.edu/rfc/rfc1542.txt
Download: http://www.isc.org/dhcp.html
5.18 DHCP Client
DHCP HOWTO: http://www.tldp.org/HOWTO/mini/DHCP/index.html
DHCPcd 1.3.22-p12: http://www.phystech.com/download/dhcpcd.html
Other DHCP info:
http://www.linux-firewall-tools.com/linux/firewall/index.html
A HOWTO specific to the RoadRunner Cablemodem setup, but it's still a good site: http://www.vortech.net/rrlinux/
5.19 WU-FTP v2.6.2 - with multiple patches
FTP: ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
5.20 NetWatch
ftp://ftp.digital.com/pub/linux/redhat/powertools-5.0/i386/
5.21 Getdate (NTP) - v1.2 (Was SETTIME)
ftp://metalab.unc.edu/pub/Linux/system/network/misc/getdate_rfc868-1.2.tar.gz
5.22 NTP Clock Sources
http://www.eecis.udel.edu/~mills/ntp
5.23 Tape Back up:
- BRU (it's not free but it's the best Linux backup software out there IMHO. This is one place you just CAN'T skimp!) Recommended!
http://www.estinc.com
5.24 Mozilla v1.5 ( Netscape is dead)
5.25 SSH
Commonly used BSD licensed OpenSSH client/server (totally free) - current: 3.7.1p2 http://www.openssh.com/
Original Commercial SSH.com client/server (free for Linux :: for now) - current: 3.2.5 http://ftp.ssh.com/pub/ssh/
Additional UNIX SSH tunneling URLs:
http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html
5.26 Raidtools
Good info on Linux RAID: http://linas.org/linux/raid.html
Raidtools 1.00.3: http://people.redhat.com/mingo/raidtools/
5.27 Samba current: 3.0.0 (stock in most distros if installed)
Also, they have great docs at http://samba.anu.edu.au/
5.28 PCMCIA Services
http://pcmcia-cs.sourceforge.org/
5.29 UPS software - APCUPSd and Powerchute
Original and quite nice APCUPSd open-source daemon - v3.10.6: http://www.apcupsd.org/ or http://www.sibbald.com/apcupsd/
Official APC Powerchute for Linux - v4.5.3 - Free closed-source daemon with excellent Xwindows support: http://www.apcc.com/tools/download/index.cfm
5.30 Apache WWW server - 2.0.48 and 1.3.29
Standard Apache: http://www.apache.org or ftp://ftp.redhat.com/pub/contrib/i386/apache-1.2.6-5.i386.rpm
SSL-encrypted Apache:
5.31 File Integrity testing/Monitoring
TripWire:
Tripwire has gone OpenSource for LINUX! Woohoo! Though it isn't available quite yet, it will be there soon:
Also, as of v2.2.1, Tripwire now runs on Glibc.
http://www.tripwiresecurity.com/products/Tripwire_ASR20.cfml
You can also get the older versions here:
ftp://coast.cs.purdue.edu/pub/COAST/Tripwire
Aide:
AIDE is a GNU version of Tripwire
ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.4.tar.gz
ViperDB:
ViperDB is another GNU version of Tripwire
http://www.resentment.org/projects/viperdb/index.html
5.32 RPM update tools:
AutoRPM current version: 1.9.8.1
http://www.kaybee.org/~kirk/html/linux.html
The Perl module "Libbet"
http://cpan.valueclick.com/modules/by-module/Net/
RPM Watch current version: 1.1
(does not work for Redhat 5.2+) [Will be phased out] ftp://ftp.iaehv.nl/pub/users/grimaldo/rpmwatch-1.1-1.noarch.rpm
RPMLevel (from the author of RPMWatch)
5.33 Mkisofs
ftp://ftp.fokus.gmd.de/pub/unix/cdrecord/mkisofs/
5.34 Compression tools
BZip2 : http://sourceware.cygnus.com/bzip2/index.html
5.35 Bash HOWTO
http://www.linuxdoc.org/HOWTO/Bash-Prompt-HOWTO.html Also see Section 42 in TrinityOS
5.36 Dial-In Server HOWTO
5.37 SWAN / IPSEC VPN
Project home page:
http://www.xs4all.nl/~freeswan or http://www.flora.org/freeswan/
SWAN email list:
http://www.xs4all.nl/~freeswan
Overview http://www.cygnus.com/~gnu/swan.html
Download the IPSec code from:
Broken? ftp://ftp.xs4all.nl/pub/crypto/freeswan
Works ? http://ftp.xs4all.nl/pub/crypto/freeswan
or
http://www.flora.org/freeswan/download
Other Mini-HOWTOs:
https://www.seifried.org/articles/ipsec/
5.38 PPTP VPNs and client software
- Client: http://sourceforge.net/projects/pptpclient/pptp-linux-1.1.0-1.tar.gz
- PPP shim:
http://sourceforge.net/projects/pptpclient/ppp-mppe-2.4.0-4.tar.gz
- Additional docs: http://pptpclient.sourceforge.net/howto.html#setup
- Addition troubleshooting:
http://pptpclient.sourceforge.net/howto-diagnosis.phtml
- IPMASQ patches: ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
5.39 PGP Email Encryption
5.40 Serial consoles and Remote TELNET
- Remote Serial HOWTO (for more details on configuring serial consoles): http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/
5.41 IP logger
ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm
5.42 Hardware Performance Tuning:
- PowerTweak - optimize the BIOS/Chipset/PCI registers http://powertweak.sourceforge.net/
- Preempt patch - make the kernel more responsive under load http://www.tech9.net/rml/linux/
- IRQTune - optimize IRQ response times - good for PPP/Modem users ftp://shell5.ba.best.com/pub/cae/irqtune.tgz
- HDparm - good for hardcore IDE performance users ftp://sunsite.unc.edu/pub/Linux/kernel/patches/diskdrives
5.43 Security Documentation, Tools, and Resources
Various Security Mailing lists and documentation
The Linux Security HOWTO
Logging tools:
- CheckLogs:
- Swatch:
- Psionic LogCheck:
- LogSurfer: (like Swatch but with state checking!)
- Nmap - v3.48
- Nessus:
- COPS (old)
ftp://ftp.freesoftware.com/pub/linux/sunsite/system/security/cops_104.tgz
- Saint (new version of Satan)
- SATAN (Old)
Newer: ftp://ftp.porcupine.org/pub/security/index.html
Older ftp://ftp.win.tue.nl/pub/security/satan.tar.Z
- Solar buffer-overflow fixer
ftp://ftp.huwig.de/pub/linux/mama/2.0/stack_noexec-symlink-security-fix.bz2
- Kurt Seifried's Linux Administrators Security Guide (LASG)
https://www.seifried.org/lasg/
- Ofir Arkin's paper on ICMP protocol fingerprinting
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf
- Other URLs:
Test Exploits: http://www-miaif.lip6.fr/willy/security/
Test Exploits: http://www.rootshell.org
Test Exploits: http://www.l0pht.com
Test Exploits: http://www.geek-girl.com
Security Alerts: Subscribe to BugTraq at mailto://LISTSERV@NETSPACE.ORG
More Security:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#security
http://www.ecst.csuchico.edu/~jtmurphy/
- Abacus Security Initiative
Includes host_sentry, port_sentry and logchecker.
- Intrusion Detection Systems (IDS) Tools SHADOW (SANS)
SHADOW (SANS): http://www.nswc.navy.mil/ISSEC/CID/step.htm
Snort: http://www.snort.com
- Network Flight Recorder
Setup HOWTO: http://www.nswc.navy.mil/ISSEC/CID/nfr.htm
NFR software: http://www.nfr.net/download/
NFR ID Attack ID Packages: http://www.nswc.navy.mil/ISSEC/CID/nfr_id.tar.gz http://www.l0pht.com/NFR/
5.44 WWW proxy (Apache or Squid)
5.45 WWW Ad banner filtering
http://www-math.uni-paderborn.de/~axel/NoShit/index.html
patch: http://www.america.com/~chrisf/web/NoShit/WebFilter_0.5.patch.gz
Example filter: http://www.america.com/~chrisf/web/NoShit/library.txt
5.46 Zip drive
http://www.torque.net/~campbell
5.47 Linux Applications:
http://www.xnet.com/~blatura/linapps.shtml
5.48 Linux Games:
X-Shipwars: http://fox.mit.edu/xsw/
5.49 Linux Instant Messenger clients:
- GAIM 0.72 http://gaim.sf.net
- Reviews of different IMs for Linux: http://www.linuxnetmag.com/en/issue2/m2icq1.html http://www.portup.com/~gyandl/
Next Previous Contents
|
|
|
Home :: Copyright :: Privacy :: Credits :: Get a free Linuxinfor Email Account Document on this page is part of "TrinityOS: A Guide to Configuring Your Linux Server for Performance, Security, and Manageability". See Index Page for more info about Authorship and Copyright. 1999-2008 Linuxinfor.com. No rights reserved. |