TrinityOS

TrinityOS is a step-by-step, example-driven HOWTO on building a very functional Linux box with strong security in mind. TrinityOS is well known for its strong packet firewall ruleset, Chrooted and Split DNS (v9 and v8), secured Sendmail (8.x), Linux PPTP, Serial consoles and Reverse TELNET, DHCPd, SSHd, UPSes, system performance tuning, the automated TrinityOS-Security implementation scripts, and much more.

Tags education Internet DNS Web printing Security Cryptography Software Development Documentation Boot Installation/Setup Logging Monitoring Networking Firewalls Power (UPS) Systems Administration Terminals Serial
Operating Systems POSIX Linux

Recent releases

  •  22 May 2005 20:23

Changes: The BOGON list in the IPCHAINS ruleset has been updated. There are some updates to the DNS section, minor updates to the SSH section, and URL section updates.

  •  22 Mar 2004 00:49

Changes: The sendlogs section was updated to include selected syslog entry reduction. A backup-to-disk script was added to support both local and remote NFS or SAMBA backups to hard drives. A wget command was added to download a local IANA list. All URLs that pointed to kernelnotes.org were updated or deleted.

  •  08 Nov 2003 12:02

Changes: Various daemon versions were updated in the URL section. The thoughts about Redhat, Fedora, and SuSe in the distros section were updated. A Bash OCTAL math issue in the UPS graphing script was fixed.

  •  11 Jul 2003 20:27

Changes: An update to the kernel compiling script "build-it", installation of OpenSSH to TrinityOS and deprecation of the use of SSH.com code (though instructions are still present), updated thoughts on RPM hell (it's not that bad now) and patch/errata support, and other bugfixes.

  •  10 Apr 2003 03:17

Changes: Many updates were made, including the addition of critical files to the backup floppy and Samba 2.2.8a to resolve security issues. Compilation help for 2.2.8 Samba users was also added. The recommended version of Sendmail was changed to 8.11.7 or 8.12.9, and information on disguising the version of Sendmail running was included.

Recent comments

10 Sep 2001 05:23 caniffe

TrinityOS
This is by far the single most helpful document I've ever encountered during my Linux experience. TrinityOS, even if you don't follow it to the letter, is an excellent guide for many facets of a secure Linux system.

Congratulations David; keep up the fine work.

10 Mar 2001 14:25 dranch

Re: Iptables?

> When will this wonderful
> "howto" include iptables?
> It'd be nice to have the great support
> for ipchains available in iptables
> format.

I'm working on a new ruleset that both supports (1) NIC NON-MASQed setups as well as (4) NIC MASQed setups for the IPCHAINS ruleset. This new ruleset will also be split into two files. With this upgrade, any future upgrades will NOT require users to have to manually edit the entire ruleset every time. All you'll have to do is replace the actual ruleset and reload it. Yes, you might not get any of the newly added features but you can address those as time permits. Anyway, once this new IPCHAINS mechanism is stable, the port to IPTABLES should be trivial. The other reason I haven't moved over to IPTABLES (though it is stateful) is that the MASQ support is not as good as the 2.2.x kernels. IPTABLES still does not have support for H.323, RealAudio, ICQ, etc. Because of this, my motivation is somewhat less. No worries though.. I plainly see the writing on the wall and the IPTABLES mechanism is a great upgrade for us all. I just need to do the upgrade RIGHT.

Until then, there IS a mode in IPTABLES to support IPCHAINS rulesets. Check it out. I'll see if I can add that into the next revision.

09 Mar 2001 14:19 davemann

Iptables?
When will this wonderful "howto" include iptables? It'd be nice to have the great support for ipchains available in iptables format.
