files to copy on migration
/home/.cobalt/report - contains the report files for all the sites
/usr/admserv/html/.cobalt/error
/usr/admserv/html/.cobalt/siteManage
/usr/local/majordomo
/var/vacation
/var/spool/mail (symbolic links)
/home/spool/mail
/var/spool/mqueue
/var/log
/home/sites
/home/store
/home/quota*
Services
php
mysql (/etc/my.cnf, /opt/mysql/data)
sendmail (/etc/mail)
procmail (/etc/procmail/ /etc/procmailrc)
tripwire (/etc/tripwire)
rsync (/etc/rsyncd.conf)
snmp (/etc/snmpd.*)
bind (/var/named/, /etc/bind/, /etc/named.conf)
/etc/crontab
/opt/weblog
Logs
touch /var/log/statistics
http://pkgmaster.com/packages/raq/4/#openssh
Extra packages to be installed can be found here
http://sunsolve.sun.com/patches/cobalt/raq4.eng.html
All the patches that must be applied to the RaQ
# Create the /home/store layout used by the rest of these notes.
# Parent directories are listed before their children; each mkdir is
# issued on its own, exactly as in the original step-by-step list.
store_root=/home/store
for subdir in weblog etc soa soa/named bind mysql mysql/data passes quota; do
  mkdir "$store_root/$subdir"
done
ROOT CONFIG
~root/.bashrc and ~admin/.bashrc
--------cut -----------
# Colourised tail over the standard log files.
alias tail='colortail -k /etc/colortail/conf.daemon,/etc/colortail/conf.kernel,/etc/colortail/conf.messages,/etc/colortail/conf.secure,/etc/colortail/conf.xferlog'
# Colourised ls: dircolors prints the LS_COLORS setting, which eval applies
# to the current shell.
export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
---------- paste --------------
/etc/admin.motd
/etc/profile
insert:
------------- cut -----------------
# Mail a one-line notice (the most recent login record plus the caller's
# identity) each time this profile is read.
/bin/echo "$(last -n 1) logged in with these permissions $(id)" | /bin/mail -s "SSH login on RaQ" red@tripany.com
# Colourised tail over the standard log files.
alias tail='colortail -k /etc/colortail/conf.daemon,/etc/colortail/conf.kernel,/etc/colortail/conf.messages,/etc/colortail/conf.secure,/etc/colortail/conf.xferlog'
# Colourised ls variants: dircolors prints the LS_COLORS setting, which eval
# applies to the current shell.
export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
------------ paste -----------------------
/etc/syslog.conf
------------ cut --------------------------
# Build Debian style syslogger
*.*;auth,authpriv.none -/var/log/syslog
# Additional logging by RazoR
uucp.* /var/log/uucp.log
user.* /var/log/user.log
mail.info /var/log/mail/mail.info
mail.warn /var/log/mail/mail.warn
mail.err /var/log/mail/mail.err
*.=debug;\
auth,authpriv.none;\
mail.none /var/log/debug
*.warn; auth,authpriv.none;mail /var/log/warnings
#*.=info;*.=notice;*.=warn;\
#auth,authpriv.none;\
#mail /var/log/warnings
*.emerg *
daemon,mail.*;\
news.=crit;news.=err;news.=notice;\
*.=debug;*.=info;\
*.=notice;*.=warn /var/log/console
------------ paste ---------------------------
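# Create the log directory and the empty log files named in the
# syslog.conf block above.  The warnings file is /var/log/warnings (with
# an s) so that it matches the syslog.conf target and the logrotate.d
# entry; the original note created /var/log/warning, which neither
# of them references.
mkdir /var/log/mail
for logfile in \
  /var/log/syslog \
  /var/log/uucp.log \
  /var/log/user.log \
  /var/log/mail/mail.info \
  /var/log/mail/mail.warn \
  /var/log/mail/mail.err \
  /var/log/debug \
  /var/log/warnings \
  /var/log/console; do
  touch "$logfile"
done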
/etc/logrotate.conf
------------- cut -------------
# Report errors to red@tripany.com
errors red@tripany.com
---------- paste ---------------
and change rotate 1 to rotate 5
/etc/logrotate.d/syslog
add following
------------ cut --------------------
/var/log/syslog {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/console {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/uucp.log {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/debug {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/warnings {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/user.log {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/mail/mail.info {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/mail/mail.warn {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/mail/mail.err {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/home/spool/mail/from {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/snort/alert {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/snort/portscan.log {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
/var/log/snort/snort-0820@1947.log {
postrotate
/usr/bin/killall -HUP syslogd
endscript
}
------------- paste ----------------------------------
analog
www.analog.cx
colortail
wget http://www.student.hk-r.se/~pt98jan/colortail-0.3.0.tar.gz
Also install the deepsight extractor from aris.securityfocus.com
Install the latest versions of BIND
(http://www.isc.org/products/BIND/)
wget ftp://ftp.isc.org/isc/bind/src/8.3.3/bind-src.tar.gz
wget ftp://ftp.isc.org/isc/bind/src/8.3.3/bind-contrib.tar.gz
make DST=/opt/bind-8.3.3 SRC=`pwd` links /opt/bind-8.3.3
make depend
make all
make install
Midnight commander
wget http://www.ibiblio.org/pub/Linux/utils/file/managers/mc/mc-4.6.0-pre1.tar.gz
link the /etc/rc.d/init.d/mysql file to /etc/rc.d/init.d/mysql.server so that it will start up on boot!
Chkrootkit
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
make sense
./chkrootkit
Libpcap
http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
./configure
make
make install
Portsentry
http://www.psionic.com/downloads/portsentry-2.0b1.tar.gz
before make change SYSLOG_LEVEL to LOG_LOCAL0 in portsentry_config.h
NB. leave the '#' symbols!
vi /etc/syslog.conf
And add :
---------- cut ---------
---------- paste -------
vi portsentry.conf
change
INTERFACE_ADDRESS="212.61.33.42"
BLOCK_UDP="0"
BLOCK_TCP="0"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
SCAN_TRIGGER="1"
vi portsentry.ignore
add
212.61.26.52
213.84.24.229
213.84.24.228
make linux
make install
/usr/local/psionic/portsentry2/portsentry
Save this as /etc/rc.d/init.d/portsentry:
---------- cut -------------
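#!/bin/sh
# Start / Stop portsentry.
# Usage: portsentry { start | stop }
# Always exits 0 so that the rc sequence is never interrupted.

daemon=/usr/local/psionic/portsentry2/portsentry

# Print the PIDs of running portsentry daemons, one per line.
# Matching on the daemon's full path (rather than the bare word
# "portsentry") keeps this script's own command line, e.g.
# "sh /etc/rc.d/init.d/portsentry stop", out of the result; the
# original pattern matched it and so killed the script itself.
# The grep process is filtered out as before.
portsentry_pids() {
  ps -ef | grep -F -- "$daemon" | grep -v grep | awk '{print $2}'
}

start_portsentry() {
  "$daemon"
}

# Send TERM to every matching daemon so it gets a chance to shut down
# cleanly; the original sent KILL.  If nothing is running, say so on
# stderr instead of calling kill with no PID.
stop_portsentry() {
  pids=$(portsentry_pids)
  if [ -z "$pids" ]; then
    printf '%s: portsentry is not running\n' "$0" >&2
    return 0
  fi
  # $pids is deliberately unquoted: one PID per word.
  # shellcheck disable=SC2086
  kill -TERM $pids
}

# Dispatch on the rc action ($1); unknown actions print the usage line.
main() {
  case "$1" in
    start) start_portsentry ;;
    stop) stop_portsentry ;;
    *) printf 'Please use %s ( start | stop )\n' "$0" ;;
  esac
  return 0
}

main "$@"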
---------- paste --------------
then in /etc/rc.d/rc3.d/
ln -s ../init.d/portsentry ./S90portsentry
in /etc/rc.d/rc0.d and /etc/rc.d/rc6.d
ln -s ../init.d/portsentry ./K90portsentry
Hostsentry
http://www.psionic.com/downloads/hostsentry-0.02.tar.gz
make install
cd /usr/local/abacus/hostsentry
Qpopper longer timeout:
in /etc/inetd.conf
pop-3 stream tcp nowait.100 root /usr/sbin/tcpd in.qpopper -R
(the .100 after the nowait is how long to wait before assuming the program is looping)
MyODBC:
wget http://mysql.proserve.nl/Downloads/MyODBC/MyODBC-2.50.39.tar.gz
ln -s /usr/lib/libmysqlclient_r.so.10.0.0 /usr/lib/libmysqlclient
get a client from:
http://www.mysql.com/documentation/mysql/bychapter/manual_ODBC.html#MyODBC_clients
------------ PHP ------------------
The process takes about 1 hour. This all has to be done as ROOT. To prepare
get a snapshot of your phpinfo() and backup your php.ini file before
starting. I would also recommend getting a copy of PHP 4.0.6 so you can
backtrack if need be.
Rename the link to the modules directory, copy the existing modules to a new
directory, link the new directory and restart the admin server.
# mv /etc/admserv/modules /etc/admserv/modules.old
# cp -r /usr/lib/apache /usr/lib/apache_old
# ln -s /usr/lib/apache_old /etc/admserv/modules
# /etc/init.d/admserv restart
Then I got the PHP 4.2.3 source (you have to navigate to the right mirror;
wget just didn't work)
# lynx http://www.php.net/get_download.php?df=php-4.2.3.tar.gz
Then I extracted the files
# tar -zxvf php-4.2.3.tar.gz
ran configure
# cd php-4.2.3
#
./configure --prefix=/usr --with-apxs=/usr/sbin/apxs --enable-safe-mode --wi
th-config-file-path=/etc/httpd --with-exec-dir=/usr/bin --with-zlib --enable
-magic-quotes --with-regex=system --enable-track-vars --with-iconv --enable-
xml --disable-debug --with-gd --enable-mbstring --enable-mbstr-enc-trans --w
ith-interbase=shared --with-mysql=shared --with-pgsql=shared --with-openssl=
/usr --with-jpeg-dir=/usr --with-png-dir=/usr
I then ran make and make install.
# make
# make install
I then copied mysql.so from the modules directory where I compiled the
source to where PHP could get it
# cp ./modules/mysql.so /etc/httpd/modules/php/mysql.so
Then I updated the /etc/httpd/php.ini file using vi to have the following
lines
extension=mysql.so
;extension=i18n.so
;extension=cce.so
You need to comment out the i18n.so and the cce.so or else you'll get some
unnecessary error messages in your error log.
Then restart the main web service
# /etc/init.d/httpd restart
------------------
chmod 700 /usr/bin/gprof
-------------------
Bind 9.2.1
./configure --prefix=/home/opt/bind-9.2.1 --sysconfdir=/etc/bind --with-openssl=/home/opt/openssl-0.9.6g
nb - without --enable-ipv6!
----------------------------------------
LaBrea
http://www.hackbusters.net/
http://www.bizsystems.net/downloads/labrea/
Need to download the OLD libnet libs at
http://www.packetfactory.net/
then make the libnet
make labrea
shellscript to start it:
#!/bin/sh
# Launch LaBrea in the background, appending its output to the log file.
logfile=/var/log/labrea
/opt/LaBrea -lvs -p 10 -bz -O >>"$logfile" &
then to make the reporter:
tar -xzvf LaBrea-Tarpit-X.XX.tgz
cd LaBrea-Tarpit-X.XX
perl Makefile.PL
make
make test
make install
touch /opt/labrea.log
touch /etc/logrotate.d/labrea.log
/opt/labrea {
rotate 10
compress
missingok
size 10M
}
---------------------------------------------------
NTOP
http://snapshot.ntop.org/
http://sourceforge.net/project/showfiles.php?group_id=17233&release_id=101707
First build the other library in the project, then go to the ntop directory and run ./autogen.sh, then make and make install — unless you re-untar it, in which case run ./configure --prefix=/opt/ntop
then add an ntop user and mkdir /opt/ntop/data
chown ntop /opt/ntop/data
For the 1st run:
ntop -P /opt/ntop/data -u ntop -A
then:
/opt/ntop/bin/ntop -a /var/log/httpd/access -i eth0 -u ntop -w 3281 -P /opt/ntop/data/ eth1 -d
--------------------------------------------------
Logwatch
http://www.logwatch.org/tabs/download/
ftp://ftp.kaybee.org/pub/linux/logwatch-4.3.2.tar.gz
copy the conf and scripts dir to /opt/logwatch, edit the conf/ and remove the -d option from mktemp
then in crontab:
30 2 * * * root /opt/logwatch/scripts/logwatch.pl
-----------------------------------------------------------
PKILL
http://belnet.dl.sourceforge.net/sourceforge/proctools/proctools-0.3.1.tar.gz
----------------------------------------------------------------
SpamAssassin - BEWARE: processor load goes through the roof with a system-wide installation!
upgrade perl!
sh Configure -de -Dprefix=/opt/perl-5.8.0
make
make test
./perl installperl -n (for the simulation)
make install
in /usr/bin/
rm perl
ln -s ./perl5.003 ./perl
First from cpan.org get and install HTML-Tagset then HTML-Parser
(perl Makefile.PL;make;make test;make install)
./configure
/usr/bin/perl5.8.0 Makefile.PL PREFIX=/opt/Spamassasin
make
make install
then in /etc/procmailrc add
DROPPRIVS=yes
:0fw
* < 256000
| /opt/Spamassasin/bin/spamc
http://spamassassin.org/sitewide.html
move the spamd/redhat-rc-script.sh to /etc/rc.d/init.d/