Operating Systems Archives

October 15, 2003

Digital Unix / Tru64 versions

From: http://www.usit.uio.no/it/unix/tru64unix/versions.txt

Version Rev. (mm/yy)
------------------------
HP Tru64 UNIX:
v5.1B 2650 09/02
Compaq Tru64 UNIX:
v5.1A 1885 10/01
v5.1 732 10/00
v5.0A 1094 09/00
v5.0 910 Dept. of astrophysics alphatested it; "do not install.."
v4.0G 1530 10/00
v4.0F 1229
Digital UNIX:
v4.0E 1091 (USB, euro, NetRAIN, Gb ethernet, sys_check, ..)
v4.0D 878 (Y2K, new partitionstables, 100Mb/s, NFS: patchsett #3)
v4.0C 564.32 (=v4.0B + hw drivers. for pws433/500)
V4.0B 564
V4.0A 464
V4.0 386
V3.2G* 62
V3.2F 69.73
V3.2D-2 41.64
V3.2D-1 41
V3.2C 148
V3.2B 214.61
V3.2A 17
V3.2 214
V3.0B 358.78
V3.0 347

November 11, 2003

Unix history (tree)

Link with information on the history of Unix, in the form of a (graphical) tree, in PDF

http://www.levenez.com/unix/

November 13, 2003

How do I find out the make of the devices (hd, cdrom, etc.) on Solaris?

iostat -En

Viewing the hardware configuration on AIX

lscfg -v : general system information:
http://www.unm.edu/~hamjavar/item/aixcommands/cpuspeed1.txt
lsattr -El sys0: memory and CPU (depends on the version)
oslevel : operating system version
uname -M: machine model (depends on the version)
lsdev -Cc disk: disk information
lsattr -El hdisk0: detailed information on disk 0

Getting a list of processes and their CPU usage, like top, on AIX

topas; if it is not installed:
ps -eo "%p %y %C %c %a"
AIX FORMAT DESCRIPTORS
This ps supports AIX format descriptors, which work somewhat like the
formatting codes of printf(1) and printf(3). For example, the normal
default output can be produced with this: ps -eo "%p %y %x %c"
CODE NORMAL HEADER
%C pcpu %CPU
%G group GROUP
%P ppid PPID
%U user USER
%a args COMMAND
%c comm COMMAND
%g rgroup RGROUP
%n nice NI
%p pid PID
%r pgid PGID
%t etime ELAPSED
%u ruser RUSER
%x time TIME
%y tty TTY
%z vsz VSZ
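A top-like ranking from that ps output, as an added shell helper that is not part of the original note. `rank_by_cpu` reads ps output on standard input (so it takes either a live `ps -eo "%p %y %C %c %a"` or the constructed sample below), keeps the header line and sorts the remaining rows on the %CPU column; the function names and the sample rows are this example's own. The descriptor list quoted above is the one documented by procps ps, so the same pipeline works on Linux as well as on AIX.

```shell
#!/bin/sh
# Added example: rank ps output by %CPU, like a one-shot top.
# Input format assumed: ps -eo "%p %y %C %c %a"  ->  PID TT %CPU COMMAND COMMAND
# Column 3 is therefore %CPU, which is the sort key.

# rank_by_cpu [N]: print the header line, then the N busiest rows.
# Reads the ps output on stdin:  ps -eo "%p %y %C %c %a" | rank_by_cpu 5
rank_by_cpu() {
    n="${1:-10}"
    IFS= read -r header                   # consume and echo the header untouched
    printf '%s\n' "$header"
    LC_ALL=C sort -k3,3nr | head -n "$n"  # numeric, descending on %CPU
}

# busiest_pid: PID of the process with the highest %CPU.
busiest_pid() {
    rank_by_cpu 1 | tail -n 1 | awk '{ print $1 }'
}

# Constructed sample of ps -eo "%p %y %C %c %a" output (not a real capture).
SAMPLE_PS='  PID TT        %CPU COMMAND         COMMAND
    1 ?          0.0 init            /sbin/init
  842 pts/0     12.5 sshd            sshd: user [priv]
  903 ?          3.2 cron            /usr/sbin/cron
 1200 pts/1      0.7 bash            -bash'

# Demo on the constructed sample; a live run would be:
#   ps -eo "%p %y %C %c %a" | rank_by_cpu 3
printf '%s\n' "$SAMPLE_PS" | rank_by_cpu 3
```

`read` consumes only the first line of the pipe, so `sort` sees just the process rows; `LC_ALL=C` keeps the decimal point in %CPU from being misread under a locale that uses a comma.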

Looking at problems, or debugging hardware, on Solaris

/usr/platform/sun4u/sbin/prtdiag
/usr/sbin/psrinfo
dmesg

Problems with vold /vol


It hangs while doing an ls, and truss shows it
sleeping...

You have to unmount /vol with umount, stop vold and start it again:
/etc/init.d/volmgt

Checking the hardware on Tru64

The question was:

>HOW do I find out how much
>RAM I have. Someone's just asked me & I realised that while I've been
>told "256M" I've got no idea how to confirm that.
>
>There's gotta be a simple query command somewhere (yes, I've looked
>through "man -k ram" & "man -k mem")

NB I was after physical - not virtual - memory

I was stunned by the number of responses & some specific help from one
person who checked my results against her system to make sure my
understanding was correct (Thanks again for that Pam).

Most of the replies were variations of a theme so I've just summarized
them. Alternative scripts / C-code are included as sent, for others
interest.

Thanks to:
========
Alan alan@nabeth.cxo.dec.com
Anil Khullar Anil.Khullar@mailhub.gc.cuny.edu
Andreas atoalu2@ato.abb.se
Becki Kain beckers@josephus.furph.com
Brian H. Mayo brian.mayo@brynmawr.edu
Brian Sherwood sherwood@esu.edu
Cliff Krieger ckrieger@latrade.com
Dave Golden golden@falcon.invincible.com
David Warren warren@atmos.washington.edu
Dick Abraham abrahad@govonca.gov.on.ca
Thomas Eisele eisele@pfa.research.philips.com
Fergal Mc Carthy fergal@ilo.dec.com
Guy Dallaire dallaire@total.net
James Soh jamessoh@post1.com
Jean Schuller schuller@crnal4.in2p3.fr
Jerome Fenal fenal@dcmc.creditlyonnais.fr
Joe Spanicek joe@resptk.bhp.com.au
Joel Healy jsh@mentor.co.nz
Kurt Knochner Kurt.Knochner@Physik.TU-Muenchen.DE
Lucio Chiappetti lucio@ifctr.mi.cnr.it
Martin E. Lally mel1003@phy.cam.ac.uk
Nick Hill N.M.Hill@rl.ac.uk
Pam Woods axsymgr@UAA.ALASKA.EDU
Paul Crittenden crittend@storm.simpson.edu
Paul Henderson henderson@unx.dec.com
Palo paulo@dexel.co.za
Peter Stern peter@wiscpa.weizmann.ac.il
Rainer Landes Computer-Administration@Physik.uni-karlsruhe.de
Randy M. Hayman haymanr@icefog.alaska.edu
Richard Tame Richard.Tame@asx.com.au
Rick Muse m6u@oaunx1.ctd.ornl.gov
rioux@ip6480nl.ce.utexas.edu
Rob Hamm hammr@ucfv.bc.ca
<whew!!!>


Now for the solution(s)

The most suggested themes were around the UERF & /var/adm/messages logs.
As root try:
#uerf -Rr 300 | more

& look for the physical memory

or as any user try
$more /var/adm/messages

Of course you could grep either of these for "mem" or "memory" if you
want. The UERF one is reversed to ensure that you are looking at the
most recent - I was stumped for a while as my log hadn't been cleared
since a memory upgrade ages ago, so I saw, first, the original memory
size.

=========
A few people mentioned :
Try (as root):
# vmstat -P

At the firmware prompt you could try:
>>>>show config
or
>>>>show memory
(or is that "show mem"?)

But I had no intention of bringing the system down for such a query -
could be handy if it's shut down for some other reason though

or

use monitor and magnify the "memory" item (run monitor, type "m", arrow
down to "memory" and type "s")

or use "top" (I don't have it)


Other suggestions were:

Alan:
====
Count the number of bytes in memory:
# wc -c /dev/mem
(I got nervous when it took a while and after running syd found it to
be the highest process - so killed it - Dave)

Get the number of pages and multiply by the page size:
# dbx -k /vmunix /dev/mem
(dbx) print physmem
(I got some error messages with the first line & the response from the
dbx command was different from that obtained from uerf & messages - but
then I don't know much about dbx)

Thomas Eisele:
===========
for the csh:
dd bs=1048576 if=/dev/mem of=/dev/null |& tail -1 | sed -e 's/\+.*$/ MB/'

and for sh:
dd bs=1048576 if=/dev/mem of=/dev/null 2>&1 | tail -1 | sed -e 's/\+.*$/ MB/'


Jean Schuller
==========
I remember I wrote a shell script using uerf and I called it CONFIG :
It shows Ethernet address, devices, memory size and unix version .

--------------------------------- 8< cut here -------------------

#!/bin/ksh
#
# Show configuration
#
acc=`whoami`
if [ "$acc" != "root" ]
then
echo "You must be root for these instructions "
exit 1
fi
machine=`hostname`
clear
echo " $machine : Configuration"
echo
echo "-------------------------------------------------------------------------"
#
# 1) Ethernet address
#
echo "Ethernet address"
echo "================"
uerf -r 300 | grep -i "_hardware address" | sort -u
echo "-------------------------------------------------------------------------"
#
# 2) Show devices
#
echo "Devices : "
echo "=========="
let i=0
while [ $i -lt 11 ]
do
dev="/dev/rrz"$i"c"
file $dev 2>/dev/null | grep character
let i=i+1
done
echo "-------------------------------------------------------------------------"
#
# 3) memory size
#
echo "Memory size"
echo "=========="
uerf -r 300 | grep -i 'physical memory ' | sort -u
echo "-------------------------------------------------------------------------"
#
# 4) Unix Versions
#
echo "Successive Digital Unix Versions"
echo "================================"
uerf -r 300 | egrep -i 'DEC OSF/1 V|Digital UNIX V' | sort -u
echo "-------------------------------------------------------------------------"
--------------------------------- 8< cut here -------------------


Martin E. Lally
==========
Here is the C source code for displaying system RAM size. Compile with
# cc -o memsize filename.c

------------------------------- CUT HERE -------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/sysinfo.h>

/* GSI_PHYSMEM fills memsize with the physical memory size in kilobytes;
 * getsysinfo() returns -1 on failure. (Digital UNIX / Tru64 only.) */
int main(int argc, char **argv)
{
    int memsize, err;

    err = getsysinfo(GSI_PHYSMEM, &memsize, sizeof(memsize), 0, NULL);
    if (err == -1) {
        perror("getsysinfo(GSI_PHYSMEM)");
        exit(1);
    }

    printf("Total Real Memory: %d Mb\n", memsize / 1024);
    exit(0);
}
------------------------------- CUT HERE -------------------------------
Randy M. Hayman
=============
A variation of that theme is:

compile with: cc -o show_mem show_mem.c
------------------------------- CUT HERE -------------------------------
#include <stdio.h>
#include <sys/sysinfo.h>

/* int_buff receives the size in KB; it must be an int, not a pointer. */
int status, int_buff;

int main(void)
{
    if (-1 == (status = getsysinfo(GSI_PHYSMEM, &int_buff, sizeof(int_buff),
                                   0, 0)))
        fprintf(stdout, "error %d getting GSI_PHYSMEM\n", status);
    else
        fprintf(stdout, "Physical memory in use: %d KB\n", int_buff);
    return 0;
}
------------------------------- CUT HERE -------------------------------

Theis Jean-Marie
============
(I'm afraid I haven't had a chance to check this - but as Theis was kind
enough to pass it to me, I thought it may be of interest to others in
the list - Dave)

If you are interested I have done a script called cnfg which describes
your configuration (OSF station 2100 or 3000) The drawback of it is
that it is reserved to root , and need editing when a new device
appears (it already knows a lot of them).


------------------------------- CUT HERE -------------------------------
#!/bin/sh
if [ `whoami` != root ]
then
echo "Vous devez etre root pour cette commande . Bye..."
exit 1
fi
trap 'rm -f /tmp/cnfg.tmp 2>/dev/null' 0 1 2 15
PATH="$PATH:/etc:/sbin:/usr/sbin"
nodate=false
long=false
while [ "$1" ]
do
case $1 in
-nodate)nodate=true
shift;;
-l)long=true
shift;;
esac
done
export PATH
hostname=`hostname | awk -F\. '{print $1}'`
HOSTNAME=`echo $hostname | tr 'a-z' 'A-Z'`
adresseIP=`arp $hostname | sed 's/^.*(//;s/).*$//'`
ADRESSEIP=`arp $HOSTNAME 2>/dev/null | sed 's/^.*(//;s/).*$//'`
[ `machine` = "alpha" ] || echo "wait..."
uerf -R -r 300 | head -200 | sed '
s/ //
s/OCCURRED ON SYSTEM/Nom du systeme :/
s/OCCURRED.LOGGED ON/Dernier boot le :/
s/(DEC //
s/RZ25./device:& : disque de 0,42 Gbyte/
s/RZ26./device:& : disque de 1 Gbyte/
s/ST32430./device:& : disque de 2 Gbyte/
s/DSP3105./device:& : disque de 1 Gbyte/
s/DPES-31080./device:& : disque de 1 Gbyte/
s/RZ28./device:& : disque de 2,1 Gbyte/
s/RZ55./device:& : disque de 0,33 Gbyte/
s/RZ56./device:& : disque de 0,6 Gbyte/
s/RZ58./device:& : disque de 1,4 Gbyte/
s/RZ29./device:& : disque de 4 Gbyte/
s/RX26./device:& : floppy 2,8 Mbyte externe/
s/fd[0-1] at fdi[0-1] unit [0-1]/ _ device:& : floppy interne/
s/RRD43./device:& : disque CD-rom/
s/RRD42./device:& : disque CD-rom/
s/RRD40./device:& : disque CD-rom/
s/CD-ROM./device:& : disque CD-rom/
s/IMPRIMIS94601.* /device:& : disque de 1 Gbyte/
s/HEXABYTE./device:& : Bande hexabyte/
s/EXABYTE./device:& : Bande exabyte/
s/gd[0-9][0-9]*:/ _ device:& : Graveur CDrom/
' > /tmp/cnfg.tmp
ed - /tmp/cnfg.tmp <<@@ >/dev/null
/ENTRY *2./,\$d
w
q
@@
egrep -s 'ENTRY *1' /tmp/cnfg.tmp
if [ $? -eq 1 ]
then
echo "Anomalie dans les fichiers log lus par la commande uerf"
echo operation annulee
echo Bye...
exit 1
fi
if [ `machine` = "alpha" ]
then
#swapon -s | tail -5 >> /tmp/cnfg.tmp
swapon -s | egrep "partition|Allocated" >> /tmp/cnfg.tmp
elif [ `machine` = "mips" ]
then
swap=`pstat -s | head -1 | sed 's/k.*//'`
echo " Taille du swap = `expr $swap \/ 1000` MB" >> /tmp/cnfg.tmp
fi
#sed -f config.sed /tmp/cnfg.tmp
if [ "$long" = true ]
then
cat /tmp/cnfg.tmp
fi
echo --------------------------------------------------------------------------------------------
grep "Nom du systeme" /tmp/cnfg.tmp
echo --------------------------------------------------------------------------------------------
echo "Version Operating system : `uname -a`"
if [ `machine` = "alpha" ]
then
psrinfo -n | sed 's/number of .*=/nombre de CPU : /'
else
echo "nombre de CPU : 1"
fi
[ "$nodate" = "false" ] && grep "Dernier boot" /tmp/cnfg.tmp
grep "CPU TYPE" /tmp/cnfg.tmp
echo
echo "Ethernet interfaces :"
egrep "Ethernet|address" /tmp/cnfg.tmp
echo "Adresse IP : $adresseIP"
if [ "$ADRESSEIP" != "$adresseIP" -a "$ADRESSEIP" ]
then
echo "Adresse IP : $ADRESSEIP"
fi
echo --------------------------------------------------------------------------------
echo "Devices:"
egrep "rz[0-9][0-9]*|tz[0-9][0-9]*|device:|gd[0-9][0-9]*" /tmp/cnfg.tmp
#grep device: /tmp/cnfg.tmp
echo
echo --------------------------------------------------------------------------------
echo "Memoire et swap"
if egrep -s "real mem" /tmp/cnfg.tmp
then
memoire=`grep "real mem" /tmp/cnfg.tmp | sed 's/real mem *= //'`
echo " physical memory = `expr $memoire \/ 1048576`.00 megabytes" >> /tmp/cnfg.tmp
fi
grep "physical memory" /tmp/cnfg.tmp
grep Taille /tmp/cnfg.tmp
grep "partition" /tmp/cnfg.tmp | sed 's/^/ /'
tail -1 /tmp/cnfg.tmp | grep "Allocated" | sed 's/ *Allocated space:.*(/ Taille du swap = /;s/)//'
#grep "Allocated space:" /tmp/cnfg.tmp | sed 's/ *Allocated space:.*(/ Taille du swap = /;s/)//'
#rm /tmp/cnfg.tmp
echo ------------------------------------------------------------------------


------------------------------- CUT HERE -------------------------------

Again,
Many thanks for ALL replies,


Dave

--
Clinical Account Manager, Information Systems
Healthcare Otago (Dunedin NZ)

Ph internal: 8453 External: 64-3-4747699
email: daveb@healthotago.co.nz

Pretentious quote of the week:
"SQL is the Fortran of databases - nobody likes it much, the language is
ugly and ad hoc, every database supports it, and we all use it "
John Levine et al. lex & yacc


Enhanced Security on Tru64

From: Jon Buchanan <Jonathan.Buchanan@ska.com>

You asked for the pros and cons of Enhanced Security. Well, here's my view:

Pros:

+ a protected password database
+ records last successful and unsuccessful logins
+ records repeated login failures
+ automatic lockout after repeated login failure
+ configurable minimum password length
+ password lifetimes
+ password quality checks
+ password change history
+ password usage history
+ GUI for user account maintenance
+ templates for user setup
+ audit subsystem (means C2 security requirements can be satisfied)

Cons:

- performance problems with very large user base (>1000 users)
- NIS doesn't work with other operating systems
- still not as secure as Sun's NIS+
- no (official) failover for NIS master -> single point of failure
- new and not very well understood, even by Digital!

To answer your questions:

1) Turn enhanced security on/off with the secsetup utility. However, if
turning it off, you may find that you need to give all users a new password.

2) Follow the procedures in the 'Security' manual to migrate users from base
to enhanced security. They provide scripts which do it for you.

I think you should decide first whether you want Enhanced Security or not,
and then deal with the admin problems that arise. However, don't base your
decision on the admin problems, base it on your need for security.

Attached is a general list of tips and notes regarding Enhanced Security.
It provides detail on some of the issues just mentioned.

Regards,
Jon Buchanan, Zuerich, Switzerland
[ Jonathan.Buchanan@ska.com ]

Some tips and notes about Enhanced Security:

With enhanced security, your user, group and password databases are
divided into many places:

/etc/passwd
This contains entries for local users not defined under NIS.
Passwords are not stored here - a * appears in place of each password.
Typically you would leave the system users like root, daemon etc here.
NIS-defined users must not appear in this file!
At the end of this file is +: for NIS to be searched.

/tcb/files/auth directories
Users defined in /etc/passwd have security profiles in these
directories. Their passwords, and things like successful/unsuccessful
login info are stored here. No NIS users have profiles in these
directories.

/etc/group
This contains entries for local groups not defined under NIS.
At the end of this file is +:

/var/yp/src/passwd
This is your NIS passwd file.
Local users, defined in /etc/passwd, should NOT appear here!
Passwords are not stored here - a * appears in place of each password.
The file should not contain +:

/var/yp/src/prpasswd
This is the 'protected password' NIS file, which functions like the
/tcb directory but for NIS users instead of local users. All users
with an entry in the NIS password file have an entry here.

/var/yp/src/group
This is the NIS group file.
Local groups, defined in /etc/group, should NOT appear here!
The file should not contain +:

Creating the prpasswd file is described in the section 'Moving Local
Accounts to NIS' in the 'Security' manual. You have to copy the script
they give you in the book, which reads all the information from the /tcb
tree and writes it into a file with one line per user. After that you
need to:

- delete (or move) all security profiles below /tcb for NIS registered
users
- delete all prpasswd entries for locally registered users (like root)

this is in accordance with the split described above.

When you are using the advanced security XIsso and XSysAdmin tools you
choose whether to manage the local or NIS registered users by clicking
on the 'Network Control' button. It then updates only the appropriate
files, and in the case of the NIS files, does a make for you.

To change passwords, use passwd for all accounts including the NIS ones.

/etc/svc.conf should contain an entry like: auth=local,yp

Delete the files /etc/passwd.dir and passwd.pag if you have them. These
are 'hashed' password files which adduser offers to make for you when it
finds they are not there. However, you don't need them and it will
probably stop NIS from working properly.

The main problem with switching Enhanced Security/NIS on and off is in
restoring the information to the correct place. Above all, Enhanced
Security passwords CANNOT be re-inserted into the passwd files (in place
of the *'s) - you need to give all users a new password.

A couple of problems that took us a long time to solve:

- The file /etc/auth/system/files must contain entries for
prpasswd and prpasswd:t. We have added them like this:

/var/yp/src/prpasswd:\
:f_type=r:f_mode#0660:f_owner=auth:f_group=auth:\
:chkent:
/var/yp/src/prpasswd\:t:\
:f_type=r:f_mode#0660:f_owner=auth:f_group=auth:\
:chkent:

- An Enhanced Security NIS Slave cannot operate independently of the
Enhanced Security NIS Master. This is because the prpasswd file
is updated with every login attempt, and is only mastered on the
NIS Master. In other words, there's no point having a Slave because
it won't be able to function without the Master running.

DEC have refused to acknowledge this as a problem, so a fix is
unlikely for the foreseeable future. We have worked around it by
setting up a second Master and copying certain files from the
'real' master to the 'second' master periodically using rdist.
It is not an altogether satisfactory solution but it works and we
prefer it to being dependent on the availability of one machine.
Let me know if you would like more details on setting this up.

If you are determined to set up a Slave then you may hit another problem
too, whereby a make of the yp maps pauses for a few minutes. Fix is to
send the Slave the copies of the maps which it is missing by using ypxfr
(but a better fix is to disable the Slave).

One other note about Enhanced Security - if your system manages X
sessions for X displays (such as PCs) then you will need to add entries
for these remote displays to the files /etc/auth/system/devassign and
/etc/auth/system/ttys. I can let you have more details if you need
them.

From: Spider Boardman <spider@Orb.Nashua.NH.US>

I'm afraid your question didn't make a lot of sense to me, unless
I assume that you don't have Enhanced Security in use, but that
you merely have its subsets installed (which is not enough to
enable it).

In particular, check the output of running this command:
/usr/sbin/rcmgr get SECURITY BASE
If it's BASE then you've not enabled Enhanced Security.

The /usr/sbin/secsetup script is supposed to take care of
creating prpasswd entries (the /tcb/files/auth/?/* files) for the
users which were already in /etc/passwd when you enable the "C2"
login features. If it didn't, then that's a bug. I do seem to
recall that the adduser script had a bad habit of creating
prpasswd entries even when it shouldn't, because it didn't check
the result of the rcmgr command above. Unless that returns
ENHANCED you're still using "BASE" security.

December 26, 2003

To do a port forward with Linux and iptables:

With the appropriate kernel configuration, of course:

iptables -t nat -I PREROUTING 1 -s 0/0 -d <IP.LOCAL> -p tcp --dport 443 -j DNAT --to-destination <IP.DESTINO:PORT.DESTINO>
iptables -t nat -I POSTROUTING 1 -s 0/0 -d <IP.REMOTA> -j SNAT --to-source <IP.LOCAL>
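As an added example (not from the note), here are the same DNAT/SNAT rules wrapped in a shell function that validates its arguments, refuses to apply anything while IP forwarding is off, and inserts each rule only if an identical one is not already present (`iptables -C`). It narrows the note's SNAT rule to the forwarded TCP port instead of matching every packet to the remote address; `port_forward`, the `DRY_RUN` switch and the addresses in the demo call are this example's own, and with `DRY_RUN=1` (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the page): idempotent TCP port forward with iptables.
# Mirrors the page's two rules: DNAT in PREROUTING, SNAT in POSTROUTING.
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands only; 0 = apply them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Argument checks: dotted-quad address, port in 1..65535.
valid_ip()   { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_port() { [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null; }

# rule_present CHAIN RULE...: true if an identical nat rule already exists.
rule_present() { "$IPTABLES" -t nat -C "$@" >/dev/null 2>&1; }

# port_forward LOCAL_IP LOCAL_PORT DEST_IP DEST_PORT
port_forward() {
    local_ip=$1 local_port=$2 dest_ip=$3 dest_port=$4
    valid_ip "$local_ip" && valid_ip "$dest_ip" || { echo "bad address" >&2; return 2; }
    valid_port "$local_port" && valid_port "$dest_port" || { echo "bad port" >&2; return 2; }
    # DNATed packets are routed on, not delivered locally, so forwarding must be on.
    if [ "$DRY_RUN" != 1 ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        echo "net.ipv4.ip_forward is 0; enable it first" >&2; return 1
    fi
    # Inbound: rewrite the destination to the internal host and port.
    dnat="-d $local_ip -p tcp --dport $local_port -j DNAT --to-destination $dest_ip:$dest_port"
    # Reply path: make the forwarded connection appear to come from this box,
    # limited to the forwarded port (the page's rule SNATs all traffic to DEST_IP).
    snat="-d $dest_ip -p tcp --dport $dest_port -j SNAT --to-source $local_ip"
    if [ "$DRY_RUN" = 1 ] || ! rule_present PREROUTING $dnat; then
        run "$IPTABLES" -t nat -I PREROUTING 1 $dnat || return 1
    fi
    if [ "$DRY_RUN" = 1 ] || ! rule_present POSTROUTING $snat; then
        run "$IPTABLES" -t nat -I POSTROUTING 1 $snat || return 1
    fi
}

# Demo with constructed addresses (prints only, since DRY_RUN defaults to 1).
port_forward 10.0.0.1 443 192.168.1.10 8443
```

Run it with `DRY_RUN=0` as root to apply the rules; `$dnat` and `$snat` are deliberately left unquoted so the shell splits them into separate iptables arguments.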

January 21, 2004

SHAPER (in Portuguese)

Hello,

I have seen a lot of people on the list looking for
traffic control based on IP address!

This can be achieved with the Linux Traffic Shaper.
Just create several shapers and add a static route
from an IP to the shaper.

Here is a small example:

1) create several shapers, as many as you need;
each shaper will perform one control!

$ cd /lib/modules/versao_kernel/net
$ cp shaper.o shaper0.o
$ cp shaper.o shaper1.o
$ cp shaper.o shaper2.o
...

2) Update the dependencies for the new modules:

$ depmod -a

3) Load the necessary modules:

$ insmod shaper0
$ insmod shaper1
...

Note: for each module loaded, the kernel provides a
shaperX interface, which will be the route interface for
the IP whose traffic you want to limit.

4) Attach and configure the speed for each shaper device:

$ shapecfg attach shaper0 eth1
$ shapecfg attach shaper1 eth1
$ shapecfg attach shaper2 eth1
...
$ shapecfg speed shaper0 64000
$ shapecfg speed shaper1 256000
$ shapecfg speed shaper2 64000
...

Note: from kernel versions 2.2.x onwards (if I'm not mistaken), when
configuring an interface the kernel automatically adds a route to the
network address through that interface. So you have to remove that
route right after configuring the interface
(we want to shape only one IP, right?).

6) Add routes to the shapers:

$ route add -host 192.168.1.2 dev shaper0
$ route add -host 192.168.1.3 dev shaper1
$ route add -host 192.168.1.4 dev shaper1
$ route add -host 192.168.1.5 dev shaper1
$ route add -host 192.168.1.6 dev shaper2

the output of the route command should look something like:

Destino Roteador Mascara Opcoes Metrica Ref Uso Iface
200.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.2 0.0.0.0 255.255.255.255 UG 0 0 0 shaper0
192.168.1.3 0.0.0.0 255.255.255.255 UG 0 0 0 shaper1
192.168.1.4 0.0.0.0 255.255.255.255 UG 0 0 0 shaper1
192.168.1.5 0.0.0.0 255.255.255.255 UG 0 0 0 shaper1
192.168.1.6 0.0.0.0 255.255.255.255 UG 0 0 0 shaper2
0.0.0.0 200.1.1.1 0.0.0.0 UH 1 0 0 eth0

7) Done!

##############

That's a bit wrong.. there's no need to copy the module 7 times to have 7 shapers xDDD

modprobe shaper shapers=7

xD

--
Pablo Ruiz Garcia (Pci)
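To show the whole procedure in one place, here is an added shell script (not from either post) that performs steps 1 to 6 from a small rule table: it loads the module once with Pablo's `shapers=N` form instead of copying shaper.o, allocates one shaperN per distinct rate (several hosts can share a shaper, as 192.168.1.3-5 share shaper1 above), attaches each one to the uplink, sets its speed, and adds a host route per IP. The rule table, the `DRY_RUN` switch and the function names are this example's own; with `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the post): allocate one shaper per distinct rate
# and route each host through its shaper. Loads the module once with
# shapers=N (Pablo's form) instead of copying shaper.o N times.
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands only; 0 = run them
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed rule table: "host_ip rate_in_bits_per_second", one per line.
RULES='192.168.1.2 64000
192.168.1.3 256000
192.168.1.4 256000
192.168.1.6 64000'

# count_shapers RULES: number of distinct rates = shaper devices needed.
count_shapers() {
    printf '%s\n' "$1" | awk 'NF==2 && !($2 in seen) { seen[$2]=1; n++ } END { print n+0 }'
}

# setup_shapers UPLINK_IF RULES
setup_shapers() {
    iface=$1; rules=$2
    run modprobe shaper shapers="$(count_shapers "$rules")"
    i=0
    # Distinct rates in first-seen order; shaper0 gets the first rate, etc.
    printf '%s\n' "$rules" | awk 'NF==2 && !($2 in seen) { seen[$2]=1; print $2 }' |
    while read -r rate; do
        run shapecfg attach "shaper$i" "$iface"
        run shapecfg speed "shaper$i" "$rate"
        # Every host with this rate is routed through this shaper device.
        printf '%s\n' "$rules" | awk -v r="$rate" 'NF==2 && $2==r { print $1 }' |
        while read -r host; do
            run route add -host "$host" dev "shaper$i"
        done
        i=$((i + 1))
    done
}

setup_shapers eth1 "$RULES"
```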

January 28, 2004

Quick guide to Cryptoloop + LVM

+---------------------------------------------------------------+
| Quick guide to Cryptoloop + LVM           aramosf @ unsec . net |
| 19/Jan/2004 v1.0                        bladi-sec @ novasec . es |
| http://www.unsec.net                                            |
+---------------------------------------------------------------+

Requirements:
+-------------+

The purpose of this mini-guide is to create a logical volume with LVM2
(Logical Volume Manager), itself encrypted with the AES-128 algorithm,
using two disks: one of them the system disk, and the other used entirely.
We assume you already have a clear idea of what LVM and Cryptoloop are.

All the documentation and tests were done on a Fedora 1 Linux system,
with kernel 2.6.1 and lvm version 2.

We start from the premise that the system runs a kernel with loop_aes
support (2.6, or a patched 2.4), and has the necessary lvm2 packages
installed (with their kernel support). The latest version of mount and
util-linux, 2.12, is also required.

The kernel options needed for LVM are:

Device Drivers --->
Multi-device support (RAID and LVM) --->
[*] Multiple devices driver support (RAID and LVM)
...
<*> Device mapper support

Options needed for CryptoLoop AES:

Cryptographic options --->
<*> AES cipher algorithms


In this example we assume hda2 is the root directory, and hdb an additional
hard disk (both are 40GB in size):

hda: hda1 = swap (256Mb), hda2 = / (39Gb)
hdb: whole disk, 40Gbs, no partitions


Configuration
+-------------+

Below are all the commands that are needed, and their meaning:

We create a 35GB file for the LVM; the rest will be left for the operating
system:

# dd if=/dev/zero of=datos1 bs=1M count=35000

This command creates a file full of zeros, 35000MB in size, named
"datos1". For greater security it is recommended to do it with
/dev/urandom instead of /dev/zero.

We assign our file to /dev/loop1:

# losetup /dev/loop1 datos1

We create the PV:

# lvm pvcreate /dev/loop1
No physical volume label read from /dev/loop1
Physical volume "/dev/loop1" successfully created

Now the second disk: we remove hdb's partition table:

# dd if=/dev/zero of=/dev/hdb bs=1k count=1
# blockdev --rereadpt /dev/hdb

An alternative, more paranoid method would be to use:

# shred -n 1 -v /dev/hdb

We create the PV for the hard disk hdb:

# lvm pvcreate /dev/hdb
No physical volume label read from /dev/hdb
Physical volume "/dev/hdb" successfully created

We create a volume group called "PN":

# lvm vgcreate PN /dev/loop1 /dev/hdb
Volume group "PN" successfully created

We check that things are going well, and find out the size of our future
volume:

# lvm pvdisplay
--- Physical volume ---
PV Name /dev/loop1
VG Name PN
PV Size 34.17 GB / not usable 0
Allocatable yes
PE Size (KByte) 4096
Total PE 8748
Free PE 8748
Allocated PE 0
PV UUID SHMmrX-tZy5-2bKV-J2JQ-a6NU-5YOx-xJF1hr

--- Physical volume ---
PV Name /dev/hdb
VG Name PN
PV Size 55.89 GB / not usable 0
Allocatable yes
PE Size (KByte) 4096
Total PE 14308
Free PE 14308
Allocated PE 0
PV UUID dDBCGR-swNs-6oS3-Be2t-TGnf-nFxs-hRJkr6


We create the 89G logical volume (sum of the PV SIZEs, 34.17+55.89):

# lvm lvcreate -n DURO PN -L89G
Logical volume "DURO" created
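Rather than adding the PV sizes by hand, here is an added shell snippet (not from the guide) that computes the usable size from the `lvm pvdisplay` output itself: it sums the Free PE counts, multiplies by the PE size and rounds down to whole gigabytes. The sample output is constructed from the figures shown above, and the function names are this example's own. For these two PVs the arithmetic gives 90G (8748 + 14308 extents of 4 MB), one more than the 89G the guide chooses.

```shell
#!/bin/sh
# Added example (not from the guide): derive the largest safe -L value for
# lvcreate from `lvm pvdisplay` output (sum of Free PE x PE Size, rounded down).

# Constructed from the pvdisplay figures in the guide (not a real capture).
SAMPLE_PVDISPLAY='  --- Physical volume ---
  PV Name               /dev/loop1
  VG Name               PN
  PV Size               34.17 GB / not usable 0
  PE Size (KByte)       4096
  Total PE              8748
  Free PE               8748
  Allocated PE          0

  --- Physical volume ---
  PV Name               /dev/hdb
  VG Name               PN
  PV Size               55.89 GB / not usable 0
  PE Size (KByte)       4096
  Total PE              14308
  Free PE               14308
  Allocated PE          0'

# free_extents_kb: reads pvdisplay output on stdin, prints free space in KB.
# "PE Size (KByte) 4096" sets the extent size used for the PV lines after it.
free_extents_kb() {
    awk '/PE Size/     { pe = $4 }
         /^ *Free PE/  { total += $3 * pe }
         END           { printf "%d\n", total }'
}

# free_gb: whole gigabytes, using 1 GB = 1048576 KB as pvdisplay does.
free_gb() { free_extents_kb | awk '{ printf "%d\n", $1 / 1048576 }'; }

# lvcreate_cmd VG LVNAME: the lvcreate line for the computed size.
lvcreate_cmd() {
    gb=$(free_gb)
    printf 'lvm lvcreate -n %s %s -L%sG\n' "$2" "$1" "$gb"
}

# Demo on the constructed sample; live use: lvm pvdisplay | lvcreate_cmd PN DURO
printf '%s\n' "$SAMPLE_PVDISPLAY" | lvcreate_cmd PN DURO
```

Rounding down is what keeps `lvcreate` from failing with "insufficient free extents"; newer LVM2 releases also accept `lvcreate -l 100%FREE`, which avoids the arithmetic entirely.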

We set up loop2 with AES-128 on our new volume:

# losetup -e aes-128 /dev/loop2 /dev/PN/DURO
Password:

NOTE: other algorithms or a larger key size (256) can be used, but
performance will suffer by around 20%. It asks for a password, which we
will have to enter every time we mount the volume:

For extra security we can use the option -S xxxxxxxxxx, where
"xxxxxxxxxx" is a random seed typed in by ourselves; this helps guard
against dictionary attacks.

We format the volume:

# mke2fs -j /dev/loop2
mke2fs 1.34 (25-Jul-2003)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
....


Finishing
+------------+

ALL DONE!!

To mount:

# mount -t ext3 -oencryption=aes-128 /dev/PN/DURO /mnt
Password:

If you type the wrong password, it shows this error:

# mount -t ext3 -oencryption=aes-128 /dev/PN/DURO /mnt
Password:
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
or too many mounted file systems
(could this be the IDE device where you in fact use
ide-scsi so that sr0 or sda or so is needed?)


Checks
+--------------+

# df -h

/dev/mapper/PN-DURO 88G 33M 84G 1% /mnt

Every time it is unmounted, remember that you have to "attach" before
mounting:

# losetup -e aes-128 /dev/loop2 /dev/PN/DURO
# mount -t ext3 -oencryption=aes-128 /dev/PN/DURO /mnt

And if you want everything to be in order when the machine restarts:

# lvm vgchange -an
# lvm lvchange /dev/PN/DURO -ay
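The attach/mount sequence above, and its reverse, as an added shell helper that is not part of the guide: `crypto_mount` activates the LV, attaches the loop device with the cipher and mounts the volume, detaching the loop again if mount fails (the wrong-password case shown above), and `crypto_umount` unmounts and detaches. The device paths, cipher, function names and the `DRY_RUN` switch are this example's own; with `DRY_RUN=1` (the default) it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the guide): attach + mount and umount + detach for
# the cryptoloop volume, releasing the loop device again on a failed mount.
LOOP="${LOOP:-/dev/loop2}"
LV="${LV:-/dev/PN/DURO}"
MNT="${MNT:-/mnt}"
CIPHER="${CIPHER:-aes-128}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands only; 0 = run them
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# loop_attached: true if LOOP already has a backing device (losetup with only
# the device argument reports its status and fails when the device is unused).
loop_attached() {
    [ "$DRY_RUN" = 1 ] && return 1     # assume the device is free when only printing
    losetup "$LOOP" >/dev/null 2>&1
}

crypto_mount() {
    if loop_attached; then
        echo "$LOOP is already attached; detach it first" >&2; return 1
    fi
    run lvm lvchange -ay "$LV" || return 1              # make sure the LV is active
    run losetup -e "$CIPHER" "$LOOP" "$LV" || return 1  # prompts for the passphrase
    # A wrong passphrase surfaces as the "wrong fs type / bad superblock" error
    # shown above; detach so the next attempt starts from a clean loop device.
    if ! run mount -t ext3 -o encryption="$CIPHER" "$LV" "$MNT"; then
        run losetup -d "$LOOP"
        return 1
    fi
}

crypto_umount() {
    run umount "$MNT" || return 1
    run losetup -d "$LOOP"
}

# Demo: prints the mount sequence and then the unmount sequence.
crypto_mount && crypto_umount
```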

If you want to test the speed of the volume you created, the best option is
bonnie++,
http://www.coker.com.au/bonnie++/.


Documentation and references
+--------------------------+

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Cryptoloop-HOWTO.html
http://tldp.org/HOWTO/LVM-HOWTO/
http://lists.sistina.com/pipermail/linux-lvm/2002-October/012541.html
http://vware.hypermart.net/howto_filesystem_encryption.htm

CREDITS: idea, support, guru: bladi / dardhal

How to Determine if Enhanced Security Is Installed and Running

If you are not sure if the optional, enhanced-security features are
installed on your system, you can check as follows:

$ ls -l /usr/.smdb./OSFC2SEC4??.lk
-rw-r--r-- 1 root system 0 Nov 8 11:02 \
/usr/.smdb./OSFC2SEC400.lk

The presence of the lock file (OSFC2SEC400.lk) indicates that the enhanced
security subset is installed (but not necessarily running) on your system. If
the subset is not installed, you will receive a "not found" message.

To determine if the installed enhanced security is running on your system,
enter the following command:

$ /usr/sbin/rcmgr get SECURITY BASE
ENHANCED


If the string "ENHANCED" is returned, enhanced security is running. If the
string "BASE" is returned, enhanced security is not running.

From:
http://www.cs.arizona.edu/computer.help/policy/DIGITAL_unix/AA-Q0R2D-TET1_html/sec.c23.html
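Combining the lock-file check and the rcmgr check into one function, as an added shell example that is not from the page (it also covers the `rcmgr get SECURITY BASE` test Spider Boardman gives further up): `security_status` reports whether the subset is installed and whether Enhanced Security is actually enabled, and returns a distinct exit code for each state so other scripts can branch on it. `SMDB` and `RCMGR` default to the paths the page gives and are overridable only so the function can be tried on a non-Tru64 host with a constructed directory.

```shell
#!/bin/sh
# Added example (not from the page): is the Enhanced Security subset
# installed, and is it enabled? Combines the lock-file and rcmgr checks.
# SMDB and RCMGR default to the paths on the page; they can be overridden
# so the function can be exercised elsewhere with a fake directory.
SMDB="${SMDB:-/usr/.smdb.}"
RCMGR="${RCMGR:-/usr/sbin/rcmgr}"

# subset_installed: the OSFC2SEC4xx.lk lock file marks an installed subset.
subset_installed() {
    set -- "$SMDB"/OSFC2SEC4??.lk
    [ -e "$1" ]                 # an unmatched glob stays literal, so -e fails
}

# security_mode: ENHANCED or BASE as rcmgr reports it (BASE if rcmgr is missing).
security_mode() {
    mode=$("$RCMGR" get SECURITY BASE 2>/dev/null) || mode=BASE
    printf '%s\n' "${mode:-BASE}"
}

# security_status: prints not-installed / installed-not-running / running
# and returns 2 / 1 / 0 respectively.
security_status() {
    if ! subset_installed; then echo not-installed; return 2; fi
    if [ "$(security_mode)" = ENHANCED ]; then echo running; return 0; fi
    echo installed-not-running; return 1
}

security_status || true        # demo; the printed word is the result
```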

April 1, 2004

To replace cygwin.bat

$ cat /cygwin.bat
@echo off
C:
chdir C:\cygwin\bin
set DISPLAY=:0
rxvt -sl 9999 -rv -e bash --login -i

-----
thx pci =)

May 31, 2004

If the X server doesn't start

It needs rpcbind to be running, and the service
/usr/dt/bin/rpc.ttdbserverd (which is in inetd.conf), besides
dtlogin, of course.

June 10, 2004

Enabling autocompletion in the Windows CMD

To enable file and folder completion for one use of the command processor,
type CMD /F:ON, which sets the file completion character to CTRL+F and the
path completion to CTRL+D. To disable it for the current session, type CMD
/F:OFF.


To set file name completion via the registry, use Regedt32 to navigate to:


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor

Edit or Add Value name CompletionChar as a REG_DWORD data type. A data value
of 0 turns off filename completion.
A data value in the range of 0x1 - 0x1F turns it on, where the data value is
the ASCII control character.
A data value of 0x4 is CTRL+D, while 0x6 is CTRL+F.


To set path completion, Edit or Add Value name PathCompletionChar as a
REG_DWORD data type. A data value of 0 turns off path completion.
A data value in the range of 0x1 - 0x1F turns it on, where the data value
is the ASCII control character.
A data value of 0x4 is CTRL+D, while 0x6 is CTRL+F.

NOTE: Both these Value Names can also be configured at HKEY_LOCAL_MACHINE.
HKEY_CURRENT_USER takes precedence.

NOTE: When you press the file or path completion, the first matching entry
appears. Pressing it again retrieves the next entry in the list.
To go backwards, press SHIFT+<completion-character>.

June 24, 2004

To enable Add/Remove Programs

If you are not allowed to use Add/Remove Programs, you can change it at:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]
The key NoAddRemovePrograms has to be set to 0

July 15, 2004

Restore the security policies to the defaults:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

July 29, 2004

Getting the euro sign on the console in my Fedora

These files must look like this:
/etc/sysconfig/i18n:
LANG="C"
SUPPORTED="es_ES@euro:es_ES:es"
SYSFONT="lat0-16"
SYSFONTACM=iso15
CHARSET="iso8859-15"

/etc/sysconfig/keyboard
KEYBOARDTYPE="pc"
KEYTABLE="es-cp850"

August 5, 2004

Quick guide to DM-CRYPT + LVM

+---------------------------------------------------------------+
| Quick guide to DMCRYPT + LVM                         A. Ramos |
| 29/Jul/2004  v1.0                           aramosf@unsec.net |
+---------------------------------------------------------------+


/ 1.- Introduction /
+--------------------+

The purpose of this guide is to create a logical volume with LVM2 (Logical
Volume Manager) and have it encrypted with AES. Two disks are used: part of
the system disk, and a second disk in its entirety.

All the documentation and testing was done on Fedora Core 2 with kernel 2.6.7
and LVM version 2, although the process is obviously the same or very
similar on other distributions.


/ 2.- Requirements /
+--------------------+

We assume a system whose kernel supports dm-crypt, which is included from
version 2.6.4 onwards, plus loopback, LVM and device-mapper support.

The required kernel options are:

Device Drivers --->
  Block devices --->
    <*> Loopback device support

  Multi-device support (RAID and LVM) --->
    <*> RAID support
    <*> Device mapper support
    <*> Crypt target support


These options can be built in statically or as modules.


/ 3.- Devices /
+---------------+

The example assumes that hda2 holds the root filesystem and that hdd is an
additional hard disk; both are 80 GB and are laid out as follows:


            hda                       hdd
         .··---··.                 .··---··.
         ·..___..·                 ·..___..·
  hda1   | swap  |  ] 256 MB       |       | -+
         |-------| -+              |       |  |
         |       |  |              |  hdd  |  | 80 GB
  hda2   |   /   |  | 72 GB        |       |  |
         |       |  |              |       |  |
         ·..___..· -+              ·..___..· -+

/ 4.- Configuration /
+---------------------+

Below are all the commands that are needed, with the action each one
performs.

Create a 54 GB file under /datos for the LVM; the remaining space on this
drive is left to the operating system:

# dd if=/dev/urandom of=/datos/datos1 bs=1M count=54000

This creates a file named "datos1" of 54000 MB filled with random bytes, so
that used and unused areas of the container cannot be told apart later.

Attach the file to loop device loop0:

# losetup /dev/loop0 /datos/datos1

Now create the first PV (physical volume) for LVM:

# lvm pvcreate /dev/loop0
No physical volume label read from /dev/loop0
Physical volume "/dev/loop0" successfully created

With the first disk done, move on to the second one. shred overwrites the
whole of "hdd" once with random data, which destroys its partition table
together with any previous contents (on an 80 GB disk this takes a while):

# shred -n 1 -v /dev/hdd

Create the second PV on hard disk hdd:

# lvm pvcreate /dev/hdd
No physical volume label read from /dev/hdd
Physical volume "/dev/hdd" successfully created

Check that both PVs were created correctly:

# lvm pvs
  PV         VG   Fmt  Attr PSize  PFree
  /dev/hdd        lvm2 --   74.53G 74.53G
  /dev/loop0      lvm2 --   53.71G 53.71G

With the PVs in place, create the VG (volume group) named "aes":

# lvm vgcreate aes /dev/loop0 /dev/hdd
Volume group "aes" successfully created

To finish with LVM, add the LV (logical volume) named "rules", sized as the
sum of the PVs created above: 74.5 GB + 53.7 GB

# lvm lvcreate -n rules aes -L128.20G
Rounding up size to full physical extent 128.20 GB
Logical volume "rules" created

After all these operations the logical volume is available at /dev/aes/rules
with a size of 128.20 GB.

Encrypting the volume is simple. First attach it to another loop device, in
this case number 1, since 0 is already in use by the LVM itself:

# losetup /dev/loop1 /dev/aes/rules

Then use the cryptsetup utility to create the encrypted volume. It is a
simple way of configuring dm-crypt volumes without having to use "dmsetup"
directly.

cryptsetup is provided by the author of dm-crypt. For Fedora Core 2 there is
an rpm package named cryptsetup_0.1-1_i386.rpm; for other distributions
either find the right package or build it from:
http://www.saout.de/misc/dm-crypt/cryptsetup-0.1.tar.bz2

# cryptsetup -c aes -y create crypt /dev/loop1
Enter passphrase:
Verify passphrase:

In this command "crypt" is the name given to the encrypted volume. A
passphrase has to be chosen when it is run, and the same one is needed every
time the device is created again (-y asks for it twice to catch typos). Note
that "cryptsetup create" uses dm-crypt's plain mode: there is no header on
the device, so neither the passphrase nor the cipher string is ever
verified. Creating the mapping with a different passphrase or -c value does
not fail; it simply maps unreadable data.

Once the new encrypted device /dev/mapper/crypt exists, all that is left is
to format it and mount it:

# mke2fs -j /dev/mapper/crypt
mke2fs 1.35 (28-Feb-2004)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
16809984 inodes, 33607680 blocks
1680384 blocks (5.00%) reserved for the super user
First data block=0
1026 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.


# mount /dev/mapper/crypt /crypt

Check that the mount is correct:

# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 72G 58G 11G 85% /
none 252M 0 252M 0% /dev/shm
/dev/mapper/crypt 127G 33M 120G 1% /crypt


/ 5.- Considerations /
+----------------------+

Bear in mind that if the /crypt volume is merely unmounted, it can still be
accessed without any passphrase, because the plaintext device
/dev/mapper/crypt stays mapped, unless you also run:

# cryptsetup remove crypt

This removes the "crypt" mapping, but not its contents, which remain
encrypted on the volume.

After a reboot, or after fully tearing down both the LVM and the dm-crypt
layers, run the following to get the data back:

# losetup /dev/loop0 /datos/datos1
# lvm vgchange -a y
# losetup /dev/loop1 /dev/aes/rules
# cryptsetup -c aes -y create crypt /dev/loop1
Enter passphrase:
Verify passphrase:
# mount /dev/mapper/crypt /crypt

The first two commands set up the LVM again, the next two the encrypted
volume, and the last one mounts the device. If the passphrase (or the -c
cipher) differs from the one used originally, cryptsetup will not complain:
the mount simply fails because no filesystem is found. In that case remove
the mapping with "cryptsetup remove crypt" and try again.
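The bring-up and tear-down of sections 4 and 5, as an added example script that is not part of the guide. It creates the LV from the VG's free extent count instead of adding the PV sizes by hand, maps the LV with cryptsetup directly (device-mapper stacks on LVM, so the second loop device is not needed), checks that the mapping really decrypts to a filesystem before mounting it, which is the only way to catch a mistyped passphrase in plain mode, and on tear-down verifies that /dev/mapper/crypt is really gone. Assumptions: the guide's names and paths, a blkid that understands `-o value -s TYPE`, and a cryptsetup whose `create` maps plain (headerless) mode with `-c aes` meaning aes-cbc-plain. On kernels from 2.6.10 on, `-c aes-cbc-essiv:sha256` avoids the predictable IVs of plain CBC mode, and LUKS (`cryptsetup luksFormat`) adds a header that makes a wrong passphrase detectable; the script keeps the guide's cipher so that it can open a volume created with it.

```shell
#!/bin/sh
# Bring-up / tear-down of the encrypted LV from this guide, with the checks the
# guide leaves to the operator. Names and paths are the guide's; blkid -o value
# and direct mapping of the LV by cryptsetup are assumptions (see lead-in).

CONTAINER=/datos/datos1     # loop-backed PV on the system disk
VG=aes                      # volume group holding both PVs
LV=rules                    # logical volume to encrypt
MAPNAME=crypt               # dm-crypt mapping -> /dev/mapper/crypt
MNT=/crypt
CIPHER=aes                  # guide's choice: plain aes-cbc, no header
FSTYPE=ext3                 # what mke2fs -j writes onto the mapping

# Free physical extents from one line of "vgdisplay -c" output (field 16 of the
# colon-separated format). Using -l <extents> instead of -L<size> lets the LV take
# exactly what is free, with no hand-added sizes and no rounding surprises.
free_pe_from_line() {
    printf '%s\n' "$1" | cut -d: -f16
}
free_pe() {                 # free_pe VGNAME
    free_pe_from_line "$(vgdisplay -c "$1")"
}

# Plain-mode dm-crypt has no header: a wrong passphrase or cipher string does not
# fail, it just maps random-looking bytes. The only check available is whether a
# filesystem signature shows up behind the mapping. $1 is the TYPE blkid reports
# (empty when nothing is recognised), $2 the type we expect to find there.
plaintext_looks_sane() {
    [ -n "$1" ] && [ "$1" = "${2:-$1}" ]
}

crypt_init() {              # one-time: LV over all free extents, map, format
    lvm lvcreate -n "$LV" -l "$(free_pe "$VG")" "$VG"
    cryptsetup -c "$CIPHER" -y create "$MAPNAME" "/dev/$VG/$LV"
    mke2fs -j "/dev/mapper/$MAPNAME"
}

crypt_up() {                # after a reboot: section 5 of the guide, verified
    losetup /dev/loop0 "$CONTAINER"
    lvm vgchange -a y "$VG"
    cryptsetup -c "$CIPHER" create "$MAPNAME" "/dev/$VG/$LV"
    fstype=$(blkid -o value -s TYPE "/dev/mapper/$MAPNAME" 2>/dev/null || true)
    if ! plaintext_looks_sane "$fstype" "$FSTYPE"; then
        echo "no $FSTYPE behind /dev/mapper/$MAPNAME (wrong passphrase?), unmapping" >&2
        cryptsetup remove "$MAPNAME"
        return 1
    fi
    mount "/dev/mapper/$MAPNAME" "$MNT"
}

crypt_down() {              # unmount is not enough: drop the plaintext mapping too
    umount "$MNT"
    cryptsetup remove "$MAPNAME"
    lvm vgchange -a n "$VG"
    losetup -d /dev/loop0
    [ ! -e "/dev/mapper/$MAPNAME" ]       # fail loudly if the plaintext device survived
}

case "${1:-}" in
    init) crypt_init ;;
    up)   crypt_up ;;
    down) crypt_down ;;
esac
```

Run as `sh crypt.sh init` once after the VG exists, then `sh crypt.sh up` / `sh crypt.sh down` around each use; `crypt_up` returns non-zero and removes the mapping when the passphrase did not produce an ext3 signature.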


/ 6.- Other uses - ideas /
+---------------------------+

dm-crypt is also a good fit for other uses, such as encrypting the system
logs, the tmp directory or the swap space.

Encrypting swap is as simple as running:

# swapoff -a
# cryptsetup --key-file=/dev/urandom create swap /dev/hda1
# mkswap /dev/mapper/swap
# swapon /dev/mapper/swap

The first command disables swap so that nothing is in use.
The second creates a device "swap" on top of partition hda1 with a random key
that we never need to know, since on the next reboot we do not want to
recover its contents anyway. (Double-check that hda1 really is the swap
partition, since mkswap will wipe whatever it is given, and remember that
suspend-to-disk cannot resume from a swap whose key changes on every boot.)
The third command creates the swap area on the new encrypted device
/dev/mapper/swap.
The last command activates the new swap.

If an encrypted volume with plenty of free space already exists and you do
not want to repeat the whole process for every new volume, the solution is
to use symbolic links or mount points:

# mkdir /crypt/logs /crypt/tmp
# chmod 1777 /crypt/tmp
# ln -s /crypt/tmp /tmp
# mount --bind /crypt/logs /var/log

These commands do the following:
- Create the directories "logs" and "tmp" inside "crypt"
- Set the "sticky" bit on /crypt/tmp
- Create a symbolic link from /tmp to /crypt/tmp
- Mount the directory /crypt/logs over /var/log

Note that one example uses mount's --bind option and the other the "ln"
command; either works and the administrator decides which is more
convenient. Two caveats: "ln -s /crypt/tmp /tmp" only does what you want if
/tmp does not already exist (if it is an existing directory, the link is
created inside it as /tmp/tmp), so move the old /tmp out of the way first;
and a bind mount over /var/log hides whatever the old directory contained,
so stop syslog and copy the existing logs into /crypt/logs before mounting.

If, on the other hand, there is no encrypted volume yet and you only want to
encrypt the system logs, the commands would be:

Create a file named "logs" under /datos:

# dd if=/dev/urandom of=/datos/logs count=100 bs=1M

Attach it to loopback 0:

# losetup /dev/loop0 /datos/logs

Create the encrypted mapping named "logs"; it will ask for a passphrase
twice. Remember that when you unmount it and no longer want to use the
encrypted volume you must call cryptsetup again with the "remove" option, as
explained above.

# cryptsetup -c aes -y create logs /dev/loop0
Enter passphrase:
Verify passphrase:

Format it with ext3 and mount it on its final directory:

# mkfs.ext3 /dev/mapper/logs
# mount /dev/mapper/logs /var/log

/ 7.- References /
+-------------------+

http://tldp.org/HOWTO/LVM-HOWTO/
http://www.saout.de/misc/dm-crypt/
http://www.saout.de/tikiwiki/
http://www.saout.de/misc/dm-crypt/cryptsetup-0.1.tar.bz2

August 25, 2004

Common ports on a W2K box

Port Assignments for Commonly-Used Services

Solaris version history

SunOS version  Solaris version  Release date  Supported platforms
4.0.2          none             Sep. 89       386i
4.0.3          none             May 89        sun2, sun3/3x, sun4
4.0.3c         none             June 89       Sparc 1
4.0.3 PSR_A    none             July 89       Sun 4/470, 4/490
4.1            none             Mar. 90       sun3, sun4
4.1e           none             Apr. 91       sun4e
4.1.1          none             Mar. 90       sun3/3x, sun4
4.1.1B         1.0              Feb. 91       sun4
4.1.1.1        1.0              Jul. 91       sun3/3x
4.1.1_U1       1.0              Nov. 91       sun3/3x
4.1.2          1.0.1            Dec. 91       sun4, sun4m
4.1.3          1.1A             Aug. 92       sun4, sun4c, sun4m
4.1.3C         1.1c             Nov. 93       Sparc LX/Classic
4.1.3_U1       1.1.1            Dec. 93       sun4, sun4c, sun4m
4.1.3_U1B      1.1.1B           Feb. 94       sun4, sun4c, sun4m
4.1.4          1.1.2            Nov. 94       sun4, sun4c, sun4m
5.0            2.0              Jul. 92       sun4c
5.1            2.1              Dec. 92       sun4, sun4c, sun4m, x86
5.2            2.2              May 93        sun4, sun4c, sun4m, sun4d
5.3            2.3              Nov. 93       sun4, sun4c, sun4m, sun4d
5.4            2.4              Aug. 94       sun4, sun4c, sun4m, sun4d, x86
5.5            2.5              Nov. 95       sun4c, sun4m, sun4d, sun4u, x86
5.5.1          2.5.1            May 96        sun4c, sun4m, sun4d, sun4u, x86, ppc
5.6            2.6              Aug. 97       sun4c, sun4m, sun4d, sun4u, x86
5.7            7                Oct. 98       sun4c, sun4m, sun4d, sun4u, x86
5.8            8                2000          sun4m, sun4d, sun4u, x86

November 17, 2004

Upgrading fc2 to fc3 (udev)

Well, yes: I had the server down for more than 3 days until someone
managed to fix the problem that the switch from the dev package to udev
caused me.
If you do this upgrade, be careful and make very sure everything is in
order before rebooting, especially if you have no physical access, as in
my case.

You can find more information here

December 23, 2004

Disabling ICMP mask reply on Tru64


http://www.ornl.gov/lists/mailing-lists/tru64-unix-managers/2001/03/msg00473.html

It would be the same procedure, but setting the bit for address mask
requests in icmp_rejectcodemask (ICMP_MASKREQ is type 17, so the bit is
1<<17 = 131072),

as the following post explains, following the steps at this link:

http://h30097.www3.hp.com/docs/internet/TITLE.HTM

In article , "Jimmy Kelley"
jimmy@federated.com writes:
Is there some way to disable responses to ICMP timestamp requests in
Tru64 UNIX v 4.0f?

I checked the source code; there is indeed a way, although it takes a little
explanation.

There's a kernel global variable (in 4.0F; I'm not sure about earlier releases)
called "icmp_rejectcodemask". This is a bit mask, where each bit corresponds
to an ICMP message type code. If a bit is set, incoming messages with the
corresponding type are not handled by the ICMP protocol code (although they
ARE passed along to the raw-IP input code).

You can set multiple bits, to disable multiple ICMP types.

To disable responses to ICMP timestamp requests, for example, in C the
appropriate assignment would be:

icmp_rejectcodemask |= (1 << ICMP_TSTAMP);

Looking in /usr/include/netinet/ip_icmp.h, we find

#define ICMP_TSTAMP 13 /* timestamp request */

and (1<<13) = 8192.

So, to disable responses to ICMP_TIMESTAMP, you would set
icmp_rejectcodemask = 8192.


Currently, the only way to change this variable (so far as I know) is via dbx;
instructions are at http://www.unix.digital.com/internet/tuning.htm#mod_atts

I was told by the kernel engineers that "we are adding this to the on-line
internet server tuning guide for the next revision. It keeps coming up lately."

-Jeff

December 29, 2004

My shell script for TCP/IP tuning/performance on Linux

Obviously these parameters are not right for everybody.
(And yes, I know they are very aggressive)

echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "3129344 3137536 3145728" > /proc/sys/net/ipv4/tcp_mem
echo "65536 1398080 2796160" > /proc/sys/net/ipv4/tcp_rmem
echo "65536 1398080 2796160" > /proc/sys/net/ipv4/tcp_wmem
echo "163840" > /proc/sys/net/core/optmem_max
echo "1048560" > /proc/sys/net/core/rmem_default
echo "2097136" > /proc/sys/net/core/rmem_max
echo "1048560" > /proc/sys/net/core/wmem_default
echo "2097136" > /proc/sys/net/core/wmem_max

Update: Wed Dec 29 16:42:04 CET 2004
Cleaner with sysctl (/etc/sysctl.conf):

net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_mem = 3129344 3137536 3145728
net.ipv4.tcp_rmem = 65536 1398080 2796160
net.ipv4.tcp_wmem = 65536 1398080 2796160
net.core.optmem_max = 163840
net.core.rmem_default = 1048560
net.core.rmem_max = 2097136
net.core.wmem_default = 1048560
net.core.wmem_max = 2097136

###Hardening Linux:

net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_default_ttl = 64
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_max_syn_backlog = 256

# -Thx Crg
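The sysctl.conf above only records the intended state; nothing re-checks it later, and a later kernel, tuning script or intruder can silently change a value. The following added script (not the post author's) compares a sysctl.conf-style baseline against the kernel's live values and reports every key that drifted or is missing. Two notes on the hardening list itself: rp_filter is set only on conf.default, which covers interfaces created later but not the ones already up, so net.ipv4.conf.all.rp_filter = 1 belongs next to it; and tcp_max_syn_backlog = 256 is below the usual 2.6 default of 1024 on machines with 128 MB or more, so it shortens rather than lengthens the SYN queue (syncookies still take over when it fills). The sample baseline and "live" output used in the check below are constructed.

```shell
#!/bin/sh
# Baseline check for the sysctl settings above: report every key whose live value
# differs from the desired file, so a hardening baseline that was applied once
# can be verified later. Added example for this page, not the post author's script.

# Pure function: $1 = file in sysctl.conf syntax (desired state),
# $2 = file with "key = value" lines as printed by "sysctl -a" (actual state).
# Prints one DRIFT or MISSING line per problem; returns 1 if any were found.
sysctl_drift() {
    out=$(awk '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s }
        FNR == NR {                       # first file: desired settings
            if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/ || index($0, "=") == 0) next
            k = norm(substr($0, 1, index($0, "=") - 1))
            want[k] = norm(substr($0, index($0, "=") + 1)); order[++n] = k
            next
        }
        index($0, "=") > 0 {              # second file: live values
            k = norm(substr($0, 1, index($0, "=") - 1))
            if (k in want) have[k] = norm(substr($0, index($0, "=") + 1))
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) printf "MISSING %s (want %s)\n", k, want[k]
                else if (have[k] != want[k]) printf "DRIFT %s: want %s, have %s\n", k, want[k], have[k]
            }
        }' "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Compare the running kernel against a sysctl.conf (Linux only). "sysctl -a"
# prints multi-value keys such as tcp_mem tab-separated; norm() above collapses
# that to the single spaces used in the configuration file.
live_drift() {
    live=$(mktemp) || return 1
    sysctl -a 2>/dev/null > "$live"
    sysctl_drift "${1:-/etc/sysctl.conf}" "$live"
    rc=$?
    rm -f "$live"
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    live_drift "${2:-/etc/sysctl.conf}"
fi
```

`sh sysctl_drift.sh --live` exits non-zero whenever the running kernel disagrees with /etc/sysctl.conf, which makes it usable from cron or a monitoring check.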

April 14, 2005

IPTables + FTP in passive mode

Connection tracking and ftp

Firstly, you need to load the ip_conntrack_ftp module (on later kernels,
where the conntrack core became nf_conntrack, it is called nf_conntrack_ftp).

Assuming you have a single-homed box, a simple ruleset to allow an ftp connection would be:

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

(Please note, I am assuming here you have a separate ruleset to allow any icmp RELATED
to the connection. Please see my example ruleset for this).

This is not the whole story. An ftp connection also needs a data-channel, which can be
provided in one of two ways:

1) Active ftp

The ftp client sends a port number over the ftp channel via a PORT command to the ftp
server. The ftp server then connects from port 20 to this port to send data, such as a
file, or the output from an ls command. The ftp-data connection is in the opposite sense
from the original ftp connection.

To allow active ftp without knowing the port number that has been passed we need a general
rule which allows connections from port 20 on remote ftp servers to high ports
(port numbers > 1023) on ftp clients. This is simply too general to ever be secure.

Enter the ip_conntrack_ftp module. This module is able to recognize the PORT command and
pick-out the port number. As such, the ftp-data connection can be classified as RELATED
to the original outgoing connection to port 21 so we don't need NEW as a state match for
the connection in the INPUT chain. The following rules will serve our purposes grandly:

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

2) Passive ftp

This time the client sends a PASV command and the server answers (reply code
227) with the address and port it is listening on; the client then opens the
data connection to that port. Since this connection is in the same sense as
the original ftp connection, passive ftp is more secure from the client's
point of view than active ftp (no inbound connection has to be accepted),
but note that this time we know even less about the port numbers: we now
have a connection between almost arbitrary port numbers.

Enter the ip_conntrack_ftp module once more. It also parses the 227 reply and
picks out the port number, so instead of NEW in the state match for the
OUTPUT chain we can use RELATED. The following rules will suffice:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state \
ESTABLISHED,RELATED -j ACCEPT


http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
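The two rule pairs above cover only the data channels. Below is an added, runnable version of the whole client-side set (not from the linked article), with the control channel, the ICMP RELATED rule the article says it assumes, and loading of the helper module under either of its names (ip_conntrack_ftp on 2.4 and early 2.6 kernels, nf_conntrack_ftp later). IPT and MODPROBE are assumptions so that the script can be dry-run with IPT=echo before it touches a live firewall.

```shell
#!/bin/sh
# Client-side FTP rules with connection tracking, for a single-homed box whose
# INPUT and OUTPUT policies are DROP. Added example, not from the linked
# article; IPT and MODPROBE can be pointed at "echo" for a dry run.
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}

# The helper that reads PORT commands and 227 replies out of the control channel
# was renamed when netfilter's conntrack core became nf_conntrack; try both names.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
}

ftp_client_rules() {
    # Control channel: we open it to port 21; the replies are ESTABLISHED.
    $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # Active data: the server connects from port 20 to the high port we sent in
    # PORT. The helper marks that connection RELATED, so INPUT never needs NEW.
    $IPT -A INPUT -p tcp --sport 20 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 1024: --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # Passive data: we connect to the high port the server announced in its 227
    # reply. RELATED on OUTPUT replaces a blanket NEW between arbitrary high ports.
    $IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
}

# The article assumes ICMP errors tied to an existing connection are allowed elsewhere.
icmp_related_rules() {
    $IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT
    $IPT -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
}

if [ "${1:-}" = "--apply" ]; then
    load_ftp_helper
    icmp_related_rules
    ftp_client_rules
fi
```

`IPT=echo MODPROBE=echo sh ftp-rules.sh --apply` prints the rules instead of loading them; note that no rule anywhere in the set accepts NEW on INPUT, which is the whole point of letting the helper classify the data channel as RELATED.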

April 26, 2005

Disabling loading of the IPv6 module on Linux

Use modprobe.conf:

echo -e "alias ipv6 off\nalias net-pf-10 off\n" >> /etc/modprobe.conf

(On later module-init-tools an "install ipv6 /bin/true" line in a file under
/etc/modprobe.d/ does the same job, and when IPv6 is built into the kernel
rather than being a module it has to be switched off through the
net.ipv6.conf.all.disable_ipv6 sysctl instead.)

"Hidden" processes on Linux (glibc/kernel 2.6)

The reason some rootkit detectors report certain processes as "hidden" is
the change in the threading model that came with the new glibc and kernel 2.6.

From:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222179


That's a bug in chkrootkit. With the latest glibc and 2.6 kernel, the
threading model has changed. Threads no longer show up as individual
processes. Chkrootkit should be updated to work with the latest glibc
and 2.6 kernel (i.e. it should check /proc/<pid>/task too)
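What the bug report describes, as an added example that is not chkrootkit's code: walk PID numbers and stat /proc/<n> the way a detector does (a thread's /proc entry is reachable by path even though readdir() on /proc no longer lists it, which is exactly why the old check produced false positives), subtract what ps lists, and then, the fix the report asks for, subtract everything that appears under some /proc/<pid>/task before calling anything hidden. hidden_pids() is kept pure so it can be checked on constructed lists; scan_live() gathers the real lists, and the MAXPID cap is an assumption.

```shell
#!/bin/sh
# "Hidden process" check in the spirit of chkrootkit's chkproc, with the fix the
# bug report asks for. Added example for this page, not chkrootkit's code.
# A PID that exists in /proc (probed by path rather than by listing the
# directory) but is missing from ps is only "hidden" if it is not listed under
# some /proc/<pid>/task either, i.e. if it is not a thread of a visible process.

# Pure function so the logic can be checked on constructed lists:
#   $1 = PIDs found to exist in /proc, $2 = PIDs reported by ps,
#   $3 = thread IDs collected from /proc/*/task (all newline separated).
# Prints the entries of $1 that neither ps nor the task lists account for.
hidden_pids() {
    ef=$(mktemp) && kf=$(mktemp) || return 1
    printf '%s\n' "$1" | grep -v '^$' | sort -u > "$ef"
    printf '%s\n%s\n' "$2" "$3" | grep -v '^$' | sort -u > "$kf"
    comm -23 "$ef" "$kf"
    rm -f "$ef" "$kf"
}

# Gather the three lists from the running system. MAXPID is an assumption that
# keeps the walk short; use $(cat /proc/sys/kernel/pid_max) for a full scan.
scan_live() {
    max=${MAXPID:-65536}
    exist=$(i=1
            while [ "$i" -le "$max" ]; do
                [ -d "/proc/$i" ] && printf '%s\n' "$i"
                i=$((i + 1))
            done; true)
    listed=$(ps -eo pid= | tr -d ' ')
    tids=$(for p in /proc/[0-9]*; do ls "$p/task" 2>/dev/null; done; true)
    hidden_pids "$exist" "$listed" "$tids"
}

if [ "${1:-}" = "--scan" ]; then
    out=$(scan_live)
    if [ -n "$out" ]; then
        printf 'PIDs present in /proc but not explained by ps or /proc/<pid>/task:\n%s\n' "$out"
    else
        echo "nothing hidden: every extra /proc entry is a thread of a listed process"
    fi
fi
```

`sh hidden.sh --scan` on a 2.6 box with NPTL reports nothing for threaded daemons, where the original chkproc logic (steps one and two without the task subtraction) would have listed every thread ID as a hidden process; a real rootkit that hides a PID from both ps and /proc/*/task still shows up.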

April 29, 2005

ASYMMETRIC GRE TUNNELS

-----[ ASYMMETRIC GRE TUNNELS ]-----
http://demasie.aditel.org/docs/tuneles-gre-asimetricos.txt
http://spisa.act.uji.es/~peralta/

Author: Luis Peralta / jaxp
Date: 6 July 2000
Last update: 13 July 2000
TODO: replace arp with ip neigh


We define an asymmetric tunnel as one in which the two inner addresses of
the tunnel do not belong to a private network but to the Internet itself.
This lets us use IPs of any given network from inside another one.

We have the following setup:


 /------------------\       Internet       /----------------\
 |demasie.aditel.org| < - - - - - - - - > |spisa.act.uji.es|
 \------------------/                      \----------------/
 eth0: 194.224.81.16                       eth1: 150.128.81.246

and we want one of the IPs of demasie's network (194.224.81.0) to become
just another IP of spisa.

Set up the tunnel:

demasie-> # ip tunnel add macho mode gre local 194.224.81.16 remote 150.128.81.246
spisa->   # ip tunnel add hembra mode gre local 150.128.81.246 remote 194.224.81.16

And assign two IPs from demasie's network to macho and hembra:

demasie-> # ip addr add 194.224.81.23 dev macho
spisa->   # ip addr add 194.224.81.22 dev hembra

Bring the devices up:

demasie-> # ip link set macho up
spisa->   # ip link set hembra up

Add routes:

demasie-> # ip route add 194.224.81.22 dev macho
spisa->   # ip route add 194.224.81.23 dev hembra

We have to play with ARP on demasie's network, since we want traffic for
194.224.81.22 to go to spisa:

demasie-> # arp -s 194.224.81.22 52:54:05:F5:FC:EB (MAC of demasie) pub

With that done the tunnel is up. All traffic to 194.224.81.22 will go to
spisa and spisa will be able to answer. The picture is now:


 /------------------\       Internet       /----------------\
 |demasie.aditel.org| < - - - - - - - - > |spisa.act.uji.es|
 \------------------/                      \----------------/
 eth0: 194.224.81.16                       eth1: 150.128.81.246
 macho: 194.224.81.23                      hembra: 194.224.81.22

When a packet for 194.224.81.22 arrives on demasie's network, demasie routes
it through the tunnel and spisa replies through eth1. That may not be what
we want, because if any of the routers we cross blocks "source routing"
for security reasons (that is, drops packets whose source address does not
belong on the interface they came in on), the tunnel will fail and will only
be reachable from the original network. This is called a triangular route:


 194.224.81.22 - - - - - > demasie - - - > - - - - - > - - - > spisa-tunnel
       ^                                                          /
       |                                                         /
        \                                                       /
         \ - < - - - - - - spisa-eth1 < - - - - - - - - - - - -/

To avoid this we have to use the kernel's "policy routing" facilities:

spisa-> # ip rule add from 194.224.81.22 table 13
spisa-> # ip route add default via 194.224.81.23 table 13

Now the triangle is gone and we are left with:

 194.224.81.22 - - - - - > demasie - - - > - - - - > - - - - > spisa-tunnel
       \ - - - - - - - - - - - - < - - - - - - - - - - - - - - - -/

luis peralta / jaxp
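Both ends of the article's setup as one added script (not the author's), which also resolves the TODO at the top: the proxy-ARP entry is created with `ip neigh add proxy` instead of `arp -s ... pub`. One addition a practitioner would want and the article does not show: GRE carries no authentication or integrity check, so anyone who can reach the outer address could inject packets "from inside" the tunnel; the script therefore accepts GRE only from the known peer. IP and IPT are assumptions so the script can be dry-run with IP=echo IPT=echo; the addresses and device names are the article's.

```shell
#!/bin/sh
# Both ends of the asymmetric GRE tunnel described above, with "ip neigh" for the
# proxy-ARP entry (the article's TODO) and GRE restricted to the known peer.
# Added example, not the article author's script. Set IP=echo IPT=echo to dry-run.
IP=${IP:-ip}
IPT=${IPT:-iptables}

DEMASIE_EXT=194.224.81.16   # demasie eth0, outer tunnel endpoint
SPISA_EXT=150.128.81.246    # spisa eth1, outer tunnel endpoint
DEMASIE_IN=194.224.81.23    # inner address on demasie (dev macho)
SPISA_IN=194.224.81.22      # inner address on spisa (dev hembra), borrowed from demasie's LAN
LAN_DEV=eth0                # demasie's interface on 194.224.81.0

# GRE has no authentication of its own: without this, any host on the Internet
# could send GRE to the outer address and have it treated as tunnel traffic.
gre_only_from() {           # gre_only_from PEER
    $IPT -A INPUT -p gre -s "$1" -j ACCEPT
    $IPT -A INPUT -p gre -j DROP
}

demasie_up() {
    $IP tunnel add macho mode gre local "$DEMASIE_EXT" remote "$SPISA_EXT"
    $IP addr add "$DEMASIE_IN" dev macho
    $IP link set macho up
    $IP route add "$SPISA_IN" dev macho
    # Answer ARP for the borrowed address on the LAN so that frames for it reach
    # demasie and get routed into the tunnel (replaces: arp -s ... <MAC> pub).
    $IP neigh add proxy "$SPISA_IN" dev "$LAN_DEV"
    gre_only_from "$SPISA_EXT"
}

spisa_up() {
    $IP tunnel add hembra mode gre local "$SPISA_EXT" remote "$DEMASIE_EXT"
    $IP addr add "$SPISA_IN" dev hembra
    $IP link set hembra up
    $IP route add "$DEMASIE_IN" dev hembra
    # Policy routing: anything sourced from the borrowed address leaves through the
    # tunnel rather than eth1, so no triangular route exists for anti-spoofing filters to drop.
    $IP rule add from "$SPISA_IN" table 13
    $IP route add default via "$DEMASIE_IN" dev hembra table 13
    gre_only_from "$DEMASIE_EXT"
}

demasie_down() {
    $IP neigh del proxy "$SPISA_IN" dev "$LAN_DEV"
    $IP tunnel del macho           # removes the tunnel's addresses and routes with it
}

spisa_down() {
    $IP rule del from "$SPISA_IN" table 13
    $IP tunnel del hembra
}

case "${1:-}" in
    demasie-up)   demasie_up ;;
    demasie-down) demasie_down ;;
    spisa-up)     spisa_up ;;
    spisa-down)   spisa_down ;;
esac
```

Run `sh gre.sh demasie-up` on demasie and `sh gre.sh spisa-up` on spisa; the two iptables lines in gre_only_from are the only part that is not a one-to-one translation of the article's commands.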

May 30, 2005

Linux configuration on a Dell D600

lspci:

0000:00:00.0 Host bridge: Intel Corp. 82855PM Processor to I/O Controller (rev 03)
0000:00:01.0 PCI bridge: Intel Corp. 82855PM Processor to AGP Controller (rev 03)
0000:00:1d.0 USB Controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 01)
0000:00:1d.1 USB Controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 (rev 01)
0000:00:1d.2 USB Controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 (rev 01)
0000:00:1d.7 USB Controller: Intel Corp. 82801DB/DBM (ICH4/ICH4-M) USB 2.0 EHCI Controller (rev 01)
0000:00:1e.0 PCI bridge: Intel Corp. 82801 PCI Bridge (rev 81)
0000:00:1f.0 ISA bridge: Intel Corp. 82801DBM LPC Interface Controller (rev 01)
0000:00:1f.1 IDE interface: Intel Corp. 82801DBM (ICH4) Ultra ATA Storage Controller (rev 01)
0000:00:1f.5 Multimedia audio controller: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01)
0000:00:1f.6 Modem: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Modem Controller (rev 01)
0000:01:00.0 VGA compatible controller: ATI Technologies Inc Radeon R250 Lf [Radeon Mobility 9000 M9] (rev 02)
0000:02:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5705M Gigabit Ethernet (rev 01)
0000:02:01.0 CardBus bridge: O2 Micro, Inc. OZ711EC1 SmartCardBus Controller (rev 20)
0000:02:01.1 CardBus bridge: O2 Micro, Inc. OZ711EC1 SmartCardBus Controller (rev 20)


Configuration files:
/usr/src/linux/.config
/etc/modules/
XF86Config-4.fglrx.conf (/etc/X11/XF86Config)
XF86Config-4.drm.agpgart.conf (/etc/X11/XF86Config)
/etc/lilo.conf

Notes:
* Framebuffer and fglrx acceleration are not compatible (switching from X to
  the framebuffer and back to X hangs the machine)
* In both modes agpgart and intel_agp must be loaded in the kernel
* The fglrx driver is downloaded from ATI's website and has to be compiled
* Use glxgears and glxinfo to check that acceleration works

October 25, 2006

Mac OS to Windows keyboard mapping