ZeroShell 2.0 RC3

Zeroshell is a Linux Live CD distribution aimed at providing the main network services a LAN requires.

Here are some key features of "ZeroShell":

· Kerberos 5 authentication using an integrated KDC, with cross-realm authentication, or authentication with X.509 certificates;
· LDAP, NIS and RADIUS authorization;
· X.509 certification authority for issuing and managing electronic certificates;
· Unix and Windows Active Directory interoperability using LDAP and Kerberos 5 cross-realm authentication;
· Router with static and dynamic routes (RIPv2 with MD5 or plain-text authentication and the Split Horizon and Poisoned Reverse algorithms);
· 802.1d bridge with Spanning Tree Protocol to avoid loops even in the presence of redundant paths;
· 802.1Q Virtual LAN (tagged VLAN);
· Firewall with packet filtering and Stateful Packet Inspection (SPI); filters apply in both routing and bridging mode on all types of interface, including VPN and VLAN;
· Rejection or shaping of P2P file-sharing traffic using the IPP2P iptables module in the firewall and in the QoS classifier;
· NAT to hide private LAN addresses behind public addresses on the WAN;
· TCP/UDP port forwarding (PAT) to create virtual servers: a cluster of real servers is reached through a single IP address (that of the virtual server) and each request is distributed to the real servers by a round-robin algorithm;
· Multizone DNS server with automatic management of the in-addr.arpa reverse resolution;
· Multi-subnet DHCP server with the possibility of fixing a client's IP address according to its MAC address;
· Host-to-LAN VPN with L2TP/IPsec: L2TP (Layer 2 Tunneling Protocol), authenticated with a Kerberos 5 username and password, is encapsulated within IPsec, authenticated with IKE using X.509 certificates;
· Host-to-LAN VPN with PPTP (Point to Point Tunneling Protocol), MPPE (Microsoft Point to Point Encryption) and GRE tunneling;
· LAN-to-LAN VPN with encapsulation of Ethernet datagrams in an SSL/TLS tunnel, with support for 802.1Q VLANs and configurable in bonding for load balancing (bandwidth increase) or fault tolerance (reliability increase);
· PPPoE client for connection to the WAN via ADSL, DSL and cable lines (requires a suitable modem);
· Dynamic DNS client so that the host can be reached on the WAN even when its IP address is dynamic;
· NTP (Network Time Protocol) client and server for keeping host clocks synchronized;
· RADIUS server providing secure authentication and automatic management of the encryption keys (including dynamic WEP keys; WEP itself is broken and should not be relied on) for 802.11a/b/g wireless networks that support 802.1X, in the EAP-TLS, EAP-TTLS and PEAP forms, or the less secure authentication by client MAC address; WPA with TKIP and WPA2 with CCMP (802.11i compliant) are supported too; depending on the username, group or MAC address of the supplicant, the RADIUS server can also place the client on a preset 802.1Q VLAN;
· Captive Portal to support web login on wireless and wired networks. Zeroshell acts as the gateway for the networks on which the Captive Portal is active, where the IP addresses (usually in private subnets) are assigned dynamically by DHCP. A client on such a network must authenticate through a web browser with a Kerberos 5 username and password before Zeroshell's firewall lets it reach the public LAN. Captive Portal gateways are often used to provide authenticated Internet access in hotspots as an alternative to 802.1X, which is too complicated for users to configure. Zeroshell implements the Captive Portal natively, without relying on other software such as NoCat or Chillispot;
· QoS (Quality of Service) management and traffic shaping to control traffic on a congested network: you can guarantee a minimum bandwidth, limit the maximum bandwidth and assign a priority to a traffic class (useful for latency-sensitive applications such as VoIP). This tuning can be applied to Ethernet interfaces, VPNs, bridges and VPN bondings. Traffic can be classified with Layer 7 filters, which perform Deep Packet Inspection (DPI) and are useful for shaping VoIP and P2P applications;
· Syslog server for receiving and cataloguing the system logs produced by remote hosts, including Unix systems, routers, switches, Wi-Fi access points, network printers and anything else that speaks the syslog protocol;
· Arpwatch monitor for monitoring ARP events on the LAN such as duplicated IP addresses, flip-flops and other faults.
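As an added example (not part of the original page or of Zeroshell's own code), here is the RADIUS exchange behind the dynamic VLAN assignment listed above: once the supplicant's EAP authentication succeeds, the RADIUS server answers the switch or access point with an Access-Accept carrying Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id=<vlan> (RFC 2868/3580), and the NAS verifies the Response Authenticator before moving the port onto that VLAN. The VLAN policy (groups, usernames, MAC addresses), the shared secret and the Request Authenticator are constructed for this example; the attribute layout and the authenticator computation follow RFC 2865/2868/3580.

```python
"""Added example: the RADIUS Access-Accept that places an 802.1X supplicant on a VLAN.

Packet format and Response Authenticator: RFC 2865. Tunnel attributes: RFC 2868.
Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6): RFC 3580 section 3.31.
The VLAN policy, shared secret and Request Authenticator below are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: which VLAN a supplicant lands on, by username, group or MAC address.
USER_VLANS = {"printer-admin": 30}
GROUP_VLANS = {"staff": 10, "students": 20}
MAC_VLANS = {"00:11:22:33:44:55": 40}   # device without a supplicant, "authenticated" by MAC only
GUEST_VLAN = 99


def assign_vlan(username: str, groups, mac: str) -> int:
    """Pick the VLAN by username first, then group, then MAC address, else the guest VLAN."""
    if username in USER_VLANS:
        return USER_VLANS[username]
    for g in groups:
        if g in GROUP_VLANS:
            return GROUP_VLANS[g]
    return MAC_VLANS.get(mac.lower(), GUEST_VLAN)


def attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1, header included) Value(1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Tunnel-Type and Tunnel-Medium-Type: tag(1) + 3-byte integer.
    Tunnel-Private-Group-Id: tag(1) + the VLAN ID as an ASCII string. Tag 0 = no tag."""
    t = struct.pack("!B", tag)
    return (attr(ATTR_TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator before trusting any attribute in the Accept."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def vlan_from_packet(packet: bytes) -> Optional[int]:
    """Walk the attribute list and return the VLAN ID in Tunnel-Private-Group-Id, if any."""
    off = 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            return int(packet[off + 3:off + alen].decode("ascii"))  # skip type, length, tag
        off += alen
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))   # constructed: copied from the NAS's Access-Request
    secret = b"testing123"        # constructed NAS/server shared secret
    vlan = assign_vlan("bob", ["students"], "aa:bb:cc:dd:ee:ff")
    pkt = build_access_accept(0x2A, req_auth, secret,
                              attr(ATTR_USER_NAME, b"bob") + vlan_attributes(vlan))
    print(verify_access_accept(pkt, req_auth, secret), vlan_from_packet(pkt))
```

FreeRADIUS, the RADIUS server listed among Zeroshell's components, expresses the same reply in its `users` file as `Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "20"`. Note that the MD5 Response Authenticator keyed with the shared secret is the only integrity protection on an Access-Accept, so the path between access points and the RADIUS server should itself be a trusted network or an IPsec/TLS tunnel.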
The following features were planned for inclusion in release 1.0.0:

Web proxy server providing a centralized web cache able to block web pages containing viruses. This feature is implemented using the ClamAV antivirus and the Squid proxy server. The proxy can be configured in transparent mode, in which browsers need no configuration because HTTP requests are automatically redirected to the proxy.

The following features were planned for releases after 1.0.0:

HostAP mode for wireless network cards with Intersil Prism2/2.5/3 chipsets. In other words, a Zeroshell box with one of these Wi-Fi cards could become an IEEE 802.11b/g Access Point providing reliable authentication and dynamic WEP key exchange via 802.1X and WPA. The authentication naturally takes place with EAP-TLS and PEAP against the integrated RADIUS server;

IMAP v4 server to manage mailboxes, with authentication provided by the integrated Kerberos 5 server;

SMTP server to receive, send and route mail according to an SMTP routing map stored on the integrated LDAP server. Incoming and outgoing mail is checked for spam and viruses by antispam and antivirus filters that update automatically from the Internet. Moreover, the dynamic DNS client, which automatically updates the DNS MX record, makes it possible to run a mail server for a domain even if the WAN IP address is not statically assigned.

Smart Card authentication using the PKINIT protocol, which combines Kerberos 5 credentials and X.509 certificates. Unfortunately, unlike the other features, it is not possible to support Smart Card authentication in the short term because MIT Kerberos v5 does not implement the PKINIT protocol yet.

Zeroshell is a Live CD distribution, meaning that it does not need to be installed on a hard disk: it can run directly from the CD-ROM on which it is distributed. The database containing all data and settings can, of course, be stored on ATA, SATA, SCSI and USB disks. Security bug fixes can be downloaded through the automatic update system over the Internet and installed in the database; such patches are automatically removed from the database by subsequent releases of the Zeroshell Live CD that already contain the updates.

A 512 MB Compact Flash image is also available for booting from that device instead of a CD-ROM, for example in embedded network appliances. The Compact Flash image leaves 400 MB available for storing configuration and data.

The name Zeroshell underlines the fact that, although it is a Linux system (traditionally administered from a shell), all administration can be carried out through the web interface: after assigning an IP address via a VGA or serial terminal, simply connect to that address with a browser to configure everything. Zeroshell has been successfully tested with Firefox 1.0.6+, Internet Explorer 6+, Netscape 7.2+ and Mozilla 1.7.3+.

Building Zeroshell

Zeroshell is not based on an existing distribution, as Knoppix for example is based on Debian. The author compiled all the software of which the distribution is composed from the source code in tar.gz or tar.bz2 packages. The gcc compiler and the GNU glibc were compiled too and went through the so-called bootstrap phase, in which they recompiled themselves several times. This was necessary to optimize the compiler and to remove every dependency on the glibc of the system on which the first compilation took place. Some of the initialization scripts, as well as the guidelines followed by the author, are those of Linux From Scratch.

List of Open Source components

· linux for Linux Kernel;
· httpd Apache for the administration web interface;
· krb5 MIT for the Kerberos 5 authentication server;
· openldap for LDAP Server;
· ypserv for NIS Server (YP);
· openssl for SSL/TLS Tunnel and CA management;
· freeradius for RADIUS server + EAP-TLS and PEAP (802.1x);
· iptables for Firewall Packet Filter and Stateful Packet Inspection (SPI), NAT and Port Forwarding (PAT);
· openvpn for lan-to-lan ethernet VPN with VLAN 802.1Q support;
· bind for DNS Server;
· Stig Venaas' LDAP sdb driver, to use an LDAP backend for the bind DNS server with the dNSZone schema;
· dhcp for DHCP Server;
· IPP2P iptables module for the peer-to-peer file sharing classification;
· rp-pppoe for PPPoE Client for ADSL connection;
· vconfig for Tagged VLAN 802.1Q;
· bridge-utils for Bridging 802.1d with STP;
· ppp for Point to point IP connections used for the PPPoE and PPTP protocol;
· quagga for RIP protocol version 2 used for dynamic routing management;
· ntp for NTP client and server for system clock synchronization;
· sysklogd for Syslog server for the acquisition and cataloguing of local and remote logs via syslog protocol;
· arpwatch for Monitoring of ARP events such as duplication of IP addresses, flip flops and other faults;
· libpcap for Packet Capture libraries used by arpwatch;
· lzo for Real-time compression in lan-to-lan VPNs;
· wget for guaranteeing automatic updating with the patches found on http://www.zeroshell.net/updates;
· pciutils for recognition of the brand and model of the Ethernet cards on PCI bus;
· ethtool for recognition of the status of the physical link on Ethernet connections;
· e2fsprogs for management of ext2 and ext3 filesystems;
· reiserfsprogs for management of ReiserFS filesystems;
· dosfstools for management of FAT and FAT32 (DOS and Windows) filesystems;
· parted for partition management. In particular partprobe allows viewing new partitions without rebooting;
· udev for automatic device management on hotplug of USB disks;
· sudo for increasing security by running Apache as an unprivileged process and raising privileges only when strictly necessary;
· Linux-PAM for PAM (Pluggable Authentication Modules).
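The ARP monitoring listed in the features (arpwatch on top of libpcap in the component list) reduces to a small state machine over ARP replies. The following is an added example of that logic, written for this page rather than taken from arpwatch or Zeroshell: it reports a "new station" the first time an IP address appears, a "changed ethernet address" when the address answers from a different MAC (which is how a duplicated IP address shows up), and a "flip flop" when the address swings back to the MAC it had just before, the pattern produced when an ARP-spoofing man-in-the-middle contends with the real host. The ARP replies are constructed sample data, not captured traffic.

```python
"""Added example: arpwatch-style ARP monitoring over a stream of ARP replies.

Report wording follows arpwatch's classic messages; the detection logic is this
example's own and the SAMPLE replies below are constructed, not captured.
"""
from collections import namedtuple

# ts: seconds since start, ip: sender protocol address, mac: sender hardware address
ArpReply = namedtuple("ArpReply", "ts ip mac")


class ArpMonitor:
    def __init__(self):
        self.current = {}    # ip -> MAC currently bound to it
        self.previous = {}   # ip -> MAC it was bound to before the current one

    def observe(self, reply):
        """Return (kind, ip, new_mac, old_mac) when something is worth reporting, else None."""
        ip, mac = reply.ip, reply.mac.lower()
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            return ("new station", ip, mac, None)
        if old == mac:
            return None                      # steady state, nothing to report
        # The IP now answers from a different MAC. If that MAC is the one it had just before,
        # two hosts are alternately claiming the address: arpwatch calls this a flip flop.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.current[ip] = mac
        return (kind, ip, mac, old)


def run(monitor, replies):
    """Feed replies in order; collect (ts, kind, ip, new_mac, old_mac) alerts."""
    alerts = []
    for r in replies:
        a = monitor.observe(r)
        if a is not None:
            alerts.append((r.ts,) + a)
    return alerts


def format_alert(alert):
    ts, kind, ip, mac, old = alert
    line = f"{ts} {kind}: {ip} {mac}"
    return line + (f" (was {old})" if old else "")


# Constructed sample: the gateway 192.168.1.1 legitimately lives at 00:1a:2b:3c:4d:5e; at t=60 a
# second host (08:00:27:de:ad:01) starts answering for it and the two alternate from then on.
SAMPLE = [
    ArpReply(0, "192.168.1.1", "00:1A:2B:3C:4D:5E"),    # upper-case: normalized on the way in
    ArpReply(1, "192.168.1.50", "00:aa:bb:cc:dd:01"),
    ArpReply(30, "192.168.1.1", "00:1a:2b:3c:4d:5e"),
    ArpReply(60, "192.168.1.1", "08:00:27:de:ad:01"),
    ArpReply(61, "192.168.1.1", "00:1a:2b:3c:4d:5e"),
    ArpReply(62, "192.168.1.1", "08:00:27:de:ad:01"),
    ArpReply(90, "192.168.1.50", "00:aa:bb:cc:dd:01"),
]


def sample_alerts():
    return run(ArpMonitor(), SAMPLE)


if __name__ == "__main__":
    for a in sample_alerts():
        print(format_alert(a))
```

On a real LAN the gateway's IP changing MAC is the single most important alert this produces; repeated flip flops on that address mean two machines are fighting over it, which is exactly what an ARP-poisoning interception looks like from the monitor's point of view.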

last updated on:
August 8th, 2013, 7:18 GMT
price:
FREE!
developed by:
Fulvio Ricciardi
homepage:
www.zeroshell.net
license type:
GPL (GNU General Public License) 
category:
ROOT \ Linux Distributions
