Difference between revisions of "Dns1 Setup Process"

From CSLabsWiki
m (Created Configs)
m (Created Zone Files)
Line 735: Line 735:
 
<code><pre>
 
<code><pre>
 
$ORIGIN cslabs.clarkson.edu.
 
$ORIGIN cslabs.clarkson.edu.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010021502 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
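Review bot: the SOA retune in this hunk reaches dns2 only because the serial also moves (2010021502 to 2010030904); changed timers on their own never trigger a transfer, so any later edit to timers or records needs its own bump. With `notify yes` in named.conf the secondary is told at once, and the new refresh 900 / expire 1209600 pair means dns2 polls every 15 minutes and keeps serving the zone for two weeks if dns1 is unreachable. The old `minimum TTL of 1 hour` comment described the last field wrongly: since RFC 2308 it is the negative-caching TTL, so the replacement `1800 ; minimum (30 minutes)` is the accurate reading and record TTLs come from `$TTL 3600`.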
Line 836: Line 836:
 
<code><pre>
 
<code><pre>
 
$ORIGIN dev.cslabs.clarkson.edu.
 
$ORIGIN dev.cslabs.clarkson.edu.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
dev.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
dev.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010020701 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
Line 860: Line 860:
 
<code><pre>
 
<code><pre>
 
$ORIGIN 145.153.128.in-addr.arpa.
 
$ORIGIN 145.153.128.in-addr.arpa.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
@ IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
@ IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010020201 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
Line 957: Line 957:
 
<code><pre>
 
<code><pre>
 
$ORIGIN int.cslabs.clarkson.edu.
 
$ORIGIN int.cslabs.clarkson.edu.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
int.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
int.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010020701 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
Line 994: Line 994:
 
<code><pre>
 
<code><pre>
 
$ORIGIN 0.0.10.in-addr.arpa.
 
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
@ IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
@ IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010020701 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
Line 1,031: Line 1,031:
 
<code><pre>
 
<code><pre>
 
$ORIGIN sr.cslabs.clarkson.edu.
 
$ORIGIN sr.cslabs.clarkson.edu.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
sr.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
sr.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010020701 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
Line 1,063: Line 1,063:
 
<code><pre>
 
<code><pre>
 
$ORIGIN 1.0.10.in-addr.arpa.
 
$ORIGIN 1.0.10.in-addr.arpa.
$TTL 10800 ; 3 hours
+
$TTL 3600 ; 1 hour
 
@ IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
 
@ IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
2010020701 ; serial
+
2010030904 ; serial
1800 ; refresh after 30 minutes
+
900 ; refresh (15 minutes)
300 ; retry after 5 minutes
+
600 ; retry (10 minutes)
604800 ; expire after 1 week
+
1209600 ; expire (2 weeks)
3600 ; minimum TTL of 1 hour
+
1800 ; minimum (30 minutes)
 
)
 
)
 
;
 
;
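Review bot: the same serial 2010030904 is written into all seven zones in this and the preceding hunks. That is harmless because a secondary compares serials per zone, but it makes a slip easy: a zone edited later without its own bump looks unchanged to dns2 and is never transferred even though the file on dns1 differs. Keeping the YYYYMMDDnn convention per zone (at most 99 edits a day) and checking each file with named-checkzone before reloading avoids that.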

Revision as of 17:08, 9 March 2010

This page summarizes how the virtual machine Dns1 was set up in Spring 2010.

Install

  • Installed CentOS 5.4 x64.
    • Partition Scheme
      • 3 GB /
      • 1.5 GB /var
      • 512 MB swap

Configuration

Updated System

  • Configured Yum Priorities and pointed yum at our local mirror
    • Edited /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
    • Edited /etc/yum.repos.d/rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
priority=15
    • Edited /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
    • Edited /etc/yum.repos.d/epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
  • Disabled Yum FastestMirror since we are using a local mirror
    • sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
  • Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
    • yum install yum-priorities
  • Configured Yum Priorities to check for obsoletes
    • echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
  • yum install vim-enhanced gcc emacs-nox screen
  • yum update

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%admins ALL=(root) ALL, !SHELLS

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=dns1
GATEWAY=128.153.145.1
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:16:36:15:A4:3D
IPADDR=128.153.145.3
NETMASK=255.255.255.0
ONBOOT=yes

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain   localhost
128.153.145.3  dns1.cslabs.clarkson.edu dns1.cslabs dns1
  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Disabled IPv6

  • Appended the following to /etc/modprobe.conf
install ipv6 /bin/true
  • Disabled the IPv6 firewall
    • /sbin/chkconfig ip6tables off

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following two rules are needed.

-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
     __        ___
 ___/ /__  ___<  /
/ _  / _ \(_-</ / 
\_,_/_//_/___/_/  
                  

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Configured Aliases

  • Edited /etc/aliases
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     logwatch@cslabs.clarkson.edu

# General redirections for pseudo accounts.
bin:            logwatch@cslabs.clarkson.edu
daemon:         logwatch@cslabs.clarkson.edu
adm:            logwatch@cslabs.clarkson.edu
lp:             logwatch@cslabs.clarkson.edu
sync:           logwatch@cslabs.clarkson.edu
shutdown:       logwatch@cslabs.clarkson.edu
halt:           logwatch@cslabs.clarkson.edu
mail:           logwatch@cslabs.clarkson.edu
news:           logwatch@cslabs.clarkson.edu
uucp:           logwatch@cslabs.clarkson.edu
operator:       logwatch@cslabs.clarkson.edu
games:          logwatch@cslabs.clarkson.edu
gopher:         logwatch@cslabs.clarkson.edu
ftp:            logwatch@cslabs.clarkson.edu
nobody:         logwatch@cslabs.clarkson.edu
radiusd:        logwatch@cslabs.clarkson.edu
nut:            logwatch@cslabs.clarkson.edu
dbus:           logwatch@cslabs.clarkson.edu
vcsa:           logwatch@cslabs.clarkson.edu
canna:          logwatch@cslabs.clarkson.edu
wnn:            logwatch@cslabs.clarkson.edu
rpm:            logwatch@cslabs.clarkson.edu
nscd:           logwatch@cslabs.clarkson.edu
pcap:           logwatch@cslabs.clarkson.edu
apache:         logwatch@cslabs.clarkson.edu
webalizer:      logwatch@cslabs.clarkson.edu
dovecot:        logwatch@cslabs.clarkson.edu
fax:            logwatch@cslabs.clarkson.edu
quagga:         logwatch@cslabs.clarkson.edu
radvd:          logwatch@cslabs.clarkson.edu
pvm:            logwatch@cslabs.clarkson.edu
amanda:         logwatch@cslabs.clarkson.edu
privoxy:        logwatch@cslabs.clarkson.edu
ident:          logwatch@cslabs.clarkson.edu
named:          logwatch@cslabs.clarkson.edu
xfs:            logwatch@cslabs.clarkson.edu
gdm:            logwatch@cslabs.clarkson.edu
mailnull:       logwatch@cslabs.clarkson.edu
postgres:       logwatch@cslabs.clarkson.edu
sshd:           logwatch@cslabs.clarkson.edu
smmsp:          logwatch@cslabs.clarkson.edu
postfix:        logwatch@cslabs.clarkson.edu
netdump:        logwatch@cslabs.clarkson.edu
ldap:           logwatch@cslabs.clarkson.edu
squid:          logwatch@cslabs.clarkson.edu
ntp:            logwatch@cslabs.clarkson.edu
mysql:          logwatch@cslabs.clarkson.edu
desktop:        logwatch@cslabs.clarkson.edu
rpcuser:        logwatch@cslabs.clarkson.edu
rpc:            logwatch@cslabs.clarkson.edu
nfsnobody:      logwatch@cslabs.clarkson.edu

ingres:         logwatch@cslabs.clarkson.edu
system:         logwatch@cslabs.clarkson.edu
toor:           logwatch@cslabs.clarkson.edu
manager:        logwatch@cslabs.clarkson.edu
dumper:         logwatch@cslabs.clarkson.edu
abuse:          logwatch@cslabs.clarkson.edu

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp
www:            webmaster
webmaster:      logwatch@cslabs.clarkson.edu
noc:            logwatch@cslabs.clarkson.edu
security:       logwatch@cslabs.clarkson.edu
hostmaster:     logwatch@cslabs.clarkson.edu
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster


# trap decode to catch security attacks
decode:         logwatch@cslabs.clarkson.edu

# Person who should get roots's mail
root:           logwatch@cslabs.clarkson.edu
  • Updated aliases
    • /usr/bin/newaliases

Disabled Various Kernel Modules

  • Added the following to /etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true

Installed & Configured SNMP

  • Installed needed packages
yum install net-snmp ntp
  • Configured SNMP Daemon /etc/snmp/snmpd.conf
rocommunity     <passphrase>  127.0.0.1
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
  • Deployed ntp_check script
    • Copied over ntp_check to /usr/local/sbin/
    • chown root.root /usr/local/sbin/ntp_check
  • Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
  • Started daemon
/etc/init.d/snmpd start

Increased Detail of Logwatch Reports

  • Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf

Disabled Unneeded Services

chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop

Modified Cron Weekly Execution Time

This was done to reduce load spikes that produce Nagios alerts around 4:30 AM every Sunday. In the event that this VM gets moved off of righteous, this should be changed back to the default setting of 4:22 AM.

  • Modified the following line in /etc/crontab
22 5 * * 0 root run-parts /etc/cron.weekly

Installed BIND

Installed needed packages

yum install bind bind-chroot bind-libs bind-utils

Created Configs

  • Created /var/named/chroot/etc/named.conf
acl cslabs {
        128.153.144.0/23;
        128.153.146.176;
        127.0.0.1;
};

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        version "[secured]";
        forwarders { 128.153.0.254; 128.153.5.254; };
        notify yes;
};

include "/etc/rndc.key";
include "/etc/tsig.key";

controls {
        inet 127.0.0.1 allow { 127.0.0.1; }
        keys { "rndckey"; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view "internal" IN {
        match-clients           { cslabs; };
        recursion yes;

        include "/etc/cslabs-external.inc";

        include "/etc/cslabs-internal.inc";
};

view "external" IN {
        match-clients           { any; };
        recursion no;
        allow-query-cache { none; };

        include "/etc/cslabs-external.inc";
};
  • Created /var/named/chroot/etc/cslabs-external.inc
        zone "cslabs.clarkson.edu" IN {
                type master;
                file "cslabs.clarkson.edu.zone";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };

        zone "dev.cslabs.clarkson.edu" IN {
                type master;
                file "dev.cslabs.clarkson.edu.zone";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };

        zone "145.153.128.in-addr.arpa" IN {
                type master;
                file "145.153.128.in-addr.arpa";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };
  • Created /var/named/chroot/etc/cslabs-internal.inc
        zone "int.cslabs.clarkson.edu" IN {
                type master;
                file "int.cslabs.clarkson.edu.zone";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };

        zone "0.0.10.in-addr.arpa" IN {
                type master;
                file "0.0.10.in-addr.arpa";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };

        zone "sr.cslabs.clarkson.edu" IN {
                type master;
                file "sr.cslabs.clarkson.edu.zone";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };

        zone "1.0.10.in-addr.arpa" IN {
                type master;
                file "1.0.10.in-addr.arpa";
                allow-update { none; };
                allow-transfer { key TRANSFER; };
        };
  • Generated TSIG key and created config file
    • Generated key
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST tsig-key
    • Created /var/named/chroot/etc/tsig.key using the key present in /var/named/chroot/etc/Ktsig-key.*.private
key "TRANSFER" {
        algorithm       hmac-md5;
        secret          "";
};

server 128.153.145.4 {
        keys {
                TRANSFER;
        };
};
  • Fixed ownership and permissions on files
chown root.named cslabs-external.inc cslabs-internal.inc named.conf tsig.key
chmod o-rwx cslabs-external.inc cslabs-internal.inc named.conf
chmod 640 /var/named/chroot/etc/tsig.key
  • Fixed permissions on directory (Fixes an error I noticed in the logs. See this page for more details.)
chmod g+w /var/named/chroot/var/named
  • Created /etc/rndc.conf
options {
        default-key "rndckey";
        default-server 127.0.0.1;
        default-port 953;
};

server 127.0.0.1 {
        key     "rndckey";
};

include "/etc/rndc.key";

Created Zone Files

  • Created /var/named/chroot/var/named/cslabs.clarkson.edu.zone
$ORIGIN cslabs.clarkson.edu.
$TTL 3600       ; 1 hour
cslabs.clarkson.edu.    IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
                IN      NS      dns1.cslabs.clarkson.edu.
                IN      NS      dns2.cslabs.clarkson.edu.
;
                IN      MX      1       aspmx.l.google.com.
                IN      MX      5       alt1.aspmx.l.google.com.
                IN      MX      5       alt2.aspmx.l.google.com.
                IN      MX      10      aspmx2.googlemail.com.
                IN      MX      10      aspmx3.googlemail.com.
                IN      MX      10      aspmx4.googlemail.com.
                IN      MX      10      aspmx5.googlemail.com.
                IN      TXT     "v=spf1 include:aspmx.googlemail.com ~all"
;
                IN      A       128.153.145.15  ; This makes cslabs.clarkson.edu point to web1.
;
mail            IN      CNAME   ghs.google.com.
;
cusw1           IN      A       128.153.144.1
;
dns             IN      A       128.153.145.2
dns1            IN      A       128.153.145.3
dns2            IN      A       128.153.145.4
cusw4           IN      A       128.153.145.5
isengard        IN      A       128.153.145.12
web1            IN      A       128.153.145.15
rrs             IN      CNAME   web1
xen             IN      CNAME   web1
cosi            IN      CNAME   web1
planet          IN      CNAME   web1
kickstart       IN      CNAME   web1
admin           IN      CNAME   web1
netstat         IN      A       128.153.145.16
mysql           IN      A       128.153.145.17
kernelmirror    IN      A       128.153.145.18
mirror          IN      A       128.153.145.19
web2            IN      A       128.153.145.20
status          IN      CNAME   web2
lab-build       IN      CNAME   web2
vpn             IN      A       128.153.145.21
research-archive        IN      A       128.153.145.22
auth            IN      A       128.153.145.23
svn             IN      A       128.153.145.24
docs            IN      A       128.153.145.26
autoguilt       IN      A       128.153.145.27
dukr            IN      A       128.153.145.28
osp1            IN      A       128.153.145.31
osp2            IN      A       128.153.145.32
emeeting        IN      A       128.153.145.33
latex           IN      A       128.153.145.34
game            IN      A       128.153.145.36
tremulous       IN      CNAME   game
sunrack         IN      A       128.153.145.37
git             IN      A       128.153.145.39
storage         IN      A       128.153.145.40
xen1            IN      A       128.153.145.41
xen2            IN      A       128.153.145.42
xen3            IN      A       128.153.145.43
ds1             IN      A       128.153.145.45
ds2             IN      A       128.153.145.46
sms             IN      A       128.153.145.47
ssl-exploit     IN      A       128.153.145.69
generic-vm      IN      A       128.153.145.70
sambaserver     IN      A       128.153.145.85
groupscheduler  IN      A       128.153.145.94
print           IN      A       128.153.145.100
pepperjack      IN      A       128.153.145.103
barbados        IN      A       128.153.145.123
comm            IN      A       128.153.145.145
management      IN      A       128.153.145.200
hydrogen        IN      A       128.153.145.201
helium          IN      A       128.153.145.202
lithium         IN      A       128.153.145.203
beryllium       IN      A       128.153.145.204
nitrogen        IN      A       128.153.145.207
oxygen          IN      A       128.153.145.208
sodium          IN      A       128.153.145.211
magnesium       IN      A       128.153.145.212
aluminum        IN      A       128.153.145.213
silicon         IN      A       128.153.145.214
righteous       IN      A       128.153.145.215
animal          IN      A       128.153.145.216
monitor         IN      A       128.153.145.250
gde             IN      A       128.153.145.251
printer         IN      A       128.153.145.252
itlwebcam       IN      A       128.153.145.253
downtime        IN      A       128.153.145.254
;
plbackup1       IN      A       128.153.146.176
  • Created /var/named/chroot/var/named/dev.cslabs.clarkson.edu.zone
$ORIGIN dev.cslabs.clarkson.edu.
$TTL 3600       ; 1 hour
dev.cslabs.clarkson.edu.        IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
                IN      NS      dns1.cslabs.clarkson.edu.
                IN      NS      dns2.cslabs.clarkson.edu.
;
mirror          IN      A       128.153.145.44
netstat         IN      A       128.153.145.50
vpn             IN      A       128.153.145.51
dns1            IN      A       128.153.145.52
dns2            IN      A       128.153.145.53
ds1             IN      A       128.153.145.54
ds2             IN      A       128.153.145.55
  • Created /var/named/chroot/var/named/145.153.128.in-addr.arpa
$ORIGIN 145.153.128.in-addr.arpa.
$TTL 3600       ; 1 hour
@       IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
        IN      NS      dns1.cslabs.clarkson.edu.
        IN      NS      dns2.cslabs.clarkson.edu.
;
2       IN      PTR     dns.cslabs.clarkson.edu.
2       IN      PTR     dns.cosi.clarkson.edu.
3       IN      PTR     dns1.cslabs.clarkson.edu.
3       IN      PTR     dns1.cosi.clarkson.edu.
4       IN      PTR     dns2.cslabs.clarkson.edu.
4       IN      PTR     dns2.cosi.clarkson.edu.
5       IN      PTR     cusw4.cslabs.clarkson.edu.
10      IN      PTR     mail.cosi.clarkson.edu.
11      IN      PTR     cosi.clarkson.edu.
12      IN      PTR     isengard.cslabs.clarkson.edu.
13      IN      PTR     planet.cosi.clarkson.edu.
14      IN      PTR     xen.cosi.clarkson.edu.
15      IN      PTR     web1.cslabs.clarkson.edu.
16      IN      PTR     netstat.cslabs.clarkson.edu.
17      IN      PTR     mysql.cslabs.clarkson.edu.
18      IN      PTR     kernelmirror.cslabs.clarkson.edu.
18      IN      PTR     kernelmirror.clarkson.edu.
19      IN      PTR     mirror.cslabs.clarkson.edu.
19      IN      PTR     mirror.clarkson.edu.
20      IN      PTR     web2.cslabs.clarkson.edu.
21      IN      PTR     vpn.cslabs.clarkson.edu.
22      IN      PTR     research-archive.cslabs.clarkson.edu.
23      IN      PTR     auth.cslabs.clarkson.edu.
23      IN      PTR     auth.sclab.clarkson.edu.
24      IN      PTR     svn.cslabs.clarkson.edu.
26      IN      PTR     docs.cslabs.clarkson.edu.
26      IN      PTR     docs.cosi.clarkson.edu.
27      IN      PTR     autoguilt.cslabs.clarkson.edu.
28      IN      PTR     dukr.cslabs.clarkson.edu.
31      IN      PTR     osp1.cslabs.clarkson.edu.
32      IN      PTR     osp2.cslabs.clarkson.edu.
33      IN      PTR     emeeting.cslabs.clarkson.edu.
34      IN      PTR     latex.cslabs.clarkson.edu.
36      IN      PTR     game.cslabs.clarkson.edu.
36      IN      PTR     tremulous.cslabs.clarkson.edu.
37      IN      PTR     sunrack.cslabs.clarkson.edu.
39      IN      PTR     git.cslabs.clarkson.edu.
40      IN      PTR     storage.cslabs.clarkson.edu.
41      IN      PTR     xen1.cslabs.clarkson.edu.
42      IN      PTR     xen2.cslabs.clarkson.edu.
43      IN      PTR     xen3.cslabs.clarkson.edu.
44      IN      PTR     mirror.dev.cslabs.clarkson.edu.
45      IN      PTR     ds1.cslabs.clarkson.edu.
46      IN      PTR     ds2.cslabs.clarkson.edu.
47      IN      PTR     sms.cslabs.clarkson.edu.
50      IN      PTR     netstat.dev.cslabs.clarkson.edu.
51      IN      PTR     vpn.dev.cslabs.clarkson.edu.
52      IN      PTR     dns1.dev.cslabs.clarkson.edu.
53      IN      PTR     dns2.dev.cslabs.clarkson.edu.
54      IN      PTR     ds1.dev.cslabs.clarkson.edu.
55      IN      PTR     ds2.dev.cslabs.clarkson.edu.
69      IN      PTR     ssl-exploit.cslabs.clarkson.edu.
70      IN      PTR     generic-vm.cslabs.clarkson.edu.
85      IN      PTR     sambaserver.cslabs.clarkson.edu.
94      IN      PTR     groupscheduler.cslabs.clarkson.edu.
100     IN      PTR     print.cslabs.clarkson.edu.
103     IN      PTR     pepperjack.cslabs.clarkson.edu.
123     IN      PTR     barbados.cslabs.clarkson.edu.
145     IN      PTR     comm.cslabs.clarkson.edu.
200     IN      PTR     management.cslabs.clarkson.edu.
201     IN      PTR     hydrogen.cslabs.clarkson.edu.
202     IN      PTR     helium.cslabs.clarkson.edu.
203     IN      PTR     lithium.cslabs.clarkson.edu.
204     IN      PTR     beryllium.cslabs.clarkson.edu.
207     IN      PTR     nitrogen.cslabs.clarkson.edu.
208     IN      PTR     oxygen.cslabs.clarkson.edu.
211     IN      PTR     sodium.cslabs.clarkson.edu.
212     IN      PTR     magnesium.cslabs.clarkson.edu.
213     IN      PTR     aluminium.cslabs.clarkson.edu.
214     IN      PTR     silicon.cslabs.clarkson.edu.
215     IN      PTR     righteous.cslabs.clarkson.edu.
215     IN      PTR     righteous.cosi.clarkson.edu.
216     IN      PTR     animal.cslabs.clarkson.edu.
250     IN      PTR     monitor.cslabs.clarkson.edu.
250     IN      PTR     monitor.sclab.clarkson.edu.
251     IN      PTR     gde.cslabs.clarkson.edu.
252     IN      PTR     printer.cslabs.clarkson.edu.
253     IN      PTR     itlwebcam.cslabs.clarkson.edu.
254     IN      PTR     downtime.cslabs.clarkson.edu.
  • Created /var/named/chroot/var/named/int.cslabs.clarkson.edu.zone
$ORIGIN int.cslabs.clarkson.edu.
$TTL 3600       ; 1 hour
int.cslabs.clarkson.edu.        IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
                IN      NS      dns1.cslabs.clarkson.edu.
                IN      NS      dns2.cslabs.clarkson.edu.
;
insw1           IN      A       10.0.0.2
insw2           IN      A       10.0.0.3
bladecenter     IN      A       10.0.0.4
bcsw1           IN      A       10.0.0.5
bcsw2           IN      A       10.0.0.6
righteous       IN      A       10.0.0.10
unisys-manage   IN      A       10.0.0.11
mirror          IN      A       10.0.0.14
storage         IN      A       10.0.0.15
xen1            IN      A       10.0.0.16
xen2            IN      A       10.0.0.17
xen3            IN      A       10.0.0.18
isengard        IN      A       10.0.0.20
netstat         IN      A       10.0.0.21
ds1             IN      A       10.0.0.22
ds2             IN      A       10.0.0.23
vpndev          IN      A       10.0.0.35
ds1dev          IN      A       10.0.0.36
ds2dev          IN      A       10.0.0.37
pepperjack      IN      A       10.0.0.254
  • Created /var/named/chroot/var/named/0.0.10.in-addr.arpa
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 3600       ; 1 hour
@       IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
        IN      NS      dns1.cslabs.clarkson.edu.
        IN      NS      dns2.cslabs.clarkson.edu.
;
2       IN      PTR     insw1.int.cslabs.clarkson.edu.
3       IN      PTR     insw2.int.cslabs.clarkson.edu.
4       IN      PTR     bladecenter.int.cslabs.clarkson.edu.
5       IN      PTR     bcsw1.int.cslabs.clarkson.edu.
6       IN      PTR     bcsw2.int.cslabs.clarkson.edu.
10      IN      PTR     righteous.int.cslabs.clarkson.edu.
11      IN      PTR     unisys-manage.int.cslabs.clarkson.edu.
14      IN      PTR     mirror.int.cslabs.clarkson.edu.
15      IN      PTR     storage.int.cslabs.clarkson.edu.
16      IN      PTR     xen1.int.cslabs.clarkson.edu.
17      IN      PTR     xen2.int.cslabs.clarkson.edu.
18      IN      PTR     xen3.int.cslabs.clarkson.edu.
20      IN      PTR     isengard.int.cslabs.clarkson.edu.
21      IN      PTR     netstat.int.cslabs.clarkson.edu.
22      IN      PTR     ds1.int.cslabs.clarkson.edu.
23      IN      PTR     ds2.int.cslabs.clarkson.edu.
35      IN      PTR     vpndev.int.cslabs.clarkson.edu.
36      IN      PTR     ds1dev.int.cslabs.clarkson.edu.
37      IN      PTR     ds2dev.int.cslabs.clarkson.edu.
254     IN      PTR     pepperjack.int.cslabs.clarkson.edu.
  • Created /var/named/chroot/var/named/sr.cslabs.clarkson.edu.zone
$ORIGIN sr.cslabs.clarkson.edu.
$TTL 3600       ; 1 hour
sr.cslabs.clarkson.edu. IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
                IN      NS      dns1.cslabs.clarkson.edu.
                IN      NS      dns2.cslabs.clarkson.edu.
;
isengard        IN      A       10.0.1.5
animal          IN      A       10.0.1.25
righteous       IN      A       10.0.1.33
storage         IN      A       10.0.1.35
mirror          IN      A       10.0.1.36
xen1            IN      A       10.0.1.37
xen2            IN      A       10.0.1.38
xen3            IN      A       10.0.1.39
ds1             IN      A       10.0.1.50
ds2             IN      A       10.0.1.51
netstat         IN      A       10.0.1.55
auth            IN      A       10.0.1.59
management      IN      A       10.0.1.65
ds1dev          IN      A       10.0.1.200
ds2dev          IN      A       10.0.1.201
  • Created /var/named/chroot/var/named/1.0.10.in-addr.arpa
$ORIGIN 1.0.10.in-addr.arpa.
$TTL 3600       ; 1 hour
@       IN      SOA     dns1.cslabs.clarkson.edu.       admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900             ; refresh (15 minutes)
                        600             ; retry (10 minutes)
                        1209600         ; expire (2 weeks)
                        1800            ; minimum (30 minutes)
                        )
;
        IN      NS      dns1.cslabs.clarkson.edu.
        IN      NS      dns2.cslabs.clarkson.edu.
;
5       IN      PTR     isengard.sr.cslabs.clarkson.edu.
25      IN      PTR     animal.sr.cslabs.clarkson.edu.
33      IN      PTR     righteous.sr.cslabs.clarkson.edu.
35      IN      PTR     storage.sr.cslabs.clarkson.edu.
36      IN      PTR     mirror.sr.cslabs.clarkson.edu.
37      IN      PTR     xen1.sr.cslabs.clarkson.edu.
38      IN      PTR     xen2.sr.cslabs.clarkson.edu.
39      IN      PTR     xen3.sr.cslabs.clarkson.edu.
50      IN      PTR     ds1.sr.cslabs.clarkson.edu.
51      IN      PTR     ds2.sr.cslabs.clarkson.edu.
55      IN      PTR     netstat.sr.cslabs.clarkson.edu.
59      IN      PTR     auth.sr.cslabs.clarkson.edu.
65      IN      PTR     management.sr.cslabs.clarkson.edu.
200     IN      PTR     ds1dev.sr.cslabs.clarkson.edu.
201     IN      PTR     ds2dev.sr.cslabs.clarkson.edu.
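The forward zones and their in-addr.arpa counterparts above are maintained by hand, so A and PTR records drift apart over time: a host gets an A record with no PTR, a PTR outlives the host it named, or a record is pasted in twice. As an added example that is not part of the original wiki page, the Python script below parses a forward zone and its reverse zone in the format used above and reports the three kinds of drift. The two zones embedded in it are constructed, abridged from the int.cslabs.clarkson.edu and 0.0.10.in-addr.arpa zones, with one PTR deliberately left out, one stale PTR added and one PTR duplicated so the checker has something to report.

```python
import ipaddress

# Constructed sample input, abridged from the int.cslabs.clarkson.edu and
# 0.0.10.in-addr.arpa zones on this page: pepperjack has no PTR, the PTR
# for .20 has no matching A record, and the PTR for .16 is listed twice.
FORWARD_ZONE = """\
$ORIGIN int.cslabs.clarkson.edu.
$TTL 3600       ; 1 hour
int.cslabs.clarkson.edu. IN SOA dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
                        2010030904      ; serial
                        900 600 1209600 ; refresh retry expire
                        1800 )          ; minimum (30 minutes)
;
                IN      NS      dns1.cslabs.clarkson.edu.
                IN      NS      dns2.cslabs.clarkson.edu.
insw1           IN      A       10.0.0.2
insw2           IN      A       10.0.0.3
xen1            IN      A       10.0.0.16
pepperjack      IN      A       10.0.0.254
"""

REVERSE_ZONE = """\
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 3600
@       IN      SOA     dns1.cslabs.clarkson.edu. admin.cslabs.clarkson.edu. (
                        2010030904 900 600 1209600 1800 )
        IN      NS      dns1.cslabs.clarkson.edu.
2       IN      PTR     insw1.int.cslabs.clarkson.edu.
3       IN      PTR     insw2.int.cslabs.clarkson.edu.
16      IN      PTR     xen1.int.cslabs.clarkson.edu.
16      IN      PTR     xen1.int.cslabs.clarkson.edu.
20      IN      PTR     isengard.int.cslabs.clarkson.edu.
"""


def _logical_lines(text):
    """Strip ';' comments and join records that continue inside ( ... )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()   # comments go before paren counting
        if depth == 0 and not line.strip():
            continue
        buf.append(line)
        depth += line.count('(') - line.count(')')
        if depth == 0:
            out.append(' '.join(buf))           # keeps the first line's leading blanks
            buf = []
    return out


def _qualify(name, origin):
    if name == '@':
        return origin
    return name if name.endswith('.') else f'{name}.{origin}'


def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata_tokens), ...]) for a BIND-style zone.
    Handles $ORIGIN/$TTL, '@' and blank owners, relative names and optional
    TTL/class fields; it is a checker for files like the ones above, not a
    full RFC 1035 parser."""
    origin, last_owner, records = None, None, []
    for line in _logical_lines(text):
        blank_owner = line[0].isspace()        # blank owner = repeat previous owner
        tokens = line.replace('(', ' ').replace(')', ' ').split()
        if tokens[0].startswith('$'):
            if tokens[0] == '$ORIGIN':
                origin = tokens[1]
            continue
        owner = last_owner if blank_owner else _qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == 'IN' or tokens[0].isdigit()):
            tokens.pop(0)                      # optional TTL and class
        if not tokens:
            continue
        last_owner = owner
        records.append((owner, tokens[0].upper(), tuple(tokens[1:])))
    return origin, records


def _ptr_owner_to_ip(owner):
    """'2.0.0.10.in-addr.arpa.' -> '10.0.0.2'; None for anything else."""
    labels = owner.lower().rstrip('.').split('.')
    if len(labels) != 6 or labels[-2:] != ['in-addr', 'arpa']:
        return None
    return '.'.join(reversed(labels[:-2]))


def check_consistency(forward_text, reverse_text):
    """Cross-check A records against PTR records. Returns a dict with
    'missing_ptr' [(ip, name)], 'stale_ptr' [(ip, name)] and 'duplicate'
    [(owner, rtype, rdata)] lists, each sorted for stable reporting."""
    _, fwd = parse_zone(forward_text)
    _, rev = parse_zone(reverse_text)
    a_map, ptr_map = {}, {}
    for owner, rtype, rdata in fwd:
        if rtype == 'A':
            a_map.setdefault(rdata[0], set()).add(owner.lower())
    for owner, rtype, rdata in rev:
        ip = _ptr_owner_to_ip(owner) if rtype == 'PTR' else None
        if ip:
            ptr_map.setdefault(ip, set()).add(rdata[0].lower())

    def by_ip(t):
        return ipaddress.ip_address(t[0]), t[1]

    missing = sorted(((ip, n) for ip, names in a_map.items()
                      for n in names if n not in ptr_map.get(ip, ())), key=by_ip)
    stale = sorted(((ip, n) for ip, names in ptr_map.items()
                    for n in names if n not in a_map.get(ip, ())), key=by_ip)
    seen, dups = set(), []
    for rec in fwd + rev:                      # exact repeats of a full record
        if rec in seen:
            dups.append(rec)
        seen.add(rec)
    return {'missing_ptr': missing, 'stale_ptr': stale, 'duplicate': dups}


if __name__ == '__main__':
    for kind, findings in check_consistency(FORWARD_ZONE, REVERSE_ZONE).items():
        for finding in findings:
            print(f'{kind}: {finding}')
```

Run against the real files by reading the forward and reverse zone from /var/named/chroot/var/named/ in place of the two embedded strings; the checker only needs a forward zone and the reverse zone covering its addresses, and a name that legitimately has several PTRs (as several addresses above do) is reported only if one of those names has no A record behind it.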
  • Fixed ownership of files
chown root.named /var/named/chroot/var/named/*.zone /var/named/chroot/var/named/*.arpa
  • Created symlinks to zone files
ln -s /var/named/chroot/var/named/*.arpa /var/named/
ln -s /var/named/chroot/var/named/*.zone /var/named/
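The chown step above sets owner root and group named on the zone files; with the usual 640/644 modes that leaves named able to read but not rewrite its own master zones, which is the property worth checking again after every edit (a later `cp` or editor save can silently widen the mode). The symlinks into the chroot also go stale whenever a zone file is renamed. The Python function below, an added example rather than anything from the wiki page, audits a zone directory for group- or world-writable zone files and dangling symlinks; `demo()` builds a constructed temporary directory to run it against, and the real invocation is `audit_zone_files('/var/named/chroot/var/named')` or the same on /var/named for the links.

```python
import os
import stat
import tempfile

ZONE_SUFFIXES = ('.zone', '.arpa')   # the two naming conventions used on this page


def audit_zone_files(directory):
    """Return sorted (filename, problem) pairs for zone files in `directory`.

    Problems reported: 'group-writable' and 'world-writable' (the named group
    and everyone else should only read master zones) and 'dangling-symlink'
    (a link in /var/named whose target in the chroot no longer exists)."""
    problems = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(ZONE_SUFFIXES):
            continue
        path = os.path.join(directory, name)
        if os.path.islink(path) and not os.path.exists(path):
            problems.append((name, 'dangling-symlink'))
            continue
        mode = os.stat(path).st_mode          # follows a symlink to its target
        if mode & stat.S_IWGRP:
            problems.append((name, 'group-writable'))
        if mode & stat.S_IWOTH:
            problems.append((name, 'world-writable'))
    return problems


def demo():
    """Audit a constructed directory: one correct file, two too-open files,
    one dangling symlink and one non-zone file that must be ignored."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (('a.zone', 0o640), ('b.arpa', 0o664), ('c.zone', 0o666)):
            path = os.path.join(d, name)
            open(path, 'w').close()
            os.chmod(path, mode)              # explicit mode, independent of umask
        os.symlink(os.path.join(d, 'missing.zone'), os.path.join(d, 'd.zone'))
        open(os.path.join(d, 'README'), 'w').close()
        return audit_zone_files(d)


if __name__ == '__main__':
    for name, problem in demo():
        print(f'{name}: {problem}')
```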

Configured service

  • Configured named to start on boot
chkconfig --levels 345 named on
  • Started named
/etc/init.d/named start