Difference between revisions of "Isengard Setup Process"

From CSLabsWiki
(Rebuilt)
m (added nmap)
Line 15: Line 15:
 
***From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
 
***From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
   
*<code>yum install yum-fastestmirror vim-enhanced gcc emacs-nox</code>
+
*<code>yum install yum-fastestmirror vim-enhanced gcc emacs-nox nmap</code>
 
*<code>yum update</code>
 
*<code>yum update</code>
   

Revision as of 12:35, 6 April 2009

This page summarizes how the virtual machine Isengard was set up in Spring 2009.

Install

  • Installed CentOS 5.3 x64.
    • Partition Scheme
      • 2.9 GB /
      • 100 MB /home
      • 1.5 GB /var
      • 512 MB swap

Configuration

Updated VM

  • yum install yum-fastestmirror vim-enhanced gcc emacs-nox nmap
  • yum update

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=isengard.cslabs.clarkson.edu
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=none
BROADCAST=128.153.145.255
HWADDR=00:16:3E:34:64:A6
IPADDR=128.153.145.12
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Xen Virtual Ethernet
DEVICE=eth1
BOOTPROTO=none
BROADCAST=10.0.1.255
HWADDR=00:16:3E:1C:FE:21
IPADDR=10.0.1.5
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
TYPE=Ethernet
  • Verified eth2 configuration for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Xen Virtual Ethernet
DEVICE=eth2
BOOTPROTO=none
BROADCAST=10.0.0.255
HWADDR=00:16:3e:10:25:3f
IPADDR=10.0.0.20
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6
128.153.145.12  isengard.cslabs.clarkson.edu isengard.cslabs isengard
10.0.1.5        isengard.sr.cslabs.clarkson.edu isengard.sr.cslabs isengard.sr
10.0.0.20       isengard.int.cslabs.clarkson.edu isengard.int.cslabs isengard.int

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu
nameserver 128.153.145.2
nameserver 128.153.0.254
nameserver 128.153.5.254

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.

-A INPUT -p udp -m udp --dport 22 -j ACCEPT

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
   _                               __
  (_)__ ___ ___  ___ ____ ________/ /
 / (_-</ -_) _ \/ _ `/ _ `/ __/ _  /
/_/___/\__/_//_/\_, /\_,_/_/  \_,_/
               /___/

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Modified Root's Crontab

  • crontab -e
# Used to update locate database
0 * * * * /usr/bin/updatedb

Installed DenyHosts

  • Installed DenyHosts
    • yum install denyhosts
  • Configured DenyHosts /etc/denyhosts/denyhosts.cfg
SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.deny

PURGE_DENY =

BLOCK_SERVICE  = sshd

DENY_THRESHOLD_INVALID = 5

DENY_THRESHOLD_VALID = 10

DENY_THRESHOLD_ROOT = 1

DENY_THRESHOLD_RESTRICTED = 1

WORK_DIR = /usr/share/denyhosts/data

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=YES

LOCK_FILE = /var/lock/subsys/denyhosts

ADMIN_EMAIL = mccarrms@gmail.com

SMTP_HOST = localhost
SMTP_PORT = 25

SMTP_FROM = DenyHosts <nobody@isengard.cslabs.clarkson.edu>

SMTP_SUBJECT = DenyHosts Report

AGE_RESET_VALID=5d

AGE_RESET_RESTRICTED=25d

AGE_RESET_INVALID=10d

DAEMON_LOG = /var/log/denyhosts

DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

SYNC_INTERVAL = 1h

SYNC_UPLOAD = yes

SYNC_DOWNLOAD = yes

SYNC_DOWNLOAD_THRESHOLD = 3

SYNC_DOWNLOAD_RESILIENCY = 5h
  • Configured DenyHosts to start on boot
    • /sbin/chkconfig --levels 2345 denyhosts on