Difference between revisions of "Isengard Setup Process"

From CSLabsWiki
m (Changed version.)
(Adding archive template to old pages)
 
(44 intermediate revisions by one other user not shown)
Line 1: Line 1:
  +
{{archived}}
This page summarizes how the virtual machine [[isengard]] was set up in April 2008.
 
   
This page also summarizes changes made to [[isengard]] during May 2008.
+
This page summarizes how the virtual machine [[Isengard]] was set up in Spring 2009.
   
 
==Install==
 
==Install==
*Installed CentOS 5.1 x64.
+
*Installed CentOS 5.3 x64.
 
**Partition Scheme
 
**Partition Scheme
***4.5 GB /
+
***2.9 GB /
  +
***100 MB /home
  +
***1.5 GB /var
 
***512 MB swap
 
***512 MB swap
   
 
==Configuration==
 
==Configuration==
===Configured Sudo===
+
===Updated System===
  +
*Added Extra Repositories
*<code>/usr/sbin/visudo</code>
 
  +
**RPMForge Yum Repository
  +
***<code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code>
  +
****From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
  +
**Fedora EPEL Yum Repository
  +
***<code>rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm</code>
  +
****From [http://download.fedora.redhat.com/pub/epel/5/x86_64/repoview/epel-release.html Fedora]
   
  +
*Configured Yum Priorities & to use our mirror
  +
**Edited <code>/etc/yum.repos.d/CentOS-Base.repo</code>
 
<code><pre>
 
<code><pre>
  +
# CentOS-Base.repo
## sudoers allows particular users to run various commands as
 
  +
#
## the root user, without needing the root password.
 
  +
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
##
 
## Examples are provided at the bottom of the file for collections
+
# The mirror system uses the connecting IP address of the client and the
  +
# update status of each mirror to pick mirrors that are updated to and
## of related commands, which can then be delegated out to particular
 
  +
# geographically close to the client. You should use this for CentOS updates
## users or groups.
 
  +
# unless you are manually picking other mirrors.
##
 
  +
#
## This file must be edited with the 'visudo' command.
 
  +
# If the mirrorlist= does not work for you, as a fall back you can try the
  +
# remarked out baseurl= line instead.
  +
#
  +
#
   
  +
[base]
## Host Aliases
 
  +
name=CentOS-$releasever - Base
## Groups of machines. You may prefer to use hostnames (perhap using
 
  +
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
## wildcards for entire domains) or IP addresses instead.
 
  +
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
# Host_Alias FILESERVERS = fs1, fs2
 
  +
gpgcheck=1
# Host_Alias MAILSERVERS = smtp, smtp2
 
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
priority=1
  +
exclude=nmap
   
  +
#released updates
## User Aliases
 
  +
[updates]
## These aren't often necessary, as you can use regular groups
 
  +
name=CentOS-$releasever - Updates
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
 
  +
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
## rather than USERALIAS
 
  +
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
User_Alias ADMINS = mccarrms,shephezj,lewisrj
 
  +
gpgcheck=1
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
priority=1
  +
exclude=nmap
   
  +
#packages used/produced in the build but not released
  +
[addons]
  +
name=CentOS-$releasever - Addons
  +
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
  +
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
  +
gpgcheck=1
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
priority=1
   
  +
#additional packages that may be useful
## Command Aliases
 
  +
[extras]
## These are groups of related commands...
 
  +
name=CentOS-$releasever - Extras
  +
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
  +
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
  +
gpgcheck=1
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
priority=1
  +
  +
#additional packages that extend functionality of existing packages
  +
[centosplus]
  +
name=CentOS-$releasever - Plus
  +
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
  +
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
  +
gpgcheck=1
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
priority=2
  +
  +
#contrib - packages by Centos Users
  +
[contrib]
  +
name=CentOS-$releasever - Contrib
  +
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
  +
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
  +
gpgcheck=1
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  +
priority=2
  +
</pre></code>
  +
  +
**Edited <code>/etc/yum.repos.d/rpmforge.repo</code>
  +
<code><pre>
  +
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
  +
# URL: http://rpmforge.net/
  +
[rpmforge]
  +
name = Red Hat Enterprise $releasever - RPMforge.net - dag
  +
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
  +
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
  +
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
  +
enabled = 1
  +
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
  +
gpgcheck = 1
  +
priority=15
  +
</pre></code>
  +
  +
**Edited <code>/etc/yum.repos.d/epel.repo</code>
  +
<code><pre>
  +
[epel]
  +
name=Extra Packages for Enterprise Linux 5 - $basearch
  +
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
  +
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
  +
failovermethod=priority
  +
enabled=1
  +
gpgcheck=1
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  +
priority=30
  +
  +
[epel-debuginfo]
  +
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
  +
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
  +
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
  +
failovermethod=priority
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  +
gpgcheck=1
  +
priority=30
  +
  +
[epel-source]
  +
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
  +
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
  +
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
  +
failovermethod=priority
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  +
gpgcheck=1
  +
priority=30
  +
</pre></code>
  +
  +
**Edited <code>/etc/yum.repos.d/epel-testing.repo</code>
  +
<code><pre>
  +
[epel-testing]
  +
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
  +
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
  +
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
  +
failovermethod=priority
  +
enabled=0
  +
gpgcheck=1
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  +
priority=40
  +
  +
[epel-testing-debuginfo]
  +
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
  +
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
  +
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
  +
failovermethod=priority
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  +
gpgcheck=1
  +
priority=40
  +
  +
[epel-testing-source]
  +
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
  +
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
  +
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
  +
failovermethod=priority
  +
enabled=0
  +
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
  +
gpgcheck=1
  +
priority=40
  +
</pre></code>
  +
  +
*Disabled Yum FastestMirror since using local mirror
  +
**<code>sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf</code>
  +
  +
*Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
  +
**<code>yum install yum-priorities</code>
  +
  +
*Configured Yum Priorities to check for obsoletes
  +
**<code>echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf</code>
  +
  +
*<code>yum install vim-enhanced gcc emacs-nox screen nmap expect pwgen dialog</code>
  +
*<code>yum update</code>
  +
  +
===Created User===
  +
*Created user mccarrms
  +
**<code>/usr/sbin/useradd -m mccarrms</code>
  +
*Set password for mccarrms
  +
**<code>passwd mccarrms</code>
  +
  +
===Configured Sudo===
  +
*<code>/usr/sbin/visudo</code>
  +
  +
<code><pre>
  +
## Sudoers allows particular users to run various commands as
  +
## the root user, without needing the root password.
   
 
## Networking
 
## Networking
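Review bot: the two repository release packages are installed straight from plain-HTTP URLs, <code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code> and <code>rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm</code>, and every later <code>gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag</code> and <code>RPM-GPG-KEY-EPEL</code> line trusts the key those same packages drop into place, so the <code>gpgcheck=1</code> on the third-party repos is anchored on an unauthenticated download. Fetch each release RPM to disk, import the vendor key from a source already trusted (the published Dag Wieers and EPEL key fingerprints), run <code>rpm --checksig</code> on the file, and only then install it. Two smaller points in the same region: <code>exclude=nmap</code> in [base] and [updates] deliberately routes nmap to the priority-15/30 third-party repos, so vendor security updates for nmap will never be applied and the reason should be recorded next to the line; and <code>yum install vim-enhanced gcc ...</code> puts a compiler on a host the rest of the page treats as hardened, which is normally left off unless a documented need exists. The partition scheme also gives /var only 1.5 GB while the page later enables DenyHosts, Logwatch at high detail, snmpd and sendmail aliases; a full /var stops logging and local mail, so either the sizing or a log-rotation note belongs here.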
Line 66: Line 228:
 
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
 
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
   
  +
## Users
# Defaults specification
 
  +
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel
   
#
 
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
 
# You have to run "ssh -t hostname sudo <cmd>".
 
#
 
 
Defaults requiretty
 
Defaults requiretty
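Review bot: <code>Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel</code> carries no argument restriction, and useradd accepts <code>-o -u 0</code> (a second uid-0 account) and <code>-G wheel</code> (which the <code>%wheel ALL=(ALL) ALL</code> rule below turns into full sudo), so anyone granted USERS is root-equivalent despite the narrower intent. Either pin the permitted arguments in the alias or document that %admins membership equals root. Keeping <code>Defaults requiretty</code> is right for the reason the comment gives, but note it also breaks non-interactive <code>ssh host sudo cmd</code> from scripts unless <code>-t</code> is used, so any monitoring or deployment tooling that relies on sudo over ssh needs that flag.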
   
Line 82: Line 241:
 
_XKB_CHARSET XAUTHORITY"
 
_XKB_CHARSET XAUTHORITY"
   
## Next comes the main part: which users can run what software on
 
## which machines (the sudoers file can be shared between multiple
 
## systems).
 
## Syntax:
 
##
 
## user MACHINE=COMMANDS
 
##
 
## The COMMANDS section may have other options added to it.
 
##
 
 
## Allow root to run any commands anywhere
 
## Allow root to run any commands anywhere
 
root ALL=(ALL) ALL
 
root ALL=(ALL) ALL
 
## Allow members of ADMINS to use sudo
 
ADMINS ALL=(root) ALL, !SHELLS
 
 
## Allows members of the 'sys' group to run networking, software,
 
## service management apps and more.
 
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
 
 
## Allows people in group wheel to run all commands
 
 
%wheel ALL=(ALL) ALL
 
%wheel ALL=(ALL) ALL
  +
%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root
 
## Same thing without a password
 
# %wheel ALL=(ALL) NOPASSWD: ALL
 
 
## Allows members of the users group to mount and unmount the
 
## cdrom as root
 
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
 
 
## Allows members of the users group to shutdown this system
 
# %users localhost=/sbin/shutdown -h now
 
 
</pre></code>
 
</pre></code>
 
===Created Admin User===
 
*Created user mccarrms
 
**<code>/usr/sbin/useradd -m mccarrms -s/bin/bash</code>
 
*Set password for mccarrms
 
**<code>passwd mccarrms</code>
 
   
 
===Configured Networks===
 
===Configured Networks===
 
*Configured hostname in <code>/etc/sysconfig/network</code>
 
*Configured hostname in <code>/etc/sysconfig/network</code>
 
 
<code><pre>
 
<code><pre>
 
NETWORKING=yes
 
NETWORKING=yes
NETWORKING_IPV6=yes
+
NETWORKING_IPV6=no
HOSTNAME=isengard.cslabs.clarkson.edu
+
HOSTNAME=isengard
 
</pre></code>
 
</pre></code>
   
*Configured eth0 for Clarkson Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code>
+
*Verified eth0 configuration for Clarkson Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code>
 
<code><pre>
 
<code><pre>
 
# Xen Virtual Ethernet
 
# Xen Virtual Ethernet
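Review bot: <code>ADMINS ALL=(root) ALL, !SHELLS</code> relies on a negated command list, and sudoers(5) is explicit that subtracting commands from ALL with <code>!</code> is not an effective restriction: an ADMINS member can run <code>sudo cp /bin/bash /tmp/x</code> and then <code>sudo /tmp/x</code>, or obtain a shell from any editor, pager or <code>find -exec</code> that the <code>ALL</code> grant allows. Treat ADMINS as full root or switch to an allow-list. The new <code>%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root</code> line follows the usual <code>passwd [A-Za-z]*, !passwd root</code> pattern, but because USERS includes an unrestricted useradd the root exclusion is moot for anyone who can create a uid-0 account (see the USERS alias in the hunk above); confirm with <code>sudo -l</code> as a test user that the glob parses as intended. The <code>HOSTNAME=isengard</code> change from the FQDN means <code>hostname -f</code> now depends entirely on the /etc/hosts entries added further down, so the two must stay in sync; the removed <code>useradd -m mccarrms -s/bin/bash</code> versus the new plain <code>useradd -m mccarrms</code> is not a regression, since /bin/bash is the CentOS default shell.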
Line 136: Line 261:
 
BOOTPROTO=none
 
BOOTPROTO=none
 
BROADCAST=128.153.145.255
 
BROADCAST=128.153.145.255
HWADDR=00:16:3E:31:D1:B7
+
HWADDR=00:16:3E:34:64:A6
 
IPADDR=128.153.145.12
 
IPADDR=128.153.145.12
IPV6_AUTOCONF=yes
 
 
NETMASK=255.255.255.0
 
NETMASK=255.255.255.0
 
NETWORK=128.153.145.0
 
NETWORK=128.153.145.0
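Review bot: the <code>HWADDR=00:16:3E:34:64:A6</code> pin (and the matching eth1 and eth2 changes in the two hunks below) ties each interface to a specific Xen vif MAC; the CentOS 5 ifup script refuses to bring up a device whose MAC differs from HWADDR, so if the domU config ever regenerates a MAC the interface silently stays down and, with <code>BOOTPROTO=none</code>, there is no fallback. Record the three MACs in the domU configuration alongside this page, or drop HWADDR and rely on vif ordering. Removing <code>IPV6_AUTOCONF=yes</code> here only stops initscripts from requesting autoconfiguration; the interface still receives a link-local address until the <code>install ipv6 /bin/true</code> modprobe rule further down is in effect, so the two changes belong together.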
Line 146: Line 270:
 
</pre></code>
 
</pre></code>
   
*Configured eth1 for the Server Room Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>
+
*Verified eth1 configuration for the Server Room Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>
 
<code><pre>
 
<code><pre>
 
# Xen Virtual Ethernet
 
# Xen Virtual Ethernet
Line 152: Line 276:
 
BOOTPROTO=none
 
BOOTPROTO=none
 
BROADCAST=10.0.1.255
 
BROADCAST=10.0.1.255
HWADDR=00:16:3E:04:C5:85
+
HWADDR=00:16:3E:1C:FE:21
 
IPADDR=10.0.1.5
 
IPADDR=10.0.1.5
IPV6_AUTOCONF=yes
 
 
NETMASK=255.255.255.0
 
NETMASK=255.255.255.0
 
NETWORK=10.0.1.0
 
NETWORK=10.0.1.0
Line 161: Line 284:
 
</pre></code>
 
</pre></code>
   
*Configured eth2 for the Internal Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth2</code>
+
*Verified eth2 configuration for the Internal Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth2</code>
 
<code><pre>
 
<code><pre>
 
# Xen Virtual Ethernet
 
# Xen Virtual Ethernet
Line 167: Line 290:
 
BOOTPROTO=none
 
BOOTPROTO=none
 
BROADCAST=10.0.0.255
 
BROADCAST=10.0.0.255
HWADDR=00:16:3E:74:85:C8
+
HWADDR=00:16:3e:10:25:3f
 
IPADDR=10.0.0.20
 
IPADDR=10.0.0.20
IPV6_AUTOCONF=yes
 
 
NETMASK=255.255.255.0
 
NETMASK=255.255.255.0
 
NETWORK=10.0.0.0
 
NETWORK=10.0.0.0
Line 176: Line 298:
 
</pre></code>
 
</pre></code>
   
===Updated System===
+
====Configured Hosts====
  +
*Edited <code>/etc/hosts</code>
*Installed all updates
 
**<code>yum update</code>
+
<code><pre>
  +
127.0.0.1 localhost.localdomain localhost
*Rebooted system due to new kernel
 
  +
128.153.145.12 isengard.cslabs.clarkson.edu isengard.cslabs isengard
**<code>/sbin/shutdown -r now</code>
 
  +
10.0.1.5 isengard.sr.cslabs.clarkson.edu isengard.sr.cslabs isengard.sr
  +
10.0.0.20 isengard.int.cslabs.clarkson.edu isengard.int.cslabs isengard.int
  +
</pre></code>
  +
  +
*Edited <code>/etc/hosts.allow</code>
  +
<code><pre>
  +
For security purposes, this information has been intentionally left off.
  +
</pre></code>
  +
  +
*Edited <code>/etc/hosts.deny</code>
  +
<code><pre>
  +
ALL: ALL
  +
</pre></code>
  +
  +
====Configured DNS Servers====
  +
*Edited <code>/etc/resolv.conf</code>
  +
<code><pre>
  +
search cslabs.clarkson.edu clarkson.edu
  +
nameserver 128.153.145.3
  +
nameserver 128.153.145.4
  +
</pre></code>
  +
  +
====Disabled IP v6====
  +
*Appended the following to <code>/etc/modprobe.conf</code>
  +
<code><pre>
  +
install ipv6 /bin/true
  +
</pre></code>
  +
*Disabled IP v6 firewall
  +
**<code>/sbin/chkconfig ip6tables off</code>
   
 
===Configured IPtables===
 
===Configured IPtables===
*Edited <code>/etc/sysconfig/iptables</code>
 
 
<code><pre>
 
<code><pre>
Due to the sensitivity of this material, this config file has been left off; however, ssh must be allowed.
+
Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.
  +
  +
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
 
</pre></code>
 
</pre></code>
*Restarted iptables
 
**<code>/etc/init.d/iptables restart</code>
 
   
 
===Configured SSH===
 
===Configured SSH===
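Review bot: the one firewall rule this hunk records, <code>-A INPUT -p udp -m udp --dport 22 -j ACCEPT</code>, does not admit SSH: sshd listens on TCP/22, so with the rest of the policy redacted this line as written would lock the administrator out after <code>/etc/init.d/iptables restart</code>. It should read <code>-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT</code> (the previous wording, "ssh must be allowed", was at least not wrong), and the restart should be done with a second session open. Two related points in the same region: <code>ALL: ALL</code> in hosts.deny with a redacted allow list is sound, but TCP wrappers only cover libwrap-aware daemons such as sshd, so iptables remains the primary control; and the removed <code>Rebooted system due to new kernel</code> / <code>/sbin/shutdown -r now</code> step has no replacement after the <code>yum update</code> added above, so on the 5.3 build the updated kernel is not running until someone reboots. The IPv6 disablement via <code>install ipv6 /bin/true</code> plus <code>chkconfig ip6tables off</code> is consistent; confirm with <code>lsmod | grep ipv6</code> after the next reboot, since the module is typically already loaded when modprobe.conf is edited.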
Line 198: Line 348:
 
**<code>/etc/init.d/sshd restart</code>
 
**<code>/etc/init.d/sshd restart</code>
   
===Set Up SSH Login Banner===
+
====Set Up SSH Login Banner====
 
*Edited <code>/etc/issue.net</code>
 
*Edited <code>/etc/issue.net</code>
 
<code><pre>
 
<code><pre>
Line 209: Line 359:
 
</pre></code>
 
</pre></code>
   
  +
===Configured Password Requirements===
===Set Up & Configured NTP===
 
  +
*Edited <code>/etc/login.defs</code>
*Installed NTP
 
**<code>yum install ntp</code>
+
<code><pre>
  +
MAIL_DIR /var/spool/mail
   
  +
PASS_MAX_DAYS 360
*Edited <code>/etc/ntp.conf</code>
 
  +
PASS_MIN_DAYS 0
  +
PASS_MIN_LEN 8
  +
PASS_WARN_AGE 60
  +
  +
UID_MIN 500
  +
UID_MAX 60000
  +
  +
GID_MIN 500
  +
GID_MAX 60000
  +
  +
CREATE_HOME yes
  +
  +
UMASK 077
  +
  +
USERGROUPS_ENAB yes
  +
  +
MD5_CRYPT_ENAB yes
  +
  +
ENCRYPT_METHOD MD5
  +
</pre></code>
  +
  +
===Added Custom PATH Variables===
  +
*Added the following to <code>/etc/profile</code>
 
<code><pre>
 
<code><pre>
  +
PATH=$PATH:/usr/sbin:/sbin
# Permit time synchronization with our time source, but do not
 
  +
export PATH
# permit the source to query or modify the service on this system.
 
  +
</pre></code>
restrict default kod nomodify notrap nopeer noquery
 
restrict -6 default kod nomodify notrap nopeer noquery
 
   
  +
===Configured Aliases===
# Permit all access over the loopback interface. This could
 
  +
*Edited <code>/etc/aliases</code>
# be tightened as well, but to do so would effect some of
 
  +
<code><pre>
# the administrative functions.
 
  +
#
restrict 127.0.0.1
 
  +
# Aliases in this file will NOT be expanded in the header from
restrict -6 ::1
 
  +
# Mail, but WILL be visible over networks or from /bin/mail.
  +
#
  +
# >>>>>>>>>> The program "newaliases" must be run after
  +
# >> NOTE >> this file is updated for any changes to
  +
# >>>>>>>>>> show through to sendmail.
  +
#
   
  +
# Basic system aliases -- these MUST be present.
# Hosts on local network are less restricted.
 
  +
mailer-daemon: postmaster
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
 
  +
postmaster: logwatch@cslabs.clarkson.edu
restrict tick.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
 
restrict tock.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
 
   
  +
# General redirections for pseudo accounts.
# Use public servers from the pool.ntp.org project.
 
  +
bin: logwatch@cslabs.clarkson.edu
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
 
  +
daemon: logwatch@cslabs.clarkson.edu
#server 0.rhel.pool.ntp.org
 
  +
adm: logwatch@cslabs.clarkson.edu
#server 1.rhel.pool.ntp.org
 
  +
lp: logwatch@cslabs.clarkson.edu
#server 2.rhel.pool.ntp.org
 
server tick.clarkson.edu
+
sync: logwatch@cslabs.clarkson.edu
server tock.clarkson.edu
+
shutdown: logwatch@cslabs.clarkson.edu
  +
halt: logwatch@cslabs.clarkson.edu
  +
mail: logwatch@cslabs.clarkson.edu
  +
news: logwatch@cslabs.clarkson.edu
  +
uucp: logwatch@cslabs.clarkson.edu
  +
operator: logwatch@cslabs.clarkson.edu
  +
games: logwatch@cslabs.clarkson.edu
  +
gopher: logwatch@cslabs.clarkson.edu
  +
ftp: logwatch@cslabs.clarkson.edu
  +
nobody: logwatch@cslabs.clarkson.edu
  +
radiusd: logwatch@cslabs.clarkson.edu
  +
nut: logwatch@cslabs.clarkson.edu
  +
dbus: logwatch@cslabs.clarkson.edu
  +
vcsa: logwatch@cslabs.clarkson.edu
  +
canna: logwatch@cslabs.clarkson.edu
  +
wnn: logwatch@cslabs.clarkson.edu
  +
rpm: logwatch@cslabs.clarkson.edu
  +
nscd: logwatch@cslabs.clarkson.edu
  +
pcap: logwatch@cslabs.clarkson.edu
  +
apache: logwatch@cslabs.clarkson.edu
  +
webalizer: logwatch@cslabs.clarkson.edu
  +
dovecot: logwatch@cslabs.clarkson.edu
  +
fax: logwatch@cslabs.clarkson.edu
  +
quagga: logwatch@cslabs.clarkson.edu
  +
radvd: logwatch@cslabs.clarkson.edu
  +
pvm: logwatch@cslabs.clarkson.edu
  +
amanda: logwatch@cslabs.clarkson.edu
  +
privoxy: logwatch@cslabs.clarkson.edu
  +
ident: logwatch@cslabs.clarkson.edu
  +
named: logwatch@cslabs.clarkson.edu
  +
xfs: logwatch@cslabs.clarkson.edu
  +
gdm: logwatch@cslabs.clarkson.edu
  +
mailnull: logwatch@cslabs.clarkson.edu
  +
postgres: logwatch@cslabs.clarkson.edu
  +
sshd: logwatch@cslabs.clarkson.edu
  +
smmsp: logwatch@cslabs.clarkson.edu
  +
postfix: logwatch@cslabs.clarkson.edu
  +
netdump: logwatch@cslabs.clarkson.edu
  +
ldap: logwatch@cslabs.clarkson.edu
  +
squid: logwatch@cslabs.clarkson.edu
  +
ntp: logwatch@cslabs.clarkson.edu
  +
mysql: logwatch@cslabs.clarkson.edu
  +
desktop: logwatch@cslabs.clarkson.edu
  +
rpcuser: logwatch@cslabs.clarkson.edu
  +
rpc: logwatch@cslabs.clarkson.edu
  +
nfsnobody: logwatch@cslabs.clarkson.edu
   
  +
ingres: logwatch@cslabs.clarkson.edu
#broadcast 192.168.1.255 key 42 # broadcast server
 
  +
system: logwatch@cslabs.clarkson.edu
#broadcastclient # broadcast client
 
  +
toor: logwatch@cslabs.clarkson.edu
#broadcast 224.0.1.1 key 42 # multicast server
 
  +
manager: logwatch@cslabs.clarkson.edu
#multicastclient 224.0.1.1 # multicast client
 
  +
dumper: logwatch@cslabs.clarkson.edu
#manycastserver 239.255.254.254 # manycast server
 
  +
abuse: logwatch@cslabs.clarkson.edu
#manycastclient 239.255.254.254 key 42 # manycast client
 
   
  +
newsadm: news
# Undisciplined Local Clock. This is a fake driver intended for backup
 
  +
newsadmin: news
# and when no outside source of synchronized time is available.
 
server 127.127.1.0 # local clock
+
usenet: news
  +
ftpadm: ftp
fudge 127.127.1.0 stratum 10
 
  +
ftpadmin: ftp
  +
ftp-adm: ftp
  +
ftp-admin: ftp
  +
www: webmaster
  +
webmaster: logwatch@cslabs.clarkson.edu
  +
noc: logwatch@cslabs.clarkson.edu
  +
security: logwatch@cslabs.clarkson.edu
  +
hostmaster: logwatch@cslabs.clarkson.edu
  +
info: postmaster
  +
marketing: postmaster
  +
sales: postmaster
  +
support: postmaster
   
# Drift file. Put this in a directory which the daemon can write to.
 
# No symbolic links allowed, either, since the daemon updates the file
 
# by creating a temporary in the same directory and then rename()'ing
 
# it to the file.
 
driftfile /var/lib/ntp/drift
 
   
  +
# trap decode to catch security attacks
# Key file containing the keys and key identifiers used when operating
 
  +
decode: logwatch@cslabs.clarkson.edu
# with symmetric key cryptography.
 
keys /etc/ntp/keys
 
   
  +
# Person who should get roots's mail
# Specify the key identifiers which are trusted.
 
  +
root: logwatch@cslabs.clarkson.edu
#trustedkey 4 8 42
 
  +
</pre></code>
   
  +
*Updated aliases
# Specify the key identifier to use with the ntpdc utility.
 
  +
**<code>/usr/bin/newaliases</code>
#requestkey 8
 
   
  +
===Disabled Various Kernel Modules===
# Specify the key identifier to use with the ntpq utility.
 
  +
*Added the following to <code>/etc/modprobe.conf</code>
#controlkey 8
 
  +
<code><pre>
  +
install pppox /bin/true
  +
install bluetooth /bin/true
  +
install sctp /bin/true
 
</pre></code>
 
</pre></code>
   
  +
===Installed & Configured SNMP===
*Edited <code>/etc/ntp/step-tickers</code>
 
  +
*Installed needed packages
 
<code><pre>
 
<code><pre>
  +
yum install net-snmp ntp
tick.clarkson.edu
 
tock.clarkson.edu
 
 
</pre></code>
 
</pre></code>
   
*Configured ntpd to start on boot
+
*Configured SNMP Daemon <code>/etc/snmp/snmpd.conf</code>
**<code>/sbin/chkconfig ntpd on</code>
+
<code><pre>
  +
rocommunity <passphrase> 127.0.0.1
  +
rocommunity <passphrase> <ipsallowed>
  +
  +
syslocation Clarkson University Applied CS Labs
  +
syscontact Matt McCarrell <mccarrms@gmail.com>
  +
disk /
  +
disk /var
  +
exec timeskew /usr/local/sbin/ntp_check
  +
exec uptime /usr/bin/uptime
  +
</pre></code>
   
  +
*Deployed <code>ntp_check</code> script
*Started ntpd immediately
 
**<code>/sbin/service ntpd start</code>
+
**Copied over <code>ntp_check</code> to /usr/local/sbin/
  +
**<code>chown root.root /usr/local/sbin/ntp_check</code>
   
===Configured DNS Servers===
+
*Configured SNMP to start at specific run levels
*Edited <code>/etc/resolv.conf</code>
 
 
<code><pre>
 
<code><pre>
  +
/sbin/chkconfig --levels 2345 snmpd on
search sr.cs.clarkson.edu
 
nameserver 10.0.1.1
 
nameserver 10.0.0.1
 
nameserver 128.153.128.2
 
nameserver 128.153.4.2
 
 
</pre></code>
 
</pre></code>
   
  +
*Started daemon
===Configured Hosts File===
 
*Edited <code>/etc/hosts</code>
 
 
<code><pre>
 
<code><pre>
  +
/etc/init.d/snmpd start
# Do not remove the following line, or various programs
 
# that require network functionality will fail.
 
127.0.0.1 localhost.localdomain localhost
 
::1 localhost6.localdomain6 localhost6
 
#Clarkson Network
 
128.153.145.2 dns.cslabs.clarkson.edu dns.cslabs dns
 
128.153.145.3 indns.cslabs.clarkson.edu indns.cslabs
 
128.153.145.4 srdns.cslabs.clarkson.edu srdns.cslabs
 
128.153.145.12 isengard.cslabs.clarkson.edu isengard.cslabs isengard
 
128.153.145.16 netstat.cslabs.clarkson.edu netstat.cslabs
 
128.153.145.100 itlad.cslabs.clarkson.edu itlad.cslabs
 
128.153.145.101 itlfs1.cslabs.clarkson.edu itlfs1.cslabs
 
128.153.145.102 itlfs2.cslabs.clarkson.edu itlfs2.cslabs
 
128.153.145.103 itlwsus.cslabs.clarkson.edu itlwsus.cslabs
 
128.153.145.201 hydrogen.cslabs.clarkson.edu hydrogen.cslabs
 
128.153.145.202 helium.cslabs.clarkson.edu helium.cslabs
 
128.153.145.203 lithium.cslabs.clarkson.edu lithium.cslabs
 
128.153.145.204 beryllium.cslabs.clarkson.edu beryllium.cslabs
 
128.153.145.205 boron.cslabs.clarkson.edu boron.cslabs
 
128.153.145.206 carbon.cslabs.clarkson.edu carbon.cslabs
 
128.153.145.207 nitrogen.cslabs.clarkson.edu nitrogen.cslabs
 
128.153.145.208 oxygen.cslabs.clarkson.edu oxygen.cslabs
 
128.153.145.209 fluorine.cslabs.clarkson.edu fluorine.cslabs
 
128.153.145.210 neon.cslabs.clarkson.edu neon.cslabs
 
128.153.145.211 sodium.cslabs.clarkson.edu sodium.cslabs
 
128.153.145.212 magnesium.cslabs.clarkson.edu magnesium.cslabs
 
128.153.145.213 aluminum.cslabs.clarkson.edu aluminum.cslabs
 
128.153.145.214 silicon.cslabs.clarkson.edu silicon.cslabs
 
128.153.145.215 righteous.cslabs.clarkson.edu righteous.cslabs
 
#Internal Network
 
10.0.0.1 indns.in.cs.clarkson.edu indns.in.cs indns.in indns
 
10.0.0.10 righteous.in.cs.clarkson.edu righteous.in.cs righteous.in
 
10.0.0.11 itlad.in.cs.clarkson.edu itlad.in.cs itlad.in itlad
 
10.0.0.12 itlfs1.in.cs.clarkson.edu itlfs1.in.cs itlfs1.in itlfs1
 
10.0.0.13 itlfs2.in.cs.clarkson.edu itlfs2.in.cs itlfs2.in itlfs2
 
10.0.0.14 itlwsus.in.cs.clarkson.edu itlwsus.in.cs itlwsus.in itlwsus
 
10.0.0.20 isengard.in.cs.clarkson.edu isengard.in.cs isengard.in
 
10.0.0.21 netstat.in.cs.clarkson.edu netstat.in.cs netstat.in
 
10.0.0.254 hadoop.in.cs.clarkson.edu hadoop.in.cs hadoop.in hadoop
 
#Server Room Network
 
10.0.1.1 srdns.sr.cs.clarkson.edu srdns.sr.cs srdns.sr srdns
 
10.0.1.2 animal.sr.cs.clarkson.edu animal.sr.cs animal.sr animal
 
10.0.1.5 isengard.sr.cs.clarkson.edu isengard.sr.cs isengard.sr
 
10.0.1.25 hydrogen.sr.cs.clarkson.edu hydrogen.sr.cs hydrogen.sr hydrogen
 
10.0.1.26 helium.sr.cs.clarkson.edu helium.sr.cs helium.sr helium
 
10.0.1.27 lithium.sr.cs.clarkson.edu lithium.sr.cs lithium.sr lithium
 
10.0.1.29 itlad.sr.cs.clarkson.edu itlad.sr.cs itlad.sr
 
10.0.1.30 itlfs1.sr.cs.clarkson.edu itlfs1.sr.cs itlfs1.sr
 
10.0.1.31 itlfs2.sr.cs.clarkson.edu itlfs2.sr.cs itlfs2.sr
 
10.0.1.32 itlwsus.sr.cs.clarkson.edu itlwsus.sr.cs itlwsus.sr
 
10.0.1.33 righteous.sr.cs.clarkson.edu righteous.sr.cs righteous.sr righteous
 
10.0.1.55 netstat.sr.cs.clarkson.edu netstat.sr.cs netstat.sr netstat
 
 
</pre></code>
 
</pre></code>
   
  +
===Increased Detail of Logwatch Reports===
===Set up DenyHosts ===
 
  +
*Set detail level to be high
*Installed denyhosts
 
**<code>yum install denyhosts</code>
 
*Configured denyhosts
 
 
<code><pre>
 
<code><pre>
  +
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf
############ THESE SETTINGS ARE REQUIRED ############
 
  +
</pre></code>
   
  +
===Disabled Unneeded Services===
########################################################################
 
  +
*Referenced [http://www.cyberciti.biz/faq/linux-default-services-which-are-enabled-at-boot/ this page]
#
 
# SECURE_LOG: the log file that contains sshd logging info
 
# if you are not sure, grep "sshd:" /var/log/*
 
#
 
# The file to process can be overridden with the --file command line
 
# argument
 
#
 
# Redhat or Fedora Core:
 
SECURE_LOG = /var/log/secure
 
#
 
# Mandrake, FreeBSD or OpenBSD:
 
#SECURE_LOG = /var/log/auth.log
 
#
 
# SuSE:
 
#SECURE_LOG = /var/log/messages
 
#
 
# Mac OS X (v10.4 or greater -
 
# also refer to: http://www.denyhosts.net/faq.html#macos
 
#SECURE_LOG = /private/var/log/asl.log
 
#
 
# Mac OS X (v10.3 or earlier):
 
#SECURE_LOG=/private/var/log/system.log
 
#
 
########################################################################
 
   
  +
<code><pre>
########################################################################
 
  +
chkconfig nfs off
#
 
  +
/etc/init.d/nfs stop
# HOSTS_DENY: the file which contains restricted host access information
 
  +
chkconfig nfslock off
#
 
  +
/etc/init.d/nfslock stop
# Most operating systems:
 
  +
chkconfig rpcgssd off
HOSTS_DENY = /etc/hosts.deny
 
  +
/etc/init.d/rpcgssd stop
#
 
  +
chkconfig rpcidmapd off
# Some BSD (FreeBSD) Unixes:
 
  +
/etc/init.d/rpcidmapd stop
#HOSTS_DENY = /etc/hosts.allow
 
  +
chkconfig rpcsvcgssd off
#
 
  +
/etc/init.d/rpcsvcgssd stop
# Another possibility (also see the next option):
 
  +
chkconfig portmap off
#HOSTS_DENY = /etc/hosts.evil
 
  +
/etc/init.d/portmap stop
#######################################################################
 
  +
chkconfig netfs off
  +
/etc/init.d/netfs stop
  +
chkconfig anacron off
  +
/etc/init.d/anacron stop
  +
chkconfig autofs off
  +
/etc/init.d/autofs stop
  +
chkconfig avahi-daemon off
  +
/etc/init.d/avahi-daemon stop
  +
chkconfig avahi-dnsconfd off
  +
/etc/init.d/avahi-dnsconfd stop
  +
chkconfig bluetooth off
  +
/etc/init.d/bluetooth stop
  +
chkconfig hidd off
  +
/etc/init.d/hidd stop
  +
chkconfig cups off
  +
/etc/init.d/cups stop
  +
chkconfig firstboot off
  +
/etc/init.d/firstboot stop
  +
chkconfig gpm off
  +
/etc/init.d/gpm stop
  +
chkconfig haldaemon off
  +
/etc/init.d/haldaemon stop
  +
chkconfig irda off
  +
/etc/init.d/irda stop
  +
chkconfig kudzu off
  +
/etc/init.d/kudzu stop
  +
chkconfig messagebus off
  +
/etc/init.d/messagebus stop
  +
chkconfig microcode_ctl off
  +
/etc/init.d/microcode_ctl stop
  +
chkconfig pcscd off
  +
/etc/init.d/pcscd stop
  +
chkconfig readahead_early off
  +
/etc/init.d/readahead_early stop
  +
chkconfig readahead_later off
  +
/etc/init.d/readahead_later stop
  +
chkconfig ypbind off
  +
/etc/init.d/ypbind stop
  +
</pre></code>
   
  +
===Modified Cron Weekly Execution Time===
  +
*Modified the following line in <code>/etc/crontab</code>
<code><pre>
42 4 * * 0 root run-parts /etc/cron.weekly
</pre></code>
This was done to reduce load spikes that produce Nagios alerts around 4:30 AM every Sunday. In the event that this VM gets moved off of [[righteous]], this should be changed back to the default setting of 4:22 AM.

==Installed DenyHosts==
*Installed DenyHosts
**<code>yum install denyhosts</code>

*Configured DenyHosts <code>/etc/denyhosts/denyhosts.cfg</code> (comment lines omitted; these are the values in effect)
<code><pre>
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.block
PURGE_DENY =
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = Isengard DenyHosts Report
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h
</pre></code>
With <code>BLOCK_SERVICE</code> left blank, DenyHosts writes only the offending address to <code>/etc/hosts.block</code>; tcp_wrappers enforces that list only if <code>/etc/hosts.deny</code> refers to the file (for example <code>sshd: /etc/hosts.block</code>, see hosts_access(5) and the DenyHosts FAQ entry on auxiliary files). Synchronization is enabled in both directions: the host uploads its own denied addresses to denyhosts.net and, with <code>SYNC_DOWNLOAD = yes</code>, imports addresses that at least three other installations have denied (<code>SYNC_DOWNLOAD_THRESHOLD = 3</code>) over plain HTTP. Because <code>PURGE_DENY</code> is blank, neither local nor imported entries ever expire unless removed by hand.

*Created <code>/etc/hosts.block</code>
**<code>touch /etc/hosts.block</code>

*Configured DenyHosts to start on boot
**<code>/sbin/chkconfig --levels 2345 denyhosts on</code>

*Started DenyHosts
**<code>/etc/init.d/denyhosts start</code>
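As an added example, not code from this wiki page or from DenyHosts itself: a small model of the counting rules the <code>denyhosts.cfg</code> above puts in effect (the <code>DENY_THRESHOLD_*</code> limits and the <code>AGE_RESET_*</code> windows), run over constructed <code>/var/log/secure</code> lines so it is clear which addresses end up in <code>/etc/hosts.block</code> and why. The host name, addresses, timestamps and the assumption that the log year is 2009 are all made up for the example.

```python
"""Added example, not from the CSLabs wiki page or the DenyHosts project.

Re-implements the counting rules that the denyhosts.cfg above configures
(DENY_THRESHOLD_* and AGE_RESET_*) over constructed /var/log/secure lines,
so it is clear which addresses DenyHosts would append to /etc/hosts.block
and why.  Host name, addresses and timestamps below are made up.
"""
import re
from datetime import datetime, timedelta

# Values taken from the page's denyhosts.cfg.
DENY_THRESHOLD = {"invalid": 5, "valid": 10, "root": 1}
AGE_RESET = {
    "invalid": timedelta(days=10),
    "valid": timedelta(days=5),
    "root": timedelta(days=25),
}

# OpenSSH "Failed password" lines as syslog writes them on CentOS 5 (no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def classify(user, invalid_marker):
    """Map a failure to the DenyHosts category that owns its threshold."""
    if invalid_marker:
        return "invalid"          # account does not exist in /etc/passwd
    return "root" if user == "root" else "valid"

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies one (assumed 2009 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def denied_hosts(lines, year=2009):
    """Return {ip: category} for every address whose failure count in some
    category exceeds its DENY_THRESHOLD (denyhosts.cfg says "exceeded", so
    strictly greater than).  A gap longer than AGE_RESET[category] between
    two failures from the same address resets that count first.
    """
    counts, last_seen, denied = {}, {}, {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins, sudo, etc. are ignored
        cat = classify(m["user"], m["invalid"])
        key = (m["ip"], cat)
        when = parse_ts(m["ts"], year)
        if key in last_seen and when - last_seen[key] > AGE_RESET[cat]:
            counts[key] = 0
        counts[key] = counts.get(key, 0) + 1
        last_seen[key] = when
        if counts[key] > DENY_THRESHOLD[cat]:
            denied.setdefault(m["ip"], cat)
    return denied

def hosts_block_lines(denied):
    """What DenyHosts appends to HOSTS_DENY when BLOCK_SERVICE is blank: the
    bare address, one per line, for /etc/hosts.deny to reference."""
    return "".join(f"{ip}\n" for ip in sorted(denied))

# Constructed log excerpt (not a real capture).
SAMPLE_LOG = """\
Apr  1 02:10:05 isengard sshd[1877]: Failed password for invalid user test from 192.0.2.77 port 50001 ssh2
Apr  1 02:10:09 isengard sshd[1877]: Failed password for invalid user test from 192.0.2.77 port 50002 ssh2
Apr  1 02:10:12 isengard sshd[1877]: Failed password for invalid user test from 192.0.2.77 port 50003 ssh2
Apr  1 02:10:15 isengard sshd[1877]: Failed password for invalid user test from 192.0.2.77 port 50004 ssh2
Apr  5 03:12:01 isengard sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40110 ssh2
Apr  5 03:12:03 isengard sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40111 ssh2
Apr  5 03:12:06 isengard sshd[2101]: Failed password for invalid user oracle from 192.0.2.10 port 40112 ssh2
Apr  5 03:12:08 isengard sshd[2101]: Failed password for invalid user oracle from 192.0.2.10 port 40113 ssh2
Apr  5 03:12:11 isengard sshd[2101]: Failed password for invalid user guest from 192.0.2.10 port 40114 ssh2
Apr  5 03:12:14 isengard sshd[2101]: Failed password for invalid user guest from 192.0.2.10 port 40115 ssh2
Apr  5 03:20:44 isengard sshd[2140]: Failed password for root from 198.51.100.7 port 51002 ssh2
Apr  5 03:20:47 isengard sshd[2140]: Failed password for root from 198.51.100.7 port 51003 ssh2
Apr  5 08:01:10 isengard sshd[2302]: Failed password for alice from 203.0.113.5 port 33001 ssh2
Apr  5 08:01:15 isengard sshd[2302]: Failed password for alice from 203.0.113.5 port 33002 ssh2
Apr  5 08:01:40 isengard sshd[2305]: Accepted password for alice from 203.0.113.5 port 33003 ssh2
Apr 13 04:41:00 isengard sshd[3011]: Failed password for invalid user test from 192.0.2.77 port 50200 ssh2
Apr 13 04:41:04 isengard sshd[3011]: Failed password for invalid user test from 192.0.2.77 port 50201 ssh2
"""

if __name__ == "__main__":
    denied = denied_hosts(SAMPLE_LOG.splitlines())
    print(hosts_block_lines(denied), end="")
```

Running it lists 192.0.2.10 (six failures against non-existent accounts, over the threshold of 5) and 198.51.100.7 (two failures against root, over the threshold of 1). 192.0.2.77 stays off the list: its four April failures are more than <code>AGE_RESET_INVALID=10d</code> before the next two, so the count restarts, which is the behaviour the reset windows are there to produce.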
 
===Configured Some Password Policy===
*Edited <code>/etc/login.defs</code>
<code><pre>
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   30

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
</pre></code>
CentOS 5 changes passwords through PAM, so <code>PASS_MIN_LEN</code> here is not what enforces the minimum length; that is the <code>minlen</code> argument of <code>pam_cracklib</code> in <code>/etc/pam.d/system-auth</code>. The aging values are copied into <code>/etc/shadow</code> for accounts created after this edit; existing accounts keep their previous values unless updated with <code>chage</code>.
 
 
===Configured to be monitored by [[netstat]] Nagios Server===
====Installed xinetd====
*<code>yum install xinetd</code>

====Created nagios user====
*<code>/usr/sbin/useradd -s /sbin/nologin nagios</code>
*<code>passwd nagios</code>

====Compiled and Installed Nagios Plugins====
*Downloaded Plugins
**<code>wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.12.tar.gz</code>

*Extracted Plugins
**<code>tar xzf nagios-plugins-1.4.12.tar.gz</code>

*Compiled and Installed Plugins
**<code>cd nagios-plugins-1.4.12</code>
**<code>yum install gcc</code>
**<code>./configure --enable-perl-modules</code>
**<code>make</code>
**<code>make install</code>

*Set Ownership on plugin folder
**<code>chown nagios.nagios /usr/local/nagios</code>
**<code>chown -R nagios.nagios /usr/local/nagios/libexec</code>

====Installed NRPE Daemon====
*Downloaded NRPE
**<code>wget http://internap.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz</code>

*Extracted NRPE
**<code>tar xzf nrpe-2.12.tar.gz</code>

*Compiled & Installed the NRPE daemon and check_nrpe plugin
**<code>cd nrpe-2.12</code>
**<code>./configure</code>
**<code>make all</code>
**<code>make install-plugin</code>
**<code>make install-daemon</code>
**<code>make install-daemon-config</code>
**<code>make install-xinetd</code>

*Edited <code>/etc/xinetd.d/nrpe</code> and modified the following line
<code><pre>
only_from = 128.153.145.16
</pre></code>
The <code>allowed_hosts</code> setting in <code>nrpe.cfg</code> is ignored when NRPE runs under xinetd (see the note in that file below), so this <code>only_from</code> line and the iptables rule further down are what actually restrict port 5666 to the Nagios server.

*Edited <code>/etc/services</code> and added the following entry
<code><pre>
nrpe 5666/tcp # NRPE
</pre></code>

*Configured xinetd to start on boot
**<code>/sbin/chkconfig xinetd on</code>

*Started xinetd
**<code>/etc/init.d/xinetd start</code>

*Edited <code>/etc/sysconfig/iptables</code> and added the following rule
<code><pre>
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -s 128.153.145.16 -j ACCEPT
</pre></code>

*Restarted iptables
**<code>/etc/init.d/iptables restart</code>
 
====Configured NRPE====
*Edited <code>/usr/local/nagios/etc/nrpe.cfg</code> to look like the following
<code><pre>
#############################################################################
# NRPE Config File
#
# Last Modified: 05-27-2008
#############################################################################

# LOG FACILITY
# The syslog facility that should be used for logging purposes.
log_facility=daemon

# PID FILE
# The name of the file in which the NRPE daemon should write its process ID
# number.  The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
pid_file=/var/run/nrpe.pid

# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-privileged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
server_port=5666

# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
#server_address=127.0.0.1

# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_user=nagios

# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_group=nagios

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address.  I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
allowed_hosts=128.153.145.16

# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed.  This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe=0

# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commands using sudo.  For this to work, you need to add
# the nagios user to your /etc/sudoers.  An example entry for allowing
# execution of the plugins from that directory might be:
#
# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password.  If you do this, make sure you don't give
# random users write access to that directory or its contents!
# command_prefix=/usr/bin/sudo

# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on
debug=0

# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
command_timeout=60

# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting.  This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected.  This causes the nrpe daemons to
# accumulate, eating system resources.  Do not set this too low.
connection_timeout=300

# WEAK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied).  The random number generator will be seeded from a file
# which is either a file pointed to by the environment variable $RANDFILE
# or $HOME/.rnd.  If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
#allow_weak_random_seed=1

# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
include=/usr/local/nagios/etc/command_def.cfg
</pre></code>

*Created <code>/usr/local/nagios/etc/command_def.cfg</code>
<code><pre>
command[check_users]=/usr/local/nagios/libexec/check_users -w 10 -c 15
command[check_load]=/usr/local/nagios/libexec/check_load -w 1.20,1.00,0.90 -c 1.30,1.10,1.00
command[check_rootfs]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/xvda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 80 -c 100
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 15% -c 10%
command[check_nagios]=/usr/local/nagios/libexec/check_nagios -V
</pre></code>
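As an added example, not code from this wiki page or from the NRPE project: a model of how the NRPE daemon turns a request from the Nagios server into a command line, using the <code>command_def.cfg</code> above, to show what <code>dont_blame_nrpe=0</code> buys. With that setting every request carrying <code>!</code>-separated arguments is refused; with arguments enabled, the <code>$ARGn$</code> text is spliced into a line that the daemon runs through <code>/bin/sh -c</code>, so shell metacharacters in an argument become extra commands. The <code>check_disk_arg</code> definition, the requests and the refusal wording are this example's own, not the daemon's.

```python
"""Added example, not from the CSLabs wiki page or the NRPE project.

Models how the NRPE daemon resolves a request against command_def.cfg.
The command_def.cfg text is the page's; the check_disk_arg definition,
the requests and the refusal messages are made up for illustration.
"""
import re

# command_def.cfg exactly as created on the page.
COMMAND_DEF = """\
command[check_users]=/usr/local/nagios/libexec/check_users -w 10 -c 15
command[check_load]=/usr/local/nagios/libexec/check_load -w 1.20,1.00,0.90 -c 1.30,1.10,1.00
command[check_rootfs]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/xvda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 80 -c 100
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 15% -c 10%
command[check_nagios]=/usr/local/nagios/libexec/check_nagios -V
"""

# Hypothetical definition that takes a client-supplied argument; NOT on the page.
HYPOTHETICAL_ARG_COMMAND = (
    "command[check_disk_arg]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p $ARG1$\n"
)

CMD_RE = re.compile(r"^command\[(?P<name>[^\]]+)\]=(?P<line>.+)$")
MACRO_RE = re.compile(r"\$ARG(\d+)\$")
SHELL_METACHARS = ";|&`$<>()\n"
UNKNOWN = 3   # Nagios UNKNOWN state, which NRPE reports for refused requests

def load_commands(text):
    """Parse command[name]=line definitions as nrpe.cfg and its include file are read."""
    commands = {}
    for raw in text.splitlines():
        m = CMD_RE.match(raw.strip())
        if m:
            commands[m["name"]] = m["line"]
    return commands

def resolve(commands, request, dont_blame_nrpe=0):
    """Model NRPE's lookup for a request 'name' or 'name!arg1!arg2...'.

    Returns (state, text).  state 0: text is the command line the daemon
    would execute through /bin/sh -c.  state UNKNOWN: the request is refused
    and text says why (wording is this model's, not the daemon's).
    """
    name, *args = request.split("!")
    line = commands.get(name)
    if line is None:
        return UNKNOWN, f"command '{name}' is not defined"
    if args and not dont_blame_nrpe:
        # the page's setting: arguments are never accepted, whatever they contain
        return UNKNOWN, "command arguments are not allowed (dont_blame_nrpe=0)"

    def macro(m):
        idx = int(m.group(1)) - 1
        return args[idx] if 0 <= idx < len(args) else ""

    return 0, MACRO_RE.sub(macro, line)

def shell_metachars(command_line):
    """Characters in the expanded line that /bin/sh would treat as more than
    a plain argument; a non-empty result means an argument has escaped the
    plugin it was meant for."""
    return sorted(set(c for c in command_line if c in SHELL_METACHARS))

if __name__ == "__main__":
    page_cmds = load_commands(COMMAND_DEF)
    print(resolve(page_cmds, "check_load"))
    print(resolve(page_cmds, "check_load!5,4,3"))          # refused on this host
    lax = load_commands(COMMAND_DEF + HYPOTHETICAL_ARG_COMMAND)
    state, line = resolve(lax, "check_disk_arg!/ ; id", dont_blame_nrpe=1)
    print(state, line, shell_metachars(line))                # ';' means 'id' would run too
```

Every definition on the page resolves to a fixed command line with no shell metacharacters, and any request that tries to pass arguments is refused before lookup. The hypothetical <code>check_disk_arg</code> shows the other side: once arguments are accepted, filtering them is the daemon's only defence, which is why the page leaves <code>dont_blame_nrpe=0</code> and pins thresholds in <code>command_def.cfg</code> instead.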
 
   
===Final Steps===
*Created previous user accounts that existed on righteous
*Copied previous user account passwords from <code>/etc/shadow</code> on old righteous to <code>/etc/shadow</code> on isengard
*Rebooted and tested that denyhosts started on boot & had other users test accounts

[[Category:Server Setup Documentation]]
 

Latest revision as of 13:19, 3 September 2015


failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
    • Edited /etc/yum.repos.d/epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
  • Disabled the Yum fastestmirror plugin, since a local mirror is used
    • sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
  • Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
    • yum install yum-priorities
  • Configured Yum Priorities to check for obsoletes
    • echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
  • yum install vim-enhanced gcc emacs-nox screen nmap expect pwgen dialog
  • yum update
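
The repository files above all share three properties that the rest of the setup depends on: every enabled repository has gpgcheck=1 with a gpgkey, every one carries an explicit priority for the yum-priorities plugin, and every baseurl points at mirror.clarkson.edu. The following checker is an added example, not code from the wiki or from CentOS; it audits a .repo file for those properties and ignores disabled sections. The sample .repo file it runs over is constructed for the example, and the helper names (audit_repo_file, write_sample_repo, demo_repo_audit) are this example's own. Only POSIX sh and awk are needed.

```bash
#!/bin/sh
# Added example (not from the wiki page): audit a yum .repo file for the
# properties the setup above depends on.  Every enabled repository must
# have gpgcheck=1 and a gpgkey, must carry an explicit priority for the
# yum-priorities plugin, and its baseurl must point at the expected mirror.

# audit_repo_file FILE MIRROR_HOST
# Prints one "repo-id: problem" line per finding.  Exit status 0 when the
# file is clean, 1 when at least one enabled repository has a problem.
audit_repo_file() {
    awk -v host="$2" '
    function report() {
        if (id == "" || enabled == "0") return      # nothing parsed yet, or repo disabled
        if (gpgcheck != "1") { print id ": gpgcheck is not 1"; bad = 1 }
        if (gpgkey == "")    { print id ": no gpgkey configured"; bad = 1 }
        if (priority == "")  { print id ": no priority set (plugin treats it as 99)"; bad = 1 }
        if (baseurl != "" && index(baseurl, "://" host "/") == 0) {
            print id ": baseurl is not on mirror " host; bad = 1
        }
    }
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    /^[ \t]*\[/ {                                   # new [section]: finish the previous one
        report()
        id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        enabled = "1"; gpgcheck = ""; gpgkey = ""; priority = ""; baseurl = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next     # "key = value"; spaces around = are allowed
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
        if (key == "priority") priority = val
        if (key == "baseurl")  baseurl  = val
    }
    END { report(); exit bad }
    ' "$1"
}

# write_sample_repo FILE: constructed sample (not a file from the page) with
# one clean repository, one third-party repository that has GPG checking off
# and lives on a foreign host, and a disabled repository the audit must ignore.
write_sample_repo() {
    cat > "$1" <<'EOF'
# constructed sample .repo file
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

[thirdparty]
name = Third party packages
baseurl = http://repo.example.invalid/el5/$basearch/
gpgcheck = 0
priority = 15

[centosplus]
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=0
enabled=0
EOF
}

# demo_repo_audit: run the audit over the constructed sample.  Prints the
# findings (three, all for [thirdparty]) and returns the audit's status (1).
demo_repo_audit() {
    f=$(mktemp) || return 2
    write_sample_repo "$f"
    status=0
    audit_repo_file "$f" mirror.clarkson.edu || status=$?
    rm -f "$f"
    return $status
}

if demo_repo_audit; then echo "repo file is clean"; else echo "findings reported"; fi
```

On a live system the same function can be pointed at the real files, for example audit_repo_file /etc/yum.repos.d/rpmforge.repo mirror.clarkson.edu, and the exit status makes it usable from cron. A disabled section such as [centosplus] is skipped on purpose: yum never consults it, so its settings cannot weaken package verification until someone enables it, at which point the audit starts reporting it.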

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=isengard
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=none
BROADCAST=128.153.145.255
HWADDR=00:16:3E:34:64:A6
IPADDR=128.153.145.12
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Xen Virtual Ethernet
DEVICE=eth1
BOOTPROTO=none
BROADCAST=10.0.1.255
HWADDR=00:16:3E:1C:FE:21
IPADDR=10.0.1.5
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
TYPE=Ethernet
  • Verified eth2 configuration for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Xen Virtual Ethernet
DEVICE=eth2
BOOTPROTO=none
BROADCAST=10.0.0.255
HWADDR=00:16:3e:10:25:3f
IPADDR=10.0.0.20
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain   localhost
128.153.145.12  isengard.cslabs.clarkson.edu isengard.cslabs isengard
10.0.1.5        isengard.sr.cslabs.clarkson.edu isengard.sr.cslabs isengard.sr
10.0.0.20       isengard.int.cslabs.clarkson.edu isengard.int.cslabs isengard.int
  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Disabled IPv6

  • Appended the following to /etc/modprobe.conf
install ipv6 /bin/true
  • Disabled the IPv6 firewall
    • /sbin/chkconfig ip6tables off

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.

-A INPUT -p udp -m udp --dport 22 -j ACCEPT

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
   _                               __
  (_)__ ___ ___  ___ ____ ________/ /
 / (_-</ -_) _ \/ _ `/ _ `/ __/ _  /
/_/___/\__/_//_/\_, /\_,_/_/  \_,_/
               /___/

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5
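
The following checker is an added example, not code from the wiki page or from shadow-utils: it reads a login.defs file and reports every setting that falls short of the policy the section above configures (a 360-day maximum password age, 8-character minimum, 60-day warning, umask 077, and a non-DES password hash). The two sample files it compares are constructed for the example, and the function names (login_def, check_login_defs, write_login_defs, demo_login_defs) are this example's own.

```bash
#!/bin/sh
# Added example (not from the wiki page): check /etc/login.defs against the
# password policy set in the section above.  The thresholds are the values
# that section configures; the sample files are constructed.

# login_def FILE KEY -> value of the last active (uncommented) KEY line, or empty
login_def() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# check_login_defs FILE
# Prints one line per policy violation; returns the number of violations.
check_login_defs() {
    f="$1"; n=0
    v=$(login_def "$f" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 360 ]; then
        echo "PASS_MAX_DAYS must be 360 or less (found: ${v:-unset})"; n=$((n + 1))
    fi
    v=$(login_def "$f" PASS_MIN_LEN)
    if [ -z "$v" ] || [ "$v" -lt 8 ]; then
        echo "PASS_MIN_LEN must be 8 or more (found: ${v:-unset})"; n=$((n + 1))
    fi
    v=$(login_def "$f" PASS_WARN_AGE)
    if [ -z "$v" ] || [ "$v" -lt 60 ]; then
        echo "PASS_WARN_AGE must be 60 or more (found: ${v:-unset})"; n=$((n + 1))
    fi
    v=$(login_def "$f" UMASK)
    if [ "$v" != "077" ]; then
        echo "UMASK must be 077 (found: ${v:-unset})"; n=$((n + 1))
    fi
    v=$(login_def "$f" ENCRYPT_METHOD)
    case "$v" in
        MD5|SHA256|SHA512) ;;    # any of these is acceptable; unset falls back to DES crypt
        *) echo "ENCRYPT_METHOD must name a non-DES hash (found: ${v:-unset})"; n=$((n + 1)) ;;
    esac
    return $n
}

# write_login_defs FILE hardened|weak: constructed samples.  "hardened" is the
# relevant subset of the values above; "weak" is a made-up file that violates
# every rule, with one setting commented out to show that comments are ignored.
write_login_defs() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60
UMASK           077
ENCRYPT_METHOD MD5
EOF
    else
        cat > "$1" <<'EOF'
# PASS_MAX_DAYS   360      <- commented out, so it must not count
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           022
EOF
    fi
}

# demo_login_defs -> prints "hardened=<n> weak=<m>" (expected: hardened=0 weak=5)
demo_login_defs() {
    h=$(mktemp) && w=$(mktemp) || return 2
    write_login_defs "$h" hardened
    write_login_defs "$w" weak
    hn=0; check_login_defs "$h" >/dev/null || hn=$?
    wn=0; check_login_defs "$w" >/dev/null || wn=$?
    rm -f "$h" "$w"
    echo "hardened=$hn weak=$wn"
}

demo_login_defs
```

Two caveats worth knowing when reading the result: on a PAM-based system such as CentOS, password length at change time is enforced by pam_cracklib in /etc/pam.d/system-auth rather than by PASS_MIN_LEN, so that value needs checking in both places; and ENCRYPT_METHOD only affects passwords set after it is changed, so existing hashes keep their old algorithm until the user next changes their password.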

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Configured Aliases

  • Edited /etc/aliases
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     logwatch@cslabs.clarkson.edu

# General redirections for pseudo accounts.
bin:            logwatch@cslabs.clarkson.edu
daemon:         logwatch@cslabs.clarkson.edu
adm:            logwatch@cslabs.clarkson.edu
lp:             logwatch@cslabs.clarkson.edu
sync:           logwatch@cslabs.clarkson.edu
shutdown:       logwatch@cslabs.clarkson.edu
halt:           logwatch@cslabs.clarkson.edu
mail:           logwatch@cslabs.clarkson.edu
news:           logwatch@cslabs.clarkson.edu
uucp:           logwatch@cslabs.clarkson.edu
operator:       logwatch@cslabs.clarkson.edu
games:          logwatch@cslabs.clarkson.edu
gopher:         logwatch@cslabs.clarkson.edu
ftp:            logwatch@cslabs.clarkson.edu
nobody:         logwatch@cslabs.clarkson.edu
radiusd:        logwatch@cslabs.clarkson.edu
nut:            logwatch@cslabs.clarkson.edu
dbus:           logwatch@cslabs.clarkson.edu
vcsa:           logwatch@cslabs.clarkson.edu
canna:          logwatch@cslabs.clarkson.edu
wnn:            logwatch@cslabs.clarkson.edu
rpm:            logwatch@cslabs.clarkson.edu
nscd:           logwatch@cslabs.clarkson.edu
pcap:           logwatch@cslabs.clarkson.edu
apache:         logwatch@cslabs.clarkson.edu
webalizer:      logwatch@cslabs.clarkson.edu
dovecot:        logwatch@cslabs.clarkson.edu
fax:            logwatch@cslabs.clarkson.edu
quagga:         logwatch@cslabs.clarkson.edu
radvd:          logwatch@cslabs.clarkson.edu
pvm:            logwatch@cslabs.clarkson.edu
amanda:         logwatch@cslabs.clarkson.edu
privoxy:        logwatch@cslabs.clarkson.edu
ident:          logwatch@cslabs.clarkson.edu
named:          logwatch@cslabs.clarkson.edu
xfs:            logwatch@cslabs.clarkson.edu
gdm:            logwatch@cslabs.clarkson.edu
mailnull:       logwatch@cslabs.clarkson.edu
postgres:       logwatch@cslabs.clarkson.edu
sshd:           logwatch@cslabs.clarkson.edu
smmsp:          logwatch@cslabs.clarkson.edu
postfix:        logwatch@cslabs.clarkson.edu
netdump:        logwatch@cslabs.clarkson.edu
ldap:           logwatch@cslabs.clarkson.edu
squid:          logwatch@cslabs.clarkson.edu
ntp:            logwatch@cslabs.clarkson.edu
mysql:          logwatch@cslabs.clarkson.edu
desktop:        logwatch@cslabs.clarkson.edu
rpcuser:        logwatch@cslabs.clarkson.edu
rpc:            logwatch@cslabs.clarkson.edu
nfsnobody:      logwatch@cslabs.clarkson.edu

ingres:         logwatch@cslabs.clarkson.edu
system:         logwatch@cslabs.clarkson.edu
toor:           logwatch@cslabs.clarkson.edu
manager:        logwatch@cslabs.clarkson.edu
dumper:         logwatch@cslabs.clarkson.edu
abuse:          logwatch@cslabs.clarkson.edu

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp
www:            webmaster
webmaster:      logwatch@cslabs.clarkson.edu
noc:            logwatch@cslabs.clarkson.edu
security:       logwatch@cslabs.clarkson.edu
hostmaster:     logwatch@cslabs.clarkson.edu
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster


# trap decode to catch security attacks
decode:         logwatch@cslabs.clarkson.edu

# Person who should get root's mail
root:           logwatch@cslabs.clarkson.edu
  • Updated aliases
    • /usr/bin/newaliases

Disabled Various Kernel Modules

  • Added the following to /etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
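
The IPv6 section earlier and the section above both rely on the same mechanism: an "install <module> /bin/true" line makes modprobe run /bin/true instead of loading the module, so even an explicit modprobe of it does nothing. The checker below is an added example, not code from the wiki page or from module-init-tools; it verifies that such an override is active for each module named in those two sections and flags any that is missing or commented out. The sample modprobe.conf is constructed, and the helper names (module_disabled, audit_modules, write_sample_modprobe, demo_modules) are this example's own.

```bash
#!/bin/sh
# Added example (not from the wiki page): verify that the "install <module>
# /bin/true" overrides are active for the modules the page disables
# (ipv6 in the earlier section, pppox/bluetooth/sctp in this one).

# module_disabled CONF MODULE
# Succeeds when CONF has an uncommented "install MODULE /bin/true" (or
# /bin/false) line, i.e. modprobe will run that command instead of loading.
module_disabled() {
    awk -v mod="$2" '
        BEGIN { found = 0 }
        /^[ \t]*#/ { next }                          # commented-out lines do not count
        $1 == "install" && $2 == mod && ($3 == "/bin/true" || $3 == "/bin/false") { found = 1 }
        END { exit !found }' "$1"
}

# audit_modules CONF MODULE...
# Prints one status line per module; returns how many are still loadable.
audit_modules() {
    conf="$1"; shift
    missing=0
    for m in "$@"; do
        if module_disabled "$conf" "$m"; then
            echo "$m: disabled"
        else
            echo "$m: NOT disabled"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# write_sample_modprobe FILE: constructed modprobe.conf in which the sctp
# override has been commented out and one module is only blacklisted.
write_sample_modprobe() {
    cat > "$1" <<'EOF'
alias eth0 xennet
install ipv6 /bin/true
install pppox /bin/true
install bluetooth /bin/true
#install sctp /bin/true
blacklist usb_storage
EOF
}

# demo_modules: audit the constructed file for the page's four modules.
# Prints the audit and returns the number still loadable (expected 1: sctp).
demo_modules() {
    f=$(mktemp) || return 2
    write_sample_modprobe "$f"
    rc=0
    audit_modules "$f" ipv6 pppox bluetooth sctp || rc=$?
    rm -f "$f"
    return $rc
}

if demo_modules; then echo "all overrides present"; else echo "some modules are still loadable"; fi
```

The sample deliberately includes a "blacklist" line for a fifth module: blacklisting only stops the module from being autoloaded through its internal aliases, an explicit modprobe still loads it, which is why the page uses install overrides rather than blacklist entries. On the real host the function is run as audit_modules /etc/modprobe.conf ipv6 pppox bluetooth sctp.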

Installed & Configured SNMP

  • Installed needed packages
yum install net-snmp ntp
  • Configured SNMP Daemon /etc/snmp/snmpd.conf
rocommunity     <passphrase>  127.0.0.1
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
  • Deployed ntp_check script
    • Copied over ntp_check to /usr/local/sbin/
    • chown root.root /usr/local/sbin/ntp_check
  • Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
  • Started daemon
/etc/init.d/snmpd start

Increased Detail of Logwatch Reports

  • Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf

Disabled Unneeded Services

chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop
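
Turning a service off with chkconfig and stopping it are two separate actions, and a later package update can re-enable a service, so it is useful to verify the list above from the output of chkconfig --list. The checker below is an added example, not code from the wiki page or from chkconfig: it parses that listing and reports every named service still set to "on" in runlevels 2 through 5. The listing it runs over is constructed for the example, and the helper names (services_still_on, write_sample_chkconfig, demo_services) are this example's own.

```bash
#!/bin/sh
# Added example (not from the wiki page): confirm that the services disabled
# above are off in every multi-user runlevel, from "chkconfig --list" output.

# services_still_on LISTING "svc1 svc2 ..."
# Reads chkconfig --list style output from the file LISTING and prints,
# sorted, every named service that is "on" in runlevel 2, 3, 4 or 5.
# Returns 0 when none are, 1 otherwise.  Services absent from the listing
# are ignored: a service that is not installed cannot start.
services_still_on() {
    out=$(awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) unwanted[w[i]] = 1 }
        ($1 in unwanted) {
            for (i = 2; i <= NF; i++) {                # fields look like "3:on"
                split($i, kv, ":")
                if (kv[1] >= 2 && kv[1] <= 5 && kv[2] == "on") still_on[$1] = 1
            }
        }
        END { for (s in still_on) print s }' "$1" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# write_sample_chkconfig FILE: constructed listing in the format chkconfig
# prints, including the xinetd section that must not confuse the parser.
write_sample_chkconfig() {
    cat > "$1" <<'EOF'
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
EOF
}

# demo_services: check the constructed listing for five of the services the
# page turns off.  Prints the offenders (cups, portmap) and returns 1.
demo_services() {
    f=$(mktemp) || return 2
    write_sample_chkconfig "$f"
    rc=0
    services_still_on "$f" "nfs portmap cups bluetooth avahi-daemon" || rc=$?
    rm -f "$f"
    return $rc
}

if demo_services; then echo "all listed services are off"; else echo "some services are still enabled"; fi
```

On the real host the listing comes straight from the command, for example chkconfig --list > /tmp/services.txt followed by services_still_on /tmp/services.txt "nfs portmap ...". Note that cups is reported even though it is only on in runlevel 5: the page disables it outright, and a single enabled runlevel is enough for it to start if the machine is ever booted into that level.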

Modified Cron Weekly Execution Time

This was done to reduce load spikes that produce Nagios alerts around 4:30 AM every Sunday. In the event that this VM gets moved off of righteous, this should be changed back to the default setting of 4:22 AM.

  • Modified the following line in /etc/crontab
42 4 * * 0 root run-parts /etc/cron.weekly

Installed DenyHosts

  • Installed DenyHosts
    • yum install denyhosts
  • Configured DenyHosts /etc/denyhosts/denyhosts.cfg
SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.block

PURGE_DENY =

BLOCK_SERVICE  =

DENY_THRESHOLD_INVALID = 5

DENY_THRESHOLD_VALID = 10

DENY_THRESHOLD_ROOT = 1

DENY_THRESHOLD_RESTRICTED = 1

WORK_DIR = /usr/share/denyhosts/data

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=YES

LOCK_FILE = /var/lock/subsys/denyhosts

ADMIN_EMAIL = root@localhost

SMTP_HOST = localhost
SMTP_PORT = 25

SMTP_FROM = DenyHosts <nobody@localhost>

SMTP_SUBJECT = Isengard DenyHosts Report

SYSLOG_REPORT=YES

AGE_RESET_VALID=5d

AGE_RESET_RESTRICTED=25d

AGE_RESET_INVALID=10d

DAEMON_LOG = /var/log/denyhosts

DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

SYNC_INTERVAL = 1h

SYNC_UPLOAD = yes

SYNC_DOWNLOAD = yes

SYNC_DOWNLOAD_THRESHOLD = 3

SYNC_DOWNLOAD_RESILIENCY = 5h
  • Created /etc/hosts.block
    • touch /etc/hosts.block
  • Configured DenyHosts to start on boot
    • /sbin/chkconfig --levels 2345 denyhosts on
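
To see what the DENY_THRESHOLD_* values above mean in practice, the following is an added example and a deliberate simplification; it is not DenyHosts' own code and does not model its ageing, purge or synchronisation logic. It counts failed sshd logins in /var/log/secure per source address in the three classes DenyHosts distinguishes (invalid user, root, valid user) and lists an address once any class reaches its threshold, defaulting to the values configured above (5, 10 and 1). The log lines are constructed for the example, using the message formats sshd on CentOS 5 writes, and the helper names (denyhosts_model, write_sample_secure, demo_denyhosts) are this example's own.

```bash
#!/bin/sh
# Added example (not from the wiki page, not DenyHosts code): a simplified
# model of how the thresholds above are applied to /var/log/secure.

# denyhosts_model LOGFILE [INVALID_T VALID_T ROOT_T]
# Prints, sorted, the addresses that would be written to HOSTS_DENY.  With
# BLOCK_SERVICE left empty (as above) DenyHosts writes bare addresses, so
# that is the format produced here.  Reaching a threshold is treated as
# "denied"; DenyHosts' exact comparison may differ.
denyhosts_model() {
    awk -v t_inv="${2:-5}" -v t_val="${3:-10}" -v t_root="${4:-1}" '
        / sshd\[[0-9]+\]: Failed password for / {
            host = ""
            for (i = 1; i <= NF; i++) if ($i == "from") host = $(i + 1)
            if (host == "") next
            if ($0 ~ / for invalid user /)   inv[host]++   # account does not exist
            else if ($0 ~ / for root from /) rt[host]++    # root: threshold 1 above
            else                             val[host]++   # existing, non-root account
            seen[host] = 1
        }
        END {
            for (h in seen)
                if (inv[h] + 0 >= t_inv + 0 || val[h] + 0 >= t_val + 0 || rt[h] + 0 >= t_root + 0)
                    print h
        }' "$1" | sort
}

# write_sample_secure FILE: constructed log.  192.0.2.10 fails five invalid
# users, 198.51.100.7 fails twice for a real user and then succeeds,
# 203.0.113.9 fails once as root, 198.51.100.20 fails two invalid users.
write_sample_secure() {
    cat > "$1" <<'EOF'
Apr 12 03:14:01 isengard sshd[2117]: Invalid user admin from 192.0.2.10
Apr 12 03:14:01 isengard sshd[2117]: Failed password for invalid user admin from 192.0.2.10 port 4031 ssh2
Apr 12 03:14:04 isengard sshd[2119]: Failed password for invalid user oracle from 192.0.2.10 port 4032 ssh2
Apr 12 03:14:07 isengard sshd[2121]: Failed password for invalid user test from 192.0.2.10 port 4033 ssh2
Apr 12 03:14:10 isengard sshd[2123]: Failed password for invalid user guest from 192.0.2.10 port 4034 ssh2
Apr 12 03:14:13 isengard sshd[2125]: Failed password for invalid user backup from 192.0.2.10 port 4035 ssh2
Apr 12 03:20:41 isengard sshd[2140]: Failed password for mccarrms from 198.51.100.7 port 50122 ssh2
Apr 12 03:20:49 isengard sshd[2142]: Failed password for mccarrms from 198.51.100.7 port 50123 ssh2
Apr 12 03:20:55 isengard sshd[2144]: Accepted password for mccarrms from 198.51.100.7 port 50124 ssh2
Apr 12 03:31:02 isengard sshd[2160]: Failed password for root from 203.0.113.9 port 2201 ssh2
Apr 12 03:40:15 isengard sshd[2171]: Failed password for invalid user admin from 198.51.100.20 port 6001 ssh2
Apr 12 03:40:18 isengard sshd[2173]: Failed password for invalid user admin from 198.51.100.20 port 6002 ssh2
EOF
}

# demo_denyhosts: run the model over the constructed log with the page's
# thresholds.  Expected output: 192.0.2.10 and 203.0.113.9, one per line.
demo_denyhosts() {
    f=$(mktemp) || return 2
    write_sample_secure "$f"
    denyhosts_model "$f"
    rm -f "$f"
}

demo_denyhosts
```

The example makes the asymmetry of the configuration visible: a single failed root login is enough to be listed, while the real user who mistypes a password twice is nowhere near the valid-user threshold of 10. A file of bare addresses is only useful because hosts_access(5) lets a client list in /etc/hosts.allow or /etc/hosts.deny be a file name, which is how an auxiliary file like /etc/hosts.block is consulted by tcp_wrappers.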