Difference between revisions of "Isengard Setup Process"

From CSLabsWiki
m (Configured DNS Servers)
(Rebuilt)
Line 1: Line 1:
This page summarizes how the virtual machine [[isengard]] was set up in April 2008, changes made during May 2008, and upgrades during August 2008.
+
This page summarizes how the virtual machine [[Isengard]] was set up in Spring 2009.
   
 
==Install==
 
==Install==
*Installed CentOS 5.1 x64.
+
*Installed CentOS 5.3 x64.
 
**Partition Scheme
 
**Partition Scheme
***4.5 GB /
+
***2.9 GB /
  +
***100 MB /home
  +
***1.5 GB /var
 
***512 MB swap
 
***512 MB swap
 
===Upgraded to Latest Version===
 
*Upgraded to CentOS 5.2 x64
 
**<code>yum upgrade</code>
 
**Rebooted for changes to take effect
 
   
 
==Configuration==
 
==Configuration==
  +
===Updated VM===
  +
*Added RPMForge Yum Repository
  +
**<code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code>
  +
***From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
  +
  +
*<code>yum install yum-fastestmirror vim-enhanced gcc emacs-nox</code>
  +
*<code>yum update</code>
  +
  +
===Created User===
  +
*Created user mccarrms
  +
**<code>/usr/sbin/useradd -m mccarrms</code>
  +
*Set password for mccarrms
  +
**<code>passwd mccarrms</code>
  +
 
===Configured Sudo===
 
===Configured Sudo===
 
*<code>/usr/sbin/visudo</code>
 
*<code>/usr/sbin/visudo</code>
   
 
<code><pre>
 
<code><pre>
## sudoers allows particular users to run various commands as
+
## Sudoers allows particular users to run various commands as
 
## the root user, without needing the root password.
 
## the root user, without needing the root password.
##
 
## Examples are provided at the bottom of the file for collections
 
## of related commands, which can then be delegated out to particular
 
## users or groups.
 
##
 
## This file must be edited with the 'visudo' command.
 
 
## Host Aliases
 
## Groups of machines. You may prefer to use hostnames (perhap using
 
## wildcards for entire domains) or IP addresses instead.
 
# Host_Alias FILESERVERS = fs1, fs2
 
# Host_Alias MAILSERVERS = smtp, smtp2
 
 
## User Aliases
 
## These aren't often necessary, as you can use regular groups
 
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
 
## rather than USERALIAS
 
User_Alias ADMINS = mccarrms,shephezj,lewisrj
 
 
 
## Command Aliases
 
## These are groups of related commands...
 
   
 
## Networking
 
## Networking
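Review bot: the RPMForge bootstrap line `rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm` installs a package fetched over plain HTTP with no signature check, and that package then defines a repository everything later in this section pulls from. Download the package first, import the repository's GPG key, verify it with `rpm -K` (`--checksig`) and only then install it; afterwards confirm that the rpmforge.repo file it drops in has `gpgcheck=1` so later `yum update` runs are verified too. Separately, the "Created User" block under Configuration duplicates the "Created Admin User" steps that still appear further down (same `useradd -m mccarrms` / `passwd mccarrms` pair); keep one copy, and keep the `-s /bin/bash` form so the account's shell is explicit.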
Line 69: Line 58:
 
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
 
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
   
  +
## Users
# Defaults specification
 
  +
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel
   
#
 
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
 
# You have to run "ssh -t hostname sudo <cmd>".
 
#
 
 
Defaults requiretty
 
Defaults requiretty
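Review bot: the new `Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel` allows both commands with any arguments, which makes whoever receives it root-equivalent: `useradd` with free arguments can create accounts with arbitrary UID, group membership, home and shell, and `userdel` can remove any account. If the intent is delegated account management only, pin the argument pattern in the alias (as the page already does for `passwd` with `[[\:alpha\:]]*` and a `!` exclusion for root), or accept that the grant is full root and record it that way in the page's description of the ADMINS role. Also keep `Defaults requiretty` (retained here) since it is what makes the `ssh hostname sudo <cmd>` warning above hold.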
   
Line 85: Line 71:
 
_XKB_CHARSET XAUTHORITY"
 
_XKB_CHARSET XAUTHORITY"
   
## Next comes the main part: which users can run what software on
 
## which machines (the sudoers file can be shared between multiple
 
## systems).
 
## Syntax:
 
##
 
## user MACHINE=COMMANDS
 
##
 
## The COMMANDS section may have other options added to it.
 
##
 
 
## Allow root to run any commands anywhere
 
## Allow root to run any commands anywhere
 
root ALL=(ALL) ALL
 
root ALL=(ALL) ALL
 
## Allow members of ADMINS to use sudo
 
ADMINS ALL=(root) ALL, !SHELLS
 
 
## Allows members of the 'sys' group to run networking, software,
 
## service management apps and more.
 
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
 
 
## Allows people in group wheel to run all commands
 
 
%wheel ALL=(ALL) ALL
 
%wheel ALL=(ALL) ALL
  +
%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root
 
## Same thing without a password
 
# %wheel ALL=(ALL) NOPASSWD: ALL
 
 
## Allows members of the users group to mount and unmount the
 
## cdrom as root
 
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
 
 
## Allows members of the users group to shutdown this system
 
# %users localhost=/sbin/shutdown -h now
 
 
</pre></code>
 
</pre></code>
 
===Created Admin User===
 
*Created user mccarrms
 
**<code>/usr/sbin/useradd -m mccarrms -s/bin/bash</code>
 
*Set password for mccarrms
 
**<code>passwd mccarrms</code>
 
   
 
===Configured Networks===
 
===Configured Networks===
 
*Configured hostname in <code>/etc/sysconfig/network</code>
 
*Configured hostname in <code>/etc/sysconfig/network</code>
 
 
<code><pre>
 
<code><pre>
 
NETWORKING=yes
 
NETWORKING=yes
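Review bot: `ADMINS ALL=(root) ALL, !SHELLS` is a deny-list on top of `ALL`, and the sudoers manual is explicit that this pattern gives only the appearance of a restriction: any permitted command that can spawn a subprocess (editors, pagers, interpreters) reaches a shell, and a copy of a shell under another path is not in SHELLS. Treat members of ADMINS as full root and rely on sudo's logging for accountability, or switch to an allow-list of the commands they actually need. The added `%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root` line targets a Unix group named `admins`, which is not the `User_Alias ADMINS` defined above; nothing on the page creates that group, so as written the line grants nothing until the group exists. Decide whether the grant should go to the alias (`ADMINS ALL=USERS, ...`) or to a real group, and document the group's creation if the latter.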
Line 133: Line 85:
 
</pre></code>
 
</pre></code>
   
*Configured eth0 for Clarkson Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code>
+
*Verified eth0 configuration for Clarkson Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code>
 
<code><pre>
 
<code><pre>
 
# Xen Virtual Ethernet
 
# Xen Virtual Ethernet
Line 139: Line 91:
 
BOOTPROTO=none
 
BOOTPROTO=none
 
BROADCAST=128.153.145.255
 
BROADCAST=128.153.145.255
HWADDR=00:16:3E:31:D1:B7
+
HWADDR=00:16:3E:34:64:A6
 
IPADDR=128.153.145.12
 
IPADDR=128.153.145.12
 
NETMASK=255.255.255.0
 
NETMASK=255.255.255.0
Line 148: Line 100:
 
</pre></code>
 
</pre></code>
   
*Configured eth1 for the Server Room Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>
+
*Verified eth1 configuration for the Server Room Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>
 
<code><pre>
 
<code><pre>
 
# Xen Virtual Ethernet
 
# Xen Virtual Ethernet
Line 154: Line 106:
 
BOOTPROTO=none
 
BOOTPROTO=none
 
BROADCAST=10.0.1.255
 
BROADCAST=10.0.1.255
HWADDR=00:16:3E:04:C5:85
+
HWADDR=00:16:3E:1C:FE:21
 
IPADDR=10.0.1.5
 
IPADDR=10.0.1.5
 
NETMASK=255.255.255.0
 
NETMASK=255.255.255.0
Line 162: Line 114:
 
</pre></code>
 
</pre></code>
   
*Configured eth2 for the Internal Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth2</code>
+
*Verified eth2 configuration for the Internal Network in <code>/etc/sysconfig/network-scripts/ifcfg-eth2</code>
 
<code><pre>
 
<code><pre>
 
# Xen Virtual Ethernet
 
# Xen Virtual Ethernet
Line 168: Line 120:
 
BOOTPROTO=none
 
BOOTPROTO=none
 
BROADCAST=10.0.0.255
 
BROADCAST=10.0.0.255
HWADDR=00:16:3E:74:85:C8
+
HWADDR=00:16:3e:10:25:3f
 
IPADDR=10.0.0.20
 
IPADDR=10.0.0.20
 
NETMASK=255.255.255.0
 
NETMASK=255.255.255.0
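Review bot: the new eth2 address `HWADDR=00:16:3e:10:25:3f` is written in lowercase while eth0 and eth1 (`00:16:3E:34:64:A6`, `00:16:3E:1C:FE:21`) are uppercase. Normalize it to uppercase to match the other two files and the form the ifup scripts compare against, so a case-sensitive comparison cannot silently fail the HWADDR check and leave the interface unconfigured after a reboot.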
Line 176: Line 128:
 
</pre></code>
 
</pre></code>
   
===Updated System===
+
====Configured Hosts====
  +
*Edited <code>/etc/hosts</code>
*Installed all updates
 
**<code>yum update</code>
+
<code><pre>
  +
127.0.0.1 localhost.localdomain localhost
*Rebooted system due to new kernel
 
  +
::1 localhost6.localdomain6 localhost6
**<code>/sbin/shutdown -r now</code>
 
  +
128.153.145.12 isengard.cslabs.clarkson.edu isengard.cslabs isengard
  +
10.0.1.5 isengard.sr.cslabs.clarkson.edu isengard.sr.cslabs isengard.sr
  +
10.0.0.20 isengard.int.cslabs.clarkson.edu isengard.int.cslabs isengard.int
  +
</pre></code>
  +
  +
====Configured DNS Servers====
  +
*Edited <code>/etc/resolv.conf</code>
  +
<code><pre>
  +
search cslabs.clarkson.edu
  +
nameserver 128.153.145.2
  +
nameserver 128.153.0.254
  +
nameserver 128.153.5.254
  +
</pre></code>
   
 
===Configured IPtables===
 
===Configured IPtables===
*Edited <code>/etc/sysconfig/iptables</code>
 
 
<code><pre>
 
<code><pre>
Due to the sensitivity of this material, this config file has been left off; however, ssh must be allowed.
+
Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.
  +
  +
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
 
</pre></code>
 
</pre></code>
*Restarted iptables
 
**<code>/etc/init.d/iptables restart</code>
 
   
 
===Configured SSH===
 
===Configured SSH===
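Review bot: the one iptables rule the section says is required, `-A INPUT -p udp -m udp --dport 22 -j ACCEPT`, matches UDP, but sshd listens on TCP; as written it admits nothing useful and, with the rest of the policy withheld from the page, would lock administrators out after `/etc/init.d/iptables restart` if the default INPUT policy is DROP. The rule should be `-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT` (optionally with `-m state --state NEW`, alongside the usual ESTABLISHED,RELATED accept), and the text above it should say "ssh on TCP/22" rather than "the following rules". Test from a second session before closing the one used to edit the file.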
Line 198: Line 162:
 
**<code>/etc/init.d/sshd restart</code>
 
**<code>/etc/init.d/sshd restart</code>
   
===Set Up SSH Login Banner===
+
====Set Up SSH Login Banner====
 
*Edited <code>/etc/issue.net</code>
 
*Edited <code>/etc/issue.net</code>
 
<code><pre>
 
<code><pre>
Line 209: Line 173:
 
</pre></code>
 
</pre></code>
   
  +
===Configured Password Requirements===
===Set Up & Configured NTP===
 
  +
*Edited <code>/etc/login.defs</code>
*Installed NTP
 
**<code>yum install ntp</code>
 
 
*Edited <code>/etc/ntp.conf</code>
 
 
<code><pre>
 
<code><pre>
  +
MAIL_DIR /var/spool/mail
# Permit time synchronization with our time source, but do not
 
# permit the source to query or modify the service on this system.
 
restrict default kod nomodify notrap nopeer noquery
 
restrict -6 default kod nomodify notrap nopeer noquery
 
   
  +
PASS_MAX_DAYS 360
# Permit all access over the loopback interface. This could
 
  +
PASS_MIN_DAYS 0
# be tightened as well, but to do so would effect some of
 
  +
PASS_MIN_LEN 8
# the administrative functions.
 
  +
PASS_WARN_AGE 60
restrict 127.0.0.1
 
restrict -6 ::1
 
   
  +
UID_MIN 500
# Hosts on local network are less restricted.
 
  +
UID_MAX 60000
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
 
restrict tick.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
 
restrict tock.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
 
   
  +
GID_MIN 500
# Use public servers from the pool.ntp.org project.
 
  +
GID_MAX 60000
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
 
#server 0.rhel.pool.ntp.org
 
#server 1.rhel.pool.ntp.org
 
#server 2.rhel.pool.ntp.org
 
server tick.clarkson.edu
 
server tock.clarkson.edu
 
   
  +
CREATE_HOME yes
#broadcast 192.168.1.255 key 42 # broadcast server
 
#broadcastclient # broadcast client
 
#broadcast 224.0.1.1 key 42 # multicast server
 
#multicastclient 224.0.1.1 # multicast client
 
#manycastserver 239.255.254.254 # manycast server
 
#manycastclient 239.255.254.254 key 42 # manycast client
 
   
  +
UMASK 077
# Undisciplined Local Clock. This is a fake driver intended for backup
 
# and when no outside source of synchronized time is available.
 
server 127.127.1.0 # local clock
 
fudge 127.127.1.0 stratum 10
 
   
  +
USERGROUPS_ENAB yes
# Drift file. Put this in a directory which the daemon can write to.
 
# No symbolic links allowed, either, since the daemon updates the file
 
# by creating a temporary in the same directory and then rename()'ing
 
# it to the file.
 
driftfile /var/lib/ntp/drift
 
   
  +
MD5_CRYPT_ENAB yes
# Key file containing the keys and key identifiers used when operating
 
# with symmetric key cryptography.
 
keys /etc/ntp/keys
 
   
  +
ENCRYPT_METHOD MD5
# Specify the key identifiers which are trusted.
 
#trustedkey 4 8 42
 
 
# Specify the key identifier to use with the ntpdc utility.
 
#requestkey 8
 
 
# Specify the key identifier to use with the ntpq utility.
 
#controlkey 8
 
 
</pre></code>
 
</pre></code>
   
  +
===Added Custom PATH Variables===
*Edited <code>/etc/ntp/step-tickers</code>
 
  +
*Added the following to <code>/etc/profile</code>
 
<code><pre>
 
<code><pre>
  +
PATH=$PATH:/usr/sbin:/sbin
tick.clarkson.edu
 
  +
export PATH
tock.clarkson.edu
 
 
</pre></code>
 
</pre></code>
   
  +
===Modified Root's Crontab===
*Configured ntpd to start on boot
 
**<code>/sbin/chkconfig ntpd on</code>
+
*<code>crontab -e</code>
 
*Started ntpd immediately
 
**<code>/sbin/service ntpd start</code>
 
 
===Configured DNS Servers===
 
*Edited <code>/etc/resolv.conf</code>
 
 
<code><pre>
 
<code><pre>
  +
# Used to update locate database
search cslabs.clarkson.edu
 
  +
0 * * * * /usr/bin/updatedb
nameserver 128.153.145.2
 
nameserver 128.153.0.254
 
nameserver 128.153.5.254
 
 
</pre></code>
 
</pre></code>
   
===Configured Hosts File===
+
===Installed DenyHosts===
  +
*Installed DenyHosts
*Edited <code>/etc/hosts</code>
 
<code><pre>
+
**<code>yum install denyhosts</code>
# Do not remove the following line, or various programs
 
# that require network functionality will fail.
 
127.0.0.1 localhost.localdomain localhost
 
::1 localhost6.localdomain6 localhost6
 
#Clarkson Network
 
128.153.145.2 dns.cslabs.clarkson.edu dns.cslabs dns
 
128.153.145.3 indns.cslabs.clarkson.edu indns.cslabs
 
128.153.145.4 srdns.cslabs.clarkson.edu srdns.cslabs
 
128.153.145.12 isengard.cslabs.clarkson.edu isengard.cslabs isengard
 
128.153.145.16 netstat.cslabs.clarkson.edu netstat.cslabs
 
128.153.145.100 vmware1.cslabs.clarkson.edu vmware1.cslabs
 
128.153.145.101 vmware2.cslabs.clarkson.edu vmware2.cslabs
 
128.153.145.201 hydrogen.cslabs.clarkson.edu hydrogen.cslabs
 
128.153.145.202 helium.cslabs.clarkson.edu helium.cslabs
 
128.153.145.203 lithium.cslabs.clarkson.edu lithium.cslabs
 
128.153.145.204 beryllium.cslabs.clarkson.edu beryllium.cslabs
 
128.153.145.205 boron.cslabs.clarkson.edu boron.cslabs
 
128.153.145.206 carbon.cslabs.clarkson.edu carbon.cslabs
 
128.153.145.207 nitrogen.cslabs.clarkson.edu nitrogen.cslabs
 
128.153.145.208 oxygen.cslabs.clarkson.edu oxygen.cslabs
 
128.153.145.209 fluorine.cslabs.clarkson.edu fluorine.cslabs
 
128.153.145.210 neon.cslabs.clarkson.edu neon.cslabs
 
128.153.145.211 sodium.cslabs.clarkson.edu sodium.cslabs
 
128.153.145.212 magnesium.cslabs.clarkson.edu magnesium.cslabs
 
128.153.145.213 aluminum.cslabs.clarkson.edu aluminum.cslabs
 
128.153.145.214 silicon.cslabs.clarkson.edu silicon.cslabs
 
128.153.145.215 righteous.cslabs.clarkson.edu righteous.cslabs
 
#Internal Network
 
10.0.0.1 indns.in.cs.clarkson.edu indns.in.cs indns.in indns
 
10.0.0.10 righteous.in.cs.clarkson.edu righteous.in.cs righteous.in
 
10.0.0.11 vmware1.in.cs.clarkson.edu vmware1.in.cs vmware1.in
 
10.0.0.12 vmware2.in.cs.clarkson.edu vmware2.in.cs vmware2.in
 
10.0.0.20 isengard.in.cs.clarkson.edu isengard.in.cs isengard.in
 
10.0.0.21 netstat.in.cs.clarkson.edu netstat.in.cs netstat.in
 
#Server Room Network
 
10.0.1.1 srdns.sr.cs.clarkson.edu srdns.sr.cs srdns.sr srdns
 
10.0.1.2 animal.sr.cs.clarkson.edu animal.sr.cs animal.sr animal
 
10.0.1.5 isengard.sr.cs.clarkson.edu isengard.sr.cs isengard.sr isengard
 
10.0.1.25 hydrogen.sr.cs.clarkson.edu hydrogen.sr.cs hydrogen.sr hydrogen
 
10.0.1.26 helium.sr.cs.clarkson.edu helium.sr.cs helium.sr helium
 
10.0.1.27 lithium.sr.cs.clarkson.edu lithium.sr.cs lithium.sr lithium
 
10.0.1.29 vmware1.sr.cs.clarkson.edu vmware1.sr.cs vmware1.sr vmware1
 
10.0.1.30 vmware2.sr.cs.clarkson.edu vmware2.sr.cs vmware2.sr vmware2
 
10.0.1.33 righteous.sr.cs.clarkson.edu righteous.sr.cs righteous.sr righteous
 
10.0.1.55 netstat.sr.cs.clarkson.edu netstat.sr.cs netstat.sr netstat
 
</pre></code>
 
   
  +
*Configured DenyHosts <code>/etc/denyhosts/denyhosts.cfg</code>
===Set up DenyHosts ===
 
*Installed denyhosts
 
**<code>yum install denyhosts</code>
 
*Configured denyhosts (<code>/etc/denyhosts/denyhosts.cfg</code>)
 
 
<code><pre>
 
<code><pre>
############ THESE SETTINGS ARE REQUIRED ############
 
 
########################################################################
 
#
 
# SECURE_LOG: the log file that contains sshd logging info
 
# if you are not sure, grep "sshd:" /var/log/*
 
#
 
# The file to process can be overridden with the --file command line
 
# argument
 
#
 
# Redhat or Fedora Core:
 
 
SECURE_LOG = /var/log/secure
 
SECURE_LOG = /var/log/secure
#
 
# Mandrake, FreeBSD or OpenBSD:
 
#SECURE_LOG = /var/log/auth.log
 
#
 
# SuSE:
 
#SECURE_LOG = /var/log/messages
 
#
 
# Mac OS X (v10.4 or greater -
 
# also refer to: http://www.denyhosts.net/faq.html#macos
 
#SECURE_LOG = /private/var/log/asl.log
 
#
 
# Mac OS X (v10.3 or earlier):
 
#SECURE_LOG=/private/var/log/system.log
 
#
 
########################################################################
 
   
########################################################################
 
#
 
# HOSTS_DENY: the file which contains restricted host access information
 
#
 
# Most operating systems:
 
 
HOSTS_DENY = /etc/hosts.deny
 
HOSTS_DENY = /etc/hosts.deny
#
 
# Some BSD (FreeBSD) Unixes:
 
#HOSTS_DENY = /etc/hosts.allow
 
#
 
# Another possibility (also see the next option):
 
#HOSTS_DENY = /etc/hosts.evil
 
#######################################################################
 
   
  +
PURGE_DENY =
   
########################################################################
 
#
 
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
 
# when DenyHosts is invoked with the --purge flag
 
#
 
# format is: i[dhwmy]
 
# Where 'i' is an integer (eg. 7)
 
# 'm' = minutes
 
# 'h' = hours
 
# 'd' = days
 
# 'w' = weeks
 
# 'y' = years
 
#
 
# never purge:
 
PURGE_DENY =
 
#
 
# purge entries older than 1 week
 
#PURGE_DENY = 1w
 
#
 
# purge entries older than 5 days
 
#PURGE_DENY = 5d
 
#######################################################################
 
 
#######################################################################
 
#
 
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
 
# Once this value has been exceeded then this host will not be purged.
 
# Setting this parameter to 0 (the default) disables this feature.
 
#
 
# default: a denied host can be purged/re-added indefinitely
 
#PURGE_THRESHOLD = 0
 
#
 
# a denied host will be purged at most 2 times.
 
#PURGE_THRESHOLD = 2
 
#
 
#######################################################################
 
 
 
#######################################################################
 
#
 
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
 
#
 
# man 5 hosts_access for details
 
#
 
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
 
#
 
# To block all services for the offending host:
 
#BLOCK_SERVICE = ALL
 
# To block only sshd:
 
 
BLOCK_SERVICE = sshd
 
BLOCK_SERVICE = sshd
# To only record the offending host and nothing else (if using
 
# an auxilary file to list the hosts). Refer to:
 
# http://denyhosts.sourceforge.net/faq.html#aux
 
#BLOCK_SERVICE =
 
#
 
#######################################################################
 
   
 
#######################################################################
 
#
 
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
 
# attempts has exceeded this value. This value applies to invalid
 
# user login attempts (eg. non-existent user accounts)
 
#
 
 
DENY_THRESHOLD_INVALID = 5
 
DENY_THRESHOLD_INVALID = 5
#
 
#######################################################################
 
   
#######################################################################
 
#
 
# DENY_THRESHOLD_VALID: block each host after the number of failed
 
# login attempts has exceeded this value. This value applies to valid
 
# user login attempts (eg. user accounts that exist in /etc/passwd) except
 
# for the "root" user
 
#
 
 
DENY_THRESHOLD_VALID = 10
 
DENY_THRESHOLD_VALID = 10
#
 
#######################################################################
 
   
#######################################################################
 
#
 
# DENY_THRESHOLD_ROOT: block each host after the number of failed
 
# login attempts has exceeded this value. This value applies to
 
# "root" user login attempts only.
 
#
 
 
DENY_THRESHOLD_ROOT = 1
 
DENY_THRESHOLD_ROOT = 1
#
 
#######################################################################
 
   
 
#######################################################################
 
#
 
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
 
# login attempts has exceeded this value. This value applies to
 
# usernames that appear in the WORK_DIR/restricted-usernames file only.
 
#
 
 
DENY_THRESHOLD_RESTRICTED = 1
 
DENY_THRESHOLD_RESTRICTED = 1
#
 
#######################################################################
 
   
 
#######################################################################
 
#
 
# WORK_DIR: the path that DenyHosts will use for writing data to
 
# (it will be created if it does not already exist).
 
#
 
# Note: it is recommended that you use an absolute pathname
 
# for this value (eg. /home/foo/denyhosts/data)
 
#
 
 
WORK_DIR = /usr/share/denyhosts/data
 
WORK_DIR = /usr/share/denyhosts/data
#
 
#######################################################################
 
   
#######################################################################
 
#
 
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
 
#
 
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
 
# If set to YES, if a suspicious login attempt results from an allowed-host
 
# then it is considered suspicious. If this is NO, then suspicious logins
 
# from allowed-hosts will not be reported. All suspicious logins from
 
# ip addresses that are not in allowed-hosts will always be reported.
 
#
 
 
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
 
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################
 
   
######################################################################
 
#
 
# HOSTNAME_LOOKUP
 
#
 
# HOSTNAME_LOOKUP=YES|NO
 
# If set to YES, for each IP address that is reported by Denyhosts,
 
# the corresponding hostname will be looked up and reported as well
 
# (if available).
 
#
 
 
HOSTNAME_LOOKUP=YES
 
HOSTNAME_LOOKUP=YES
#
 
######################################################################
 
   
 
######################################################################
 
#
 
# LOCK_FILE
 
#
 
# LOCK_FILE=/path/denyhosts
 
# If this file exists when DenyHosts is run, then DenyHosts will exit
 
# immediately. Otherwise, this file will be created upon invocation
 
# and deleted upon exit. This ensures that only one instance is
 
# running at a time.
 
#
 
# Redhat/Fedora:
 
 
LOCK_FILE = /var/lock/subsys/denyhosts
 
LOCK_FILE = /var/lock/subsys/denyhosts
#
 
# Debian
 
#LOCK_FILE = /var/run/denyhosts.pid
 
#
 
# Misc
 
#LOCK_FILE = /tmp/denyhosts.lock
 
#
 
######################################################################
 
 
 
############ THESE SETTINGS ARE OPTIONAL ############
 
 
   
  +
ADMIN_EMAIL = mccarrms@gmail.com
#######################################################################
 
#
 
# ADMIN_EMAIL: if you would like to receive emails regarding newly
 
# restricted hosts and suspicious logins, set this address to
 
# match your email address. If you do not want to receive these reports
 
# leave this field blank (or run with the --noemail option)
 
#
 
# Multiple email addresses can be delimited by a comma, eg:
 
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
 
#
 
ADMIN_EMAIL =
 
#
 
#######################################################################
 
   
#######################################################################
 
#
 
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
 
# reports (see ADMIN_EMAIL) then these settings specify the
 
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
 
#
 
#
 
 
SMTP_HOST = localhost
 
SMTP_HOST = localhost
 
SMTP_PORT = 25
 
SMTP_PORT = 25
#
 
#######################################################################
 
   
  +
SMTP_FROM = DenyHosts <nobody@isengard.cslabs.clarkson.edu>
#######################################################################
 
#
 
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
 
# smtp email server requires authentication
 
#
 
#SMTP_USERNAME=foo
 
#SMTP_PASSWORD=bar
 
#
 
######################################################################
 
   
#######################################################################
 
#
 
# SMTP_FROM: you can specify the "From:" address in messages sent
 
# from DenyHosts when it reports thwarted abuse attempts
 
#
 
SMTP_FROM = DenyHosts <nobody@localhost>
 
#
 
#######################################################################
 
 
#######################################################################
 
#
 
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
 
# by DenyHosts when it reports thwarted abuse attempts
 
 
SMTP_SUBJECT = DenyHosts Report
 
SMTP_SUBJECT = DenyHosts Report
#
 
######################################################################
 
 
######################################################################
 
#
 
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
 
# when sending email messages.
 
#
 
# for possible values for this parameter refer to: man strftime
 
#
 
# the default:
 
#
 
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
 
#
 
######################################################################
 
 
######################################################################
 
#
 
# SYSLOG_REPORT
 
#
 
# SYSLOG_REPORT=YES|NO
 
# If set to yes, when denied hosts are recorded the report data
 
# will be sent to syslog (syslog must be present on your system).
 
# The default is: NO
 
#
 
#SYSLOG_REPORT=NO
 
#
 
#SYSLOG_REPORT=YES
 
#
 
######################################################################
 
 
######################################################################
 
#
 
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
 
#
 
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
 
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
 
# the hostname will be looked up. If your versions of tcp_wrappers
 
# and sshd sometimes log hostnames in addition to ip addresses
 
# then you may wish to specify this option.
 
#
 
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
 
#
 
######################################################################
 
   
######################################################################
 
#
 
# AGE_RESET_VALID: Specifies the period of time between failed login
 
# attempts that, when exceeded will result in the failed count for
 
# this host to be reset to 0. This value applies to login attempts
 
# to all valid users (those within /etc/passwd) with the
 
# exception of root. If not defined, this count will never
 
# be reset.
 
#
 
# See the comments in the PURGE_DENY section (above)
 
# for details on specifying this value or for complete details
 
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
 
#
 
 
AGE_RESET_VALID=5d
 
AGE_RESET_VALID=5d
#
 
######################################################################
 
   
######################################################################
 
#
 
# AGE_RESET_ROOT: Specifies the period of time between failed login
 
# attempts that, when exceeded will result in the failed count for
 
# this host to be reset to 0. This value applies to all login
 
# attempts to the "root" user account. If not defined,
 
# this count will never be reset.
 
#
 
# See the comments in the PURGE_DENY section (above)
 
# for details on specifying this value or for complete details
 
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
 
#
 
AGE_RESET_ROOT=25d
 
#
 
######################################################################
 
 
######################################################################
 
#
 
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
 
# attempts that, when exceeded will result in the failed count for
 
# this host to be reset to 0. This value applies to all login
 
# attempts to entries found in the WORK_DIR/restricted-usernames file.
 
# If not defined, the count will never be reset.
 
#
 
# See the comments in the PURGE_DENY section (above)
 
# for details on specifying this value or for complete details
 
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
 
#
 
 
AGE_RESET_RESTRICTED=25d
 
AGE_RESET_RESTRICTED=25d
#
 
######################################################################
 
 
   
######################################################################
 
#
 
# AGE_RESET_INVALID: Specifies the period of time between failed login
 
# attempts that, when exceeded will result in the failed count for
 
# this host to be reset to 0. This value applies to login attempts
 
# made to any invalid username (those that do not appear
 
# in /etc/passwd). If not defined, count will never be reset.
 
#
 
# See the comments in the PURGE_DENY section (above)
 
# for details on specifying this value or for complete details
 
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
 
#
 
 
AGE_RESET_INVALID=10d
 
AGE_RESET_INVALID=10d
#
 
######################################################################
 
   
 
######################################################################
 
#
 
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
 
# failed count for the respective ip address will be reset to 0
 
# if the login is successful.
 
#
 
# The default is RESET_ON_SUCCESS = no
 
#
 
#RESET_ON_SUCCESS = yes
 
#
 
#####################################################################
 
 
 
######################################################################
 
#
 
# PLUGIN_DENY: If set, this value should point to an executable
 
# program that will be invoked when a host is added to the
 
# HOSTS_DENY file. This executable will be passed the host
 
# that will be added as it's only argument.
 
#
 
#PLUGIN_DENY=/usr/bin/true
 
#
 
######################################################################
 
 
 
######################################################################
 
#
 
# PLUGIN_PURGE: If set, this value should point to an executable
 
# program that will be invoked when a host is removed from the
 
# HOSTS_DENY file. This executable will be passed the host
 
# that is to be purged as it's only argument.
 
#
 
#PLUGIN_PURGE=/usr/bin/true
 
#
 
######################################################################
 
 
######################################################################
 
#
 
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
 
# a regular expression that can be used to identify additional
 
# hackers for your particular ssh configuration. This functionality
 
# extends the built-in regular expressions that DenyHosts uses.
 
# This parameter can be specified multiple times.
 
# See this faq entry for more details:
 
# http://denyhosts.sf.net/faq.html#userdef_regex
 
#
 
#USERDEF_FAILED_ENTRY_REGEX=
 
#
 
#
 
######################################################################

######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########

#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report its status.
# To disable logging, leave blank. (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts
#
# disable logging:
#DAEMON_LOG =
#
######################################################################

#######################################################################
#
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
# (--daemon flag) this specifies the timestamp format of
# the DAEMON_LOG messages (default is the ISO8601 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
######################################################################

#######################################################################
#
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
# (--daemon flag) this specifies the message format of each logged
# entry. By default the following format is used:
#
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
# Where the "%(asctime)s" portion is expanded to the format
# defined by DAEMON_LOG_TIME_FORMAT
#
# This string is passed to python's logging.Formatter constructor.
# For details on the possible format types please refer to:
# http://docs.python.org/lib/node357.html
#
# This is the default:
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
######################################################################

#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhosts.sourceforge.net/faq.html#timespec
#
DAEMON_SLEEP = 30s
#
#######################################################################

#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h
#
#######################################################################

######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########

#######################################################################
#
# Synchronization mode allows the DenyHosts daemon the ability
# to periodically send and receive denied host data such that
# DenyHosts daemons worldwide can automatically inform one
# another regarding banned hosts. This mode is disabled by
# default, you must uncomment SYNC_SERVER to enable this mode.
#
# for more information, please refer to:
# http://denyhosts.sourceforge.net/faq.html#sync
#
#######################################################################

#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons. Currently, denyhosts.net is the only available server
# however, in the future, it may be possible for organizations to
# install their own server for internal network synchronization
#
# To disable synchronization (the default), do nothing.
#
# To enable synchronization, you must uncomment the following line:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################

#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented. The default is 1 hour.
#
SYNC_INTERVAL = 1h
#
#######################################################################

#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
#SYNC_UPLOAD = no
SYNC_UPLOAD = yes
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
SYNC_DOWNLOAD = yes
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
# filters the returned hosts to those that have been blocked this many
# times by others. That is, if set to 1, then if a single DenyHosts
# server has denied an ip address then you will receive the denied host.
#
# See also SYNC_DOWNLOAD_RESILIENCY
#
#SYNC_DOWNLOAD_THRESHOLD = 10
#
# The default is SYNC_DOWNLOAD_THRESHOLD = 3
#
SYNC_DOWNLOAD_THRESHOLD = 3
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
# value specified for this option limits the downloaded data
# to this resiliency period or greater.
#
# Resiliency is defined as the timespan between a hacker's first known
# attack and its most recent attack. Example:
#
# If the centralized denyhosts.net server records an attack at 2 PM
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
# will not download this ip address.
#
# However, if the attacker is recorded again at 6:15 PM then the
# ip address will be downloaded by your DenyHosts instance.
#
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
# and only hosts that satisfy both values will be downloaded.
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
#
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
#
# Only obtain hackers that have been at it for 2 days or more:
#SYNC_DOWNLOAD_RESILIENCY = 2d
#
# Only obtain hackers that have been at it for 5 hours or more:
SYNC_DOWNLOAD_RESILIENCY = 5h
#
#######################################################################
</pre></code>
 
 
*Configured denyhosts to start on boot
**<code>/sbin/chkconfig denyhosts on</code>

*Started denyhosts
**<code>/etc/init.d/denyhosts start</code>

===Configured Some Password Policy===
*Edited /etc/login.defs
<code><pre>
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 360
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 30

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
</pre></code>
 
 
===Added RPMForge Yum Repository===
*<code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code>
**From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]

===Configured to be monitored by [[netstat]] Nagios Server===
====Installed Needed Packages====
*<code>yum install xinetd gcc openssl-devel</code>

====Created nagios user====
*<code>/usr/sbin/useradd nagios -s/sbin/nologin</code>
*<code>passwd nagios</code>

====Compiled and Installed Nagios Plugins====
*Downloaded Plugins
**<code>wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.12.tar.gz</code>

*Extracted Plugins
**<code>tar xzf nagios-plugins-1.4.12.tar.gz</code>

*Compiled and Installed Plugins
**<code>cd nagios-plugins-1.4.12</code>
**<code>./configure --enable-perl-modules</code>
**<code>make</code>
**<code>make install</code>

*Set Permissions on plugin folder
**<code>chown nagios.nagios /usr/local/nagios</code>
**<code>chown -R nagios.nagios /usr/local/nagios/libexec</code>

====Installed NRPE Daemon====
*Downloaded
**<code>wget http://internap.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz</code>

*Extracted nrpe
**<code>tar xzf nrpe-2.12.tar.gz</code>

*Compiled & Installed Plugin
**<code>cd nrpe-2.12</code>
**<code>./configure</code>
**<code>make all</code>
**<code>make install-plugin</code>
**<code>make install-daemon</code>
**<code>make install-daemon-config</code>
**<code>make install-xinetd</code>

*Edited <code>/etc/xinetd.d/nrpe</code> and modified the following line
<code><pre>
only_from = 128.153.145.16
</pre></code>

*Edited <code>/etc/services</code> and added the following entry
<code><pre>
nrpe 5666/tcp # NRPE
</pre></code>

*Configured xinetd to start on boot
**<code>/sbin/chkconfig xinetd on</code>

*Started xinetd
**<code>/etc/init.d/xinetd start</code>

*Edited <code>/etc/sysconfig/iptables</code> and added the following rule
<code><pre>
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -s 128.153.145.16 -j ACCEPT
</pre></code>

*Restarted iptables
**<code>/etc/init.d/iptables restart</code>

====Configured NRPE====
*Edited <code>/usr/local/nagios/etc/nrpe.cfg</code> to look like the following
 
<code><pre>
#############################################################################
# NRPE Config File
#
# Last Modified: 05-27-2008
#############################################################################

# LOG FACILITY
# The syslog facility that should be used for logging purposes.

log_facility=daemon

# PID FILE
# The name of the file in which the NRPE daemon should write its process ID
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.

pid_file=/var/run/nrpe.pid

# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-privileged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

server_port=5666

# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#server_address=127.0.0.1

# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios

# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=128.153.145.16

# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed. This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

dont_blame_nrpe=0

# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commands using sudo. For this to work, you need to add
# the nagios user to your /etc/sudoers. An example entry for allowing
# execution of the plugins from might be:
#
# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password. If you do this, make sure you don't give
# random users write access to that directory or its contents!

# command_prefix=/usr/bin/sudo

# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on

debug=0

# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.

command_timeout=60

# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.

connection_timeout=300

# WEAK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment variable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness

#allow_weak_random_seed=1

# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.

include=/usr/local/nagios/etc/command_def.cfg
</pre></code>
 
 
*Created <code>/usr/local/nagios/etc/command_def.cfg</code>
<code><pre>
command[check_users]=/usr/local/nagios/libexec/check_users -w 10 -c 15
command[check_load]=/usr/local/nagios/libexec/check_load -w 3.00,2.75,2.50 -c 3.50,3.25,3.00
command[check_rootfs]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/xvda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 80 -c 100
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 15% -c 10%
command[check_nagios]=/usr/local/nagios/libexec/check_nagios -V
</pre></code>

*Configured DenyHosts to start on boot
**<code>/sbin/chkconfig --levels 2345 denyhosts on</code>

===Final Steps===
*Created previous user accounts that existed on righteous
*Copied previous user account passwords from <code>/etc/shadow</code> on old righteous to <code>/etc/shadow</code> on isengard
*Rebooted and tested that denyhosts started on boot & had other users test accounts

[[Category:Documentation]]

Revision as of 22:27, 5 April 2009

This page summarizes how the virtual machine Isengard was set up in Spring 2009.

Install

  • Installed CentOS 5.3 x64.
    • Partition Scheme
      • 2.9 GB /
      • 100 MB /home
      • 1.5 GB /var
      • 512 MB swap

Configuration

Updated VM

  • yum install yum-fastestmirror vim-enhanced gcc emacs-nox
  • yum update

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%admins ALL=USERS, /usr/bin/passwd [[\:alpha\:]]*, !/usr/bin/passwd root

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=isengard.cslabs.clarkson.edu
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=none
BROADCAST=128.153.145.255
HWADDR=00:16:3E:34:64:A6
IPADDR=128.153.145.12
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Xen Virtual Ethernet
DEVICE=eth1
BOOTPROTO=none
BROADCAST=10.0.1.255
HWADDR=00:16:3E:1C:FE:21
IPADDR=10.0.1.5
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
TYPE=Ethernet
  • Verified eth2 configuration for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Xen Virtual Ethernet
DEVICE=eth2
BOOTPROTO=none
BROADCAST=10.0.0.255
HWADDR=00:16:3e:10:25:3f
IPADDR=10.0.0.20
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6
128.153.145.12  isengard.cslabs.clarkson.edu isengard.cslabs isengard
10.0.1.5        isengard.sr.cslabs.clarkson.edu isengard.sr.cslabs isengard.sr
10.0.0.20       isengard.int.cslabs.clarkson.edu isengard.int.cslabs isengard.int

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu
nameserver 128.153.145.2
nameserver 128.153.0.254
nameserver 128.153.5.254

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.

-A INPUT -p udp -m udp --dport 22 -j ACCEPT

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
   _                               __
  (_)__ ___ ___  ___ ____ ________/ /
 / (_-</ -_) _ \/ _ `/ _ `/ __/ _  /
/_/___/\__/_//_/\_, /\_,_/_/  \_,_/
               /___/

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Modified Root's Crontab

  • crontab -e
# Used to update locate database
0 * * * * /usr/bin/updatedb

Installed DenyHosts

  • Installed DenyHosts
    • yum install denyhosts
  • Configured DenyHosts /etc/denyhosts/denyhosts.cfg
SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.deny

PURGE_DENY =

BLOCK_SERVICE  = sshd

DENY_THRESHOLD_INVALID = 5

DENY_THRESHOLD_VALID = 10

DENY_THRESHOLD_ROOT = 1

DENY_THRESHOLD_RESTRICTED = 1

WORK_DIR = /usr/share/denyhosts/data

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=YES

LOCK_FILE = /var/lock/subsys/denyhosts

ADMIN_EMAIL = mccarrms@gmail.com

SMTP_HOST = localhost
SMTP_PORT = 25

SMTP_FROM = DenyHosts <nobody@isengard.cslabs.clarkson.edu>

SMTP_SUBJECT = DenyHosts Report

AGE_RESET_VALID=5d

AGE_RESET_RESTRICTED=25d

AGE_RESET_INVALID=10d

DAEMON_LOG = /var/log/denyhosts

DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

SYNC_INTERVAL = 1h

SYNC_UPLOAD = yes

SYNC_DOWNLOAD = yes

SYNC_DOWNLOAD_THRESHOLD = 3

SYNC_DOWNLOAD_RESILIENCY = 5h
  • Configured DenyHosts to start on boot
    • /sbin/chkconfig --levels 2345 denyhosts on
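As an added example (not code from this wiki page or from DenyHosts itself), the Python below models the two decisions the denyhosts.cfg above configures: which hosts in /var/log/secure reach DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID or DENY_THRESHOLD_ROOT and so get a "sshd:" entry in HOSTS_DENY, and which hosts offered by the sync server pass SYNC_DOWNLOAD_THRESHOLD and SYNC_DOWNLOAD_RESILIENCY (the 2 PM / 5 PM / 6:15 PM case from the config comments). The log lines and addresses are constructed, the sshd message format is the one CentOS 5 writes to /var/log/secure, and the counting is a simplified model of DenyHosts' own logic.

```python
import re
from datetime import datetime, timedelta

# Thresholds as set in the denyhosts.cfg on this page.
DENY_THRESHOLD_INVALID = 5   # failures for user names that do not exist
DENY_THRESHOLD_VALID = 10    # failures for existing non-root users
DENY_THRESHOLD_ROOT = 1      # one failed root login is enough
BLOCK_SERVICE = "sshd"       # HOSTS_DENY entries look like "sshd: <host>"

# "Failed password" lines as CentOS 5 sshd writes them to /var/log/secure.
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
                       r"from (?P<host>\d+\.\d+\.\d+\.\d+)")

# Constructed /var/log/secure sample; client addresses are from the 192.0.2.0/24
# documentation range, not hosts from the page.
SAMPLE_SECURE_LOG = [
    f"Apr  5 22:01:{10 + i:02d} isengard sshd[41{i:02d}]: Failed password for "
    f"invalid user {user} from 192.0.2.10 port 402{i:02d} ssh2"
    for i, user in enumerate(["admin", "oracle", "test", "guest", "admin"])
] + [
    "Apr  5 22:02:00 isengard sshd[4120]: Failed password for root from 192.0.2.11 port 40300 ssh2",
    "Apr  5 22:02:30 isengard sshd[4121]: Failed password for mccarrms from 192.0.2.12 port 50000 ssh2",
    "Apr  5 22:02:41 isengard sshd[4122]: Failed password for mccarrms from 192.0.2.12 port 50001 ssh2",
    "Apr  5 22:03:05 isengard sshd[4123]: Accepted password for mccarrms from 192.0.2.12 port 50002 ssh2",
]

def threshold_for(user, invalid):
    """Pick the threshold DenyHosts applies to one failed login."""
    if user == "root":
        return DENY_THRESHOLD_ROOT
    return DENY_THRESHOLD_INVALID if invalid else DENY_THRESHOLD_VALID

def hosts_to_deny(secure_log_lines):
    """Simplified model of the DenyHosts decision: count failures per host and
    threshold class, and return hosts.deny entries (in first-seen order) for
    every host whose count reaches the threshold for that class."""
    counts = {}       # (host, threshold) -> failed attempts
    seen = []         # hosts in order of first appearance
    for line in secure_log_lines:
        match = FAILED_RE.search(line)
        if match is None:     # accepted logins and unrelated lines are ignored
            continue
        host = match.group("host")
        key = (host, threshold_for(match.group("user"), bool(match.group("invalid"))))
        if host not in seen:
            seen.append(host)
        counts[key] = counts.get(key, 0) + 1
    return [f"{BLOCK_SERVICE}: {host}" for host in seen
            if any(n >= limit for (h, limit), n in counts.items() if h == host)]

def report_time(hour, minute=0):
    """Constructed timestamp on the page's revision date (helper for callers)."""
    return datetime(2009, 4, 5, hour, minute)

def sync_download_accepts(first_attack, last_attack, times_denied,
                          threshold=3, resiliency_hours=5):
    """Apply SYNC_DOWNLOAD_THRESHOLD and SYNC_DOWNLOAD_RESILIENCY (page defaults)
    to one host reported by the sync server: at least `threshold` peers must
    have denied it and, unless threshold is 1, the span from its first to its
    latest recorded attack must be at least the resiliency period."""
    if times_denied < threshold:
        return False
    if threshold == 1:        # per the config comments, resiliency is ignored here
        return True
    return last_attack - first_attack >= timedelta(hours=resiliency_hours)
```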