Difference between revisions of "Isengard Setup Process"

From CSLabsWiki
m (Updated check_load values)
m (removed a category)
Line 1,282: Line 1,282:
 
*Rebooted and tested that denyhosts started on boot & had other users test accounts
 
*Rebooted and tested that denyhosts started on boot & had other users test accounts
   
[[Category:How To]]
 
 
[[Category:Documentation]]
 
[[Category:Documentation]]
 
[[Category:Infrastructure]]
 
[[Category:Infrastructure]]

Revision as of 20:28, 7 March 2009

This page summarizes how the virtual machine isengard was set up in April 2008, changes made during May 2008, and upgrades during August 2008.

Install

  • Installed CentOS 5.1 x64.
    • Partition Scheme
      • 4.5 GB /
      • 512 MB swap

Upgraded to Latest Version

  • Upgraded to CentOS 5.2 x64
    • yum upgrade
    • Rebooted for changes to take effect

Configuration

Configured Sudo

  • /usr/sbin/visudo
## sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
User_Alias ADMINS = mccarrms,shephezj,lewisrj


## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allow members of ADMINS to use sudo
ADMINS ALL=(root) ALL, !SHELLS

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

Created Admin User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms -s/bin/bash
  • Set password for mccarrms
    • passwd mccarrms

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=isengard.cslabs.clarkson.edu
  • Configured eth0 for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=none
BROADCAST=128.153.145.255
HWADDR=00:16:3E:31:D1:B7
IPADDR=128.153.145.12
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Configured eth1 for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Xen Virtual Ethernet
DEVICE=eth1
BOOTPROTO=none
BROADCAST=10.0.1.255
HWADDR=00:16:3E:04:C5:85
IPADDR=10.0.1.5
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
TYPE=Ethernet
  • Configured eth2 for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Xen Virtual Ethernet
DEVICE=eth2
BOOTPROTO=none
BROADCAST=10.0.0.255
HWADDR=00:16:3E:74:85:C8
IPADDR=10.0.0.20
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet

Updated System

  • Installed all updates
    • yum update
  • Rebooted system due to new kernel
    • /sbin/shutdown -r now

Configured IPtables

  • Edited /etc/sysconfig/iptables
Due to the sensitivity of this material, this config file has been left off; however, ssh must be allowed.
  • Restarted iptables
    • /etc/init.d/iptables restart

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
   _                               __
  (_)__ ___ ___  ___ ____ ________/ /
 / (_-</ -_) _ \/ _ `/ _ `/ __/ _  /
/_/___/\__/_//_/\_, /\_,_/_/  \_,_/
               /___/

Set Up & Configured NTP

  • Installed NTP
    • yum install ntp
  • Edited /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict tick.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
restrict tock.clarkson.edu mask 255.255.255.255 nomodify notrap noquery

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server tick.clarkson.edu
server tock.clarkson.edu

#broadcast 192.168.1.255 key 42         # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 key 42             # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 key 42  # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. 
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography. 
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8
  • Edited /etc/ntp/step-tickers
tick.clarkson.edu
tock.clarkson.edu
  • Configured ntpd to start on boot
    • /sbin/chkconfig ntpd on
  • Started ntpd immediately
    • /sbin/service ntpd start

Configured DNS Servers

  • Edited /etc/resolv.conf
search sr.cs.clarkson.edu
nameserver 10.0.1.1
nameserver 10.0.0.1
nameserver 128.153.128.2
nameserver 128.153.4.2

Configured Hosts File

  • Edited /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost
::1     localhost6.localdomain6 localhost6
#Clarkson Network
128.153.145.2   dns.cslabs.clarkson.edu dns.cslabs dns
128.153.145.3   indns.cslabs.clarkson.edu indns.cslabs
128.153.145.4   srdns.cslabs.clarkson.edu srdns.cslabs
128.153.145.12  isengard.cslabs.clarkson.edu isengard.cslabs isengard
128.153.145.16  netstat.cslabs.clarkson.edu netstat.cslabs
128.153.145.100 vmware1.cslabs.clarkson.edu vmware1.cslabs
128.153.145.101 vmware2.cslabs.clarkson.edu vmware2.cslabs
128.153.145.201 hydrogen.cslabs.clarkson.edu hydrogen.cslabs
128.153.145.202 helium.cslabs.clarkson.edu helium.cslabs
128.153.145.203 lithium.cslabs.clarkson.edu lithium.cslabs
128.153.145.204 beryllium.cslabs.clarkson.edu beryllium.cslabs
128.153.145.205 boron.cslabs.clarkson.edu boron.cslabs
128.153.145.206 carbon.cslabs.clarkson.edu carbon.cslabs
128.153.145.207 nitrogen.cslabs.clarkson.edu nitrogen.cslabs
128.153.145.208 oxygen.cslabs.clarkson.edu oxygen.cslabs
128.153.145.209 fluorine.cslabs.clarkson.edu fluorine.cslabs
128.153.145.210 neon.cslabs.clarkson.edu neon.cslabs
128.153.145.211 sodium.cslabs.clarkson.edu sodium.cslabs
128.153.145.212 magnesium.cslabs.clarkson.edu magnesium.cslabs
128.153.145.213 aluminum.cslabs.clarkson.edu aluminum.cslabs
128.153.145.214 silicon.cslabs.clarkson.edu silicon.cslabs
128.153.145.215 righteous.cslabs.clarkson.edu righteous.cslabs
#Internal Network
10.0.0.1        indns.in.cs.clarkson.edu indns.in.cs indns.in indns
10.0.0.10       righteous.in.cs.clarkson.edu righteous.in.cs righteous.in
10.0.0.11       vmware1.in.cs.clarkson.edu vmware1.in.cs vmware1.in
10.0.0.12       vmware2.in.cs.clarkson.edu vmware2.in.cs vmware2.in
10.0.0.20       isengard.in.cs.clarkson.edu isengard.in.cs isengard.in
10.0.0.21       netstat.in.cs.clarkson.edu netstat.in.cs netstat.in
#Server Room Network
10.0.1.1        srdns.sr.cs.clarkson.edu srdns.sr.cs srdns.sr srdns
10.0.1.2        animal.sr.cs.clarkson.edu animal.sr.cs animal.sr animal
10.0.1.5        isengard.sr.cs.clarkson.edu isengard.sr.cs isengard.sr isengard
10.0.1.25       hydrogen.sr.cs.clarkson.edu hydrogen.sr.cs hydrogen.sr hydrogen
10.0.1.26       helium.sr.cs.clarkson.edu helium.sr.cs helium.sr helium
10.0.1.27       lithium.sr.cs.clarkson.edu lithium.sr.cs lithium.sr lithium
10.0.1.29       vmware1.sr.cs.clarkson.edu vmware1.sr.cs vmware1.sr vmware1
10.0.1.30       vmware2.sr.cs.clarkson.edu vmware2.sr.cs vmware2.sr vmware2
10.0.1.33       righteous.sr.cs.clarkson.edu righteous.sr.cs righteous.sr righteous
10.0.1.55       netstat.sr.cs.clarkson.edu netstat.sr.cs netstat.sr netstat

Set up DenyHosts

  • Installed denyhosts
    • yum install denyhosts
  • Configured denyhosts (/etc/denyhosts/denyhosts.cfg)
       ############ THESE SETTINGS ARE REQUIRED ############

########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD: 
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater - 
#   also refer to:   http://www.denyhosts.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
########################################################################

########################################################################
#
# HOSTS_DENY: the file which contains restricted host access information
#
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
#
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
#
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
#######################################################################


########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
#             when DenyHosts is invoked with the --purge flag
#
#      format is: i[dhwmy]
#      Where 'i' is an integer (eg. 7) 
#            'm' = minutes
#            'h' = hours
#            'd' = days
#            'w' = weeks
#            'y' = years
#
# never purge:
PURGE_DENY = 
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
#PURGE_DENY = 5d
#######################################################################

#######################################################################
#
# PURGE_THRESHOLD: defines the maximum times a host will be purged.  
# Once this value has been exceeded then this host will not be purged. 
# Setting this parameter to 0 (the default) disables this feature.
#
# default: a denied host can be purged/re-added indefinitely
#PURGE_THRESHOLD = 0
#
# a denied host will be purged at most 2 times. 
#PURGE_THRESHOLD = 2 
#
#######################################################################


#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# 
# man 5 hosts_access for details
#
# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE  = sshd
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts).  Refer to: 
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =    
#
#######################################################################


#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
# attempts has exceeded this value.  This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 5
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 10
#
#######################################################################

#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to 
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#
#######################################################################


#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 
# login attempts has exceeded this value.  This value applies to 
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################


#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).  
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /usr/share/denyhosts/data
#
#######################################################################

#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious.  If this is NO, then suspicious logins 
# from allowed-hosts will not be reported.  All suspicious logins from 
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################

######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################


######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately.  Otherwise, this file will be created upon invocation
# and deleted upon exit.  This ensures that only one instance is
# running at a time.
#
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian
#LOCK_FILE = /var/run/denyhosts.pid
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################


       ############ THESE SETTINGS ARE OPTIONAL ############


#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to 
# match your email address.  If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
#
ADMIN_EMAIL = 
#
#######################################################################

#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 
# reports (see ADMIN_EMAIL) then these settings specify the 
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
# 
#
SMTP_HOST = localhost
SMTP_PORT = 25
#
#######################################################################

#######################################################################
# 
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 
# smtp email server requires authentication
#
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
######################################################################

#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = DenyHosts <nobody@localhost>
#
#######################################################################

#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report
#
######################################################################

######################################################################
#
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
# when sending email messages.
#
# for possible values for this parameter refer to: man strftime
#
# the default:
#
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
#
######################################################################

######################################################################
#
# SYSLOG_REPORT
#
# SYSLOG_REPORT=YES|NO
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system).
# The default is: NO
#
#SYSLOG_REPORT=NO
#
#SYSLOG_REPORT=YES
#
######################################################################

######################################################################
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
# the hostname will be looked up.  If your versions of tcp_wrappers
# and sshd sometimes log hostnames in addition to ip addresses
# then you may wish to specify this option.
# 
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
#
######################################################################

###################################################################### 
# 
# AGE_RESET_VALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# to all valid users (those within /etc/passwd) with the 
# exception of root.  If not defined, this count will never
# be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_VALID=5d
#
######################################################################

###################################################################### 
# 
# AGE_RESET_ROOT: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to all login 
# attempts to the "root" user account.  If not defined,
# this count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_ROOT=25d
#
######################################################################

###################################################################### 
# 
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to all login 
# attempts to entries found in the WORK_DIR/restricted-usernames file.  
# If not defined, the count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_RESTRICTED=25d
#
######################################################################


###################################################################### 
# 
# AGE_RESET_INVALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for 
# this host to be reset to 0.  This value applies to login attempts 
# made to any invalid username (those that do not appear 
# in /etc/passwd).  If not defined, count will never be reset.
#
# See the comments in the PURGE_DENY section (above) 
# for details on specifying this value or for complete details 
# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
#
AGE_RESET_INVALID=10d
#
######################################################################


######################################################################
#
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
# failed count for the respective ip address will be reset to 0
# if the login is successful.  
#
# The default is RESET_ON_SUCCESS = no
#
#RESET_ON_SUCCESS = yes
#
#####################################################################


######################################################################
#
# PLUGIN_DENY: If set, this value should point to an executable
# program that will be invoked when a host is added to the
# HOSTS_DENY file.  This executable will be passed the host
# that will be added as it's only argument.
#
#PLUGIN_DENY=/usr/bin/true
#
######################################################################


######################################################################
#
# PLUGIN_PURGE: If set, this value should point to an executable
# program that will be invoked when a host is removed from the
# HOSTS_DENY file.  This executable will be passed the host
# that is to be purged as it's only argument.
#
#PLUGIN_PURGE=/usr/bin/true
#
######################################################################

######################################################################
#
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
# a regular expression that can be used to identify additional
# hackers for your particular ssh configuration.  This functionality
# extends the built-in regular expressions that DenyHosts uses.
# This parameter can be specified multiple times.
# See this faq entry for more details:
#    http://denyhosts.sf.net/faq.html#userdef_regex
#
#USERDEF_FAILED_ENTRY_REGEX=
#
#
######################################################################




   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########



#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report it's status.
# To disable logging, leave blank.  (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts
#
# disable logging:
#DAEMON_LOG = 
#
######################################################################

#######################################################################
# 
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the timestamp format of 
# the DAEMON_LOG messages (default is the ISO8061 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59   
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59 
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
###################################################################### 

#######################################################################
# 
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 
# (--daemon flag) this specifies the message format of each logged
# entry.  By default the following format is used:
#
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
# Where the "%(asctime)s" portion is expanded to the format
# defined by DAEMON_LOG_TIME_FORMAT
#
# This string is passed to python's logging.Formatter contstuctor.
# For details on the possible format types please refer to:
# http://docs.python.org/lib/node357.html
#
# This is the default:
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
#
###################################################################### 

 
#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
# 
#
DAEMON_SLEEP = 30s
#
#######################################################################

#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h
#
#######################################################################


   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########


#######################################################################
#
# Synchronization mode allows the DenyHosts daemon the ability
# to periodically send and receive denied host data such that 
# DenyHosts daemons worldwide can automatically inform one
# another regarding banned hosts.   This mode is disabled by
# default, you must uncomment SYNC_SERVER to enable this mode.
#
# for more information, please refer to: 
#        http:/denyhosts.sourceforge.net/faq.html#sync 
#
#######################################################################


#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons.  Currently, denyhosts.net is the only available server
# however, in the future, it may be possible for organizations to
# install their own server for internal network synchronization
#
# To disable synchronization (the default), do nothing. 
#
# To enable synchronization, you must uncomment the following line:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################

#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented.  The default is 1 hour.
# 
SYNC_INTERVAL = 1h
#
#######################################################################


#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied?  This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
#SYNC_UPLOAD = no
SYNC_UPLOAD = yes
#
#######################################################################


#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others?  This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
SYNC_DOWNLOAD = yes
#
#
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
# filters the returned hosts to those that have been blocked this many
# times by others.  That is, if set to 1, then if a single DenyHosts
# server has denied an ip address then you will receive the denied host.
# 
# See also SYNC_DOWNLOAD_RESILIENCY
#
#SYNC_DOWNLOAD_THRESHOLD = 10
#
# The default is SYNC_DOWNLOAD_THRESHOLD = 3 
#
SYNC_DOWNLOAD_THRESHOLD = 3
#
#######################################################################

#######################################################################
#
# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the
# value specified for this option limits the downloaded data
# to this resiliency period or greater.
#
# Resiliency is defined as the timespan between a hackers first known 
# attack and it's most recent attack.  Example:
# 
# If the centralized   denyhosts.net server records an attack at 2 PM 
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 
# will not download this ip address.
#
# However, if the attacker is recorded again at 6:15 PM then the 
# ip address will be downloaded by your DenyHosts instance.  
#
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 
# and only hosts that satisfy both values will be downloaded.  
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 
#
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
#
# Only obtain hackers that have been at it for 2 days or more:
#SYNC_DOWNLOAD_RESILIENCY = 2d
#
# Only obtain hackers that have been at it for 5 hours or more:
SYNC_DOWNLOAD_RESILIENCY = 5h
#
#######################################################################
  • Configured denyhosts to start on boot
    • /sbin/chkconfig denyhosts on
  • Started denyhosts
    • /etc/init.d/denyhosts start

Configured Some Password Policy

  • Edited /etc/login.defs
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR	Maildir
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail

# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	360
PASS_MIN_DAYS	0
PASS_MIN_LEN	8
PASS_WARN_AGE	30

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			  500
UID_MAX			60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			  500
GID_MAX			60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME	yes

# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

Added RPMForge Yum Repository

Configured to be monitored by netstat Nagios Server

Installed Needed Packages

  • yum install xinetd gcc openssl-devel

Created nagios user

  • /usr/sbin/useradd nagios -s/sbin/nologin
  • passwd nagios

Compiled and Installed Nagios Plugins

  • Extracted Plugins
    • tar xzf nagios-plugins-1.4.12.tar.gz
  • Compiled and Installed Plugins
    • cd nagios-plugins-1.4.12
    • ./configure --enable-perl-modules
    • make
    • make install
  • Set Permissions on plugin folder
    • chown nagios.nagios /usr/local/nagios
    • chown -R nagios.nagios /usr/local/nagios/libexec

Installed NRPE Daemon

  • Extracted nrpe
    • tar xzf nrpe-2.12.tar.gz
  • Compiled & Installed Plugin
    • cd nrpe-2.12
    • ./configure
    • make all
    • make install-plugin
    • make install-daemon
    • make install-daemon-config
    • make install-xinetd
  • Edited /etc/xinetd.d/nrpe and modified the following line
only_from = 128.153.145.16
  • Edited /etc/services and added the following entry
nrpe           5666/tcp         # NRPE
  • Configured xinetd to start on boot
    • /sbin/chkconfig xinetd on
  • Started xinetd
    • /etc/init.d/xinetd start
  • Edited /etc/sysconfig/iptables and added the following rule
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -s 128.153.145.16 -j ACCEPT
  • Restarted iptables
    • /etc/init.d/iptables restart

Configured NRPE

  • Edited /usr/local/nagios/etc/nrpe.cfg to look like the following
#############################################################################
# NRPE Config File
#
# Last Modified: 05-27-2008
#############################################################################


# LOG FACILITY
# The syslog facility that should be used for logging purposes.

log_facility=daemon



# PID FILE
# The name of the file in which the NRPE daemon should write it's process ID
# number.  The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.

pid_file=/var/run/nrpe.pid



# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-priviledged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

server_port=5666



# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#server_address=127.0.0.1



# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios



# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address.  I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=128.153.145.16



# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed.  This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments

dont_blame_nrpe=0



# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commmands using sudo.  For this to work, you need to add
# the nagios user to your /etc/sudoers.  An example entry for alllowing
# execution of the plugins from might be:
#
# nagios          ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password.  If you do this, make sure you don't give
# random users write access to that directory or its contents!

# command_prefix=/usr/bin/sudo



# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on

debug=0



# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.

command_timeout=60



# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.

connection_timeout=300



# WEEK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment valiable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness

#allow_weak_random_seed=1



# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.

include=/usr/local/nagios/etc/command_def.cfg
  • Created /usr/local/nagios/etc/command_def.cfg
command[check_users]=/usr/local/nagios/libexec/check_users -w 10 -c 15
command[check_load]=/usr/local/nagios/libexec/check_load -w 3.00,2.75,2.50 -c 3.50,3.25,3.00
command[check_rootfs]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/xvda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 80 -c 100
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 15% -c 10%
command[check_nagios]=/usr/local/nagios/libexec/check_nagios -V

Final Steps

  • Created previous user accounts that existed on righteous
  • Copied previous user account passwords from /etc/shadow on old righteous to /etc/shadow on isengard
  • Rebooted and tested that denyhosts started on boot & had other users test accounts