Web2 Setup Process

From CSLabsWiki

This page summarizes how the virtual machine Web2 was set up in Summer 2009.

Web2 is being phased out, so this page will vanish when that completes.

Install

This system was created via the Create a New VM How-To and is based on the Ubuntu 8.04 Generic VM image.

Configuration

Updated System

  • apt-get update && apt-get upgrade

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp, /usr/bin/sudoedit

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl, /usr/bin/passwd

## HTTP
Cmnd_Alias HTTP = /etc/init.d/apache2 restart, /etc/init.d/apache2 stop

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%sudo   ALL=(ALL)       ALL
%admins ALL=(root) ALL, !SHELLS, !HTTP
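The admins spec above grants ALL and then subtracts the SHELLS and HTTP aliases. sudoers(5) documents that subtracting commands from ALL is not a reliable restriction, since only the listed paths are excluded. The following script is an added example, not part of the wiki page or the Web2 build: it syntax-checks a sudoers file with visudo (skipped when visudo is not installed) and flags any "ALL, !ALIAS" spec. The file path is an argument and the sample fragment in the demo is constructed to mirror the spec above.

```shell
#!/bin/sh
# Added example (not part of the Web2 page): two checks to run on a sudoers
# file before installing it. The file path is an argument; no real path is
# assumed.
#   1. Syntax: visudo -c -f FILE, skipped when visudo is not installed.
#   2. Policy: a user spec that grants ALL and then subtracts aliases, like
#      "%admins ALL=(root) ALL, !SHELLS, !HTTP". sudoers(5) documents that
#      subtracting commands from ALL only excludes the listed paths, so the
#      spec should list the commands the group may run instead.

# Returns 0 (true) when FILE contains an "ALL, !ALIAS" style spec.
sudoers_has_weak_denylist() {
    # drop comments, then look for "ALL" followed by a negated entry
    sed 's/#.*//' "$1" | grep -Eq 'ALL[[:space:]]*,[[:space:]]*!'
}

# Returns 0 when FILE parses (if visudo is available) and has no
# ALL-with-exclusions spec; reports findings on stderr.
check_sudoers() {
    file="$1"
    rc=0
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -f "$file" >/dev/null 2>&1; then
            echo "syntax error in $file (visudo -c -f)" >&2
            rc=1
        fi
    fi
    if sudoers_has_weak_denylist "$file"; then
        echo "weak spec in $file: subtracting from ALL does not restrict the user" >&2
        sed 's/#.*//' "$file" | grep -E 'ALL[[:space:]]*,[[:space:]]*!' >&2
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed fragment modelled on the admins spec.
sudoers_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/su
Cmnd_Alias HTTP = /etc/init.d/apache2 restart, /etc/init.d/apache2 stop
%admins ALL=(root) ALL, !SHELLS, !HTTP
EOF
    if check_sudoers "$tmp"; then echo "sudoers: OK"; else echo "sudoers: needs attention"; fi
    rm -f "$tmp"
}

sudoers_demo
```

The fix the check points at is an allow-list built from the aliases the file already defines, for instance `%admins ALL=(root) NETWORKING, SOFTWARE, SERVICES, LOCATE, STORAGE, PROCESSES, DRIVERS, USERS`, so that SHELLS and HTTP are never granted in the first place.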

Configured Network

  • Edited /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 128.153.145.20
  netmask 255.255.255.0
  gateway 128.153.145.1
  pre-up iptables-restore < /etc/iptables.rules
  post-down iptables-restore < /etc/iptables.downrules

auto eth0:0
iface eth0:0 inet static
  address 128.153.145.26
  netmask 255.255.255.0

Configured IPtables

Due to the sensitivity of this material, the iptables config file has been left off; at a minimum, the following rule is needed so the web server is reachable.

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Set Up SSH Login Banner

  • Edited /etc/issue.net
             __   ___ 
 _    _____ / /  |_  |
| |/|/ / -_) _ \/ __/ 
|__,__/\__/_.__/____/ 
                      

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/mail
#MAIL_FILE      .mail

FAILLOG_ENAB		yes

LOG_UNKFAIL_ENAB	no

LOG_OK_LOGINS		no

SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes

#SULOG_FILE	/var/log/sulog

#TTYTYPE_FILE	/etc/ttytype

FTMP_FILE	/var/log/btmp

SU_NAME		su

HUSHLOGIN_FILE	.hushlogin
#HUSHLOGIN_FILE	/etc/hushlogins

ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

TTYGROUP	tty
TTYPERM		0600

ERASECHAR	0177
KILLCHAR	025

#UMASK		022

PASS_MAX_DAYS	360
PASS_MIN_DAYS	0
PASS_WARN_AGE	60

UID_MIN			 1000
UID_MAX			60000

GID_MIN			  100
GID_MAX			60000

LOGIN_RETRIES		5

LOGIN_TIMEOUT		60

CHFN_RESTRICT		rwh

DEFAULT_HOME	yes

#USERDEL_CMD	/usr/sbin/userdel_local

USERGROUPS_ENAB yes

# FAKE_SHELL /bin/fakeshell

#CONSOLE	/etc/consoles
#CONSOLE	console:tty01:tty02:tty03:tty04

#CONSOLE_GROUPS		floppy:audio:cdrom

#MD5_CRYPT_ENAB	no

Configured Hosts

  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Modified umask

  • Removed the following from /etc/profile
umask 022
  • Added the following to /etc/profile
# Users with a private group (UID >= 1000 and primary group named after the
# user) and root get umask 002; everyone else gets 022. $(id -u) is used
# instead of bash's $UID so the test also works when /etc/profile is read
# by dash.
if [ "$(id -u)" -gt 999 ] && [ "$(id -gn)" = "$(id -un)" ]; then
        umask 002
elif [ "$(id -u)" -eq 0 ]; then
        umask 002
else
        umask 022
fi

Disabled IPv6

  • Modified the following in /etc/modprobe.d/aliases
alias net-pf-10 off

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Configured SNMP

  • Edited /etc/snmp/snmpd.conf
rocommunity     <passphrase>  <ipsallowed>
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime

Configured Logwatch Reports

  • Set the detail level to High and changed MailFrom
sed -i "s/MailFrom = root/MailFrom = logwatch/g" /usr/share/logwatch/dist.conf/logwatch.conf
sed -i "s/Detail = Med/Detail = High/g" /usr/share/logwatch/dist.conf/logwatch.conf

Installed Apache

  • Installed httpd, php, etc.
    • apt-get install apache2 php5 libapache2-mod-php5 mysql-client php5-mysql php5-curl php5-gd php5-suhosin php-pear php-xml-parser php5-xcache highlight source-highlight php-mode php5-cli libgd2-xpm libgd2-xpm-dev imagemagick
    • Added reprepro for the lab-build virtual host
  • Modified /etc/apache2/apache2.conf
ServerRoot "/etc/apache2"

#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

PidFile ${APACHE_PID_FILE}

Timeout 30

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients           50
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

DefaultType text/plain

HostnameLookups Off

ErrorLog /var/log/apache2/error.log

LogLevel warn

Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

Include /etc/apache2/httpd.conf

Include /etc/apache2/ports.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

ServerTokens Prod

ServerSignature Off

#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html

#    Alias /error/ "/usr/share/apache2/error/"
#
#    <Directory "/usr/share/apache2/error">
#        AllowOverride None
#        Options IncludesNoExec
#        AddOutputFilter Includes html
#        AddHandler type-map var
#        Order allow,deny
#        Allow from all
#        LanguagePriority en cs de es fr it nl sv pt-br ro
#        ForceLanguagePriority Prefer Fallback
#    </Directory>
#
#    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
#    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
#    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
#    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
#    ErrorDocument 410 /error/HTTP_GONE.html.var
#    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
#    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
#    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
#    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
#    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
#    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
#    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
#    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
#    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

Include /etc/apache2/conf.d/

NameVirtualHost *

Include /etc/apache2/sites-enabled/
  • Enabled mod_rewrite
a2enmod rewrite
  • Enabled mod_deflate
a2enmod deflate
  • Unlinked default site config
    • unlink /etc/apache2/sites-enabled/000default
  • Created /etc/apache2/sites-enabled/web2
<VirtualHost *>
    ServerName web2.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/"
    ErrorLog /var/log/apache2/web2-error_log
    CustomLog /var/log/apache2/web2-access_log combined
    ServerAlias web2*
    RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/apache2/sites-enabled/zDefault
<VirtualHost *>
    ServerName web2.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/"
    ErrorLog /var/log/apache2/web2-error_log
    CustomLog /var/log/apache2/web2-access_log combined
    ServerAlias *
    RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/apache2/sites-enabled/docs
<VirtualHost *>
    ServerName docs.cosi.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/docs_www/"
    ErrorLog /var/log/apache2/docs-error_log
    CustomLog /var/log/apache2/docs-access_log combined
    ServerAlias docs.cosi
    Redirect permanent / http://docs.cslabs.clarkson.edu/
</VirtualHost>

<VirtualHost *>
    ServerName docs.cslabs
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/docs_www/"
    ErrorLog /var/log/apache2/docs-error_log
    CustomLog /var/log/apache2/docs-access_log combined
    ServerAlias docs
    Redirect permanent / http://docs.cslabs.clarkson.edu/
</VirtualHost>

<VirtualHost *>
    ServerName docs.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/docs_www/"
    ErrorLog /var/log/apache2/docs-error_log
    CustomLog /var/log/apache2/docs-access_log combined
    <Directory /var/docs_www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride Limit
        Order allow,deny
        allow from all
    </Directory>
    # For rewriting /w/index.php to /wiki/
    Alias /wiki "/var/docs_www/w/index.php"
    Alias /index.php "/var/docs_www/w/index.php"
</VirtualHost>
  • Created /etc/apache2/sites-enabled/status
<VirtualHost *>
    ServerName status.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/status_www/"
    ErrorLog /var/log/apache2/status-error_log
    CustomLog /var/log/apache2/status-access_log combined
    ServerAlias status*
    <Directory /var/status_www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Created /etc/apache2/sites-enabled/lab-build
<VirtualHost *>
    ServerName lab-build.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/lab-build_www/"
    ErrorLog /var/log/apache2/lab-build-error_log
    CustomLog /var/log/apache2/lab-build-access_log combined
    ServerAlias lab-build*
    <Directory /var/lab-build_www/>
        Options Indexes FollowSymLinks
        AllowOverride Limit
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Created /etc/apache2/sites-enabled/nonlinear
<VirtualHost *>
    ServerName nonlinear.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/nonlinear_www/"
    ErrorLog /var/log/apache2/nonlinear-error_log
    CustomLog /var/log/apache2/nonlinear-access_log combined
    ServerAlias nonlinear*
    <Directory /var/nonlinear_www/>
        Options Indexes FollowSymLinks
        AllowOverride Limit
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Configured PHP so it is not exposed and Y2K compliance is off
    • Edited /etc/php5/apache2/php.ini
expose_php = Off
memory_limit = 64M
upload_max_filesize = 8M
  • Started Apache
    • /etc/init.d/apache2 start
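Each virtual host above writes its own *-access_log using the "combined" LogFormat from apache2.conf. As an added example (not part of the wiki page or the Web2 build), the script below gives a first look at such a log: it counts 4xx/5xx responses per client address and prints the clients at or above a threshold, which is the quickest way to notice a client repeatedly hitting paths the server refuses (the "^\.ht" deny rule, missing pages, 5xx errors from PHP). The log lines in the demo are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the wiki page: a first-look report over a per-vhost
# *-access_log written with the "combined" LogFormat from apache2.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Counts 4xx/5xx responses per client address and prints clients at or above
# a threshold. The sample lines below are constructed for the demo.

# Usage: error_clients [THRESHOLD] < access_log
# Prints "count client" lines, highest count first.
error_clients() {
    threshold="${1:-3}"
    # Split on double quotes so a request line containing spaces does not
    # shift the fields: $1 = "%h %l %u %t ", $2 = %r, $3 = " %>s %b ".
    awk -F'"' -v t="$threshold" '
        {
            split($1, pre, " ")            # pre[1] is the client address %h
            split($3, post, " ")           # post[1] is the status %>s
            if (post[1] ~ /^[45][0-9][0-9]$/) err[pre[1]]++
        }
        END { for (ip in err) if (err[ip] >= t) printf "%d %s\n", err[ip], ip }
    ' | sort -rn
}

# Constructed sample in combined format (not real Web2 traffic).
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [12/Jul/2009:03:14:07 -0400] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2009:03:14:09 -0400] "GET /old/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2009:03:14:10 -0400] "GET /.htaccess HTTP/1.1" 403 291 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2009:03:14:12 -0400] "POST /w/index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2009:03:20:01 -0400] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2009:03:20:02 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.7 - - [12/Jul/2009:03:25:00 -0400] "GET /a b HTTP/1.1" 400 226 "-" "-"
192.0.2.7 - - [12/Jul/2009:03:25:01 -0400] "GET /status/ HTTP/1.1" 503 0 "-" "Mozilla/5.0"
EOF
}

sample_log | error_clients 2
```

Against a real log the call is `error_clients 20 < /var/log/apache2/web2-access_log`; splitting on the quote characters rather than on whitespace is what keeps the status column stable when a request line itself contains spaces, as the `GET /a b` sample shows.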

Virtual Host Notes

  • A group must be created for each virtual host and the virtual host html root must be owned by that group.
  • The setgid bit should be set on each of the virtual host html roots. This can be done by using the following command: chmod g+s <vhost>_www/
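The two notes above, together with the umask 002 set in /etc/profile, describe one procedure: a group per virtual host, a document root owned by that group, and the setgid bit so files created inside keep the group. The script below is an added example, not part of the wiki page or the Web2 build, that carries the procedure out and verifies the result. It assumes the group is named after the vhost and that the root is <parent>/<vhost>_www as on this page; groupadd and chgrp need root and an existing group, so the function reports and skips them otherwise, which lets it be tried in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the wiki page: create a virtual host document root
# as the Virtual Host Notes describe (one group per vhost, root owned by that
# group, setgid so new files keep the group) and verify the result. The vhost
# name and parent directory are arguments; the group name is assumed to equal
# the vhost name. chgrp needs root and an existing group (groupadd <vhost>),
# so it is reported and skipped otherwise; the mode is always applied.

make_vhost_root() {
    vhost="$1"
    parent="${2:-/var}"
    group="$vhost"
    dir="$parent/${vhost}_www"

    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$dir"
    else
        echo "skipping chgrp: need root and an existing group '$group' (groupadd $group)" >&2
    fi
    # 2775 = rwxrwsr-x: owner and group may write, setgid on the directory,
    # others read only (Apache, running as www-data, is "other" here).
    # Together with the umask 002 from /etc/profile, files created by group
    # members stay group-owned and group-writable.
    chmod 2775 "$dir"
    printf '%s\n' "$dir"
}

# Returns 0 when DIR is a directory with mode 2775 (setgid, group-writable).
vhost_root_ok() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "2775" ]
}

# Demo in a scratch directory (constructed; the real roots live under /var).
scratch=$(mktemp -d)
root=$(make_vhost_root demo "$scratch")
if vhost_root_ok "$root"; then echo "$root: ok"; else echo "$root: wrong mode"; fi
rm -rf "$scratch"
```

For a real host the sequence is `groupadd status`, then `make_vhost_root status /var`, then `vhost_root_ok /var/status_www` as a check that the setgid bit survived; the mode alone does not make the group useful, so the group must exist before the chgrp step runs.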

AWStats