Web2 Setup Process
From CSLabsWiki
This page summarizes how the virtual machine Web2 was set up in Summer 2009.
Contents
- 1 Install
- 2 Configuration
- 2.1 Updated System
- 2.2 Created User
- 2.3 Configured Sudo
- 2.4 Configured Network
- 2.5 Configured IPtables
- 2.6 Set Up SSH Login Banner
- 2.7 Configured Password Requirements
- 2.8 Configured Hosts
- 2.9 Modified umask
- 2.10 Disabled IPv6
- 2.11 Configured DNS Servers
- 2.12 Configured SNMP
- 2.13 Configured Logwatch Reports
- 3 Installed Apache
- 4 Virtual Host Notes
- 5 AWStats
Install
This system was created via the Create a New VM How-To and is based on the Ubuntu 8.04 Generic VM image.
Configuration
Updated System
apt-get update && apt-get upgrade
Created User
- Created user mccarrms
/usr/sbin/useradd -m mccarrms
- Set password for mccarrms
passwd mccarrms
Configured Sudo
/usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp, /usr/bin/sudoedit
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl, /usr/bin/passwd
## HTTP
Cmnd_Alias HTTP = /etc/init.d/apache2 restart, /etc/init.d/apache2 stop
Defaults requiretty
Defaults env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
## Note: sudoers(5) documents that subtracting commands from ALL with "!" is
## not a reliable restriction; an explicit list of allowed commands is safer.
%admins ALL=(root) ALL, !SHELLS, !HTTP
Configured Network
- Edited
/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 128.153.145.20
netmask 255.255.255.0
gateway 128.153.145.1
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
auto eth0:0
iface eth0:0 inet static
address 128.153.145.26
netmask 255.255.255.0
Configured IPtables
Due to the sensitivity of this material, the config file has been left off; however, the following rule (allowing inbound HTTP on port 80) is needed.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Set Up SSH Login Banner
- Edited
/etc/issue.net
__ ___
_ _____ / / |_ |
| |/|/ / -_) _ \/ __/
|__,__/\__/_.__/____/
Configured Password Requirements
- Edited
/etc/login.defs
MAIL_DIR /var/mail
#MAIL_FILE .mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#SULOG_FILE /var/log/sulog
#TTYTYPE_FILE /etc/ttytype
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
#UMASK 022
PASS_MAX_DAYS 360
PASS_MIN_DAYS 0
PASS_WARN_AGE 60
UID_MIN 1000
UID_MAX 60000
GID_MIN 100
GID_MAX 60000
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
#USERDEL_CMD /usr/sbin/userdel_local
USERGROUPS_ENAB yes
# FAKE_SHELL /bin/fakeshell
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#CONSOLE_GROUPS floppy:audio:cdrom
#MD5_CRYPT_ENAB no
Configured Hosts
- Edited
/etc/hosts.allow
For security purposes, this information has been intentionally left off.
- Edited
/etc/hosts.deny
ALL: ALL
Modified umask
- Removed the following from
/etc/profile
umask 022
- Added the following to
/etc/profile
# Group-writable umask for user-private-group accounts (group name equals
# user name) and for root; every other account keeps 022.
# id -u is used instead of $UID so this also works when /bin/sh is dash.
if [ "$(id -u)" -gt 999 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 002
elif [ "$(id -u)" -eq 0 ]; then
    umask 002
else
    umask 022
fi
Disabled IPv6
- Modify the following in
/etc/modprobe.d/aliases
alias net-pf-10 off
Configured DNS Servers
- Edited
/etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4
Configured SNMP
- Edited
/etc/snmp/snmpd.conf
rocommunity <passphrase> <ipsallowed>
rocommunity <passphrase> <ipsallowed>
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
Configured Logwatch Reports
- Set the detail level to High and changed MailFrom to logwatch
sed -i "s/MailFrom = root/MailFrom = logwatch/g" /usr/share/logwatch/dist.conf/logwatch.conf
sed -i "s/Detail = Med/Detail = High/g" /usr/share/logwatch/dist.conf/logwatch.conf
Installed Apache
- Installed httpd, php, etc.
apt-get install apache2 php5 libapache2-mod-php5 mysql-client php5-mysql php5-curl php5-gd php5-suhosin php-pear php-xml-parser php5-xcache highlight source-highlight php-mode php5-cli libgd2-xpm libgd2-xpm-dev imagemagick
- Added for lab-build virtual host
reprepro
- Modified
/etc/apache2/apache2.conf
ServerRoot "/etc/apache2"
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>
PidFile ${APACHE_PID_FILE}
Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 10
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 256
MaxRequestsPerChild 1000
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ServerTokens Prod
ServerSignature Off
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
# Alias /error/ "/usr/share/apache2/error/"
#
# <Directory "/usr/share/apache2/error">
# AllowOverride None
# Options IncludesNoExec
# AddOutputFilter Includes html
# AddHandler type-map var
# Order allow,deny
# Allow from all
# LanguagePriority en cs de es fr it nl sv pt-br ro
# ForceLanguagePriority Prefer Fallback
# </Directory>
#
# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
# ErrorDocument 410 /error/HTTP_GONE.html.var
# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
Include /etc/apache2/conf.d/
NameVirtualHost *
Include /etc/apache2/sites-enabled/
- Enabled mod_rewrite
a2enmod rewrite
- Unlinked default site config
unlink /etc/apache2/sites-enabled/000-default
- Created
/etc/apache2/sites-enabled/web2
<VirtualHost *>
ServerName web2.cslabs.clarkson.edu
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/www/"
ErrorLog /var/log/apache2/web2-error_log
CustomLog /var/log/apache2/web2-access_log combined
ServerAlias web2*
RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
- Created
/etc/apache2/sites-enabled/zDefault
<VirtualHost *>
ServerName web2.cslabs.clarkson.edu
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/www/"
ErrorLog /var/log/apache2/web2-error_log
CustomLog /var/log/apache2/web2-access_log combined
ServerAlias *
RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
- Created
/etc/apache2/sites-enabled/docs
<VirtualHost *>
ServerName docs.cosi.clarkson.edu
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/docs_www/"
ErrorLog /var/log/apache2/docs-error_log
CustomLog /var/log/apache2/docs-access_log combined
ServerAlias docs.cosi
Redirect permanent / http://docs.cslabs.clarkson.edu/
</VirtualHost>
<VirtualHost *>
ServerName docs.cslabs
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/docs_www/"
ErrorLog /var/log/apache2/docs-error_log
CustomLog /var/log/apache2/docs-access_log combined
ServerAlias docs
Redirect permanent / http://docs.cslabs.clarkson.edu/
</VirtualHost>
<VirtualHost *>
ServerName docs.cslabs.clarkson.edu
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/docs_www/"
ErrorLog /var/log/apache2/docs-error_log
CustomLog /var/log/apache2/docs-access_log combined
<Directory /var/docs_www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride Limit
Order allow,deny
allow from all
</Directory>
# For rewriting /w/index.php to /wiki/
Alias /wiki "/var/docs_www/w/index.php"
Alias /index.php "/var/docs_www/w/index.php"
</VirtualHost>
- Created
/etc/apache2/sites-enabled/status
<VirtualHost *>
ServerName status.cslabs.clarkson.edu
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/status_www/"
ErrorLog /var/log/apache2/status-error_log
CustomLog /var/log/apache2/status-access_log combined
ServerAlias status*
<Directory /var/status_www/>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
- Created
/etc/apache2/sites-enabled/lab-build
<VirtualHost *>
ServerName lab-build.cslabs.clarkson.edu
ServerAdmin web-admin@cslabs.clarkson.edu
DocumentRoot "/var/lab-build_www/"
ErrorLog /var/log/apache2/lab-build-error_log
CustomLog /var/log/apache2/lab-build-access_log combined
ServerAlias lab-build*
<Directory /var/lab-build_www/>
Options Indexes FollowSymLinks
AllowOverride Limit
Order allow,deny
allow from all
</Directory>
</VirtualHost>
- Configured the server so PHP is not exposed and y2k compliance is off
- Edited
/etc/php5/apache2/php.ini
expose_php = Off
memory_limit = 64M
upload_max_filesize = 8M
- Started Apache
/etc/init.d/apache2 start
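Added example, not from the wiki page: a small shell audit that re-checks the information-disclosure settings the apache2.conf and php.ini edits above establish (ServerTokens Prod, ServerSignature Off, HostnameLookups Off, the .ht* Files block, expose_php = Off), so a package upgrade or hand edit that reverts them is noticed. It assumes GNU awk/grep on Linux and takes the file paths as arguments.

```shell
#!/bin/sh
# Added example (not from the wiki page). Re-checks the information-disclosure
# settings established above in apache2.conf and php.ini. Assumes GNU awk/grep.

# last_value FILE DIRECTIVE: value of the last uncommented occurrence of an
# Apache directive (later occurrences override earlier ones), empty if absent.
last_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# audit_apache FILE: report every directive that differs from the hardened
# value used on this page; returns 1 if anything differs or is missing.
audit_apache() {
    rc=0
    for pair in ServerTokens=Prod ServerSignature=Off HostnameLookups=Off; do
        d=${pair%%=*}; want=${pair#*=}
        have=$(last_value "$1" "$d")
        if [ "$have" != "$want" ]; then
            echo "$d: have '${have:-unset}', want '$want'"; rc=1
        fi
    done
    # .htaccess/.htpasswd must stay unreadable over HTTP (uncommented block only)
    grep -v '^[[:space:]]*#' "$1" | grep -qF '"^\.ht"' \
        || { echo 'Files block for .ht* is missing'; rc=1; }
    return $rc
}

# audit_php INI: expose_php must be Off so the PHP version is not advertised
# in response headers; returns 1 otherwise.
audit_php() {
    have=$(awk '$1 == "expose_php" && $2 == "=" { v = $3 } END { print v }' "$1")
    [ "$have" = "Off" ] && return 0
    echo "expose_php: have '${have:-unset}', want 'Off'"
    return 1
}

# Usage: audit_apache /etc/apache2/apache2.conf; audit_php /etc/php5/apache2/php.ini
```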
Virtual Host Notes
- A group must be created for each virtual host and the virtual host html root must be owned by that group.
- The setgid bit should be set on each of the virtual host html roots. This can be done by using the following command:
chmod g+s <vhost>_www/
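Added example, not part of the original page, tying the umask policy from the /etc/profile edit to the setgid vhost roots described here: with a group-owned, setgid DocumentRoot and umask 002, files any member creates inherit the vhost group and are group-writable (664), while umask 022 leaves them 644. The functions mirror the page's policy but take their inputs as arguments and use the caller's own group, so the demo runs unprivileged; assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example (not from the wiki page): show why the umask policy and the
# setgid vhost roots work together. Assumes GNU stat (Linux).

# Mirror of the /etc/profile policy, taking uid / group name / user name as
# arguments so it can be exercised without logging in as each account.
policy_umask() {
    if [ "$1" -gt 999 ] && [ "$2" = "$3" ]; then
        echo 002          # user-private-group account: group == user
    elif [ "$1" -eq 0 ]; then
        echo 002          # root
    else
        echo 022          # account whose primary group is shared
    fi
}

# Prepare a vhost root as the notes describe: group-owned, setgid, no world
# write. The group is passed in; the demo uses the caller's own group.
prepare_vhost_root() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2775 "$1"
}

# Create a probe file under DIR with umask U and print "<mode> <group>".
created_mode() {
    f="$1/probe.$$"
    ( umask "$2"; : > "$f" )
    stat -c '%a %G' "$f"
    rm -f "$f"
}

# Demo: with a setgid root and umask 002 the file is 664 and carries the
# directory's group; with umask 022 it is 644, so group members cannot edit it.
demo() {
    d=$(mktemp -d)
    prepare_vhost_root "$d/demo_www" "$(id -gn)"
    echo "umask 002: $(created_mode "$d/demo_www" 002)"
    echo "umask 022: $(created_mode "$d/demo_www" 022)"
    rm -rf "$d"
}
```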
AWStats
- All virtual hosts should be configured to be monitored by AWStats on Netstat. The basic process for doing this is on the Configure a Remote Debian Based Linux Server for AWStats how-to.