Difference between revisions of "Ziltoid"

From CSLabsWiki
 
Latest revision as of 10:58, 23 October 2016

Ziltoid
IP Address(es): 128.153.145.2
Contact Person: Xperia64
Last Update: October 2016
Services: Various


Hostname: ziltoid.cslabs.clarkson.edu
Operating system: Debian 8.3
NIC 1: Clarkson Network
MAC: 0c:c4:7a:41:a7:bc
IP: 128.153.145.2
NIC 2: Clarkson Network
MAC: 0c:c4:7a:41:a7:bd
IP: Not Applicable
CPU: Intel Xeon CPU E3-1220 V2 @ 3.10GHz
RAM: 4 GB


Ziltoid is our latest ssh gateway box/firewall, following in the footsteps of (chronologically): Isengard, Mordor, Zuul and Zuko. But hopefully mostly Isengard.

The IP address allocated for Ziltoid is 128.153.145.2, necessitated by the fact that OIT's router for our subnets already occupies 128.153.144.1 and 128.153.145.1.

Setup

Start with a base 8.3.0 Debian install, follow the Kerberos setup instructions, and perform the following modifications:

Packages

The following must be uninstalled:

   rdnssd

The following can be uninstalled:

   nfs-client gcc-4.8-base ispell wamerican libthai-data
   libgtk2.0-0 libthai0 mlocate laptop-detect sgml-base debian-faq reportbug libwww-robotrules-perl 
   aptitude m4 man-db texinfo file mutt os-prober sensible-utils installation-report install-info manpages

The following should be installed:

   tcpdump nmap lm-sensors bridge-utils iptables iptables-persistent traceroute memtest86+

Network Config

This is the current /etc/network/interfaces file:

   source /etc/network/interfaces.d/*
   # The loopback network interface
   auto lo
   iface lo inet loopback
   # To output switch
   iface eth1 inet manual
   # From input switch
   iface eth3 inet manual
   auto br0
   iface br0 inet static
       bridge_ports eth3 eth1
       bridge_stp off
       address 128.153.145.2
       netmask 255.255.254.0
       gateway 128.153.145.1
       broadcast 128.153.145.255
       dns-search cslabs.clarkson.edu
       dns-nameservers 128.153.145.3

iptables Firewall

   # Generated by iptables-save v1.4.21 on Fri Mar 25 19:14:27 2016
   *filter
   :INPUT ACCEPT [132:9112]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [72:6652]
   -A FORWARD -s 128.153.144.0/23 -j ACCEPT
   -A FORWARD -d 128.153.145.0/24 -j ACCEPT
   -A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
   -A FORWARD -p tcp -j DROP
   COMMIT
   # Completed on Fri Mar 25 19:14:27 2016
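To make the effective policy of this FORWARD chain visible, here is a small model of it, added to this page as an example (it is not part of Ziltoid's configuration). It replays the four rules and the chain's default policy over a few constructed packets, first match wins as in iptables. The sample addresses (203.0.113.5, 93.184.216.34, the .10 and .20 hosts) are made up. The model assumes bridged frames are handed to iptables (net.bridge.bridge-nf-call-iptables=1), which is what makes FORWARD the chain that matters on the br0 bridge above.

```python
"""Model of the FORWARD chain from Ziltoid's iptables ruleset (added example)."""
from ipaddress import ip_address, ip_network

# The FORWARD rules from the page, in order: (src, dst, proto, ctstate, target).
# None means "any". The chain policy is ACCEPT (":FORWARD ACCEPT").
FORWARD_RULES = [
    (ip_network("128.153.144.0/23"), None, None, None, "ACCEPT"),
    (None, ip_network("128.153.145.0/24"), None, None, "ACCEPT"),
    (None, None, "tcp", "ESTABLISHED", "ACCEPT"),
    (None, None, "tcp", None, "DROP"),
]
FORWARD_POLICY = "ACCEPT"


def forward_verdict(src, dst, proto, ctstate="NEW"):
    """Return (verdict, rule_number) for one packet.

    rule_number is 1-based; 0 means no rule matched and the chain policy decided.
    """
    s, d = ip_address(src), ip_address(dst)
    for n, (r_src, r_dst, r_proto, r_state, target) in enumerate(FORWARD_RULES, 1):
        if r_src is not None and s not in r_src:
            continue
        if r_dst is not None and d not in r_dst:
            continue
        if r_proto is not None and proto != r_proto:
            continue
        if r_state is not None and ctstate != r_state:
            continue
        return target, n
    return FORWARD_POLICY, 0


# Constructed sample packets: (description, src, dst, proto, ctstate).
SAMPLE_PACKETS = [
    ("lab host browsing out", "128.153.144.10", "93.184.216.34", "tcp", "NEW"),
    ("inbound ssh to .145 subnet", "203.0.113.5", "128.153.145.20", "tcp", "NEW"),
    ("reply to lab host's connection", "93.184.216.34", "128.153.144.10", "tcp", "ESTABLISHED"),
    ("unsolicited tcp to .144 subnet", "203.0.113.5", "128.153.144.10", "tcp", "NEW"),
    ("unsolicited udp to .144 subnet", "203.0.113.5", "128.153.144.10", "udp", "NEW"),
    ("ping to .144 subnet", "203.0.113.5", "128.153.144.10", "icmp", "NEW"),
]


def evaluate_samples():
    """Map each sample description to its (verdict, rule_number)."""
    return {desc: forward_verdict(s, d, p, st) for desc, s, d, p, st in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, (verdict, rule) in evaluate_samples().items():
        where = f"rule {rule}" if rule else "chain policy"
        print(f"{desc:32} -> {verdict:6} ({where})")
```

Running it shows the intent of the ruleset: anything leaving the lab /23 and anything addressed to the gateway's own /24 is accepted outright, replies to lab-initiated TCP connections pass on the conntrack rule, and new TCP toward 128.153.144.0/24 is dropped. Non-TCP packets toward 128.153.144.0/24 match no rule and are decided by the ACCEPT chain policy, so the drop applies to TCP only.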

sshd Config

Disable sftp via this:

   Subsystem sftp /bin/false #/usr/lib/openssh/sftp-server

And block LDAP users from executing commands:

   Match Group users
           AllowTCPForwarding yes
           X11Forwarding no
           ForceCommand /bin/false
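The following is an added example, not Ziltoid's own code, showing how sshd applies the Match block above. It parses a constructed sshd_config fragment that contains just the page's two settings and computes the options that apply to a given user: global keywords first, then the keywords of any Match block whose criteria the user satisfies. The user and group names (alice, root, sudo) are made up. Only the Group and User criteria are modelled, and text after '#' is treated as a comment, which is a simplification of sshd's real parser.

```python
"""Effective sshd options for a user, given a config with Match blocks (added example)."""

# Constructed fragment mirroring the two settings shown on the page.
SSHD_CONFIG = """\
Subsystem sftp /bin/false #/usr/lib/openssh/sftp-server
Match Group users
        AllowTCPForwarding yes
        X11Forwarding no
        ForceCommand /bin/false
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    match_blocks is a list of (criteria, opts); criteria is a list of
    (kind, value) pairs taken from the Match line. Keywords are lower-cased
    because sshd treats them case-insensitively.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drop '#' comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            words = value.split()
            criteria = [(words[i].lower(), words[i + 1]) for i in range(0, len(words) - 1, 2)]
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[1][key] = value
    return global_opts, blocks


def _criterion_met(kind, value, user, groups):
    names = value.split(",")  # Match accepts comma-separated lists
    if kind == "group":
        return any(g in names for g in groups)
    if kind == "user":
        return user in names
    raise ValueError(f"unsupported Match criterion in this model: {kind}")


def effective_options(text, user, groups):
    """Options sshd would apply to `user`, who belongs to `groups`.

    Keywords from matching Match blocks override the global section; when
    several blocks match, the first block that sets a keyword wins.
    """
    global_opts, blocks = parse_sshd_config(text)
    matched = {}
    for criteria, block_opts in blocks:
        if all(_criterion_met(k, v, user, groups) for k, v in criteria):
            for key, value in block_opts.items():
                matched.setdefault(key, value)
    return {**global_opts, **matched}


def shell_allowed(text, user, groups):
    """True unless a ForceCommand replaces whatever command the user requests."""
    return "forcecommand" not in effective_options(text, user, groups)


if __name__ == "__main__":
    for user, groups in (("alice", ["users"]), ("root", ["root", "sudo"])):
        print(user, effective_options(SSHD_CONFIG, user, groups))
```

For a member of group users the forced command is /bin/false, so any requested command or shell exits immediately, while AllowTCPForwarding yes still lets that user hold a connection opened with ssh -N and use port forwards through the gateway. An account that is not in group users (a local admin, in this example) gets only the global section and keeps a normal shell; the sftp subsystem is disabled for everyone because that line sits outside the Match block.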