Dns2 Setup Process
This page summarizes how the virtual machine Dns2 was set up in Spring 2010.
Install
- Installed CentOS 5.4 x64.
- Partition Scheme
- 3 GB /
- 1.5 GB /var
- 512 MB swap
- Partition Scheme
Configuration
Updated System
- Added Extra Repositories
- RPMForge Yum Repository
- Fedora EPEL Yum Repository
- Configured Yum Priorities & to use our mirror
- Edited
/etc/yum.repos.d/CentOS-Base.repo
- Edited
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
# Local change: every section points at the Clarkson mirror as baseurl and keeps
# the upstream mirrorlist= line commented out as a fallback. The mirror is reached
# over plain HTTP, so package integrity rests entirely on gpgcheck=1 and the vendor
# key below -- do not relax either. priority=1 (yum-priorities) ranks these
# repositories above every third-party repository on the host.
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
# Disabled (enabled=0) and ranked lower (priority=2): meant for explicit one-off use
# via --enablerepo, never as a standing source of packages.
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
# Same treatment as centosplus: disabled and low priority.
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
- Edited
/etc/yum.repos.d/rpmforge.repo
- Edited
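# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
# Third-party repository served from the Clarkson mirror over plain HTTP, so
# package integrity rests on gpgcheck = 1 and the dag signing key below.
# priority = 15 ranks it well below the CentOS repositories (priority 1) so that,
# with yum-priorities installed, it can never replace a vendor package.
# Spacing is "key = value" throughout this file (the priority line previously
# used "key=value"; yum accepts both, but one style per file is the convention).
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
priority = 15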
- Edited
/etc/yum.repos.d/epel.repo
- Edited
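# epel.repo -- Fedora EPEL for EL5, served from the Clarkson mirror (the upstream
# mirrorlist lines are kept commented as a fallback). Transport is plain HTTP, so
# gpgcheck=1 with the EPEL key is what protects package integrity. priority=30
# keeps EPEL below CentOS (1) and RPMforge (15) under yum-priorities.
# Keys appear in the same order in every section:
# name, baseurl, mirrorlist, failovermethod, enabled, gpgcheck, gpgkey, priority.
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30
# Debug symbols; disabled, enable with --enablerepo only for the duration of a debugging session.
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30
# Source RPMs; disabled, same usage pattern as epel-debuginfo.
[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30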
- Edited
/etc/yum.repos.d/epel-testing.repo
- Edited
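# epel-testing.repo -- pre-release EPEL packages. Every section is disabled; enable
# one explicitly (--enablerepo) only when a specific fix is needed. Same mirror,
# transport and gpgcheck=1 arrangement as epel.repo; priority=40 ranks it below
# stable EPEL (30) so a testing build never shadows a released one by accident.
# Keys appear in the same order in every section:
# name, baseurl, mirrorlist, failovermethod, enabled, gpgcheck, gpgkey, priority.
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40
[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40
[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40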
- Disabled Yum FastestMirror since using local mirror
# fastestmirror would probe public mirrors on every run; with every repo already pinned
# to the local mirror that is wasted network traffic, so switch the plugin off.
# The global substitution is safe only as long as enabled=1 is the sole such key in
# that file (it normally is -- confirm if the file is ever extended).
sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
- Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
# The priority= keys in the repo files are ignored until this plugin is present,
# so it must be installed before anything is pulled from the third-party repos.
yum install yum-priorities
- Configured Yum Priorities to check for obsoletes
echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
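# Two separate commands (the wiki rendering had fused "screen" and "yum update").
# NOTE(review): a compiler is rarely needed on a production resolver; leaving gcc out
# reduces what can be built locally on the host.
yum install vim-enhanced gcc emacs-nox screen
# Bring the fresh install fully up to date before any service is configured.
yum update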
Created User
- Created user mccarrms
# Personal admin account; -m creates the home directory.
/usr/sbin/useradd -m mccarrms
- Set password for mccarrms
# Set the password interactively -- never on the command line or in these notes.
passwd mccarrms
Configured Sudo
# Always edit sudoers through visudo: it locks the file and refuses to save a
# syntax error, which would otherwise lock everyone out of sudo.
/usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
## Shells
## Listed so they can be withheld below; /bin/su is included because it is a shell escape in its own right.
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel
## requiretty: sudo only works from an interactive terminal (blocks use from cron jobs and scripts).
## tty_tickets: cached credentials are per terminal rather than per user.
## lecture=always: the warning banner is printed on every invocation.
## logfile: each command is also written to a local file, independent of syslog.
Defaults requiretty
Defaults env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
## env_reset scrubs the caller's environment; only the variables listed here survive into the command.
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## wheel members get unrestricted root as any user; membership in wheel is equivalent to root.
%wheel ALL=(ALL) ALL
## admins get everything as root except the SHELLS alias.
## NOTE: sudoers(5) warns that '!' exclusions are not a security boundary and are easily
## circumvented; if shells genuinely must be withheld, grant an explicit allowlist of the
## command aliases above instead of ALL minus SHELLS.
%admins ALL=(root) ALL, !SHELLS
Configured Networks
- Configured hostname in
/etc/sysconfig/network
# IPv4 only; IPv6 is additionally blocked at module level in /etc/modprobe.conf.
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=dns2
# Default route for the 128.153.145.0/24 segment that ifcfg-eth0 attaches to.
GATEWAY=128.153.145.1
- Verified eth0 configuration for Clarkson Network in
/etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
# Static addressing on the Clarkson network; the default gateway is set in /etc/sysconfig/network.
DEVICE=eth0
BOOTPROTO=static
# Intentionally empty: no DHCP, so no vendor class is ever sent.
DHCPCLASS=
# MAC of the Xen virtual NIC; this value may need updating if the VM is rebuilt with a new MAC.
HWADDR=00:16:36:14:95:35
IPADDR=128.153.145.4
NETMASK=255.255.255.0
ONBOOT=yes
Configured Hosts
- Edited
/etc/hosts
# Loopback first; the host's own FQDN is answered from this file (consulted before DNS
# under the default nsswitch order), so local name lookups do not depend on named being up.
127.0.0.1 localhost.localdomain localhost
128.153.145.4 dns2.cslabs.clarkson.edu dns2.cslabs dns2
- Edited
/etc/hosts.allow
For security purposes, this information has been intentionally left off.
- Edited
/etc/hosts.deny
# tcp_wrappers default-deny: anything not explicitly permitted in hosts.allow is refused.
# This only governs services that consult libwrap; packet filtering is iptables' job.
ALL: ALL
Configured DNS Servers
- Edited
/etc/resolv.conf
# Unqualified names are tried under these domains, in order.
search cslabs.clarkson.edu clarkson.edu
# dns1 first, then this host itself (128.153.145.4).
nameserver 128.153.145.3
nameserver 128.153.145.4
Disabled IP v6
- Appended the following to
/etc/modprobe.conf
# Replace the ipv6 module load with a no-op so the IPv6 stack never comes up.
install ipv6 /bin/true
- Disabled IP v6 firewall
# With the ipv6 module blocked there is nothing for the IPv6 firewall to filter; keep it from starting.
/sbin/chkconfig ip6tables off
Configured IPtables
Due to the sensitivity of this material, the config file has been left off; however, the following rules are needed.
# Accept DNS from any source on both transports (TCP is needed for zone transfers and large answers).
# Exposing port 53 to the world is acceptable only because the external view in named.conf
# is authoritative-only (recursion off, no cache answers).
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
Configured SSH
- Edited
/etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
- Restarted sshd
# Re-read sshd_config. Keep the current session open until a fresh login succeeds,
# in case the edit locked remote access out.
/etc/init.d/sshd restart
Set Up SSH Login Banner
- Edited
/etc/issue.net
__ ___
___/ /__ ___ |_ |
/ _ / _ \(_-</ __/
\_,_/_//_/___/____/
Configured Password Requirements
- Edited
/etc/login.defs
# /etc/login.defs -- defaults consumed by shadow-utils (useradd, chage, chpasswd, ...).
MAIL_DIR /var/spool/mail
# Password ageing applied to new accounts: expire after 360 days, no minimum age,
# warn 60 days ahead.
PASS_MAX_DAYS 360
PASS_MIN_DAYS 0
# NOTE(review): on a PAM-based login stack the effective minimum length comes from
# pam_cracklib in /etc/pam.d/system-auth, not from this key -- confirm both agree.
PASS_MIN_LEN 8
PASS_WARN_AGE 60
# Regular (non-system) account id ranges.
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
# 077: useradd derives the home directory mode from this, so new homes are private to their owner.
UMASK 077
USERGROUPS_ENAB yes
# NOTE(review): MD5 password hashes are weak against offline cracking. CentOS 5.2 and
# later support SHA512 (authconfig --passalgo=sha512 updates this file and the PAM
# stack together); consider migrating and re-setting existing passwords afterwards.
MD5_CRYPT_ENAB yes
ENCRYPT_METHOD MD5
Added Custom PATH Variables
- Added the following to
/etc/profile
# Give every login shell the sbin directories so admin tools resolve without full paths.
export PATH="${PATH}:/usr/sbin:/sbin"
Configured Aliases
- Edited
/etc/aliases
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: logwatch@cslabs.clarkson.edu
# General redirections for pseudo accounts.
# Every system account's mail is funnelled to the logwatch mailbox so that cron and
# daemon output is read instead of piling up unseen in local spools.
bin: logwatch@cslabs.clarkson.edu
daemon: logwatch@cslabs.clarkson.edu
adm: logwatch@cslabs.clarkson.edu
lp: logwatch@cslabs.clarkson.edu
sync: logwatch@cslabs.clarkson.edu
shutdown: logwatch@cslabs.clarkson.edu
halt: logwatch@cslabs.clarkson.edu
mail: logwatch@cslabs.clarkson.edu
news: logwatch@cslabs.clarkson.edu
uucp: logwatch@cslabs.clarkson.edu
operator: logwatch@cslabs.clarkson.edu
games: logwatch@cslabs.clarkson.edu
gopher: logwatch@cslabs.clarkson.edu
ftp: logwatch@cslabs.clarkson.edu
nobody: logwatch@cslabs.clarkson.edu
radiusd: logwatch@cslabs.clarkson.edu
nut: logwatch@cslabs.clarkson.edu
dbus: logwatch@cslabs.clarkson.edu
vcsa: logwatch@cslabs.clarkson.edu
canna: logwatch@cslabs.clarkson.edu
wnn: logwatch@cslabs.clarkson.edu
rpm: logwatch@cslabs.clarkson.edu
nscd: logwatch@cslabs.clarkson.edu
pcap: logwatch@cslabs.clarkson.edu
apache: logwatch@cslabs.clarkson.edu
webalizer: logwatch@cslabs.clarkson.edu
dovecot: logwatch@cslabs.clarkson.edu
fax: logwatch@cslabs.clarkson.edu
quagga: logwatch@cslabs.clarkson.edu
radvd: logwatch@cslabs.clarkson.edu
pvm: logwatch@cslabs.clarkson.edu
amanda: logwatch@cslabs.clarkson.edu
privoxy: logwatch@cslabs.clarkson.edu
ident: logwatch@cslabs.clarkson.edu
named: logwatch@cslabs.clarkson.edu
xfs: logwatch@cslabs.clarkson.edu
gdm: logwatch@cslabs.clarkson.edu
mailnull: logwatch@cslabs.clarkson.edu
postgres: logwatch@cslabs.clarkson.edu
sshd: logwatch@cslabs.clarkson.edu
smmsp: logwatch@cslabs.clarkson.edu
postfix: logwatch@cslabs.clarkson.edu
netdump: logwatch@cslabs.clarkson.edu
ldap: logwatch@cslabs.clarkson.edu
squid: logwatch@cslabs.clarkson.edu
ntp: logwatch@cslabs.clarkson.edu
mysql: logwatch@cslabs.clarkson.edu
desktop: logwatch@cslabs.clarkson.edu
rpcuser: logwatch@cslabs.clarkson.edu
rpc: logwatch@cslabs.clarkson.edu
nfsnobody: logwatch@cslabs.clarkson.edu
ingres: logwatch@cslabs.clarkson.edu
system: logwatch@cslabs.clarkson.edu
toor: logwatch@cslabs.clarkson.edu
manager: logwatch@cslabs.clarkson.edu
dumper: logwatch@cslabs.clarkson.edu
abuse: logwatch@cslabs.clarkson.edu
# Conventional role names chained through the news/ftp aliases above.
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
www: webmaster
# RFC 2142 role mailboxes (abuse/security/noc/hostmaster/webmaster) all land with logwatch.
webmaster: logwatch@cslabs.clarkson.edu
noc: logwatch@cslabs.clarkson.edu
security: logwatch@cslabs.clarkson.edu
hostmaster: logwatch@cslabs.clarkson.edu
info: postmaster
marketing: postmaster
sales: postmaster
support: postmaster
# trap decode to catch security attacks
decode: logwatch@cslabs.clarkson.edu
# Person who should get root's mail
root: logwatch@cslabs.clarkson.edu
- Updated aliases
# Rebuild the aliases database; sendmail reads the compiled database, not the text
# file, so edits to /etc/aliases are silent until this runs.
/usr/bin/newaliases
Disabled Various Kernel Modules
- Added the following to
/etc/modprobe.conf
# Block modules for protocols this host never uses (PPPoE, Bluetooth, SCTP):
# fewer loadable network stacks means less kernel attack surface.
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
Installed & Configured SNMP
- Installed needed packages
# net-snmp for monitoring; ntp is presumably what the timeskew check in snmpd.conf relies on.
yum install net-snmp ntp
- Configured SNMP Daemon
/etc/snmp/snmpd.conf
# Read-only community strings (SNMP v1/v2c). The community travels in cleartext, so the
# source address after it is the only real access control: keep <ipsallowed> limited to
# the monitoring host(s) and never widen it to the whole network.
rocommunity <passphrase> 127.0.0.1
rocommunity <passphrase> <ipsallowed>
# Returned to any client that holds the community string.
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
# Disk-usage monitoring for the two partitions created at install time.
disk /
disk /var
# exec runs the named command on every poll; ntp_check must stay root-owned so only
# root can change what gets executed.
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
- Deployed ntp_check script
- Copied over ntp_check to /usr/local/sbin/
chown root.root /usr/local/sbin/ntp_check
- Configured SNMP to start at specific run levels
# Start snmpd at boot in the multi-user runlevels.
/sbin/chkconfig --levels 2345 snmpd on
- Started daemon
# Start snmpd now rather than waiting for the next boot.
/etc/init.d/snmpd start
Increased Detail of Logwatch Reports
- Set detail level to be high
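# Raise logwatch verbosity. The grep guard keeps the step idempotent: re-running these
# notes must not append a duplicate line.
grep -q '^Detail = High$' /etc/logwatch/conf/logwatch.conf || echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf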
Disabled Unneeded Services
- Referenced this page
# Disable at boot and stop immediately each service that a DNS-only host does not need.
# Order matches the original step-by-step list.
for svc in nfs nfslock rpcgssd rpcidmapd rpcsvcgssd portmap netfs anacron autofs \
           avahi-daemon avahi-dnsconfd bluetooth hidd cups firstboot gpm haldaemon \
           irda kudzu messagebus microcode_ctl pcscd readahead_early readahead_later ypbind; do
    chkconfig "$svc" off
    /etc/init.d/"$svc" stop
done
Installed BIND
Installed needed packages
# bind-chroot confines named to /var/named/chroot; every path in the configs below is relative to that root.
yum install bind bind-chroot bind-libs bind-utils
Created Configs
- Created
/var/named/chroot/etc/named.conf
// Addresses treated as "inside": the lab /23, one additional host, and loopback.
// Only these clients are matched by the internal view and get recursion.
acl cslabs {
128.153.144.0/23;
128.153.146.176;
127.0.0.1;
};
options {
// Paths are relative to the chroot (/var/named/chroot); directory is the zone root.
directory "/var/named";
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
// Hide the real version from version.bind queries (removes a fingerprint; no substitute for patching).
version "[secured]";
// Upstream resolvers used when answering recursive queries in the internal view.
forwarders { 128.153.0.254; 128.153.5.254; };
// Extra hosts allowed to send NOTIFY. A zone's masters are always accepted, so this
// entry (the host's own address) adds nothing for notifies from dns1; harmless.
allow-notify { 128.153.145.4; };
};
// rndc key (shared with rndc.conf) and the TSIG key used towards dns1.
include "/etc/rndc.key";
include "/etc/tsig.key";
// rndc control channel: loopback only, and every command must be signed with rndckey.
controls {
inet 127.0.0.1 allow { 127.0.0.1; }
keys { "rndckey"; };
};
logging {
// Debug output only; query and security logging are not configured here.
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Internal view: full recursion, public zones plus the private 10.x zones.
view "internal" IN {
match-clients { cslabs; };
recursion yes;
include "/etc/cslabs-external.inc";
include "/etc/cslabs-internal.inc";
};
// External view (everyone else): authoritative answers only. No recursion and no
// answers from cache keep the host from acting as an open resolver.
view "external" IN {
match-clients { any; };
recursion no;
allow-query-cache { none; };
include "/etc/cslabs-external.inc";
};
- Created
/var/named/chroot/etc/cslabs-external.inc
zone "cslabs.clarkson.edu" {
type slave;
file "slaves/cslabs.clarkson.edu.zone";
masters { 128.153.145.3; };
allow-transfer { none; };
};
zone "dev.cslabs.clarkson.edu" {
type slave;
file "slaves/dev.cslabs.clarkson.edu.zone";
masters { 128.153.145.3; };
allow-transfer { none; };
};
zone "145.153.128.in-addr.arpa" {
type slave;
file "slaves/145.153.128.in-addr.arpa";
masters { 128.153.145.3; };
allow-transfer { none; };
};
- Created
/var/named/chroot/etc/cslabs-internal.inc
zone "int.cslabs.clarkson.edu" {
type slave;
file "slaves/int.cslabs.clarkson.edu.zone";
masters { 128.153.145.3; };
allow-transfer { none; };
};
zone "0.0.10.in-addr.arpa" {
type slave;
file "slaves/0.0.10.in-addr.arpa";
masters { 128.153.145.3; };
allow-transfer { none; };
};
zone "sr.cslabs.clarkson.edu" {
type slave;
file "slaves/sr.cslabs.clarkson.edu.zone";
masters { 128.153.145.3; };
allow-transfer { none; };
};
zone "1.0.10.in-addr.arpa" {
type slave;
file "slaves/1.0.10.in-addr.arpa";
masters { 128.153.145.3; };
allow-transfer { none; };
};
- Created TSIG config file
- Created
/var/named/chroot/etc/tsig.key using the key present on Dns1
- Created
key "TRANSFER" {
algorithm hmac-md5;
secret "";
};
server 128.153.145.3 {
keys {
TRANSFER;
};
};
- Fixed ownership and permissions on files
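# Lock the BIND configuration down to root:named so the daemon (group named) can read
# the files while other users cannot. Absolute paths so the commands no longer depend
# on the shell's current directory, and "root:named" rather than the deprecated
# "root.named" spelling.
chown root:named /var/named/chroot/etc/cslabs-external.inc /var/named/chroot/etc/cslabs-internal.inc /var/named/chroot/etc/named.conf /var/named/chroot/etc/tsig.key
chmod o-rwx /var/named/chroot/etc/cslabs-external.inc /var/named/chroot/etc/cslabs-internal.inc /var/named/chroot/etc/named.conf
# The TSIG secret is the most sensitive file: owner read/write, group read, nothing for others.
chmod 640 /var/named/chroot/etc/tsig.key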
- Fixed permissions on directory (fixes an error I noticed in the logs; see this page for more details).
# Let the named group write into the zone directory -- presumably for the slave zone
# files and journals the daemon maintains there; only the directory itself is widened.
chmod g+w /var/named/chroot/var/named
- Created
/etc/rndc.conf
// Client-side rndc settings: talk to the local named on the standard control port,
// signing every command with rndckey.
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
server 127.0.0.1 {
key "rndckey";
};
// The key material lives in the separate file, keeping the secret out of this one.
include "/etc/rndc.key";
Configured service
- Configured
named to start on boot
# Start named at boot in runlevels 3-5.
chkconfig --levels 345 named on
- Started
named
# Start named now; check the log for zone-transfer results from dns1 afterwards.
/etc/init.d/named start
