S Y S T E M   J O U R N A L   for YborStudent.hccfl.edu

System Description:
A student-accessible server used to support several classes such as Unix and
Perl scripting.  The server is located in the OIT on the Ybor campus.

Hardware Inventory:
HCC Asset Tag #17041
Dell PowerEdge 2500
Service Tag Number: 7YXGK11 (See: http://PremierSupport.dell.com/)
Ship Date: 6/11/2002

Quantity  Part #  Description
   1      4F522   Card (Circuit), Processor, VRM-8.5, 12V
   1      5E957   PWA, Planar (Motherboard), PE2500, TUALATIN, 133
   1      6E233   Processor, 80526, 1GHZ, 256, Fiber Channel, Coppermine-Tualatin, Integrated Heat Spreader
   2      6878T   Cord, Power, 125V, 10FT, SJT, Unshielded
   1      7N242   Keyboard, 104, United States, SILITEK, Low Cost, Midnight Gray
   1      4N433   Mouse, Personal System 2, 6P, 2BTN, LOGITECH, SAW34
   1      52JRF   KIT, Cable, Power, PE2500
   3      6F777   Power Supply, 300W, Power Factor Correction
   2      94PXC   Dual In-Line Memory Module, 256, 133M, 32X72, 4K, 168, RG2
   1      18NMH   PWA, Interface, Backplane, 2X3, ULT3, P2500
   1      93HRU   Assembly, Cable, Hard Drive, PLN-BKPLN, P2500
   1      392TE   Compact Disk Drive, 650M, IDE (Integrated Drive Electronics), 5.25" Form Factor, 24X, Black, TEAC
   5      6H925   Hard Drive, 36GB, S1, 80P, 10K, FUJITSU
   1      13JPJ   Dual In-Line Memory Module, 128, 100M, 16X72, 4K, Raid on Mother Board
   1      275FR   PWA, Input/Output, PE2500/PE2550, RAID-KEY
   1      3K089   Floppy Drive, 1.44M, 3.5" Form Factor, Third Height, No Bezel, NEC
   1      700NX   Assembly, Cable, INTRPSR-PLN, P2500
   1      79NPT   Assembly, Cable, Dorado/Athens/Tualatin/Almodor, S3, Internal, Twisted Pair, P2500

----------------------------------------------------------------

Summary:
  512 MB RAM
  SCSI (Adaptec AIC7899)
  140 GB RAID 5 (Di/3) Hard disk
  ATI Mach64 Rage XL, 8 MB Video RAM
  Mouse attached: MS IntelliMouse PS2
  10/100 Ethernet NIC
  IP Address: 169.139.223.21/24
  OS: Fedora Core 4

Partition Map:
  Filesystem   Type   Mount Point   Size
  /dev/sda1    ext3   /boot         145M
  /dev/sda2    ext3   /home         48G
  /dev/sda3    ext3   /usr          38G
  /dev/sda5    ext3   /var          10G
  /dev/sda6    ext3   /var/ftp      5G
  /dev/sda7    swap   (none)        2G
  /dev/sda8    ext3   /var/log      2G
  /dev/sda9    ext3   /tmp          2G
  /dev/sda10   ext3   /             10G
  (unused free space: 17 GB)

----------------------------------------------------------------

08-02-05 WP
Initial install of server: prepare to re-install: all except /home will be
re-formatted.
  cp -Rp /opt /usr/local /root /home backup-etc   (move resulting tarball to ~wpollock)
  remove all stale user accounts.  (should've done this first!)

Anaconda install selections:
  Hardware: U.S. English keyboard
  Install (not update)
  Partitioning: Manual; See above (changed sda10 from .5G to 10G)
    format all partitions as ext3 (or swap) except sda2
  Boot loader: Use GRUB boot loader in MBR, no grub password.  Only bootable
    partition is /dev/sda10, set as default, label="Fedora Core 4".
  Network: eth0 No DHCP, Active on boot, static IP = 169.139.223.21/24,
    Hostname = "YborStudent" (Domain set in post install to "hccfl.edu"),
    Gateway IP = 160.139.223.1, 1st DNS = 169.139.222.4, 2nd DNS = 169.139.223.15
  Firewall: enabled; allow incoming: ssh, http/https, smtp (not FTP!)
  SELinux active
  Clock: Eastern Time zone (America/New_York)  Sys clock uses local time.
  Accounts: set root password
  Package Selection: Everything

Install of all 4 CDs successful!

Post Install:
Set clock for NTP - This failed because of a networking problem, will turn this
on later.  On reboot smartd failed to start - will fix configuration later.

Network problem turned out to be a wrong value for NETWORK in
/etc/sysconfig/network-scripts/ifcfg-eth0.  This appears to be an anaconda
error as you only enter the IP and netmask!

Restored local users and groups to /etc/{passwd,group,shadow,gshadow}.

Restored /opt (the backup software CAgent (ArcServ)).  Alice Scott will test
this out and re-install this or replacement as necessary.

Hardware problem noted with power supply.  As box is still under service
contract, AS reported the problem and a new power supply is expected by
tomorrow.  Notice the BIOS version is A07, very old.
AS may update that at same time.

Ran yum -y update.  This failed: many kde language packages conflicted with
kdelibs package.  Ran yum install kdelibs-3.4.2-0.fc4.1.  Failed: No
repositories were found.  Manually fixed the repositories from yum.conf from
cws.hcc-online.com.  Needed to fix base, updates, and extras.  Now the yum
install worked!  Re-ran yum -y update.  802 packages were updated/added.
Checked for *.rpmnew files: none found (except in ~rabaut, ignored)

Added new yum repositories (in /etc/yum.repos.d):
  dag.repo
  fedora-us.repo
  jpackage.repo
  livna.repo
  macromedia.repo
These were copied from FC2 yum.conf from cws.hcc-online.com.  However, the
repos for jpackage and livna didn't work for FC4.  I downloaded and installed:
  http://rpm.livna.org/fedora/4/i386/RPMS.lvn/livna-release-4-0.lvn.2.4.noarch.rpm
And then downloaded and put into yum.repos.d:
  http://www.jpackage.org/jpackage.repo
Edited this repo: commented out non-free and generic stanza.  Problems persist
with fedora-us and macromedia repos, found working copy of macromedia repo and
installed it, the fedora-us repos support Fedora Core 1, 2, 3, and "latest".
I therefore changed the "$releasever" to "latest".  All seems working for now,
but I suspect fedora-us will change this scheme someday.

Edited /etc/hosts: added entry for our IP for YborStudent.hccfl.edu, had to
remove "YborStudent" from 127.0.0.1 line (another anaconda bug?)
  # Do not remove the following line, or various programs
  # that require network functionality will fail.
  127.0.0.1       localhost.localdomain localhost
  169.139.223.21  YborStudent.hccfl.edu YborStudent

Set the default run level to 3 (non-GUI boot) in /etc/inittab.  Also commented
out gettys for virtual consoles 4, 5, and 6; leaving 1, 2, 3, and 7 (GUI)
which should be more than enough.  Ran telinit 3 to switch run levels (and
turn off X).

Edited /etc/sysconfig/i18n: LANG="en_US" from "en_US.UTF8", which messes up
man pages and other output since RH7.3 at least.
Added the following services to chkconfig control:
  chkconfig --add dhcp6r
  chkconfig --add dund
  chkconfig --add firstboot
  chkconfig --add gdm-allow-login
  chkconfig --add gdm-early-login
  chkconfig --add hidd
  chkconfig --add pand
  chkconfig --add postfix
  alternatives --config mta     # chose postfix
  chkconfig --add xend
  chkconfig --add xendomains
  chkconfig --add zzz-bootup-complete

Added/removed these services:
  chkconfig bluetooth off
  chkconfig canna off
  chkconfig cpuspeed off
  chkconfig firstboot off
  chkconfig hidd off
  chkconfig hpoj off
  chkconfig iiim off
  chkconfig isdn off
  chkconfig mDNSResponder off
  chkconfig mdmonitor off
  chkconfig netfs off
  chkconfig nfslock off
  chkconfig nifd off
  chkconfig pcmcia off
  chkconfig portmap off
  chkconfig rhnsd off
  chkconfig rpcgssd off
  chkconfig rpcidmapd off
  chkconfig xend off
  chkconfig xendomains off
  chkconfig --level 234 xfs off
  chkconfig cups off
  chkconfig cups-config-daemon off
  chkconfig smartd off          # Seems like our RAID controller is not supported!
  chkconfig mysqld on
  chkconfig httpd on
  chkconfig ntalk on

List of service status (chkconfig --list):
  NetworkManager            0:off 1:off 2:off 3:off 4:off 5:off 6:off
  NetworkManagerDispatcher  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  acpid                     0:off 1:off 2:off 3:on  4:on  5:on  6:off
  amd                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  anacron                   0:off 1:off 2:on  3:on  4:on  5:on  6:off
  apmd                      0:off 1:off 2:on  3:on  4:on  5:on  6:off
  arptables_jf              0:off 1:off 2:on  3:on  4:on  5:on  6:off
  arpwatch                  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  atalk                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  atd                       0:off 1:off 2:off 3:on  4:on  5:on  6:off
  auditd                    0:off 1:off 2:on  3:on  4:on  5:on  6:off
  autofs                    0:off 1:off 2:off 3:on  4:on  5:on  6:off
  bgpd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  bluetooth                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  bootparamd                0:off 1:off 2:off 3:off 4:off 5:off 6:off
  canna                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ccsd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  clvmd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  cman                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  cpuspeed                  0:off 1:on  2:off 3:off 4:off 5:off 6:off
  crond                     0:off 1:off 2:on  3:on  4:on  5:on  6:off
  cups                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  cups-config-daemon        0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dc_client                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dc_server                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dhcp6r                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dhcp6s                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dhcpd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dhcrelay                  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dictd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  diskdump                  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dovecot                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  dund                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  fenced                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  firstboot                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  gdm-allow-login           0:off 1:off 2:off 3:off 4:off 5:on  6:off
  gdm-early-login           0:off 1:off 2:off 3:off 4:off 5:on  6:off
  gfs                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  gkrellmd                  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  gpm                       0:off 1:off 2:on  3:on  4:on  5:on  6:off
  haldaemon                 0:off 1:off 2:off 3:on  4:on  5:on  6:off
  hidd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  hpoj                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  httpd                     0:off 1:off 2:on  3:on  4:on  5:on  6:off
  iiim                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  innd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ip6tables                 0:off 1:off 2:on  3:on  4:on  5:on  6:off
  ipsec                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  iptables                  0:off 1:off 2:on  3:on  4:on  5:on  6:off
  ipvsadm                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  irda                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  irqbalance                0:off 1:off 2:on  3:on  4:on  5:on  6:off
  isdn                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  isicom                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  kadmin                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  kprop                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  krb524                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  krb5kdc                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  kudzu                     0:off 1:off 2:off 3:on  4:on  5:on  6:off
  ldap                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  lisa                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  lm_sensors                0:off 1:off 2:on  3:on  4:on  5:on  6:off
  lock_gulmd                0:off 1:off 2:off 3:off 4:off 5:off 6:off
  mDNSResponder             0:off 1:off 2:off 3:off 4:off 5:off 6:off
  mailman                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  mdmonitor                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  mdmpd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  messagebus                0:off 1:off 2:off 3:on  4:on  5:on  6:off
  microcode_ctl             0:off 1:off 2:off 3:off 4:off 5:off 6:off
  multipathd                0:off 1:off 2:off 3:off 4:off 5:off 6:off
  mysqld                    0:off 1:off 2:on  3:on  4:on  5:on  6:off
  named                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  netdump                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  netdump-server            0:off 1:off 2:off 3:off 4:off 5:off 6:off
  netfs                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  netplugd                  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  network                   0:off 1:off 2:on  3:on  4:on  5:on  6:off
  nfs                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  nfslock                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  nifd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  nscd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ntpd                      0:off 1:off 2:off 3:on  4:off 5:on  6:off
  ospf6d                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ospfd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  pand                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  pcmcia                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  portmap                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  postfix                   0:off 1:off 2:on  3:on  4:on  5:on  6:off
  postgresql                0:off 1:off 2:off 3:off 4:off 5:off 6:off
  privoxy                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  psacct                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  radiusd                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  radvd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rarpd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rdisc                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  readahead                 0:off 1:off 2:off 3:off 4:off 5:on  6:off
  readahead_early           0:off 1:off 2:off 3:off 4:off 5:on  6:off
  rgmanager                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rhnsd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ripd                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ripngd                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rpcgssd                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rpcidmapd                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rpcsvcgssd                0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rstatd                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rusersd                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rwalld                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  rwhod                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  saslauthd                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  sendmail                  0:off 1:off 2:off 3:off 4:off 5:off 6:off
  smartd                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  smb                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  snmpd                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  snmptrapd                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  spamassassin              0:off 1:off 2:off 3:off 4:off 5:off 6:off
  squid                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  sshd                      0:off 1:off 2:on  3:on  4:on  5:on  6:off
  syslog                    0:off 1:off 2:on  3:on  4:on  5:on  6:off
  sysstat                   0:off 1:on  2:on  3:on  4:on  5:on  6:off
  tomcat5                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  tux                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ups                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  vncserver                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  vsftpd                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  winbind                   0:off 1:off 2:off 3:off 4:off 5:off 6:off
  xend                      0:off 1:off 2:off 3:off 4:off 5:off 6:off
  xendomains                0:off 1:off 2:off 3:off 4:off 5:off 6:off
  xfs                       0:off 1:off 2:off 3:off 4:off 5:on  6:off
  xinetd                    0:off 1:off 2:off 3:on  4:on  5:on  6:off
  ypbind                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  yppasswdd                 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ypserv                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  ypxfrd                    0:off 1:off 2:off 3:off 4:off 5:off 6:off
  yum                       0:off 1:off 2:off 3:off 4:off 5:off 6:off
  zebra                     0:off 1:off 2:off 3:off 4:off 5:off 6:off
  zzz-bootup-complete       0:off 1:off 2:off 3:off 4:off 5:on  6:off
  xinetd based services:
          amanda:         off
          amandaidx:      off
          amidxtape:      off
          auth:           off
          chargen:        off
          chargen-udp:    off
          cups-lpd:       off
          cvs:            off
          daytime:        off
          daytime-udp:    off
          echo:           off
          echo-udp:       off
          eklogin:        off
          finger:         off
          gssftp:         off
          klogin:         off
          krb5-telnet:    off
          kshell:         off
          ktalk:          off
          ntalk:          on
          rexec:          off
          rlogin:         off
          rsh:            off
          rsync:          off
          swat:           off
          talk:           off
          telnet:         off
          tftp:           off
          time:           off
          time-udp:       off
          uucp:           off

Turned off all currently running services that were configured off above.

Updated /etc/xinetd.d/ntalk with:
  only_from = localhost .hccfl.edu

Ran "find-questionable-files" script, fixed permissions on world-writable files.

08-04-05 WP
Updated /etc/sysconfig/network and .../ifcfg-eth0 to not use IPv6 or IPv4
zeroconf:

  network:
    NETWORKING=yes
    NETWORKING_IPV6=no
    HOSTNAME=YborStudent
    GATEWAY=169.139.223.1

  ifcfg-eth0:
    IPADDR=169.139.223.21
    NETMASK=255.255.255.0
    DEVICE=eth0
    BOOTPROTO=static
    HWADDR=00:06:5B:3E:89:0F
    ONBOOT=yes
    TYPE=Ethernet
    NOZEROCONF=true
    IPV6INIT=false
    BROADCAST=169.139.223.255
    NETWORK=169.139.223.0

Updated /etc/profile to only run /etc/profile.d/* scripts if execute bit is set
(in addition to read).  Turned off execute bit on colorls.sh.

Updated /etc/bashrc: umask to 027, PROMPT_COMMAND not set, and only run the
profile.d/* scripts if executable (and readable).

Modified ~root/.vimrc with the settings I like.  Modified ~root/.bashrc and
.bash_profile:

.vimrc:
  set backspace=indent,eol,start  " allows backspacing over everything
  set softtabstop=4               " sets soft tab stops every 4 columns
  set expandtab                   " convert all tabs to spaces
  set shiftwidth=4                " hitting tab indents 4 columns
  set autoindent                  " indent new line to same as previous
  set background=dark             " use a color scheme appropriate for black background
  set laststatus=2                " always show status bar
  set ruler                       " show cursor position in status bar
  set showcmd                     " shows partial commands (e.g., "dd") in status bar
  set ignorecase                  " ignore case when searching
  set nohlsearch                  " don't highlight search matches
  set incsearch                   " use incremental searching
  syntax off                      " don't use color at all

.bash_profile:
  # .bash_profile

  # Get the aliases and functions
  if [ -f ~/.bashrc ]; then
      . ~/.bashrc
  fi

  # User specific environment and startup programs

  set -o ignoreeof   # only "exit" or "logout" will log me off the system.
  shopt -s huponexit
  mesg n             # Don't allow anyone to interrupt my session

  PATH=$HOME/bin:$PATH:/usr/sbin:/sbin:/usr/local/sbin

  # The following changes the sort order to ASCII order, which does
  # not ignore case or punctuation characters (such as leading periods).
  LC_COLLATE=C

  EDITOR=vim
  VISUAL=$EDITOR
  PAGER=less
  ENV=~/.bashrc
  LESS='-fXemPm?f%f .?lbLine %lb?L of %L..:$'   # Set options for less command
  MAILCHECK=1
  MAILPATH=/var/spool/mail/$USER'?Hey! You have new mail!'
  TERM=xterm

  export ENV LC_COLLATE LESS MAILCHECK MAILPATH
  export EDITOR PAGER VISUAL

  # Check for email:
  if type -p frm >/dev/null
  then
      frm -s new -s unread -q
      echo
  elif type -p mailutil >/dev/null
  then
      mailutil check /var/spool/mail/wpollock
      echo
  fi

  # Display a fortune cookie message:
  fortune
  echo

.bashrc:
  # .bashrc

  # User specific aliases and functions
  alias cp='cp -i'
  alias mv='mv -i'
  alias rm='rm -i'

  # Source global definitions
  if [ -f /etc/bashrc ]; then
      . /etc/bashrc
  fi

  alias vi=vim   # for some reason the alias is explicitly turned off
                 # by /etc/profile.d/vim.sh.

  # Turn on extended pattern matching:
  shopt -s extglob

  # Turns off '!' history expansion:
  #histchars='#'    # (that's 'ctl-^ ctl-^ #')
  set +H

  # Useful aliases:
  alias ..='cd ..'
  alias cd..='cd ..'
  alias cls=clear
  alias cr='chmod a+r'
  alias cx='chmod a+x'
  alias df='df -h'
  alias du='du -h'
  alias f=finger
  alias h='history 50'
  alias l='ls -l'
  alias la='ls -aF'
  alias li='ls -li'
  alias ls='ls -F'
  alias mc='echo ERROR with mc '
  alias mess='tail -35 /var/log/messages'
  alias nslookup='nslookup -sil'
  alias path='echo PATH=$PATH'
  alias pps='ps w -cfA'
  alias ppwd=/bin/pwd
  #alias rrm='rm -rf'

  # Define shell functions:
  lsc() { ls -C $* | more; }
  calc() { echo "$*" | bc -l; }

  # Set the Prompt:
  unset PROMPT_COMMAND
  if [ ! "$LEVEL" ]
  then
      export LEVEL=1
      PS1='YborStudent $PWD# '
  else
      let 'LEVEL = LEVEL + 1'
      PS1='YborStudent ($LEVEL) $PWD# '
  fi

Ran webazolver to initialize webalizer.

Updated /etc/updatedb.conf to run daily from /etc/cron.daily/slocate.cron, and
changed that cron script to exclude the new directory I created for students
to locate via find.

Changed /etc/cron.daily/makewhatis.cron script to exclude developer sections
(0p, 2, 3, and n hold man pages for C library functions and headers, TCL, ...)
This change only affects "man -k" (a.k.a. "apropos") and "whatis"
searching...the man pages are still viewable.

Created /usr/local hierarchy, imported contents from old YborStudent except for
perl.  Moved /usr/local/man/* to /usr/local/share/man/*.

Created symlinks for /usr/doc --> /usr/share/doc, and also /usr/man.  These
help when installing very old packages that put docs in the old places!

Added symlink for /usr/src/linux --> /usr/src/kernels/version, as this version
of Fedora puts the kernel src and docs in this new location.

Added symlink for /bin/perl --> /usr/bin/perl.

mkdir for /var/{adm,gopher,ident}.  Edited /etc/passwd so ident home is
/var/ident, not /home/ident.  pwck, grpck now happy.

Updated /etc/sysctl.conf with additional security settings.  (Some old keys
have changed names, and others are set already.)
The additions made are:

  # Additional settings by WP 8/4/05:

  # Disables replies to broadcast ICMP echo (ping), to
  # prevent a common DoS attack:
  net.ipv4.icmp_echo_ignore_broadcasts = 1

  # Disable all source routing and ICMP redirects:
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv4.conf.eth0.accept_source_route = 0
  net.ipv4.conf.lo.accept_source_route = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.eth0.accept_redirects = 0
  net.ipv4.conf.lo.accept_redirects = 0

  # Enable source route verification:
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.eth0.rp_filter = 1
  net.ipv4.conf.lo.rp_filter = 1

  # Disable ipv6 (except on lo):
  net.ipv6.conf.default.autoconf = 0
  net.ipv6.conf.all.autoconf = 0
  net.ipv6.conf.eth0.autoconf = 0
  net.ipv6.conf.lo.autoconf = 1

Installed bsd-games RPM (/usr/games), these are non-gui.
Installed fortune-mod (modern version of fortune program).

Updated /etc/issue and issue.net (a symlink to issue) (1 line):
  Welcome to YborStudent.hccfl.edu!

Updated /etc/motd (4 lines):
  This system is intended for the use of Hillsborough
  Community College current students only.
  All other use is prohibited.

08-05-05 WP
Added alias root-->wpollock in /etc/aliases, ran newaliases.

08-08-05 WP
Added ~/.inputrc file that sources /etc/inputrc.  home, end, del, and other
keys now work as expected.

Added symlink to /etc/cron.monthly to run /usr/local/sbin/set-default-expire-date.
Ran it once to set the defaults.

Edited man.config: turned off caching (catman pages), removed TCL from list of
sections to search, added additional paths to MANPATH and have it ignore
/usr/man, which is not part of the FHS and now just a symlink to
/usr/share/man.  (The same for /usr/local/man and /usr/local/share/man.)
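Added example, not part of the journal: a POSIX sh check that reads each key of a sysctl.conf-style file back from /proc/sys and reports which of the hardening settings above are actually in effect. A MISSING key is the "old keys have changed names" case noted in the 08-04-05 entry (or an interface such as eth0 that does not exist). PROC_SYS_ROOT is a hypothetical override variable, assumed here so the same check can run against a constructed directory tree as well as the live /proc/sys.

```shell
#!/bin/sh
# Added example (not from the journal): verify that the settings in a
# sysctl.conf-style file are really in effect by reading each key back
# from /proc/sys.  PROC_SYS_ROOT is a hypothetical override (default
# /proc/sys) so the check can also run against a constructed tree.
: "${PROC_SYS_ROOT:=/proc/sys}"

# Emit "key<TAB>value" for every "key = value" line in $1,
# ignoring comments and blank lines.
sysctl_pairs() {
    awk '{
        sub(/#.*/, "")                      # drop comments
        i = index($0, "=")
        if (i == 0) next                    # blank or malformed line
        key = substr($0, 1, i - 1)
        val = substr($0, i + 1)
        gsub(/[ \t]/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key != "") print key "\t" val
    }' "$1"
}

# Print one line per key: OK, MISMATCH (kernel holds a different value) or
# MISSING (no such /proc/sys entry: key renamed in this kernel, or it names
# an interface that does not exist).  Returns the number of keys that are
# not in effect, so 0 means the whole file is applied.
check_sysctl_file() {
    tab=$(printf '\t')
    bad=0
    while IFS="$tab" read -r key want; do
        [ -n "$key" ] || continue
        want=$(printf '%s' "$want" | tr -s ' \t' ' ')
        path="$PROC_SYS_ROOT/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path)"
            bad=$((bad + 1))
            continue
        fi
        # multi-value keys are tab separated in /proc; normalise to one space
        got=$(tr -s ' \t\n' ' ' < "$path")
        got=${got% }
        if [ "$got" = "$want" ]; then
            echo "OK       $key = $got"
        else
            echo "MISMATCH $key: want $want, got $got"
            bad=$((bad + 1))
        fi
    done <<EOF
$(sysctl_pairs "$1")
EOF
    return $bad
}

# Run directly:  sh check-sysctl.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then
    check_sysctl_file "$1"
fi
```

The exit status is the number of keys not in effect, so the script can run from cron and mail only on failure.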
Restored /etc/quotatab:
  #
  # This is sample quotatab (/etc/quotatab)
  # Here you can specify description of each device for user
  #
  # Comments begin with hash in the beginning of the line
  # Modified 6-04-03 by WP

  # Example of description
  /dev/sda2: /home (Your home directory)
  /dev/sda5: /var (Your email folder)
  /dev/sda9: /tmp (System-wide temporary directory)

Commented out all lines in /etc/quotagrpadmins.
Added warnquota.cron to cron.daily to run warnquota command.
Modified warnquota.conf: commented out "CC_TO root" line.
Ran quotacheck to initialize aquota.user DB on /tmp, /var.  Then chmod a+r on
those files (so users can run "quota" command).

Installed chkrootkit package via yum.
Installed pwgen package manually (from findrpm.net).
Installed apt (port of apt-get) package via yum.
Installed html2text (--nodeps, alternatives is installed), deb.
Installed alien from tarball (package wouldn't install).  This required
html2text and deb.  I installed apt to grab those debian packages but that
didn't work because you must configure /etc/apt/* with the correct repository
information.  After building I noticed a new directory /share that was
created.  Makefile didn't define PREFIX=/usr, so fixed that and rebuilt, then
removed /share.

Removed /usr/local/bin/perl*, .../cpan (the standard versions are now in
/usr/bin), checkinstall, makepak.  Configured cpan.  Installed checkinstall
from rpm.
Removed from /usr/local/bin: a2p, c2ph, find2perl, GET, POST, HEAD, pwgen,
dprofpp, enc2xs, h2ph, h2xs, libnetcfg, lwp-{download,mirror,request,rget},
piconv, pl2pm, pod*, psed, pstruct, s2p, splain, xsubpp.  Also removed local
man pages for these.
Removed from /usr/local/lib: checkinstall, installwatch.so.

Added "usrquota,nodev" to /home, /tmp, and /var in /etc/fstab.
Added "acl" to /, /usr, /home, /tmp, /var, and /var/log.
The new fstab:
  # This file is edited by fstab-sync - see 'man fstab-sync' for details
  LABEL=/1          /               ext3    defaults,acl                    1 1
  LABEL=/boot1      /boot           ext3    defaults                        1 2
  /dev/devpts       /dev/pts        devpts  gid=5,mode=620                  0 0
  /dev/shm          /dev/shm        tmpfs   defaults                        0 0
  LABEL=/home       /home           ext3    defaults,usrquota,nodev,acl     1 2
  /dev/proc         /proc           proc    defaults                        0 0
  /dev/sys          /sys            sysfs   defaults                        0 0
  LABEL=/tmp1       /tmp            ext3    defaults,usrquota,nodev,acl     1 2
  LABEL=/usr1       /usr            ext3    defaults,acl                    1 2
  LABEL=/var1       /var            ext3    defaults,usrquota,nodev,acl     1 2
  LABEL=/var/ftp1   /var/ftp        ext3    defaults                        1 2
  LABEL=/var/log1   /var/log        ext3    defaults,acl                    1 2
  LABEL=SWAP-sda7   swap            swap    defaults                        0 0
  /dev/fd0          /media/floppy   auto    pamconsole,exec,noauto,managed  0 0
  /dev/hda          /media/cdrom    auto    pamconsole,exec,noauto,managed  0 0

Updated /etc/pam.d/su to require users to be in group wheel.

Updated /etc/ssh/sshd_config (egrep -v '^#|^$' /etc/ssh/sshd_config):
  Protocol 2
  SyslogFacility AUTHPRIV
  PermitRootLogin no
  PasswordAuthentication yes
  ChallengeResponseAuthentication no
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  UsePAM yes
  X11Forwarding yes
  KeepAlive yes
  ClientAliveInterval 20
  ClientAliveCountMax 3
  Banner /etc/issue.net
  Subsystem sftp /usr/libexec/openssh/sftp-server
(Changes from default config: PermitRootLogin, X11Forwarding, KeepAlive,
ClientAlive*, and Banner.)

Restored old /etc/sudoers file:
  # sudoers file.
  #
  # This file MUST be edited with the 'visudo' command as root.
  #
  # See the sudoers man page for the details on how to write a sudoers file.
  #
  # Host alias specification

  # User alias specification
  User_Alias PW_USERS = wpollock, rabaut, schatzow, blevins, cmercer, ascott, lmalave
  User_Alias QUOTA_USERS = wpollock, rabaut, schatzow, blevins, cmercer, ascott, lmalave
  User_Alias CLASS_MGMT_USERS = wpollock, rabaut, schatzow

  # Cmnd alias specification
  Cmnd_Alias PW = /usr/bin/passwd -[ulS] [a-zA-Z]*, \
                  /usr/bin/passwd [a-zA-Z]*, \
                  !/usr/bin/passwd root, !/usr/bin/passwd wpollock, \
                  !/usr/bin/passwd -* root, !/usr/bin/passwd -* wpollock
  Cmnd_Alias QUOTA = /usr/bin/quota, /usr/sbin/repquota
  Cmnd_Alias CLASS_MGMT = /usr/local/sbin/add-users, /usr/local/sbin/remove-users

  # Defaults specification
  #Defaults:wpollock !authenticate

  # User privilege specification
  root    ALL=(ALL) ALL

  # Uncomment to allow people in group wheel to run all commands
  # %wheel        ALL=(ALL)       ALL

  # Same thing without a password
  # %wheel        ALL=(ALL)       NOPASSWD: ALL

  # Samples
  # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
  # %users  localhost=/sbin/shutdown -h now

  PW_USERS          YborStudent, YborStudent.hccfl.edu, localhost = PW
  QUOTA_USERS       YborStudent, YborStudent.hccfl.edu, localhost = QUOTA
  CLASS_MGMT_USERS  YborStudent, YborStudent.hccfl.edu, localhost = CLASS_MGMT

Restored /var/ftp/ with welcome.msg, pub/rebaut and pub/schatzow.
Changed ~ftp in /etc/passwd: /var/ftp --> /var/ftp/./pub

Added default domain name (search directive) in /etc/resolv.conf:
  nameserver 169.139.222.4
  nameserver 169.139.222.15
  search hccfl.edu

Set root password for mysql.  Annoyed that I lost the old mysql setup, as I
forgot to back it up before the upgrade!

Copied /etc/skel --> skel.old, removed/edited startup files in skel.

Added /etc/profile.d/msgs.sh to run /usr/local/bin/msgs cmd on startup.

Added 'umask 027' for /etc/csh.cshrc and /etc/zshenv.

Installed pam_abl (auto black list) module and configured sshd to use it.
Documentation was installed in man1 and man8.
This module checks for too many failed login attempts and "shuns" the IP
address and/or user for some interval (default is 2 days).  This should
prevent most sshd dictionary attacks.  Added to /etc/pam.d/sshd:
  auth required pam_abl.so config=/etc/security/pam_abl.conf
And the current config file is:
  # /etc/security/pam_abl.conf
  # debug
  host_db=/var/lib/pam_abl/hosts.db
  host_purge=2d
  host_rule=*:10/1h,30/1d
  user_db=/var/lib/pam_abl/users.db
  user_purge=2d
  user_rule=!root:10/1h,30/1d

Added group read and ACLs to make /var/lib/pam_abl/* readable/writable by
wpollock, rebaut.  This way we can use the "pam_abl" command to view status or
purge DB.

Updated logrotate to include pam_abl:

Edited /etc/log.d/conf/services/sshd.conf, to remove the "pam_succeed_if" and
"pam_abl" messages (from the sshd section):
  # Added 8/8/05 by WP: This version of pam_succeed_if is old and doesn't
  # recognize the "quiet" flags.
  #*Remove = pam_succeed_if   # don't need this here, new logwatch section for this created.
  *Remove = pam_abl
(Also modified secure.conf to ignore pam_abl.)

Added new logwatch service pam_abl.conf:
  ################################################################
  # $Id: pam_abl.conf,v 1.0 2005/07/24 17:03:10 wpollock Exp $
  ################################################################

  Title = "pam_abl"

  # Which logfile group...
  LogFile = secure

  # Only give lines pertaining to the pam_abl service...
  *OnlyService = pam_abl
  *RemoveHeaders

  ########################################################
  # This was written and is maintained by:
  #    Wayne Pollock
  #
  # Please send all comments, suggestions, bug reports,
  # etc, to pollock@acm.org
  ########################################################

Added new logwatch script pam_abl:
  #!/bin/bash
  ################################################################
  # $Id: pam_abl,v 1.2 2005/07/29 22:56:04 wpollock Exp $
  ################################################################
  sort | uniq -c | sort -nr | sed 's/^ *\([0-9]* \)\(.*\)$/\2 (\1times)/'

Added extra security settings to sendmail.mc.  Rebuilt sendmail.cf.

08-09-05 WP
Reconfigured apache by editing /etc/httpd/conf/httpd.conf.  Took me quite a
while to realize that SELinux was preventing access to CGI and user home
directories (UserDir).  To fix, I ran this to disable SELinux checking for
httpd daemons:
  setsebool -P httpd_disable_trans 1
(I first tried the instructions in the httpd_selinux man page:
  setsebool -P httpd_enable_cgi 1
  restorecon -R ~wpollock/public_html/
  chcon -R -t httpd_sys_content_t ~wpollock/public_html
but I realized I'd have to do this for every user.  And it didn't work, I
must've done something wrong or omitted some step.)

Added /etc/profile.d/huponexit.sh.  Sending HUP signal kills many background
jobs students accidentally leave running.

Fixed the timezone data files to the correct settings according to what FC4
tzset utilities and glibc library functions look for:
  ln -s /usr/share/zoneinfo/America/New_York /usr/share/zoneinfo/localtime
  rm /etc/localtime; ln -s /usr/share/zoneinfo/localtime /etc/localtime
(For some reason this is never right on Fedora out of the box.)

Added ACLs: read permission for wpollock pollock to /var/log/messages*

Installed /usr/local/bin/frm (and local man page).  Note: this binary is part
of some email package, I just scp-ed the binary and man page from
cws.hcc-online.com.
Added /etc/logrotate.d/audit.log to rotate the audit logs.  Of course this is
only done since we don't actually audit this server.  Rather, with SELinux,
messages that used to go to messages and dmesg now go here.  See auditctl for
more information:
  # You don't do this in real life on an audit log!
  # You should archive these someplace before removal.
  /var/log/audit/*log {
      missingok
      notifempty
  }

Installed pine (from RPM).

Installed SOAP::Lite from "cpan".  (For Mike.)  Note that after install need
to run:
  # cd /usr/lib/perl5/site_perl/5.8.6
  # chmod -R a+r .
  # find . -type d | xargs chmod a+x
(A smarter idea would be to change umask to 022 before install!)

08-12-05 WP
Re-wrote "add-users" script, a wizard to create many classes of student
accounts easily.  (The "remove-users" script was unchanged at this time.)

Re-configured pam_abl to only block hosts, not user accounts.

Added favicon.ico, index.html, and robots.txt to /var/www/html.  The
index.html is a brief message to students, letting them know they probably
reached the server in error, and to try PuTTY instead of a web browser.
The robots.txt file:
  # This policy file forbids any automated web crawler
  # from searching or indexing this web site:
  User-agent: *
  Disallow: /

08-13-05 WP
Closed some ports the default iptables ruleset allows
(/etc/sysconfig/iptables):
  # Firewall configuration written by system-config-securitylevel
  # Manual customization of this file is not recommended.
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :RH-Firewall-1-INPUT - [0:0]
  -A INPUT -j RH-Firewall-1-INPUT
  -A FORWARD -j RH-Firewall-1-INPUT
  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
  -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
  -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
  # HOWL port, used for zeroconf networking.
  #-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
  # CUPS (IPP) port, turn on if printing support is wanted:
  #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
  COMMIT

Fixed a bug in /etc/bashrc that prevented scp from elsewhere to YborStudent
from working!  Changed:
  if ! shopt -q login_shell ; then        # We're not a login shell
to:
  if [ "x$SHLVL" != "x1" ]; then          # We're not a login shell

08-24-05 WP
Re-worked the iptables rules to close additional ports I don't know what they
are used for: 50, 51.  Also changed the SSH rules to rate limit SSH
connections to 5 per minute (long lines have been wrapped):
  # Firewall configuration written by system-config-securitylevel
  # Manual customization of this file is not recommended.
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT # IPv6 auth and crypt protocols, used with authentication, encryption headers: -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT # HOWL port, used for zeroconf networking: #-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT # CUPS (IPP) port, turn on if printing support is wanted: #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow unlimited SSH connections from HCC: -A RH-Firewall-1-INPUT -s 169.139.223.1 -m state --state NEW -m tcp -p tcp \ --dport 22 -j ACCEPT # Here we limit users to 5 ssh connects per minute, or the connection is dropped: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 \ -m limit --limit 5/min -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 22 -j DROP -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT # Reject anything not permitted by above rules: -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT 09-01-05 WP chmod 644 /var/log/lastlog; chmod 664 /var/log/wtmp*; chmod 600 /var/log/btmp Fixed permissions for [bw]tmp in /etc/logrotate.conf too. 9-21-05 WP Created "cvsanon" user and group (uid 200). Account is locked, with /sbin/nologin as shell and /var/cvs has home. 
A quota was added for this user on /var: setquota -u cvsanon 80000 100000 1000 1500 /var Opened port TCP/2401 (CVS pserver): # Open port for CVS pserver (for testing: later require SSH tunnel): -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2401 -j ACCEPT Created CVS repository in /var/cvs, with "anoymous" access( no password, mapped to user "cvsanon"). This should allow Java students (and anyone else) to create and use CVS with eclipse remotely. (TODO: Secure using SSH, set up read-only modules for model solutions) 10-10-05 WP Started the X font server, so Alice Scott can "startx" and use the GUI backup software. Fixed the CVS repo to use ssh only. (Closed the added firwall hole.) 10-12-05 WP Started the X font server, so Alice Scott can "startx" and use the GUI backup software. Discovered that "livna" YUM repository is not compatible with the others. This prevents YUM from running. I have updated the yum.repos.d/* files with new repos (and removed livna). The original repos are saved in ~root. Running yum resulted in over 300 updates! These are installing now. 11-17-05 WP chmod 000 /etc/cron.weekly/makewhatis.cron. This already runs daily. Edited the section list in /etc/cron.daily/makewhatis.cron, to remove non-existant section "l". Added an "intro" section to all man sections that don't have one already: 0p, 1p, 3p, 9, and n. 11-18-05 WP Put custom nohup in /usr/local/bin, which works correctly by closing stdin. 
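The 08-24-05 ruleset depends on rule order: the rate-limited ACCEPT for port 22 only means anything because it sits ahead of the unconditional DROP, and the `limit` match is a single token bucket shared by every remote host, not a per-source counter, which is why the ruleset exempts the HCC NAT address before the limited rule. The following shell script is an added example, not part of this journal, that audits an iptables-save style file (the format of /etc/sysconfig/iptables) for three properties: which TCP ports accept NEW connections, whether the limited SSH ACCEPT precedes the SSH DROP, and whether every LOG rule carries its own `-m limit`, since an unlimited LOG rule grows /var/log/messages as fast as packets arrive. The two rulesets embedded in it are constructed, modelled on the RH-Firewall-1-INPUT chain above; one is correct and the other reverses the SSH pair and logs without a limit.

```shell
#!/bin/sh
# Added example (not part of the journal): audit an iptables-save style
# ruleset for three properties the 08-24-05 rules depend on.  Both
# rulesets below are constructed, modelled on the RH-Firewall-1-INPUT chain.

SAMPLE_GOOD='
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 169.139.223.1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 5/min -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-REJECT: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
'

# Same chain with two mistakes: the SSH DROP comes before the limited
# ACCEPT (so the limit never applies), and the LOG rule has no limit.
SAMPLE_BAD='
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 5/min -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-prefix "FW-REJECT: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
'

# List the TCP ports that accept NEW connections, sorted, on one line.
new_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^-A / && /--state NEW/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -nu | xargs
}

# Succeed only if a rate-limited ACCEPT for port 22 exists and comes
# before a DROP for port 22; iptables evaluates a chain top to bottom.
ssh_limit_ordered() {
    printf '%s\n' "$1" | awk '
        /^-A / && /--dport 22( |$)/ && /-m limit/ && /-j ACCEPT/ && !lim { lim = NR }
        /^-A / && /--dport 22( |$)/ && /-j DROP/ && !drp { drp = NR }
        END { exit !(lim && drp && lim < drp) }'
}

# Count LOG rules that carry no -m limit of their own.
unlimited_log_rules() {
    printf '%s\n' "$1" | awk '/^-A / && /-j LOG/ && !/-m limit/ { n++ } END { print n + 0 }'
}

# Print a short report; return 1 if either check fails.
audit_ruleset() {
    rules=$1
    status=0
    echo "TCP ports accepting NEW connections: $(new_tcp_ports "$rules")"
    if ssh_limit_ordered "$rules"; then
        echo "ok: limited SSH ACCEPT precedes the SSH DROP"
    else
        echo "PROBLEM: SSH limit/DROP pair missing or in the wrong order"
        status=1
    fi
    n=$(unlimited_log_rules "$rules")
    if [ "$n" -eq 0 ]; then
        echo "ok: every LOG rule is rate limited"
    else
        echo "PROBLEM: $n LOG rule(s) without -m limit (log flooding risk)"
        status=1
    fi
    return $status
}

echo "== constructed good ruleset =="; audit_ruleset "$SAMPLE_GOOD"
echo "== constructed bad ruleset ==";  audit_ruleset "$SAMPLE_BAD" || :
```

To run it against the live file, call `audit_ruleset "$(cat /etc/sysconfig/iptables)"` after sourcing the functions; the port list is the quick sanity check to compare against what the server is meant to offer (22, 25, 80 here), and the LOG check is the one to keep once a logging rule is added "just to be sure".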
11-22-05 WP

Updated pam_abl config file in /etc/security/pam_abl.conf (Some HCC students were triggering the block, which blocks all users from HCC; the NAT means all internal HCC hosts appear as 169.139.223.1, or fwacad.hccfl.edu):

    # /etc/security/pam_abl.conf
    # debug
    host_db=/var/lib/pam_abl/hosts.db
    host_purge=6h
    #host_rule=*:10/1h,30/1d
    host_rule=!169.139.223.1:10/1h,30/1d
    #user_db=/var/lib/pam_abl/users.db
    #user_purge=2d
    #user_rule=!root:10/1h,30/1d
    #user_rule=!wpollock:10/1h,30/1d

11-23-05 WP

Disabled cvs pserver (from xinetd.d/cvs). For now.

Disabled pam_abl (commented out from /etc/pam.d/sshd). Someone at HCC was tripping this, and with the NAT all of HCC appears to be at that one IP address, so no local user could login! (My "fix" put in yesterday didn't work!)

12-01-05 WP

Ran yum update. As before 4 kernel related packages had to be updated first, then the main update works. The 4 packages were cman-kernel, GFS-kernel, dlm-kernel, and gnbd-kernel.

12-02-05 WP

Ran yum clean packages. Freed up about 25% of /var.

12-23-05 WP

Learned today why boot.log is always empty. Fedora Core 4 did that on purpose as the team didn't feel this log was useful. They are wrong, but the boot logging must be enabled manually in FC4. Here is the recipe:

    # cp -p /usr/bin/logger /sbin
    # cd /etc/init.d
    # cp syslog syslog.orig
    # vi syslog.orig
    # diff syslog.orig syslog
    6c6
    < # chkconfig: 2345 12 88
    ---
    > # chkconfig: 2345 0 99
    # chkconfig --del syslog; chkconfig --add syslog
    # cp functions functions.orig
    # vi functions
    # diff functions.orig functions
    370a371
    > logger -p local7.info -t "$0" -- "$1 succeeded"
    380a382
    > logger -p local7.info -t "$0" -- "$1 failed"
    392a395
    > logger -p local7.info -t "$0" -- "$1 succeeded"
    402a406
    > logger -p local7.info -t "$0" -- "$1 succeeded"

Also, check that /etc/logrotate.d/syslog contains an entry for boot.log.

Cleaned up the *.rpmnew and *.rpmsave files, except the two .rpmsave files /etc/log.d/conf/services/{secure.conf.rpmsave,sshd.conf.rpmsave}. Not sure what should be done with these, will keep an eye on the logwatch output to see if these should be restored.

Removed "rhgb" and "quiet" from the grub.conf list of kernel parameters. "rhgb" causes an X window boot, removing it makes booting faster. "quiet" suppresses log messages. For full logs you need to also add "audit=1".

01-11-06 WP

Fixed problem with /etc/cron.daily/tmpwatch (caused by yum update???). It was complaining that aquota.user needed to be deleted but couldn't. Actually it shouldn't try, so I modified tmpwatch to skip this file. I also added a missing shebang line and reformatted:

    #!/bin/sh
    # Modified 1/11/06 by WP: added shebang line, added skip of aquota.user,
    # reformatted long line.
    /usr/sbin/tmpwatch -x /tmp/.X11-unix -x /tmp/.XIM-unix -x /tmp/.font-unix \
        -x /tmp/.ICE-unix -x /tmp/.Test-unix -x /tmp/aquota.user \
        240 /tmp
    /usr/sbin/tmpwatch 720 /var/tmp
    for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
        if [ -d "$d" ]; then
            /usr/sbin/tmpwatch -f 720 $d
        fi
    done

----------------------------------------------------------------------------

02-01-06 WP

Installed nail(1) mailx replacement. For some reason the mailx package for Fedora includes the mailx man pages but only the enhanced mail command, not mailx. Nail is a "new mailx". Added /usr/local/bin/mailx that just says to use nail(1) instead. Hopefully this will clear up the confusion of CTS-1106 students looking for mailx.

02-10-06 WP

Changed postfix configuration (main.cf), to use procmail as MDA. This is because some people rely on ~/.procmailrc to work! Note that /usr/bin/procmail must be SUID root to act as a MDA.

02-16-05 WP

Updated the SELinux rules, to allow talk (the in.ntalkd daemon). I didn't realize this was blocked until a student brought it to my attention today. Examining the various logs, I realized SELinux was the culprit (eventually). The following rules were added to the /etc/selinux/targeted/src/policy/domains/misc/local.te file:

    # Added rules from audit2allow, to enable in.ntalkd to work:
    allow inetd_child_t initrc_var_run_t:file { read write };
    allow inetd_child_t initrc_var_run_t:file lock;
    allow inetd_child_t devpts_t:dir search;
    allow inetd_child_t devpts_t:chr_file getattr;
    allow inetd_child_t devpts_t:chr_file write;

and then I rebuilt the policy with:

    cd /etc/selinux/targeted/src/policy; make policy install load

The rules were found, one by one, by running:

    audit2allow -v -l

    DOC_DIR="/usr/share/doc"
    52c52
    < INSTYPE=""
    ---
    > INSTYPE="R"
    58c58
    < PAK_DIR=""
    ---
    > PAK_DIR="."
    81c81
    < DEL_SPEC=1
    ---
    > DEL_SPEC=0
    120c120
    < EXCLUDE=""
    ---
    > EXCLUDE="/selinux"

Added notice to /etc/motd, that the system will soon be updated:

    This system is intended for the use of Hillsborough Community College
    current students only.  All other use is prohibited.

    NOTICE:  The YborStudent server will be updated to a new version of
    Linux, sometime between now and the start of Fall 2006 semester.
    You should expect an outage of up to a week, and should backup any
    important data.

07-20-06 WP

Alice Scott added new user 'bck' for backups, and installed new backup software "/usr/omni/*" with new omni xinetd service. This new software works with the tape library system and replaces the old ArcServ backup system. However the firewall holes aren't correct yet so no backups are possible. Will coordinate with Roy Johnson (x7701) to resolve.

07-21-06 WP

Replaced Dag Yum repository with Dries and FreshRPMs.

Added correct firewall holes for new backup service. It has been tested (backup but not restore) and works. YborStudent is now on the regular OIT backup schedule. The new firewall rules are:

    # Data Protector Backup Server (Tape Library) Ports:
    -A RH-Firewall-1-INPUT -p tcp -s 169.139.223.1 --dport 5555 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -s 169.139.223.1 --dport 2157 -j ACCEPT

07-26-06 WP

Removed iptables hole for port 2157, Roy must have been mistaken about the backup server ("omni") needing that port as well as 5555.

Added a logging rule to iptables to capture dropped packets, just to be sure. This rule may be removed in the future.

08-03-06 WP

Installed Unison 2.17.1 as /usr/local/bin/unison. (No man page is available yet.)

08-10-06 WP

Installed livna.org RPM repository for yum, and disabled it so it won't be used by default. This is because many livna RPMs don't work well with standard RPMs, however livna does include several packages (e.g., Nvidia driver RPMs) not found elsewhere. To use, run:

    yum --enablerepo livna install

09-01-06 WP

An "nmap localhost" shows "freeciv" service running on TCP/5555. But TCP/5555 is omni. I located the omni log files and noticed that this has never worked, reporting an illegal server address:

    08/31/2006 04:34:44 AM INET.785.0 ["inet/allow_deny.c /main/dp55/8":526] A.05.50 bPHSS_32323/PHSS_32324/DPSOL_00125
    A request 3 (vbda) came from host fwacad.hccfl.edu which is not a cell manager of this client
    Thu 31 Aug 2006 04:34:44 AM EDT [root.sys@admapps.hccfl.edu] : vbda

After looking around I changed /usr/omni/config/client/cell_server from:

    admapps.hccfl.edu

to:

    fwacad.hccfl.edu

(This should be the real server name, but as YborStudent is outside the firewall, NAT applies, so the source appears to be fwacad, a strange name!) I will check tomorrow to see if this fixes the problem. Note: This is a dangerous fix, basically allowing any server from within HCC to act as an omni server.

09-05-06 WP

Noticed /etc/skel/.kde, removed it.

09-07-06 WP

Modified /etc/cron.daily/yum.cron by removing "-d 0" option. As yum runs that option causes silent operation, so no logging is reported via logwatch. Removing this should fix that.

Noticed omni ran without errors today!

09-12-06 WP

Fedora Core 4 is now supported via the Fedora Legacy Updates project. I have installed the RPM for that (updates yum repository).

Installed John the Ripper password cracker. (OIT folk use weak passwords, will ask them to change.)

Installed Bastille. Installed via cpan: Bundle::CPAN (update), Curses (used for Bastille).

09-15-06 WP

Added "-b /usr/bin/john" to /etc/prelink.conf. Prelink runs from cron.daily and for some reason john (John the Ripper) causes it to abort. This line causes prelink to skip john.

09-25-06 WP

Installed tripwire. FC4 makes this very easy (yum install tripwire).

    vi /etc/tripwire/twpol.txt

(Commented out about 50 items not installed on YborStudent, and commented out checks for /root/.?*, leaving in a few of those however.) Then:

    tripwire-setup-keyfiles
    tripwire --init

09-28-06 WP

Alarmed at the huge log files (>700M!), I have stopped logging rejected packets, by commenting out the line in /etc/sysconfig/iptables and restarting iptables.

Added "compress" to the logrotate command for /var/log/messages, in /etc/logrotate.d/syslog.

10-19-06 WP

Removed cvsanon user and cvsusers group. Created new cvs setup, accessible by local users or via ssh:

    # New cvs setup accessible by local users or via ssh:
    # Create cvs user and group, to own the repositories:
    mkdir /var/cvs-repos
    useradd -c "CVS User" -d /var/cvs-repos -M cvs -s /sbin/nologin
    gpasswd -a wpollock cvs
    gpasswd -a rabaut cvs
    pwck
    grpck
    chage -l cvs
    chage -E -1 cvs

    # Setup email aliases for cvs and cvs-admin-:
    vi /etc/aliases       # forward to pollock@acm.org
    newaliases            # or: postalias /etc/aliases

    # Set up a group quota for /var, for group "cvs":
    cd /var
    touch aquota.group
    chmod a+r aquota.group
    vi /etc/fstab
    # Changed this line:
    # /dev/sda5  /var  ext3  defaults,usrquota,grpquota,nodev,acl  1 2
    mount /var -o remount
    quotacheck -vgcM /var
    setquota -g cvs 100000 150000 300 500 /var

    # Set correct owner, group for ~cvs, and set default permissions:
    cd ~cvs
    mkdir .ssh
    chown -R cvs.cvs .
    chmod g+ws .
    setfacl -m d:g:cvs:rwX .

    # Create a repository for the COP-2805 class:
    mkdir cop2805
    export CVSROOT=/var/cvs-repos/cop2805
    cvs init
    cd
    mkdir cvsproj
    cd cvsproj
    cvs import -m 'Create empty project' cvsproj vendor start
    cd
    rmdir cvsproj

    # Configure repository:
    cvs checkout CVSROOT
    cd CVSROOT
    vi notify
    # Added this line:
    # ALL mail -s "YborStudent CVS notification - cop2805" cvs
    vi users    # Lists email address to use, rather than local mail
    # Added the line:  wpollock:pollock@acm.org
    cvs add users
    cvs commit -m 'Allow use of cvs watch command' notify users
    vi loginfo
    # Added the following:
    # Notify cvs administrator of all commits:
    ALL mail -s "YborStudent CVS Repository commit by $USER to module %p %s" cvs
    # Maintain a current snapshot in my secure web site (for easy access):
    #^cvsproj\(/\|$\) (date; cat; (sleep 2; cd /home/wpollock.com/secure-html/cvsproj; cvs -q update -d) &) >> $CVSROOT/CVSROOT/updatelog 2>&1
    ^cvsproj\(/\|$\) (date; cat; (sleep 2; ssh wpollock@wpollock.com '(cd /home/wpollock.com/secure-html/cvs-repos; CVS_RSH=ssh cvs -q -d :ext:wpollock@yborstudent.hccfl.edu/var/cvs-repos/cop2805 update -d cvsproj)') &) >>$CVSROOT/CVSROOT/updatelog 2>&1
    cvs commit -m 'Automatically maintain current copy in my private website, and send email notice to cvs-admin-cop2805 (pollock@acm.org) after each commit' loginfo
    cd ..
    cvs release -d CVSROOT

    # Setup website to hold snap-shot of module:
    # (accessed with: https://yborstudent.hccfl.edu/~wpollock/ )
    cd ~wpollock/secure-html
    vi index.htm    # Add link to cvs-repos directory
    mkdir cvs-repos
    chgrp cvs cvs-repos
    chmod g+s,a+rx cvs-repos
    setfacl -m d:o::rX cvs-repos
    vi cvs-repos/index.php
    chmod a+r cvs-repos/index.php
    CVS_RSH=ssh \
    cvs -q -d :ext:wpollock@yborstudent.hccfl.edu/var/cvs-repos/cop2805 \
        checkout cvsproj
    # Adjust permissions if needed.

    # Add accounts for students, using official HCC user ID:
    useradd -c "Gloria Giraldo (cop2805 CVS)" -m ggiraldo
    gpasswd -a ggiraldo cvs
    passwd ggiraldo
    ...    # repeat for all COP-2805 students

10-25-06 AS

Changed /usr/omni/config/client/cell_server from "fwacad.hccfl.edu" (the firewall NAT address for HCC) to "hcc44a.hccfl.edu". May need to update iptables?

11-09-06 WP

Commented out "auto.net" from "auto.master". This disables automounting of NFS on /net. We don't use NFS on this server.

Changed iptables firewall rule for "omni" ("data protector" backup server) from IP 169.139.223.1 to IP 169.139.222.40. Apparently OIT updated the backup server and moved it on 10/22/06, and no backups have been done since then!

11-16-06 WP

Changed default locale. Edited /etc/sysconfig/i18n to set:

    LANG="en_US"
    LC_COLLATE="POSIX"

Bash has a problem with en_US collating order (although wildcards such as "[!A-Z]" are defined to only work if the collating is POSIX (a.k.a. "C"), most other shells still make this work). But, we use bash, hence the change. (The original LANG is "en_US.utf-8", but I find most man pages in FC4 aren't encoded in UTF-8 so that doesn't work right.)

02-06-07 WP

Updated Apache config. For some reason the index.htm file wasn't being found, and read permission errors were present. I turned off the multiviews option for /home/*/public_html, re-ordered the names on the DirectoryIndex to put index.htm nearer the beginning, and added a new Directory for wpollock's home, to include multiviews.

Still haven't updated to FC 6!

02-21-07 WP

Re-setup CPAN (as root). This required running:

    cpan cpan; cpan Digest::SHA

Installed "Tk" Perl module. This required first running X. The following was done:

    Xvfb :0 &
    cpan Tk; kill `pidof Xvfb`

03-22-07 WP

Discovered problem with quota reporting utility "quota". I have downloaded the source from sourceforge.net/projects/linuxquota/ and that works. The new quota commands are in /usr/local/*. The official quota tools have not been removed (but PATH should pick up the new tools). The three quota files in /usr/local/etc have been replaced with symlinks to the real files in /etc. Tweaked warnquota.conf (diff):

    15,17c15,17
    < # CC_BEFORE = 2 days
    < SUPPORT = "root@myhost.com"
    < PHONE = "(123) 456-1111 or (222) 333-4444"
    ---
    > CC_BEFORE = 2 days
    > SUPPORT = "root@localhost"
    > #PHONE = "(123) 456-1111 or (222) 333-4444"

05-02-07 WP

Updated /etc/sysconfig/i18n again. I finally figured out the problem with LANG="en_US.UTF-8" was that PuTTY defaults to ISO8859-1. Changing PuTTY to use UTF-8, then changing i18n means that everything works, even better (curly quotes in man pages!)

05-10-07 WP

Updated /etc/logrotate.conf to keep 4 back [wb]tmp files.

Updated /root/.bashrc with many new aliases, functions, and a new two-line prompt.

05-22-07 WP

Repaired /etc/fstab: /var entry went missing somehow after scheduled maintenance on 5-18-07.

Updated ~root/.bashrc and .bash_profile.

05-31-07 WP

Installed p7zip (bin/7za) compression/archiving tool.

Updated /etc/sudoers to allow wpollock to run sudoedit.

06-05-07 WP

Updated /etc/fstab to include new mount options and to reformat the file (shortened the lines by removing extra spaces). The changed entries now include the user_xattr option:

    LABEL=/home  /home  ext3  defaults,usrquota,nodev,acl,user_xattr  1 2
    LABEL=/tmp1  /tmp   ext3  defaults,usrquota,nodev,acl,user_xattr  1 2
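Several entries above touch /etc/fstab by hand (the 10-19-06 grpquota change, the 05-22-07 repair after the /var line vanished, the 06-05-07 user_xattr additions), and each edit is a chance for a mount point to lose an option or an entry. The shell script below is an added example, not part of this journal, that checks fstab text against the option policy these entries settled on: usrquota, nodev, acl and user_xattr on /home and /tmp, usrquota, grpquota, nodev and acl on /var. The mount point list and required sets are my own reading of the entries above, and the fstab text is constructed: its /var line carries a doubled comma like the one in the 10-19-06 record, and its /tmp line lacks user_xattr, so both failure modes are exercised.

```shell
#!/bin/sh
# Added example (not part of the journal): check /etc/fstab-style entries
# for the mount options the 10-19-06 and 06-05-07 entries rely on.  The
# fstab text below is constructed; the /var line has a doubled comma and
# the /tmp line lacks user_xattr on purpose.

SAMPLE_FSTAB='
# device      mountpoint  type  options                                   dump pass
LABEL=/       /           ext3  defaults                                  1 1
LABEL=/home   /home       ext3  defaults,usrquota,nodev,acl,user_xattr    1 2
LABEL=/tmp1   /tmp        ext3  defaults,usrquota,nodev,acl               1 2
/dev/sda5     /var        ext3  defaults,usrquota,grpquota,,nodev,acl     1 2
/dev/sda7     swap        swap  defaults                                  0 0
'

# Print the options field of the entry mounted at $2 (empty if none).
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^[ \t]*#/ && NF >= 4 && $2 == mp { print $4 }'
}

# Succeed if option $2 is present in the comma list $1.  Wrapping both
# sides in commas keeps "dev" from matching inside "nodev".
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Succeed if the comma list has an empty field (",,", or a leading or
# trailing comma), which usually means a hand edit went wrong.
empty_option() {
    case "$1" in
        *,,*|,*|*,) return 0 ;;
    esac
    return 1
}

# Print the options from the space separated list $3 that mount point $2 lacks.
missing_options() {
    opts=$(mount_options "$1" "$2")
    out=""
    for want in $3; do
        has_option "$opts" "$want" || out="$out $want"
    done
    printf '%s\n' "${out# }"
}

# Apply the option policy (constructed from the journal's entries) to each
# quota bearing filesystem; return 1 if any entry is missing, malformed or
# incomplete.
check_fstab() {
    fstab=$1
    status=0
    for spec in "/home:usrquota nodev acl user_xattr" \
                "/tmp:usrquota nodev acl user_xattr" \
                "/var:usrquota grpquota nodev acl"; do
        mp=${spec%%:*}
        want=${spec#*:}
        opts=$(mount_options "$fstab" "$mp")
        if [ -z "$opts" ]; then
            echo "PROBLEM: no fstab entry for $mp"
            status=1
            continue
        fi
        if empty_option "$opts"; then
            echo "PROBLEM: $mp has an empty option field: $opts"
            status=1
        fi
        miss=$(missing_options "$fstab" "$mp" "$want")
        if [ -n "$miss" ]; then
            echo "PROBLEM: $mp lacks: $miss"
            status=1
        else
            echo "ok: $mp has $want"
        fi
    done
    return $status
}

check_fstab "$SAMPLE_FSTAB" || :
```

Run against the live file with `check_fstab "$(cat /etc/fstab)"`; the "no fstab entry" branch is the one that would have caught the 05-22-07 disappearance of /var before the next reboot, so it is worth a line in cron.daily alongside the other checks this journal accumulates.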