SYSTEM JOURNAL for YborStudent.hccfl.edu

System Description:
    A student-accessible server used to support several classes such as Unix and
    Perl scripting. The server is located in the OIT on the Ybor campus.

Hardware Inventory:
    HCC Asset Tag #17041
    Dell PowerEdge 2500
    Service Tag Number: 7YXGK11 (See: http://PremierSupport.dell.com/)
    Ship Date: 6/11/2002

    Qty  Part #  Part Description
    1    4F522   Card (Circuit), Processor, VRM-8.5, 12V
    1    5E957   PWA, Planar (Motherboard), PE2500, TUALATIN, 133
    1    6E233   Processor, 80526, 1GHZ, 256, Fiber Channel, Coppermine-Tualatin,
                 Integrated Heat Spreader
    2    6878T   Cord, Power, 125V, 10FT, SJT, Unshielded
    1    7N242   Keyboard, 104, United States, SILITEK, Low Cost, Midnight Gray
    1    4N433   Mouse, Personal System 2, 6P, 2BTN, LOGITECH, SAW34
    1    52JRF   KIT, Cable, Power, PE2500
    3    6F777   Power Supply, 300W, Power Factor Correction
    2    94PXC   Dual In-Line Memory Module, 256, 133M, 32X72, 4K, 168, RG2
    1    18NMH   PWA, Interface, Backplane, 2X3, ULT3, P2500
    1    93HRU   Assembly, Cable, Hard Drive, PLN-BKPLN, P2500
    1    392TE   Compact Disk Drive, 650M, IDE (Integrated Drive Electronics),
                 5.25" Form Factor, 24X, Black, TEAC
    5    6H925   Hard Drive, 36GB, S1, 80P, 10K, FUJITSU
    1    13JPJ   Dual In-Line Memory Module, 128, 100M, 16X72, 4K, Raid on Mother Board
    1    275FR   PWA, Input/Output, PE2500/PE2550, RAID-KEY
    1    3K089   Floppy Drive, 1.44M, 3.5" Form Factor, Third Height, No Bezel, NEC
    1    700NX   Assembly, Cable, INTRPSR-PLN, P2500
    1    79NPT   Assembly, Cable, Dorado/Athens/Tualatin/Almodor, S3, Internal,
                 Twisted Pair, P2500

----------------------------------------------------------------
Summary:
    512 MB RAM
    SCSI (Adaptec AIC7899)
    140 GB RAID 5 (Di/3) Hard disk
    ATI Mach64 Rage XL, 8 MB Video RAM
    Mouse attached: MS Intelimouse PS2
    10/100 Ethernet NIC
    IP Address: 169.139.223.21/24
    OS: Fedora Core 4

Partition Map:
    Filesystem   Type   Mount Point   Size
    /dev/sda1    ext3   /boot         145M
    /dev/sda2    ext3   /home         49G
    /dev/sda3    ext3   /usr          38G
    /dev/sda5    ext3   /var          10G
    /dev/sda6    ext3   /var/ftp      5G
    /dev/sda7    swap   (none)        2G
    /dev/sda8    ext3   /var/log      2G
    /dev/sda9    ext3   /tmp          2G
    /dev/sda10   ext3   /             10G
    (unused free space: 17 GB)
----------------------------------------------------------------
[date format: year-month-day]

08-04-05 WP
    Updated /etc/bashrc: umask to 027, PROMPT_COMMAND not set, and only run the
    profile.d/* scripts if executable (and readable).

    Modified ~root/.vimrc with the settings I like. Modified ~root/.bashrc and
    .bash_profile:

    .vimrc:
        set backspace=indent,eol,start  " allows backspacing over everything
        set softtabstop=3               " sets soft tab stops every 3 columns
        set expandtab                   " convert all tabs to spaces
        set shiftwidth=3                " hitting tab indents 3 columns
        set autoindent                  " indent new line to same as previous
        if &term == "xterm"             " Default is to use light background, so with PuTTY
           set bg=dark                  " use a color scheme appropriate for black background
        endif
        " Note in vim71 this must go in the file:
        " ~/.vim/after/syntax/syntax.vim
        set laststatus=2                " always show status bar
        set ruler                       " show cursor position in status bar
        set showcmd                     " shows partial commands (e.g., "dd") in status bar
        set ignorecase                  " ignore case when searching
        set nohlsearch                  " don't highlight search matches
        set incsearch                   " use incremental searching
        syntax enable                   " use color syntax highlighting

    .bash_profile:
        # .bash_profile
        # LEVEL is used to distinguish between login shell
        # windows (root windows) and other shells, because
        # a different prompt is used in each case. This
        # must be set before invoking .bashrc!
        export LEVEL=0

        # Get the aliases and functions
        if [ -f ~/.bashrc ]; then
           . ~/.bashrc
        fi

        # User specific environment and startup programs:
        set -o ignoreeof   # only "exit" or "logout" will log me off the system.
        shopt -s huponexit
        mesg n             # Don't allow anyone to interrupt my session
        umask 027          # Create files with group, other permissions turned off.
        ulimit -Sc 0       # Prevent a crashed program from creating a "core" file.
        PATH=$HOME/bin:$PATH:/usr/local/sbin:/sbin:/usr/sbin
        CDPATH=":$HOME:$HOME/man:$HOME/bin"
        MANPATH="$HOME/man:$MANPATH"
        # The following changes the sort order to ASCII order, which does
        # not ignore case or punctuation characters (such as leading periods).
        LC_COLLATE=C
        EDITOR=vim
        VISUAL=$EDITOR
        FCEDIT=$EDITOR
        PAGER=less
        ENV=$HOME/.bashrc
        HISTSIZE=1000
        HISTFILESIZE=1000
        LESS='-ifXemPm?f%f .?lbLine %lb?L of %L..:$'   # Set options for less command
        MAILCHECK=1
        MAILPATH=/var/spool/mail/$USER'?Hey! You have new mail!'
        #PS1='[\u@\h \W]\$ '
        TERM=xterm         # PuTTY emulates this.
        TMPDIR=~/tmp
        export CDPATH ENV HISTSIZE HISTFILESIZE LC_COLLATE LESS MAILCHECK MAILPATH
        export EDITOR MANPATH PAGER TMPDIR VISUAL FCEDIT

        # Check for email:
        if type -p frm >/dev/null
        then frm -s new -s unread -q
             echo
        elif type -p mailutil >/dev/null
        then mailutil check /var/spool/mail/$USER
             echo
        fi

        # Display a fortune cookie message and other information:
        fortune
        echo
        w
        echo

    .bashrc:
        # Source global definitions
        if [ -f /etc/bashrc ]; then
           . /etc/bashrc
        fi

        # Turn on extended pattern matching:
        shopt -s extglob

        # Turns off '!' history expansion:
        set +H

        # Useful aliases:
        alias big='figlet -tcW -f banner'
        alias ..='cd ..'
        alias cd..='cd ..'
        alias cls=clear
        alias cr='chmod a+r'
        alias cx='chmod a+x'
        alias df='df -h'
        alias du='du -h'
        alias f=finger
        alias h='history 50'
        alias l='ls -lh'
        alias la='ls -aF'
        alias li='ls -lhi'
        alias ls='ls -F'
        alias mail=nail
        alias mc='echo ERROR with mc '
        alias mess='tail -35 /var/log/messages'
        alias myntpdate='ntpdate -q 0.us.pool.ntp.org'
        alias nslookup='nslookup -sil'
        alias p7zip=7za
        alias path='echo PATH=$PATH'
        alias ping='ping -v'
        alias pps='ps w -cfA'
        alias ppwd=/bin/pwd
        alias quota='quota -vs'
        alias rehash='hash -r'
        alias rm='rm -i'
        alias rrm='rm -rf'
        alias su='LEVEL=0 su'
        alias showtemp="nc localhost 7634 | sed -e 's,|/dev/,\n&,g'; echo"
        alias vi=vim
        alias whereis='command -v'
        if test $(id -u) -eq 0
        then alias cp='cp -i'
             alias mv='mv -i'
             PCHAR='#'
        else PCHAR='$'
        fi

        # Define shell functions:
        lsc() { ls -C $* | more; }
        #calc() { echo "$*" | bc -l; }
        calc() { ( IFS= read -r -p 'Expression: ' EXPR; echo "$EXPR" | bc -l ) }
        ip2bin() {
           # Split the dotted quad into one number per line, convert each to
           # binary with bc, then left-pad each to exactly 8 bits.
           NUMS=$(printf '%s\n' "$@" | sed -e 's/[^[:digit:]]/\n/g')
           printf 'obase=2\nibase=10\n%s\n' "$NUMS" | bc -l \
             | sed -e 's/^/0000000/' -e 's/.*\(.\{8\}\)/\1/' \
             | xargs printf '%s '
           echo
        }
        cmd() { apropos "$@" | egrep '\((1|8)' | less; }
        lt() { /bin/ls -lt "$@" | head; }
        man2text() { zcat -f $(man -w -- "$1") | groff -Tascii -mandoc; }
        rand() { awk 'BEGIN {srand();printf "%d\n", (rand() * 10^8);}'; }
        textfiles() { file ${*:-*} | grep text | sed 's/:.*//'; }

        # Set the Prompt:
        # Setting PROMPT_COMMAND this way will set the window title (and icon text):
        if ! expr "$(tty)" : "/dev/tty.$" >/dev/null; then
           PROMPT_COMMAND='printf "\e]0;$(id -nu)@$(hostname -f): $PWD\a"'
        else
           PROMPT_COMMAND=
        fi

        # LEVEL should be set to zero and exported in login script first:
        let 'LEVEL = LEVEL + 1'
        # If LEVEL is 1 this is a "root" (top-level) window. If not 1,
        # this may be a root window if using X, since that fires up xterm
        # as a non-login shell. But in that case SHLVL > LEVEL. Tricky!
        if [ "$LEVEL" -eq 1 -o "${SHLVL-0}" -ne "$LEVEL" ]
        then
           PS1='\n\[$(tput bold)\]\u@\h\[$(tput sgr0)\] $PWD\n$PCHAR '
           SHLVL=1
           LEVEL=1
           [ "$PCHAR" = "$" ] && set -o ignoreeof
        else
           PS1='\n\[$(tput bold)\]\u@\h\[$(tput sgr0)\] ($LEVEL) $PWD\n$PCHAR '
        fi

    Ran webazolver to initialize webalizer.

    Updated /etc/updatedb.conf to run daily from /etc/cron.daily/slocate.cron, and
    changed that cron script to exclude the new directory I created for students to
    locate via find.

    Changed /etc/cron.daily/makewhatis.cron script to exclude developer sections
    (0p, 2, 3, and n hold man pages for C library functions and headers, TCL, ...).
    This change only affects "man -k" (a.k.a. "apropos") and "whatis" searching;
    the man pages are still viewable.

    Created /usr/local hierarchy, imported contents from old YborStudent except for
    perl. Moved /usr/local/man/* to /usr/local/share/man/*.

    Created symlinks for /usr/doc --> /usr/share/doc, and also /usr/man. These help
    when installing very old packages that put docs in the old places!

    Added symlink for /usr/src/linux --> /usr/src/kernels/version, as this version
    of Fedora puts the kernel src and docs in this new location.

    Added symlink for /bin/perl --> /usr/bin/perl.

    mkdir for /var/{adm,gopher,ident}. Edited /etc/passwd so ident home is
    /var/ident, not /home/ident. pwck, grpck now happy.

    Updated /etc/sysctl.conf with additional security settings. (Some old keys have
    changed names, and others are set already.) The additions made are:

        # Additional settings by WP 8/4/05:
        # Disables replies to broadcast ICMP echo (ping), to
        # prevent a common DoS attack:
        net.ipv4.icmp_echo_ignore_broadcasts = 1
        # Disable all source routing and ICMP redirects:
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0
        net.ipv4.conf.eth0.accept_source_route = 0
        net.ipv4.conf.lo.accept_source_route = 0
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.eth0.accept_redirects = 0
        net.ipv4.conf.lo.accept_redirects = 0
        # Enable source route verification:
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.eth0.rp_filter = 1
        net.ipv4.conf.lo.rp_filter = 1
        # Disable ipv6 (except on lo):
        net.ipv6.conf.default.autoconf = 0
        net.ipv6.conf.all.autoconf = 0
        net.ipv6.conf.eth0.autoconf = 0
        net.ipv6.conf.lo.autoconf = 1

    Installed bsd-games RPM (/usr/games), these are non-gui.

    Installed fortune-mod (modern version of fortune program).

    Updated /etc/issue and issue.net (a symlink to issue) (1 line):
        Welcome to YborStudent.hccfl.edu!

    Updated /etc/motd (4 lines):
        This system is intended for the use of Hillsborough Community College
        current students only. All other use is prohibited.

08-05-05 WP
    Added alias root-->hpiffl in /etc/aliases, ran newaliases.

08-08-05 WP
    Added ~/.inputrc file that sources /etc/inputrc. home, end, del, and other
    keys now work as expected.

    Added symlink to /etc/cron.monthly to run /usr/local/sbin/set-default-expire-date.
    Ran it once to set the defaults.

    Edited man.config: turned off caching (catman pages), removed TCL from list of
    sections to search, added additional paths to MANPATH and have it ignore
    /usr/man, which is not part of the FHS and now just a symlink to
    /usr/share/man. (The same for /usr/local/man and /usr/local/share/man.)
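    Editing /etc/sysctl.conf (the 08-04-05 entry above) changes nothing on the running
    kernel until "sysctl -p" runs or the box reboots, and a key for an interface that
    does not exist is silently skipped. The script below is an added check, not part
    of this journal: it reads each key's /proc/sys entry and reports every setting
    that is not actually in effect. The PROCROOT argument and the demo's constructed
    tree are assumptions so it can be run offline.

```shell
#!/bin/sh
# Check that the settings in a sysctl.conf-style file are in effect on the
# running kernel (added example, not the journal's code). A key a.b.c is read
# from PROCROOT/a/b/c; PROCROOT defaults to /proc/sys and is overridable so the
# check can run against a constructed tree.

# audit_sysctl_conf CONF [PROCROOT]
# Prints "KEY EXPECTED ACTUAL" for every setting that is not in effect (ACTUAL
# is "missing" when the kernel has no such key); returns 0 if all match.
audit_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;      # blank and comment lines
            *=*) ;;
            *) continue ;;                 # not a "key = value" line
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -f "$path" ]; then
            printf '%s %s missing\n' "$key" "$val"
            bad=$((bad + 1))
        elif [ "$(cat "$path")" != "$val" ]; then
            printf '%s %s %s\n' "$key" "$val" "$(cat "$path")"
            bad=$((bad + 1))
        fi
    done < "$conf"
    [ "$bad" -eq 0 ]
}

# Demo against a constructed /proc/sys tree holding a subset of the 8/4/05
# additions: two keys were left at their defaults and there is no eth0.
demo_sysctl_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/baseline.conf" <<'EOF'
# Subset of the additions to /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
EOF
    mkdir -p "$tmp/sys/net/ipv4/conf/all"
    echo 1 > "$tmp/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$tmp/sys/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$tmp/sys/net/ipv4/conf/all/accept_redirects"   # "sysctl -p" never ran
    echo 0 > "$tmp/sys/net/ipv4/conf/all/rp_filter"          # same
    audit_sysctl_conf "$tmp/baseline.conf" "$tmp/sys"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_sysctl_audit || echo "drift detected (exit status $?)"
```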
    Restored /etc/quotatab:
        #
        # This is sample quotatab (/etc/quotatab)
        # Here you can specify description of each device for user
        #
        # Comments begin with hash in the beginning of the line
        # Modified 6-04-03 by WP
        # Example of description
        /dev/sda2: /home (Your home directory)
        /dev/sda5: /var (Your email folder)
        /dev/sda9: /tmp (System-wide temporary directory)

    Commented out all lines in /etc/quotagrpadmins.

    Added warnquota.cron to cron.daily to run warnquota command.

    Modified warnquota.conf: commented out "CC_TO root" line.

    Ran quotacheck to initialize aquota.user DB on /tmp, /var. Then chmod a+r on
    those files (so users can run "quota" command).

    Installed chkrootkit package via yum.

    Installed pwgen package manually (from findrpm.net).

    Installed apt (port of apt-get) package via yum.

    Installed html2text (--nodeps, alternatives is installed), deb.

    Installed alien from tarball (package wouldn't install). This required
    html2text and deb. I installed apt to grab those debian packages but that
    didn't work because you must configure /etc/apt/* with the correct repository
    information. After building I noticed a new directory /share that was created.
    Makefile didn't define PREFIX=/usr, so fixed that and rebuilt, then removed
    /share.

    Removed /usr/local/bin/perl*, .../cpan (the standard versions are now in
    /usr/bin), checkinstall, makepak. Configured cpan. Installed checkinstall from
    rpm.

    Removed from /usr/local/bin: a2p, c2ph, find2perl, GET, POST, HEAD, pwgen,
    dprofpp, enc2xs, h2ph, h2xs, libnetcfg, lwp-{download,mirror,request,rget},
    piconv, pl2pm, pod*, psed, pstruct, s2p, splain, xsubpp. Also removed local
    man pages for these.

    Removed from /usr/local/lib: checkinstall, installwatch.so.

    Added "usrquota,nodev" to /home, /tmp, and /var in /etc/fstab. Added "acl" to
    /, /usr, /home, /tmp, /var, and /var/log. The new fstab:

        # This file is edited by fstab-sync - see 'man fstab-sync' for details
        LABEL=/1        /              ext3    defaults,acl                        1 1
        LABEL=/boot1    /boot          ext3    defaults                            1 2
        /dev/devpts     /dev/pts       devpts  gid=5,mode=620                      0 0
        /dev/shm        /dev/shm       tmpfs   defaults                            0 0
        LABEL=/home     /home          ext3    defaults,usrquota,nodev,acl         1 2
        /dev/proc       /proc          proc    defaults                            0 0
        /dev/sys        /sys           sysfs   defaults                            0 0
        LABEL=/tmp1     /tmp           ext3    defaults,usrquota,nodev,acl         1 2
        LABEL=/usr1     /usr           ext3    defaults,acl                        1 2
        LABEL=/var1     /var           ext3    defaults,usrquota,nodev,acl         1 2
        LABEL=/var/ftp1 /var/ftp       ext3    defaults                            1 2
        LABEL=/var/log1 /var/log       ext3    defaults,acl                        1 2
        LABEL=SWAP-sda7 swap           swap    defaults                            0 0
        /dev/fd0        /media/floppy  auto    pamconsole,exec,noauto,managed      0 0
        /dev/hda        /media/cdrom   auto    pamconsole,exec,noauto,managed      0 0

    Updated /etc/pam.d/su to require users to be in group wheel.

    Updated /etc/ssh/sshd_config (egrep -v '^#|^$' /etc/ssh/sshd_config):
        Protocol 2
        SyslogFacility AUTHPRIV
        PermitRootLogin no
        PasswordAuthentication yes
        ChallengeResponseAuthentication no
        GSSAPIAuthentication yes
        GSSAPICleanupCredentials yes
        UsePAM yes
        X11Forwarding yes
        KeepAlive yes
        ClientAliveInterval 20
        ClientAliveCountMax 3
        Banner /etc/issue.net
        Subsystem sftp /usr/libexec/openssh/sftp-server
    (Changes from default config: PermitRootLogin, X11Forwarding, KeepAlive,
    ClientAlive*, and Banner.)

    Restored old /etc/sudoers file:
        # sudoers file.
        #
        # This file MUST be edited with the 'visudo' command as root.
        #
        # See the sudoers man page for the details on how to write a sudoers file.
        #
        # Host alias specification

        # User alias specification
        User_Alias PW_USERS = hpiffl, rabaut, schatzow, blevins, cmercer, ascott, lmalave
        User_Alias QUOTA_USERS = hpiffl, rabaut, schatzow, blevins, cmercer, ascott, lmalave
        User_Alias CLASS_MGMT_USERS = hpiffl, rabaut, schatzow

        # Cmnd alias specification
        Cmnd_Alias PW = /usr/bin/passwd -[ulS] [a-zA-Z]*, \
                        /usr/bin/passwd [a-zA-Z]*, \
                        !/usr/bin/passwd root, !/usr/bin/passwd hpiffl, \
                        !/usr/bin/passwd -* root, !/usr/bin/passwd -* hpiffl
        Cmnd_Alias QUOTA = /usr/bin/quota, /usr/sbin/repquota
        Cmnd_Alias CLASS_MGMT = /usr/local/sbin/add-users, /usr/local/sbin/remove-users

        # Defaults specification
        #Defaults:hpiffl !authenticate

        # User privilege specification
        root ALL=(ALL) ALL

        # Uncomment to allow people in group wheel to run all commands
        # %wheel ALL=(ALL) ALL

        # Same thing without a password
        # %wheel ALL=(ALL) NOPASSWD: ALL

        # Samples
        # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
        # %users localhost=/sbin/shutdown -h now

        PW_USERS YborStudent, YborStudent.hccfl.edu, localhost = PW
        QUOTA_USERS YborStudent, YborStudent.hccfl.edu, localhost = QUOTA
        CLASS_MGMT_USERS YborStudent, YborStudent.hccfl.edu, localhost = CLASS_MGMT

    Restored /var/ftp/ with welcome.msg, pub/rebaut and pub/schatzow.

    Changed ~ftp in /etc/passwd: /var/ftp --> /var/ftp/./pub

    Added default domain name (search directive) in /etc/resolv.conf:
        nameserver 169.139.222.4
        nameserver 169.139.222.15
        search hccfl.edu

    Set root password for mysql. Annoyed that I lost the old mysql setup, as I
    forgot to back it up before the upgrade!

    Copied /etc/skel --> skel.old, removed/edited startup files in skel.

    Added /etc/profile.d/msgs.sh to run /usr/local/bin/msgs cmd on startup.

    Added 'umask 027' for /etc/csh.cshrc and /etc/zshenv.

    Installed pam_abl (auto black list) module and configured sshd to use it.
    Documentation was installed in man1 and man8. This module checks for too many
    failed login attempts and "shuns" the IP address and/or user for some interval
    (default is 2 days). This should prevent most sshd dictionary attacks.

    Added to /etc/pam.d/sshd:
        auth required pam_abl.so config=/etc/security/pam_abl.conf

    And the current config file is:
        # /etc/security/pam_abl.conf
        # debug
        host_db=/var/lib/pam_abl/hosts.db
        host_purge=2d
        host_rule=*:10/1h,30/1d
        user_db=/var/lib/pam_abl/users.db
        user_purge=2d
        user_rule=!root:10/1h,30/1d

    Added group read and ACLs to make /var/lib/pam_abl/* readable/writable by
    hpiffl, rabaut. This way we can use the "pam_abl" command to view status or
    purge DB.

    Updated logrotate to include pam_abl.

    Edited /etc/log.d/conf/services/sshd.conf, to remove the "pam_succeed_if" and
    "pam_abl" messages (from the sshd section):
        # Added 8/8/05 by WP: This version of pam_succeed_if is old and doesn't
        # recognize the "quiet" flags.
        #*Remove = pam_succeed_if
        # don't need this here, new logwatch section for this created.
        *Remove = pam_abl
    (Also modified secure.conf to ignore pam_abl.)

    Added new logwatch service pam_abl.conf:
        ################################################################
        # $Id: pam_abl.conf,v 1.0 2005/07/24 17:03:10 hpiffl Exp $
        ################################################################

        Title = "pam_abl"

        # Which logfile group...
        LogFile = secure

        # Only give lines pertaining to the pam_abl service...
        *OnlyService = pam_abl
        *RemoveHeaders

        ########################################################
        # This was written and is maintained by:
        #    Hymie Piffl
        #
        # Please send all comments, suggestions, bug reports,
        #    etc, to piffl@acm.org
        ########################################################

    Added new logwatch script pam_abl:
        #!/bin/bash
        ################################################################
        # $Id: pam_abl,v 1.2 2005/07/29 22:56:04 hpiffl Exp $
        ################################################################
        # Collapse identical lines into one, annotated with how often they occurred.
        sort | uniq -c | sort -nr | sed 's/^ *\([0-9]* \)\(.*\)$/\2 (\1times)/'

    Added extra security settings to sendmail.mc. Rebuilt sendmail.cf.

08-09-05 WP
    Reconfigured apache by editing /etc/httpd/conf/httpd.conf. Took me quite a
    while to realize that SELinux was preventing access to CGI and user home
    directories (UserDir). To fix, I ran this to disable SELinux checking for
    httpd daemons:
        setsebool -P httpd_disable_trans 1
    (I first tried the instructions in the httpd_selinux man page:
        setsebool -P httpd_enable_cgi 1
        restorecon -R ~hpiffl/public_html/
        chcon -R -t httpd_sys_content_t ~hpiffl/public_html
    but I realized I'd have to do this for every user. And it didn't work, I
    must've done something wrong or omitted some step.)

    Added /etc/profile.d/huponexit.sh. Sending HUP signal kills many background
    jobs students accidentally leave running.

    Fixed the timezone data files to the correct settings according to what FC4
    tzset utilities and glibc library functions look for:
        ln -s /usr/share/zoneinfo/America/New_York /usr/share/zoneinfo/localtime
        rm /etc/localtime; ln -s /usr/share/zoneinfo/localtime /etc/localtime
    (For some reason this is never right on Fedora out of the box.)

    Added ACLs: read permission for hpiffl piffl to /var/log/messages*

    Installed /usr/local/bin/frm (and local man page). Note: this binary is part
    of some email package, I just scp-ed the binary and man page from
    cws.hcc-online.com.

    Added /etc/logrotate.d/audit.log to rotate the audit logs. Of course this is
    only done since we don't actually audit this server. Rather, with SELinux,
    messages that used to go to messages and dmesg now go here. See auditctl for
    more information:
        # You don't do this in real life on an audit log!
        # You should archive these someplace before removal.
        /var/log/audit/*log {
            missingok
            notifempty
        }

    Installed pine (from RPM).

    Installed SOAP::Lite from "cpan". (For Mike.) Note that after install need to
    run:
        # cd /usr/lib/perl5/site_perl/5.8.6
        # chmod -R a+r .
        # find . -type d | xargs chmod a+x
    (A smarter idea would be to change umask to 022 before install!)

08-12-05 WP
    Re-wrote "add-users" script, a wizard to create many classes of student
    accounts easily. (The "remove-users" script was unchanged at this time.)

    Re-configured pam_abl to only block hosts, not user accounts.

    Added favicon.ico, index.html, and robots.txt to /var/www/html. The index.html
    is a brief message to students, letting them know they probably reached the
    server in error, and to try PuTTY instead of a web browser. The robots.txt
    file:
        # This policy file forbids any automated web crawler
        # from searching or indexing this web site:
        User-agent: *
        Disallow: /

08-13-05 WP
    Closed some ports the default iptables ruleset allows (/etc/sysconfig/iptables):
        # Firewall configuration written by system-config-securitylevel
        # Manual customization of this file is not recommended.
        *filter
        :INPUT ACCEPT [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        :RH-Firewall-1-INPUT - [0:0]
        -A INPUT -j RH-Firewall-1-INPUT
        -A FORWARD -j RH-Firewall-1-INPUT
        -A RH-Firewall-1-INPUT -i lo -j ACCEPT
        -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
        -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
        -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
        # HOWL port, used for zeroconf networking.
        #-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
        # CUPS (IPP) port, turn on if printing support is wanted:
        #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
        -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
        -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
        COMMIT

    Fixed a bug in /etc/bashrc that prevented scp from elsewhere to YborStudent
    from working! Changed:
        if ! shopt -q login_shell ; then   # We're not a login shell
    to:
        if [ "x$SHLVL" != "x1" ]; then     # We're not a login shell

08-24-05 WP
    Re-worked the iptables rules to close additional ports I don't know what they
    are used for: 50, 51. Also changed the SSH rules to rate limit SSH connections
    to 5 per minute (long lines have been wrapped):
        # Firewall configuration written by system-config-securitylevel
        # Manual customization of this file is not recommended.
        *filter
        :INPUT ACCEPT [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        :RH-Firewall-1-INPUT - [0:0]
        -A INPUT -j RH-Firewall-1-INPUT
        -A FORWARD -j RH-Firewall-1-INPUT
        -A RH-Firewall-1-INPUT -i lo -j ACCEPT
        -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
        # IPv6 auth and crypt protocols, used with authentication, encryption headers:
        -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
        -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
        # HOWL port, used for zeroconf networking:
        #-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
        # CUPS (IPP) port, turn on if printing support is wanted:
        #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
        -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Allow unlimited SSH connections from HCC:
        -A RH-Firewall-1-INPUT -s 169.139.223.1 -m state --state NEW -m tcp -p tcp \
            --dport 22 -j ACCEPT
        # Here we limit users to 5 ssh connects per minute, or the connection is dropped:
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 \
            -m limit --limit 5/min -j ACCEPT
        -A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 22 -j DROP
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
        # Reject anything not permitted by above rules:
        -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
        COMMIT

09-01-05 WP
    chmod 644 /var/log/lastlog; chmod 664 /var/log/wtmp*; chmod 600 /var/log/btmp

    Fixed permissions for [bw]tmp in /etc/logrotate.conf too.

9-21-05 WP
    Created "cvsanon" user and group (uid 200). Account is locked, with
    /sbin/nologin as shell and /var/cvs as home. A quota was added for this user
    on /var:
        setquota -u cvsanon 80000 100000 1000 1500 /var

    Opened port TCP/2401 (CVS pserver):
        # Open port for CVS pserver (for testing: later require SSH tunnel):
        -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2401 -j ACCEPT

    Created CVS repository in /var/cvs, with "anonymous" access (no password,
    mapped to user "cvsanon"). This should allow Java students (and anyone else)
    to create and use CVS with eclipse remotely. (TODO: Secure using SSH, set up
    read-only modules for model solutions)

10-10-05 WP
    Started the X font server, so Alice Scott can "startx" and use the GUI backup
    software.

    Fixed the CVS repo to use ssh only. (Closed the added firewall hole.)

10-12-05 WP
    Started the X font server, so Alice Scott can "startx" and use the GUI backup
    software.

    Discovered that "livna" YUM repository is not compatible with the others. This
    prevents YUM from running. I have updated the yum.repos.d/* files with new
    repos (and removed livna). The original repos are saved in ~root. Running yum
    resulted in over 300 updates! These are installing now.

11-17-05 WP
    chmod 000 /etc/cron.weekly/makewhatis.cron. This already runs daily.

    Edited the section list in /etc/cron.daily/makewhatis.cron, to remove
    non-existent section "l".

    Added an "intro" section to all man sections that don't have one already: 0p,
    1p, 3p, 9, and n.

11-18-05 WP
    Put custom nohup in /usr/local/bin, which works correctly by closing stdin.

11-22-05 WP
    Updated pam_abl config file in /etc/security/pam_abl.conf (Some HCC students
    were triggering the block, which blocks all users from HCC; the NAT means all
    internal HCC hosts appear as 169.139.223.1, or fwacad.hccfl.edu):
        # /etc/security/pam_abl.conf
        # debug
        host_db=/var/lib/pam_abl/hosts.db
        host_purge=6h
        #host_rule=*:10/1h,30/1d
        host_rule=!169.139.223.1:10/1h,30/1d
        #user_db=/var/lib/pam_abl/users.db
        #user_purge=2d
        #user_rule=!root:10/1h,30/1d
        #user_rule=!hpiffl:10/1h,30/1d

11-23-05 WP
    Disabled cvs pserver (from xinetd.d/cvs). For now.

    Disabled pam_abl (commented out from /etc/pam.d/sshd). Someone at HCC was
    tripping this, and with the NAT all of HCC appears to be at that one IP
    address, so no local user could login! (My "fix" put in yesterday didn't
    work!)

12-01-05 WP
    Ran yum update. As before 4 kernel related packages had to be updated first,
    then the main update works. The 4 packages were cman-kernel, GFS-kernel,
    dlm-kernel, and gnbd-kernel.

12-02-05 WP
    Ran yum clean packages. Freed up about 25% of /var.

12-23-05 WP
    Learned today why boot.log is always empty. Fedora Core 4 did that on purpose
    as the team didn't feel this log was useful. They are wrong, but the boot
    logging must be enabled manually in FC4. Here is the recipe:
        # cp -p /usr/bin/logger /sbin
        # cd /etc/init.d
        # cp syslog syslog.orig
        # vi syslog.orig
        # diff syslog.orig syslog
        6c6
        < # chkconfig: 2345 12 88
        ---
        > # chkconfig: 2345 0 99
        # chkconfig --del syslog; chkconfig --add syslog
        # cp functions functions.orig
        # vi functions
        # diff functions.orig functions
        370a371
        >     logger -p local7.info -t "$0" -- "$1 succeeded"
        380a382
        >     logger -p local7.info -t "$0" -- "$1 failed"
        392a395
        >     logger -p local7.info -t "$0" -- "$1 succeeded"
        402a406
        >     logger -p local7.info -t "$0" -- "$1 succeeded"
    Also, check that /etc/logrotate.d/syslog contains an entry for boot.log.
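    The 11-22-05 and 11-23-05 entries above show why pam_abl's per-host counting
    breaks behind a NAT: every HCC user shares 169.139.223.1, so their combined
    failures trip a threshold meant for one attacker and the block locks everyone
    out. The script below is an added example, not the journal's code: it replays
    the host_rule logic from the 08-08-05 and 11-22-05 configs over constructed
    /var/log/secure lines, assuming all lines fall inside the rule's one-hour
    window and handling only the "*" and "!host" selectors that appear on this
    page.

```shell
#!/bin/sh
# Replay of pam_abl's host_rule logic over sshd log lines (added example, not the
# journal's code). Handles the two selectors used on this server, "*" (all hosts)
# and "!host" (all hosts except one), and evaluates only the first "N/1h" term,
# assuming every sample line falls inside that one-hour window.

# Constructed /var/log/secure excerpt: twelve different students each mistype a
# password once, all arriving through the HCC NAT address; an outside host
# guesses "admin" fifteen times; one user at home mistypes once, then logs in.
sample_secure_log() {
    i=0
    for u in ascott blevins cmercer ggiraldo jdoe lmalave mlee pnguyen rabaut rwhite schatzow tkim; do
        i=$((i + 1))
        printf 'Nov 22 09:%02d:17 YborStudent sshd[22%02d]: Failed password for %s from 169.139.223.1 port 4%04d ssh2\n' "$i" "$i" "$u" "$i"
    done
    i=0
    while [ "$i" -lt 15 ]; do
        i=$((i + 1))
        printf 'Nov 22 09:%02d:05 YborStudent sshd[23%02d]: Failed password for invalid user admin from 203.0.113.77 port 5%04d ssh2\n' "$i" "$i" "$i"
    done
    printf 'Nov 22 09:30:41 YborStudent sshd[2410]: Failed password for hpiffl from 198.51.100.9 port 53311 ssh2\n'
    printf 'Nov 22 09:31:02 YborStudent sshd[2410]: Accepted password for hpiffl from 198.51.100.9 port 53311 ssh2\n'
}

# abl_blocked_hosts HOST_RULE < log
# Prints "host count" for every host the rule would shun, sorted by host.
abl_blocked_hosts() {
    selector=${1%%:*}                    # "*" or "!169.139.223.1"
    limits=${1#*:}                       # "10/1h,30/1d"
    threshold=${limits%%/*}              # 10 failures (within 1h)
    exempt=''
    case $selector in
        '*')  ;;
        '!'*) exempt=${selector#?} ;;    # drop the leading "!"
        *)    echo "abl_blocked_hosts: unsupported selector '$selector'" >&2; return 2 ;;
    esac
    awk -v thr="$threshold" -v exempt="$exempt" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source host is the word after "from"; "Accepted" lines never match
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (h in fails) if (h != exempt && fails[h] >= thr) print h, fails[h] }
    ' | sort
}

# The 08-08-05 rule: the NAT address is shunned along with the real attacker.
echo "host_rule=*:10/1h,30/1d blocks:"
sample_secure_log | abl_blocked_hosts '*:10/1h,30/1d'
# The 11-22-05 rule: the NAT address is exempt, the attacker is still shunned.
echo "host_rule=!169.139.223.1:10/1h,30/1d blocks:"
sample_secure_log | abl_blocked_hosts '!169.139.223.1:10/1h,30/1d'
```

    This replay shows the intended effect of the rule, not what the installed
    pam_abl version actually did (the 11-23-05 entry records that the exemption
    did not hold in practice), so the live module's behaviour still has to be
    checked against its own database before relying on it.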
Cleaned up the *.rpmnew and *.rpmsave files, except the two .rpmsave files /etc/log.d/conf/services/{secure.conf.rpmsave,sshd.conf.rpmsave}. Not sure what should be done with these, will keep an eye on the logwatch output to see if these should be restored. Removed "rhgb" and "quiet" from the grub.conf list of kernel parameters. "rhgb" causes an X window boot, removing makes booting faster. "quiet" suppresses log messages. For full logs you need to also add "audit=1". 01-11-06 WP Fixed problem with /etc/cron.daily/tmpwatch (caused by yum update???). It was complaining that aquota.user needed to be deleted but couldn't. Actually it shouldn't try, so I modified tmpwatch to skip this file. I also added a missing shebang line and reformatted: #!/bin/sh # Modified 1/11/06 by WP: added shebang line, added skip of aquota.user, # reformatted long line. /usr/sbin/tmpwatch -x /tmp/.X11-unix -x /tmp/.XIM-unix -x /tmp/.font-unix \ -x /tmp/.ICE-unix -x /tmp/.Test-unix -x /tmp/aquota.user \ 240 /tmp /usr/sbin/tmpwatch 720 /var/tmp for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do if [ -d "$d" ]; then /usr/sbin/tmpwatch -f 720 $d fi done ---------------------------------------------------------------------------- 02-01-06 WP Installed nail(1) mailx replacement. For some reason the mailx package for Fedora include the mailx man pages but only the enhanced mail command, not mailx. Nail is a "new mailx". Added /usr/local/bin/mailx that just says to use nail(1) instead. Hopefully this will clear up the confusion of CGS-1760 students looking for mailx. 02-10-06 WP Changed postfix configuration (main.cf), to use procmail as MDA. This is because some people rely on ~/.procmailrc to work! Note that /usr/bin/procmail must be SUID root to act as a MDA. 02-16-05 WP Updated the SELinux rules, to allow talk (the in.ntalkd daemon). I didn't realize this was blocked until a student brought it to my attention today. 
Examining the various logs, I realized SELinux was the culprit (eventually). The following rules were added to the /etc/selinux/targeted/src/policy/domains/misc/local.te file: # Added rules from audit2allow, to enable in.ntalkd to work: allow inetd_child_t initrc_var_run_t:file { read write }; allow inetd_child_t initrc_var_run_t:file lock; allow inetd_child_t devpts_t:dir search; allow inetd_child_t devpts_t:chr_file getattr; allow inetd_child_t devpts_t:chr_file write; and then I rebuilt the policy with: cd /etc/selinux/targeted/src/policy; make policy install load The rules were found, one by one, by running: audit2allow -v -l DOC_DIR="/usr/share/doc" 52c52 < INSTYPE="" --- > INSTYPE="R" 58c58 < PAK_DIR="" --- > PAK_DIR="." 81c81 < DEL_SPEC=1 --- > DEL_SPEC=0 120c120 < EXCLUDE="" --- > EXCLUDE="/selinux" Added notice to /etc/motd, that the system will soon be updated: This system is intended for the use of Hillsborough Community College current students only. All other use is prohibited. NOTICE: The YborStudent server will be updated to a new version of Linux, sometime between now and the start of Fall 2006 semester.. You should expect an outage of up to a week, and should backup any important data. 07-20-06 WP Alice Scott added new user 'bck' for backups, and installed new backup software "/usr/omni/*" with new omni xinetd service. This new software works with the tape library system and replaces the old ArcServ backup system. However the firewall holes aren't correct yet so no backups are possible. With coordinate with Roy Johnson (x7701) to resolve. 07-21-06 WP Replaced Dag Yum repository with Dries and FreshRPMs. Added correct firewall holes for new backup service. It has been tested (backup but not restore) and works. YborStudent is now on the regular OIT backup schedule. 
The new firewall rules are: # Data Protector Backup Server (Tape Library) Ports: -A RH-Firewall-1-INPUT -p tcp -s 169.139.223.1 --dport 5555 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -s 169.139.223.1 --dport 2157 -j ACCEPT 07-26-06 WP Removed iptables hole for port 2157, Roy must have been mistaken about the backup server ("omni") needing that port as well as 5555. Adding logging rule to iptables to capture dropped packets, just to be sure. This rule may be removed in the future. 08-10-06 WP Installed livna.org RPM repository for yum, and disabled it so it won't be used by default. This is because many livna RPMs don't work well with standard RPMs, however lilvna does include several packages (e.g., Nvidia driver RPMs) not found elsewhere. To use, run: yum --enablerepro livna install 09-01-06 WP An "nmap localhost" shows "freeciv" service running on TCP/5555. But TCP/5555 is omni. I located the omni log files and noticed that this has never worked, reporting an illegal server address: 08/31/2006 04:34:44 AM INET.785.0 ["inet/allow_deny.c /main/dp55/8":526] A.05.50 bPHSS_32323/PHSS_32324/DPSOL_00125 A request 3 (vbda) came from host fwacad.hccfl.edu which is not a cell manager of this client Thu 31 Aug 2006 04:34:44 AM EDT [root.sys@admapps.hccfl.edu] : vbda After looking around I changed /usr/omni/config/client/cell_server from: admapps.hccfl.edu to: fwacad.hccfl.edu (This should be the real server name, but as YborStudent is outside the firewall, NAT applies, so the source appears to be fwacad (a strange name!). I will check tomorrow to see if this fixes the problem. Note: This is a dangerous fix, basically allowing any server from within HCC to act as an omni server. 09-05-06 WP Noticed /etc/skel/.kde, removed it. 09-07-06 WP Modified /etc/cron.daily/yum.cron by removing "-d 0" option. As yum runs that option causes silent operation, so no logging is reported via logwatch. Removing this should fix that. Noticed omni ran without errors today! 
09-12-06 WP
Fedora Core 4 is now supported via the Fedora Legacy Updates project.  I
have installed the RPM for that (updates yum repository).
Installed John the Ripper password cracker.  (OIT folk use weak passwords,
will ask them to change.)
Installed Bastille.  Installed via cpan: Bundle::CPAN (update), Curses
(used for Bastille).

09-15-06 WP
Added "-b /usr/bin/john" to /etc/prelink.conf.  Prelink runs from
cron.daily and for some reason john (John the Ripper) causes it to abort.
This line causes prelink to skip john.

09-25-06 WP
Installed tripwire.  FC4 makes this very easy (yum install tripwire).
   vi /etc/tripwire/twpol.txt
(Commented out about 50 items not installed on YborStudent, and commented
out checks for /root/.?* (left in a few of those however).  Then:
   tripwire-setup-keyfiles
   tripwire --init

09-28-06 WP
Alarmed at the huge log files (>700M!), I have stopped logging rejected
packets, by commenting out the line in /etc/sysconfig/iptables and
restarting iptables.  Added "compress" to the logrotate command for
/var/log/messages, in /etc/logrotate.d/syslog.

10-19-06 WP
Removed cvsanon user and cvsusers group.  Created new cvs setup,
accessible by local users or via ssh:

   # New cvs setup accessible by local users or via ssh:
   # Create cvs user and group, to own the repositories:
   mkdir /var/cvs-repos
   useradd -c "CVS User" -d /var/cvs-repos -M cvs -s /sbin/nologin
   gpasswd -a hpiffl cvs
   gpasswd -a rabaut cvs
   pwck
   grpck
   chage -l cvs
   chage -E -1 cvs

   # Setup email aliases for cvs and cvs-admin-:
   vi /etc/aliases     # forward to piffl@acm.org
   newaliases          # or: postalias /etc/aliases

   # Set up a group quota for /var, for group "cvs":
   cd /var
   touch aquota.group
   chmod a+r aquota.group
   vi /etc/fstab       # Changed this line:
   # /dev/sda5  /var  ext3  defaults,usrquota,grpquota,nodev,acl  1 2
   mount /var -o remount
   quotacheck -vgcM /var
   setquota -g cvs 100000 150000 300 500 /var

   # Set correct owner, group for ~cvs, and set default permissions:
   cd ~cvs
   mkdir .ssh
   chown -R cvs.cvs .
   chmod g+ws .
   setfacl -m d:g:cvs:rwX .

   # Create a repository for the COP-2805 class:
   mkdir cop2805
   export CVSROOT=/var/cvs-repos/cop2805
   cvs init
   cd
   mkdir cvsproj
   cd cvsproj
   cvs import -m 'Create empty project' cvsproj vendor start
   cd
   rmdir cvsproj

   # Configure repository:
   cvs checkout CVSROOT
   cd CVSROOT
   vi notify           # Added this line:
   # ALL mail -s "YborStudent CVS notification - cop2805" cvs
   vi users            # Lists email address to use, rather than local mail
                       # Added the line:  hpiffl:piffl@acm.org
   cvs add users
   cvs commit -m 'Allow use of cvs watch command' notify users
   vi loginfo          # Added the following:
   # Notify cvs administrator of all commits:
   ALL mail -s "YborStudent CVS Repository commit by $USER to module %p %s" cvs
   # Maintain a current snapshot in my secure web site (for easy access):
   #^cvsproj\(/\|$\) (date; cat; (sleep 2; cd /home/hpiffl.com/secure-html/cvsproj; cvs -q update -d) &) >> $CVSROOT/CVSROOT/updatelog 2>&1
   ^cvsproj\(/\|$\) (date; cat; (sleep 2; ssh hpiffl@hpiffl.com '(cd /home/hpiffl.com/secure-html/cvs-repos; CVS_RSH=ssh cvs -q -d :ext:hpiffl@yborstudent.hccfl.edu/var/cvs-repos/cop2805 update -d cvsproj)') &) >>$CVSROOT/CVSROOT/updatelog 2>&1
   cvs commit -m 'Automatically maintain current copy in my private website, and send email notice to cvs-admin-cop2805 (piffl@acm.org) after each commit' loginfo
   cd ..
   cvs release -d CVSROOT

   # Setup website to hold snap-shot of module:
   # (accessed with: https://yborstudent.hccfl.edu/~hpiffl/ )
   cd ~hpiffl/secure-html
   vi index.htm        # Add link to cvs-repos directory
   mkdir cvs-repos
   chgrp cvs cvs-repos
   chmod g+s,a+rx cvs-repos
   setfacl -m d:o::rX cvs-repos
   vi cvs-repos/index.php
   chmod a+r cvs-repos/index.php
   CVS_RSH=ssh \
   cvs -q -d :ext:hpiffl@yborstudent.hccfl.edu/var/cvs-repos/cop2805 \
       checkout cvsproj
   # Adjust permissions if needed.

   # Add accounts for students, using official HCC user ID:
   useradd -c "Gloria Giraldo (cop2805 CVS)" -m ggiraldo
   gpasswd -a ggiraldo cvs
   passwd ggiraldo
   ...
   # repeat for all COP-2805 students

10-25-06 AS
Changed /usr/omni/config/client/cell_server from "fwacad.hccfl.edu" (the
firewall NAT address for HCC) to "hcc44a.hccfl.edu".  May need to update
iptables?

11-09-06 WP
Commented out "auto.net" from "auto.master".  This disables automounting
of NFS on /net.  We don't use NFS on this server.
Changed iptables firewall rule for "omni" ("data protector" backup
server) from IP 169.139.223.1 to IP 169.139.222.40.  Apparently OIT
updated the backup server and moved it on 10/22/06, and no backups have
been done since then!

11-16-06 WP
Changed default locale.  Edited /etc/sysconfig/i18n to set:
   LANG="en_US"
   LC_COLLATE="POSIX"
Bash has a problem with en_US collating order (although wildcards such as
"[!A-Z]" are defined to only work if the collating is POSIX (a.k.a. "C"),
most other shells still have this work).  But we use bash, hence the
change.  (The original LANG is "en_US.utf-8", but I find most man pages
in FC4 aren't encoded in UTF-8 so that doesn't work right.)

02-06-07 WP
Updated Apache config.  For some reason the index.htm file wasn't being
found, and read permission errors were present.  I turned off the
multiviews option for /home/*/public_html, re-ordered the names on the
DirectoryIndex to put index.htm nearer the beginning, and added a new
Directory for hpiffl's home, to include multiviews.
Still haven't updated to FC 6!

02-21-07 WP
Re-setup CPAN (as root).  This required running:
   cpan cpan; cpan Digest::SHA
Installed "Tk" Perl module.  This required first running X.  The
following was done:
   Xvfb :0 & cpan Tk; kill `pidof Xvfb`

03-22-07 WP
Discovered problem with quota reporting utility "quota".  I have
downloaded the source from sourceforge.net/projects/linuxquota/ and that
works.  The new quota commands are in /usr/local/*.  The official quota
tools have not been removed (but PATH should pick up the new tools).  The
three quota files in /usr/local/etc have been replaced with symlinks to
the real files in /etc.
Tweaked warnquota.conf: (diff)
   15,17c15,17
   < # CC_BEFORE = 2 days
   < SUPPORT = "root@myhost.com"
   < PHONE = "(123) 456-1111 or (222) 333-4444"
   ---
   > CC_BEFORE = 2 days
   > SUPPORT = "root@localhost"
   > #PHONE = "(123) 456-1111 or (222) 333-4444"

05-02-07 WP
Updated /etc/sysconfig/i18n again.  I finally figured out the problem
with LANG="en_US.UTF-8" was that PuTTY defaults to ISO8859-1.  Changing
PuTTY to use UTF-8, then changing i18n means that everything works, even
better (curly quotes in man pages!)

05-10-07 WP
Updated /etc/logrotate.conf to keep 4 back [wb]tmp files.
Updated /root/.bashrc with many new aliases, functions, and a new
two-line prompt.

05-22-07 WP
Repaired /etc/fstab: /var entry went missing somehow after scheduled
maintenance on 5-18-07.
Updated ~root/.bashrc and .bash_profile.

05-31-07 WP
Installed p7zip (bin/7za) compression/archiving tool.
Updated /etc/sudoers to allow wpolloc to run sudoedit.

06-05-07 WP
Updated /etc/fstab to include new mount options and to reformat the file
(shortened the lines by removing extra spaces).  The changed entries now
include the user_xattr option:
   LABEL=/home  /home  ext3  defaults,usrquota,nodev,acl,user_xattr  1 2
   LABEL=/tmp1  /tmp   ext3  defaults,usrquota,nodev,acl,user_xattr  1 2

07-16-07 WP
Rebuilt server using Fedora 7, preserving /home (and some other data).
Started new journal.  (This is the final entry.)

END-OF-JOURNAL
===============================================================================

Rebuilt Server as Fedora 7
(Format: yy-mm-dd initials_of_admin log entry)

07-07-16 WP
Rebuilt server: clean install of Fedora 7 (preserving /home, partitions,
selected other data).  Remove all stale user accounts.  (Should've done
this first!)

Anaconda install selections:
   Install language: English
   Hardware: U.S. English keyboard
   Install from network: HTTP, mirrors.kernel.org, fedora/...
   Install (not update)
   Partitioning: Manual; see above.  Format all partitions (not /home)
      as ext3 (or swap)
   Boot loader: Use GRUB boot loader in MBR, no grub password.  Only
      bootable partition is /dev/sda10, set as default, label="Fedora 7".
   Network: eth0, no DHCP, active on boot, static IP = 169.139.223.21/24,
      Hostname = "YborStudent" (domain set in post install to
      "hccfl.edu"), Gateway IP = 169.139.223.1, 1st DNS = 169.139.222.4,
      2nd DNS = 169.139.223.15
   Firewall: enabled; allow incoming: ssh, http/https, smtp (not FTP!)
   SELinux active (enforcing)
   Clock: Eastern Time zone (America/New_York); sys clock uses UTC time.
   Accounts: set root password
   Package Selection: minimal (customize later)
Install successful!

Post Install:
   Set clock for NTP: Used pool 1.
   Restored local users and groups to /etc/{passwd,group,shadow,gshadow}.
   Updated /etc/fstab:
      LABEL=/          /          ext3    defaults,acl                          1 1
      LABEL=/tmp       /tmp       ext3    defaults,usrquota,nodev,acl,user_xattr 1 2
      LABEL=/var       /var       ext3    defaults,usrquota,nodev,acl,user_xattr 1 2
      LABEL=/var/ftp   /var/ftp   ext3    defaults                              1 2
      LABEL=/var/log   /var/log   ext3    defaults,acl                          1 2
      LABEL=/usr       /usr       ext3    defaults,acl                          1 2
      LABEL=/home      /home      ext3    defaults,usrquota,nodev,acl,user_xattr 1 2
      LABEL=/boot      /boot      ext3    defaults                              1 2
      tmpfs            /dev/shm   tmpfs   defaults                              0 0
      devpts           /dev/pts   devpts  gid=5,mode=620                        0 0
      sysfs            /sys       sysfs   defaults                              0 0
      proc             /proc      proc    defaults                              0 0
      LABEL=SWAP-sda7  swap       swap    defaults                              0 0
   Ran: touch /.autorelabel (to repair SELinux errors).  Rebooted.
   Saw the following boot-time errors, which have never repeated:
      agpgart: unable to determine aperture size.
      agpgart: unable to determine aperture size.
      agpgart: ServerWorks CNB20He is unsupported due to lack of documentation.
      agpgart: ServerWorks CNB20He is unsupported due to lack of documentation.
   snort, psql failed to start: turned off snort.
   Update /etc/hosts, /etc/sysconfig/{i18n,iptables,network}
   Restore /root, /usr/local (minus all the quota tools, now standard),
   /var/cvs*.
   Restored /opt (the backup software CAgent (ArcServ)).
   Alice Scott will test this out and re-install this or replacement as
   necessary.
   Restored /etc/issue.net, motd.  Made hard link from issue.net to issue.
   Ran yum -y update.
   Updated ~/.config/user-dirs.dirs (list of default dirs used by Gnome).
   Updated /etc/aliases.  Ran newaliases.
   Removed system (empty) mailboxes from /var/mail.
   Archived pcampbell home dir, removed login.
   Added new yum repositories (in /etc/yum.repos.d): freshrpms, jpackage,
   livna (disabled), macromedia
   Set the default run level to 3 (non-GUI boot) in /etc/inittab.  Also
   commented out gettys for virtual consoles 4, 5, and 6; leaving 1, 2, 3,
   and 7 (GUI) which should be more than enough.
   Restored /etc/sudoers.
   Completed install of all interesting software packages available.
   Installed ytalk, numlockx.
   Ran quotacheck on /tmp, /var.  Set quotas for all FSes except /home
   (set already).
   Re-ran yum -y update.
   Checked for *.rpmnew files: none found (except in ~rabaut, ignored).
   Turned on/off services.  List of service status (chkconfig --list);
   services that are on in at least one run level:

      service           0    1    2    3    4    5    6
      ConsoleKit        off  off  off  on   on   on   off
      anacron           off  off  on   on   on   on   off
      atd               off  off  off  on   on   on   off
      auditd            off  off  on   on   on   on   off
      autofs            off  off  off  on   on   on   off
      cpuspeed          off  on   on   off  on   off  off
      crond             off  off  on   on   on   on   off
      cups              off  off  on   on   on   on   off
      firstboot         off  off  off  on   off  on   off
      gpm               off  off  on   on   on   off  off
      haldaemon         off  off  off  on   on   on   off
      httpd             off  off  on   on   on   on   off
      ip6tables         off  off  on   on   on   on   off
      iptables          off  off  on   on   on   on   off
      irqbalance        off  off  on   on   on   on   off
      kudzu             off  off  off  on   on   on   off
      lm_sensors        off  off  on   on   on   on   off
      mcstrans          off  off  on   on   on   on   off
      messagebus        off  off  off  on   on   on   off
      microcode_ctl     off  off  on   on   on   on   off
      mysqld            off  off  off  on   off  on   off
      network           off  off  on   on   on   on   off
      ntpd              off  off  off  on   off  on   off
      postgresql        off  off  off  on   off  on   off
      psacct            off  off  off  off  off  on   off
      readahead_early   off  off  on   on   on   on   off
      readahead_later   off  off  off  on   off  on   off
      restorecond       off  off  on   on   on   on   off
      saslauthd         off  off  off  on   off  on   off
      sendmail          off  off  on   on   on   on   off
      setroubleshoot    off  off  off  on   on   on   off
      smartd            off  off  on   on   on   on   off
      sshd              off  off  on   on   on   on   off
      syslog            off  off  on   on   on   on   off
      sysstat           off  on   on   on   on   on   off
      xfs               off  off  off  off  off  on   off
      xinetd            off  off  off  on   on   on   off

   Off in all run levels (0 through 6):
      NetworkManager, NetworkManagerDispatcher, amavisd, apt, argus,
      arpwatch, avahi-daemon, avahi-dnsconfd, bgpd, bluetooth, btseed,
      bttrack, capi, clamav-milter, clamd.amavisd, cman,
      cups-config-daemon, dbmail-imapd, dbmail-lmtpd, dbmail-pop3d,
      dbmail-timsieved, dc_client, dc_server, dhcdbd, dhcp6r, dhcp6s,
      dhcpd, dhcrelay, dnsmasq, dovecot, dund, fedora-ds, flumotion,
      gfs2, hddtemp, heartbeat, hidd, hplip, hsqldb, icecast, innd,
      ipsec, ipvsadm, irda, iscsi, iscsid, isdn, kadmin, kprop, krb524,
      krb5kdc, ldap, ldirectord, libvirtd, lirc, lisa, mailman,
      mdmonitor, milter-regex, multipathd, nagios, named, nasd,
      netconsole, netfs, netplugd, nfs, nfslock, nmb, nscd, openais,
      openvpn, ospf6d, ospfd, pand, pcscd, pound, privoxy, proftpd,
      qdiskd, qemu, radiusd, rdisc, rgmanager, ripd, ripngd, rpcbind,
      rpcgssd, rpcidmapd, rpcsvcgssd, scsi_reserve, shorewall, smb,
      smolt, snmpd, snmptrapd, snortd, spamass-milter, spamassassin,
      squid, syslog-ng, tomcat5, tux, ups, vncserver, vsftpd, winbind,
      wine, wpa_supplicant, xend, xendomains, ypbind, yum-updatesd,
      zebra

   xinetd based services:
      apgd:            off
      chargen-dgram:   off
      chargen-stream:  off
      cvs:             off
      daytime-dgram:   off
      daytime-stream:  off
      discard-dgram:   off
      discard-stream:  off
      echo-dgram:      off
      echo-stream:     off
      ntalk:           on
      omni:            on
      rsync:           on
      talk:            off
      tcpmux-server:   off
      telnet:          on
      tftp:            off
      time-dgram:      off
      time-stream:     off
      xproftpd:        off

   Updated /etc/xinetd.d/ntalk with:
      only_from = localhost .hccfl.edu

07-08-04 WP
Updated sudoers file.  Added additional software.  Added email alias
(/etc/aliases) for 'vdr' to root.

07-08-08 WP
Turned on MySQL, PostgreSQL.  Added (super-)users rabaut, hpiffl, and
created DBs for hpiffl, rabaut.
Turned off moodle cron job (commented out line from /etc/cron.d/moodle).
Installed checkinstall RPM.  Modified checkinstallrc file.  Created man
pages from the README file for checkinstall(8) and installwatch(1).

07-08-09 WP
Installed sg3_utils for sg_persist(8); messagebus (D-Bus) complains it
can't find that.  Updated syslog from starting/stopping 12/88 to 01/99.
Hopefully this will capture more of the boot-time error messages.

07-08-10 WP
Installed cmake package.  Ran yum update.

07-08-11 WP
Installed Sun JDK/JRE 1.6 update 2.  This was very complicated!  LSB/RH
std Java packages conflict if you just install the Sun JDK RPM, and lots
of stuff will break if you remove the old Java RPMs.  JPackage.org has
the tools to build working RPMs from the Sun install package (not the
RPM), that uses "alternatives" and thus will co-exist with other Java
packages.
But the directions are nearly impossible to follow!  With much Googling
and trial-and-error I figured it out.  My directions are in the file
~/java-install-Sun_jdk-Fedora7.txt.

07-08-13 WP
Added group www, made /var/www/html (recursively) owned by www, and
chmod g+s /var/www/html (and sub-dirs).  Added hpiffl to group www; now I
can update web site.  Added favicon.ico to /var/www/html/.

07-08-14 WP
Edited html.conf file: enabled Userdir (~/public_html).  Added index.htm
and index.php to DirectoryIndex.  Commented out all languages except
English, French, and Spanish.  Set ServerAdmin to
"webmaster@YborStudent.hccfl.edu" (there is already an alias for this in
/etc/aliases to root).  Enabled "ExtendedStatus", but have not enabled
server-status URL.  Set ServerName to "YborStudent.hccfl.edu".  Set
ServerSignature to "EMail".

07-08-15 WP
Added user "esloan (Ed Sloan)", set up with Instructor "sudo" privileges
(class management commands of add-users, remove-users; and password
management).

07-08-22 WP
Added "yum -y update" to cron.daily.

07-08-29 WP
Imported all available RPM GPG keys with:
   cd /etc/pki/rpm-gpg; for i in *; do rpm --import $i; done
Set SELinux to "Permissive" (for now), and turned off setroubleshoot
daemon, which was locking out RPM.  (Both will be turned back on by
default, at next boot.)

07-09-02 WP
Updated iptables firewall for extra security.  New rules from
/etc/sysconfig/iptables:

   # Firewall configuration written by system-config-securitylevel
   # Manual customization of this file is not recommended.
   *filter
   :INPUT ACCEPT [0:0]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   :RH-Firewall-1-INPUT - [0:0]
   -A INPUT -j RH-Firewall-1-INPUT
   -A FORWARD -j RH-Firewall-1-INPUT
   #######################################################################
   # Drop all packets with invalid source IP addresses (See RFC-3330):
   # 0.0.0.0 is only legal as a src IP on a local LAN, in DHCP packets.  Since
   # YborStudent isn't serving DHCP it is safe to drop these:
   -A RH-Firewall-1-INPUT -i eth0 -s 0.0.0.0/8 -j DROP
   # Shouldn't see loopback or my address as src on incoming packets on NIC:
   -A RH-Firewall-1-INPUT -i eth0 -s 127.0.0.0/8 -j DROP
   -A RH-Firewall-1-INPUT -i eth0 -s 169.139.223.21 -j DROP
   # Egress filtering: Drop out-going packets with bad src IP (i.e. faked):
   -A OUTPUT -o eth0 -s ! 169.139.223.21 -j DROP
   # Private range IPs can't be forwarded and thus can't be legal src IP:
   -A RH-Firewall-1-INPUT -s 10.0.0.0/8 -j DROP
   -A RH-Firewall-1-INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
   -A RH-Firewall-1-INPUT -s 192.168.0.0/16 -j DROP
   # Multicast can't be valid src IP:
   -A RH-Firewall-1-INPUT -m iprange --src-range 224.0.0.0-239.255.255.255 -j DROP
   # Class E addresses are reserved:
   -A RH-Firewall-1-INPUT -m iprange --src-range 240.0.0.0-247.255.255.255 -j DROP
   # All higher addresses are illegal (including broadcast as src):
   -A RH-Firewall-1-INPUT -m iprange --src-range 248.0.0.0-255.255.255.255 -j DROP
   # Reserved for zeroconf link-local addressing, not used here:
   -A RH-Firewall-1-INPUT -s 169.254.0.0/16 -j DROP
   # Reserved for TEST-NET and for documentation purposes:
   -A RH-Firewall-1-INPUT -s 192.0.2.0/24 -j DROP
   # Reserved for Internet device benchmark testing:
   -A RH-Firewall-1-INPUT -s 198.18.0.0/15 -j DROP
   # 192.88.99.0/24 used for 6to4 relay anycast, which is only used for some
   # IPv6 setups:
   -A RH-Firewall-1-INPUT -s 192.88.99.0/24 -j DROP
   ######################################################################
   -A RH-Firewall-1-INPUT -i lo -j ACCEPT
   -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
   #-A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
   # IPv6 auth and crypt protocols, used with authentication, encryption headers:
   -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
   -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
   # HOWL port, used for zeroconf networking:
   #-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
   # CUPS (IPP) port, turn on if printing support is wanted:
   #-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
   -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   # Allow unlimited SSH connections from HCC:
   -A RH-Firewall-1-INPUT -s 169.139.223.1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
   # Here we limit users to 5 ssh connects per minute, or the connection is dropped:
   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 5/min -j ACCEPT
   -A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 22 -j DROP
   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
   # Open port for CVS pserver (for testing: later require SSH tunnel):
   #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2401 -j ACCEPT
   # Open port for Postgres DB server:
   #-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
   # Omni Data Protector Backup Server (Tape Library) Port:
   -A RH-Firewall-1-INPUT -p tcp -s 169.139.222.40 --dport 5555 -j ACCEPT
   # Log anything not permitted by the above rules:
   #-A RH-Firewall-1-INPUT -j LOG
   # Reject anything not permitted by above rules:
   -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
   COMMIT

07-09-06 WP
Removed crontab delay by editing /etc/sysconfig/crontab.  (The delay is
to randomize the start time, when you have a bunch of servers all running
cron (and perhaps starting network downloads e.g. yum).  Since this isn't
the case for YborStudent the delay is pointless.)
Added /var/www/html/robots.txt, to dis-allow all indexing.
Turned off dbmail cron.daily job (chmod a-x); it's not configured (yet).

07-10-19 WP
Added /etc/pam.d/pam_demo and /usr/local/bin/pam_demo.  This command just
demonstrates a C program using PAM, and allows students to see how
changes to the policy file in pam.d affect things.

07-10-28 WP
yum installed dictd (for dict cmd).
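The 07-09-02 ruleset above opens with a block of source-address DROP rules (bogon filtering) and ends with per-host ACCEPT rules for the backup server. The script below is an added example, not from the journal and not read from the live /etc/sysconfig/iptables: it reproduces those source-address checks in shell arithmetic so a packet source can be tested offline, and shows why the ordering matters (the first matching rule wins, as in iptables). The two iprange rules for 224-239 and 240-255 are expressed as 224.0.0.0/4 and 240.0.0.0/4; the function names ip2int, in_cidr and src_verdict and the sample addresses are this example's own, and the list reflects the ruleset as written on 07-09-02, before the 10.0.0.0/8 rule was commented out for the VPN on 05-15-08.

```shell
#!/bin/sh
# Added example (not from the journal): offline check of which source-address
# DROP rule in the 07-09-02 ruleset would match a given packet source.
# The block list is this example's own transcription of those rules as CIDR
# blocks; it is not read from the live /etc/sysconfig/iptables.

BOGONS="0.0.0.0/8 127.0.0.0/8 169.139.223.21/32
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
224.0.0.0/4 240.0.0.0/4
169.254.0.0/16 192.0.2.0/24 198.18.0.0/15 192.88.99.0/24"

ip2int() {
    # dotted quad -> unsigned 32-bit integer (assumes a well-formed address)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr IP NET LEN: true when IP lies inside NET/LEN
    ip=$(ip2int "$1"); net=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

src_verdict() {
    # src_verdict IP: prints "DROP (block)" for the first matching block,
    # mirroring iptables first-match evaluation, or "pass" when none match
    # (the packet then goes on to the port/state rules further down).
    for blk in $BOGONS; do
        if in_cidr "$1" "${blk%/*}" "${blk#*/}"; then
            echo "DROP ($blk)"
            return 0
        fi
    done
    echo "pass"
}

# Constructed sample sources: a private address, the edge of 172.16/12,
# the omni backup server that must still reach port 5555, the broadcast
# address, and a documentation address that RFC 3330 did not yet reserve.
for s in 10.1.2.3 172.31.0.1 172.32.0.1 169.139.222.40 255.255.255.255 203.0.113.9; do
    printf '%-16s %s\n' "$s" "$(src_verdict "$s")"
done
```

Two things the check makes visible. The bogon block precedes the ESTABLISHED,RELATED accept, so a spoofed source is dropped before state tracking runs, and the backup server's ACCEPT for port 5555 only works because 169.139.222.40 falls outside every block; any future move of that server into 10.0.0.0/8 would have been silently dropped by the rule that was later removed. Separately, the ssh rule with -m limit --limit 5/min is one global token bucket (default burst 5), not a per-source limit, so a single noisy client can exhaust it for everyone not arriving from 169.139.223.1; a per-source limit needs -m recent. Note also that the install selected http/https but this ruleset opens only port 80.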
07-11-03 WP
yum had trouble with clamav and openoffice.org updating with dependency
conflicts.  Today I yum erased all clamav* (and amavisd-new), and all
openoffice.org (10+ packages), then yum installed them.  This worked!

07-11-07 WP
Installed via yum graphviz and graphviz-perl.  Ran cpan to configure.
Ran cpan Bundle::CPAN to update.  This takes a while and is interactive!
Used cpan to install GraphViz and Graph::easy.
Removed /usr/local/bin/mailx script (printed 'use "nail"'; no longer
used!)

07-11-13 WP
Ran yum install --enablerepo=livna kmod-ndiswrapper to install
ndiswrapper.  Ran yum install unshield to install the Linux
"InstallShield" extractor; "cabextractor" was installed by default.
Updated /etc/sysconfig/network and .../ifcfg-eth0 to not use IPv6 or
IPv4 zeroconf:

   network:
      NETWORKING=yes
      NETWORKING_IPV6=no
      HOSTNAME=YborStudent
      GATEWAY=169.139.223.1
      NOZEROCONF=true
      IPV6INIT=false
      #IPV6_AUTOCONF=yes

   ifcfg-eth0:
      # Intel Corporation 82557/8/9 [Ethernet Pro 100]
      DEVICE=eth0
      ONBOOT=yes
      BOOTPROTO=static
      HWADDR=00:06:5B:3E:89:0F
      IPADDR=169.139.223.21
      NETMASK=255.255.255.0

System needs a reboot to run new kernel, installed previously.
Added: alias vi=vim to ~root/.bashrc.  (Found out that
/etc/profile.d/vim.sh only creates this alias if not root!)

07-11-15 WP
Ran pwck and grpck.  Created /var/adm, /var/spool/uucp, and changed
gopher and sabyon homes to /tmp.  grpck added missing gshadow entries.

07-11-21 WP
yum installed xorg-x11-server-Xvfb (X virtual frame buffer server).

07-11-26 WP
Installed "auth" package (identd).
Installed a wiki called "UnixWiki" (using mediawiki package):

   # mkdir /var/www/UnixWiki
   # chmod a+rX /var/www/UnixWiki
   # cp -a /usr/share/mediawiki/* /var/www/UnixWiki/
   # chmod a+w /var/www/UnixWiki/config/
   # cat > /etc/httpd/conf.d/UnixWiki.conf <<-\EOF
   # Apache conf file for Mediawiki
   Alias /UnixWiki /var/www/UnixWiki

   # Mediawiki public web pages - must be publicly accessible
   <Directory /var/www/UnixWiki>
       Order allow,deny
       Allow from all
   </Directory>

   # Mediawiki private data - must NOT be publicly accessible
   # once install is complete:
   # <Directory /var/www/UnixWiki/config>
   #     Order deny,allow
   #     Deny from all
   # </Directory>
   EOF
   # service httpd reload
   # MySQL must also be running

Now point a web browser to http://YborStudent.hccfl.edu/UnixWiki and
complete the install: use MySQL, "prefix" of "unix_", and defaults for
everything else.  Must check "use super-user" and supply name and
password for a user with MySQL admin privileges.  Finish up the install
with:

   # mv /var/www/UnixWiki/config/LocalSettings.php /var/www/UnixWiki/
   # cp /var/www/UnixWiki/config/LocalSettings.php ~
   # chmod 500 /var/www/UnixWiki/config/
   # chmod 440 /var/www/UnixWiki/LocalSettings.php
   vi ...      # uncomment .../config directory parts of UnixWiki.conf
   # service httpd reload

vi LocalSettings.php to customize settings.  Here's what I've added near
the end:

   ####### Customized by WP: ########
   $wgLogo = "{$wgScriptPath}/tux.png";
   # After students create their accounts, change to false to
   # prevent others from editing:
   $wgGroupPermissions['*' ]['createaccount'] = true;
   $wgGroupPermissions['*' ]['edit'] = false;
   $wgGroupPermissions['*' ]['createpage'] = false;
   $wgGroupPermissions['*' ]['createtalk'] = false;

Googled for "Tux logo" and found the above, renamed to tux.png.  Used
mysql directly to make hpiffl a sysop and bureaucrat.  Created several
standard pages, customized the main page, the help page, disclaimers,
about, privacy, and the navigation box (view and edit the "special" page
"MediaWiki:Sidebar").  Protected the main pages from non-sysops (me and
maybe other faculty).
07-12-10 WP
Re-installed (removed then installed) ndiswrapper.  Current selinux
targeted policy is broken, but not seriously.

07-12-13 WP
Installed ffmpeg, wireshark (the TUI tshark), wireshark-gnome (the GUI).

07-12-17 WP
Updated /etc/sysconfig/hddtemp, and enabled the service.  Sadly it
doesn't appear that our RAID system supports this.
TODO: check into hddtemp for our RAID, and also our UPS (see nutupsdrv(8).)

08-01-16 WP
yum install rt3 (Request Tracker).  See
http://wiki.bestpractical.com/view/InstallationGuides for more.

08-01-31 WP
RPM dependency problem with xine.  Removed xine, xine-skins, and
xine-lib-moles.  Then yum update worked.  Rebooted to run new kernel.

08-02-08 WP
Re-installed xine packages.  No problems now.

28-02-08 WP
yum updates failing for two weeks, due to perl-PathTools requiring old
versions of perl stuff.  Did the following to fix:
   rpm -e perl-PathTools-3.25-1.fc7.rf
   yum update
   cpan
     install Bundle::CPAN
     reload cpan
     i /PathTools/
     force install K/KW/KWILLIAMS/PathTools-3.2701.tar.gz
(The 'force' was needed as the system thinks this is already installed.)

03-03-08 WP
At some point an update via yum changed permissions on
/usr/share/info/dir; I have added back a+r permissions.

03-09-08 WP
Installed the adjtimex package.

03-14-08 WP
Discovered the UnixWiki was broken.  Found a fixer/updater PHP script in
/var/www/UnixWiki/maintenance/update.php (run with: php update.php).
Before running, that directory needed a symlink to ../LocalSettings.php
and a new file AdminSettings.php (copied from ../AdminSettings.sample),
containing my MySQL username and password (a user with ALL perms on the
wikidb was needed).  After running the script, deleted the
AdminSettings.php file for security.

04-28-08 WP
chmod 1777 /var/spool/mail (pine complained about the 775 perms)
remove-users unix (removed last year's student accounts)
Downloaded and built (but did not install) pine from source RPM, with
SSL support.  Enabled livna and livna-source yum repos.

04-29-08 WP
Removed pine completely, and replaced it with the pine replacement
"alpine".  (This is actually the current version of pine.)  Added an
alias pine=alpine to /etc/profile.d/alpine.sh

05-08-08 WP
Removed mplayer, which was blocking yum updates due to unfulfillable
dependencies.  Manually ran yum --exclude=ffmpeg update, which worked.
Installed the oddly named librsync package for the rdiff utility.

05-13-08 WP
Added ACL to permit hpiffl to read /var/log/btmp.  (Probably should just
change the group and make the file g+r.)  Changed permissions on
/etc/logrotate.d/* to a+r.

05-15-08 WP
Reset root password, after AS accidentally changed it.
Commented out the iptables DROP rule for source IP of 10.0.0.0/8, since
new VPN doesn't NAT those addresses.
Removed ACL from btmp; sshd complains every time it connects about excess
permissions.

05-16-08 WP
Set new quotas for /home for hpiffl, rabaut, and ascott:
   setquota -u $USER 2097152 4194304 4096 8192 /home
Attempted to install backup software, but this failed due to hardware
problems with the CD-ROM drive.  The hardware is still under a service
agreement, and a repair call is scheduled for next Friday.

05-23-08 WP
Removed ffmpeg; it isn't updated properly and blocks the automatic yum
updates.

05-29-08 WP
The daily logwatch reported user ua09 used su, but didn't note the
attempt failed.  It did fail (grep ua09 /var/log/secure), so all is well.
While following this up I ran pwck and found user "ident" had a
non-existent home directory of /home/ident.  I changed that to /var/empty.

06-08-08 WP
Some odd log entries made me examine /var/log closely.  Many log files
were created apparently last year and never written to, others when a GUI
was accidentally started.  These (mostly empty) log files were removed
(e.g., Xorg*, vdr/, ...).  /var/log/scrollkeeper wasn't rotated, so I
added /etc/logrotate.d/scrollkeeper.

06-23-08 WP
Installed "ncompress", which provides old Unix compress/uncompress.
Installed GraphicsMagick.
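The 05-29-08 entry above shows the gap that matters here: logwatch's su summary reported that ua09 ran su but not that the attempt failed, and the truth had to be recovered by grepping /var/log/secure. The script below is an added example, not from the journal or from logwatch: it does that follow-up as a per-user tally of failed versus successful su attempts over syslog lines. The function names su_report and sample_secure_log are this example's own, and the log lines in sample_secure_log are constructed in the message format pam_unix uses for su ("authentication failure; ... ruser=NAME" and "session opened for user X by NAME(uid=N)"); they are not real entries from YborStudent.

```shell
#!/bin/sh
# Added example (not from the journal): the check behind the 05-29-08 entry,
# done as a per-user tally over /var/log/secure instead of a bare grep.
# The lines in sample_secure_log are CONSTRUCTED in pam_unix's su message
# format; they are not real entries from the server.

su_report() {
    # stdin: syslog lines; stdout: "user failed=N ok=M", one line per user
    # that attempted su, sorted by user.  A failed attempt appears only as a
    # pam_unix auth failure, which is what the logwatch su summary omitted.
    awk '
    /pam_unix\(su[^)]*:auth\): authentication failure/ {
        u = $0; sub(/^.*ruser=/, "", u); sub(/ .*$/, "", u)
        fail[u]++; seen[u] = 1
    }
    /pam_unix\(su[^)]*:session\): session opened for user/ {
        u = $0; sub(/^.* by /, "", u); sub(/\(.*$/, "", u)
        ok[u]++; seen[u] = 1
    }
    END {
        for (u in seen) printf "%s failed=%d ok=%d\n", u, fail[u] + 0, ok[u] + 0
    }' | sort
}

sample_secure_log() {
    # Constructed sample: two failed root attempts by ua09, one successful
    # su -l by hpiffl, plus unrelated sshd and session-close noise.
    cat <<'EOF'
May 29 02:41:07 YborStudent sshd[4107]: Accepted password for ua09 from 169.139.223.77 port 51234 ssh2
May 29 02:41:30 YborStudent su: pam_unix(su:auth): authentication failure; logname=ua09 uid=5021 euid=0 tty=pts/1 ruser=ua09 rhost=  user=root
May 29 02:41:41 YborStudent su: pam_unix(su:auth): authentication failure; logname=ua09 uid=5021 euid=0 tty=pts/1 ruser=ua09 rhost=  user=root
May 29 03:15:44 YborStudent su: pam_unix(su-l:session): session opened for user root by hpiffl(uid=500)
May 29 03:20:02 YborStudent su: pam_unix(su-l:session): session closed for user root
EOF
}

# On the real system:  su_report < /var/log/secure
sample_secure_log | su_report
```

A user with failed=N and ok=0 is the case the journal entry describes (an attempt that never succeeded); a user with both non-zero is the one worth a closer look, since a success after repeated failures is what a guessed root password looks like in this log. The tally depends on /var/log/secure being readable, which on this server means running it as root.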
07-02-08 WP
    Installed apbuild tools, from http://autopackage.org/download-tools.html (These tools include apgcc, a wrapper for gcc that fixed many problems when trying "gcc -static ...". Just use "apgcc -static ..." instead.)

07-09-08 WP
    Copied /usr/share/logwatch/conf.default/services/sendmail.conf to /etc/logwatch/conf/services. Uncommented "Detail=5".
    Changed 'LogLevel' in /etc/mail/{sendmail,submit}.cf from the default of 9 to 15.
    Changed 'StatusFile' in /etc/mail/submit.cf from default of /var/spool/clientmailqueue/sm-client.st to /var/log/mail/sm-client.st.
        "touch /var/log/mail/sm-client.st; chown smmsp.smmsp .../sm-client.st; chmod 600 .../sm-client.st"
    Chmod u+w /etc/mail/submit.cf (it is owned by root). Restarted sendmail.
    These changes should result in sendmail statistics reported from logwatch.

07-20-08 WP
    Created /etc/logrotate.d/btmp. This file doesn't exist by default, but once created grows without bound:
        # no packages own btmp
        # Added 2008-07-20 by WP
        # $Id: btmp,v 1.0 2008/07/20 11:22:17 hpiffl Exp $
        /var/log/btmp {
            monthly
            create 0600 root utmp
            rotate 1
        }

07-28-08 WP
    Changed SELinux from enforcing to permissive. (In /etc/selinux/config.) The problem is student websites. When they create ~/public_html/ it gets the wrong context. There doesn't seem to be any way to fix that, short of running restorecon -R /home in cron every few minutes. (I don't know enough about SELinux to update the rules so httpd can serve any files.)
08-04-08 WP
    Installed Omni Backup software: added entries to /etc/hosts:
        169.139.223.54  hccbackup.family.hccfl.edu hccbackup
        169.139.222.40  hcc44a.hccfl.edu hcc44a
    Added firewall holes for this:
        # Omni Data Protector Backup Server (Tape Library) Port:
        -A RH-Firewall-1-INPUT -p tcp -s 169.139.223.54 --dport 5555 -j ACCEPT
        -A RH-Firewall-1-INPUT -p tcp -s 169.139.222.40 --dport 5555 -j ACCEPT
    chmod -R o-w /usr/omni/logs/

08-11-08 WP
    Moved all of /usr/local/man/* to /usr/local/share/man/*, then put a symlink at /usr/local/man for /usr/local/share/man.
    Installed figlet in /usr/local, from source (/usr/local/src). This required a simple edit of the Makefile, and a chmod afterward of chmod a+x /usr/local/bin/figlet, chmod a+rx figlist, and a+rX for /usr/local/share/{man6,figlet}. (Next time I'm setting umask before installing!) Obtained from figlet.org.

08-12-08 WP
    Updated /etc/ssh/sshd_config to deny root login. (Previously that was the default, but now it is to allow.) Restarted sshd.
    Updated /etc/pam.d/system-auth. The changes include fixing the bad account section modules, adding pam_shells as a required module, and changing the comments. The new file is (system-auth is just a symlink to system-auth-ac, so that is the file really changed):
        #%PAM-1.0
        # This file was manually modified.
        # User changes will be destroyed the next time authconfig is run.
        # $Id: system-auth,v 1.1 2008/08/15 01:47:56 hpiffl Exp $
        auth        required      pam_env.so
        auth        required      pam_shells.so
        auth        sufficient    pam_unix.so nullok try_first_pass
        auth        requisite     pam_succeed_if.so uid >= 500 quiet
        auth        required      pam_deny.so

        account     required      pam_unix.so
        account     required      pam_shells.so
        #account    sufficient    pam_localuser.so
        #account    sufficient    pam_succeed_if.so uid < 500 quiet
        #account    required      pam_permit.so
        account     sufficient    pam_deny.so

        password    requisite     pam_cracklib.so try_first_pass retry=3
        password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
        password    required      pam_deny.so

        session     optional      pam_keyinit.so revoke
        session     required      pam_limits.so
        session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
        session     required      pam_unix.so
    (I'm concerned about cron jobs on the system, and su to system accounts without valid shells, but if necessary I will update the configuration.)

08-25-08 WP
    Added a symlink for /usr/local/sbin/set-default-expire-date to run from /etc/cron.monthly.

08-09-09 WP
    Cleaned up old stuff from /home: etc, root.tgz, wphome.tbz. Ran backup-etc.
    Preparing to run john the ripper I noticed rabaut had an illegal character in his password hash in /etc/shadow! I replaced that with vi with his hash from the CWS.

09-13-08 WP
    Ran password audit (john the ripper). No bad passwords found!

09-02-04 WP
    Added "rstohr" MySql database for use by ua01@localhost.

09-02-06 WP
    Updated /etc/pam.d/su to require users in group wheel. This had been done previously (2008-08-05) but somehow was reset. Also nobody was in group wheel. I added hpiffl, rabaut, and ascott to group wheel.

09-02-13 WP
    Ran John the Ripper:
        # cd; unshadow /etc/passwd /etc/shadow > passwords-20090213
        # john passwords-20090213 &
    (This will continue to run after log out. To view status of cracker, use "john --status". To see the accounts with cracked passwords so far, use "john --show passwords-20090213".)
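Two of the entries above (08-12-08, denying root ssh login; 09-02-06, finding the su-to-wheel restriction had been reset and group wheel empty) are the kind of setting that silently drifts back after a package update or an authconfig run. The script below is an added example, not something from this journal or from Fedora: a small drift check that reads an sshd_config, a /etc/pam.d/su and a /etc/group and fails if any of the three settings is not as intended. The function names are the author's own, the pam_wheel.so line it looks for is the standard one Fedora ships commented out in /etc/pam.d/su, and the sample files it builds for the --demo run are constructed, not copies of this server's files.

```shell
#!/bin/sh
# Added example (not from the journal): a drift check for three settings the
# journal records as having been set and later found reset. Every function
# takes the file to inspect as an argument, so it can be pointed at the real
# /etc/ssh/sshd_config, /etc/pam.d/su and /etc/group, or at the constructed
# sample files built below for an offline run.

# sshd_config: print the effective PermitRootLogin value. sshd honours the
# first occurrence of a keyword, so only the first match is printed. If the
# keyword is absent the compiled-in default applies; the journal notes that
# default changed between releases, so "default" is reported rather than
# assumed safe. (Match blocks are not handled by this simple check.)
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# /etc/pam.d/su: succeed only if an active (uncommented) auth line requires
# pam_wheel.so, which restricts su to members of group wheel.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# /etc/group: list the members of a group, one per line (nothing if the group
# has no members or does not exist).
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Combine the three checks into one pass/fail verdict plus a short report.
audit() {
    sshd_cfg=$1; pam_su=$2; group_file=$3; status=0
    prl=$(permit_root_login "$sshd_cfg")
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is '$prl', expected 'no'"; status=1; }
    su_requires_wheel "$pam_su" || { echo "FAIL: $pam_su does not require pam_wheel.so"; status=1; }
    members=$(group_members "$group_file" wheel)
    [ -n "$members" ] || { echo "FAIL: group wheel has no members"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: root ssh login denied, su limited to wheel ($(echo "$members" | tr '\n' ' '))"
    return "$status"
}

# Constructed sample files (not copies of the real ones) for an offline demo.
make_samples() {
    dir=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin no\n# PermitRootLogin yes\n' > "$dir/sshd_config"
    printf '#%%PAM-1.0\nauth\t\tsufficient\tpam_rootok.so\nauth\t\trequired\tpam_wheel.so use_uid\n' > "$dir/su"
    printf 'root:x:0:\nwheel:x:10:hpiffl,rabaut,ascott\nusers:x:100:\n' > "$dir/group"
    echo "$dir"
}

# Run "sh driftcheck.sh --demo" for the constructed sample; on the real
# system call: audit /etc/ssh/sshd_config /etc/pam.d/su /etc/group
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit "$d/sshd_config" "$d/su" "$d/group"
    rm -rf "$d"
fi
```

Dropping the audit call into the cron.monthly directory the 08-25-08 entry already uses, with its output going to root's mail, would have caught the reset that the 09-02-06 entry found by accident.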
09-02-17 WP
    Removed numlockx package from system. It is fairly useless and messes up one of my assignments. Had to manually remove entry from /var/cache/man/whatis for numlockx.

09-03-30 WP
    Changed logrotate for yum (removed "notifempty"). Manually rotated yum logs. Yum uses syslog format and the timestamps don't include a year, so after a year old log entries appear as new to logwatch.

09-05-05 WP
    Installed xosd (provides osd_cat) and foremost (a data recovery tool), so I could look at their man pages.

09-05-06 AS
    Updated the hosts file to indicate the new name and IP address of the new backup server.

09-05-28 WP
    Updated hosts.allow and hosts.deny to only allow telnet (in.telnetd) from localhost. While I was at it, I put these two files under RCS.
    /etc/hosts.allow addition:
        in.telnetd: localhost YborStudent.hccfl.edu
    /etc/hosts.deny addition:
        in.telnetd: ALL

09-06-09 WP
    Deleted wedged jobs from mail queue (rm /var/spool/mqueue/*). Added email alias for tomcat --> root, ran newaliases. Deleted old tomcat mail.
    Changed the password expire to never (01) for ua?? accounts.

09-06-11 WP
    Installed socat (like netcat-ng).

09-07-08 WP
    Tracked down the httpd issue. Two months ago OIT did an auto-discovery of servers and services in the data center and "discovered" the apache web server running here. Their monitoring system "WhatsUp Professional" started pinging the server and probing httpd once a minute ever since. Chet Ramsey has turned off the http probe.
09-09-07 WP
    Updated UnixWiki site to allow uploading of images by logged in users. Made changes to LocalSettings.php:
        $ rcsdiff -r1.0 LocalSettings.php
        ===================================================================
        RCS file: RCS/LocalSettings.php,v
        retrieving revision 1.0
        diff -r1.0 LocalSettings.php
        81,82c81,82
        < $wgEnableUploads = false;
        < $wgUseImageResize = true;
        ---
        > $wgEnableUploads = true;
        > $wgUseImageResize = true;
        85a86,89
        > # Location of apache user writable upload directory:
        > $wgUploadPath = "{$wgScriptPath}/images";
        > $wgUploadDirectory = "/var/www/UnixWiki/images";
        >
        122c126,139
        <
        ---
        >
        > ####### Customized by WP: ########
        > $wgLogo = "{$wgScriptPath}/tux.png";
        > # After students create their accounts, change to false to
        > # prevent others from editing:
        > $wgGroupPermissions['*' ]['createaccount'] = true;
        >
        > $wgGroupPermissions['*' ]['edit'] = false;
        > $wgGroupPermissions['*' ]['createpage'] = false;
        > $wgGroupPermissions['*' ]['createtalk'] = false;
        >
        > # Always fetch system messages (e.g. side3bar text) from the DB:
        > $wgUseDatabaseMessages = true;
        >
    chown apache.apache /var/www/UnixWiki/images
    chmod 755 /var/www/UnixWiki/images

10-02-02 WP
    Updated quota on /home for admin I students:
        # cd /home
        # for u in $(echo ua??)
        > do
        > setquota -u $u 25000000 35000000 5000 8000 /home
        > done

10-02-06 WP
    Updated /etc/logrotate.d/yum to include "yearly" option.

10-02-24 WP
    Re-created 'vanilla' /var/cvs-repos for COP-2805 class assignments. (Followed directions from CVS-repo-setup.)
    Added group quota for 'cvs' to /var:
        touch /var/aquota.group; chmod a+r /var/aquota.group
        vi /etc/fstab    # added grpquota option for /var
        mount -o remount /var
        quotacheck -vgcM /var
        setquota -g cvs 100000 150000 300 500 /var
    Added new user accounts for COP-2805 students (in group cvs), with pwgen supplied passwords.
    Discovered alpine (pine) was sending "flowed" text by default! And the package is missing the /etc/pine.conf file!!!
    I created one by deleting ~/.pinerc (from ub00, not hpiffl or root), running alpine, configuring the no flow option, quitting alpine, and copying the resulting .pinerc to /etc/pine.conf. Also made that readable by all.

10-03-05 WP
    Found source for missing xcalc at:
        ftp://ftp.x.org/pub/X11R7.0/src/app/xcalc-X11R7.0-1.0.1.tar.bz2
    and created a RPM spec file from directions found at:
        http://forums.fedoraforum.org/showthread.php?t=114937#post597090
    This needed some tweaking but got a working spec file:
        Summary: X.Org XCalc
        Name: xcalc-X11R7.0
        Version: 1.0.1
        Release: 1%{?dist}
        License: MIT/X11
        Group: User Interface/X
        URL: http://www.x.org
        Source0: ftp://ftp.x.org/pub/X11R7.0/src/app/xcalc-X11R7.0-1.0.1.tar.bz2
        BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

        %description

        %prep
        %setup -q

        %build
        %configure

        %install
        rm -rf $RPM_BUILD_ROOT
        make install DESTDIR=$RPM_BUILD_ROOT

        %clean
        rm -rf $RPM_BUILD_ROOT

        %files
        %defattr(-,root,root,-)
        %doc
        /usr/bin/xcalc
        /usr/share/X11/app-defaults/XCalc
        /usr/share/X11/app-defaults/XCalc-color
        /usr/share/man/man1/xcalc.1x.gz

        %changelog
        * Fri Aug 25 2006 amlai <> -
        - Initial build.
    and built it with rpmbuild -bb, then installed the resulting RPM. The path for the new command is /usr/bin/xcalc.

10-11-05 WP
    Added some blocks to iptables, to stop the 3 worst ssh attackers:
        # Annoying ssh attackers:
        -A RH-Firewall-1-INPUT -s 217.170.194.68 -j DROP
        -A RH-Firewall-1-INPUT -s 61.239.248.134 -j DROP
        -A RH-Firewall-1-INPUT -s 202.65.242.76 -j DROP

11-03-01 WP
    Students attempting to start the GUI have run their home directory out of space, and left several GUI processes hung (gconf). I have removed the execute by others permission from /usr/bin/startx and startkde, and cleaned out the left-over GUI files from /var/tmp.
    I have run a quota report, and as a result increased the quotas for ascott and rabaut:
        setquota -u rabaut 4096000 6000000 8000 10000 /home
        setquota -u ascott 12000 24000 2000 3000 /home

11-03-09 WP
    The CVS users from the COP-2805 class found a problem with quotas on /var. Apparently the quota for user root was preventing updates to /var, I think because the files are owned by root and not by user cvs. I've removed the user quota for root from /var, as I don't want to mess with the file ownership in the middle of the term. But next term I will try:
        cd $CVSROOT; chown -R cvs .

11-06-24 WP
    Installed CUnit (in /var/local).

11-07-22 WP
    Updated resolv.conf to include all HCC nameservers, as per Adrian McCray (the HCC network manager):
        search hccfl.edu
        nameserver 169.139.222.4     # ns1.hccfl.edu
        nameserver 169.139.222.15    # ns2.hccfl.edu
        nameserver 198.31.195.114    # ns3.hccfl.edu
        nameserver 198.31.195.115    # ns4.hccfl.edu

11-09-21 WP
    Updated /etc/hosts, /etc/aliases to fix problem with alpine-counter email.

11-12-11 WP
    Updated iptables rules: commented out the two Omni backup holes. Apparently HCC hasn't used Omni for years but nobody told me until recently.
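Review bot: in the 09-09-07 LocalSettings.php diff above, hunk 122c126,139 leaves `$wgGroupPermissions['*' ]['createaccount'] = true;` while hunk 81,82c81,82 turns `$wgEnableUploads` on, so until the follow-up the comment promises (setting createaccount to false once the students have registered) is actually carried out, anyone who reaches the site can register and then upload into the apache-writable /var/www/UnixWiki/images directory. Suggest doing that flip in the same edit, or at least recording in the journal when it was done, and, since the diff does not touch them, confirming that the upload file-type limits ($wgFileExtensions, $wgStrictFileExtensions, $wgCheckFileExtensions) are still at MediaWiki's defaults rather than relaxed elsewhere in the file.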
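Two entries above do /var/log/secure triage by hand: 05-29-08 checks with grep whether the su that logwatch reported for ua09 really failed, and 10-11-05 picks the three source addresses behind the most ssh noise before adding DROP rules. The script below is an added example, not from this journal, that does both over the same log: it tallies sshd "Failed password" lines per source address and counts failed versus successful su for a given user. The function names are the author's own, the line formats are those sshd and pam_unix write on a Fedora-era syslog, and the sample log embedded in the script is constructed for the demo (made-up addresses and users, none taken from the journal).

```shell
#!/bin/sh
# Added example (not from the journal): a small /var/log/secure triage script.
# Each reporting function reads the file named in $1, so it can be run against
# the real /var/log/secure or the constructed sample below.

# Constructed sample log lines in the syslog/sshd/pam_unix format; the
# addresses and usernames are made up for this demo.
SAMPLE_LOG=$(cat <<'EOF'
Nov  5 03:12:01 yborstudent sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Nov  5 03:12:04 yborstudent sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Nov  5 03:12:09 yborstudent sshd[2214]: Failed password for root from 192.0.2.10 port 40215 ssh2
Nov  5 03:15:33 yborstudent sshd[2251]: Failed password for invalid user oracle from 198.51.100.7 port 51022 ssh2
Nov  5 03:15:40 yborstudent sshd[2253]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2
Nov  5 04:01:17 yborstudent sshd[2388]: Accepted password for hpiffl from 203.0.113.5 port 60000 ssh2
Nov  5 04:20:44 yborstudent sshd[2402]: Failed password for invalid user guest from 203.0.113.99 port 33101 ssh2
Nov  5 09:42:10 yborstudent su: pam_unix(su:auth): authentication failure; logname=ua09 uid=5001 euid=0 tty=pts/2 ruser=ua09 rhost=  user=root
Nov  5 09:42:10 yborstudent su: FAILED SU (to root) ua09 on pts/2
Nov  5 10:05:02 yborstudent su: pam_unix(su:session): session opened for user root by hpiffl(uid=500)
EOF
)

# Count sshd "Failed password" lines per source address and print the top N
# (default 3) as "count address", highest count first.
top_ssh_failures() {
    n=${2:-3}
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" \
        | sort -k1,1nr -k2,2 | head -n "$n"
}

# Number of failed su attempts recorded for a user: su logs "FAILED SU", which
# a summary that only counts "su" mentions does not distinguish from success.
su_failures_for() {
    grep -c "su: FAILED SU .* $2 on " "$1"
}

# Number of su sessions actually opened by a user (pam_unix session line).
su_successes_for() {
    grep -c "su: pam_unix(su:session): session opened for user .* by $2(" "$1"
}

# Demo run against the constructed sample.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "Top sshd password-failure sources:"
    top_ssh_failures "$tmp" 3
    echo "ua09 su failures: $(su_failures_for "$tmp" ua09), successes: $(su_successes_for "$tmp" ua09)"
    rm -f "$tmp"
}

# Run "sh secure-triage.sh --demo"; on the real system call e.g.
# top_ssh_failures /var/log/secure 3 or su_failures_for /var/log/secure ua09
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The count-per-address list is the evidence to keep with a DROP rule like the three added on 10-11-05; because the yum-style timestamps in these logs carry no year (the 09-03-30 entry), run it over one rotated file at a time rather than a concatenation.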