Difference between revisions of "Honesty admin"

From ProgClub
This page chronicles the administrative changes to [[Honesty|honesty.progclub.net]]. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp further down the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the [[Administrative reference]] for other information.
= [[User:John|John]] 2012-02-28 13:35 =
== Configuring etckeeper email commit notifications ==

Following [https://www.progclub.org/pipermail/list/2012-February/000470.html these instructions].

jj5@honesty:~$ echo $SESSION_PATH
/home/jj5/.session/2012/02/28/2012-02-28-132932
jj5@honesty:~$ note Configuring etckeeper email commit notifications
Note: Configuring etckeeper email commit notifications

jj5@honesty:~$ cd /srv
jj5@honesty:/srv$ ls
jj5@honesty:/srv$ sudo -s
root@honesty:/srv# mkdir bzr
root@honesty:/srv# cd bzr

root@honesty:/srv/bzr# bzr branch lp:bzr-hookless-email
You have not informed bzr of your Launchpad ID, and you must do this to
write to Launchpad or access private data.  See "bzr help launchpad-login".
Branched 30 revision(s).

root@honesty:/srv/bzr# ls
bzr-hookless-email

root@honesty:/srv/bzr# cd bzr-hookless-email/
root@honesty:/srv/bzr/bzr-hookless-email# bzr pull
Using saved parent location: http://bazaar.launchpad.net/~bzr/bzr-hookless-email/trunk-2a/
No revisions to pull.

root@honesty:/srv/bzr/bzr-hookless-email# cd /etc/cron.d
root@honesty:/etc/cron.d# vim bzr-hookless-mail
root@honesty:/etc/cron.d# cat bzr-hookless-mail
# every 5 minutes, mail new commits to the /etc branch to the log list
# (the script lives in the directory the branch was cloned into: bzr-hookless-email)
*/5 * * * * root /srv/bzr/bzr-hookless-email/bzr_hookless_email.py -e log@progclub.org -r /etc

root@honesty:/etc/cron.d# ll
total 24K
drwxr-xr-x  2 root root 4.0K 2012-02-28 13:34 ./
drwxr-xr-x 83 root root 4.0K 2012-02-28 12:46 ../
-rw-r--r--  1 root root  95 2012-02-28 13:34 bzr-hookless-mail
-rw-r--r--  1 root root  347 2012-02-28 12:46 logcheck
-rw-r--r--  1 root root  506 2012-02-09 17:43 php5
-rw-r--r--  1 root root  102 2010-04-15 16:51 .placeholder
 
 
 
= [[User:John|John]] 2012-02-28 12:49 =

== Installing and configuring logcheck ==

jj5@honesty:~$ echo $SESSION_PATH
/home/jj5/.session/2012/02/28/2012-02-28-124504
jj5@honesty:~$ note Installing and configuring logcheck.
Note: Installing and configuring logcheck.

jj5@honesty:~$ sudo apt-get install logcheck syslog-summary
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libipc-signal-perl libmime-types-perl libproc-waitstat-perl
  logcheck-database logtail mime-construct python-magic
Suggested packages:
  python-magic-dbg
The following NEW packages will be installed:
  libipc-signal-perl libmime-types-perl libproc-waitstat-perl logcheck
  logcheck-database logtail mime-construct python-magic syslog-summary
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 361kB of archives.
After this operation, 1,982kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libipc-signal-perl 1.00-6 [7,016B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libmime-types-perl 1.28-1 [31.5kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libproc-waitstat-perl 1.00-4 [7,806B]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main mime-construct 1.10 [19.4kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logtail 1.3.7ubuntu2 [57.8kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logcheck 1.3.7ubuntu2 [75.7kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logcheck-database 1.3.7ubuntu2 [115kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/universe syslog-summary 1.14-1 [10.2kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main python-magic 5.03-5ubuntu1 [35.7kB]
Fetched 361kB in 0s (368kB/s)
Committing to: /etc/
modified apt/apt.conf.d/50unattended-upgrades
modified fail2ban/jail.local
modified logwatch/conf/logwatch.conf
Committed revision 69.
Selecting previously deselected package libipc-signal-perl.
(Reading database ... 24577 files and directories currently installed.)
Unpacking libipc-signal-perl (from .../libipc-signal-perl_1.00-6_all.deb) ...
Selecting previously deselected package libmime-types-perl.
Unpacking libmime-types-perl (from .../libmime-types-perl_1.28-1_all.deb) ...
Selecting previously deselected package libproc-waitstat-perl.
Unpacking libproc-waitstat-perl (from .../libproc-waitstat-perl_1.00-4_all.deb) ...
Selecting previously deselected package mime-construct.
Unpacking mime-construct (from .../mime-construct_1.10_all.deb) ...
Selecting previously deselected package logtail.
Unpacking logtail (from .../logtail_1.3.7ubuntu2_all.deb) ...
Selecting previously deselected package logcheck.
Unpacking logcheck (from .../logcheck_1.3.7ubuntu2_all.deb) ...
Selecting previously deselected package logcheck-database.
Unpacking logcheck-database (from .../logcheck-database_1.3.7ubuntu2_all.deb) ...
Selecting previously deselected package syslog-summary.
Unpacking syslog-summary (from .../syslog-summary_1.14-1_all.deb) ...
Selecting previously deselected package python-magic.
Unpacking python-magic (from .../python-magic_5.03-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libipc-signal-perl (1.00-6) ...
Setting up libmime-types-perl (1.28-1) ...
Setting up libproc-waitstat-perl (1.00-4) ...
Setting up mime-construct (1.10) ...
Setting up logtail (1.3.7ubuntu2) ...
Setting up logcheck (1.3.7ubuntu2) ...
Adding user logcheck to group adm

Setting up logcheck-database (1.3.7ubuntu2) ...

Setting up syslog-summary (1.14-1) ...
Setting up python-magic (5.03-5ubuntu1) ...
Committing to: /etc/
modified .etckeeper
modified aliases
modified aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
added syslog-summary
added cron.d/logcheck
added logcheck/cracking.d
added logcheck/cracking.ignore.d
added logcheck/header.txt
added logcheck/logcheck.conf
added logcheck/logcheck.logfiles
added logcheck/violations.d
added logcheck/violations.ignore.d
added logcheck/cracking.d/kernel
added logcheck/cracking.d/rlogind
added logcheck/cracking.d/rsh
added logcheck/cracking.d/smartd
added logcheck/cracking.d/tftpd
added logcheck/cracking.d/uucico
 
added logcheck/violations.d/kernel
added logcheck/violations.d/logcheck
added logcheck/violations.d/smartd
added logcheck/violations.d/su
added logcheck/violations.d/sudo
added logcheck/violations.ignore.d/logcheck-su
added logcheck/violations.ignore.d/logcheck-sudo
added syslog-summary/ignore.rules
Committed revision 70.

jj5@honesty:~$ cd /etc/logcheck/
jj5@honesty:/etc/logcheck$ sudo vim logcheck.conf
jj5@honesty:/etc/logcheck$ cat logcheck.conf
cat: logcheck.conf: Permission denied

jj5@honesty:/etc/logcheck$ sudo cat logcheck.conf
# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale

#DATE="$(date +'%Y-%m-%d %H:%M')"

# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.

#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"

SENDMAILTO="log@progclub.org"

# Send the results as attachment or not.
# 0=not as attachment; 1=as attachment
# Default is 0

MAILASATTACH=0

# Should the hostname in the subject of generated mails be fully qualified?

FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting

#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support

#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path

#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
# HINT: syslog-summary needs to be installed.

SYSLOGSUMMARY=1

# Controls Subject: lines on logcheck reports:

#ATTACKSUBJECT="Security Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines

#ADDTAG="no"

# Set a different location for temporary files than /tmp
# this is useful if your /tmp is small and you are getting
# errors such as:
# cp: writing `/tmp/logcheck.y12449/checked': No space left on device
# /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device
# mail: /tmp/mail.RsXXXXpc2eAx: No space left on device
# Null message body; hope that's ok
#
# If this is happening, likely you will want to change the following to be some other
# location, such as /var/tmp

TMP="/tmp"

Then you need to patch syslog-summary to change the python2.5 env to python2:

root@honesty:/# vim /usr/bin/syslog-summary
root@honesty:/# head /usr/bin/syslog-summary
#!/usr/bin/env python2
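The filtering that the configuration above sets up (REPORTLEVEL, the cracking.d, violations.d and violations.ignore.d layers, and the default "sort -k 1,3 -s" ordering) is easier to see end to end in code. The Python below is an added model written for this page, not logcheck's own code; its rule sets and syslog lines are constructed, and its classification is simplified to one section per line.

```python
import re

# Constructed rule sets laid out the way /etc/logcheck is: {directory: {rulefile: [regex, ...]}}.
# They imitate the style of logcheck-database but are not its contents.
RULES = {
    "cracking.d": {
        "rsh": [r" rshd\[[0-9]+\]: Connection from [^ ]+ on illegal port$"],
    },
    "violations.d": {
        "sudo": [r" sudo: "],
        "su": [r" su\[[0-9]+\]: (FAILED|\+|-) "],
    },
    # violations.ignore.d/<name> and violations.ignore.d/logcheck-<name> are
    # exceptions to violations.d/<name> only, not to the other violation files.
    "violations.ignore.d": {
        "logcheck-sudo": [r" sudo: +[^ ]+ : TTY=[^ ]+ ; PWD=[^ ]+ ; USER=root ; COMMAND="],
    },
    "ignore.d.paranoid": {
        "cron": [r" CRON\[[0-9]+\]: pam_unix\(cron:session\): session (opened|closed) for user"],
    },
    "ignore.d.server": {
        "ssh": [r" sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from [0-9.]+ port [0-9]+ ssh2$"],
        "sudo": [r" sudo: +[^ ]+ : TTY=[^ ]+ ; PWD=[^ ]+ ; USER=root ; COMMAND="],
    },
    "ignore.d.workstation": {
        "udev": [r" udevd\[[0-9]+\]: "],
    },
}

# Which ignore directories each REPORTLEVEL pulls in; paranoid ignores the least.
LEVEL_DIRS = {
    "paranoid": ("ignore.d.paranoid",),
    "server": ("ignore.d.paranoid", "ignore.d.server"),
    "workstation": ("ignore.d.paranoid", "ignore.d.server", "ignore.d.workstation"),
}

SECTIONS = ("Security Alerts", "Security Events", "System Events")


def _compile(rules, *dirs):
    """Flatten every pattern in the given rule directories into compiled regexes."""
    return [re.compile(p) for d in dirs for pats in rules.get(d, {}).values() for p in pats]


def _hit(line, regexes):
    return any(r.search(line) for r in regexes)


def sort_k13_stable(lines):
    """Approximate the default 'sort -k 1,3 -s': stable sort on month, day and time."""
    return sorted(lines, key=lambda l: " ".join(l.split()[:3]))


def is_violation(line, rules):
    """True if some violations.d/<name> matches the line and neither
    violations.ignore.d/<name> nor violations.ignore.d/logcheck-<name> excuses it."""
    for name, pats in rules["violations.d"].items():
        if _hit(line, [re.compile(p) for p in pats]):
            exc = (rules["violations.ignore.d"].get(name, []) +
                   rules["violations.ignore.d"].get("logcheck-" + name, []))
            if not _hit(line, [re.compile(p) for p in exc]):
                return True
    return False


def classify(lines, report_level="server", rules=RULES):
    """Sort the lines and file each one under the first section whose rules claim it.

    Simplification: logcheck itself runs the cracking, violations and ignore passes
    as separate greps over the same input; here a line lands in at most one section.
    """
    cracking = _compile(rules, "cracking.d")
    ignore = _compile(rules, *LEVEL_DIRS[report_level])
    report = {s: [] for s in SECTIONS}
    for line in sort_k13_stable(lines):
        if _hit(line, cracking):
            report["Security Alerts"].append(line)
        elif is_violation(line, rules):
            report["Security Events"].append(line)
        elif not _hit(line, ignore):          # everything not ignored is reported
            report["System Events"].append(line)
    return report


# Constructed syslog lines, deliberately out of order to exercise the sort.
SAMPLE_LOG = [
    "Feb 28 12:46:01 honesty CRON[12345]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Feb 28 12:47:12 honesty sshd[12400]: Accepted publickey for jj5 from 203.0.113.7 port 51022 ssh2",
    "Feb 28 12:45:30 honesty sudo:   jj5 : TTY=pts/0 ; PWD=/home/jj5 ; USER=root ; COMMAND=/usr/bin/apt-get install logcheck",
    "Feb 28 12:48:05 honesty sudo:   nobody : command not allowed ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/sh",
    "Feb 28 12:49:00 honesty sshd[12450]: Failed password for invalid user oracle from 198.51.100.9 port 40122 ssh2",
    "Feb 28 12:50:44 honesty udevd[99]: worker did not accept message",
    "Feb 28 12:49:59 honesty rshd[777]: Connection from 198.51.100.9 on illegal port",
]

if __name__ == "__main__":
    for level in LEVEL_DIRS:
        print("REPORTLEVEL=" + level)
        for section, hits in classify(SAMPLE_LOG, level).items():
            print("  %-16s %d line(s)" % (section + ":", len(hits)))
```

Running it with the three levels shows why "server" is the right setting for honesty: the udevd noise only disappears at "workstation", while the failed ssh login is reported at every level because nothing ignores it.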
 
 
 
= [[User:John|John]] 2012-02-28 12:00 =

== Configuring new log@progclub mailing list ==

There's a new mailing list log@progclub where system logs will be delivered (to keep the noise off the admin list). To configure that on honesty:

jj5@honesty:~$ sudo -s
root@honesty:~# cd /etc/fail2ban/
root@honesty:/etc/fail2ban# vim jail.local
root@honesty:/etc/fail2ban# grep log@ jail.local
destemail = log@progclub.org
root@honesty:/etc/fail2ban# cd /etc/logwatch/conf/
root@honesty:/etc/logwatch/conf# vim logwatch.conf
root@honesty:/etc/logwatch/conf# grep log@ logwatch.conf
MailTo = log@progclub.org
root@honesty:/etc/logwatch/conf# cd /etc/apt/apt.conf.d/
root@honesty:/etc/apt/apt.conf.d# vim 50unattended-upgrades
root@honesty:/etc/apt/apt.conf.d# grep log@ 50unattended-upgrades
Unattended-Upgrade::Mail "log@progclub.org";
root@honesty:/etc/apt/apt.conf.d# reboot
 
 
 
= [[User:John|John]] 2012-02-08 15:36 =

== Fixing permissions on NFS dns_resolve directory ==

jj5@honesty:~$ sudo -s
root@honesty:~# cd /var/lib/nfs/rpc_pipefs/cache/
root@honesty:/var/lib/nfs/rpc_pipefs/cache# ll -d dns_resolve/
drw------- 2 root root 0 2012-02-03 18:17 dns_resolve//
root@honesty:/var/lib/nfs/rpc_pipefs/cache# cd /etc
root@honesty:/etc# vim rc.local
root@honesty:/etc# cat rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

chmod u+x /var/lib/nfs/rpc_pipefs/cache/dns_resolve

exit 0

Bah, that didn't fix all the issues, retrying like this:

jj5@honesty:~$ sudo vim /etc/rc.local
jj5@honesty:~$ sudo /etc/rc.local
jj5@honesty:~$ cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#chmod u+x /var/lib/nfs/rpc_pipefs/cache/dns_resolve
# Under "sh -e" a failed cd aborts the script before "$?" can be tested,
# so test the cd itself; every directory under rpc_pipefs needs u+x.
if cd /var/lib/nfs/rpc_pipefs; then
  find . -type d -exec chmod u+x {} \;
fi

exit 0
 
 
 
= [[User:John|John]] 2012-01-31 18:52 =

== Preparing for Slicehost DataCenter migration ==

jj5@honesty:~$ sudo -s
root@honesty:~# cd /etc
root@honesty:/etc# grep -R 172.19 *
bind/named.conf.local:  allow-transfer { 172.19.1.28; };
grep: blkid.tab: No such file or directory
fstab:172.19.1.45:/home /home    nfs4    rw,_netdev,auto 0 0
mtab:172.19.1.45:/home /home nfs4 rw,clientaddr=172.19.1.46,addr=172.19.1.45 0 0
network/interfaces:    address 172.19.1.46
grep: nologin: No such file or directory

root@honesty:/etc# vim bind/named.conf.local
root@honesty:/etc# cat bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Dynamic zone for testing the bkdns project
zone "progclub.biz" in {
  type master;
  file "progclub.biz.dns";
  //allow-transfer { 172.19.1.28; };
  allow-transfer { 67.207.130.204; };
  allow-update { key dev.progclub.biz.; };
};

root@honesty:/etc# vim /etc/fstab
root@honesty:/etc# cat /etc/fstab
proc            /proc      proc    defaults    0 0
/dev/sda1      /          ext3    defaults,errors=remount-ro,noatime    0 1
/dev/sda2      none        swap    sw          0 0
67.207.128.184:/home /home    nfs4    rw,_netdev,auto 0 0

root@honesty:/etc# vim /etc/mtab
root@honesty:/etc# cat /etc/mtab
/dev/sda1 / ext3 rw,noatime,errors=remount-ro 0 0
proc /proc proc rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,noexec,nosuid,nodev 0 0
none /sys sysfs rw,noexec,nosuid,nodev 0 0
udev /dev tmpfs rw,mode=0755 0 0
none /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
none /dev/shm tmpfs rw,nosuid,nodev 0 0
none /var/run tmpfs rw,nosuid,mode=0755 0 0
none /var/lock tmpfs rw,noexec,nosuid,nodev 0 0
none /lib/init/rw tmpfs rw,nosuid,mode=0755 0 0
rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
67.207.128.184:/home /home nfs4 rw,clientaddr=67.207.129.103,addr=67.207.128.184 0 0
 
 
 
 
 
= [[User:Tasaio|Tasaio]] 2012-01-15 13:08 =

== Installing and Configuring DNS for bkdns development ==

Install bind and dnsutils:

tasaio@honesty:~$ sudo apt-get update && sudo apt-get install bind9
tasaio@honesty:~$ sudo apt-get install dnsutils

Generate a key:

tasaio@honesty:~$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER dev.progclub.biz.
tasaio@honesty:~$ cat Kdev.progclub.biz.+157+61713.key
dev.progclub.biz. IN KEY 0 3 157 actualkeyremoved==

Add a zone to bind's config (let our key update it):

tasaio@honesty:~$ cat /etc/bind/named.conf.local
// ....
// Dynamic zone for testing the bkdns project
zone "progclub.biz" in {
        type master;
        file "progclub.biz.dns";
        allow-transfer { 172.19.1.28; };
        allow-update { key dev.progclub.biz.; };
        };

Set up the initial zone file:

tasaio@honesty:~$ cat /var/cache/bind/dev.progclub.biz.dns
;
; BIND data file for progclub.biz
;
$TTL    604800
@      IN      SOA    honesty.progclub.net. root.progclub.net. (
                              3        ; Serial
                          604800        ; Refresh
                           86400        ; Retry
                         2419200        ; Expire
                          604800 )      ; Negative Cache TTL
;
@      IN      NS      honesty.progclub.net.
@      IN      NS      hope.progclub.net.
@      IN      A      172.19.1.46

Add our key to bind's config:

tasaio@honesty:/etc/bind$ cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/keys.conf";

tasaio@honesty:/etc/bind$ sudo cat keys.conf
key dev.progclub.biz. {
        algorithm hmac-md5;
        secret "actualkeyremoved==";
        };

Restart Bind:

tasaio@honesty:~$ sudo /etc/init.d/bind9 restart

This zone accepts dynamic updates. If you must update the zone file by hand, make sure you run

rndc freeze progclub.biz

before editing, and

rndc thaw progclub.biz

when finished.
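As an added example (not part of Tasaio's notes or of BIND itself), the Python below parses the KEY record that dnssec-keygen writes to the K*.key file, maps the algorithm number (157 is HMAC-MD5) to the name keys.conf expects, renders the key stanza, and checks that named.conf.local actually grants allow-update to that key for the zone. The sample secret is generated in the code and is not a real key, and the algorithm table also carries the HMAC-SHA numbers so the same parser handles the stronger algorithms newer dnssec-keygen/tsig-keygen produce.

```python
import base64
import re

# Private algorithm numbers BIND's dnssec-keygen writes into K<name>.+<alg>+<id>.key
# for "-a HMAC-*" keys; 157 is the HMAC-MD5 key generated in the session above.
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}

# "<name> IN KEY <flags> <protocol> <algorithm> <base64 secret>"
_KEY_RR = re.compile(
    r"^(?P<name>\S+)\s+IN\s+KEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<secret>\S+)\s*$")

# A zone block in named.conf.local and the allow-update clause inside it.
_ZONE = re.compile(r'zone\s+"(?P<zone>[^"]+)"(?:\s+in)?\s*\{(?P<body>.*?)\n\s*\};',
                   re.DOTALL | re.IGNORECASE)
_ALLOW_UPDATE = re.compile(r"allow-update\s*\{\s*key\s+(?P<key>[^\s;]+)\s*;")


def parse_key_record(text):
    """Parse the KEY record from a K*.key file into the fields keys.conf needs."""
    m = _KEY_RR.match(text.strip())
    if not m:
        raise ValueError("not a KEY record: %r" % text)
    alg = int(m.group("alg"))
    if alg not in HMAC_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC TSIG algorithm" % alg)
    secret = m.group("secret")
    raw = base64.b64decode(secret, validate=True)  # rejects a corrupted or truncated secret
    return {
        "name": m.group("name"),
        "algorithm": HMAC_ALGORITHMS[alg],
        "secret": secret,
        "bits": len(raw) * 8,                      # compare with the -b you asked for
    }


def keys_conf_stanza(key):
    """Render the key {} stanza in the form used in /etc/bind/keys.conf above."""
    return ('key %s {\n'
            '        algorithm %s;\n'
            '        secret "%s";\n'
            '};\n') % (key["name"], key["algorithm"], key["secret"])


def zone_update_key(named_conf_local, zone):
    """Return the key name allow-update grants for the zone, or None when the zone
    has no such clause (an nsupdate signed with the key would then be refused)."""
    for m in _ZONE.finditer(named_conf_local):
        if m.group("zone").lower() == zone.lower():
            u = _ALLOW_UPDATE.search(m.group("body"))
            return u.group("key") if u else None
    return None


# Constructed sample: 64 bytes standing in for a 512-bit secret (not a real key).
SAMPLE_SECRET = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KEY_FILE = "dev.progclub.biz. IN KEY 0 3 157 " + SAMPLE_SECRET

# Constructed copy of the zone block from named.conf.local in the session above.
SAMPLE_NAMED_CONF_LOCAL = '''
// Dynamic zone for testing the bkdns project
zone "progclub.biz" in {
        type master;
        file "progclub.biz.dns";
        allow-transfer { 172.19.1.28; };
        allow-update { key dev.progclub.biz.; };
        };
'''

if __name__ == "__main__":
    key = parse_key_record(SAMPLE_KEY_FILE)
    print(keys_conf_stanza(key))
    print("zone update key:", zone_update_key(SAMPLE_NAMED_CONF_LOCAL, "progclub.biz"))
```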
 
 
 
= [[User:John|John]] 2012-01-15 03:18 =

== Allowing DNS traffic through firewall ==

root@honesty:~# vim /etc/iptables.up.rules

Added:

# allow DNS traffic
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 
 
 
= [[User:John|John]] 2011-12-01 23:07 =

== Configuring unattended upgrades ==

Following [https://help.ubuntu.com/10.04/serverguide/C/automatic-updates.html these instructions] on automatic updates.

root@honesty:~# apt-get install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  iso-codes python-apt
Suggested packages:
  isoquery python-apt-dbg python-gtk2 python-vte python-apt-doc bsd-mailx
The following NEW packages will be installed:
  iso-codes python-apt unattended-upgrades
0 upgraded, 3 newly installed, 0 to remove and 10 not upgraded.
Need to get 2850kB of archives.
After this operation, 13.4MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main iso-codes 3.12.1-1 [2642kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main python-apt 0.7.94.2ubuntu6.4 [187kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main unattended-upgrades 0.55ubuntu5 [20.6kB]
Fetched 2850kB in 2s (1341kB/s)
Preconfiguring packages ...
Selecting previously deselected package iso-codes.
(Reading database ... 21487 files and directories currently installed.)
Unpacking iso-codes (from .../iso-codes_3.12.1-1_all.deb) ...
Selecting previously deselected package python-apt.
Unpacking python-apt (from .../python-apt_0.7.94.2ubuntu6.4_amd64.deb) ...
Selecting previously deselected package unattended-upgrades.
Unpacking unattended-upgrades (from .../unattended-upgrades_0.55ubuntu5_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up iso-codes (3.12.1-1) ...
Setting up python-apt (0.7.94.2ubuntu6.4) ...

Processing triggers for python-central ...
Setting up unattended-upgrades (0.55ubuntu5) ...
update-rc.d: warning: unattended-upgrades start runlevel arguments (none) do not match LSB Default-Start values (0 6)
update-rc.d: warning: unattended-upgrades stop runlevel arguments (0 6) do not match LSB Default-Stop values (none)

Committing to: /etc/
added pm
added apt/apt.conf.d/50unattended-upgrades
added init.d/unattended-upgrades
added logrotate.d/unattended-upgrades
added pm/sleep.d
added pm/sleep.d/10_unattended-upgrades-hibernate
added rc0.d/S10unattended-upgrades
added rc6.d/S10unattended-upgrades
Committed revision 39.

root@honesty:~# vim /etc/apt/apt.conf.d/50unattended-upgrades
root@honesty:~# cat /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
        "Ubuntu lucid-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
Unattended-Upgrade::Mail "admin@progclub.org";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

root@honesty:~# vim /etc/apt/apt.conf.d/02periodic
root@honesty:~# cat /etc/apt/apt.conf.d/02periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
 
 
 
= [[User:John|John]] 2011-12-01 06:42 =

== Supporting /pcwiki URLs on Member Net ==

The way MediaWiki loads resources is to send a relative URL back to the server requesting the load of other resources. So basically we need to support /pcwiki URLs on Member Net as well as on the ProgClub web-site. To do that I added the following to /etc/apache2/sites-enabled/default-ssl:

RewriteEngine on
RewriteRule ^/pcwiki/(.*) https://www.progclub.org/pcwiki/$1 [NE]

Note that the [NE] was required at the end of the rewrite rule to [http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html avoid double-escaping].
 
 
 
= [[User:John|John]] 2011-11-30 16:41 =

== Software installation for Tasaio ==

# version control software - needed for a lot of bitbucket projects
sudo apt-get install mercurial

# version control
# software - my personal choice and needed for anything on github (and
# needed for a project I'd like to build for my space in the membernet)
sudo apt-get install git-core

# standard python PIL library
# - Ubuntu should just include this by default already.
sudo apt-get install python-imaging

# tools to build python
# packages and install things from pypi
sudo apt-get install python-setuptools

# pip is a better version
# of easy_install, virtualenv allows for painless isolated python
# installations
sudo easy_install pip virtualenv
 
 
 
  jj5@honesty:~$ install-for-justin
 
  [sudo] password for jj5:
 
  Reading package lists... Done
 
  Building dependency tree
 
  Reading state information... Done
 
  The following extra packages will be installed:
 
    mercurial-common
 
  Suggested packages:
 
    qct wish kdiff3 tkdiff meld xxdiff python-mysqldb python-pygments
 
    python-openssl
 
  The following NEW packages will be installed:
 
    mercurial mercurial-common
 
  0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
 
  Need to get 1185kB of archives.
 
  After this operation, 4973kB of additional disk space will be used.
 
  Do you want to continue [Y/n]?
 
  Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe mercurial-common 1.4.3-1 [1131kB]
 
  Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe mercurial 1.4.3-1 [53.5kB]
 
  Fetched 1185kB in 1s (838kB/s)
 
  Committing to: /etc/
 
  added apache2/mods-enabled/rewrite.load
 
  Committed revision 35.
 
  Selecting previously deselected package mercurial-common.
 
  (Reading database ... 20444 files and directories currently installed.)
 
  Unpacking mercurial-common (from .../mercurial-common_1.4.3-1_all.deb) ...
 
  Selecting previously deselected package mercurial.
 
  Unpacking mercurial (from .../mercurial_1.4.3-1_amd64.deb) ...
 
  Processing triggers for man-db ...
 
  Setting up mercurial-common (1.4.3-1) ...
 
 
  Setting up mercurial (1.4.3-1) ...
 
 
  Creating config file /etc/mercurial/hgrc.d/hgext.rc with new version
 
 
  Processing triggers for python-support ...
 
  Committing to: /etc/
 
  added mercurial
 
  added bash_completion.d/mercurial
 
  added mercurial/hgrc
 
  added mercurial/hgrc.d
 
  added mercurial/hgrc.d/hgext.rc
 
  added mercurial/hgrc.d/mergetools.rc
 
  Committed revision 36.
 
  Reading package lists... Done
 
  Building dependency tree
 
  Reading state information... Done
 
  The following extra packages will be installed:
 
    libdigest-sha1-perl liberror-perl
 
  Suggested packages:
 
    git-doc git-arch git-cvs git-svn git-email git-daemon-run git-gui gitk
 
    gitweb
 
  The following NEW packages will be installed:
 
    git-core libdigest-sha1-perl liberror-perl
 
  0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
 
  Need to get 6193kB of archives.
 
  After this operation, 12.9MB of additional disk space will be used.
 
  Do you want to continue [Y/n]?
 
  Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main liberror-perl 0.17-1 [23.8kB]
 
  Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libdigest-sha1-perl 2.12-1build1 [26.7kB]
 
  Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main git-core 1:1.7.0.4-1ubuntu0.2 [6143kB]
 
  Fetched 6193kB in 4s (1251kB/s)
 
  Selecting previously deselected package liberror-perl.
 
  (Reading database ... 20834 files and directories currently installed.)
 
  Unpacking liberror-perl (from .../liberror-perl_0.17-1_all.deb) ...
 
  Selecting previously deselected package libdigest-sha1-perl.
 
  Unpacking libdigest-sha1-perl (from .../libdigest-sha1-perl_2.12-1build1_amd64.deb) ...
 
  Selecting previously deselected package git-core.
 
  Unpacking git-core (from .../git-core_1%3a1.7.0.4-1ubuntu0.2_amd64.deb) ...
 
  Processing triggers for man-db ...
 
  Setting up liberror-perl (0.17-1) ...
 
  Setting up libdigest-sha1-perl (2.12-1build1) ...
 
  Setting up git-core (1:1.7.0.4-1ubuntu0.2) ...
 
  Committing to: /etc/
 
  added bash_completion.d/git
 
  added emacs/site-start.d/50git-core.el
 
  Committed revision 37.
 
  Reading package lists... Done
 
  Building dependency tree
 
  Reading state information... Done
 
  The following extra packages will be installed:
 
    libfreetype6 libjpeg62 liblcms1
 
  Suggested packages:
 
    liblcms-utils python-imaging-doc python-imaging-dbg
 
  The following NEW packages will be installed:
 
    libfreetype6 libjpeg62 liblcms1 python-imaging
 
  0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
 
  Need to get 963kB of archives.
 
  After this operation, 2544kB of additional disk space will be used.
 
  Do you want to continue [Y/n]?
 
  Err http://archive.ubuntu.com/ubuntu/ lucid-updates/main libfreetype6 2.3.11-1ubuntu2.4
 
    404  Not Found [IP: 91.189.88.45 80]
 
  Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libjpeg62 6b-15ubuntu1 [94.5kB]
 
  Err http://security.ubuntu.com/ubuntu/ lucid-security/main libfreetype6 2.3.11-1ubuntu2.4
 
    404  Not Found [IP: 91.189.92.166 80]
 
  Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main liblcms1 1.18.dfsg-1ubuntu2.10.04.1 [111kB]
 
  Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main python-imaging 1.1.7-1ubuntu0.1 [323kB]
 
  Fetched 528kB in 1s (471kB/s)
 
  Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.11-1ubuntu2.4_amd64.deb  404  Not Found [IP: 91.189.92.166 80]
 
  E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
 
  Reading package lists... Done
 
  Building dependency tree
 
  Reading state information... Done
 
  The following extra packages will be installed:
 
    python-pkg-resources
 
  Suggested packages:
 
    python-distribute python-distribute-doc
 
  The following NEW packages will be installed:
 
    python-pkg-resources python-setuptools
 
  0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
 
  Need to get 278kB of archives.
 
  After this operation, 1135kB of additional disk space will be used.
 
  Do you want to continue [Y/n]?
 
  Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main python-pkg-resources 0.6.10-4ubuntu1 [65.0kB]
 
  Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main python-setuptools 0.6.10-4ubuntu1 [213kB]
 
  Fetched 278kB in 0s (308kB/s)
 
  Selecting previously deselected package python-pkg-resources.
 
  (Reading database ... 21358 files and directories currently installed.)
 
  Unpacking python-pkg-resources (from .../python-pkg-resources_0.6.10-4ubuntu1_all.deb) ...
 
  Selecting previously deselected package python-setuptools.
 
  Unpacking python-setuptools (from .../python-setuptools_0.6.10-4ubuntu1_all.deb) ...
 
  Setting up python-pkg-resources (0.6.10-4ubuntu1) ...
 
 
  Processing triggers for python-central ...
 
  Setting up python-setuptools (0.6.10-4ubuntu1) ...
 
 
  Processing triggers for python-central ...
 
  Searching for pip
 
  Reading http://pypi.python.org/simple/pip/
 
  Reading http://pip.openplans.org
 
  Reading http://www.pip-installer.org
 
  Best match: pip 1.0.2
 
  Downloading http://pypi.python.org/packages/source/p/pip/pip-1.0.2.tar.gz#md5=47ec6ff3f6d962696fe08d4c8264ad49
 
  Processing pip-1.0.2.tar.gz
 
  Running pip-1.0.2/setup.py -q bdist_egg --dist-dir /tmp/easy_install-45O4m6/pip-1.0.2/egg-dist-tmp-5MDsF_
 
  warning: no files found matching '*.html' under directory 'docs'
 
  warning: no previously-included files matching '*.txt' found under directory 'docs/_build'
 
  no previously-included directories found matching 'docs/_build/_sources'
 
  Adding pip 1.0.2 to easy-install.pth file
 
  Installing pip script to /usr/local/bin
 
  Installing pip-2.6 script to /usr/local/bin
 
 
  Installed /usr/local/lib/python2.6/dist-packages/pip-1.0.2-py2.6.egg
 
  Processing dependencies for pip
 
  Finished processing dependencies for pip
 
  Searching for virtualenv
 
  Reading http://pypi.python.org/simple/virtualenv/
 
  Reading http://virtualenv.openplans.org
 
  Reading http://www.virtualenv.org
 
  Best match: virtualenv 1.6.4
 
  Downloading http://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.6.4.tar.gz#md5=1072b66d53c24e019a8f1304ac9d9fc5
 
  Processing virtualenv-1.6.4.tar.gz
 
  Running virtualenv-1.6.4/setup.py -q bdist_egg --dist-dir /tmp/easy_install-X543tR/virtualenv-1.6.4/egg-dist-tmp-Ohjo5k
 
  warning: no previously-included files matching '*.*' found under directory 'docs/_templates'
 
  Adding virtualenv 1.6.4 to easy-install.pth file
 
  Installing virtualenv script to /usr/local/bin
 
 
  Installed /usr/local/lib/python2.6/dist-packages/virtualenv-1.6.4-py2.6.egg
 
  Processing dependencies for virtualenv
 
  Finished processing dependencies for virtualenv
 
 
 
= [[User:John|John]] 2011-11-30 15:54 =
 
 
 
== Web-site goes HTTPS ==
 
 
 
Found [http://www.cyberciti.biz/tips/howto-apache-force-https-secure-connections.html this article], which suggested adding the following to /etc/apache2/sites-enabled/www.progclub.net:
 
 
 
RewriteEngine On
 
RewriteCond %{HTTPS} off
 
RewriteRule (.*) https://www.progclub.net%{REQUEST_URI}
 
 
 
This has two benefits. One is that all web requests will be redirected to the secure site, and the second is that all HTTP requests will be redirected to the canonical domain.
 
 
 
Also had to run:
 
 
 
# a2enmod rewrite
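An added check, not from the page: the rule above relies on mod_rewrite's default external redirect, which is a temporary 302; writing it as <code>RewriteRule (.*) https://www.progclub.net%{REQUEST_URI} [R=301,L]</code> makes the redirect permanent and stops further rule processing, and a Strict-Transport-Security header served from the HTTPS virtual host lets browsers skip the plain-HTTP hop on later visits. The script below validates captured response headers against both expectations. In production the header text would come from <code>curl -sI http://www.progclub.net/some/path</code>; here two constructed responses are embedded so it runs offline. The CANONICAL value, the function names and the sample responses are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the ProgClub page: check the response a client gets
# for a plain-HTTP request, so the RewriteRule can be verified rather than
# assumed. CANONICAL and the function names are assumptions for this example.

CANONICAL="https://www.progclub.net"

# redirect_ok HEADERS REQUEST_URI
# 0 when the status is 301 and Location equals CANONICAL + REQUEST_URI
# (path and query string preserved); 1 otherwise.
redirect_ok() {
  status=$(printf '%s\n' "$1" | tr -d '\r' \
    | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  location=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p')
  [ "$status" = "301" ] || return 1
  [ "$location" = "${CANONICAL}$2" ] || return 1
  return 0
}

# hsts_ok HEADERS
# 0 when the HTTPS response carries Strict-Transport-Security with a
# max-age of at least one year (31536000 s); 1 otherwise.
hsts_ok() {
  max_age=$(printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:.*max-age=\([0-9]*\).*/\1/p')
  [ -n "$max_age" ] || return 1
  [ "$max_age" -ge 31536000 ] || return 1
  return 0
}

# Constructed sample: what the rule should produce for GET /foo?bar=1 over HTTP.
GOOD_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://www.progclub.net/foo?bar=1
Content-Length: 0'

# Constructed sample: a temporary redirect that also drops the query string.
WEAK_REDIRECT='HTTP/1.1 302 Found
Location: https://www.progclub.net/foo'

# Constructed sample: the HTTPS site answering with an HSTS header.
GOOD_TLS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

redirect_ok "$GOOD_REDIRECT" "/foo?bar=1" && echo "good redirect: accepted"
redirect_ok "$WEAK_REDIRECT" "/foo?bar=1" || echo "weak redirect: rejected (302, query lost)"
hsts_ok "$GOOD_TLS" && echo "HSTS: present for at least one year"
```

The query-string check matters because mod_rewrite appends the original query string automatically only while the substitution contains no <code>?</code>; a later edit that adds one silently breaks deep links.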
 
 
 
= [[User:John|John]] 2011-11-27 13:43 =
 
 
 
== Fixing NFSv4 (nfs4) IDMAP issue ==
 
 
 
See [[Charity_admin#John_2011-11-27_13:37|charity admin]].
 
 
 
= [[User:John|John]] 2011-09-08 22:21 =
 
 
 
== Enabling PHP in UserDir ==
 
 
 
Found [http://devplant.net/2010/05/04/linux-php-not-working-in-userdir-public_html/ this article], which explained how to enable PHP in user directories. Basically, edit /etc/apache2/mods-enabled/php5.conf and remove these lines:
 
 
 
<IfModule mod_userdir.c>
 
    <Directory /home/*/public_html>
 
        php_admin_value engine Off
 
    </Directory>
 
</IfModule>
 
 
 
= [[User:John|John]] 2011-09-08 22:21 =
 
 
 
== Installing lsof ==
 
 
 
jj5@honesty:~/pcad/example/linuxhowtos$ sudo apt-get install lsof
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following NEW packages will be installed:
 
  lsof
 
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 284kB of archives.
 
After this operation, 463kB of additional disk space will be used.
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main lsof 4.81.dfsg.1-1build1 [284kB]
 
Fetched 284kB in 0s (286kB/s)
 
Selecting previously deselected package lsof.
 
(Reading database ... 20366 files and directories currently installed.)
 
Unpacking lsof (from .../lsof_4.81.dfsg.1-1build1_amd64.deb) ...
 
Processing triggers for man-db ...
 
Setting up lsof (4.81.dfsg.1-1build1) ...
 
 
 
= [[User:John|John]] 2011-09-08 22:07 =
 
 
 
== Installing telnet ==
 
 
 
jj5@honesty:~/pcad/example/linuxhowtos$ sudo apt-get install telnet
 
[sudo] password for jj5:
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following NEW packages will be installed:
 
  telnet
 
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 72.2kB of archives.
 
After this operation, 209kB of additional disk space will be used.
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main telnet 0.17-36build1 [72.2kB]
 
Fetched 72.2kB in 0s (119kB/s)
 
Selecting previously deselected package telnet.
 
(Reading database ... 20355 files and directories currently installed.)
 
Unpacking telnet (from .../telnet_0.17-36build1_amd64.deb) ...
 
Processing triggers for man-db ...
 
Setting up telnet (0.17-36build1) ...
 
update-alternatives: using /usr/bin/telnet.netkit to provide /usr/bin/telnet (telnet) in auto mode.
 
 
Committing to: /etc/
 
added alternatives/telnet
 
added alternatives/telnet.1.gz
 
Committed revision 27.
 
 
 
 
 
= [[User:John|John]] 2011-09-08 21:44 =
 
 
 
== Installing gcc ==
 
 
 
root@honesty:~/pcad# apt-get install gcc
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  binutils gcc-4.4 libc-dev-bin libc6-dev libgomp1 linux-libc-dev manpages-dev
 
Suggested packages:
 
  binutils-doc gcc-multilib autoconf automake1.9 libtool flex bison gdb
 
  gcc-doc gcc-4.4-multilib libmudflap0-4.4-dev gcc-4.4-doc gcc-4.4-locales
 
  libgcc1-dbg libgomp1-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7
 
  glibc-doc
 
The following NEW packages will be installed:
 
  binutils gcc gcc-4.4 libc-dev-bin libc6-dev libgomp1 linux-libc-dev
 
  manpages-dev
 
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 9883kB of archives.
 
After this operation, 35.3MB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main binutils 2.20.1-3ubuntu7.1 [1658kB]
 
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libgomp1 4.4.3-4ubuntu5 [25.5kB]
 
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main gcc-4.4 4.4.3-4ubuntu5 [2877kB]
 
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main gcc 4:4.4.3-1ubuntu1 [5064B]
 
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libc-dev-bin 2.11.1-0ubuntu7.8 [224kB]
 
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main linux-libc-dev 2.6.32-33.72 [841kB]
 
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libc6-dev 2.11.1-0ubuntu7.8 [2706kB]
 
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/main manpages-dev 3.23-1 [1547kB]
 
Fetched 9883kB in 5s (1875kB/s)
 
Selecting previously deselected package binutils.
 
(Reading database ... 17233 files and directories currently installed.)
 
Unpacking binutils (from .../binutils_2.20.1-3ubuntu7.1_amd64.deb) ...
 
Selecting previously deselected package libgomp1.
 
Unpacking libgomp1 (from .../libgomp1_4.4.3-4ubuntu5_amd64.deb) ...
 
Selecting previously deselected package gcc-4.4.
 
Unpacking gcc-4.4 (from .../gcc-4.4_4.4.3-4ubuntu5_amd64.deb) ...
 
Selecting previously deselected package gcc.
 
Unpacking gcc (from .../gcc_4%3a4.4.3-1ubuntu1_amd64.deb) ...
 
Selecting previously deselected package libc-dev-bin.
 
Unpacking libc-dev-bin (from .../libc-dev-bin_2.11.1-0ubuntu7.8_amd64.deb) ...
 
Selecting previously deselected package linux-libc-dev.
 
Unpacking linux-libc-dev (from .../linux-libc-dev_2.6.32-33.72_amd64.deb) ...
 
Selecting previously deselected package libc6-dev.
 
Unpacking libc6-dev (from .../libc6-dev_2.11.1-0ubuntu7.8_amd64.deb) ...
 
Selecting previously deselected package manpages-dev.
 
Unpacking manpages-dev (from .../manpages-dev_3.23-1_all.deb) ...
 
Processing triggers for man-db ...
 
Setting up binutils (2.20.1-3ubuntu7.1) ...
 
 
Setting up libgomp1 (4.4.3-4ubuntu5) ...
 
 
Setting up gcc-4.4 (4.4.3-4ubuntu5) ...
 
Setting up gcc (4:4.4.3-1ubuntu1) ...
 
 
Setting up libc-dev-bin (2.11.1-0ubuntu7.8) ...
 
Setting up linux-libc-dev (2.6.32-33.72) ...
 
Setting up libc6-dev (2.11.1-0ubuntu7.8) ...
 
Setting up manpages-dev (3.23-1) ...
 
Processing triggers for libc-bin ...
 
ldconfig deferred processing now taking place
 
Committing to: /etc/
 
added alternatives/c89
 
added alternatives/c89.1.gz
 
added alternatives/c99
 
added alternatives/c99.1.gz
 
added alternatives/cc
 
added alternatives/cc.1.gz
 
Committed revision 26.
 
 
 
= [[User:John|John]] 2011-09-03 00:24 =
 
 
 
== Kerberizing Apache ==
 
 
 
root@honesty:/home/apache/www/www.progclub.net/pcma# kadmin -p jj5
 
Authenticating as principal jj5 with password.
 
Password for jj5@PROGCLUB.ORG:
 
kadmin:  addprinc -randkey HTTP/honesty.progclub.org
 
WARNING: no policy specified for HTTP/honesty.progclub.org@PROGCLUB.ORG; defaulting to no policy
 
Principal "HTTP/honesty.progclub.org@PROGCLUB.ORG" created.
 
kadmin:  delprinc HTTP/honesty.progclub.org
 
Are you sure you want to delete the principal "HTTP/honesty.progclub.org@PROGCLUB.ORG"? (yes/no): yes
 
Principal "HTTP/honesty.progclub.org@PROGCLUB.ORG" deleted.
 
Make sure that you have removed this principal from all ACLs before reusing.
 
kadmin:  addprinc -randkey HTTP/honesty.progclub.net
 
WARNING: no policy specified for HTTP/honesty.progclub.net@PROGCLUB.ORG; defaulting to no policy
 
Principal "HTTP/honesty.progclub.net@PROGCLUB.ORG" created.
 
kadmin:  ktadd -k /etc/apache2/apache2.keytab HTTP/honesty.progclub.net
 
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/apache2/apache2.keytab.
 
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/apache2/apache2.keytab.
 
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/apache2/apache2.keytab.
 
Entry for principal HTTP/honesty.progclub.net with kvno 2, encryption type DES cbc mode with CRC-32  added to keytab WRFILE:/etc/apache2/apache2.keytab.
 
kadmin:  quit
 
 
 
root@honesty:/home/apache/www/www.progclub.net/pcma# chown www-data:www-data /etc/apache/apache2.keytab
 
root@honesty:/home/apache/www/www.progclub.net/pcma# chmod 400 /etc/apache2/apache2.keytab
 
root@honesty:/home/apache/www/www.progclub.net/pcma# apt-get install libapache2-mod-auth-kerb
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following NEW packages will be installed:
 
  libapache2-mod-auth-kerb
 
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 20.3kB of archives.
 
After this operation, 119kB of additional disk space will be used.
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libapache2-mod-auth-kerb 5.3-5build2 [20.3kB]
 
Fetched 20.3kB in 0s (32.7kB/s)
 
Committing to: /etc/
 
modified .etckeeper
 
added apache2/apache2.keytab
 
Committed revision 23.
 
Selecting previously deselected package libapache2-mod-auth-kerb.
 
(Reading database ... 17197 files and directories currently installed.)
 
Unpacking libapache2-mod-auth-kerb (from .../libapache2-mod-auth-kerb_5.3-5build2_amd64.deb) ...
 
Setting up libapache2-mod-auth-kerb (5.3-5build2) ...
 
Enabling module auth_kerb.
 
Run '/etc/init.d/apache2 restart' to activate new configuration!
 
 
Committing to: /etc/
 
added apache2/mods-available/auth_kerb.load
 
added apache2/mods-enabled/auth_kerb.load
 
Committed revision 24.
 
root@honesty:/home/apache/www/www.progclub.net/pcma#
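An added check after the keytab step, not from the page. Two things in the log above deserve a second look: the chown is aimed at /etc/apache/apache2.keytab rather than /etc/apache2/apache2.keytab, so unless it was re-run with the right path the keytab written by ktadd stays owned by root and, after the chmod 400, is unreadable by the www-data workers that mod_auth_kerb runs in; and etckeeper committed the keytab into the /etc repository (revision 23), so that repository now holds a credential and needs the same protection as the file. Separately, ktadd wrote DES, 3DES and RC4 (ArcFour) keys alongside the AES key because of the KDC's default key/salt list; DES is deprecated by RFC 6649 and 3DES and RC4 by RFC 8429, and the list can be narrowed with <code>ktadd -e</code> or the KDC's supported_enctypes. The script below checks the file ownership and mode and flags weak key types in <code>klist -kte</code> output; the function names and the constructed klist output are assumptions.

```shell
#!/bin/sh
# Added example, not from the ProgClub page: two checks to run after creating
# an Apache keytab with kadmin.
#   keytab_perms_ok  - the file must be owned by the Apache user, mode 0400/0600
#   weak_enctypes    - list keytab entries that use DES, 3DES or RC4 keys
# Function names and the sample klist output are assumptions for this example.

# keytab_perms_ok PATH OWNER
# 0 when PATH is a regular file owned by OWNER with mode 400 or 600.
# Uses GNU stat(1), as shipped on Ubuntu.
keytab_perms_ok() {
  kt="$1"
  owner="$2"
  [ -f "$kt" ] || return 1
  set -- $(stat -c '%a %U' "$kt")   # e.g. "400 www-data"
  [ "$2" = "$owner" ] || return 1
  case "$1" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# weak_enctypes KLIST_OUTPUT
# Prints the lines of `klist -kte` whose key type is deprecated
# (DES: RFC 6649; 3DES and RC4/ArcFour: RFC 8429). Always exits 0.
weak_enctypes() {
  printf '%s\n' "$1" | grep -iE '\((des-cbc|des3|arcfour|rc4)[^)]*\)' || true
}

# Constructed sample of `klist -kte /etc/apache2/apache2.keytab`, mirroring
# the four key types that ktadd wrote in the log.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/apache2.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/03/2011 00:24:00 HTTP/honesty.progclub.net@PROGCLUB.ORG (aes256-cts-hmac-sha1-96)
   2 09/03/2011 00:24:00 HTTP/honesty.progclub.net@PROGCLUB.ORG (arcfour-hmac)
   2 09/03/2011 00:24:00 HTTP/honesty.progclub.net@PROGCLUB.ORG (des3-cbc-sha1)
   2 09/03/2011 00:24:00 HTTP/honesty.progclub.net@PROGCLUB.ORG (des-cbc-crc)'

# Demonstration on a scratch file so the script runs without Kerberos installed.
demo() {
  tmp=$(mktemp)
  me=$(id -un)
  chmod 400 "$tmp"
  keytab_perms_ok "$tmp" "$me" && echo "$tmp: permissions ok"
  chmod 644 "$tmp"
  keytab_perms_ok "$tmp" "$me" || echo "$tmp: readable by others, fix with chmod 400"
  rm -f "$tmp"
  echo "Weak keys in keytab:"
  weak_enctypes "$SAMPLE_KLIST"
}
demo
```

On the real host the call would be <code>keytab_perms_ok /etc/apache2/apache2.keytab www-data</code> followed by <code>weak_enctypes "$(klist -kte /etc/apache2/apache2.keytab)"</code>; any line the second call prints is a key an attacker who captured a ticket could attack offline far more cheaply than the AES key.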
 
 
 
= [[User:John|John]] 2011-08-19 14:43 =
 
 
 
== Installing fail2ban ==
 
 
 
jj5@honesty:~$ sudo -s
 
[sudo] password for jj5:
 
root@honesty:~# apt-get install fail2ban
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  whois
 
Suggested packages:
 
  python-gamin mailx
 
The following NEW packages will be installed:
 
  fail2ban whois
 
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 129kB of archives.
 
After this operation, 1032kB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
 
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
 
Fetched 129kB in 1s (128kB/s)
 
Selecting previously deselected package fail2ban.
 
(Reading database ... 16972 files and directories currently installed.)
 
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
 
Selecting previously deselected package whois.
 
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
 
Processing triggers for man-db ...
 
Processing triggers for ureadahead ...
 
Setting up fail2ban (0.8.4-1ubuntu1) ...
 
 
Setting up whois (5.0.0ubuntu3) ...
 
Processing triggers for python-central ...
 
Committing to: /etc/
 
added fail2ban
 
added default/fail2ban
 
added fail2ban/action.d
 
added fail2ban/fail2ban.conf
 
added fail2ban/filter.d
 
added fail2ban/jail.conf
 
added fail2ban/action.d/complain.conf
 
added fail2ban/action.d/dshield.conf
 
added fail2ban/action.d/hostsdeny.conf
 
added fail2ban/action.d/ipfilter.conf
 
added fail2ban/action.d/ipfw.conf
 
added fail2ban/action.d/iptables-allports.conf
 
added fail2ban/action.d/iptables-multiport-log.conf
 
added fail2ban/action.d/iptables-multiport.conf
 
added fail2ban/action.d/iptables-new.conf
 
added fail2ban/action.d/iptables.conf
 
added fail2ban/action.d/mail-buffered.conf
 
added fail2ban/action.d/mail-whois-lines.conf
 
added fail2ban/action.d/mail-whois.conf
 
added fail2ban/action.d/mail.conf
 
added fail2ban/action.d/mynetwatchman.conf
 
added fail2ban/action.d/sendmail-buffered.conf
 
added fail2ban/action.d/sendmail-whois-lines.conf
 
added fail2ban/action.d/sendmail-whois.conf
 
added fail2ban/action.d/sendmail.conf
 
added fail2ban/action.d/shorewall.conf
 
added fail2ban/filter.d/apache-auth.conf
 
added fail2ban/filter.d/apache-badbots.conf
 
added fail2ban/filter.d/apache-nohome.conf
 
added fail2ban/filter.d/apache-noscript.conf
 
added fail2ban/filter.d/apache-overflows.conf
 
added fail2ban/filter.d/common.conf
 
added fail2ban/filter.d/courierlogin.conf
 
added fail2ban/filter.d/couriersmtp.conf
 
added fail2ban/filter.d/cyrus-imap.conf
 
added fail2ban/filter.d/exim.conf
 
added fail2ban/filter.d/gssftpd.conf
 
added fail2ban/filter.d/lighttpd-fastcgi.conf
 
added fail2ban/filter.d/named-refused.conf
 
added fail2ban/filter.d/pam-generic.conf
 
added fail2ban/filter.d/php-url-fopen.conf
 
added fail2ban/filter.d/postfix.conf
 
added fail2ban/filter.d/proftpd.conf
 
added fail2ban/filter.d/pure-ftpd.conf
 
added fail2ban/filter.d/qmail.conf
 
added fail2ban/filter.d/sasl.conf
 
added fail2ban/filter.d/sieve.conf
 
added fail2ban/filter.d/sshd-ddos.conf
 
added fail2ban/filter.d/sshd.conf
 
added fail2ban/filter.d/vsftpd.conf
 
added fail2ban/filter.d/webmin-auth.conf
 
added fail2ban/filter.d/wuftpd.conf
 
added fail2ban/filter.d/xinetd-fail.conf
 
added init.d/fail2ban
 
added logrotate.d/fail2ban
 
added rc0.d/K99fail2ban
 
added rc1.d/K99fail2ban
 
added rc2.d/S99fail2ban
 
added rc3.d/S99fail2ban
 
added rc4.d/S99fail2ban
 
added rc5.d/S99fail2ban
 
added rc6.d/K99fail2ban
 
Committed revision 16.
 
 
 
 
 
= [[User:John|John]] 2011-08-15 05:08 =
 
 
 
== Installing Apache, MySQL and PHP ==
 
 
 
root@honesty:~# apt-get install apache2 mysql-server php5
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common
 
  libapache2-mod-php5 libapr1 libaprutil1 libaprutil1-dbd-sqlite3
 
  libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1
 
  libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl
 
  mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server-5.1
 
  mysql-server-core-5.1 php5-common psmisc ssl-cert
 
Suggested packages:
 
  www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw php-pear
 
  dbishell libipc-sharedcache-perl tinyca mailx php5-suhosin
 
The following NEW packages will be installed:
 
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common
 
  libapache2-mod-php5 libapr1 libaprutil1 libaprutil1-dbd-sqlite3
 
  libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1
 
  libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl
 
  mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server
 
  mysql-server-5.1 mysql-server-core-5.1 php5 php5-common psmisc ssl-cert
 
0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 31.5MB of archives.
 
After this operation, 82.8MB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
 
 
 
 
= [[User:John|John]] 2011-08-15 04:06 =
 
 
 
== Configuring NFS client ==
 
 
 
root@honesty:/etc# apt-get install nfs-common
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 portmap
 
The following NEW packages will be installed:
 
  libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common portmap
 
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 421kB of archives.
 
After this operation, 1364kB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libevent-1.4-2 1.4.13-stable-1 [61.4kB]
 
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libgssglue1 0.1-4 [24.4kB]
 
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnfsidmap2 0.23-2 [32.1kB]
 
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main librpcsecgss3 0.19-2 [36.3kB]
 
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main portmap 6.0.0-1ubuntu2 [38.2kB]
 
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main nfs-common 1:1.2.0-4ubuntu4 [228kB]
 
Fetched 421kB in 1s (359kB/s)
 
Preconfiguring packages ...
 
Selecting previously deselected package libevent-1.4-2.
 
(Reading database ... 15759 files and directories currently installed.)
 
Unpacking libevent-1.4-2 (from .../libevent-1.4-2_1.4.13-stable-1_amd64.deb) ...
 
Selecting previously deselected package libgssglue1.
 
Unpacking libgssglue1 (from .../libgssglue1_0.1-4_amd64.deb) ...
 
Selecting previously deselected package libnfsidmap2.
 
Unpacking libnfsidmap2 (from .../libnfsidmap2_0.23-2_amd64.deb) ...
 
Selecting previously deselected package librpcsecgss3.
 
Unpacking librpcsecgss3 (from .../librpcsecgss3_0.19-2_amd64.deb) ...
 
Selecting previously deselected package portmap.
 
Unpacking portmap (from .../portmap_6.0.0-1ubuntu2_amd64.deb) ...
 
Selecting previously deselected package nfs-common.
 
Unpacking nfs-common (from .../nfs-common_1%3a1.2.0-4ubuntu4_amd64.deb) ...
 
Processing triggers for man-db ...
 
Processing triggers for ureadahead ...
 
Setting up libevent-1.4-2 (1.4.13-stable-1) ...
 
 
Setting up libgssglue1 (0.1-4) ...
 
 
Setting up libnfsidmap2 (0.23-2) ...
 
 
Setting up librpcsecgss3 (0.19-2) ...
 
 
Setting up portmap (6.0.0-1ubuntu2) ...
 
portmap start/running, process 7410
 
 
Setting up nfs-common (1:1.2.0-4ubuntu4) ...
 
 
Creating config file /etc/idmapd.conf with new version
 
 
Creating config file /etc/default/nfs-common with new version
 
Adding system user `statd' (UID 104) ...
 
Adding new user `statd' (UID 104) with group `nogroup' ...
 
Not creating home directory `/var/lib/nfs'.
 
statd start/running, process 7626
 
gssd stop/pre-start, process 7651
 
idmapd stop/pre-start, process 7679
 
 
Processing triggers for libc-bin ...
 
ldconfig deferred processing now taking place
 
Committing to: /etc/
 
added gssapi_mech.conf
 
added idmapd.conf
 
modified passwd
 
modified passwd-
 
modified shadow
 
modified shadow-
 
added default/nfs-common
 
added default/portmap
 
added init/gssd.conf
 
added init/idmapd.conf
 
added init/portmap.conf
 
added init/rpc_pipefs.conf
 
added init/statd.conf
 
added init.d/gssd
 
added init.d/idmapd
 
added init.d/portmap
 
added init.d/rpc_pipefs
 
added init.d/statd
 
Committed revision 12.
 
 
 
root@honesty:/etc# vim /etc/fstab
 
root@honesty:/etc# cat /etc/fstab
 
proc            /proc      proc    defaults    0 0
 
/dev/sda1      /          ext3    defaults,errors=remount-ro,noatime    0 1
 
/dev/sda2      none        swap    sw          0 0
 
172.19.1.45:/home /home    nfs4    rw,_netdev,auto 0 0
 
 
 
root@honesty:/etc# vim /etc/modules
 
root@honesty:/etc# cat /etc/modules
 
# /etc/modules: kernel modules to load at boot time.
 
#
 
# This file contains the names of kernel modules that should be loaded
 
# at boot time, one per line. Lines beginning with "#" are ignored.
 
nfs
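An added audit, not from the page: the nfs4 line in the fstab above carries no <code>sec=</code> option, so the mount negotiates <code>sec=sys</code> (AUTH_SYS), in which the server trusts whatever numeric UIDs the client presents. A host that already has a Kerberos client configured can request <code>sec=krb5</code>, <code>krb5i</code> or <code>krb5p</code> instead, which is what the gssd service installed above is for. The awk below lists every NFS entry in an fstab with the security flavour it will use; the function name and the constructed fstab (modelled on the one above) are assumptions.

```shell
#!/bin/sh
# Added example, not from the ProgClub page: report the RPC security flavour
# each NFS mount in an fstab will negotiate. With no sec= option the client
# uses sec=sys (AUTH_SYS). The function name and the sample fstab are
# assumptions for this example.

# nfs_sec_modes [FSTAB_PATH]
# Reads FSTAB_PATH (default: stdin) and prints one line per nfs/nfs4 entry:
#   <server:export> <mountpoint> <sec>
nfs_sec_modes() {
  awk '
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    $3 == "nfs" || $3 == "nfs4" {
      sec = "sys(default)"
      n = split($4, opts, ",")               # mount options are comma separated
      for (i = 1; i <= n; i++)
        if (opts[i] ~ /^sec=/) sec = substr(opts[i], 5)
      print $1, $2, sec
    }' "${1:-/dev/stdin}"
}

# Constructed sample modelled on the honesty fstab, plus one Kerberos-secured
# mount so both outcomes are shown.
SAMPLE_FSTAB='# constructed sample fstab
proc            /proc      proc    defaults    0 0
/dev/sda1       /          ext3    defaults,errors=remount-ro,noatime    0 1
/dev/sda2       none       swap    sw          0 0
172.19.1.45:/home /home    nfs4    rw,_netdev,auto 0 0
172.19.1.45:/srv  /mnt/srv nfs4    rw,_netdev,sec=krb5p 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | nfs_sec_modes
```

Run as <code>nfs_sec_modes /etc/fstab</code> on the host; every line ending in <code>sys(default)</code> is a mount whose access control rests entirely on the client being honest about UIDs, which is exactly the IDMAP mapping the 2011-11-27 entry above had to repair.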
 
 
 
 
 
 
 
= [[User:John|John]] 2011-08-15 03:45 =
 
 
 
== Configuring Kerberos client ==
 
 
 
jj5@honesty:~$ sudo -s
 
[sudo] password for jj5:
 
root@honesty:~# apt-get install krb5-user krb5-config libpam-krb5
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libgssrpc4 libisc60
 
  libisccc60 libisccfg60 libkadm5clnt-mit7 liblwres60
 
Suggested packages:
 
  geoip-bin krb5-doc
 
The following NEW packages will be installed:
 
  bind9-host geoip-database krb5-config krb5-user libbind9-60 libdns64
 
  libgeoip1 libgssrpc4 libisc60 libisccc60 libisccfg60 libkadm5clnt-mit7
 
  liblwres60 libpam-krb5
 
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 2235kB of archives.
 
After this operation, 5517kB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
 
 
Package configuration
 
 
 
 
┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
 
│ When users attempt to use Kerberos and specify a principal or user name  │
 
│ without specifying what administrative Kerberos realm that principal      │
 
│ belongs to, the system appends the default realm.  The default realm may  │
 
│ also be used as the realm of a Kerberos service running on the local      │
 
│ machine.  Often, the default realm is the uppercase version of the local  │
 
│ DNS domain.                                                              │
 
│                                                                          │
 
│ Default Kerberos version 5 realm:                                        │
 
│                                                                          │
 
│ PROGCLUB.ORG_____________________________________________________________ │
 
│                                                                          │
 
│                                  <Ok>                                    │
 
│                                                                          │
 
└───────────────────────────────────────────────────────────────────────────┘
 
 
 
Package configuration
 
 
 
 
 
 
  ┌────────────────┤ Configuring Kerberos Authentication ├─────────────────┐
 
  │ Enter the hostnames of Kerberos servers in the PROGCLUB.ORG Kerberos  │
 
  │ realm separated by spaces.                                            │
 
  │                                                                        │
 
  │ Kerberos servers for your realm:                                      │
 
  │                                                                        │
 
  │ kerberos.progclub.org_________________________________________________ │
 
  │                                                                        │
 
  │                                <Ok>                                  │
 
  │                                                                        │
 
  └────────────────────────────────────────────────────────────────────────┘
 
 
 
Package configuration
 
 
 
 
 
 
┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
 
│ Enter the hostname of the administrative (password changing) server for  │
 
│ the PROGCLUB.ORG Kerberos realm.                                          │
 
│                                                                          │
 
│ Administrative server for your Kerberos realm:                            │
 
│                                                                          │
 
│ kerberos.progclub.org____________________________________________________ │
 
│                                                                          │
 
│                                  <Ok>                                    │
 
│                                                                          │
 
└───────────────────────────────────────────────────────────────────────────┘
 
 
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
 
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libisc60 1:9.7.0.dfsg.P1-1 [169kB]
 
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libdns64 1:9.7.0.dfsg.P1-1 [690kB]
 
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libisccc60 1:9.7.0.dfsg.P1-1 [29.4kB]
 
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libisccfg60 1:9.7.0.dfsg.P1-1 [52.6kB]
 
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main libbind9-60 1:9.7.0.dfsg.P1-1 [34.1kB]
 
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main liblwres60 1:9.7.0.dfsg.P1-1 [47.9kB]
 
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/main bind9-host 1:9.7.0.dfsg.P1-1 [68.2kB]
 
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
 
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
 
Get:11 http://archive.ubuntu.com/ubuntu/ lucid/main libgssrpc4 1.8.1+dfsg-2 [81.4kB]
 
Get:12 http://archive.ubuntu.com/ubuntu/ lucid/main libkadm5clnt-mit7 1.8.1+dfsg-2 [62.0kB]
 
Get:13 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-user 1.8.1+dfsg-2 [137kB]
 
Get:14 http://archive.ubuntu.com/ubuntu/ lucid/main libpam-krb5 4.2-1 [73.8kB]
 
Fetched 2235kB in 1s (1280kB/s)
 
Preconfiguring packages ...
 
Selecting previously deselected package libgeoip1.
 
(Reading database ... 15582 files and directories currently installed.)
 
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
 
Selecting previously deselected package libisc60.
 
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package libdns64.
 
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package libisccc60.
 
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package libisccfg60.
 
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package libbind9-60.
 
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package liblwres60.
 
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package bind9-host.
 
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
 
Selecting previously deselected package geoip-database.
 
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
 
Selecting previously deselected package krb5-config.
 
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
 
Selecting previously deselected package libgssrpc4.
 
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2_amd64.deb) ...
 
Selecting previously deselected package libkadm5clnt-mit7.
 
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2_amd64.deb) ...
 
Selecting previously deselected package krb5-user.
 
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2_amd64.deb) ...
 
Selecting previously deselected package libpam-krb5.
 
Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ...
 
Processing triggers for man-db ...
 
Setting up libgeoip1 (1.4.6.dfsg-17) ...
 
 
Setting up libisc60 (1:9.7.0.dfsg.P1-1) ...
 
 
Setting up libdns64 (1:9.7.0.dfsg.P1-1) ...
 
 
Setting up libisccc60 (1:9.7.0.dfsg.P1-1) ...
 
 
Setting up libisccfg60 (1:9.7.0.dfsg.P1-1) ...
 
 
Setting up libbind9-60 (1:9.7.0.dfsg.P1-1) ...
 
 
Setting up liblwres60 (1:9.7.0.dfsg.P1-1) ...
 
 
Setting up bind9-host (1:9.7.0.dfsg.P1-1) ...
 
Setting up geoip-database (1.4.6.dfsg-17) ...
 
Setting up krb5-config (2.2) ...
 
 
Setting up libgssrpc4 (1.8.1+dfsg-2) ...
 
 
Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2) ...
 
 
Setting up krb5-user (1.8.1+dfsg-2) ...
 
Setting up libpam-krb5 (4.2-1) ...
 
 
Processing triggers for libc-bin ...
 
ldconfig deferred processing now taking place
 
Committing to: /etc/
 
added krb5.conf
 
modified pam.d/common-account
 
modified pam.d/common-auth
 
modified pam.d/common-password
 
modified pam.d/common-session
 
modified pam.d/common-session-noninteractive
 
Committed revision 8.
 
 
 
root@honesty:~# hostname -f
 
honesty
 
root@honesty:~# vim /etc/hosts
 
root@honesty:~# cat /etc/hosts
 
127.0.0.1    localhost localhost.localdomain
 
67.207.129.103    honesty.progclub.net honesty
 
root@honesty:~# hostname -f
 
honesty.progclub.net
 
 
 
root@honesty:~# kadmin -p jj5
 
Authenticating as principal jj5 with password.
 
Password for jj5@PROGCLUB.ORG:
 
kadmin:  addprinc -randkey host/honesty.progclub.net@PROGCLUB.ORG
 
WARNING: no policy specified for host/honesty.progclub.net@PROGCLUB.ORG; defaulting to no policy
 
Principal "host/honesty.progclub.net@PROGCLUB.ORG" created.
 
kadmin:  ktadd host/honesty.progclub.net@PROGCLUB.ORG
 
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
 
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
 
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
 
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
 
kadmin:  quit
 
 
 
root@honesty:~# cd /etc
 
root@honesty:/etc# ll kr*
 
-rw-r--r-- 1 root root 3504 Aug 14 17:49 krb5.conf
 
-rw------- 1 root root  326 Aug 14 17:53 krb5.keytab
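After the ktadd above two things are worth checking: that /etc/krb5.keytab stayed root-only (the ll kr* listing confirms mode 0600), and which encryption types were written into it, since kadmin added single-DES and ArcFour entries alongside the AES and 3DES ones, and a service ticket for this host can be issued with any key type present in the keytab. What follows is an added example, not part of this log; it parses text in the ktadd output format shown above (those four lines are embedded as constructed input so it runs without a KDC) and checks mode and ownership of a scratch file standing in for the keytab.

```shell
#!/bin/sh
# Added example, not part of the honesty admin log. Audits (1) the enctypes
# listed in kadmin "ktadd" output and (2) the permissions of a keytab file.

# Constructed input: the four "Entry for principal" lines from the ktadd run
# above, exactly as kadmin prints them.
KTADD_OUTPUT='Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/honesty.progclub.net@PROGCLUB.ORG with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.'

# weak_enctypes TEXT
# Prints one "weak: kvno=N <enctype>" line per keytab entry whose encryption
# type is single DES or ArcFour (RC4), the two families MIT Kerberos has
# deprecated. Returns 0 when none are present, 1 otherwise.
weak_enctypes() {
    printf '%s\n' "$1" |
    sed -n 's/.*kvno \([0-9]*\), encryption type \(.*\) added to keytab.*/kvno=\1 \2/p' |
    awk '
        tolower($0) ~ /arcfour|rc4/ { print "weak: " $0; bad = 1; next }
        tolower($0) ~ /(^| )des cbc/ && tolower($0) !~ /triple des/ { print "weak: " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# keytab_mode_ok FILE [OWNER]
# Returns 0 when FILE is owned by OWNER (default root) and has mode 0600,
# i.e. the "-rw-------" shown for /etc/krb5.keytab in the listing above.
keytab_mode_ok() {
    f=$1; want=${2:-root}
    [ -f "$f" ] || return 1
    # Word-split the ls -l line: $1 mode, $2 links, $3 owner, $4 group, ...
    set -- $(ls -l "$f")
    case "$1" in
        -rw-------*) [ "$3" = "$want" ] ;;   # trailing "." or "+" (SELinux/ACL) tolerated
        *) return 1 ;;
    esac
}

# Stand-alone demo over the constructed ktadd output.
weak_enctypes "$KTADD_OUTPUT" || echo "keytab contains deprecated enctypes"
```

The enctype check only sees what kadmin printed; on a live host the same text comes from `klist -kt /etc/krb5.keytab`, whose lines name the enctype in the same words, so the sed pattern would need only its prefix adjusted.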
 
 
 
root@honesty:/etc# apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  libpam-ldapd nscd nslcd
 
The following NEW packages will be installed:
 
  kstart libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd
 
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 531kB of archives.
 
After this operation, 1311kB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
 
 
Package configuration
 
 
 
  ┌─────────────────────────┤ Configuring NSLCD ├──────────────────────────┐
 
  │ Please enter the Uniform Resource Identifier of the LDAP server. The  │
 
  │ format is 'ldap://<hostname_or_IP_address>:<port>/'. Alternatively,    │
 
  │ 'ldaps://' or 'ldapi://' can be used. The port number is optional.    │
 
  │                                                                        │
 
  │ When using an ldap or ldaps scheme it is recommended to use an IP      │
 
  │ address to avoid failures when domain name services are unavailable.  │
 
  │                                                                        │
 
  │ Multiple URIs can be be specified by separating them with spaces.      │
 
  │                                                                        │
 
  │ LDAP server URI:                                                      │
 
  │                                                                        │
 
  │ ldaps://charity.progclub.org/_________________________________________ │
 
  │                                                                        │
 
  │                  <Ok>                      <Cancel>                  │
 
  │                                                                        │
 
  └────────────────────────────────────────────────────────────────────────┘
 
 
 
Package configuration
 
 
 
 
 
┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
 
│ Please enter the distinguished name of the LDAP search base. Many sites  │
 
│ use the components of their domain names for this purpose. For example,  │
 
│ the domain "example.net" would use "dc=example,dc=net" as the            │
 
│ distinguished name of the search base.                                    │
 
│                                                                          │
 
│ LDAP server search base:                                                  │
 
│                                                                          │
 
│ dc=progclub,dc=org_______________________________________________________ │
 
│                                                                          │
 
│                    <Ok>                        <Cancel>                  │
 
│                                                                          │
 
└───────────────────────────────────────────────────────────────────────────┘
 
 
 
Package configuration
 
 
 
┌───────────────────────────┤ Configuring NSLCD ├───────────────────────────┐
 
│                                                                          │
 
│ When an encrypted connection is used, a server certificate can be        │
 
│ requested and checked. Please choose whether lookups should be            │
 
│ configured to require a certificate, and whether certificates should be  │
 
│ checked for validity:                                                    │
 
│  * never: no certificate will be requested or checked;                    │
 
│  * allow: a certificate will be requested, but it is not                  │
 
│          required or checked;                                            │
 
│  * try: a certificate will be requested and checked, but if no            │
 
│        certificate is provided it is ignored;                            │
 
│  * demand: a certificate will be requested, required, and checked.        │
 
│ If certificate checking is enabled, at least one of the tls_cacertdir or  │
 
│ tls_cacertfile options must be put in /etc/nslcd.conf.                    │
 
│                                                                          │
 
│                                  <Ok>                                    │
 
│                                                                          │
 
└───────────────────────────────────────────────────────────────────────────┘
 
 
 
Package configuration
 
 
 
 
 
 
                      ┌──────┤ Configuring NSLCD ├───────┐
 
                      │ Check server's SSL certificate:  │
 
                      │                                  │
 
                      │              never              │
 
                      │            * allow              │
 
                      │              try                │
 
                      │              demand              │
 
                      │                                  │
 
                      │                                  │
 
                      │      <Ok>          <Cancel>      │
 
                      │                                  │
 
                      └──────────────────────────────────┘
 
 
 
Package configuration
 
 
┌───────────────────────┤ Configuring libnss-ldapd ├────────────────────────┐
 
│ For this package to work, you need to modify your /etc/nsswitch.conf to  │
 
│ use the ldap datasource.                                                  │
 
│                                                                          │
 
│ You can select the services that should have LDAP lookups enabled. The    │
 
│ new LDAP lookups will be added as the last datasource. Be sure to review  │
 
│ these changes.                                                            │
 
│                                                                          │
 
│ Name services to configure:                                              │
 
│                                                                          │
 
│    [*] aliases                                                            │
 
│    [*] ethers                                                            │
 
│    [*] group                                                              │
 
│    [*] hosts                                                              │
 
│    [*] netgroup                                                          │
 
│    [*] networks                                                          │
 
│    [*] passwd                                                            │
 
│    [*] protocols                                                          │
 
│    [*] rpc                                                                │
 
│    [*] services                                                          │
 
│    [*] shadow                                                            │
 
│                                                                          │
 
│                                                                          │
 
│                                  <Ok>                                    │
 
│                                                                          │
 
└───────────────────────────────────────────────────────────────────────────┘
 
 
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe kstart 3.16-3 [58.3kB]
 
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1 [73.1kB]
 
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe nscd 2.11.1-0ubuntu7 [211kB]
 
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe nslcd 0.7.2 [120kB]
 
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe libnss-ldapd 0.7.2 [41.8kB]
 
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-ldapd 0.7.2 [27.6kB]
 
Fetched 531kB in 1s (441kB/s)
 
Committing to: /etc/
 
modified .etckeeper
 
modified hosts
 
added krb5.keytab
 
Committed revision 9.
 
Preconfiguring packages ...
 
Selecting previously deselected package kstart.
 
(Reading database ... 15699 files and directories currently installed.)
 
Unpacking kstart (from .../kstart_3.16-3_amd64.deb) ...
 
Selecting previously deselected package libsasl2-modules-gssapi-mit.
 
Unpacking libsasl2-modules-gssapi-mit (from .../libsasl2-modules-gssapi-mit_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
 
Selecting previously deselected package nscd.
 
Unpacking nscd (from .../nscd_2.11.1-0ubuntu7_amd64.deb) ...
 
Selecting previously deselected package nslcd.
 
Unpacking nslcd (from .../archives/nslcd_0.7.2_amd64.deb) ...
 
Selecting previously deselected package libnss-ldapd.
 
Unpacking libnss-ldapd (from .../libnss-ldapd_0.7.2_amd64.deb) ...
 
Selecting previously deselected package libpam-ldapd.
 
Unpacking libpam-ldapd (from .../libpam-ldapd_0.7.2_amd64.deb) ...
 
Processing triggers for man-db ...
 
Processing triggers for ureadahead ...
 
Setting up kstart (3.16-3) ...
 
Setting up libsasl2-modules-gssapi-mit (2.1.23.dfsg1-5ubuntu1) ...
 
Setting up nscd (2.11.1-0ubuntu7) ...
 
  * Starting Name Service Cache Daemon nscd                              [ OK ]
 
 
Setting up nslcd (0.7.2) ...
 
Warning: The home dir /var/run/nslcd/ you specified can't be accessed: No such file or directory
 
Adding system user `nslcd' (UID 103) ...
 
Adding new group `nslcd' (GID 105) ...
 
Adding new user `nslcd' (UID 103) with group `nslcd' ...
 
Not creating home directory `/var/run/nslcd/'.
 
  * Starting LDAP connection daemon nslcd                                [ OK ]
 
 
Setting up libnss-ldapd (0.7.2) ...
 
/etc/nsswitch.conf: enable LDAP lookups for aliases
 
/etc/nsswitch.conf: enable LDAP lookups for ethers
 
/etc/nsswitch.conf: enable LDAP lookups for group
 
/etc/nsswitch.conf: enable LDAP lookups for hosts
 
/etc/nsswitch.conf: enable LDAP lookups for netgroup
 
/etc/nsswitch.conf: enable LDAP lookups for networks
 
/etc/nsswitch.conf: enable LDAP lookups for passwd
 
/etc/nsswitch.conf: enable LDAP lookups for protocols
 
/etc/nsswitch.conf: enable LDAP lookups for rpc
 
/etc/nsswitch.conf: enable LDAP lookups for services
 
/etc/nsswitch.conf: enable LDAP lookups for shadow
 
  * Restarting Name Service Cache Daemon nscd                            [ OK ]
 
 
Setting up libpam-ldapd (0.7.2) ...
 
 
Processing triggers for libc-bin ...
 
ldconfig deferred processing now taking place
 
Committing to: /etc/
 
modified .etckeeper
 
modified group
 
modified group-
 
modified gshadow
 
modified gshadow-
 
added nscd.conf
 
added nslcd.conf
 
modified nsswitch.conf
 
modified passwd
 
modified passwd-
 
modified shadow
 
modified shadow-
 
added init.d/nscd
 
added init.d/nslcd
 
modified pam.d/common-account
 
modified pam.d/common-auth
 
modified pam.d/common-password
 
modified pam.d/common-session
 
modified pam.d/common-session-noninteractive
 
added rc0.d/K20nscd
 
added rc0.d/K20nslcd
 
added rc1.d/K20nscd
 
added rc1.d/K20nslcd
 
added rc2.d/S20nscd
 
added rc2.d/S20nslcd
 
added rc3.d/S20nscd
 
added rc3.d/S20nslcd
 
added rc4.d/S20nscd
 
added rc4.d/S20nslcd
 
added rc5.d/S20nscd
 
added rc5.d/S20nslcd
 
added rc6.d/K20nscd
 
added rc6.d/K20nslcd
 
Committed revision 10.
 
 
 
root@honesty:/etc# cat /etc/nsswitch.conf
 
# /etc/nsswitch.conf
 
#
 
# Example configuration of GNU Name Service Switch functionality.
 
# If you have the `glibc-doc-reference' and `info' packages installed, try:
 
# `info libc "Name Service Switch"' for information about this file.
 
 
passwd:        compat ldap
 
group:          compat ldap
 
shadow:        compat ldap
 
 
hosts:          files dns ldap
 
networks:      files ldap
 
 
protocols:      db files ldap
 
services:      db files ldap
 
ethers:        db files ldap
 
rpc:            db files ldap
 
 
netgroup:      nis ldap
 
aliases:        ldap
 
 
 
root@honesty:/etc# cat /etc/nslcd.conf
 
# /etc/nslcd.conf
 
# nslcd configuration file. See nslcd.conf(5)
 
# for details.
 
 
# The user and group nslcd should run as.
 
uid nslcd
 
gid nslcd
 
 
# The location at which the LDAP server(s) should be reachable.
 
uri ldaps://charity.progclub.org/
 
 
# The search base that will be used for all queries.
 
base dc=progclub,dc=org
 
 
# The LDAP protocol version to use.
 
#ldap_version 3
 
 
# The DN to bind with for normal lookups.
 
#binddn cn=annonymous,dc=example,dc=net
 
#bindpw secret
 
 
# SSL options
 
#ssl off
 
tls_reqcert allow
 
 
# The search scope.
 
#scope sub
 
 
 
root@honesty:/etc# vim /etc/nslcd.conf
 
 
 
# JE: 2011-08-15: added sasl_mech
 
sasl_mech GSSAPI
 
 
 
root@honesty:/etc# pam-auth-update
 
 
 
Package configuration
 
 
┌───────────────────────────────────┤  ├────────────────────────────────────┐
 
│ Pluggable Authentication Modules (PAM) determine how authentication,      │
 
│ authorization, and password changing are handled on the system, as well  │
 
│ as allowing configuration of additional actions to take when starting    │
 
│ user sessions.                                                            │
 
│                                                                          │
 
│ Some PAM module packages provide profiles that can be used to            │
 
│ automatically adjust the behavior of all PAM-using applications on the    │
 
│ system.  Please indicate which of these behaviors you wish to enable.    │
 
│                                                                          │
 
│ PAM profiles to enable:                                                  │
 
│                                                                          │
 
│    [*] Kerberos authentication                                            │
 
│    [*] Unix authentication                                                │
 
│    [ ] LDAP Authentication                                                │
 
│                                                                          │
 
│                                                                          │
 
│                    <Ok>                        <Cancel>                  │
 
│                                                                          │
 
└───────────────────────────────────────────────────────────────────────────┘
 
 
 
root@honesty:/etc# vim /etc/pam.d/common-password
 
root@honesty:/etc# cat /etc/pam.d/common-password
 
#
 
# /etc/pam.d/common-password - password-related modules common to all services
 
#
 
# This file is included from other service-specific PAM config files,
 
# and should contain a list of modules that define the services to be
 
# used to change user passwords.  The default is pam_unix.
 
 
# Explanation of pam_unix options:
 
#
 
# The "sha512" option enables salted SHA512 passwords.  Without this option,
 
# the default is Unix crypt.  Prior releases used the option "md5".
 
#
 
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
 
# login.defs.
 
#
 
# See the pam_unix manpage for other options.
 
 
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
 
# To take advantage of this, it is recommended that you configure any
 
# local modules either before or after the default block, and use
 
# pam-auth-update to manage selection of other modules.  See
 
# pam-auth-update(8) for details.
 
 
# here are the per-package modules (the "Primary" block)
 
#password      requisite                      pam_krb5.so minimum_uid=1000
 
#password      [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
 
# here's the fallback if no module succeeds
 
#password      requisite                      pam_deny.so
 
# prime the stack with a positive return value if there isn't one already;
 
# this avoids us returning an error just because nothing sets a success code
 
# since the modules above will each just jump around
 
#password      required                        pam_permit.so
 
# and here are more per-package modules (the "Additional" block)
 
# end of pam-auth-update config
 
 
password  sufficient  pam_krb5.so minimum_uid=1000
 
password  required    pam_unix.so obscure try_first_pass sha512
 
 
 
root@honesty:/etc# service nslcd restart
 
  * Restarting LDAP connection daemon nslcd
 
  nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
 
                                                                        [ OK ]
 
 
 
root@honesty:/etc# etckeeper commit "Configured Kerberos client"
 
Committing to: /etc/
 
modified nslcd.conf
 
modified pam.d/common-account
 
modified pam.d/common-auth
 
modified pam.d/common-password
 
modified pam.d/common-session
 
modified pam.d/common-session-noninteractive
 
Committed revision 11.
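The nslcd.conf generated by debconf above sends the passwd, shadow and group lookups over ldaps:// but keeps tls_reqcert allow, so nslcd encrypts the connection without verifying who it is talking to; the account data NSS returns (uid, gid, group membership, shell) is then only as trustworthy as the network path to charity. As an added example, not from this log or from the nss-pam-ldapd project, the script below reads an nslcd.conf and reports that combination; the hardened sample in write_hardened_conf assumes /etc/ssl/certs/ca-certificates.crt as the CA bundle path.

```shell
#!/bin/sh
# Added example, not part of the honesty admin log or of nss-pam-ldapd.
# Audits an nslcd.conf for an encrypted-but-unauthenticated LDAP channel.

# check_nslcd_tls FILE
# Prints one line per finding. Returns 0 when TLS is on, the server
# certificate is demanded, and a CA file or directory is configured;
# returns 1 otherwise.
check_nslcd_tls() {
    file=$1
    rc=0
    # Uncommented lines that turn TLS on: an ldaps:// URI or start_tls.
    tls_lines=$(grep -cE '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(start_tls|on))' "$file" || true)
    # Effective value: the last uncommented directive wins, as in nslcd.
    reqcert=$(awk '$1 == "tls_reqcert" { v = $2 } END { print v }' "$file")
    cacert=$(awk '$1 == "tls_cacertfile" || $1 == "tls_cacertdir" { v = $1 } END { print v }' "$file")

    if [ "$tls_lines" -eq 0 ]; then
        echo "no ldaps:// or start_tls: directory lookups travel in cleartext"
        return 1
    fi
    case "$reqcert" in
        demand|hard) ;;
        *) echo "tls_reqcert is '${reqcert:-unset}': server certificate is not verified"
           rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "no tls_cacertfile or tls_cacertdir: nothing to validate the certificate against"
        rc=1
    fi
    return $rc
}

# Constructed sample: the directives from the nslcd.conf shown above.
write_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
#ssl off
tls_reqcert allow
sasl_mech GSSAPI
EOF
    echo "$f"
}

# The same config with certificate verification turned on. The CA bundle
# path is an assumption (where Debian/Ubuntu's ca-certificates puts it).
write_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://charity.progclub.org/
base dc=progclub,dc=org
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sasl_mech GSSAPI
EOF
    echo "$f"
}

# Stand-alone demo: audit the constructed copy of the config above.
weak=$(write_weak_conf)
check_nslcd_tls "$weak" || echo "nslcd.conf: LDAP channel is not authenticated"
rm -f "$weak"
```

Note that the check is about the NSS channel only: the PAM stack on this host authenticates against Kerberos, not LDAP, so a forged directory answer could not supply a password, but it could change a user's uid or group list.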
 
 
 
= [[User:John|John]] 2011-08-05 16:59 =
 
 
 
== Disabling IPSec ==
 
 
 
Can't get [[IPSec]] to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.
 
 
 
= [[User:John|John]] 2011-07-30 19:30 =
 
 
 
== Configuring IPSec ==
 
 
 
jj5@honesty:~$ sudo -s
 
[sudo] password for jj5:
 
root@honesty:~# cd /etc/network/if-pre-up.d/
 
root@honesty:/etc/network/if-pre-up.d# ll
 
total 12
 
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
 
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
 
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
 
root@honesty:/etc/network/if-pre-up.d# vim iptables
 
 
 
#!/bin/sh
 
/sbin/iptables-restore < /etc/iptables.up.rules
 
 
 
root@honesty:/etc/network/if-pre-up.d# chmod +x iptables
 
root@honesty:/etc/network/if-pre-up.d# cd ../if-up.d/
 
root@honesty:/etc/network/if-up.d# vim ip
 
 
 
#!/bin/sh
 
# Charity
 
ip route add 67.207.128.184 dev eth0 advmss 200
 
# Hope
 
ip route add 67.207.130.204 dev eth0 advmss 200
 
 
 
root@honesty:/etc/network/if-up.d# chmod +x ip
 
root@honesty:/etc/network/if-up.d# cd /etc/
 
root@honesty:/etc# vim iptables.up.rules
 
 
 
*filter
 
# Allow all loopback (lo0) traffic
 
-A INPUT -i lo -j ACCEPT
 
# Drop all traffic to 127/8 that does not use lo0
 
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
# Accept all established inbound connections
 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow all outbound traffic
 
-A OUTPUT -j ACCEPT
 
# Allow HTTP and HTTPS connections from anywhere
 
-A INPUT -p tcp --dport 80 -j ACCEPT
 
-A INPUT -p tcp --dport 443 -j ACCEPT
 
# Allow SSH connections
 
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
# Accept anything from charity
 
-A INPUT -s 67.207.128.184 -j ACCEPT
 
# Accept anything from hope
 
-A INPUT -s 67.207.130.204 -j ACCEPT
 
# Allow MySQL connections from John's house
 
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
 
# Allow MySQL connections from localhost
 
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
 
# Allow ping
 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
# log iptables denied calls
 
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
 
# Reject all other inbound - default deny unless explicitly allowed policy
 
-A INPUT -j REJECT
 
-A FORWARD -j REJECT
 
COMMIT
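The ruleset above has no ":INPUT DROP [0:0]" policy line, so its default deny rests entirely on the trailing "-A INPUT -j REJECT", and the LOG rule is rate-limited so a flood of rejected packets cannot fill syslog. Those are the properties worth re-checking every time the file is edited. The following lint script is an added example, not part of this log; it embeds an abridged copy of /etc/iptables.up.rules from above as constructed input and flags a missing loopback or anti-spoof rule, a missing default deny, an unlimited LOG rule, and rules placed after the final deny (which can never match).

```shell
#!/bin/sh
# Added example, not part of the honesty admin log. Lints an iptables-restore
# ruleset for the properties the file above relies on.

# Constructed sample: an abridged copy of /etc/iptables.up.rules from above.
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 67.207.128.184 -j ACCEPT
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
    echo "$f"
}

# check_iptables_rules FILE
# Prints one line per finding; returns 0 when the INPUT chain passes all checks.
check_iptables_rules() {
    file=$1
    rc=0
    # INPUT chain rules in file order (iptables-restore appends them in order).
    input=$(grep -e '^-A INPUT ' "$file" || true)

    # 1. Loopback traffic must be accepted.
    printf '%s\n' "$input" | grep -q -e '^-A INPUT -i lo -j ACCEPT$' ||
        { echo "missing: accept loopback"; rc=1; }

    # 2. Packets for 127/8 arriving on a non-loopback interface must be refused.
    printf '%s\n' "$input" | grep -qE -e '^-A INPUT ! -i lo -d 127\.0\.0\.0/8 -j (REJECT|DROP)$' ||
        { echo "missing: 127/8 anti-spoof rule"; rc=1; }

    # 3. Default deny: a ":INPUT DROP" policy, or a trailing chain-wide REJECT/DROP.
    last=$(printf '%s\n' "$input" | tail -n 1)
    if ! grep -q -e '^:INPUT DROP' "$file"; then
        case "$last" in
            "-A INPUT -j REJECT"|"-A INPUT -j DROP") ;;
            *) echo "INPUT has no default deny (last rule: $last)"; rc=1 ;;
        esac
    fi

    # 4. LOG rules must be rate limited, otherwise rejected traffic fills syslog.
    if printf '%s\n' "$input" | grep -e '-j LOG' | grep -v -e '-m limit' | grep -q .; then
        echo "LOG rule without -m limit"; rc=1
    fi

    # 5. Rules after the first chain-wide deny are unreachable.
    shadowed=$(printf '%s\n' "$input" |
        awk '/^-A INPUT -j (REJECT|DROP)$/ && !seen { seen = 1; next } seen { n++ } END { print n + 0 }')
    if [ "$shadowed" -gt 0 ]; then
        echo "$shadowed rule(s) after the final deny are unreachable"; rc=1
    fi
    return $rc
}

# Stand-alone demo over the constructed ruleset.
sample=$(write_sample_rules)
check_iptables_rules "$sample" && echo "ruleset: no findings"
rm -f "$sample"
```

Run it against the real file with `check_iptables_rules /etc/iptables.up.rules` before the next reboot; the unreachable-rule check is the one that catches the common mistake of appending a new ACCEPT line at the end of the file, below the REJECT.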
 
 
 
root@honesty:/etc# vim ipsec-tools.conf
 
 
 
#!/usr/sbin/setkey -f
 
## Flush the SAD and SPD
 
flush;
 
spdflush;
 
# Charity/Honesty configuration
 
# ESP SAs using 192 bit long keys (the 168 + 24 parity split applies to 3DES; with aes-cbc all 192 bits are key material)
 
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
# AH SAs using 160 bit long keys
 
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
# Security policies
 
spdadd 67.207.129.103 67.207.128.184 any -P out ipsec
 
        esp/transport//require
 
        ah/transport//require;
 
spdadd 67.207.128.184 67.207.129.103 any -P in ipsec
 
        esp/transport//require
 
        ah/transport//require;
 
# Hope/Honesty configuration
 
# ESP SAs using 192 bit long keys (the 168 + 24 parity split applies to 3DES; with aes-cbc all 192 bits are key material)
 
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
# AH SAs using 160 bit long keys
 
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
 
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
 
# Security policies
 
spdadd 67.207.129.103 67.207.130.204 any -P out ipsec
 
        esp/transport//require
 
        ah/transport//require;
 
spdadd 67.207.130.204 67.207.129.103 any -P in ipsec
 
        esp/transport//require
 
        ah/transport//require;
 
 
 
root@honesty:/etc# ll ipsec-tools.conf
 
-rwxr-xr-x 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
 
root@honesty:/etc# chmod 700 ipsec-tools.conf
 
root@honesty:/etc# ll ipsec-tools.conf
 
-rwx------ 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
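The SAs above are manually keyed, and every key shown is the repeated 0xdeadbeef filler, so whether real keys were substituted before the reboot cannot be seen from this log; with manual keying there is also no rekeying and no anti-replay window unless one is set, and the same key is used in both directions. An added example, not part of this log or of ipsec-tools: a check over a "setkey -f" file that flags keys of the wrong length for their algorithm, deprecated algorithms, repeated filler patterns and keys shared between SAs. The sample file is a constructed copy of the Charity/Honesty SAs above.

```shell
#!/bin/sh
# Added example, not part of the honesty admin log or of ipsec-tools.
# Checks the manually keyed SAs in a setkey(8) configuration file.

# Constructed sample: the Charity/Honesty SAs from /etc/ipsec-tools.conf above.
write_sample_setkey() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/usr/sbin/setkey -f
flush;
spdflush;
# ESP SAs using 192 bit long keys
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 67.207.129.103 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
EOF
    echo "$f"
}

# check_setkey_keys FILE
# For every "add SRC DST esp|ah SPI -E|-A ALG KEY;" statement, verify that the
# hex key has a size the algorithm accepts, that the algorithm is not a
# deprecated one, that the key is not a repeated filler pattern, and that no
# two SAs share a key. Prints one line per finding; returns 1 if any SA fails.
check_setkey_keys() {
    awk '
    BEGIN {
        RS = ";"                      # one setkey statement per record
        # Accepted key sizes in bits, per setkey(8).
        want["aes-cbc"]     = "128 192 256"
        want["3des-cbc"]    = "192"
        want["des-cbc"]     = "64"
        want["hmac-sha1"]   = "160"
        want["hmac-md5"]    = "128"
        want["hmac-sha256"] = "256"
        weak["des-cbc"] = 1; weak["hmac-md5"] = 1
    }
    {
        gsub(/#[^\n]*/, "")           # strip comments
        gsub(/[ \t\n]+/, " ")         # fold the statement onto one line
        if ($1 != "add" || NF < 8) next
        proto = $4; spi = $5; alg = $7; key = $8
        tag = "spi=" spi " " proto " " alg
        if (alg in weak) { print tag ": deprecated algorithm"; bad = 1 }
        if (key !~ /^0x[0-9a-fA-F]+$/) { print tag ": key is not hex, check by hand"; bad = 1; next }
        bits = (length(key) - 2) * 4
        ok = 0; n = split(want[alg], sizes, " ")
        for (i = 1; i <= n; i++) if (sizes[i] + 0 == bits) ok = 1
        if (!ok) { print tag ": " bits "-bit key is not a valid size for " alg; bad = 1 }
        # Filler detection: is the key just its first b hex digits repeated?
        k = substr(key, 3); L = length(k); filler = 0
        for (b = 1; b <= L / 2 && !filler; b++) {
            if (L % b) continue
            rep = ""
            while (length(rep) < L) rep = rep substr(k, 1, b)
            if (rep == k) filler = b
        }
        if (filler) { print tag ": key repeats its first " filler " hex digits, not random"; bad = 1 }
        if (key in seen) { print tag ": same key as spi=" seen[key]; bad = 1 } else seen[key] = spi
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Stand-alone demo over the constructed copy of the config above.
sample=$(write_sample_setkey)
check_setkey_keys "$sample" || echo "replace the placeholder keys before relying on these SAs"
rm -f "$sample"
```

Keys for a real deployment should come from a CSPRNG (for example `openssl rand -hex 24` for a 192-bit AES key) and differ per SA and per direction; the check above cannot tell a random key from a hand-typed one, only from an obviously patterned one.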
 
root@honesty:~# etckeeper commit "Configured IPSec"
 
Committing to: /etc/
 
modified .etckeeper
 
modified ipsec-tools.conf
 
added iptables.up.rules
 
added network/if-pre-up.d/iptables
 
added network/if-up.d/ip
 
Committed revision 5.
 
root@honesty:/etc# reboot
 
 
 
Phew, that ought to do it.
 
 
 
The other end of the connections have been configured on [[Charity_admin#John_2011-07-30_17:15|charity]] and [[Hope_admin#John_2011-07-30_18:05|hope]].
 
 
 
= [[User:John|John]] 2011-07-30 13:57 =
 
 
 
== Adding user jj5 ==
 
 
 
Didn't want to have to do this, but need to ssh in a fair bit.
 
 
 
root@honesty:~# adduser jj5
 
Adding user `jj5' ...
 
Adding new group `jj5' (1000) ...
 
Adding new user `jj5' (1000) with group `jj5' ...
 
Creating home directory `/home/jj5' ...
 
Copying files from `/etc/skel' ...
 
Enter new UNIX password:
 
Retype new UNIX password:
 
passwd: password updated successfully
 
Changing the user information for jj5
 
Enter the new value, or press ENTER for the default
 
        Full Name []: John Elliot
 
        Room Number []:
 
        Work Phone []:
 
        Home Phone []:
 
        Other []:
 
Is the information correct? [Y/n]
 
root@honesty:~# gpasswd -a jj5 sudo
 
Adding user jj5 to group sudo
 
 
 
 
 
= [[User:John|John]] 2011-07-29 02:54 =
 
 
 
== Installing Etckeeper ==
 
 
 
# apt-get install etckeeper
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following extra packages will be installed:
 
  bzr bzrtools patch python-configobj python-crypto python-paramiko
 
  python-support rsync
 
Suggested packages:
 
  bzr-gtk bzr-svn python-pycurl xdg-utils python-kerberos bzr-doc librsvg2-bin
 
  graphviz ed diffutils-doc python-crypto-dbg
 
The following NEW packages will be installed:
 
  bzr bzrtools etckeeper patch python-configobj python-crypto python-paramiko
 
  python-support rsync
 
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 4787kB of archives.
 
After this operation, 27.8MB of additional disk space will be used.
 
Do you want to continue [Y/n]?
 
 
 
Just like that.
 
 
 
== Installing IPSec ==
 
 
 
# apt-get install ipsec-tools
 
Reading package lists... Done
 
Building dependency tree
 
Reading state information... Done
 
The following NEW packages will be installed:
 
  ipsec-tools
 
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 
Need to get 111kB of archives.
 
After this operation, 274kB of additional disk space will be used.
 
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
 
Fetched 111kB in 0s (153kB/s)
 
Selecting previously deselected package ipsec-tools.
 
(Reading database ... 15571 files and directories currently installed.)
 
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
 
Processing triggers for man-db ...
 
Processing triggers for ureadahead ...
 
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
 
 
 
Processing triggers for libc-bin ...
 
ldconfig deferred processing now taking place
 
Committing to: /etc/
 
modified .etckeeper
 
added ipsec-tools.conf
 
added default/setkey
 
added init.d/setkey
 
added rcS.d/S37setkey
 
Committed revision 2.
 
 
 
= [[User:John|John]] 2011-07-28 21:15 =
 
 
 
The honesty.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.
 

Revision as of 22:49, 11 June 2012