Maintenance of s15.fluid.tuwien.ac.at
The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at.
The credentials for the management interface, and also for the root and oswat accounts on s15, are known to Iris Fula, Rudolf Ladner, Thomas Loimer, and Christiane Lechner. The user account oswat on s15 is used for administrative purposes. Although customizations can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat. If, in addition, the original files are saved with the suffix .orig, it is easy to find the differences to a stock Debian system. Therefore, for instance, to customize dhcpd.conf,
    # become root, then work in /etc
    su
    cd /etc
    # keep the stock file, preserving its mode and timestamps
    cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
    edit dhcp/dhcpd.conf
    chown oswat:oswat dhcp/dhcpd.conf
    # find differences; some files, e.g., in logrotate.d, must be owned by root, group can be oswat
    find /etc -user oswat -o -group oswat -o -name "*.orig"
The operating system on s15 is Debian. Type lsb_release -a to get information on the current release, and type uname -a to get the version of the running kernel.
To keep the operating system up to date, from time to time the commands
    apt-get update
    apt-get upgrade
    apt-get dist-upgrade
should be issued, as root.
Firewall
There is a local firewall installed on s15, which serves to stop the frequent dictionary attacks. These manifest themselves as frequent log-in attempts with common username/password combinations. The log-in attempts can be observed in /var/log/auth.log. The firewall is implemented by iptables rules. These rules count the number of log-in attempts from a given IP address, and block that address if more than 6 attempts are tried. On a successful login, a command in the PAM stack removes the IP address from which the successful login originated from the list of tracked addresses. See the iptables rules in the file iptables.up.rules, which was created with iptables-save > /etc/network/iptables.up.rules. The script /etc/network/if-pre-up.d/iptables loads the iptables rules at each startup of the server.
See /etc/network/iptables.up.rules and the line with pam_exec.so in /etc/pam.d/sshd, which, on successful login, calls the unblock script /etc/network/unblock.
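To check offline which addresses the policy described above would catch, the following added example (not part of the original page and not a script installed on s15) replays auth.log lines with the same logic: count attempts per address, forget an address on a successful login, flag it above 6. It assumes the standard sshd message format and counts "Failed password" lines as attempts; the function names over_limit, fails and sample_log are hypothetical.

```shell
#!/bin/sh
# Replay sshd lines from auth.log and list addresses over the attempt limit.
LIMIT=6   # the page blocks an address after more than 6 attempts

# over_limit [FILE...]: print "ADDRESS COUNT" for each flagged address.
over_limit() {
    awk -v limit="$LIMIT" '
        # Source address: the word between the last "from" and "port".
        # Scanning from the end ignores a user name that is itself "from".
        function src(   i) {
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = src(); if (ip != "") count[ip]++
        }
        # A successful login clears the address, like the PAM unblock step.
        /sshd\[[0-9]+\]: Accepted / {
            ip = src(); if (ip != "") delete count[ip]
        }
        END { for (ip in count) if (count[ip] > limit) print ip, count[ip] }
    ' "$@" | sort
}

# fails COUNT ADDRESS: emit COUNT constructed failed-login lines.
fails() {
    n=0
    while [ "$n" -lt "$1" ]; do
        echo "Jan 12 03:14:07 s15 sshd[2211]: Failed password for invalid user from from $2 port 51234 ssh2"
        n=$((n + 1))
    done
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    fails 8 203.0.113.7                 # 8 attempts: flagged
    fails 7 198.51.100.20               # 7 attempts ...
    echo "Jan 12 03:20:00 s15 sshd[2300]: Accepted password for oswat from 198.51.100.20 port 40000 ssh2"
    fails 1 198.51.100.20               # ... cleared by the login, 1 remains
    fails 6 192.0.2.50                  # exactly 6: not more than the limit
}

sample_log | over_limit   # prints: 203.0.113.7 8
```

On the server itself, run over_limit /var/log/auth.log as root or as a user allowed to read that file.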