Maintenance of s15.fluid.tuwien.ac.at

The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at.

The credentials for the management interface, and also for the root and oswat accounts on s15, are known to Iris Fula, Rudolf Ladner, Thomas Loimer, and Christiane Lechner.

The user account oswat on s15 is used for administrative purposes. Although customizations can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat. If, in addition, the original files are saved with the suffix .orig, it is easy to find the differences from a stock Debian system. For instance, to customize dhcpd.conf:

su
cd /etc
cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
edit dhcp/dhcpd.conf
chown oswat:oswat dhcp/dhcpd.conf
# find differences; some files, e.g., in logrotate.d, must be owned by root, group can be oswat
find /etc -user oswat -o -group oswat -o -name "*.orig"

The operating system on s15 is Debian. Type lsb_release -a to get information on the current release, and type uname -a to get the version of the running kernel.

To keep the operating system up to date, from time to time the commands

apt-get update
apt-get upgrade
apt-get dist-upgrade

should be issued, as root.

Firewall

A local firewall is installed on s15 to stop the frequent dictionary attacks. These show up as frequent log-in attempts with common username-password combinations, and can be observed in /var/log/auth.log. The firewall is implemented with iptables rules. These rules count the number of log-in attempts from a given IP address and block that address if more than 6 attempts are made. On a successful login, a command in the PAM stack removes the IP address from which the login originated from the list of tracked addresses.

The list of at most 100 tracked or blocked IP addresses is kept in /proc/net/xt_recent/DEFAULT. To manually unblock an IP address, do, as root,
echo -ip.num.ber > /proc/net/xt_recent/DEFAULT
See man iptables-extensions(8), module recent (xt_recent), and man pam_exec(3).

The iptables rules that populate the list of addresses in /proc/net/xt_recent/DEFAULT can be found in /etc/network/iptables.up.rules. That file was created with iptables-save > /etc/network/iptables.up.rules. The script /etc/network/if-pre-up.d/iptables loads the iptables rules at each startup of the server. On a successful login, a PAM module (see the line with pam_exec.so in /etc/pam.d/sshd) calls the script /etc/network/unblock.
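
An added sketch of what a helper such as /etc/network/unblock can look like; it is not the script installed on s15. It assumes pam_exec passes the client address in PAM_RHOST; the function names and the RECENT_LIST override are hypothetical.

```shell
#!/bin/sh
# Added sketch of an unblock helper for the xt_recent list described above.
# Not the script installed on s15. Assumption: pam_exec exports the client
# address as PAM_RHOST. RECENT_LIST can be overridden for testing.
RECENT_LIST="${RECENT_LIST:-/proc/net/xt_recent/DEFAULT}"

# Shape check for a literal IPv4 or IPv6 address. PAM_RHOST can hold a
# host name when sshd resolves names, and the list accepts addresses only.
# The kernel still does the final parsing of whatever is written.
is_ip_literal() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;   # empty or foreign characters
        *:*:*)               return 0 ;;   # colon form (IPv6)
        *[!0-9.]*)           return 1 ;;   # letters without colons: a name
        *.*.*.*)             return 0 ;;   # dotted quad (IPv4)
        *)                   return 1 ;;
    esac
}

# Remove one address from the tracked list. Writing "-addr" deletes the
# entry, the same operation as the manual "echo -ip.num.ber" command.
unblock_addr() {
    is_ip_literal "$1" || return 1
    printf '%s\n' "-$1" > "$RECENT_LIST"
}

# Print each tracked address with the number of recorded timestamps,
# i.e. the values that follow "oldest_pkt: N" in a list entry.
list_tracked() {
    while read -r src _ _ _ _ _ _ stamps; do
        [ -n "$src" ] || continue
        set -- $stamps
        printf '%s %s\n' "${src#src=}" "$#"
    done < "$RECENT_LIST"
}

# Entry point when called by pam_exec: act only if PAM_RHOST is set.
if [ -n "${PAM_RHOST:-}" ]; then
    unblock_addr "$PAM_RHOST" || echo "unblock: skipped '$PAM_RHOST'" >&2
fi
```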

Dhcp Server

/etc/dhcp/dhcpd.conf.orig

Print Server

For cupsd.conf, try git diff /etc/cups/cupsd.conf.orig /etc/cups/cupsd.conf to see the differences. The ppd file for Canon was extracted from ...

Customizations

/etc/sshd/sshd_config,
sources are retrieved from the local mirror at gd.tuwien.ac.at, /etc/apt/sources.list

Log in via tiss-password

Configurations

s15 (last edited 2025-11-11 15:04:43 by www)