Maintenance of s15.fluid.tuwien.ac.at

The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at.

The credentials for the management interface, and also for the root and oswat accounts on s15, are known to Iris Fula, Rudolf Ladner, Thomas Loimer, and Christiane Lechner. The user account oswat on s15 is used for administrative purposes. Although customizations can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat. If, in addition, the original files are saved with the suffix .orig, it is easy to find the differences to a stock Debian system. For instance, to customize dhcpd.conf:

su; cd /etc
cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
edit dhcp/dhcpd.conf
chown oswat:oswat dhcp/dhcpd.conf
# find differences; some files, e.g., in logrotate.d, must be owned by root, group can be oswat
find /etc -user oswat -o -group oswat -o -name "*.orig"
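The convention above (stock file kept as <file>.orig, edited file owned by oswat) can be turned into a small helper. The functions below are an added example, not scripts from s15; they assume only that convention. save_orig refuses to overwrite an existing .orig, so running it a second time after a further edit does not clobber the stock copy; list_customized prints, for every .orig found, the owner of the edited file and a unified diff against the stock version.

```shell
# Added example, not part of the s15 page. Assumes the page's convention:
# the stock copy of an edited file lives next to it with the suffix .orig.

# Save the stock copy once. A second call must not overwrite the real stock
# file with an already customized version, so an existing .orig is kept.
save_orig() {
    f=$1
    if [ -e "$f.orig" ]; then
        printf '%s.orig already exists, keeping the stock copy\n' "$f" >&2
        return 0
    fi
    cp -p "$f" "$f.orig"
}

# Number of customized files (those with a .orig copy) below a directory.
count_customized() {
    find "${1:-/etc}" -name '*.orig' -type f | wc -l | tr -d ' '
}

# For every .orig below the directory, show who owns the edited file and
# how it differs from the stock version. diff returns 1 when files differ,
# which is the expected case here, so its status is ignored.
list_customized() {
    root=${1:-/etc}
    find "$root" -name '*.orig' -type f | sort | while IFS= read -r orig; do
        cur=${orig%.orig}
        if [ ! -e "$cur" ]; then
            printf '%s: customized file missing, only %s remains\n' "$cur" "$orig"
            continue
        fi
        owner=$(ls -ld "$cur" | awk '{ print $3 ":" $4 }')
        printf '== %s (owner %s)\n' "$cur" "$owner"
        diff -u "$orig" "$cur" || true
    done
}
```

Typical use on s15 would be save_orig /etc/dhcp/dhcpd.conf before editing, then list_customized /etc to review all local changes at once, e.g. before a dist-upgrade.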

The operating system on s15 is Debian. Type lsb_release -a to get information on the current release, and type uname -a to get the version of the running kernel.

To keep the operating system up to date, from time to time the commands

apt-get update
apt-get upgrade
apt-get dist-upgrade

should be issued, as root.

Firewall

There is a local firewall installed on s15, which serves to stop the frequent dictionary attacks. These manifest themselves by frequent log-in attempts with common username - password combinations. The log-in attempts can be observed in /var/log/auth.log. The firewall is implemented by iptables rules. These rules count the number of log-in attempts from a given ip-number, and block that number if more than 6 attempts are tried. On a successful login, a command in the pam stack removes the ip-number from which the successful login originated from the list of tracked addresses.

The list of a maximum of 100 tracked or blocked ip-addresses is kept in /proc/net/xt_recent/DEFAULT. To manually unblock an ip-address, do, as root,

echo -ip.num.ber > /proc/net/xt_recent/DEFAULT

See man iptables-extensions(8), module xt_recent, and man pam_exec(3).

The iptables rules that populate the list of addresses in /proc/net/xt_recent/DEFAULT can be found in /etc/network/iptables.up.rules. The latter file was created with iptables-save > /etc/network/iptables.up.rules. The script /etc/network/if-pre-up.d/iptables loads the iptables rules at each startup of the server. On a successful login, a pam-module, see the line with pam_exec.so in /etc/pam.d/sshd, calls the script /etc/network/unblock.
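To make the mechanism described above concrete, here is an added example (not the rules or the unblock script actually installed on s15). It assumes the list name DEFAULT and the page's threshold of more than 6 attempts; the one-hour window in --seconds is an assumption, as is the sample listing. list_blocked reads the /proc/net/xt_recent file, whose lines have the form src=A.B.C.D ttl: N last_seen: J oldest_pkt: K t1,t2,..., and reports every source with more than the given number of recorded attempts. unblock_addr does what the pam_exec hook must do, with one caveat worth knowing: pam_exec hands the client over in PAM_RHOST, which can be a hostname when sshd resolves names, and the kernel file only accepts an address.

```shell
# Added example, not the configuration of s15. Assumes list name DEFAULT,
# the page's threshold (block after more than 6 attempts) and a one-hour window.
XT_RECENT=/proc/net/xt_recent/DEFAULT

# Rules of the kind that populate the list. A new SSH connection from a source
# already recorded 7 or more times within the window is dropped; otherwise the
# source is recorded. Needs root and is not exercised by the test.
install_rules() {
    iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name DEFAULT --update --seconds 3600 --hitcount 7 -j DROP
    iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name DEFAULT --set
}

# Print "address hits" for every source in the xt_recent listing ($1) with
# more than $2 recorded attempts (default 6). The hit count is the number of
# comma-separated timestamps in the 8th field of each line.
list_blocked() {
    file=${1:-$XT_RECENT}
    limit=${2:-6}
    awk -v limit="$limit" '
        /^src=/ {
            addr = substr($1, 5)
            hits = split($8, stamps, ",")
            if (hits > limit) print addr, hits
        }' "$file"
}

# Remove one address from the list, as the hook after a successful login does.
# Only a dotted-quad address is written; anything else (e.g. a hostname from
# PAM_RHOST) is rejected with status 1 instead of being sent to the kernel.
unblock_addr() {
    addr=$1
    file=${2:-$XT_RECENT}
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf -- '-%s\n' "$addr" > "$file"
}

# Entry point for a pam_exec hook: the client address is passed in PAM_RHOST.
unblock_from_pam() {
    unblock_addr "${PAM_RHOST:-}"
}

# Constructed sample listing in the xt_recent format, for trying list_blocked
# without root: 10.0.0.5 has 8 recorded attempts, 10.0.0.9 has 2.
write_sample_listing() {
    cat > "$1" <<'EOF'
src=10.0.0.5 ttl: 64 last_seen: 4295100 oldest_pkt: 2 4295000,4295010,4295020,4295030,4295040,4295050,4295060,4295100
src=10.0.0.9 ttl: 64 last_seen: 4295200 oldest_pkt: 1 4295200,4295210
EOF
}
```

On the real server, list_blocked with no arguments reads /proc/net/xt_recent/DEFAULT directly, and unblock_addr 1.2.3.4 is the scripted form of the manual echo command given above.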

Network Setup

S15 has, apart from the management port at 128.130.169.3, four ethernet ports, which are bonded together to one interface, visible at 128.130.169.2. The network is configured from /etc/network/interfaces using the package ifupdown, not yet via systemd configuration files.

Dhcp Server

S15 also is the dhcp-server at our institute, that is, it provides ip-numbers to those clients that do not have a fixed ip-address, e.g., laptops. At present, there is a pool of 7 ip-numbers. Therefore, users should organize a fixed ip-address as soon as possible. The configuration file for the dhcp-server, /etc/dhcp/dhcpd.conf, has the following options set differently from the configuration file shipped with the package, now /etc/dhcp/dhcpd.conf.orig:

# option definitions common to all supported networks...
option domain-name "fluid.tuwien.ac.at";
# tunamea.tuwien.ac.at, tunameb.tuwien.ac.at
option domain-name-servers 128.130.4.3, 128.131.4.3;
option lpr-servers 128.130.169.2;
# ntp-servers - RFC 1035 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at, tutimec.tuwien.ac.at;
option ntp-servers 128.130.3.131, 128.130.2.3, 128.131.2.3;
# time-servers - RFC 868 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at;
option time-servers 128.130.3.131, 128.130.2.3;

default-lease-time 7200;   # orig:  600
max-lease-time 14400;      # orig: 7200

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# the ip-numbers which can be dynamically distributed
subnet 128.130.169.0 netmask 255.255.255.128 {
  range 128.130.169.54 128.130.169.56;
  range 128.130.169.65 128.130.169.66;
  range 128.130.169.72;
  range 128.130.169.63;
  option routers 128.130.169.1;
}
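The pool size of 7 quoted above is the sum of the four range statements (three, two, one and one addresses). The following added example, which is not part of the page, computes that number from a dhcpd.conf so the documented pool can be checked after a range is edited; the embedded configuration is a constructed copy of the subnet block above, and check_config wraps the syntax check of the isc-dhcp-server package.

```shell
# Added example, not from the s15 page. Counts the addresses declared by
# "range" statements in a dhcpd.conf. A range with one address
# ("range 128.130.169.72;") counts as one; "range A B;" counts B-A+1.
pool_size() {
    awk '
        function ip2n(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        /^[ \t]*range[ \t]/ {
            sub(/;.*/, "")                 # drop trailing ";" and any comment
            lo = ip2n($2)
            hi = (NF >= 3) ? ip2n($3) : lo
            total += hi - lo + 1
        }
        END { print total + 0 }' "$1"
}

# Syntax check of a configuration file before restarting the server
# (dhcpd -t only parses, it does not start serving). Not run by the test.
check_config() {
    dhcpd -t -cf "${1:-/etc/dhcp/dhcpd.conf}"
}

# Constructed copy of the subnet block documented for s15, written to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
authoritative;

# the ip-numbers which can be dynamically distributed
subnet 128.130.169.0 netmask 255.255.255.128 {
  range 128.130.169.54 128.130.169.56;
  range 128.130.169.65 128.130.169.66;
  range 128.130.169.72;
  range 128.130.169.63;
  option routers 128.130.169.1;
}
EOF
}
```

pool_size /etc/dhcp/dhcpd.conf on s15 should print 7 as long as the ranges above are unchanged.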

Print Server

S15 also is a print server. The web interface of the cups print server can be accessed at the alias of s15, http://druck.fluid.tuwien.ac.at. The print server is configured such that it can be accessed from any address within TU Wien. Therefore, one can print from laptops connected via WLAN. The configuration of the cups server is stored in the file /etc/cups/cupsd.conf.

The differences from the shipped version of cupsd.conf are

# the /var/spool/cups directory filled up to 1.5G
# only store a limited amount of jobs (Default: 500)
MaxJobs 40

# Listen for connections from remote machines.
Listen *:631

# With ServerName commented out, there were "BadRequests",
# no matter what was done with Listen.
#ServerName druck.fluid.tuwien.ac.at
ServerAlias druck.fluid.tuwien.ac.at
ServerAlias druck.fluid
ServerAlias druck

# Restrict access to the server...
<Location />
  Order allow,deny
# Allow from within TU Wien
  Allow from 128.130.0.0/15
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow from @LOCAL
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order deny,allow
</Location>

<Policy default>
 .
 .
 .
  # Add Cancel-Job here
  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job Cancel-Job>
    Order deny,allow
  </Limit>

  # Remove Cancel-Job here
  # Only the owner or an administrator authenticate a job...
  <Limit CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>

The printer description files for all printers, except canon, were installed from the web interface of cups, after installing hplip. The printer description file for canon, /etc/cups/ppd/canon.ppd, was extracted from the tar-archive of the CQue printer driver, which was obtained from the canon support page, http://www.canon.at/support/products/imagerunner/ir2230.aspx

Customizations

The only customization to the ssh-server in /etc/sshd/sshd_config was to not allow clients to pass environment variables related to their locale settings,

# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*

Package sources are retrieved from the local mirror at gd.tuwien.ac.at, as listed in /etc/apt/sources.list.

The computer clock is synchronized with the TU time servers, not with the ntp pool servers from Debian, see /etc/systemd/timesyncd.conf.

Log in via tiss-password


s15 (last edited 2025-11-11 15:04:43 by www)