#language en
= Maintenance and Setup of s15.fluid.tuwien.ac.at =

The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at. The credentials for the management interface, and also for the `root` and `oswat` accounts on s15, are known to Iris Fula, Rudolf Ladner, Thomas Loimer, and Christiane Lechner.

The user account `oswat` on s15 is used for administrative purposes. Although customizations can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat. If, in addition, the original files are saved with the suffix `.orig`, it is easy to find the differences to a stock Debian system. Therefore, for instance, to customize `dhcpd.conf`,

{{{
su
cd /etc
cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
edit dhcp/dhcpd.conf
chown oswat:oswat dhcp/dhcpd.conf
# find differences; some files, e.g., in logrotate.d,
# must be owned by root, group can be oswat
find /etc -user oswat -o -group oswat -o -name "*.orig"
}}}

The operating system on s15 is Debian. Type `lsb_release -a` to get information on the current release, and type `uname -a` to get the version of the running kernel. To keep the operating system up to date, from time to time the commands

{{{
apt-get update
apt-get upgrade
apt-get dist-upgrade
}}}

should be issued, as root.

== Ssh-daemon ==

As per the default configuration of the ssh-daemon, `root` is not allowed to log in to s15 via password authentication from a remote client. Therefore, log in with your regular account or as `oswat`, and `su` to root. Alternatively, create a public/private key pair. The default configuration of the ssh-daemon given in [attachment:sshd_config /etc/sshd/sshd_config] has been changed in one single instance.
Clients are not allowed to pass the environment variables related to their locale settings to their shell on s15:

{{{
# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*
}}}

The machinery for authentication via LDAP, i.e., by querying the database that also feeds TISS, is documented at Self:ldap-authentication or at Self:loginviatiss (in German).

== Network Setup ==

S15 has, apart from the management port at 128.130.169.3, four ethernet ports, which are bonded together to one interface, visible at 128.130.169.2. The network is configured from [attachment:interfaces /etc/network/interfaces] using the package ifupdown, not yet via systemd configuration files.

== Firewall ==

There is a local firewall installed on s15, which serves to stop dictionary attacks. These manifest themselves by frequent log-in attempts with common username–password combinations. The log-in attempts can be observed in `/var/log/auth.log`.

The firewall is implemented by iptables rules. These rules count the number of log-in attempts from a given IP address, and block that address if more than 6 attempts are tried. On a successful login, a command in the PAM stack removes the IP address from which the successful login originated from the list of tracked addresses. The list of a maximum of 100 tracked or blocked IP addresses is kept in /proc/net/xt_recent/DEFAULT. To manually unblock an IP address, do, as root,

{{{
# A minus (-) in front of the address
# removes that address from the table.
echo -ip.num.ber > /proc/net/xt_recent/DEFAULT
}}}

See man iptables_extensions(8), module xt_recent, and man pam_exec(3).

The iptables rules that populate the list of addresses in `/proc/net/xt_recent/DEFAULT` can be found in [attachment:iptables.up.rules /etc/network/iptables.up.rules]. The latter file was created with `iptables-save > /etc/network/iptables.up.rules`. The script [attachment:iptables /etc/network/if-pre-up.d/iptables] loads the iptables rules at each startup of the server.
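To see which addresses the xt_recent rules would have caught, the failed password attempts in `/var/log/auth.log` can be counted per source address and compared against the same threshold of 6. The following shell functions are an added example, not a script from s15 or from this page; the log lines are constructed in the sshd/auth.log format, and the function takes the log file as its first argument so it can be pointed at the real file.

```shell
#!/bin/sh
# Added example: count failed ssh password attempts per source address
# (auth.log format) and list the addresses above the xt_recent threshold.
# The sample lines below are constructed; on s15 use /var/log/auth.log.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 s15 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 s15 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:06 s15 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:08 s15 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Mar  3 10:01:10 s15 sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:12 s15 sshd[1203]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar  3 10:01:14 s15 sshd[1204]: Failed password for invalid user guest from 203.0.113.7 port 51260 ssh2
Mar  3 10:02:30 s15 sshd[1250]: Failed password for oswat from 198.51.100.23 port 43000 ssh2
Mar  3 10:02:41 s15 sshd[1250]: Failed password for oswat from 198.51.100.23 port 43000 ssh2
Mar  3 10:02:55 s15 sshd[1250]: Accepted password for oswat from 198.51.100.23 port 43000 ssh2
EOF

# Print "count address" for every address with failed password attempts,
# most attempts first. Only sshd "Failed password" lines are considered.
failed_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Addresses with more than $2 failed attempts (default 6, as in the
# iptables rules on s15), one address per line.
over_threshold() {
    threshold=${2:-6}
    failed_per_ip "$1" | awk -v t="$threshold" '$1 > t { print $2 }'
}

over_threshold "$SAMPLE_LOG"   # prints 203.0.113.7
```

The two mistyped passwords from 198.51.100.23 stay below the threshold, and its subsequent successful login is what would trigger the pam_exec unblock script on s15 anyway.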
On a successful login, a PAM module, see the line with pam_exec.so in [attachment:sshd /etc/pam.d/sshd], calls the script [attachment:unblock /etc/network/unblock].

== Certificates ==

Certificates have been issued for files.fluid.tuwien.ac.at, druck.fluid.tuwien.ac.at and s15.fluid.tuwien.ac.at. Therefore, if users connect with their web browser to either of these machines, the web browser does not complain about an untrusted connection. The certificates are stored under /etc/ssl/*/files_fluid_*. Symbolic links point to them from /etc/cups/ssl/*.

== File server ==

The file server is implemented by a WebDAV CGI wrapper program from http://webdavcgi.sourceforge.net. The setup of the Apache web server and the CGI script is described on a separate [:webdav-setup: page].

== Dhcp Server ==

S15 also is the DHCP server at our institute, that is, it provides IP addresses to those machines that do not have a fixed IP address, e.g., laptops. At present, there is a pool of 7 IP addresses. Therefore, users should set their computer to a fixed IP address as soon as possible.

The configuration file for the DHCP server, [attachment:dhcpd.conf /etc/dhcp/dhcpd.conf], has the following options set differently from the configuration file shipped with the package, now /etc/dhcp/dhcpd.conf.orig:

{{{
# option definitions common to all supported networks...
option domain-name "fluid.tuwien.ac.at";
# tunamea.tuwien.ac.at, tunameb.tuwien.ac.at
option domain-name-servers 128.130.4.3, 128.131.4.3;
option lpr-servers 128.130.169.2;
# ntp-servers - RFC 1035 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at, tutimec.tuwien.ac.at;
option ntp-servers 128.130.3.131, 128.130.2.3, 128.131.2.3;
# time-servers - RFC 868 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at;
option time-servers 128.130.3.131, 128.130.2.3;

default-lease-time 7200;  # orig: 600
max-lease-time 14400;     # orig: 7200

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# the ip-numbers which can be dynamically distributed
subnet 128.130.169.0 netmask 255.255.255.128 {
  range 128.130.169.54 128.130.169.56;
  range 128.130.169.65 128.130.169.66;
  range 128.130.169.72;
  range 128.130.169.63;
  option routers 128.130.169.1;
}
}}}

== Print Server ==

S15 also is a print server. The web interface of the CUPS print server can be accessed at the alias of s15, https://druck.fluid.tuwien.ac.at. The print server is configured such that it can be accessed from any address within TU Wien. Therefore, one can print from laptops connected via WLAN.

The configuration of the CUPS server is stored in the file [attachment:cupsd.conf /etc/cups/cupsd.conf]. The differences from the shipped version of cupsd.conf are

{{{
# the /var/spool/cups directory filled up to 1.5G
# only store a limited amount of jobs (Default: 500)
MaxJobs 40

# Listen for connections from remote machines.
Listen *:631

# With ServerName commented out, there were "BadRequests",
# no matter what was done with Listen.
#ServerName druck.fluid.tuwien.ac.at
ServerAlias druck.fluid.tuwien.ac.at
ServerAlias druck.fluid
ServerAlias druck

# Restrict access to the server...
Order allow,deny
# Allow from within TU Wien
Allow from 128.130.0.0/15

# Restrict access to the admin pages...
Order allow,deny
Allow from @LOCAL

# Restrict access to configuration files...
AuthType Default
Require user @SYSTEM
Order deny,allow

. . .

# Add Cancel-Job here
# Job-related operations must be done by the owner or an administrator...
Order deny,allow

# Remove Cancel-Job here
# Only the owner or an administrator authenticate a job...
Require user @OWNER @SYSTEM
Order deny,allow
}}}

The printer description files for all printers, except canon, were installed from the web interface of CUPS, after installing hplip. The printer description file for canon, [attachment:canon.ppd /etc/cups/ppd/canon.ppd], was extracted from the tar archive of the CQue printer driver, which was obtained from the Canon support page, http://www.canon.at/support/products/imagerunner/ir2230.aspx

== Installation of software packages ==

New packages are installed with `apt-get install packagename`. The description and list of packages can be found at https://www.debian.org/distrib/packages. The packages are retrieved from the local mirror at gd.tuwien.ac.at, as listed in [attachment:sources.list /etc/apt/sources.list].

== Time synchronization ==

The computer clock is synchronized with the TU time servers, not with the NTP pool servers from Debian, see [attachment:timesyncd.conf /etc/systemd/timesyncd.conf].