#language en

= Maintainance of s15.fluid.tuwien.ac.at =

The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at.

The credentials for the management interface, and also for the `root` and `oswat` accounts
on s15 are known to Iris Fula, Rudolf Ladner, Thomas Loimer, and Christiane Lechner.
The user account `oswat` on s15 is used for administrative purposes. Although customizations
can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat.
If, in addition, the original files are saved with the suffix `.orig`, it is easy to find the
differences to a stock debian system. Therefore, for instance, to customize `dhcpd.conf`,
{{{
su; cd /etc
cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
edit dhcp/dhcpd.conf
chown oswat:oswat dhcp/dhcpd.conf
# find differences; some files, e.g., in logrotate.d, must be owned by root, group can be oswat
find /etc -user oswat -o -group oswat -o -name "*.orig"
}}}

The operating system on s15 is debian. Type `lsb_release -a` to get information on the current
release, and type `uname -a` to get the version of the running kernel.

To keep the operating system up to date, from time to time the commands
{{{
apt-get update
apt-get upgrade
apt-get dist-upgrade
}}}
should be issued, as root.

== Firewall ==

There is a local firewall installed on s15, which
serves to stop the frequent dictionary attacks. These manifest themselves
by frequent log-in attempts with common username - password combinations.
The log-in attempts can be observed in `/var/log/auth.log`.
The firewall is implemented by iptable rules.
These rules count the number of log-in attempts from a given ip-number,
and block that number if more than 6 attempts are tried.
On a succesful login, a command in the pam stack removes the ip-number
from which the succesful login originated from the list of tracked addresses.

See the iptable-rules in the file attachment:iptables.up.rules,
which was created with `iptables-save > /etc/network/iptables.up.rules`.
The script [attachment:iptables /etc/network/if-pre-up.d/iptables]
loads the iptable-rules at each startup of the server.
On a succesful login, a pam-module, see the line with pam_exec.so in
[attachment:sshd /etc/pam.d/sshd],
calls the script [attachment:unblock /etc/networkk/unblock].