Maintenance and Setup of s15.fluid.tuwien.ac.at
The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at.
The credentials for the management interface, and also for the root and oswat accounts on s15 are known to Iris Fula, Sebastian Böhm, Thomas Loimer, Francesco Zonta and Francesco Romanò. The user account oswat on s15 is used for administrative purposes. Although customizations can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat. If, in addition, the original files are saved with the suffix .orig, it is easy to find the differences to a stock debian system. Therefore, for instance, to customize dhcpd.conf,
su
cd /etc
cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
edit dhcp/dhcpd.conf
chown oswat:oswat dhcp/dhcpd.conf
# find differences; some files, e.g., in logrotate.d,
# must be owned by root, group can be oswat
find /etc -user oswat -o -group oswat -o -name "*.orig"
The operating system on s15 is debian. Type lsb_release -a to get information on the current release, and type uname -a to get the version of the running kernel.
To keep the operating system up to date, from time to time the commands
apt-get update
apt-get upgrade
apt-get dist-upgrade
should be issued, as root.
Installation of software packages
The list of software installed on s15 is maintained on a separate page, s15-software. If any software is installed, e.g., using apt-get install, please update that list.
The packages are retrieved from the official debian mirror at ftp.at.debian.org, as listed in /etc/apt/sources.list.
Ssh-daemon
As per the default configuration of the ssh-daemon, root is not allowed to log in to s15 via password authentication from a remote client. Therefore, log in with your regular account or as oswat, and su to root. Alternatively, create a public/private key pair.
The default configuration of the ssh-daemon given in /etc/sshd/sshd_config has been changed in a single place: clients are not allowed to pass the environment variables related to their locale settings to their shell on s15, so the AcceptEnv line is commented out,
# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*
The machinery for authentication via ldap, i.e., by querying the database that also feeds tiss, is documented at ldap-authentication or at loginviatiss (in German).
Network setup
S15 has, apart from the management port at 128.130.169.3, four Ethernet ports, which are bonded together to one interface, visible at 128.130.169.2. The network is configured from /etc/network/interfaces using the package ifupdown, not yet via systemd configuration files.
Firewall
There is a local firewall installed on s15, which serves to stop dictionary attacks. These manifest themselves by frequent log-in attempts with common username–password combinations. The log-in attempts can be observed in /var/log/auth.log. The firewall is implemented by iptables rules. These rules count the number of log-in attempts from a given ip-number, and block that ip-number if more than 6 attempts are tried. On a successful login, a command in the pam stack removes the ip-number from which the successful login originated from the list of tracked addresses.
The list of a maximum of 100 tracked or blocked ip-addresses is kept in /proc/net/xt_recent/DEFAULT. To manually unblock an ip-address, do, as root,
# A minus (-) in front of the number
# removes that number from the table.
echo -ip.num.ber > /proc/net/xt_recent/DEFAULT
See man iptables-extensions(8), module xt_recent, and man pam_exec(3).
The iptables rules that populate the list of addresses in /proc/net/xt_recent/DEFAULT can be found in /etc/network/iptables.up.rules. The latter file was created with iptables-save > /etc/network/iptables.up.rules. The script /etc/network/if-pre-up.d/iptables loads the iptables rules at each startup of the server. On a successful login, a pam-module, see the line with pam_exec.so in /etc/pam.d/sshd, calls the script /etc/network/unblock.
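The three pieces of the throttle described above, as an added example that is not the content of /etc/network/iptables.up.rules or /etc/network/unblock on s15, reconstructed from the description: the rule pair that feeds the xt_recent table, a detection pass over auth.log that shows which sources would exceed the limit, and the body of a pam_exec hook that removes the client address after a successful login. Known from the page: the table name DEFAULT, the limit of 6 attempts, and the pam_exec mechanism. Assumed: a 600-second counting window, TCP port 22, and the log line format of a stock Debian auth.log. The auth.log excerpt is constructed and uses documentation addresses.

```shell
#!/bin/sh
# Added example, not the scripts installed on s15. See the lead-in for what is
# taken from the page (table DEFAULT, limit 6, pam_exec) and what is assumed
# (600 s window, port 22, Debian auth.log format).

# 1. Emit, but do not apply, iptables rules in iptables-save syntax. Every new
#    SSH connection is recorded in /proc/net/xt_recent/DEFAULT; the 7th and
#    later connection from the same source within the window is dropped, i.e.
#    more than 6 attempts block the address. Review the output, then load it
#    as root with iptables-restore.
ssh_throttle_rules() {
    cat <<'EOF'
*filter
# record every new SSH connection in the xt_recent table DEFAULT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name DEFAULT --set
# drop when the source already has 7 or more hits in the last 600 seconds (assumed window)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name DEFAULT --update --seconds 600 --hitcount 7 -j DROP
COMMIT
EOF
}

# 2. Detection: count "Failed password" lines per source address in auth.log
#    text read from stdin and print "count address" for sources above $1.
failed_logins_over() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' | sort -k1,1nr
}

# 3. Hook body for the pam_exec.so line in /etc/pam.d/sshd. pam_exec exports
#    the client address as PAM_RHOST; writing "-address" to the table removes
#    it. Only digits and dots are accepted because PAM_RHOST may also carry a
#    hostname. The table path is a parameter so the function can be exercised
#    against a scratch file without root; in the hook call it as
#    unblock_rhost "$PAM_RHOST".
unblock_rhost() {
    host="$1"
    table="${2:-/proc/net/xt_recent/DEFAULT}"
    case "$host" in
        "" | *[!0-9.]* ) return 1 ;;
    esac
    echo "-$host" > "$table"
}

# Constructed auth.log excerpt (documentation addresses, not real traffic):
# seven failures from 203.0.113.7, two from 198.51.100.9, one accepted login.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:12:01 s15 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:03 s15 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:05 s15 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:08 s15 sshd[2314]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:12:10 s15 sshd[2314]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:12:12 s15 sshd[2314]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:12:15 s15 sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  3 10:14:02 s15 sshd[2325]: Failed password for oswat from 198.51.100.9 port 40020 ssh2
Mar  3 10:14:09 s15 sshd[2325]: Failed password for oswat from 198.51.100.9 port 40020 ssh2
Mar  3 10:15:40 s15 sshd[2330]: Accepted publickey for oswat from 198.51.100.9 port 40022 ssh2
EOF
)

# Sources in the excerpt that exceed the page's limit of 6 attempts.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_over 6
```

Against the real log, run `failed_logins_over 6 < /var/log/auth.log` to compare what the log shows with what `cat /proc/net/xt_recent/DEFAULT` currently tracks; a source that appears in the first but not the second has either aged out of the window or been removed by the unblock hook.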
Certificates
Certificates have been issued for files.fluid.tuwien.ac.at, druck.fluid.tuwien.ac.at and s15.fluid.tuwien.ac.at. Therefore, if users connect with their web browser to either of these machines, the web browser does not complain about an untrusted connection. The certificates are stored under /etc/ssl/*/files_fluid_*. Symbolic links point to them from /etc/cups/ssl/*.
File server
The file server is implemented by a webdav cgi wrapper program from http://webdavcgi.sourceforge.net. The setup of the apache web server and the cgi script is described on a separate page.
Dhcp server
S15 is also the dhcp-server at our institute, that is, it provides ip-numbers to those machines that do not have a fixed ip-address, e.g., laptops. At present, there is a pool of 7 ip-numbers. Therefore, users should set their computer to a fixed ip-address as soon as possible. The configuration file for the dhcp-server, /etc/dhcp/dhcpd.conf, has the following options set differently from the configuration file shipped with the package, now /etc/dhcp/dhcpd.conf.orig:
# option definitions common to all supported networks...
option domain-name "fluid.tuwien.ac.at";
# tunamea.tuwien.ac.at, tunameb.tuwien.ac.at
option domain-name-servers 128.130.4.3, 128.131.4.3;
option lpr-servers 128.130.169.2;
# ntp-servers - RFC 1035 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at, tutimec.tuwien.ac.at;
option ntp-servers 128.130.3.131, 128.130.2.3, 128.131.2.3;
# time-servers - RFC 868 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at;
option time-servers 128.130.3.131, 128.130.2.3;
default-lease-time 7200; # orig: 600
max-lease-time 14400; # orig: 7200
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# the ip-numbers which can be dynamically distributed
subnet 128.130.169.0 netmask 255.255.255.128 {
range 128.130.169.54 128.130.169.56;
range 128.130.169.65 128.130.169.66;
range 128.130.169.72;
range 128.130.169.63;
option routers 128.130.169.1;
}
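Two checks that go with the small pool above, as an added example (not part of the page's dhcpd.conf or any script on s15): the first sums the addresses offered by the range statements of a dhcpd.conf, so the "pool of 7" figure can be verified after editing; the second counts addresses whose latest lease record is active, so pool exhaustion can be spotted before users report it. Both read their input from stdin. Assumed: Debian keeps the lease database at /var/lib/dhcp/dhcpd.leases, and ranges use the plain "range A B;" or "range A;" forms that appear in the page's configuration. The conf and lease excerpts embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from s15. Assumptions: lease database at
# /var/lib/dhcp/dhcpd.leases; range statements in the two plain forms
# used on the page. Inputs come from stdin.

# Sum the addresses offered by every "range" statement in a dhcpd.conf.
# Handles "range A B;" (inclusive span) and "range A;" (one address), and
# ignores trailing comments on the same line.
dhcp_pool_size() {
    awk '
        function ip2n(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        $1 == "range" {
            sub(/#.*/, "")          # drop an inline comment
            sub(";", "")            # drop the statement terminator
            total += (NF == 2) ? 1 : ip2n($3) - ip2n($2) + 1
        }
        END { print total + 0 }
    '
}

# Count distinct addresses whose most recent lease record in a dhcpd.leases
# file is "binding state active". The file is append-only, so later records
# for the same address override earlier ones.
dhcp_active_leases() {
    awk '
        $1 == "lease" { ip = $2; state[ip] = "free" }
        $1 == "binding" && $2 == "state" { s = $3; sub(";", "", s); state[ip] = s }
        END { n = 0; for (ip in state) if (state[ip] == "active") n++; print n }
    '
}

# Constructed dhcpd.conf excerpt using the page's ranges (3 + 2 + 1 + 1 = 7).
SAMPLE_DHCPD_CONF=$(cat <<'EOF'
# the ip-numbers which can be dynamically distributed
subnet 128.130.169.0 netmask 255.255.255.128 {
range 128.130.169.54 128.130.169.56;
range 128.130.169.65 128.130.169.66;
range 128.130.169.72; # single address
range 128.130.169.63;
option routers 128.130.169.1;
}
EOF
)

# Constructed dhcpd.leases excerpt: .54 active, .55 active then released,
# .65 active; two addresses are currently in use.
SAMPLE_LEASES=$(cat <<'EOF'
lease 128.130.169.54 {
  starts 1 2024/03/04 09:00:00;
  ends 1 2024/03/04 11:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:00:5e:00:53:01;
}
lease 128.130.169.55 {
  starts 1 2024/03/04 09:05:00;
  ends 1 2024/03/04 11:05:00;
  binding state active;
  hardware ethernet 00:00:5e:00:53:02;
}
lease 128.130.169.65 {
  starts 1 2024/03/04 09:10:00;
  ends 1 2024/03/04 11:10:00;
  binding state active;
  hardware ethernet 00:00:5e:00:53:03;
}
lease 128.130.169.55 {
  starts 1 2024/03/04 09:05:00;
  ends 1 2024/03/04 09:30:00;
  binding state free;
  hardware ethernet 00:00:5e:00:53:02;
}
EOF
)

echo "pool size:     $(printf '%s\n' "$SAMPLE_DHCPD_CONF" | dhcp_pool_size)"
echo "active leases: $(printf '%s\n' "$SAMPLE_LEASES" | dhcp_active_leases)"
```

On s15 the same two functions would be fed with `dhcp_pool_size < /etc/dhcp/dhcpd.conf` and `dhcp_active_leases < /var/lib/dhcp/dhcpd.leases`; when the second number approaches the first, the next laptop will not get an address.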
Print server
S15 is also a print server. The web interface of the cups print server can be accessed at the alias of s15, https://druck.fluid.tuwien.ac.at. The print server is configured such that it can be accessed from any address within TU Wien. Therefore, one can print from laptops connected via WLAN. The configuration of the cups server is stored in the file /etc/cups/cupsd.conf.
The self-signed certificates shipped with cups and located under /etc/cups/ssl/server.{crt|key} were replaced by symbolic links to the real certificate for s15, under /etc/ssl/certs/files_fluid*.crt and /etc/ssl/private/files_fluid*.key.
The differences from the shipped version of cupsd.conf are
# the /var/spool/cups directory filled up to 1.5G
# only store a limited amount of jobs (Default: 500)
MaxJobs 40
# Listen for connections from remote machines.
Listen *:631
# With ServerName commented out, there were "BadRequests",
# no matter what was done with Listen.
#ServerName druck.fluid.tuwien.ac.at
ServerAlias druck.fluid.tuwien.ac.at
ServerAlias druck.fluid
ServerAlias druck
# Restrict access to the server...
<Location />
Order allow,deny
# Allow from within TU Wien
Allow from 128.130.0.0/15
</Location>
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
Allow from @LOCAL
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Location>
<Policy default>
.
.
.
# Add Cancel-Job here
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job Cancel-Job>
Order deny,allow
</Limit>
# Remove Cancel-Job here
# Only the owner or an administrator authenticate a job...
<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
</Policy>
The printer description files for all printers, except canon, were installed from the web-interface of cups, after installing hplip. The printer description file for canon, /etc/cups/ppd/canon.ppd was extracted from the tar-archive of the CQue printer driver, which was obtained from the canon support page, http://www.canon.at/support/products/imagerunner/ir2230.aspx
Time synchronization
The computer clock is synchronized with the TU time servers, configured in /etc/systemd/timesyncd.conf, not with the ntp pool servers from debian.
timedatectl set-ntp true
rm /etc/localtime
cp /usr/share/zoneinfo/Europe/Vienna /etc/localtime
Privileges for oswat
The privileges for oswat were elevated slightly.
# For cups, lpadmin; adm to see log files
usermod -a -G adm,lpadmin oswat
Resource usage metrics
Resource usage on s15 is tracked using munin:
apt-get install munin munin-node libapache2-mod-fcgid
a2enmod fcgid
cp -n /etc/munin/munin.conf /etc/munin/munin.conf.orig
cp -n /etc/munin/apache24.conf /etc/munin/apache24.conf.orig
chown oswat:oswat /etc/munin/munin.conf
chown oswat:oswat /etc/munin/apache24.conf
cat >/etc/munin/munin.conf <<EOF
includedir /etc/munin/munin-conf.d
[s15.fluid.tuwien.ac.at]
address 127.0.0.1
use_node_name yes
EOF
cat >/etc/apache2/conf-available/munin.conf <<EOF
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
<RequireAny>
Require ip 128.131.36.0/24
Require ip 128.130.169.0/25
</RequireAny>
Options None
</Directory>
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
<RequireAny>
Require ip 128.131.36.0/24
Require ip 128.130.169.0/25
</RequireAny>
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Location>
EOF
service munin-node restart
service apache2 restart
