Systems - Sun2
Basics
Purpose
Sun2 is a vserver host machine that runs debian etch and a number of virtual servers. It acts as a syslog server for all virtual servers exporting /var/log to the logging server for analysis.
Physical Location
This system is located in a rack.
Physical Configuration
See SystemAdministration/EquipmentList
Logical location
- IP: 172.28.50.12 sun2.intra.cacert.org
- IP: 192.168.1.5
Applicable Documentation
This is it
Administration
System Admin:
- Philipp Gühring
Services
Listening services
|| port || service || access origin || purpose ||
|| 22 || SSH || || SSH access for remote administration ||
|| 514 || syslog || 172.16.2.0/24 || Centralised syslog ||
Running services
|| Service || Started from ||
|| cron || /etc/init.d/cron ||
|| syslog-ng || /etc/init.d/syslog-ng ||
|| ssh || /etc/init.d/ssh ||
|| ntp || /etc/init.d/ntp ||
|| bbackupd || /etc/init.d/boxbackup-client ||
Other services
- Updates OCSP server using /root/ocspupdate.sh script run from cron.
Connected Systems
- Connected to all vservers:
  - www - powered off migration webpage
Outbound network connections
- Does backups to 172.28.50.80 tcp dpt:2201
- maybe Emails things to 172.16.2.3 TODO
- Does DNS somewhere using 172.28.50.1
- Fetches CRL off CAcert homepage for OCSP use
- NTP to nl.pool.ntp.org
- Firewall rules /etc/firewall.sh (includes firewall rules of all vservers on this host)
Security
Non-distribution packages and modifications
Risk assessments on critical packages
Tasks
Vserver navigation
- list vserver - sudo vserver-stat
- enter vserver - sudo vserver {machine} enter
Where the vserver IP addresses are
- more /etc/vservers/*/interfaces/*/ip
building vservers
- `vserver ${NAME} build -m debootstrap -n ${NAME} --hostname ${NAME}.cacert.org --netdev eth0 --interface ${IP} -- -d lenny -m http://ftp.nl.debian.org/debian`
- add the IP to SystemAdministration/IPList
- `mkdir /var/log/${IP} /var/lib/vservers/${NAME}/var/log/remote /var/lib/vservers/${NAME}/etc/skel/.ssh`
- bind-mount the host's log directory read-only into the vserver: `echo "/var/log/${IP} /var/log/remote none ro,bind 0 0" >> /etc/vservers/${NAME}/fstab`
- add firewall rules for your new server in sun2:/etc/firewall.sh
- change syslogging to remote in /var/lib/vservers/${NAME}/etc/rsyslog.d/remotelog.conf, which should contain `*.* @172.16.2.12 # sun2.intra.cacert.org` (or copy it: `cp /var/lib/vservers/cod/etc/rsyslog.d/remotelog.conf /var/lib/vservers/${NAME}/etc/rsyslog.d/remotelog.conf`)
- `vserver ${NAME} start`
- `vserver ${NAME} enter`
- email critical-admin@cacert.org to request access by the sysadmin for that server
- email dns-admin@cacert.org to request internal DNS records be added for ${NAME}.intra.cacert.org
- add `${IP} ${NAME}` to /etc/hosts
- create admin accounts on that vserver: `useradd -m ${ADMIN}`
- install the ssh key in /home/${ADMIN}/.ssh/authorized_keys
- `chown ${ADMIN}:${ADMIN} /home/${ADMIN}/.ssh/authorized_keys`
- `apt-get install sudo`
- `echo "${ADMIN} ALL=NOPASSWD: ALL" >> /etc/sudoers`
- `su - ${ADMIN}`
- `echo {gobbledygoodkpassws} > passwd`
- `sudo passwd ${ADMIN}`
- `exit`
- `apt-get install openssh-server postfix cron-apt`
- `sed -i -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config; /etc/init.d/ssh restart`
- add a ${NAME}-admin@cacert.org alias that delivers to ${ADMIN} on the email system (or email email-admin@cacert.org to request it)
- `echo "MAILTO=${NAME}-admin@cacert.org" > /etc/cron-apt/config.d/config`
- sender-only postfix config:
  - `cp /var/lib/vservers/blog/etc/postfix/main.cf /var/lib/vservers/blog/etc/postfix/sender_rewrite* /var/lib/vservers/${NAME}/etc/postfix/`
  - `sed -i -e "s/blog/${NAME}/g" -e "s/172\.16\.2\.13/${IP}/g" /var/lib/vservers/${NAME}/etc/postfix/main.cf`
  - `echo cacert.org > /var/lib/vservers/${NAME}/etc/mailname`
- TODO etckeeper(?)
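The following script is an added example and is not part of this page or of the CAcert system scripts. It stages the per-vserver configuration fragments from the build procedure above (fstab bind mount, remotelog.conf, cron-apt MAILTO, mailname, sudoers line, hosts entry) under a root directory of your choosing rather than the live paths, so the result can be reviewed before the real `vserver ... build` is run. The root directory argument, the function names, and the `harden_sshd_config` helper are assumptions; the helper goes beyond the page's `sed`, which only rewrites the commented-out default `#PasswordAuthentication yes` and leaves an already-uncommented `PasswordAuthentication yes` in place.

```shell
#!/bin/sh
# Added example, not from the Sun2 page. Stages the config fragments for a
# new vserver under $ROOT (assumed argument) so they can be inspected before
# touching the host. SYSLOG_HOST defaults to the address used in the
# procedure's remotelog.conf.

stage_vserver_configs() {
    NAME="$1"; IP="$2"; ADMIN="$3"; ROOT="$4"
    SYSLOG_HOST="${SYSLOG_HOST:-172.16.2.12}"
    guest="$ROOT/var/lib/vservers/$NAME"

    mkdir -p "$ROOT/var/log/$IP" "$guest/var/log/remote" "$guest/etc/skel/.ssh" \
             "$ROOT/etc/vservers/$NAME" "$guest/etc/rsyslog.d" "$guest/etc/cron-apt/config.d"

    # read-only bind mount of the host's per-vserver log directory into the guest
    echo "/var/log/$IP /var/log/remote none ro,bind 0 0" >> "$ROOT/etc/vservers/$NAME/fstab"

    # forward every facility/priority to the central syslog host
    printf '*.* @%s # sun2.intra.cacert.org\n' "$SYSLOG_HOST" > "$guest/etc/rsyslog.d/remotelog.conf"

    # cron-apt mail goes to the per-server admin alias; outbound mail domain
    echo "MAILTO=${NAME}-admin@cacert.org" > "$guest/etc/cron-apt/config.d/config"
    echo cacert.org > "$guest/etc/mailname"

    # admin sudo entry inside the guest and host-side name resolution
    echo "$ADMIN ALL=NOPASSWD: ALL" >> "$guest/etc/sudoers"
    echo "$IP $NAME" >> "$ROOT/etc/hosts"
}

# Turns off password logins whether the directive is commented out, set to
# yes, or missing entirely (the page's sed only handles the commented default).
harden_sshd_config() {
    f="$1"
    if grep -qE '^[#[:space:]]*PasswordAuthentication' "$f"; then
        sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$f"
    else
        echo 'PasswordAuthentication no' >> "$f"
    fi
}

# Returns 0 only when every fragment the procedure expects is present.
check_staged() {
    NAME="$1"; IP="$2"; ROOT="$3"
    guest="$ROOT/var/lib/vservers/$NAME"
    grep -q "^/var/log/$IP /var/log/remote none ro,bind 0 0$" "$ROOT/etc/vservers/$NAME/fstab" &&
    grep -q '^\*\.\* @' "$guest/etc/rsyslog.d/remotelog.conf" &&
    grep -q "^MAILTO=${NAME}-admin@cacert.org$" "$guest/etc/cron-apt/config.d/config" &&
    grep -q "^$IP $NAME$" "$ROOT/etc/hosts" &&
    [ -d "$guest/var/log/remote" ]
}
```

Run `stage_vserver_configs NAME IP ADMIN /tmp/stage` and diff the staged tree against the live host before copying anything; `harden_sshd_config` is meant for the guest's /etc/ssh/sshd_config after openssh-server is installed.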
Critical Configuration items
== Firewall ==
- /etc/firewall.sh - Firewall configuration
- /etc/cron.monthly/iptables - resets tallies on iptables rules and saves copy in /var/log/x41002/iptables*
- /var/log/x41002/iptables* - firewall logs from monthly tally or restart of /etc/firewall.sh
Changes
Planned
Document Backups