**__SERVER GOES DOWN MONDAY, MARCH 19TH AS EARLY AS I CAN DO IT__**

DONE, and done: we got 64 bits up and running by 4pm on the 19th. LOTS of issues to follow, hopefully all documented here!

====== Upgrade TODO ======

Here is a good todo list for upgrading archon. First thing you need to do is isolate your setup, so that the IP address doesn't collide with the real archon.

  * Get the traffic shaping script working with the new 2.6 kernel (or use another one that does the same thing)
  * Rebuild sendmail configuration files
  * Export and re-import MySQL data (going from version 4 to version 5)
  * Update the DHCP configuration so you don't get warning messages
  * Get apache (http and https) running, and set up secure SquirrelMail
  * NAT gateway... always takes me forever to turn on ALL the needed modules to get that working.
  * Clean up the virtual hosting by breaking websites into include files.
  * Try a kernel without IPv6 and also rebuild mplayer now that you don't have it installed. Maybe this will fix DHCPD, which is still broken on archon.
  * Fix it so that you can send email from hosts inside the firewall (sure you want to do that, or just use certs?)
  * MAYBE the sendmail woes (sending) are also something to do with IPv6? It is hanging on even a simple telnet to port 25!?

===== Post Reboot =====

You can do these afterwards... shouldn't be too bad if down... (easy enough, I just knocked them out beforehand)

  * ftp up and configured
  * irc up and configured (I think so)
  * svn setup
  * spamassassin
  * slimserver
  * hexedit
  * sirc
  * md5deep
  * IDL 6.3 (x64)
  * smbfs (Samba shares)
  * finger (open that up)
  * nfs setup (exports and permissions)
  * install zgal
  * contact Verizon and whitelist your mail server [[http://www2.verizon.net/micro/whitelist/]]
  * permissions on the 'easter shore radio' login.
  * fix DHCPD, it is NOT working. STILL NOT WORKING (just using SAGE as my DHCPD server for now...)
====== Backup ======

===== DVD-R =====

Here is the script I used to create a DVD archival set of archon's main files.

<code bash>
#
# simple script to generate rar backups for DVD burning
#   a        add files to archive
#   -ds      disable sorting of the file names
#   -ol      save symbolic links as links and not the files
#   -r       recurse subdirectories
#   -s       build solid volumes
#   -rv18    build 18 parity volumes
#   -v512000 make volumes of 512000 x 1000 bytes (about 500 megs) each
nice -n 19 rar a -ds -ol -r -s -rv18 -v512000 archonBackup.rar /etc/ /home/ /nofadz/ /usr/local/
</code>

===== mysqld databases =====

  * Dump the mysql databases daily to a rotating set of a week's worth of backups. (0-6 day of the week)
  * Pluck out the current week's file to the week-of-the-year file. (week of the year 00-53)
  * Pluck out each current month's file. (month of the year 00-12)
  * Finally, just copy to the current year.

Here is a script that will do this:

<code bash>
# use the date function to generate file names
</code>

===== user files =====

I am mirroring the /vault drive with **/etc/cron.daily/mirror_vault.sh**:

<code bash>
#!/bin/sh
#
# make a mirror of /vault
rsync -va /mnt/vault/ /mnt/mirror/vault/
</code>

====== Boot ======

===== lilo =====

Modify **/etc/lilo.conf** to lower the boot time. Here is my current {{computers:lilo.conf.txt|lilo.conf}}.

====== Cronjobs ======

===== Hourly =====

Files are in: **/etc/cron.hourly/**

==== Check NFS Mounts ====

After the last power outage, the NWN servers were not speaking, as I hadn't mounted the NFS mounts which share the drives to one another. So it occurred to me to write a little script to test if the NFS directories were mounted (and if not, go ahead and try to mount them).

NOTE: I moved this to hourly so it will reconnect after a power off / reboot in a more reasonable time.

**/etc/cron.hourly/check_nfs_mounts.sh**:

<code bash>
#!/bin/bash
#
# check_nfs_mounts.sh
# quick check if we have our NFS directories mounted... if not... mount them!
# - dlr 2008/11/12
MOUNTEDTEST=`df | grep '/mnt/nfs/sage/space' | wc -l`
if [ $MOUNTEDTEST -ne 1 ]; then
    mount /mnt/nfs/sage/space
fi
MOUNTEDTEST=`df | grep '/mnt/nfs/sage/local/home' | wc -l`
if [ $MOUNTEDTEST -ne 1 ]; then
    mount /mnt/nfs/sage/local/home
fi
</code>

==== dovecot alive? ====

Not sure why this daemon keeps crashing (it turned out that a big time jump (the daily setting of the clock via NTP) caused the daemon to shut itself down without a restart). Here's a little script to keep it running (at least checking on it hourly).

**dovecot-alive.sh**:

<code bash>
#!/bin/sh
#
# check the pop3s port and see if dovecot is listening...
DOVECOTCOUNT=`nmap -p 995 localhost | grep pop3s | grep open | wc -l`
if [ $DOVECOTCOUNT -ne 1 ]; then
    echo "Restarting dovecot: /usr/local/sbin/dovecot"
    /usr/local/sbin/dovecot
fi
</code>

==== ssh alive? ====

sshd died last night, and no one could get in. If I'm not around and this happens... we'll be in trouble. So I made an hourly script that looks for ssh listening on port 22.

**/etc/cron.hourly/sshd-alive.sh** (this is an exact copy of the dovecot one... I should combine them into a [[http://en.wikipedia.org/wiki/Master_Control_Program_%28Tron%29|MCP]] script!)

<code bash>
#!/bin/sh
#
# check the ssh port to make sure sshd is still alive
SSHDCOUNT=`nmap -p 22 localhost | grep ssh | grep open | wc -l`
if [ $SSHDCOUNT -ne 1 ]; then
    /etc/rc.d/rc.sshd restart
fi
</code>

==== Synchronize To Timeserver ====

**NOTE:** I moved this to hourly (it was daily) because too big a time jump and [[#dovecot]] __SHUTS DOWN__! Found that in **/var/log/maillog**. SO, if we just set our time every hour, then it won't ever move more than a second, and [[#dovecot]] should be happy with that.
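Folding the hourly checks above (the two NFS mounts, dovecot on 995, sshd on 22) into the single MCP-style script the sshd note wishes for; this is an added example, not a script from the wiki. It assumes `df -P` for mounts and `ss -ltn` for listeners (instead of nmap), the file name mcp_check.sh is made up, and the df/ss sample text it carries is constructed, not captured from archon.

```shell
#!/bin/sh
# mcp_check.sh: one hourly "MCP" script covering the separate checks above:
# NFS mounts, dovecot (pop3s, 995) and sshd (22).  Added example, not code
# from the wiki.  Assumptions: `df -P` for mounts and `ss -ltn` for listeners
# (the wiki scripts use nmap).  Without MCP_APPLY=1 it only reports.

# is_mounted MOUNTPOINT [DF_OUTPUT]
# The wiki scripts count `df | grep '/mnt/nfs/sage/space' | wc -l`, which also
# matches /mnt/nfs/sage/space2 or any longer path.  Compare the last df column
# to the exact mount point instead (-P keeps one filesystem per line).
is_mounted() {
    mp=$1
    dfout=${2:-$(df -P 2>/dev/null)}
    printf '%s\n' "$dfout" | awk -v mp="$mp" '$NF == mp { found = 1 } END { exit !found }'
}

# port_listening PORT [SS_OUTPUT]
# True when some TCP socket listens on PORT; the port is taken from the
# "Local Address:Port" column only, so 993 does not match 9930 or a peer column.
port_listening() {
    port=$1
    ssout=${2:-$(ss -ltn 2>/dev/null)}
    printf '%s\n' "$ssout" | awk -v p="$port" '
        NR > 1 { addr = $4; sub(/.*:/, "", addr); if (addr == p) found = 1 }
        END { exit !found }'
}

# check_mount MOUNTPOINT: report, and mount it when MCP_APPLY=1
check_mount() {
    if is_mounted "$1"; then
        echo "ok: $1 is mounted"
        return 0
    fi
    echo "MISSING: $1 is not mounted"
    if [ "${MCP_APPLY:-0}" = "1" ]; then mount "$1"; fi
    return 1
}

# check_service NAME PORT RESTART_CMD: report, and restart when MCP_APPLY=1
check_service() {
    if port_listening "$2"; then
        echo "ok: $1 is listening on $2"
        return 0
    fi
    echo "DOWN: $1 is not listening on $2"
    if [ "${MCP_APPLY:-0}" = "1" ]; then eval "$3"; fi
    return 1
}

# The four checks from the wiki in one place; exit status is non-zero if
# anything was found missing, so cron mails the report.
mcp_main() {
    rc=0
    check_mount /mnt/nfs/sage/space || rc=1
    check_mount /mnt/nfs/sage/local/home || rc=1
    check_service dovecot 995 '/usr/local/sbin/dovecot' || rc=1
    check_service sshd 22 '/etc/rc.d/rc.sshd restart' || rc=1
    return $rc
}

# Constructed sample output (not captured from archon) for trying the parsers
# without touching the live system.
SAMPLE_DF='Filesystem       1024-blocks      Used Available Capacity Mounted on
/dev/sda2           51474912  20123456  28730000      42% /
sage:/space        961432064 512000000 400000000      57% /mnt/nfs/sage/space
sage:/local/home   102400000  10000000  80000000      12% /mnt/nfs/sage/local/home'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    127.0.0.1:143      0.0.0.0:*
LISTEN 0      100    [::]:993           [::]:*'

# Live run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    mcp_main
fi
```

Run it from cron as `mcp_check.sh --run`; add `MCP_APPLY=1` once you trust the report, and the mounts and restarts actually happen.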
**/etc/cron.hourly/set_clock_via_network.sh**:

<code bash>
#!/bin/sh
/usr/sbin/ntpdate time-a.nist.gov
</code>

===== Daily =====

Files are in: **/etc/cron.daily/**

==== Check Free Disk Space ====

**/etc/cron.daily/check_free_disk_space.sh**:

<code bash>
#!/bin/sh
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN, if the used percentage
# of space is >= 90%
# -------------------------------------------------------------------------
# Copyright (c) 2005 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Linux shell script to watch disk space (should work on other UNIX oses )
# SEE URL: http://www.cyberciti.biz/tips/shell-script-to-watch-the-disk-space.html

# set admin email so that you can get email
ADMIN="me@somewher.com"      # modify this to your email address
# set alert level 90% is default
ALERT=90
df -H --exclude-type=nfs | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $5 " " $1 }' | while read output;
do
  #echo $output
  usep=$(echo $output | awk '{ print $1}' | cut -d'%' -f1 )
  partition=$(echo $output | awk '{ print $2 }' )
  if [ $usep -ge $ALERT ]; then
    echo "Running out of space \"$partition ($usep%)\" on $(hostname) as on $(date)" | \
      mail -s "Alert: Almost out of disk space $usep" $ADMIN
  fi
done
</code>

==== Clean /tmp Folder ====

Things in the /tmp folder seem to clutter up, so I'm going to run a script that deletes anything older than a couple of days.
(Try two days to start.)

**/etc/cron.daily/clean_tmp_dir.sh**:

<code bash>
#!/bin/sh
#
find /tmp/ -type f -atime +2 -exec rm -f {} \;
</code>

====== Daemons ======

===== apache/httpd =====

  * move the htdocs out of the main dir
<code bash>
cd /var/www/
mkdir htdocs_orig
mv htdocs/* htdocs_orig/
</code>
  * modify **/etc/apache/httpd.conf** so that php and ssl stuff will run
    * uncomment: ''Include /etc/apache/mod_php.conf''
    * uncomment: ''Include /etc/apache/mod_ssl.conf''
  * included our vhosts in a separate file
<code apache>
### Section 3: Virtual Hosts
# i moved this to a separate file.... - dlr 2004/05/31
Include /etc/apache/archon_vhosts.conf
</code>
  * allow server side includes
<code apache>
# If you want to use server side includes, or CGI outside
# ScriptAliased directories, uncomment the following lines.
#
# To use CGI scripts:
#
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
#
# To use server-parsed HTML files
#
#AddType text/html .shtml
#AddHandler server-parsed .shtml
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler server-parsed .html
AddHandler server-parsed .htm
</code>
  * added a common hosting log
<code apache>
# archon specific LogFormat - dlr 20070319
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" commonvhost
# archon specific LogFormat - dlr 20070319
CustomLog /var/log/apache/allsites_access_log commonvhost
</code>

==== Content Migration ====

I'm no longer going to use a 'non-standard' user for the webserver user default. So I'm finding all the files with www (old user/group ID of 200) and chowning them to the standard nobody:nobody that apache comes with.
<code bash>
find /var/www/htdocs/ -type f -group 200 -exec chgrp nobody {} \;
find /var/www/htdocs/ -type f -user 200 -exec chown nobody {} \;
</code>

==== SSL Key / Cert Generation ====

This is an example of making a key for **lvis.gsfc.nasa.gov**

<code bash>
mkdir /tmp/sslkeys
cd /tmp/sslkeys
openssl genrsa -rand /dev/urandom -out secure.lattice.net.key 1024
openssl req -new -key secure.lattice.net.key -out secure.lattice.net.csr
</code>

and then you'll need these responses to these questions (for example):

<code>
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Maryland
Locality Name (eg, city) []: Ellicott City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Global Lattice Internet Services
Organizational Unit Name (eg, section) []: IT Security Department
Common Name (eg, YOUR name) []: secure.lattice.net
Email Address []: david@lattice.net
</code>

Leave these last two blank:

<code>
A challenge password []:
An optional company name []:
</code>

And then you need to sign the cert; this example is for 10 years.

<code bash>
openssl x509 -req -days 3650 -in secure.lattice.net.csr -signkey secure.lattice.net.key -out secure.lattice.net.crt
# set the permissions for the key
chmod 640 secure.lattice.net.key
chown root:nobody secure.lattice.net.key
mv /tmp/sslkeys/secure.lattice.net.crt /etc/apache/ssl.crt/
mv /tmp/sslkeys/secure.lattice.net.csr /etc/apache/ssl.csr/
mv /tmp/sslkeys/secure.lattice.net.key /etc/apache/ssl.key/
</code>

**NOTE**: Be sure the .key file is permissioned such that only root and the webserver can read the file.

Now to install this certificate where the https stuff can find it. Time to edit **/etc/apache/mod_ssl.conf**:

<code apache>
DocumentRoot "/var/www/htdocs/secure"
ServerName secure.lattice.net
ServerAdmin SOME E-MAIL addy   # (-8
...
SSLCertificateFile /etc/apache/ssl.crt/secure.lattice.net.crt
...
SSLCertificateKeyFile /etc/apache/ssl.key/secure.lattice.net.key
...
</code>
Finally, you need to modify **/etc/rc.d/rc.httpd** so that it fires up the SSL daemon (now that we have configured the mod_ssl part).

<code bash>
/usr/sbin/apachectl startssl
;;
</code>

==== Wiki Upgrade ====

This is for my personal wiki, but I wanted to log this, as it applies to any installation of DokuWiki. Here are the specifics for my install:

<code bash>
cd /home/david/down/dokuwiki/
# use lynx to fetch http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2007-06-26b.tgz?id=projects%3Adokuwiki&cache=cache
# untar the new one
tar -zxvf dokuwiki-2007-06-26b.tgz
# make a backup of the current one
# since I forced my wiki into the root directory... I need to do this.
# I SHOULD move this all to a subdirectory and symlink these directories in!
mkdir backup
rsync -va ~david/public_html/bin/ backup/bin/
rsync -va ~david/public_html/conf/ backup/conf/
rsync -va ~david/public_html/data/ backup/data/
rsync -va ~david/public_html/inc/ backup/inc
rsync -va ~david/public_html/lib/ backup/lib
# move the new stuff over to the current run location
rsync -va dokuwiki-2007-06-26b/ ~/public_html/
# rsync our data back (as root to get the permissions right)
rsync -va ~david/down/dokuwiki/backup/data/ ~david/public_html/data/
# clear the cache
rm -rf ~david/public_html/data/cache/*
# modify .htaccess (just copy and uncomment the line)
#   Options -Indexes -MultiViews +FollowSymLinks
# chgrp and chmod the files
chgrp -R nobody ~david/public_html/data
chmod -R g+w ~david/public_html/data
# copy the configuration files
cp ~david/down/dokuwiki/backup/conf/acl.auth.php ~david/public_html/conf/acl.auth.php
cp ~david/down/dokuwiki/backup/conf/local.php ~david/public_html/conf/local.php
cp ~david/down/dokuwiki/backup/conf/users.auth.php ~david/public_html/conf/users.auth.php
</code>

===== apcupsd =====

I am sharing the UPS with sage, so that was the easiest to install and get running (RPM package). I am going to install the software on here also, as this one runs on the same UPS.
  - Download and install the software (here is the current link: [[http://voxel.dl.sourceforge.net/sourceforge/apcupsd/apcupsd-3.14.4.tar.gz]])
<code bash>
cd /usr/local/src/apcupsd
./configure
make
make install
</code>
  - Edit the config file. The only changes I made were these (I made this one come down first, since it is a slave to the actual machine monitoring the UPS, so I raised the battery level to 10 and the time left to 5 minutes):
<code>
UPSTYPE net
DEVICE 10.0.0.2
BATTERYLEVEL 10
MINUTES 5
</code>
  - Modified **/etc/rc.d/rc.local** to fire up the APC daemon on boot:
<code bash>
# apc ups monitoring daemon
echo 'Firing up apcupsd to monitor the UPS'
/sbin/apcupsd
</code>

And I tested it with a simple **apcaccess** call, which gives you the status of the UPS, and that looks right. I have NOT tested whether powering down the UPS really will shut everything down... maybe some other day.

===== bind =====

The actual daemon run is **named**. For whatever reason, the last upgrade of slamd64 makes the line in **/etc/named.conf** with the cname call break the program, so I just commented it out and things work OK now: -- 2008/03/01

<code>
logging {
        category lame-servers { null; };
#       category cname { null; };
};
</code>

Seems like a good place to put information on **/etc/resolv.conf**. You can stack up to 3 name servers (on separate lines) and stack your domain searches with a space between each.

<code>
nameserver ns1.lattice.net
nameserver ns2.lattice.net
search lattice.net nofadz.com
</code>

I also want to start the DNS server EARLY in the boot, so that other daemons can do name lookups... hmmm, seems to be in inet2... maybe that was an old slackware problem, hehehe.
==== addresses ====

Some core IP addresses:

^ FQDN               ^ IP Address                   ^
| archon.lattice.net | 71.127.151.90                |
| imap.lattice.net   | //archon.lattice.net alias// |
| ns1.lattice.net    | //archon.lattice.net alias// |
| ns2.lattice.net    | //sage.lattice.net alias//   |
| sage.lattice.net   | 71.127.151.91                |
| secure.lattice.net | //archon.lattice.net alias// |

==== config ====

**/etc/named.conf** is the big file, and here is the version as of this update: {{computers:named.conf.txt}}

==== root.hints update ====

Automated script to update root.hints monthly.

===== dhcpd =====

I pulled my hair out over this one. It would not work until I simply RE-INSTALLED the dhcpd package from the source again. That seemed to fix it!

SCRATCH THAT, it is still broken. I think it might be because I have IPv6 installed. It only doesn't work with windows machines... so I'm still suspicious that something isn't quite right with maybe the kernel or something. MPlayer is having trouble playing streams because it doesn't reverse lookup with IPv6, so maybe that is a clue. I'll try to fix it after everyone is off NWN for the day (tomorrow morning).

Here is my configuration file:

<code>
# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#
# archon.lattice.net dhcpd.conf - dlr 20070322 (spring is here!)

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Sets the domain name and our default DNS servers
option domain-name "lattice.net";
option domain-name-servers 10.0.0.1, 10.0.0.2;
option netbios-name-servers 10.0.0.1;
option netbios-dd-server 10.0.0.1;
option netbios-scope "";
option netbios-node-type 8;

# Sets the lease time in seconds before computers must renew their leases
default-lease-time 86400;
# Set the maximum amount of time a pc can hold a lease for
max-lease-time 864000;

# I was told to do this :)
# ddns-update-style ad-hoc;
ddns-update-style none;
ddns-ttl 86400;

# This is a subnet which the dhcpd server controls, note the { this is required
subnet 10.0.0.0 netmask 255.255.255.0 {
    # Sets the network gateway / router
    option routers 10.0.0.1;
    # Sets the network broadcast address
    option broadcast-address 10.0.0.255;
    # Defines a range of ips to be used as leases
    range 10.0.0.100 10.0.0.200;

    # specific host definitions
    host david {                               # Set the hostname of the client computer
        hardware ethernet 00:50:8d:ed:aa:dd;   # Registers the MAC address of the client computer.
        fixed-address 10.0.0.42;               # This line specifies the IP address for david's computer
    }
    host krysalis {                            # Set the hostname of the client computer
        hardware ethernet 00:10:dc:a1:d3:aa;   # Registers the MAC address of the client computer.
        fixed-address 10.0.0.40;               # This line specifies the IP address for christine's computer
    }
    host wirelesslan {                         # Set the hostname of the client computer
        hardware ethernet 00:30:bd:66:4d:b2;   # Registers the MAC address of the client computer.
        fixed-address 10.0.0.11;               # This line specifies the IP address for the wireless lan (inside)
    }
}
</code>

I just added this to /etc/rc.d/rc.local:

<code bash>
# this is required to enable us to respond to windows clients
route add -host 255.255.255.255 dev eth1
echo 'Firing up DHCP daemon: /usr/sbin/dhcpd eth1'
/usr/sbin/dhcpd eth1
</code>

===== dovecot =====

==== Upgrading ====

  - Downloaded latest version (1.2.16)
  - Uncompress in **/usr/local/src**
  - Build:
<code bash>
./configure
make
make install
</code>
  - Fix the certificate (make a new one):
<code bash>
cd /usr/local/src/dovecot-1.2.16/doc
mv dovecot-openssl.cnf dovecot-openssl.cnf.orig
nano dovecot-openssl.cnf                      ### and paste in your values
chmod 755 mkcert.sh
mv /etc/ssl/certs/dovecot.pem /etc/ssl/certs/dovecot.pem.20101210
mv /etc/ssl/private/dovecot.pem /etc/ssl/private/dovecot.pem.20101210
./mkcert.sh
chmod 600 /etc/ssl/private/dovecot.pem        # it already was, but just in case
</code>
  - Restart **dovecot** (I just killed the process and then ran it again)

==== Initial Install ====

  * Download the source from [[http://www.dovecot.org/download.html|Dovecot home page]].
  * Compile and install
<code bash>
./configure
make
make install
</code>
  * Modify **/usr/local/etc/dovecot.conf** (since we installed from source, and I didn't set any paths, we're all in /usr/local... so I changed that throughout the configuration file.)
<code>
# any time you find /usr/libexec make it /usr/local/libexec

# allowed protocols (I am only going to allow IMAP to localhost, force IMAPS(993) or POP3S(995) from the outside)
protocols = imap imaps pop3s

# and later in
protocol imap {
  # archon only will do IMAP to localhost
  listen = localhost:143
  ssl_listen = *:993

# and I put this in for the pop3 (only pop3s mind you) to work
pop3_uidl_format = %08Xu%08Xv
</code>
  * I also commented out all the PAM authentication because slackware doesn't seem to have it. I then just uncommented the 'shadow' section to use that for authentication.
  * Added a dovecot group and user (used UID and GID 97:97)
<code>
# in /etc/group
dovecot::97:dovecot
#
# in /etc/passwd
dovecot:x:97:97:dovecot:/:
#
# in /etc/shadow
dovecot:*:9797:0:::::
</code>
  * Generate the keys and stick them where dovecot is looking for them (config file {{computers:dovecot-openssl.cnf.txt|dovecot-openssl.cnf.txt}}). (NOTE: 2008/10/03 - I updated this to use the server name archon.lattice.net instead of imap, since the name conflicted and Thunderbird was complaining, and regenerated the keys so they are current.)
<code bash>
cd /usr/local/src/dovecot-1.0.rc26/doc
jed dovecot-openssl.cnf                 # and put in all your stuff
chmod 755 mkcert.sh
./mkcert.sh
chmod 600 /etc/ssl/private/dovecot.pem  # it already was, but just in case
</code>
  * And add this to **/etc/rc.d/rc.local** of course.
<code bash>
echo 'Firing up our IMAP server: /usr/local/sbin/dovecot'
/usr/local/sbin/dovecot
</code>

===== inetd =====

**NOTE** I just used dovecot, because it was easy to figure out how to configure it. YEAH!!\\
[[computers:serverconfig#dovecot|dovecot imapd daemon]]

**/etc/inetd.conf**: just commented out the **auth** service. It was conflicting with //bind/named//.

==== imapd ====

I did away with the included IMAP daemon, because I could NOT get it to work. My experience with CentOS taught me that the 'dovecot' package just worked right out of the box. Sure enough, I got that to install and run without too much trouble (the documentation got me through it fairly quickly).

===== ircd =====

Pretty straightforward on the build. I don't remember much about the configuration other than we commented out a LOT of it (so the server is local only).

<code bash>
cd /usr/local/src/irc2.11.1p1
./configure
cd /usr/local/src/irc2.11.1p1/x86_64-unknown-linux-gnu
make install
</code>

Then you'll want to modify the configuration files (the ircd files in **/usr/local/etc/**). Here are my config files so you can exploit the weakness of this death star.
{{computers:ircd.conf.txt|/usr/local/etc/ircd.conf}} and {{computers:ircd.motd.txt|/usr/local/etc/ircd.motd}}

And don't forget to add this to **/etc/rc.d/rc.local** after you get your configuration files in place:

<code bash>
# fire up ircd
echo 'Firing up ircd: /usr/local/sbin/ircd -c'
/usr/local/sbin/ircd -c
</code>

===== mysqld =====

==== Exporting DB ====

Export the current database from archon:

<code bash>
mysqldump --all-databases --user=root -p > ~/mysql_dump.sql
</code>

And then to import, just fire up [[computers:serverconfig#phpmyadmin|phpMyAdmin]] and execute the .sql file. (and cross your fingers!)

Of course, if the file is large (the archon dump IS), you'll need to try just piping the MySQL file into mysql:

<code bash>
mysql --user=root -p < /root/mysql_archon20070311_all_databases_dump.sql
</code>

==== Setup ====

  * Uncomment the 'skip networking' in **/etc/rc.d/rc.mysqld**
  * as **root** you need to run these (to init the database):
<code bash>
mysql_install_db
chown -R mysql:mysql /var/lib/mysql/
</code>
  * fire up the database & change the root password:
<code bash>
cd /usr ; /usr/bin/mysqld_safe &
/usr/bin/mysqladmin -u root password 'new-password'
</code>

===== sendmail =====

==== IGNORE THIS FOR NOW ====

**NOTE:** A lot of this cert stuff was found here: [[http://www.linuxquestions.org/questions/showthread.php?t=224543]]

  * if you don't already have them, you'll need to make certificates for sendmail
<code bash>
mkdir /etc/mail/certs/
cd /etc/mail/certs/
openssl req -new -x509 -keyout CA.key.pem -out CA.cert.pem -days 1865
</code>

When prompted for the Common Name be sure to enter the FQDN of your webserver, i.e. www.mywebserver.com

Now that we have our own CA, let's go ahead and make a certificate and sign it.

<code bash>
openssl req -nodes -new -x509 -keyout smtp.key.pem -out smtp.cert.pem -days 1460
</code>

Note that the CA is good for 5 years (1865 days) and the cert is good for 4 years (1460 days). It's always a good idea to make the cert invalid before the CA that signed it.
Next, we must put the right permissions on our cert as it contains sensitive data:

<code bash>
chmod 600 smtp.cert.pem smtp.key.pem
</code>

FYI, if you want to see the contents of the cert, go ahead and run this command:

<code bash>
openssl x509 -noout -text -in smtp.cert.pem
</code>

Some information you might like:

<code>
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Ellicott City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Global Lattice Internet Services
Organizational Unit Name (eg, section) []:Secure Communications Department
Common Name (eg, YOUR name) []:archon.lattice.net
Email Address []:root@lattice.net
</code>

==== aliases ====

Aliases can be set up in **/etc/mail/aliases**, and the following is an example of updating the hash table after editing it.

<code bash>
cd /etc/mail
makemap hash aliases < aliases
/etc/rc.d/rc.sendmail restart
</code>

==== sendmail.cf ====

  * Building the .cf file from the .mc file. Start with the provided base file and build up the config:
<code bash>
cd /usr/share/sendmail/cf/cf
# I want the TLS authentication
cp sendmail-slackware-tls.mc archon.mc
</code>

Add the following lines to enable spam blocking (well, it helps a little anyway):

<code>
FEATURE(`dnsbl',`list.dsbl.org')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org')dnl

dnl# Set an outgoing server to pass email through since we are being blocked by DNS block lists now
define(`SMART_HOST',`outgoing.verizon.net')
</code>

Need to add an entry to **/etc/mail/access** to authorize the email being sent by archon:

<code>
AuthInfo:outgoing.verizon.net "U:user" "I:user" "P:password" "M:PLAIN"
</code>

Then go ahead and build up the configuration file and install it:

<code bash>
sh Build archon.mc
cp archon.cf /etc/mail/sendmail.cf
</code>

==== virtusertable ====

Aliases can be set up in **/etc/mail/virtusertable**, and the following is an example of updating the hash table after editing the virtual user table.
<code bash>
cd /etc/mail
makemap hash virtusertable < virtusertable
/etc/rc.d/rc.sendmail restart
</code>

===== slimserver =====

==== Version 7.0 ====

Installed 2008/04/26 - dlr - latest version installed since the old one stopped working after I rebooted?! (Perl upgrade probably.) Looks like it was getting confused with the old version that was already installed... so I moved all of the files that mentioned 'slim' into ~/slimserverStuff to get them out of the normal path.

  - Moved old slimserver stuff first:
<code bash>
cd ~/
mkdir slimserverStuff
mv Cache slimserverStuff
mv slimserver.pref slimserverStuff
</code>
  - As root, install the server:
<code bash>
cd /usr/local/archon
tar -zxvf squeezecenter-7.0.tgz
chown -R quake:mp3 squeezecenter-7.0-17793
cd /usr/local
ln -s /usr/local/archon/squeezecenter-7.0-17793 slimserver
</code>
  - As root, install the Perl modules that it needs (doesn't work automagically as it should):
<code bash>
/usr/bin/perl -MCPAN -e shell
cpan> install Compress::Zlib
cpan> install GD
</code>
  - Add this to **/etc/rc.d/rc.local** so it will run at start (as the quake user, not as root):
<code bash>
# slimserver
echo 'Firing up slimserver'
sudo -u quake /usr/local/slimserver/slimserver.pl --daemon
</code>

==== Version 6.5.1 ====

Download from slimdevices.com [[http://www.slimdevices.com/su_downloads.html]]

<code bash>
rpm2tgz SlimServer_v6.5.1.noarch.rpm
installpkg SlimServer_v6.5.1.noarch.tgz
mv /usr/local/slimserver/ /usr/local/archon/SlimServer_v6.5.1
ln -s /usr/local/archon/SlimServer_v6.5.1 /usr/local/slimserver
chown -R quake /usr/local/archon/SlimServer_v6.5.1/
chown quake /etc/slimserver.conf
# as the 'quake' user:
/usr/local/archon/SlimServer_v6.5.1/Bin/build-perl-modules.pl YAML::Syck
# need to do this, because we're x86_64 and this doesn't match our local MySQL
cp /usr/share/mysql/english/errmsg.sys /usr/local/slimserver/MySQL/errmsg.sys
# to run this
/usr/local/slimserver/slimserver.pl --daemon
</code>

There was a problem with the [wmadec] program, I think because of the 64bit (or maybe just linux not windoze). Anyhoo, found this workaround...
In **/usr/local/slimserver/slimserver-convert.conf** (which overrides options in **/usr/local/slimserver/convert.conf**) put this:

<code>
wma wav squeezebox *
	[ffmpeg] -v 0 -i $FILE$ -f wav -

wma mp3 * *
	[ffmpeg] -v 0 -i $FILE$ -f wav - | [lame] -x -m s -r -S -q 5 -s 44.1 - -
</code>

===== smbd (samba) =====

Make a reasonable **/etc/samba/smb.conf** that doesn't allow outside connections (also have them dropped at eth0 (wan)) so outsiders cannot hit the server / files.

<code>
[global]
   workgroup = DCGAMER
   netbios name = ARCHON
   wins support = yes
   server string = Archon Samba Server
   # don't log, we get hammered from the outside
   # log file = /var/log/samba.%m
   max log size = 50
   interfaces = eth1 lo
   hosts deny = ALL
   hosts allow = 10.0.0.0/24 127.
   security = share

[vault]
   comment = Archon Vault
   path = /vault/
   public = yes
   only guest = yes
   writable = no
   printable = no
</code>

I also enabled cups so that the printing would work from here also... why not:

<code bash>
chmod 755 /etc/rc.d/rc.cups
/etc/rc.d/rc.cups start
</code>

===== spamd (SpamAssassin) =====

[[http://spamassassin.apache.org/downloads.cgi|SpamAssassin Download Page]]

<code bash>
cd /usr/local/src
tar -jxvf ~/downloads/Mail-SpamAssassin-3.1.8.tar.bz2
cd Mail-SpamAssassin-3.1.8
perl Makefile.PL
make
make install
</code>

Here is a **/etc/rc.d/rc.spamd** I found: {{computers:rc.spamd.txt|rc.spamd}}

Add this to **/etc/rc.d/rc.local**:

<code bash>
# spamd -- SAVE US hehehe
echo 'Firing up SPAMD spam assassin filter:'
/etc/rc.d/rc.spamd start
</code>

===== sshd =====

  * Enable the X windows pipe by default in **/etc/ssh/ssh_config**
<code>
ForwardX11 yes
ForwardX11Trusted yes
</code>
  * Enable the X windows pipe by default in **/etc/ssh/sshd_config**
<code>
X11Forwarding yes
</code>

===== talkd =====

Just uncomment the talkd line in **/etc/inetd.conf** and restart.

===== vsftpd =====

I want just anonymous FTP available to the outside... ok, I added a couple of 'choice' users to be able to FTP. So I modified the configuration file so that it checks a list, and if you're on the list... you can ftp (do not abuse this).
The only thing I changed in **/etc/vsftpd** was:

<code>
# I just want anonymous ftp... everyone can use scp or sftp to move files around
local_enable=YES
userlist_deny=NO
userlist_enable=YES
</code>

So you need to add users to **/etc/vsftpd.user_list**. And uncomment vsftp in **/etc/inetd.conf** and restart.

====== Kernel ======

I finally got ALL the correct modules installed so that the netfilter works. Here is my current kernel configuration file: {{computers:archon.lattice.net.kernel.config.txt}}

Downloaded the latest stable kernel: [[http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.20.tar.bz2|linux-2.6.20.tar.bz2]]

<code bash>
cd /usr/src/
tar -jxvf linux-2.6.20.2.tar.bz2
mv linux-2.6.20/ linux-2.6.20.2
ln -s linux-2.6.20.2 linux
cd linux
make menuconfig        # set all your options
make
make install
make modules_install
</code>

====== Libraries ======

===== a52dec =====

a52dec-0.7.4 ([[http://liba52.sourceforge.net/downloads.html|Directly from the development page]])

<code bash>
./configure
make
make install
</code>

===== faad2 =====

faad2-2.0 ([[http://prdownloads.sourceforge.net/faac/faad2-2.0.zip?download|Sourceforge]])

NOTE: After you generate the Makefile you need to edit out the bottom. It is broken.
<code bash>
autoreconf -vif
./configure
# edit the Makefile and REMOVE the bottom RPM section (it is broken and we aren't doing that anyway)
make
make install
</code>

===== ffmpeg =====

Download the SVN: [[http://ffmpeg.mplayerhq.hu/download.html|ffmpeg development page]]

<code bash>
./configure --enable-liba52 --enable-gpl --enable-libmp3lame --enable-libogg --enable-libvorbis \
            --enable-libtheora --enable-libfaad --enable-pthreads
make
make install
</code>

===== flac =====

flac-1.1.2 ([[http://flac.sourceforge.net/download.html|Sourceforge]])

<code bash>
./configure
make
make install
</code>

===== id3lib =====

id3lib-3.8.3 ([[http://id3lib.sourceforge.net/]])

<code bash>
./configure
make
make install
</code>

===== id3tag =====

libid3tag-0.15.1b ([[http://sourceforge.net/project/showfiles.php?group_id=12349|Sourceforge Page]])

<code bash>
./configure
make
make install
</code>

===== lame =====

lame-3.97 ([[http://lame.sourceforge.net/download.php|Download]])

<code bash>
./configure
make
make install
</code>

===== theora libs =====

[[http://www.theora.org/|The Theora development page]]

=== libtheora-1.0alpha7 ===

<code bash>
./configure
make
make install
</code>

=== libogg-1.1.3 ===

<code bash>
./configure
make
make install
</code>

=== libvorbis-1.1.2 ===

<code bash>
./configure
make
make install
</code>

====== Mainboard ======

===== Archon =====

Tyan [[http://www.tyan.com/product_board_detail.aspx?pid=451|Thunder K8-S2880]]\\
Alternate link -> Tyan [[http://www.amdboard.com/tyan_s2880_opteron_board.html|Thunder K8-S2880]]

  * IDE Chipset: AMD-8111
  * RAID bus controller: Promise Technology, Inc. PDC20378 (FastTrak 378/SATA 378) (rev 02)

===== Testbed =====

Abit [[http://www.abit-usa.com/products/mb/products.php?categories=1&model=32|KX7-333R]]

  * IDE Chipset: VIA KT333 / VT8233A
  * RAID chipset: HPT372 RAID controller

====== Mouse ======

===== gpm =====

Your **/etc/rc.d/rc.gpm** should be this for a 3 button wheel mouse:

<code bash>
/usr/sbin/gpm -m /dev/mouse -t imps2
</code>

See the X11 section to modify that for activating the wheel mouse (I cannot seem to live without it now).
====== Network ======

===== Configuration =====

==== NAT Gateway ====

You're going to need the net/ipv4/netfilter stuff (I just make them all as modules, and let the kernel sort it out). I literally just make a whole lot of modules and hope I get the right ones. It says "required for NAT" in several places.

For the local LAN you need to let the machines get out. Just add this code to **/etc/rc.d/rc.local**:

<code bash>
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out the WAN interface (-o eth0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
</code>

==== resolv.conf ====

Use yourself as name server, because you are the man.

<code>
# /etc/resolv.conf for archon.lattice.net - dlr 20070317
#
nameserver 127.0.0.1
search lattice.net nofadz.com gsfc.nasa.gov
</code>

===== Monitoring =====

==== net-snmpd ====

[[http://www.net-snmp.org/download.html|net-snmpd]] download page.

<code bash>
./configure
# with the following responses: '3' (default), 'david@lattice.net', 'Ellicott City, MD USA',
#   '/var/log/snmpd.log' (default), '/var/net-snmp' (default)
make
make install
ldconfig
</code>

Rename the example snmpd.conf to **/etc/snmpd/snmpd.conf**, and modify it with the following changes:

<code>
#       sec.name        source          community
com2sec local           localhost       archcomm
com2sec mynetwork       10.0.0.0/24     archcomm
com2sec mynetwork       71.127.151.0/24 archcomm

# and down the road...
syscontact "david "
syslocation "Ellicott City, MD USA"
</code>

Modify your **/etc/rc.d/rc.local** with the following line:

<code bash>
/usr/local/sbin/snmpd -c /etc/snmpd/snmpd.conf
</code>

Here is how you can test if your daemon is running properly:

<code bash>
snmpwalk -v 1 -c "archcomm" localhost
</code>

==== mrtg ====

[[http://oss.oetiker.ch/mrtg/]]

I have mrtg installed as **/usr/local/archon/mrtg-2.15.2/** and symlinked it:

<code bash>
ln -s /usr/local/archon/mrtg-2.15.2 /usr/local/mrtg
</code>

Build it as instructed:

<code bash>
cd /usr/local/mrtg
./configure
make
</code>

Configure it within **/usr/local/mrtg/conf**:

<code bash>
mkdir /usr/local/mrtg/conf
cd /usr/local/mrtg/conf
/usr/local/mrtg/bin/cfgmaker archcomm@archon.lattice.net > archon_mrtg.cfg
/usr/local/mrtg/bin/cfgmaker archcomm@sage.lattice.net > sage_mrtg.cfg
# make directories for the data to be stored:
mkdir /var/www/htdocs/secure/staff/archon/
mkdir /var/www/htdocs/secure/staff/sage/
</code>

Modify each config file so that the following options are used (replace the WWW dir properly!):

<code>
Options[_]: growright, bits
WorkDir: /var/www/htdocs/secure/staff/archon/
</code>

Go to the working directory and generate an index file:

<code bash>
cd /var/www/htdocs/secure/staff/archon/
/usr/local/mrtg/bin/indexmaker /usr/local/mrtg/conf/archon_mrtg.cfg > index.html
</code>

I have a script that runs via a cron job; here is my **/root/mrtg/run_mrtg.sh**:

<code bash>
#!/bin/sh
#
/usr/local/mrtg/bin/mrtg /usr/local/mrtg/conf/archon_mrtg.cfg
/usr/local/mrtg/bin/mrtg /usr/local/mrtg/conf/sage_mrtg.cfg
</code>

Here is my crontab entry that runs the shell script every 5 minutes:

<code>
# Run MRTG network status every 5 minutes:
*/5 * * * * /root/mrtg/run_mrtg.sh 1> /dev/null 2> /dev/null
</code>

===== Security =====

==== Packet Filtering ====

Someone found a way through the firewall once to hit the Samba server... so I added these lines to **/etc/rc.d/rc.local** to just drop any samba packets at the WAN interface.
I also blocked the slim server access from outside, it just seemed like a bad idea 8-) (and just now added apcupsd to the list of blocked from the outside //2008/11/13 10:43//).

  # block SMB ports from the outside
  iptables -A INPUT -i eth0 -p udp --dport 137 -j DROP
  iptables -A INPUT -i eth0 -p udp --sport 137 -j DROP
  iptables -A INPUT -i eth0 -p udp --dport 138 -j DROP
  iptables -A INPUT -i eth0 -p udp --sport 138 -j DROP
  iptables -A INPUT -i eth0 -p tcp --dport 139 -j DROP
  iptables -A INPUT -i eth0 -p tcp --sport 139 -j DROP
  iptables -A INPUT -i eth0 -p tcp --dport 445 -j DROP
  iptables -A INPUT -i eth0 -p tcp --sport 445 -j DROP
  # and to be sure, we don't send anything out on these ports also
  iptables -A OUTPUT -o eth0 -p udp --dport 137 -j DROP
  iptables -A OUTPUT -o eth0 -p udp --sport 137 -j DROP
  iptables -A OUTPUT -o eth0 -p udp --dport 138 -j DROP
  iptables -A OUTPUT -o eth0 -p udp --sport 138 -j DROP
  iptables -A OUTPUT -o eth0 -p tcp --dport 139 -j DROP
  iptables -A OUTPUT -o eth0 -p tcp --sport 139 -j DROP
  iptables -A OUTPUT -o eth0 -p tcp --dport 445 -j DROP
  iptables -A OUTPUT -o eth0 -p tcp --sport 445 -j DROP
  # block port 3551 so that apcupsd cannot be seen from outside
  iptables -A OUTPUT -o eth0 -p tcp --dport 3551 -j DROP
  iptables -A OUTPUT -o eth0 -p tcp --sport 3551 -j DROP
  # block port 9000 so slimserver can't be accessed from outside
  iptables -A OUTPUT -o eth0 -p tcp --dport 9000 -j DROP
  iptables -A OUTPUT -o eth0 -p tcp --sport 9000 -j DROP

==== sshd config ====

Restrict who can log in and only allow protocol 2 connections in **/etc/ssh/sshd_config**:

  # only allow valid users to login
  AllowGroups nofadz users
  # do not let root log in directly
  PermitRootLogin no
  # only allow protocol 2
  Protocol 2

===== Shaping =====

I built this script off something I found online (like everything really); not sure if this is the RIGHT way to do this, but it seems to work.

{{computers:htb.homebrew.txt|/etc/rc.d/htp.homebrew}}

And I put this in my **/etc/rc.d/rc.local** to fire it up on boot.
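The packet-filtering block above repeats the same four lines per port, and the apcupsd (3551) and slimserver (9000) entries only got OUTPUT rules. As an added example (not code from the page's rc.local), this POSIX sh script expands a port table into the full INPUT-plus-OUTPUT set for every port, rejects malformed table entries, and only applies the rules when run as root with iptables present; eth0 as the WAN interface is the page's own assumption.

```shell
#!/bin/sh
# Added example (not from the page's rc.local): build the WAN-side DROP
# rules for a table of ports instead of hand-writing four lines per port.
# Assumptions: the WAN interface is eth0 as on the page; BLOCKED_PORTS is
# the page's own set (SMB, apcupsd on 3551, slimserver on 9000).
WAN_IF="${WAN_IF:-eth0}"
BLOCKED_PORTS="udp:137 udp:138 tcp:139 tcp:445 tcp:3551 tcp:9000"

# Print the four rules for one proto/port: inbound and outbound, matching
# the port as destination and as source, exactly like the SMB lines above.
gen_block_rules() {
    # $1 = interface, $2 = protocol, $3 = port
    printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n'  "$1" "$2" "$3"
    printf 'iptables -A INPUT -i %s -p %s --sport %s -j DROP\n'  "$1" "$2" "$3"
    printf 'iptables -A OUTPUT -o %s -p %s --dport %s -j DROP\n' "$1" "$2" "$3"
    printf 'iptables -A OUTPUT -o %s -p %s --sport %s -j DROP\n' "$1" "$2" "$3"
}

# Expand the whole table. A malformed entry aborts the run, so a typo in
# the list cannot silently produce a rule with an empty or bogus port.
gen_block_set() {
    for entry in $BLOCKED_PORTS; do
        proto="${entry%%:*}"
        port="${entry##*:}"
        case "$proto" in tcp|udp) ;; *) echo "bad protocol in '$entry'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;; esac
        gen_block_rules "$WAN_IF" "$proto" "$port"
    done
}

# Number of rules the table expands to (four per entry).
count_block_rules() {
    gen_block_set | wc -l | tr -d ' '
}

# Apply the rules when running as root on a box with iptables; otherwise
# just print them so they can be reviewed before going into rc.local.
apply_or_show() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        gen_block_set | sh
    else
        gen_block_set
    fi
}
```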
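sshd uses the first uncommented occurrence of a keyword, so the three sshd_config lines above change nothing if an earlier `PermitRootLogin yes` or `Protocol 2,1` sits higher in the file. As an added example (not the page's own config), this POSIX sh audit reads each keyword's effective value the way sshd does and flags a file where the hardening lines lost; the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's sshd_config): check that the three settings
# above are actually in force. sshd uses the FIRST uncommented occurrence of
# a keyword, so a stray "PermitRootLogin yes" higher up wins over a "no"
# appended at the bottom; this audit reads the file the same way.

# Print the effective value of keyword $2 in config file $1. Keyword matching
# is case-insensitive like sshd's; comment lines and bare keywords are skipped.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if $1 enforces AllowGroups, PermitRootLogin no and Protocol 2;
# otherwise report each failing keyword on stderr and return 1.
audit_sshd() {
    rc=0
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'" >&2; rc=1; }
    [ "$(sshd_opt "$1" Protocol)" = "2" ] || { echo "Protocol is not '2'" >&2; rc=1; }
    [ -n "$(sshd_opt "$1" AllowGroups)" ] || { echo "AllowGroups is not set" >&2; rc=1; }
    return $rc
}

# Constructed sample configs (written to the path given in $1).
# The good one is the page's three lines; the bad one has the same lines
# appended below an earlier, winning "yes" and "2,1".
write_good_config() {
    cat > "$1" <<'EOF'
# only allow valid users to login
AllowGroups nofadz users
# do not let root log in directly
PermitRootLogin no
# only allow protocol 2
Protocol 2
EOF
}

write_bad_config() {
    cat > "$1" <<'EOF'
permitrootlogin yes
Protocol 2,1
AllowGroups nofadz users
PermitRootLogin no
Protocol 2
EOF
}
```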
====== Package Updates ======

===== slackupdate (modified) =====

**NOTE: Deprecated... I think slapt-get is the way to go (see below)**

Slamd64 is the Slackware x64 home, and you can get all the packages at [[http://slamd64.com/index.php?page=getslamd64|this get slamd64 page]].

I've modified the slackupdate.sh shell script so that it will update packages from slamd64. The script is {{computers:slackupdate_0.7.1_slamd64.sh.txt|here}}. Here are the modifications:

  # modified the server list at the top
  Server1="ftp://anorien.warwick.ac.uk/slamd64/"
  Server2="ftp://mirror.vbfx.com/slamd64/"
  Server3="ftp://ftp.heanet.ie/pub/slamd64/"
  Server4="ftp://ftp.nara.wide.ad.jp/pub/Linux/Slamd64/"
  Server5="ftp://ftp.slackware.pl/pub/slamd64/"
  # turned OFF version check ~ line 53
  # VersionCheck: 0 - Do not check for a newer version of slackupdate
  # since this often takes WAY too long
  VersionCheck=0
  # forced slamd as the base version ~ line 628
  Version1='slamd64'
  # forced gpg usage to NO ~ line 166
  Use_GPG=0

===== slapt-get =====

Download the source tar from the [[http://software.jaos.org/|slapt-get home page]].

  cd /usr/local/src/slapt-get-0.9.11g
  make
  make install

Modify **/etc/slapt-get/slapt-getrc** with:

  SOURCE=ftp://anorien.warwick.ac.uk/slamd64/slamd64-11.0/

And then you need to run update:

  slapt-get --update
  # and then upgrade our packages, go ahead and get everything
  slapt-get --upgrade --ignore-excludes

====== Troubleshooting ======

  * **The terminal colors that we all loved so much are gone? How to fix?** Found [[http://forums.slamd64.com/viewtopic.php?t=517&highlight=colors|this link about colors]] on the slamd64.com site. The solution was just to re-install the pkgtools package.

====== User Programs ======

===== bittorrent =====

Welp, I don't see it in the extras directory.... that's odd?
===== hexedit =====

Download [[http://rigaux.org/hexedit-1.2.12.src.tgz]] and install:

  ./configure
  make
  make install

===== id3v2 =====

You need to install id3lib first, but after that, installing this program was simple:

  make
  make install

===== IDL =====

Untar the install program in **/usr/local/archon/rsi/**, then run **./install** from there and press the keys like a good little monkey.

I'm going to try and put local installs all in this directory and then symlink out to /usr/local/ if the programs want to be there. I dunno, I think it keeps it cleaner to put it all under archon. Use my personal license file, and good to go.

===== md5deep =====

Go to the [[http://md5deep.sourceforge.net/#download|download]] page and grab the stable one.

  make linux
  make install

===== MPlayer =====

MPlayer v1.0rc1 ([[http://www.mplayerhq.hu/|MPlayer main page]])

  ./configure
  make
  make install

And you'll want to get all the codecs: [[http://www1.mplayerhq.hu/MPlayer/releases/codecs/essential-amd64-20061203.tar.bz2|AMD64bit codecs]]

  # untar the codecs into /usr/local/lib/codecs and link it as well:
  tar -jxvf ../essential-20061022.tar.bz2
  mv essential-20061022 /usr/local/lib/codecs
  ln -s /usr/local/lib/codecs /usr/local/lib/win32
  tar -jxvf ../essential-amd64-20061203.tar.bz2
  mv essential-amd64-20061203/* /usr/local/lib/codecs/

===== perl podcast =====

Grab this package, and just put the program //podcast.pl// in **/usr/local/bin/**. As root, you need to install XML::Simple:

  perl -MCPAN -e shell
  install XML::Simple

And then set up a directory and configuration file:

  mkdir /vault/audio/podcasts/
  mkdir /vault/audio/podcasts/mp3/
  cp perlpodcast.conf /vault/audio/podcasts/
  cat /vault/audio/podcasts/perlpodcast.conf
  ########### my perlpodcast.conf ###########
  sources_file  /vault/audio/podcasts/sources.txt
  mp3_dir       /vault/audio/podcasts/mp3
  playlist_file /vault/audio/podcasts/playlist.pls
  history_file  /vault/audio/podcasts/history.dat

You'll want to add this to your crontab:

  # Check for new podcasts at 4:20pm on Friday:
  20 16 * * 5 /usr/local/bin/podcast.pl -c /vault/audio/podcasts/perlpodcast.conf 1> /dev/null

===== pine =====

  * adding the header and bounce options

===== rar =====

Copy the rar binary into **/usr/local/bin/**.

===== sirc =====

I found a source tar on a Debian page: [[http://ftp.debian.org/debian/pool/main/s/sirc/sirc_2.211.orig.tar.gz]]

This one is very straightforward (you'll just need to answer a few questions):

  ./install

===== teqc =====

This program will convert any GPS binary file into RINEX. It is the Swiss army knife of GPS processing.

Download the 64-bit one: [[http://facility.unavco.org/software/teqc/development/teqc_Lx86_64d.tar.Z]]

And just untar it in **/usr/local/bin/**.

===== zgal =====

You can grab it here at the [[http://zgal.sourceforge.net/|zgal main page]].

  ./install-zgal.sh
  #
  # Don't forget to install the perl module Image::Size
  #
  tar xvfz Image-Size-2.98.tar.gz
  cd Image-Size-2.98
  #
  # To build:
  #
  perl Makefile.PL
  make && make test
  #
  # If Image::Size passes all tests, then:
  #
  make install

====== Utils ======

===== ClamAV =====

Anti-virus tool. You may want to consider installing this on archon to scan incoming emails? [[http://www.clamav.net/|ClamAV]]

===== phpMyAdmin =====

  * Download the latest version from [[http://www.phpmyadmin.net/home_page/index.php|phpMyAdmin Home]]
  * Untar into **/var/www/htdocs/** and then make a symlink to phpMyAdmin (to the current version)

  cd /var/www/htdocs/staff   # you may have to make this one (not sure where you are)
  tar -jxvf ~/downloads/phpMyAdmin-2.10.0.2-all-languages-utf-8-only.tar.bz2
  ln -s phpMyAdmin-2.10.0.2-all-languages-utf-8-only phpMyAdmin

  * Generate a configuration file **/var/www/htdocs/staff/phpMyAdmin/config.inc.php**

===== squirrelmail =====

  * Grab from the squirrelmail [[http://www.squirrelmail.org/download.php|download page]]
  * Make a directory and install the files.
  mkdir /var/www/htdocs/secure/
  cd /var/www/htdocs/secure/
  tar -jxvf ~/downloads/squirrelmail-1.4.9a.tar.bz2
  ln -s squirrelmail-1.4.9a mail

  * Build up the directories needed

  mkdir /usr/local/var/squirrelmail
  mkdir /usr/local/var/squirrelmail/attach
  mv /var/www/htdocs/secure/mail/data /usr/local/var/squirrelmail
  chown -R nobody:nobody /usr/local/var/squirrelmail/attach /usr/local/var/squirrelmail/data
  chmod 0730 /usr/local/var/squirrelmail/attach

  * Run the config program (there are lots of settings, just make sure the paths and dovecot are set for sure)

  ./configure   # which just calls ./config/conf.pl

  * Need to increase the allowed memory for PHP in **/etc/apache/php.ini**:

  memory_limit = 128M   ; Maximum amount of memory a script may consume (128MB)

====== X11 ======

Make sure that your //gpm// is using IMPS/2 also (see above), then add these lines to your **/etc/X11/xorg.conf**:

  Option "Protocol" "IMPS/2"     # change PS/2 to IMPS/2 to get the scroll wheel
  Option "ZAxisMapping" "4 5"
  Option "Emulate3Buttons" "no"

To make the X server NOT listen on port 6000 for X11 connections, do these (taken directly from [[http://slackworld.berlios.de/02/tips.html]]):

  /usr/X11R6/bin/startx:
      serverargs="-nolisten tcp"
  /etc/X11/gdm/gdm.conf:
      command=/usr/X11R6/bin/X -nolisten tcp
  /etc/X11/xdm/Xservers:
      :0 local /usr/X11R6/bin/X -nolisten tcp
  /opt/kde/share/config/kdm/Xservers:
      :0 local@tty1 /usr/X11R6/bin/X vt7 -nolisten tcp