computers:serverconfig


SERVER GOES DOWN MONDAY, MARCH 19TH AS EARLY AS I CAN DO IT

DONE, and done: we got 64-bit up and running by 4pm on the 19th. LOTS of issues to follow, hopefully all documented here!

Upgrade TODO

Here is a good todo list for upgrading archon

First thing you need to do is isolate your setup, so that the IP address doesn't collide with the real archon.

  • Get the traffic shaping script working with the new 2.6 kernel (or use another one that does the same thing)
  • Rebuild sendmail configuration files
  • Export and re-import MYSQL data (going from version 4 to version 5)
  • Update the DHCP configuration so you don't get warning messages
  • Get apache (http and https) running, and set up secure squirrel mail
  • NAT gateway… always takes me forever to turn on ALL the needed modules to get that working.
  • Clean up the virtual hosting by breaking websites into include files.
  • Try kernel without IPV6 and also rebuild mplayer now that you don't have it installed. Maybe this will fix DHCPD which is still broken on archon.
  • Fix it so that you can send email from hosts inside the firewall (sure you want to do that or just use certs?)
  • MAYBE sendmail woes (sending) are also something to do with IPV6? It is hanging on even a simple telnet to port 25!?

Post Reboot

You can do these afterwards; it shouldn't be too bad if they are down for a while (easy enough, I just knocked them out beforehand).

  • ftp up and configured
  • irc up and configured (i think so)
  • svn setup
  • spamassassin
  • slimserver
  • hexedit
  • sirc
  • md5deep
  • IDL 6.3 (x64)
  • smbfs (Samba shares)
  • finger (open that up)
  • nfs setup (exports and permissions)
  • install zgal
  • contact Verizon and whitelist your mail server http://www2.verizon.net/micro/whitelist/
  • permissions on the 'easter shore radio' login.
  • fix DHCPD, it is NOT working STILL NOT WORKING (just using SAGE as my DHCPD server for now…)

Backup

DVD-R

Here is the script I used to create the DVD archival set of archon's main files. Note that /etc on this set includes /etc/shadow and the apache, dovecot and sendmail private keys, so the discs are as sensitive as the server itself; rar's -hp switch encrypts the archive (file names included) if they are going anywhere but the safe.

#!/bin/sh
#
# simple script to generate rar backups for DVD burning
# a          add files to archive
# -ds        disable sorting of the file names
# -ol        save symbolic links as links and not the files they point to
# -r         recurse subdirectories
# -s         build a solid archive
# -rv18      build 18 recovery (parity) volumes
# -v512000   volume size; with no suffix rar reads this as thousands of bytes,
#            so each volume is about 512 MB (nine fit on a 4.7 GB DVD-R)
#
# nice -n 19 keeps the compression from starving the daemons

nice -n 19 rar a -ds -ol -r -s -rv18 -v512000 archonBackup.rar /etc/ /home/ /nofadz/ /usr/local/

mysqld databases

  • Dump the mysql databases daily to a rotating set of a weeks worth of backups. (0-6 day of the week)
  • Pluck out the current week's file to the week of the year file. (week of the year 00-53)
  • Pluck out each current month's file. (month of the year 00-12)
  • Finally, just copy to the current year.

Here is a script that will do this:

# use the date function to generate file names
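The rotation described in the four steps above, written out as an added example (this is not the page's own script). It assumes mysqldump reads root's credentials from ~/.my.cnf rather than taking a password on the command line, and BACKUPDIR is an invented location; the date fields come straight from date(1), so the names line up with the day/week/month/year slots in the list.

```shell
#!/bin/sh
#
# Added example (not the page's own script): the daily mysqldump rotation
# described above, as /etc/cron.daily/mysql_backup.sh.
# Assumptions: mysqldump reads its credentials from root's ~/.my.cnf (so no
# password on the command line, where ps would show it); BACKUPDIR is an
# invented location.

BACKUPDIR="${BACKUPDIR:-/vault/backups/mysql}"
PREFIX="mysql_all_databases"

# Print the four rotation slots for a date, one per line:
# $1 = day of week 0-6, $2 = week of year 00-53, $3 = month 01-12, $4 = year
rotation_names() {
    printf '%s\n' \
        "$PREFIX.day$1.sql.gz" \
        "$PREFIX.week$2.sql.gz" \
        "$PREFIX.month$3.sql.gz" \
        "$PREFIX.year$4.sql.gz"
}

# Dump everything into today's daily slot, then copy that file over the
# week, month and year slots. Each slot is simply overwritten the next
# time it comes round, so the directory never grows past 7+54+12 files
# plus one per year.
run_backup() {
    set -- $(date '+%w %U %m %Y')
    names=$(rotation_names "$1" "$2" "$3" "$4")
    daily=$(printf '%s\n' "$names" | sed -n 1p)

    umask 077                       # dumps hold every password hash and row
    mkdir -p "$BACKUPDIR" || return 1
    chmod 700 "$BACKUPDIR"
    tmp="$BACKUPDIR/$daily.tmp"

    # Written uncompressed first so a mysqldump failure is caught (a pipe
    # into gzip would only report gzip's exit status). --single-transaction
    # gives a consistent snapshot of InnoDB tables without holding read
    # locks for the whole run.
    if ! mysqldump --all-databases --single-transaction > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    gzip -c "$tmp" > "$BACKUPDIR/$daily" && rm -f "$tmp"

    for f in $(printf '%s\n' "$names" | sed 1d); do
        cp -p "$BACKUPDIR/$daily" "$BACKUPDIR/$f"
    done
}

# Only do real work when run as root with mysqldump available (i.e. from
# cron on the server); sourcing the file elsewhere just defines the functions.
if [ "$(id -u)" = 0 ] && command -v mysqldump >/dev/null 2>&1; then
    run_backup
fi
```

Because the week/month/year files are copies of whichever daily dump was made last, the monthly file always holds the newest dump of that month, which is what the list above asks for; if you want the first dump of each period instead, copy only when the target file does not exist yet.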

user files

I am mirroring the /vault drive with /etc/cron.daily/mirror_vault.sh:

#!/bin/sh
#
# make a mirror of /vault
 
rsync -va /mnt/vault/ /mnt/mirror/vault/

Boot

lilo

Modify /etc/lilo.conf to lower the boot time

Here is my current lilo.conf

Cronjobs

Hourly

files are in: /etc/cron.hourly/

dovecot alive?

This daemon kept crashing; it turned out that a big time jump (the daily setting of the clock via NTP) made dovecot shut itself down without restarting. Here's a little script to keep it running (at least checking on it hourly).

dovecot-alive.sh:

#!/bin/sh
#
# check the pop3s port and see if dovecot is listening...

DOVECOTCOUNT=$(nmap -p 995 localhost | grep pop3s | grep -c open)

if [ "$DOVECOTCOUNT" -ne 1 ]; then
  echo "Restarting dovecot: /usr/local/sbin/dovecot"
  /usr/local/sbin/dovecot
fi

ssh alive?

sshd died last night, and no one could get in. If I'm not around and this happens… we'll be in trouble. So I made an hourly script that looks for ssh listening on port 22.

/etc/cron.hourly/sshd-alive.sh (this is an exact copy of the dovecot one; I should combine the two into one script!)

#!/bin/sh
#
# check the ssh port to make sure sshd is still alive

SSHDCOUNT=$(nmap -p 22 localhost | grep ssh | grep -c open)

if [ "$SSHDCOUNT" -ne 1 ]; then
  /etc/rc.d/rc.sshd restart
fi
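The two scripts above are the same check with a different port and restart command, so here is the combined version as an added example (not the page's own code). The SERVICES table is an assumption built from the two scripts, and nmap is assumed to be installed as it is on the page; the port check is split into a function that reads nmap's output so it can be tested with constructed lines.

```shell
#!/bin/sh
#
# Added example (not the page's own script): one hourly watchdog that replaces
# dovecot-alive.sh and sshd-alive.sh, as /etc/cron.hourly/services-alive.sh.
# The SERVICES table is an assumption based on the two scripts above; each
# line is "port name restart-command", and nmap is assumed installed.

SERVICES='995 dovecot /usr/local/sbin/dovecot
22 sshd /etc/rc.d/rc.sshd restart'

# Read nmap output on stdin; succeed if it reports port $1/tcp as open.
# Anchored to the start of the line so port 2 does not match "22/tcp".
port_open_in() {
    grep -Eq "^$1/tcp[[:space:]]+open([[:space:]]|$)"
}

# Probe one port on localhost.
port_open() {
    nmap -p "$1" localhost 2>/dev/null | port_open_in "$1"
}

# Walk the table and restart anything not listening; the exit status is the
# number of services that had to be restarted (0 means all were up).
check_services() {
    restarted=0
    while read -r port name cmd; do
        [ -n "$port" ] || continue
        if port_open "$port"; then
            continue
        fi
        logger -t services-alive "$name not listening on $port, running: $cmd"
        $cmd
        restarted=$((restarted + 1))
    done <<EOF
$SERVICES
EOF
    return "$restarted"
}

if command -v nmap >/dev/null 2>&1; then
    check_services || echo "services-alive: $? service(s) restarted" >&2
else
    echo "services-alive: nmap not found, nothing checked" >&2
fi
```

One caveat that applies to the originals too: nmap reports "open" as soon as something completes the TCP handshake, so a daemon that is hung but still accepting connections passes the check. For pop3s a stricter probe would open a TLS session with openssl s_client and look for the +OK banner.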

Synchronize To Timeserver

NOTE: I moved this to hourly (it was daily) because too big a time jump makes dovecot SHUT DOWN! Found that in /var/log/maillog. So if we set our time every hour it won't ever move more than a second, and dovecot should be happy with that. (ntpdate steps the clock outright whenever the offset is over half a second, which is exactly the jump dovecot objects to; running ntpd continuously instead keeps the offset tiny by slewing, and with -x it never steps at all.)

/etc/cron.hourly/set_clock_via_network.sh:

#!/bin/sh
/usr/sbin/ntpdate time-a.nist.gov

Daily

files are in: /etc/cron.daily/

Check Free Disk Space

/etc/cron.daily/check_free_disk_space.sh:

#!/bin/sh
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN if the used percentage
# of space on any filesystem is >= 90%
# -------------------------------------------------------------------------
# Copyright (c) 2005 nixCraft project <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Linux shell script to watch disk space (should work on other UNIX oses )
# SEE URL: http://www.cyberciti.biz/tips/shell-script-to-watch-the-disk-space.html
# set admin email so that you can get email
ADMIN="me@somewhere.com"  # modify this to your email address
# set alert level 90% is default
ALERT=90
df -H --exclude-type=nfs | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $5 " " $1 }' | while read output;
do
  #echo $output
  usep=$(echo $output | awk '{ print $1}' | cut -d'%' -f1  )
  partition=$(echo $output | awk '{ print $2 }' )
  if [ $usep -ge $ALERT ]; then
    echo "Running out of space \"$partition ($usep%)\" on $(hostname) as on $(date)" | 
     mail -s "Alert: Almost out of disk space $usep" $ADMIN
  fi
done

Clean /tmp Folder

Things in the /tmp folder seem to clutter up, so I'm going to run a script that deletes anything older than a couple days. (try two to start)

/etc/cron.daily/clean_tmp_dir.sh:

#!/bin/sh
#
find /tmp/ -type f -atime +2 -exec rm -f {} \;

Daemons

apache/httpd

  • move the htdocs out of the main dir
    cd /var/www/
    mkdir htdocs_orig
    mv htdocs/* htdocs_orig/
  • modify /etc/apache/httpd.conf so that php and ssl stuff will run
    • uncomment: Include /etc/apache/mod_php.conf
    • uncomment: Include /etc/apache/mod_ssl.conf
    • included our vhosts in a separate file
    ### Section 3: Virtual Hosts
    # i moved this to a separate file.... - dlr  2004/05/31
    Include /etc/apache/archon_vhosts.conf
  • allow server side includes (note the handlers below parse every .html and .htm as well, so any HTML file a user can write becomes a place to run <!--#exec cmd="..."-->; use Options +IncludesNOEXEC on directories other people can write to unless that is wanted)
    # If you want to use server side includes, or CGI outside
    # ScriptAliased directories, uncomment the following lines.
    #
    # To use CGI scripts:
    #
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    #
    # To use server-parsed HTML files
    #
    #AddType text/html .shtml
    #AddHandler server-parsed .shtml
    AddType text/html .shtml
    AddHandler server-parsed .shtml
    AddHandler server-parsed .html
    AddHandler server-parsed .htm
  • added a common hosting log
    # archon specific LogFormat - dlr 20070319
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" commonvhost
    # archon specific LogFormat - dlr 20070319
    CustomLog /var/log/apache/allsites_access_log commonvhost

Content Migration

I'm no longer going to use a 'non-standard' user for the webserver default. So I'm finding all the files with the old www user/group ID of 200 and chowning them to the standard nobody:nobody that apache comes with. (Two things to keep in mind: -type f skips directories, so any directories owned by 200 need a second pass with -type d; and content owned by the webserver user is content a compromised CGI or PHP script can rewrite, so a site that never needs to write to itself is safer left owned by a regular account with world-read permissions.)

find /var/www/htdocs/ -type f -group 200 -exec chgrp nobody {} \;
find /var/www/htdocs/ -type f -user 200 -exec chown nobody {} \;

SSL Key / Cert Generation

This is an example of making a key and a self-signed certificate; the file names below are for secure.lattice.net. (1024-bit RSA is no longer considered strong enough; use at least 2048 bits on a new key. The -m 700 on the directory keeps other users on the box from reading the key while it sits in /tmp.)

mkdir -m 700 /tmp/sslkeys
cd /tmp/sslkeys
openssl genrsa -rand /dev/urandom -out secure.lattice.net.key 1024
openssl req -new -key secure.lattice.net.key -out secure.lattice.net.csr

and then you'll need these responses to these questions (for example):

Country Name (2 letter code) [AU]:
US
State or Province Name (full name) [Some-State]:
Maryland
Locality Name (eg, city) []:
Ellicott City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Global Lattice Internet Services
Organizational Unit Name (eg, section) []:
IT Security Department
Common Name (eg, YOUR name) []:
secure.lattice.net
Email Address []:
david@lattice.net

Leave these last two blank

A challenge password []:
An optional company name []:

And then you need to sign the cert; this example is self-signed, for 10 years (clients will warn about a self-signed cert whatever the lifetime, and a shorter one limits how long a leaked key stays usable).

openssl x509 -req -days 3650 -in secure.lattice.net.csr -signkey secure.lattice.net.key -out secure.lattice.net.crt
# set the permissions for the key
chmod 640 secure.lattice.net.key
chown root:nobody secure.lattice.net.key
mv /tmp/sslkeys/secure.lattice.net.crt /etc/apache/ssl.crt/
mv /tmp/sslkeys/secure.lattice.net.csr /etc/apache/ssl.csr/
mv /tmp/sslkeys/secure.lattice.net.key /etc/apache/ssl.key/

NOTE: Be sure the .key file is permissioned such that only root (and at most the webserver user) can read it. mod_ssl loads the key while the parent httpd is still running as root, before the children drop to nobody, so 600 root:root works and is tighter than 640 root:nobody; the group read is not actually needed.

Now to install this certificate where the https stuff can find it. Time to edit /etc/apache/mod_ssl.conf

DocumentRoot "/var/www/htdocs/secure"
ServerName secure.lattice.net
ServerAdmin SOME E-MAIL addy # (-8
...
SSLCertificateFile /etc/apache/ssl.crt/secure.lattice.net.crt
...
SSLCertificateKeyFile /etc/apache/ssl.key/secure.lattice.net.key
...

Finally, you need to modify /etc/rc.d/rc.httpd so that it fires up the SSL daemon (now that we have configured the mod_ssl part).

      /usr/sbin/apachectl startssl ;;

Wiki Upgrade

This is for my personal wiki, but I wanted to log this, as it applies to any installation of DokuWiki. Here are the specifics for my install:

cd /home/david/down/dokuwiki/
# fetch the new tarball (I used lynx): http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2007-06-26b.tgz?id=projects%3Adokuwiki&cache=cache
# untar the new one
tar -zxvf dokuwiki-2007-06-26b.tgz
# make a backup of the current one
# since I forced my wiki into the root directory... I need to do this.  I SHOULD move this all to a subdirectory and symlink these directories in!
mkdir backup
rsync -va ~david/public_html/bin/  backup/bin/
rsync -va ~david/public_html/conf/ backup/conf/
rsync -va ~david/public_html/data/ backup/data/
rsync -va ~david/public_html/inc/  backup/inc
rsync -va ~david/public_html/lib/  backup/lib
# move the new stuff over to the current run location
rsync -va dokuwiki-2007-06-26b/ ~/public_html/
# rsync our data back (as root to get the permissions right)
rsync -va ~david/down/dokuwiki/backup/data/ ~david/public_html/data/
# clear the cache
rm -rf ~david/public_html/data/cache/*
# modify .htaccess (just copy and uncomment the line)
# Options -Indexes -MultiViews +FollowSymLinks
# chgrp and chmod the files
chgrp -R nobody ~david/public_html/data
chmod -R g+w ~david/public_html/data
# copy the configuration files
cp ~david/down/dokuwiki/backup/conf/acl.auth.php ~david/public_html/conf/acl.auth.php
cp ~david/down/dokuwiki/backup/conf/local.php ~david/public_html/conf/local.php
cp ~david/down/dokuwiki/backup/conf/users.auth.php ~david/public_html/conf/users.auth.php

bind

The actual daemon run is named. The last upgrade of slamd64 made the cname line in /etc/named.conf break the program: category cname is a BIND 8 logging category that BIND 9 does not know, so I just commented it out and things work OK now: – 2008/03/01

logging {
        category lame-servers { null; };
#       category cname { null; };
};

Seems like a good place to put information on /etc/resolv.conf

You can list up to 3 name servers (one per line; entries past the third are ignored) and stack your search domains on one line with a space between each. Note that nameserver takes an IP address, not a host name (the resolver cannot look a name up before it has a name server), so ns1 and ns2 have to be written as their addresses from the table below:

nameserver 71.127.151.90
nameserver 71.127.151.91
search lattice.net nofadz.com

I also want to start the DNS server EARLY in the boot, so that other daemons can do name lookups…hmmm, seems to be in inet2… maybe that was old slackware problem, hehehe.

addresses

Some core IP addresses:

FQDN                  IP Address
archon.lattice.net    71.127.151.90
imap.lattice.net      alias for archon.lattice.net
ns1.lattice.net       alias for archon.lattice.net
ns2.lattice.net       alias for sage.lattice.net
sage.lattice.net      71.127.151.91
secure.lattice.net    alias for archon.lattice.net

config

/etc/named.conf is the big file, and here is the version as of this update.

named.conf.txt

root.hints update

Automated script to update root.hints monthly.
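The monthly updater is not on this page, so here is one as an added example (not the author's script). It assumes BIND 9 with rndc working, dig installed, and a hints file at the HINTS path below, which is an invented location (check the file named in your named.conf). The point of the hints_ok check is that a truncated or error response from the fetch must never replace a working hints file.

```shell
#!/bin/sh
#
# Added example (not the page's own script): a monthly root.hints refresh for
# /etc/cron.monthly, with a sanity check before the live file is replaced.
# Assumptions: BIND 9 with rndc set up, dig installed, and the hints file at
# the HINTS path below (an invented location; check your named.conf).

HINTS="${HINTS:-/var/named/root.hints}"
SERVER="${SERVER:-a.root-servers.net}"

# Succeed only if the file in $1 looks like a complete root hints file:
# at least 13 NS records for "." and at least 13 A/AAAA glue records for
# a..m.root-servers.net. A truncated or error response fails this and the
# existing file stays in place.
hints_ok() {
    ns=$(grep -Ec '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+NS[[:space:]]' "$1")
    glue=$(grep -Ec '^[a-m]\.root-servers\.net\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+(A|AAAA)[[:space:]]' "$1")
    [ "$ns" -ge 13 ] && [ "$glue" -ge 13 ]
}

# Fetch, validate, install (keeping one backup) and reload named.
update_hints() {
    tmp=$(mktemp) || return 1
    # dig's ";;" comment lines are harmless to named, but the +no options keep
    # the file to the records themselves
    if ! dig +nocmd +nocomments +noquestion +nostats @"$SERVER" . NS > "$tmp"; then
        echo "root.hints: dig failed, keeping $HINTS" >&2
        rm -f "$tmp"; return 1
    fi
    if ! hints_ok "$tmp"; then
        echo "root.hints: fetched file failed sanity check, keeping $HINTS" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -f "$HINTS" ] && cmp -s "$tmp" "$HINTS"; then
        rm -f "$tmp"; return 0            # nothing changed this month
    fi
    [ -f "$HINTS" ] && cp -p "$HINTS" "$HINTS.bak"
    install -m 644 "$tmp" "$HINTS" && rm -f "$tmp"
    rndc reload
}

# Needs root to write the hints file and talk to rndc; from cron that is given.
if [ "$(id -u)" = 0 ] && command -v dig >/dev/null 2>&1; then
    update_hints
fi
```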

dhcpd

I pulled my hair out over this one. It would not work until I simply RE-INSTALLED the dhcpd package from the source again. That seemed to fix it!

SCRATCH THAT, it is still broken. I think it might be because I have IPV6 installed. It only doesn't work with windows machines… so I'm still suspect that something isn't quite right with maybe the kernel or something. MPlayer is having trouble playing streams because it doesn't reverse lookup with IPv6, so maybe that is a clue. I'll try to fix it after everyone is off NWN for the day (tomorrow morning).

Here is my configuration file

# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#
# archon.lattice.net dhcpd.conf - dlr 20070322 (spring is here!)
 
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
 
#Sets the domain name and our default DNS servers
option domain-name                      "lattice.net";
option domain-name-servers              10.0.0.1, 10.0.0.2;
option netbios-name-servers             10.0.0.1;
option netbios-dd-server                10.0.0.1;
option netbios-scope                    "";
option netbios-node-type                8;
 
#Sets the default lease time in seconds before computers must renew their leases
default-lease-time                      86400;
#Sets the maximum amount of time a pc can hold a lease for
max-lease-time                          864000;
 
# I was told to do this :)
# ddns-update-style ad-hoc;
ddns-update-style none;
ddns-ttl                                86400;
 
#This is a subnet which the dhcpd server controls, note the { is required
subnet 10.0.0.0 netmask 255.255.255.0 {
  #Sets the network gateway / router
  option routers                        10.0.0.1;
  #Sets the network broadcast address
  option broadcast-address              10.0.0.255;
 
  #Defines a range of ips to be used as leases
  range 10.0.0.100 10.0.0.200;
 
# specific host definitions
  host david {                           # Set the hostname of the client computer
    hardware ethernet 00:50:8d:ed:aa:dd; # Registers the MAC address of the client computer.
    fixed-address 10.0.0.42;             # This line specifies the IP address for david's computer
  }
  host krysalis {                        #Set the hostname of the client computer
    hardware ethernet 00:10:dc:a1:d3:aa; # Registers the MAC address of the client computer.
    fixed-address 10.0.0.40;             # This line specifies the IP address for christine's computer
  }
  host wirelesslan {                     # Set the hostname of the client computer
    hardware ethernet 00:30:bd:66:4d:b2; # Registers the MAC address of the client computer.
    fixed-address 10.0.0.11;             # This line specifies the IP address for the wireless lan (inside)
  }
 
}

I just added this to /etc/rc.d/rc.local

# this is required to enable us to respond to windows clients
route add -host 255.255.255.255 dev eth1
echo 'Firing up DHCP daemon: /usr/sbin/dhcpd eth1'
/usr/sbin/dhcpd eth1

dovecot

./configure
make
make install
  • Modify /usr/local/etc/dovecot.conf (since we installed from source and I didn't set any paths, we're all in /usr/local, so I changed that throughout the configuration file).
# any time you find /usr/libexec make it /usr/local/libexec
# allowed protocols (I am only going to allow IMAP to localhost, force IMAPS(993) or POP3S(995) from the outside)
protocols = imap imaps pop3s
# and later in
protocol imap {
  # archon only will do IMAP to localhost
  listen = localhost:143
  ssl_listen = *:993
}
# and I put this in the pop3 section for the pop3 (only pop3s mind you) to work
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
  • I also commented out all the PAM authentication because slackware doesn't seem to have it. I then just uncommented the 'shadow' section to use that for authentication.
  • Added a dovecot group and user (used ID and GID 97:97)
# in /etc/group
dovecot::97:dovecot
#
# in /etc/passwd
dovecot:x:97:97:dovecot:/:
#
# in /etc/shadow
dovecot:*:9797:0:::::
  • Generate the keys and stick them where dovecot is looking for them (Config file dovecot-openssl.cnf.txt) (NOTE: 2008/10/03 - I updated this to use the server archon.lattice.net instead of imap, since the name conflicts and thunderbird was complaining and regenerated the keys so they are current)
cd /usr/local/src/dovecot-1.0.rc26/doc
jed dovecot-openssl.cnf  # and put in all your stuff
chmod 755 mkcert.sh
./mkcert.sh
chmod 600 /etc/ssl/private/dovecot.pem  # it already was, but just in case
  • And add this to /etc/rc.d/rc.local of course.
echo 'Firing up our IMAP server: /usr/local/sbin/dovecot'
/usr/local/sbin/dovecot

inetd

NOTE: I just used dovecot (see the dovecot section above), because it was easy to figure out how to configure it. YEAH!!

/etc/inetd.conf

Just commented out the auth service. It was conflicting with *bind/named*.

imapd

I did away with the included IMAP daemon, because I could NOT get it to work. My experience with CentOS taught me that the 'dovecot' package just worked right out of the box. Sure enough, I got that to install and run without too much trouble (the documentation got me through it fairly quickly).

ircd

Pretty straight forward on the build. I don't remember much about the configuration other than we commented out a LOT of it (so the server is local only).

cd /usr/local/src/irc2.11.1p1
./configure
cd /usr/local/src/irc2.11.1p1/x86_64-unknown-linux-gnu
make install

Then you'll want to modify the configuration files (the ircd files in /usr/local/etc/).

Here are my config files so you can exploit the weakness of this death star.

/usr/local/etc/ircd.conf and /usr/local/etc/ircd.motd

And don't forget to add this to the /etc/rc.d/rc.local after you get your configuration files in place

# fire up ircd
echo 'Firing up ircd: /usr/local/sbin/ircd -c'
/usr/local/sbin/ircd -c

mysqld

Exporting DB

Export the current database from archon

mysqldump --all-databases --user=root -p > ~/mysql_dump.sql

And then to import, just fire up phpMyAdmin and execute the .sql file. (and cross your fingers!)

Of course, if the file is large (the archon dump IS), you'll need to try just piping the MYSQL file into mysql.

mysql --user=root -p < /root/mysql_archon20070311_all_databases_dump.sql

Setup

  • Uncomment the 'skip networking' line in /etc/rc.d/rc.mysqld (mysqld then only answers on the local socket and not on TCP port 3306, which is all phpMyAdmin and the local scripts need)
  • as root you need to run these: (to init the database)
mysql_install_db
chown -R mysql:mysql /var/lib/mysql/
  • fire up the database & change the root password (a password given on the command line shows up in ps and in the shell history, so type it at a prompt instead, or run mysql_secure_installation, which also removes the anonymous accounts and the test database)
cd /usr ; /usr/bin/mysqld_safe &
/usr/bin/mysqladmin -u root password 'new-password'

sendmail

IGNORE THIS FOR NOW

NOTE: A lot of this cert stuff was found here: http://www.linuxquestions.org/questions/showthread.php?t=224543

  • if you don't already have them, you'll need to make certificates for sendmail
mkdir /etc/mail/certs/
cd /etc/mail/certs/
openssl req -new -x509 -keyout CA.key.pem -out CA.cert.pem -days 1865

When prompted for the Common Name be sure to enter the FQDN of your mail server, i.e. archon.lattice.net (the name clients connect to; the linuxquestions page says "webserver" because it was written for Apache). Now that we have our own CA, make the server certificate:

openssl req -nodes -new -x509 -keyout smtp.key.pem -out smtp.cert.pem -days 1460

Note that with -x509 this produces a second self-signed certificate, not one signed by CA.key.pem, so a client that has been told to trust CA.cert.pem will still complain about it. To have the CA really sign it, drop -x509 (which leaves you with a request, smtp.csr.pem) and sign the request with openssl x509 -req -CA CA.cert.pem -CAkey CA.key.pem -CAcreateserial.

Also note that the CA is good for about 5 years (1865 days) and the cert for 4 years (1460 days). It's always a good idea to have the cert expire before the CA that signed it.

Next, lock down the private keys, since they are the sensitive part (the CA key above all; the certificates themselves are public):

chmod 600 CA.key.pem smtp.cert.pem smtp.key.pem

FYI, If you want to see the contents of the cert, go ahead and run this command

openssl x509 -noout -text -in smtp.cert.pem

Some information you might like

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Ellicott City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Global Lattice Internet Services
Organizational Unit Name (eg, section) []:Secure Communications Department
Common Name (eg, YOUR name) []:archon.lattice.net
Email Address []:root@lattice.net

aliases

Aliases can be set up in /etc/mail/aliases, and the following is an example of rebuilding the hash database after editing it (newaliases does the same thing).

cd /etc/mail
makemap hash aliases < aliases
/etc/rc.d/rc.sendmail restart

sendmail.cf

  • Building the .cf file from the .mc file. Start with the provided base file and build up the config
cd /usr/share/sendmail/cf/cf
# I want the TLS authentication
cp sendmail-slackware-tls.mc archon.mc

Add the following lines to enable spam blocking (well, it helps a little anyway). Check now and then that each list is still in operation: a DNSBL that shuts down either stops answering, so it silently filters nothing, or, as some dead lists have done, starts listing every address, which bounces all your incoming mail.

FEATURE(`dnsbl',`list.dsbl.org')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org')dnl
dnl # Set an outgoing server (smart host) to pass email through, since we are being blocked by DNS block lists now
define(`SMART_HOST',`outgoing.verizon.net')

Need to add an entry to /etc/mail/access to authorize the email being sent by archon, then rebuild access.db (makemap hash access < access, just like the other maps below). This line carries the Verizon password in the clear, so make sure /etc/mail/access and access.db are readable by root only (chmod 600 on both).

AuthInfo:outgoing.verizon.net "U:user" "I:user" "P:password" "M:PLAIN"

Then go ahead and build up the configuration file and install it.

sh Build archon.mc
cp archon.cf /etc/mail/sendmail.cf  

virtusertable

Aliases can be setup in the /etc/mail/virtusertable, and the following is an example of updating the hash table after editing the virtual user table.

cd /etc/mail
makemap hash virtusertable < virtusertable
/etc/rc.d/rc.sendmail restart

slimserver

Version 7.0

Installed 2008/04/26 - dlr - latest version installed since the old one stopped working after I rebooted?! (PERL upgrade probably)

Looks like it was getting confused with the old version that was already installed… so I moved all of the files that mentioned 'slim' into ~/slimserverStuff to get it out of the normal path.

  1. Moved old slimserver stuff first:
    cd ~/
    mkdir slimserverStuff
    mv Cache slimserverStuff
    mv slimserver.pref slimserverStuff
  2. As root, install the server:
    cd /usr/local/archon
    tar -zxvf squeezecenter-7.0.tgz
    chown -R quake:mp3 squeezecenter-7.0-17793
    cd /usr/local
    ln -s /usr/local/archon/squeezecenter-7.0-17793 slimserver
  3. As root, install PERL modules that it needs (doesn't work automagically as it should):
    /usr/bin/perl -MCPAN -e shell
    cpan>install Compress::Zlib
    cpan>install GD
  4. Add this to /etc/rc.d/rc.local so it will run at start (as the quake user, not as root):
    # slimserver
    echo 'Firing up slimserver'
    sudo -u quake /usr/local/slimserver/slimserver.pl --daemon

Version 6.5.1

Download from slimdevices.com http://www.slimdevices.com/su_downloads.html

rpm2tgz SlimServer_v6.5.1.noarch.rpm
installpkg SlimServer_v6.5.1.noarch.tgz
mv /usr/local/slimserver/ /usr/local/archon/SlimServer_v6.5.1
ln -s /usr/local/archon/SlimServer_v6.5.1 /usr/local/slimserver
chown -R quake /usr/local/archon/SlimServer_v6.5.1/
chown quake /etc/slimserver.conf

# as the 'quake' user:
/usr/local/archon/SlimServer_v6.5.1/Bin/build-perl-modules.pl YAML::Syck
# need to do this, because we're x86_64 and this doesn't match our local MYSQL
cp /usr/share/mysql/english/errmsg.sys /usr/local/slimserver/MySQL/errmsg.sys

# to run this
/usr/local/slimserver/slimserver.pl --daemon

There was a problem with the [wmadec] program, I think because of the 64bit (or maybe just linux not windoze). Anyhoo, found this work around… in /usr/local/slimserver/slimserver-convert.conf (which over-rides options in /usr/local/slimserver/convert.conf) put this:

wma wav squeezebox *
  [ffmpeg] -v 0 -i $FILE$ -f wav -

wma mp3 * *
  [ffmpeg] -v 0 -i $FILE$ -f wav - | [lame] -x -m s -r -S -q 5 -s 44.1 - -

smbd (samba)

make a reasonable /etc/samba/smb.conf that doesn't allow outside connections (and also have them dropped at eth0 (wan), see Packet Filtering under Security) so outsiders cannot hit the server / files. Note that interfaces = eth1 lo on its own does not stop smbd listening on eth0; that needs bind interfaces only = yes as well, so the hosts deny / hosts allow pair and the eth0 drop rules are doing the real work here. (security = share was removed in Samba 4; a newer build wants security = user with map to guest = Bad User for the same guest-only effect.)

[global]
workgroup = DCGAMER
netbios name = ARCHON
wins support = yes
server string = Archon Samba Server
# don't log, we get hammered from the outside
# log file = /var/log/samba.%m
max log size = 50
interfaces = eth1 lo
hosts deny = ALL
hosts allow = 10.0.0.0/24 127.
security = share

[vault]
    comment = Archon Vault
    path = /vault/
    public = yes
    only guest = yes
    writable = no
    printable = no

I also enabled cups so that the printing would work from here also… why not:

chmod 755 /etc/rc.d/rc.cups
/etc/rc.d/rc.cups start

spamd (Spamassassin)

SpamAssassin download page

cd /usr/local/src
tar -jxvf ~/downloads/Mail-SpamAssassin-3.1.8.tar.bz2
cd Mail-SpamAssassin-3.1.8
perl Makefile.PL
make
make install

here is a /etc/rc.d/rc.spamd I found: rc.spamd

add this to etc/rc.d/rc.local

# spamd -- SAVE US hehehe
echo 'Firing up SPAMD spam assassin filter:'
/etc/rc.d/rc.spamd start

sshd

  • Enable the X windows pipe by default in /etc/ssh/ssh_config (with ForwardX11Trusted the remote X clients are treated as trusted and are not confined by the X SECURITY extension, so a compromised server could read your keystrokes and windows; it is only sensible as a default for servers you own, and ssh -Y turns it on per session anyway)
   ForwardX11 yes
   ForwardX11Trusted yes
  • Enable the X windows pipe by default in /etc/ssh/sshd_config
   X11Forwarding yes

talkd

Just uncomment the talkd line in /etc/inetd.conf and restart

vsftpd

I want just anonymous FTP available to the outside… ok, I added a couple 'choice' users to be able to FTP. So I modified the configuration file so that it checks a list, and if you're on the list… you can ftp (do not abuse this). Bear in mind that FTP sends those users' passwords in the clear, so keep the list short.

The only thing I changed in /etc/vsftpd.conf was

# I just want anonymous ftp... everyone can use scp or sftp to move files around
local_enable=YES
# with userlist_deny=NO the list is an allow list: only the users named in it may log in
userlist_deny=NO
userlist_enable=YES

So you need to add users to /etc/vsftpd.user_list

And, uncomment vsftp in /etc/inetd.conf and restart.

Kernel

I finally got ALL the correct modules installed so that the netfilter works. Here is my current kernel configuration file: archon.lattice.net.kernel.config.txt

Downloaded the latest stable kernel: linux-2.6.20.2.tar.bz2

cd /usr/src/
tar -jxvf linux-2.6.20.2.tar.bz2
mv linux-2.6.20/ linux-2.6.20.2   # skip this if the tarball already unpacked as linux-2.6.20.2
ln -s linux-2.6.20.2 linux
cd linux
make menuconfig
# set all your options
make
make modules_install   # modules first, so the install step sees a complete tree
make install

Libraries

a52dec

a52dec-0.7.4 (Directly from the development page )

./configure
make
make install

faad2

faad2-2.0 (Sourceforge)

NOTE: After you generate the Makefile you need to edit out the bottom. It is broken.

autoreconf -vif
./configure
# edit the Makefile and REMOVE the bottom RPM section (it is broken and we aren't doing that anyway)
make
make install

ffmpeg

Download the SVN ffmpeg development page

./configure --enable-liba52 --enable-gpl  --enable-libmp3lame --enable-libogg --enable-libvorbis \
 --enable-libtheora --enable-libfaad --enable-pthreads
make
make install

flac

flac-1.1.2 (Sourceforge)

./configure
make
make install

id3lib

id3lib-3.8.3 (http://id3lib.sourceforge.net/)

./configure
make
make install

id3tag

libid3tag-0.15.1b (Sourceforge Page )

./configure
make
make install

lame

lame-3.97 Download

./configure
make
make install

theora libs

libtheora-1.0alpha7

./configure
make
make install

libogg-1.1.3

./configure
make
make install

libvorbis-1.1.2

./configure
make
make install

Mainboard

Archon

Tyan Thunder K8-S2880

  • IDE Chipset: AMD-8111
  • RAID bus controller: Promise Technology, Inc. PDC20378 (FastTrak 378/SATA 378) (rev 02)

Testbed

Abit KX7-333R

  • IDE Chipset: VIA KT333 /VT8233A
  • Raid chipset HPT372 RAID controller

Mouse

gpm

your /etc/rc.d/rc.gpm should be this for a 3 button wheel mouse:

/usr/sbin/gpm -m /dev/mouse -t imps2

See the X11 section to modify that for activating the wheel mouse (I cannot seem to live without it now).

Network

Configuration

NAT Gateway

You're going to need (I just make them all as modules, and let the kernel sort it out) the net/ipv4/netfilter stuff. I literally just make a whole lot of modules and hope I get the right ones. It says “required for NAT” in several places.

For the local LAN you need to let the machines get out. Just add this to /etc/rc.d/rc.local. (MASQUERADE on its own only rewrites addresses; with the default ACCEPT policy on the FORWARD chain, turning ip_forward on also makes the box route anything it receives on either interface, so FORWARD wants restricting to LAN-to-WAN traffic plus the established replies coming back.)

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out the WAN interface (-o eth0)
# which says to MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
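A small stateful rule set that combines the MASQUERADE line above with default-DROP policies, as an added example (not the page's own rc.local lines). It also covers the Packet Filtering section further down: with INPUT dropping by default on eth0, the Samba and slimserver ports are closed from outside without a rule each. It assumes eth0 is the WAN and eth1 the 10.0.0.0/24 LAN, as elsewhere on the page; the WAN_TCP list is this example's guess at the services the page publishes outside, so adjust it. Setting IPT=echo prints the rules instead of loading them, which is how it can be checked without root.

```shell
#!/bin/sh
#
# Added example (not the page's own rc.local lines): a small stateful rule set
# for the archon gateway, with the MASQUERADE line above and default-DROP
# policies, so the Samba/slimserver drops in the Security section become
# unnecessary. Assumptions: eth0 is the WAN, eth1 the 10.0.0.0/24 LAN (as
# elsewhere on the page); WAN_TCP is this example's list of the services the
# page says archon offers outside. Needs the ip_conntrack/ipt_state modules
# ("required for NAT" in menuconfig) for the -m state matches.
# Set IPT=echo to print the rules instead of loading them (dry run).

IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/24
WAN_TCP="22 25 53 80 443 993 995"      # ssh smtp dns http https imaps pop3s
WAN_UDP="53"

build_rules() {
    # start clean
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # loopback, and anything that belongs to a connection we already allowed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # the LAN may reach every service on the box (samba, slimserver, snmp...)
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # on the WAN only the published services; everything else, SMB, 9000
    # and 161 included, is dropped by the policy
    for p in $WAN_TCP; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $WAN_UDP; do
        $IPT -A INPUT -i "$WAN" -p udp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT

    # forwarding: LAN out, replies back in, nothing new from the WAN
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    build_rules && echo 1 > /proc/sys/net/ipv4/ip_forward
else
    IPT=echo                          # not root: show what would be loaded
    build_rules
fi
```

The order matters: the rules are loaded before ip_forward is switched on, so there is no window in which the box forwards with an empty FORWARD chain. Anything you later want reachable from outside (the MRTG pages, say) is one more port in WAN_TCP rather than a new DROP rule somewhere else.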

resolv.conf

Use yourself as name server, because you are the man.

# /etc/resolv.conf for archon.lattice.net - dlr 20070317
#
nameserver 127.0.0.1
search lattice.net nofadz.com gsfc.nasa.gov

Monitoring

net-snmpd

net-snmpd download page.

./configure  
# with the following responses:  '3' (default), 'david@lattice.net', 'Ellicott City, MD USA',
#                                '/var/log/snmpd.log' (default), '/var/net-snmp' (default)
make
make install
ldconfig

Rename the example snmpd.conf to /etc/snmpd/snmpd.conf, and modify it with the following changes. Bear in mind that with SNMP v1 the community string is the only credential and it crosses the wire in the clear, and that the third com2sec line grants the whole 71.127.151.0/24 ISP block read access to the box (process list, routing table, interface counters), not just sage; narrow it to the hosts that need it, and drop UDP 161 on eth0 unless something outside really has to poll it (SNMPv3 with authentication is the proper fix).

#       sec.name  source          community
com2sec local     localhost         archcomm
com2sec mynetwork 10.0.0.0/24       archcomm
com2sec mynetwork 71.127.151.0/24   archcomm

# and down the road...

syscontact "david <david@lattice.net>"
syslocation "Ellicott City, MD USA"

Modify your /etc/rc.d/rc.local with the following line:

/usr/local/sbin/snmpd -c /etc/snmpd/snmpd.conf

Here is how you can test if your daemon is running properly

snmpwalk -v 1 -c "archcomm" localhost  

mrtg

http://oss.oetiker.ch/mrtg/

I have mrtg installed as /usr/local/archon/mrtg-2.15.2/ and sym linked it:

ln -s /usr/local/archon/mrtg-2.15.2 /usr/local/mrtg

Build it as instructed:

cd /usr/local/mrtg
./configure
make

Configure it with in /usr/local/mrtg/conf

mkdir /usr/local/mrtg/conf
cd /usr/local/mrtg/conf
/usr/local/mrtg/bin/cfgmaker archcomm@archon.lattice.net > archon_mrtg.cfg
/usr/local/mrtg/bin/cfgmaker archcomm@sage.lattice.net > sage_mrtg.cfg
# make directories for the data to be stored:
mkdir /var/www/htdocs/secure/staff/archon/
mkdir /var/www/htdocs/secure/staff/sage/

Modify each config file so that the following options are used (replace WWW dir properly!):

Options[_]: growright, bits
WorkDir: /var/www/htdocs/secure/staff/archon/

Go to the working directory and generate an index file:

cd /var/www/htdocs/secure/staff/archon/
/usr/local/mrtg/bin/indexmaker /usr/local/mrtg/conf/archon_mrtg.cfg > index.html

I have a script that runs via a cron job, here is my /root/mrtg/run_mrtg.sh

#!/bin/sh
#
/usr/local/mrtg/bin/mrtg /usr/local/mrtg/conf/archon_mrtg.cfg
/usr/local/mrtg/bin/mrtg /usr/local/mrtg/conf/sage_mrtg.cfg

Here is my crontab entry that runs the shell script every 5 minutes

# Run MRTG network status every 5 minutes:
*/5 * * * * /root/mrtg/run_mrtg.sh 1> /dev/null 2> /dev/null

Security

Packet Filtering

Someone found a way through the firewall once to hit the Samba server, so I added these lines to /etc/rc.d/rc.local to just drop any samba packets at the WAN interface. (The reason these are needed at all is that the INPUT chain's default policy is ACCEPT; with a DROP policy on eth0 and explicit allows for the published services, Samba, slimserver and the next surprise would all be covered without a rule each.)

I also blocked the slim server access from outside, just seemed like a bad idea 8-) Note these are OUTPUT rules: dropping our own packets with --sport 9000 means the SYN-ACK never leaves eth0, so an outside connection attempt fails, which works, but the direct way to say it is an INPUT -i eth0 -p tcp --dport 9000 -j DROP.

# block SMB ports from the outside
# NOTE: -A appends to the end of the chain. If an earlier INPUT rule already
# ACCEPTs this traffic these DROPs are never reached, so they must come before
# any such ACCEPT (or be inserted at the head with -I).
iptables -A INPUT -i eth0 -p udp --dport 137 -j DROP
iptables -A INPUT -i eth0 -p udp --sport 137 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 138 -j DROP
iptables -A INPUT -i eth0 -p udp --sport 138 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 139 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 139 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 445 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 445 -j DROP
 
# and to be sure, we don't send anything out on these ports also
iptables -A OUTPUT -o eth0 -p udp --dport 137 -j DROP
iptables -A OUTPUT -o eth0 -p udp --sport 137 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 138 -j DROP
iptables -A OUTPUT -o eth0 -p udp --sport 138 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 139 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --sport 139 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 445 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --sport 445 -j DROP
 
# block port 9000 so slimserver can't be accessed from outside
# (only OUTPUT is filtered here: dropping our replies with source port 9000
# kills the handshake from outside, and dropping --dport 9000 keeps this box
# from connecting out to port 9000; an INPUT --dport 9000 rule would refuse
# the connection outright)
iptables -A OUTPUT -o eth0 -p tcp --dport 9000 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --sport 9000 -j DROP
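
The script below is an added example, not code from the original page. It generates the same WAN-side blocks with -I (so they land ahead of any ACCEPT already in the chain), adds the INPUT rule for port 9000 that the rc.local lines leave out, and includes a check that reads iptables-save output and reports whether a DROP for a given port is actually reachable or sits behind a catch-all ACCEPT. It assumes eth0 is the WAN interface, as on this page; the two iptables-save dumps it checks are constructed samples, not output from archon.

```sh
#!/bin/sh
# Added example, not code from the original page. Two gaps in the rc.local
# rules above:
#  - "iptables -A" appends, so a broad ACCEPT already in INPUT would shadow
#    the DROPs; -I puts them at the head of the chain instead.
#  - slimserver's port 9000 is only filtered on OUTPUT; an INPUT rule refuses
#    the connection outright.
# Assumes eth0 is the WAN interface, as on the page.
WAN_IF=${WAN_IF:-eth0}

# Print the rule set: one inbound DROP on the WAN interface per service, plus
# an outbound DROP so this box never talks to those ports across the WAN.
wan_block_rules() {
  for svc in "udp 137" "udp 138" "tcp 139" "tcp 445" "tcp 9000"; do
    set -- $svc
    printf 'iptables -I INPUT -i %s -p %s --dport %s -j DROP\n' "$WAN_IF" "$1" "$2"
    printf 'iptables -I OUTPUT -o %s -p %s --dport %s -j DROP\n' "$WAN_IF" "$1" "$2"
  done
}

# drop_precedes_accept CHAIN PORT < "iptables-save -t filter" output
# Returns 0 if CHAIN has a DROP for --dport PORT and no unconditional ACCEPT
# sits in front of it. ACCEPTs restricted to existing connections (--state or
# conntrack matches) are ignored, since they cannot admit a new connection.
drop_precedes_accept() {
  awk -v chain="$1" -v port="$2" '
    $1 == "-A" && $2 == chain {
      n++
      if (!drop && index($0, "--dport " port " ") && $NF == "DROP") drop = n
      if (!acc && $NF == "ACCEPT" && !index($0, "--state") && !index($0, "conntrack")) acc = n
    }
    END { exit (drop && !(acc && acc < drop)) ? 0 : 1 }'
}

# Constructed dumps (not real output from the page's host), in the format
# "iptables-save -t filter" prints: the first has the DROP appended after a
# catch-all ACCEPT, the second has it inserted ahead of everything.
APPENDED_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j DROP
COMMIT'
INSERTED_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT'

report() {
  if printf '%s\n' "$2" | drop_precedes_accept INPUT 445; then
    echo "$1: port 445 DROP is reachable"
  else
    echo "$1: port 445 DROP is shadowed by an earlier ACCEPT"
  fi
}

if [ "${1:-}" = "apply" ]; then
  # needs root; each printed line is a complete iptables command
  wan_block_rules | while read -r cmd; do $cmd; done
else
  wan_block_rules
  report appended "$APPENDED_DUMP"
  report inserted "$INSERTED_DUMP"
fi
```

Run it with no arguments to see the rules it would load and the verdict on the two sample dumps, and with `apply` as root to load them. After loading, pipe `iptables-save -t filter` into drop_precedes_accept for each port to confirm the real chain has the DROPs in front; that is the check the rc.local lines cannot give you.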

sshd config

Restrict who can log in via /etc/ssh/sshd_config: only members of the listed groups, no direct root login, and protocol 2 only. Check the edited file with sshd -t before restarting sshd, and keep an existing session open until a fresh login succeeds:

# only allow valid users to login
AllowGroups nofadz users
# do not let root log in directly
PermitRootLogin no
# only allow protocol 2
Protocol 2
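
One thing the three lines above do not protect against: sshd_config is first-match, so an uncommented PermitRootLogin yes left higher in the file silently wins over the PermitRootLogin no added at the bottom. The script below is an added example, not code from the original page; it reports the value sshd will actually use for a keyword and checks the three settings from this section. The AllowGroups value is the one from the page; the two sample configs are constructed, not archon's real file.

```sh
#!/bin/sh
# Added example, not code from the original page. sshd_config is first-match:
# the first uncommented occurrence of a keyword wins, and lines after a
# "Match" block apply only to connections that match it. The three settings
# on this page therefore only take effect if no earlier uncommented line has
# already set them.

# sshd_effective KEYWORD < sshd_config
# Prints the value sshd uses for KEYWORD; returns 1 if it is not set before
# any Match block. Keyword matching is case-insensitive, as in sshd, and the
# "Keyword=value" spelling is accepted as well.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }                   # comment
    /^[ \t]*$/ { next }                   # blank line
    tolower($1) == "match" { exit }       # everything below is conditional
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      sub(/[ \t]*=[ \t]*/, " ", line)
      sub(/[ \t]+$/, "", line)
      kw = line; sub(/[ \t].*$/, "", kw)
      if (tolower(kw) == key) {
        val = line; sub(/^[^ \t]+[ \t]+/, "", val)
        if (val == kw) val = ""           # keyword given with no value
        print val; found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }'
}

# sshd_hardening_check < sshd_config
# Returns 0 only if root logins are off, protocol 2 alone is enabled and an
# AllowGroups list is in effect. A keyword that is not set fails the check
# instead of assuming a default, since defaults differ between OpenSSH versions.
sshd_hardening_check() {
  cfg=$(cat)
  root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin) || return 1
  proto=$(printf '%s\n' "$cfg" | sshd_effective Protocol) || return 1
  groups=$(printf '%s\n' "$cfg" | sshd_effective AllowGroups) || return 1
  [ "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" = "no" ] &&
    [ "$proto" = "2" ] && [ -n "$groups" ]
}

# Constructed samples (not the page's real sshd_config). The second has a
# leftover uncommented default above the added lines, so sshd keeps root
# logins enabled while the bottom of the file still looks hardened.
GOOD_CFG='# only allow valid users to login
AllowGroups nofadz users
# do not let root log in directly
PermitRootLogin no
# only allow protocol 2
Protocol 2'

BAD_CFG='PermitRootLogin yes
AllowGroups nofadz users
PermitRootLogin no
Protocol 2'

check_and_report() {
  if printf '%s\n' "$2" | sshd_hardening_check; then
    echo "$1: hardened"
  else
    echo "$1: NOT hardened (PermitRootLogin in effect: $(printf '%s\n' "$2" | sshd_effective PermitRootLogin))"
  fi
}
check_and_report good "$GOOD_CFG"
check_and_report bad "$BAD_CFG"
```

On the real box run `sshd_effective PermitRootLogin < /etc/ssh/sshd_config` (and likewise for Protocol and AllowGroups) rather than trusting that the lines you appended are the ones in force.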

Shaping

I built this script off something I found online (like everything really), not sure if this is the RIGHT way to do this, but this seems to work.

/etc/rc.d/htp.homebrew

And I put this in my /etc/rc.d/rc.local to fire up on boot.

Package Updates

slackupdate (modified)

NOTE: Deprecated… I think slapt-get is the way to go (see below)

Slamd64 is the slackware x64 home, and you can get all the packages at this get slamd64 page

I've modified the slackupdate.sh shell script so that it will update packages from slamd64. The script is here. Here are the modifications:

# modified the server list at the top
Server1="ftp://anorien.warwick.ac.uk/slamd64/"
Server2="ftp://mirror.vbfx.com/slamd64/"
Server3="ftp://ftp.heanet.ie/pub/slamd64/"
Server4="ftp://ftp.nara.wide.ad.jp/pub/Linux/Slamd64/"
Server5="ftp://ftp.slackware.pl/pub/slamd64/"
 
# turned OFF version check ~ line 53
VersionCheck=0  # VersionCheck: 0 - Do not check for a newer version of slackupdate
                # since this often takes WAY too long
 
# forced slamd as the base version ~ line 628
Version1='slamd64'
 
# forced gpg usage to NO ~ line 166
# (this turns off signature checking of the fetched packages, so whatever
# the mirror above serves gets installed as-is)
  Use_GPG=0

slapt-get

Download the source tar from slapt-get home page.

cd /usr/local/src/slapt-get-0.9.11g
make
make install

Modify /etc/slapt-get/slapt-getrc with

SOURCE=ftp://anorien.warwick.ac.uk/slamd64/slamd64-11.0/

And then you need to run update

slapt-get --update
# and then upgrade our packages, go ahead and get everything
slapt-get --upgrade --ignore-excludes          
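
Both update paths install whatever the FTP mirror serves: slackupdate above has signature checking turned off, and slapt-get pulls from the same kind of mirror. The script below is an added example, not code from the original page or from either tool. It verifies a downloaded package against the tree's CHECKSUMS.md5 before installpkg, and checks the signature on that list when gpg and CHECKSUMS.md5.asc are available. It assumes the slamd64 tree uses the Slackware layout (each CHECKSUMS.md5 line is "<md5>  ./<path from the tree root>", with CHECKSUMS.md5.asc a detached signature over it); the demo tree and package names are constructed.

```sh
#!/bin/sh
# Added example, not code from the original page. Both update paths above
# install whatever the FTP mirror serves: slackupdate with Use_GPG=0 checks
# no signature, and this check is cheap to run by hand before installpkg.
# Assumes the slamd64 tree uses the Slackware layout: each CHECKSUMS.md5 line
# reads "<md5>  ./<path from the tree root>", and CHECKSUMS.md5.asc is a
# detached GPG signature over CHECKSUMS.md5.

# md5_of FILE: hex MD5 digest, using whichever tool the host has.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
  else echo "no md5 tool found" >&2; return 2
  fi
}

# expected_md5 CHECKSUMS_FILE RELPATH: the digest listed for ./RELPATH;
# returns 1 if the package is not listed at all.
expected_md5() {
  awk -v want="./$2" '
    $2 == want { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }' "$1"
}

# verify_pkg TREE RELPATH: 0 if TREE/RELPATH matches its listed digest.
# The signature on CHECKSUMS.md5 is checked when gpg and the .asc file are
# both present (the signing key must already be in the keyring); otherwise
# it warns, because then the digest list is only as trustworthy as the mirror.
verify_pkg() {
  tree=$1; rel=$2; sums="$tree/CHECKSUMS.md5"
  [ -f "$sums" ] || { echo "missing $sums" >&2; return 1; }
  if [ -f "$sums.asc" ] && command -v gpg >/dev/null 2>&1; then
    gpg --verify "$sums.asc" "$sums" >/dev/null 2>&1 ||
      { echo "bad signature on CHECKSUMS.md5" >&2; return 1; }
  else
    echo "warning: CHECKSUMS.md5 signature not checked" >&2
  fi
  want=$(expected_md5 "$sums" "$rel") ||
    { echo "$rel is not listed in CHECKSUMS.md5" >&2; return 1; }
  have=$(md5_of "$tree/$rel") || return 1
  [ "$have" = "$want" ]
}

# make_demo_tree: constructed mirror tree (not a real one) with one package
# listed correctly and one whose listed digest does not match its contents.
# Prints the directory it created.
make_demo_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/slamd64/a"
  printf 'hello\n' > "$dir/slamd64/a/good-1.0-x86_64-1.tgz"
  printf 'hello\n' > "$dir/slamd64/a/tampered-1.0-x86_64-1.tgz"
  # b1946ac9... is md5("hello\n"); the second digest is deliberately wrong
  printf '%s  ./slamd64/a/good-1.0-x86_64-1.tgz\n' b1946ac92492d2347c6235b4d2611184 > "$dir/CHECKSUMS.md5"
  printf '%s  ./slamd64/a/tampered-1.0-x86_64-1.tgz\n' 00000000000000000000000000000000 >> "$dir/CHECKSUMS.md5"
  echo "$dir"
}

demo=$(make_demo_tree)
for pkg in good tampered; do
  if verify_pkg "$demo" "slamd64/a/$pkg-1.0-x86_64-1.tgz" 2>/dev/null; then
    echo "$pkg: digest matches, ok to installpkg"
  else
    echo "$pkg: digest mismatch or unlisted, do NOT install"
  fi
done
rm -rf "$demo"
```

Against a real mirror checkout, call `verify_pkg /path/to/slamd64-11.0 slamd64/a/<package>.tgz` on each downloaded file; a match only means the file equals what the mirror lists, so import the signing key and keep CHECKSUMS.md5.asc alongside the list, otherwise the warning branch is the one you get.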

Troubleshooting

  • The terminal colors that we all loved so much are gone? How to fix?
    Found this link about colors (http://forums.slamd64.com/viewtopic.php?t=517&highlight=colors) on the slamd64.com site.
    The solution was just to re-install the pkgtools package.

User Programs

bittorrent

Welp, I don't see it in the extras directory…. that's odd?

hexedit

Download http://rigaux.org/hexedit-1.2.12.src.tgz and install

./configure
make
make install

id3v2

You need to install id3lib first, but after that, installing this program was simple:

make
make install

IDL

Untar the install program in /usr/local/archon/rsi/ and then run ./install from there and press the keys like a good little monkey. I'm going to try and put local installs all in this directory and then symlink out to /usr/local/ if the programs want to be there. I dunno, keeps it cleaner to put it all under archon I think.

Use my personal license file, and good to go.

md5deep

Go to the download page and grab the stable one.

make linux
make install

MPlayer

MPlayer v1.0rc1 (MPlayer main page)

./configure
make
make install

And you'll want to get all the codecs:

AMD64bit codecs

# untar the codecs into /usr/local/lib/codecs and link it as well:
tar -jxvf ../essential-20061022.tar.bz2
mv essential-20061022 /usr/local/lib/codecs
ln -s /usr/local/lib/codecs /usr/local/lib/win32
tar -jxvf ../essential-amd64-20061203.tar.bz2
mv essential-amd64-20061203/* /usr/local/lib/codecs/

perl podcast

Grab this package, and just put the program podcast.pl in /usr/local/bin/:

As root, you need to install XML::Simple first:

perl -MCPAN -e shell
install XML::Simple

And then setup a directory and configuration file

mkdir /vault/audio/podcasts/
mkdir /vault/audio/podcasts/mp3/
cp perlpodcast.conf /vault/audio/podcasts/
cat /vault/audio/podcasts/perlpodcast.conf
########### my perlpodcast.conf ###########
sources_file /vault/audio/podcasts/sources.txt
mp3_dir /vault/audio/podcasts/mp3
playlist_file /vault/audio/podcasts/playlist.pls
history_file /vault/audio/podcasts/history.dat

You'll want to add this to your crontab:

# Check for new podcasts at 4:20pm every Friday:
20 16 * * 5 /usr/local/bin/podcast.pl -c /vault/audio/podcasts/perlpodcast.conf 1> /dev/null

pine

  • adding the header and bounce options

rar

Copy the rar binary into /usr/local/bin/

sirc

I found a source tar on a debian page: http://ftp.debian.org/debian/pool/main/s/sirc/sirc_2.211.orig.tar.gz

This one is very straightforward (you'll just need to answer a few questions).

./install

teqc

This program will convert any GPS binary file into RINEX. It is the Swiss army knife of GPS processing.

Download the 64bit one http://facility.unavco.org/software/teqc/development/teqc_Lx86_64d.tar.Z

And just untar it in /usr/local/bin/

zgal

You can grab it here at the zgal main page.

./install-zgal.sh
#
# Don't forget to install the perl module Image::Size
#
tar xvfz Image-Size-2.98.tar.gz
cd Image-Size-2.98
#
# To build:
#
perl Makefile.PL
make && make test
#
# If Image::Size passes all tests, then:
#
make install

Utils

ClamAV

Anti-virus tool. Consider installing this on archon to scan incoming mail.

ClamAV

phpMyAdmin

  • Download the latest version from phpMyAdmin Home
  • Untar into /var/www/htdocs/staff/ and then make a symlink named phpMyAdmin pointing at the current version
cd /var/www/htdocs/staff  # you may have to make this one (not sure where you are)
tar -jxvf ~/downloads/phpMyAdmin-2.10.0.2-all-languages-utf-8-only.tar.bz2
ln -s phpMyAdmin-2.10.0.2-all-languages-utf-8-only phpMyAdmin
  • Generate a configuration file /var/www/htdocs/staff/phpMyAdmin/config.inc.php. This puts a SQL console on the web, so keep it in a directory that requires authentication, never in a public vhost.

squirrelmail

  • Grab from the squirrelmail download page
  • Make a directory and install the files.
mkdir /var/www/htdocs/secure/
cd /var/www/htdocs/secure/
tar -jxvf ~/downloads/squirrelmail-1.4.9a.tar.bz2
ln -s squirrelmail-1.4.9a mail
  • Build up the directories needed
mkdir /usr/local/var/squirrelmail
mkdir /usr/local/var/squirrelmail/attach
mv /var/www/htdocs/secure/mail/data /usr/local/var/squirrelmail
chown -R nobody:nobody /usr/local/var/squirrelmail/attach /usr/local/var/squirrelmail/data
chmod 0730 /usr/local/var/squirrelmail/attach
  • Run the config program (there are lots of settings, just make sure the paths and dovecot are set for sure)
./configure  # which just calls ./config/conf.pl
  • Need to increase the allowed memory for PHP: /etc/apache/php.ini
memory_limit = 128M      ; Maximum amount of memory a script may consume (128MB)

X11

Make sure that your gpm is using IMPS/2 also (see above).

add these lines to your /etc/X11/xorg.conf:

    Option      "Protocol"    "IMPS/2"  # change PS/2 to IMPS/2 to get the scroll wheel
    Option      "ZAxisMapping" "4 5"
    Option      "Emulate3Buttons" "no"

To make the X server NOT listen on port 6000 for X11 connections, do these:

Taken directly from http://slackworld.berlios.de/02/tips.html

/usr/X11R6/bin/startx:
serverargs="-nolisten tcp"

/etc/X11/gdm/gdm.conf:
command=/usr/X11R6/bin/X -nolisten tcp

/etc/X11/xdm/Xservers:
:0 local /usr/X11R6/bin/X -nolisten tcp

/opt/kde/share/config/kdm/Xservers:
:0 local@tty1 /usr/X11R6/bin/X vt7 -nolisten tcp
computers/serverconfig.1223051450.txt.gz · Last modified: 2008/10/03 16:30 by david