'''To [[SystemAdministration/Systems|Systems Overview]]'''
----
= Systems - Sun2 =
= Basics =
== Purpose ==
Sun2 is a vserver host machine that runs Debian etch and a number of virtual servers. It acts as a syslog server for all virtual servers, exporting /var/log to the logging server for analysis.

== Physical Location ==
This system is located in a rack.

== Physical Configuration ==
See [[SystemAdministration/EquipmentList]]

== Logical location ==
 * IP: 172.28.50.12 sun2.intra.cacert.org
 * IP: 192.168.1.5

== Applicable Documentation ==
This is it :-)

== Administration ==
System Admin:
 * Philipp Gühring

= Services =
== Listening services ==
|| port || service || access origin || purpose ||
|| 22 || SSH || [[SystemAdministration/Systems/hopper|hopper]] || SSH access for remote administration ||
|| 514 || syslog || 172.16.2.0/24 || Centralised syslog ||

== Running services ==
|| Service || Started from ||
|| cron || /etc/init.d/cron ||
|| syslog-ng || /etc/init.d/syslog-ng ||
|| ssh || /etc/init.d/ssh ||
|| ntp || /etc/init.d/ntp ||
|| bbackupd || /etc/init.d/boxbackup-client ||

== Other services ==
Updates the OCSP server using the /root/ocspupdate.sh script, run from cron.

== Connected Systems ==
Connected to all vservers:
 1. [[SystemAdministration/Systems/OCSP|OCSP]]
 1. [[SystemAdministration/Systems/Crl|crl]]
 1. [[SystemAdministration/Systems/Wiki|wiki]]
 1. [[SystemAdministration/Systems/Blog|Blog]]
 1. [[SystemAdministration/Systems/Irc|irc]]
 1. [[SystemAdministration/Systems/Svn|SVN]]
 1. [[SystemAdministration/Systems/Bugs|bugs]]
 1. [[SystemAdministration/Systems/Lists|lists]]
 1. [[SystemAdministration/Systems/Www|www]] - powered off, migration webpage
 1. [[SystemAdministration/Systems/Email|email]]
 1. [[SystemAdministration/Systems/Community|webmail]]
 1. [[SystemAdministration/Systems/Test2|test2]]
 1. [[SystemAdministration/Systems/Dupes|dupes]]
 1. [[SystemAdministration/Systems/Translingo|translingo]]
 1. [[SystemAdministration/Systems/Cats|CATS]]
 1. [[SystemAdministration/Systems/Issue|issue]]
 1. [[SystemAdministration/Systems/Logging|logging]]
 1. [[SystemAdministration/Systems/Forum|forum]]
 1. [[SystemAdministration/Systems/Cod|cod]]
 1. [[SystemAdministration/Systems/Emailout|emailout]]

=== Outbound network connections ===
 * Does backups to 172.28.50.80 tcp dpt:2201
 * maybe emails things to 172.16.2.3 '''TODO'''
 * Does DNS somewhere using 172.28.50.1
 * Fetches the CRL off the CAcert homepage for OCSP use
 * NTP to nl.pool.ntp.org
 * Firewall rules: /etc/firewall.sh (includes the firewall rules of all vservers on this host)

= Security =
== Non-distribution packages and modifications ==
== Risk assessments on critical packages ==

= Tasks =
== Vserver navigation ==
 1. list vservers - sudo vserver-stat
 1. enter a vserver - sudo vserver {machine} enter

== Where are the vserver IP addresses ==
 * more /etc/vservers/*/interfaces/*/ip

== Building vservers ==
 * ''vserver ${NAME} build -m debootstrap -n ${NAME} --hostname ${NAME}.cacert.org --netdev eth0 --interface ${IP} -- -d lenny -m http://ftp.nl.debian.org/debian''
 * add the IP to [[SystemAdministration/IPList]]
 * mkdir /var/log/${IP} /var/lib/vservers/${NAME}/var/log/remote /var/lib/vservers/${NAME}/etc/skel/.ssh
 * add the read-only bind mount of the host-side log directory to the vserver's fstab: echo "/var/log/${IP} /var/log/remote none ro,bind 0 0" >> /etc/vservers/${NAME}/fstab
 * add firewall rules for your new server in sun2:/etc/firewall.sh
 * change syslogging to remote in /var/lib/vservers/${NAME}/etc/rsyslog.d/remotelog.conf: ''*.* @172.16.2.12'' # sun2.intra.cacert.org (''cp /var/lib/vservers/cod/etc/rsyslog.d/remotelog.conf /var/lib/vservers/${NAME}/etc/rsyslog.d/remotelog.conf'')
 * vserver ${NAME} start
 * vserver ${NAME} enter
 * email critical-admin@cacert.org to request access by the sysadmin for that server
 * email dns-admin@cacert.org to request internal DNS records be added for ${NAME}.intra.cacert.org
 * add ${IP} ${NAME} to /etc/hosts
 * create admin accounts on that vserver - useradd -m ${ADMIN}
 * install the ssh key in /home/${ADMIN}/.ssh/authorized_keys
 * chown ${ADMIN}:${ADMIN} /home/${ADMIN}/.ssh/authorized_keys
 * apt-get install sudo
 * echo "${ADMIN} ALL=NOPASSWD: ALL" >> /etc/sudoers
 * su - ${ADMIN}
 * echo {gobbledygoodkpassws} > passwd
 * sudo passwd ${ADMIN}
 * exit
 * apt-get install openssh-server postfix cron-apt
 * sed -i -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config; /etc/init.d/ssh restart
 * add a ${NAME}-admin@cacert.org >> $ADMIN email alias on the email system (or email email-admin@cacert.org to request it)
 * echo "MAILTO=${NAME}-admin@cacert.org" > /etc/cron-apt/config.d/config
 * sender-only postfix config:
 * cp /var/lib/vservers/blog/etc/postfix/main.cf /var/lib/vservers/blog/etc/postfix/sender_rewrite* /var/lib/vservers/${NAME}/etc/postfix/
 * sed -i -e "s/blog/${NAME}/g" -e "s/172\.16\.2\.13/${IP}/g" /var/lib/vservers/${NAME}/etc/postfix/main.cf
 * echo cacert.org > /var/lib/vservers/${NAME}/etc/mailname
 * TODO etckeeper(?)

= Critical Configuration items =
== Firewall ==
 * /etc/firewall.sh - Firewall configuration
 * /etc/cron.monthly/iptables - resets the tallies on the iptables rules and saves a copy in /var/log/x41002/iptables*
 * /var/log/x41002/iptables* - firewall logs from the monthly tally or a restart of /etc/firewall.sh

= Changes =
== Planned ==
=== Document Backups ===
----
CategorySystems
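One way to audit a guest against the "Building vservers" checklist above, as an added example (not a script from the wiki page or from CAcert's admins): it only reads files and reports each step whose on-disk result is missing. It assumes the util-vserver layout used on sun2 (host-side config under /etc/vservers/${NAME}, guest root under /var/lib/vservers/${NAME}); both roots can be overridden via environment variables for testing.

```shell
#!/bin/sh
# Audit helper for the "Building vservers" checklist (added example, not the
# wiki page's own script). Read-only: it reports deviations, changes nothing.
# Assumed layout: /etc/vservers/NAME for host-side config, /var/lib/vservers/NAME
# for the guest root; override both through the environment when testing.
VSERVERS_CONF="${VSERVERS_CONF:-/etc/vservers}"
VSERVERS_ROOT="${VSERVERS_ROOT:-/var/lib/vservers}"
LOGHOST="172.16.2.12"          # syslog target from remotelog.conf above
LOGHOST_RE='172\.16\.2\.12'    # same address, escaped for grep -E

# check_vserver NAME IP: prints one line per deviation, returns 1 if any.
check_vserver() {
    name="$1"; ip="$2"; rc=0
    conf="$VSERVERS_CONF/$name"; root="$VSERVERS_ROOT/$name"

    # host-side log directory must be bind-mounted read-only into the guest
    if ! grep -qsF "/var/log/$ip /var/log/remote none ro,bind 0 0" "$conf/fstab"; then
        echo "$name: fstab lacks ro bind mount of /var/log/$ip"; rc=1
    fi
    # every facility forwarded to sun2 (plain UDP syslog, no transport security)
    if ! grep -qsE "^\*\.\* @$LOGHOST_RE"'([^0-9]|$)' "$root/etc/rsyslog.d/remotelog.conf"; then
        echo "$name: rsyslog does not forward *.* to $LOGHOST"; rc=1
    fi
    # key-only SSH: the sed step must have produced an active 'no' line
    if ! grep -qs '^PasswordAuthentication no' "$root/etc/ssh/sshd_config"; then
        echo "$name: sshd_config still allows password authentication"; rc=1
    fi
    # cron-apt mail must reach the per-guest admin alias
    if ! grep -qs "^MAILTO=$name-admin@cacert.org" "$root/etc/cron-apt/config.d/config"; then
        echo "$name: cron-apt MAILTO is not $name-admin@cacert.org"; rc=1
    fi
    # postfix config copied from blog must have been rewritten for this guest
    if [ "$name" != blog ] && grep -qs -e 'blog' -e '172\.16\.2\.13' "$root/etc/postfix/main.cf"; then
        echo "$name: postfix main.cf still carries blog's name or IP"; rc=1
    fi
    if ! grep -qs '^cacert\.org$' "$root/etc/mailname"; then
        echo "$name: /etc/mailname is not cacert.org"; rc=1
    fi
    return $rc
}
```

Run it as `check_vserver ${NAME} ${IP}` on sun2 after the checklist; a silent exit status 0 means every checked step left the expected trace.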