I've put the 60GB drive from backup in admin. We can use it to back up less important machines, like image and quarkprime.
I've patched quark and quarkprime against this vulnerability.
I have installed and configured MailScanner on quark. See this post for details.
While I was upgrading everything else, I thought I might as well upgrade image, to keep things consistent. It now has OpenSSL 0.9.7d and OpenSSH 3.8p1.
I've upgraded NTP from pkgsrc to 4.2.0 in response to some possible security holes.
I installed OpenSSH 3.8p1 from ports, and symlinked all the binaries from /usr/local to /usr. I then changed the rc script to point to /usr/local, and symlinked /etc/ssh to /usr/local/etc.
I've installed OpenSSL 0.9.7d on backup. People should link against this rather than the base install when compiling stuff.
I've upgraded sendmail on both the current and new images to protect against security vulnerabilities.
On the RH7.3 image, I upgraded to 8.11.6-27.73. On the RH9 image, I upgraded to 8.12.11-5. I also used DaemonPortOptions to disallow non-local access to port 25.
I've made some changes to tcp_wrappers to make it more secure on the current and upcoming ACL images. I added 159.28.135. and 159.28.230. to the "ALL: .cs.earlham.edu" in hosts.allow, and an "ALL:ALL" line to hosts.deny.
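To make the effect of that hosts.deny line checkable without touching a real box, here is an added example (mine, not part of the original entry) that emulates the tcp_wrappers lookup order from hosts_access(5) for exactly the patterns above. It is a simplification: it matches the client string you hand it and does no reverse-DNS lookup or paranoid check. The DENY_ALL knob is an assumption added so the two states (with and without "ALL: ALL" in hosts.deny) can be compared.

```shell
#!/bin/sh
# Added example: emulate the tcp_wrappers decision for the rules in the post.
#
# Lookup order in hosts_access(5):
#   1. grant if any hosts.allow entry matches,
#   2. otherwise deny if any hosts.deny entry matches,
#   3. otherwise grant.
# Step 3 is the reason hosts.deny needs "ALL: ALL": without it, any client
# that matches nothing in hosts.allow is still let in.

# Patterns from the post's "ALL: .cs.earlham.edu 159.28.135. 159.28.230." line.
# A leading dot matches host names ending in the pattern; a trailing dot
# matches addresses beginning with it.
ALLOW_PATTERNS=".cs.earlham.edu 159.28.135. 159.28.230."

# Assumption: 1 when hosts.deny contains "ALL: ALL", 0 when it is empty.
DENY_ALL=1

# pattern_matches PATTERN CLIENT -> exit 0 if the wrappers pattern matches.
pattern_matches() {
    pat=$1
    client=$2
    case $pat in
        ALL)
            return 0 ;;
        .*)
            case $client in
                *"$pat") return 0 ;;
            esac ;;
        *.)
            case $client in
                "$pat"*) return 0 ;;
            esac ;;
        *)
            if [ "$client" = "$pat" ]; then
                return 0
            fi ;;
    esac
    return 1
}

# wrappers_decision CLIENT -> prints "allow" or "deny".
wrappers_decision() {
    client=$1
    for pat in $ALLOW_PATTERNS; do
        if pattern_matches "$pat" "$client"; then
            echo allow
            return 0
        fi
    done
    if [ "$DENY_ALL" -eq 1 ]; then
        echo deny
    else
        # No deny entry matched: the wrappers default is to grant access.
        echo allow
    fi
}

# Usage: wrappers_decision 192.0.2.10   (constructed outside address)
```

Note that "cs.earlham.edu" itself does not match ".cs.earlham.edu" (the leading dot means "ends with .cs.earlham.edu"), and "159.28.1350.1" does not match "159.28.135." because the trailing dot is part of the prefix; both are the intended tcp_wrappers behaviour.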
I turned off the local display that somehow got activated, and enabled management of X terminals.
For the local display, I commented out this line in Xservers:
:0 local /usr/X11R6/bin/X
For the management of terminals, I commented out this line in xdm-config:
DisplayManager.requestPort: 0
I worked with Dawit on installing FreeBSD 5.2.1 on his machine, dawit.admin.cs.earlham.edu.
So far we have configured the following services:
1. X
2. NIS
3. NFS
4. DHCP client
5. sshd
I've upgraded quark to Apache 1.3.31 in response to several security vulnerabilities discovered in 1.3.29.
Ian Kelly graciously solved the CMUgraphics problem by tracking it down to needing to add "using namespace std" to the beginning of the header files for the labs.
We're still running into compile errors with CMUgraphics. Here they are:
In file included from Daemon.cpp:7:
GLUTImp.h:76: error: variable or field `GLUTCALLBACK' declared void
GLUTImp.h:76: error: parse error before `(' token
GLUTImp.h:77: error: variable or field `GLUTCALLBACK' declared void
GLUTImp.h:77: error: declaration of `int GLUTImp::GLUTCALLBACK'
GLUTImp.h:76: error: conflicts with previous declaration `int
GLUTImp::GLUTCALLBACK'
GLUTImp.h:77: error: parse error before `(' token
GLUTImp.h:78: error: variable or field `GLUTCALLBACK' declared void
GLUTImp.h:78: error: declaration of `int GLUTImp::GLUTCALLBACK'
GLUTImp.h:76: error: conflicts with previous declaration `int
GLUTImp::GLUTCALLBACK'
GLUTImp.h:78: error: parse error before `(' token
GLUTImp.h:79: error: variable or field `GLUTCALLBACK' declared void
GLUTImp.h:79: error: declaration of `int GLUTImp::GLUTCALLBACK'
GLUTImp.h:76: error: conflicts with previous declaration `int
GLUTImp::GLUTCALLBACK'
GLUTImp.h:79: error: parse error before `(' token
Daemon.cpp:269:2: warning: no newline at end of file
make[1]: *** [Daemon.lo] Error 1
make[1]: Leaving directory `/clients/users/skylar/CMUgraphics-RH9/src'
make: *** [all-recursive] Error 1
GLUTCALLBACK is only called in two places, and never defined. What's up with that?
Because MIMEDefang is a milter and MailScanner needs two queues and two runs of sendmail, there's a significant (2x) performance hit if we use MIMEDefang with sendmail. I've disabled MIMEDefang, and mail acceptance rate went up dramatically on quarkprime. It takes longer to deliver, but we get no more of those 4xx temporary failure messages from sendmail when we run out of MIMEDefang slaves.
I have MailScanner configured and working on quarkprime. This seems to be a nice way to integrate ClamAV and SpamAssassin into one package, and add a few other checks in the process.
Basically, MS works like this:
1. One sendmail process listens on port 25, and puts messages into an incoming queue.
2. MS scans this queue, picks up messages, and runs all its checks on them.
3. Once done checking the messages, MS puts the checked/disinfected/flagged messages into another queue, where another sendmail process picks them up and performs local delivery.
The biggest disadvantage I can see is that this increases the overhead of mail checking, but quark's specs put us at a significant advantage in this respect. According to the MS docs, a P-II running all sorts of mail checks (SpamAssassin, MIMEDefang, Pyzor, ClamAV, etc., etc., etc.) can process 5,000 messages a day, which is more than what quark processes, so we should be good in that respect.
Here's the gory details for the setup of MS:
1. Install it from ports.
2. Edit MailScanner.conf. This is extremely well documented, so it's nothing complicated. The big things to notice are that it can call ClamAV and SpamAssassin, so there's no need for the milters.
3. Comment out the milters in $HOSTNAME.mc, so we don't double-check messages. Stop sendmail.
4. Copy mailscanner.sh.sample and mta.sh.sample to mailscanner.sh and mta.sh respectively. Make whatever changes are necessary.
5. Make /var/spool/{mqueue.in,MailScanner/incoming,quarantine}. You might also have to touch /usr/local/etc/MailScanner/rules/bounce.rules.
6. Fire up MailScanner and sendmail using mailscanner.sh and mta.sh. You should be good to go at this point.
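Steps 3 and 5 are the ones that are easy to get subtly wrong (a milter left live means every message is scanned twice, and a missing queue directory makes the second sendmail sit idle), so here is an added example script of mine, not from the original entry, that does those two steps and checks its own work. It assumes the FreeBSD port paths named above; the ROOT variable is an added knob so the script can be tried against a scratch directory instead of /. Starting MailScanner and sendmail (step 6) is left to mailscanner.sh and mta.sh as described.

```shell
#!/bin/sh
# Added example: the sendmail side of the MailScanner cutover from the post.
# ROOT is an assumption: empty for a real host, a scratch dir for a dry run.
ROOT=${ROOT:-}

# disable_milters MCFILE
# Comment out every INPUT_MAIL_FILTER line in the .mc file so ClamAV and
# SpamAssassin are not run once by the milter and again by MailScanner.
# The original is kept as MCFILE.bak; "dnl" makes m4 discard the line.
disable_milters() {
    mc=$1
    cp "$mc" "$mc.bak"
    sed 's/^\(INPUT_MAIL_FILTER(.*\)$/dnl \1/' "$mc.bak" > "$mc"
}

# count_active_milters MCFILE
# Prints the number of milter lines still live; must be 0 before regenerating
# sendmail.cf. grep exits 1 when the count is 0, so mask that for set -e.
count_active_milters() {
    grep -c '^INPUT_MAIL_FILTER(' "$1" || true
}

# make_ms_dirs
# Create the incoming queue for the listening sendmail, MailScanner's own
# work area and quarantine, and the bounce.rules file the port expects.
# Ownership is not handled here: the queue dirs must be writable by the user
# MailScanner runs as (assumption: check "Run As User" in MailScanner.conf).
make_ms_dirs() {
    for d in \
        "$ROOT/var/spool/mqueue.in" \
        "$ROOT/var/spool/MailScanner/incoming" \
        "$ROOT/var/spool/quarantine" \
        "$ROOT/usr/local/etc/MailScanner/rules"; do
        mkdir -p "$d"
    done
    touch "$ROOT/usr/local/etc/MailScanner/rules/bounce.rules"
}

# Usage on a real host (as root), with sendmail already stopped:
#   disable_milters /etc/mail/$(hostname).mc
#   [ "$(count_active_milters /etc/mail/$(hostname).mc)" = 0 ] || exit 1
#   make_ms_dirs
```

After this, regenerate sendmail.cf from the .mc as usual and then bring the two sendmail instances and MailScanner up with mta.sh and mailscanner.sh.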
Due to problems in flexibility with mod_throttle, I've disabled that module and installed mod_bandwidth instead. It seems to be working much better at keeping excess bandwidth usage down.
Here's the setup I've used for ppckernel.org:
# As much bandwidth as we want on campus
BandWidth 159.28 0
# Limit everyone else to 75kB/s
BandWidth all 75000
# Guarantee 4MB/s on campus
MinBandWidth 159.28 4096000
# Guarantee 8kB/s to everyone else
MinBandWidth all 8172
# We can be more generous to the files under 20kB
LargeFileLimit 20 100000
# Limit files between 200kB and 8MB to 50kB/s
LargeFileLimit 200 50000
# Limit anything over 8MB to 25kB/s
LargeFileLimit 8172 25000
I've gotten a Debian image into alpha testing. The image is called ACL_DEB2004052101. It's running on office1 right now.
To keep pine from complaining about self-assigned TLS certs, I've added this line to pine.conf:
smtp-server=smtp.cs.earlham.edu/tls/novalidate-cert
After doing some reading on HTTPS, I discovered that only one SSL cert can be handed out per IP address. This explained why our normal website was getting our webmail's SSL cert. To solve this, I created an IP alias for webmail, and redirected our DNS to that.
I added this line to rc.conf:
ifconfig_bge0_alias1="inet 159.28.230.251 netmask 255.255.255.255"
I then changed NameVirtualHost in httpd.conf to 159.28.230.3, and changed all the VirtualHost declarations from hostnames to IP addresses.
Kevan and I replaced the Summit 48 with the faulty port with a brand spanking new Summit 48. Downtime was less than 15 minutes. All is working now.
I've been testing out freebsd-update on quarkprime. Looks like it works well (or at least no problems).
Lots of stuff to update about backup. It is now running FreeBSD 5.2.1-RELEASE, and working better than under Red Hat Linux 8 Psyche.
More stuff:
1. To work the magazine, use the following procedure:
mt -f /dev/sa0 offline # Unload the current tape
chio move slot n drive 0 # Where n is the tape you want to load
2. Vinum's been a little tricky to set up. Here's the configuration file I'm using for mirroring:
drive a0 device /dev/da1e
drive a1 device /dev/da2e
volume backup
plex org concat
sd drive a0 size 0
plex org concat
sd drive a1 size 0
The concat plexes are just used as a placeholder; it's just one device on each of them getting the same data.
So far, it's pretty simple, but I ran into trouble with the second plex being flagged as faulty. Here's how to solve it:
init -v -w backup.p0 # Initialize the first plex
init -v -w backup.p1 # Initialize the second plex
start backup
start backup.p1.s0
I had to restart saslauthd after portupgrade upgraded cyrus-sasl2.
I upgraded proftpd to 1.2.10rc1 in response to a security hole in CIDRACL.
I hope FC2 isn't so bad, because Debian's apt-get and dselect are just as cumbersome as I remember them. If only FreeBSD had decent disk imaging software....
I just found out that Apache can only handle one SSL cert per socket. This means that the webmail cert gets handed out, which is no better than the www cert being handed out (the other option). I'll have to regenerate certs, but that will cause some people to complain. Thoughts?
I've enabled ClamAV on quarkprime. It's a free, open-source anti-virus package. It seems to be working beautifully.
I made the following changes:
1. I enabled the Syslog option in clamav.conf so it will log to mail.
2. I added the following line to quarkprime's mc file:
INPUT_MAIL_FILTER(clmilter,S=local:/var/run/clamav/clmilter.sock,F=, T=S:4m;R:4mE)dnl
3. I added these lines to rc.conf:
clamav_enable="YES"
clamav_milter_enable="YES"
clamav_milter_flags="-q -lo /var/run/clamav/clmilter.sock"
I tested Fedora Core 1 (yarrow) on office1. I came to the following conclusions:
* I hate GRUB.
* These fscking USB keyboards are gonna be hell every time we upgrade. We might want to get PS/2 adapters for them stat.
I'm pulling Debian images down onto quarkprime to give that a whirl. Fedora Core 2 is out on Tuesday with an upgrade to kernel 2.6, so I'll give that a go too. image has plenty of space (20+GB) so we can afford to keep a few testing images around.
Following my guide on here, I generated valid TLS certs for quarkprime. We should be ready to do this for quark.
I had to regenerate the IMAP and POP3 certs on quark, because they were causing an error in Mozilla and Netscape in which the CSADMIN CN was being confused for a hostname. Changing it to imap.cs.earlham.edu/pop3.cs.earlham.edu fixed the problem.
Not wanting to leave German House, I worked my way through the first 200 pages of Practical Postgres. I think I am now ready to do the phone database for tomorrow's power shutdown.
I installed bsd-games from source on the new ACL image. This will allow xscreensaver to use the fortune package for displaying quotes.
I'm running portupgrade on quarkprime now. Test your stuff out to make sure it all works.
I've excluded the following sets of packages from the upgrade:
bsdpan*
postgresql*
mysql*
apache*
sendmail*
These can be upgraded manually if need be.
I upgraded the kernel on the new ACL image to 2.4.26.
I finally got CMUgraphics to compile on the new image.
I had to make the changes Ian suggested, and also add libgltt.la to the spec file for the gltt RPM.