ChavezInfo
chavez.indymedia.org was a managed server at LayeredTech which had an uptime of 883 days just before it was decommissioned and replaced by chavez2.indymedia.org.uk in September 2009.
There is a chavez-tech list for discussion and #chavez for chat; there are also munin stats. Its primary role is as a mirror for the uk, ch and global IMC sites.
See also
ChavezMetaInfo |
ChavezTips
chavez2
This is the new server that replaced chavez. It is running CentOS 5 rather than 4, but apart from that everything has been set up as it was on chavez, so the notes below still mostly apply.
chavez
This server was decommissioned at the end of September 2009.
Mirrors
This server will host some Mir mirrors, see
MirrorHowTo
rsync
This server is going to take over some of the sites from
AhimsaRsync1Info
System install notes
Yum
DAG's (RPMforge) repo was enabled. Note that both the signing key and the release package are fetched over plain HTTP, so the rpm -K step only shows that the package matches the key that was just downloaded; compare the key's fingerprint with one obtained another way before trusting it:
wget http://dag.wieers.com/packages/rpmforge-release/rpmforge-release-0.3.4-1.el4.rf.i386.rpm
rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
rpm -K rpmforge-release-0.3.4-1.el4.rf.i386.rpm
rpm -Uvh rpmforge-release-0.3.4-1.el4.rf.i386.rpm
And the LayeredTech stuff in /etc/yum.conf was commented out and /etc/yum.repos.d/LayeredTech.repo was moved to /etc/yum.repos.d/LayeredTech.repo.bak to disable it.
Nightly yum updates were turned on (on CentOS 4 the yum init script only sets the lock that the nightly cron job checks for, so it also needs chkconfig yum on to survive a reboot):
/etc/init.d/yum start
rsyncd
The public rsyncd server is started via xinetd; this is the /etc/xinetd.d/rsync config:
# default: off
# description: The rsync server is a good addition to an ftp server, as it
# allows crc checksumming etc.
service rsync
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
And this is /etc/rsyncd.conf:
lock file = /var/lock/rsyncd
max connections=15
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz *.mov *.wmv *.wav *.pdf *.mpg *.mp3 *.avi *.wma *.mp4 *.ogg *.gif *.jpg *.png *.tiff *.asf *.rm *.ram
[www.indymedia.org.uk]
path = /var/www/www.indymedia.org.uk
comment = Indymedia UK rsync service.
read only = yes
use chroot = yes
list = yes
uid = nobody
gid = nobody
#ng 2006-12-16
[ch.indymedia.org]
path = /var/www/ch.indymedia.org
comment = Indymedia CH rsync service.
read only = yes
use chroot = yes
list = yes
uid = nobody
gid = nobody
xinetd needs to be started and set to run on boot:
/etc/init.d/xinetd start
/sbin/chkconfig xinetd on
And port 873 needs to be open in the firewall, /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
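Because the daemon is reachable by anyone on port 873, the thing to keep checking is that every module stays read-only, chrooted and unprivileged. The following audit script is an added example written for these notes (it is not something that ran on chavez); the awk pass reads an rsyncd.conf, honours global-section defaults, and reports only explicit weakenings, since rsync's own defaults are already read only = yes, use chroot = yes and uid = nobody. The sample config it writes is constructed: the first module copies the settings above, the second is deliberately weakened so there is something to flag.

```shell
#!/bin/sh
# Audit an rsyncd.conf for modules that expose more than a read-only,
# chrooted, unprivileged mirror should. A setting in the global section is
# taken as the default for every module that does not override it.
check_rsyncd_conf() {   # check_rsyncd_conf FILE -> one WARN line per finding
    awk '
    function norm(s) { s = tolower(s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function off(v)  { return (v == "no" || v == "false" || v == "0") }
    function report() {
        if (mod == "") return
        if (off(ro))     print "WARN [" mod "]: read only = " ro " (module is writable)"
        if (off(chroot)) print "WARN [" mod "]: use chroot = " chroot " (symlinks can leave the module)"
        if (uid == "root" || uid == "0")
                         print "WARN [" mod "]: uid = " uid " (transfers run as root)"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                              # [module] header: flush the previous one
        report()
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
        ro = g_ro; chroot = g_chroot; uid = g_uid
        next
    }
    index($0, "=") > 0 {                       # key = value
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = norm(substr($0, index($0, "=") + 1))
        if (mod == "") {
            if (key == "read only")  g_ro = val
            if (key == "use chroot") g_chroot = val
            if (key == "uid")        g_uid = val
        } else {
            if (key == "read only")  ro = val
            if (key == "use chroot") chroot = val
            if (key == "uid")        uid = val
        }
    }
    END { report() }' "$1"
}

# Constructed sample config (not a real one): a module like the page's,
# then a deliberately weakened one.
write_sample_rsyncd_conf() {   # write_sample_rsyncd_conf PATH
    cat > "$1" <<'EOF'
lock file = /var/lock/rsyncd
max connections=15
[www.indymedia.org.uk]
path = /var/www/www.indymedia.org.uk
comment = Indymedia UK rsync service.
read only = yes
use chroot = yes
list = yes
uid = nobody
gid = nobody
[scratch]
path = /var/tmp/scratch
read only = no
use chroot = no
uid = root
EOF
}

tmp=$(mktemp)
write_sample_rsyncd_conf "$tmp"
check_rsyncd_conf "$tmp"      # prints three WARN lines, all for [scratch]
rm -f "$tmp"
```

Run it against the live file with check_rsyncd_conf /etc/rsyncd.conf after every edit; an empty result is the expected state for a public mirror.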
rrsync
This is a perl script for restricted rsyncs, it is available in the
rsync source code and it has been installed in /usr/local/bin
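The way rrsync is normally wired up, as an added illustration rather than a line copied from this server (the path, key material and comment are placeholders), is a forced command in the mirror account's authorized_keys:

```text
command="/usr/local/bin/rrsync -ro /var/www/www.indymedia.org.uk",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAA...placeholder... mirror@example.org
```

rrsync reads the rsync command the client sent from SSH_ORIGINAL_COMMAND, checks its options against an allow-list and pins every path under the given directory, so a key taken from a compromised mirror host cannot be used for a shell or for any other path; -ro additionally rejects any option that would write to this side.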
DenyHosts
DenyHosts is a Python package that watches the sshd log and adds remote hosts that are brute-forcing ssh to /etc/hosts.deny.
rpm -Uvh denyhosts
First the config file was copied to /etc/
cp /usr/share/doc/denyhosts-2.2/denyhosts.cfg-dist /etc/denyhosts.conf
And the daemon control script was copied to /etc/init.d/ to serve as the init script:
cp /usr/share/doc/denyhosts-2.2/daemon-control-dist /etc/init.d/denyhosts
And these lines in /etc/init.d/denyhosts were changed so that it reads the config from /etc/:
#DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
DENYHOSTS_CFG = "/etc/denyhosts.conf"
And it was started and set to start on boot:
/etc/init.d/denyhosts start
/sbin/chkconfig --add denyhosts
/sbin/chkconfig denyhosts on
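To see what DenyHosts is actually reacting to, here is its core reduced to one awk pass, as an added example written for these notes (it is not DenyHosts code): count sshd "Failed password" lines per source address in a /var/log/secure style log and print, in /etc/hosts.deny syntax, every address at or over a threshold. The log lines are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# ssh_bruteforce_candidates LOGFILE THRESHOLD
# Prints "sshd: A.B.C.D" for every source address with THRESHOLD or more
# failed password attempts, which is the hosts.deny form DenyHosts writes.
ssh_bruteforce_candidates() {
    awk -v thresh="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        # pull the address out of "... from 192.0.2.10 port ..."
        if (match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr($0, RSTART + 6, RLENGTH - 6)
            fails[ip]++
        }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= thresh) print "sshd: " ip
    }' "$1" | sort
}

# Constructed sample log: one address with 4 failures, one with 1 failure
# followed by a successful key login, one with exactly 3 failures.
write_sample_secure_log() {   # write_sample_secure_log PATH
    cat > "$1" <<'EOF'
Dec 16 03:14:01 chavez sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec 16 03:14:03 chavez sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Dec 16 03:14:05 chavez sshd[4243]: Failed password for root from 192.0.2.10 port 51236 ssh2
Dec 16 03:14:09 chavez sshd[4244]: Failed password for root from 192.0.2.10 port 51237 ssh2
Dec 16 03:15:00 chavez sshd[4250]: Failed password for ng from 192.0.2.11 port 40000 ssh2
Dec 16 03:15:07 chavez sshd[4250]: Accepted publickey for ng from 192.0.2.11 port 40000 ssh2
Dec 16 03:16:00 chavez sshd[4260]: Failed password for invalid user test from 198.51.100.7 port 2222 ssh2
Dec 16 03:16:01 chavez sshd[4261]: Failed password for invalid user test from 198.51.100.7 port 2223 ssh2
Dec 16 03:16:02 chavez sshd[4262]: Failed password for invalid user test from 198.51.100.7 port 2224 ssh2
EOF
}

tmp=$(mktemp)
write_sample_secure_log "$tmp"
ssh_bruteforce_candidates "$tmp" 3    # prints: sshd: 192.0.2.10 and sshd: 198.51.100.7
rm -f "$tmp"
```

The real DenyHosts keeps separate thresholds for invalid users, valid users and root, and a single threshold as above would lock out an admin who fat-fingers a password a few times, so whitelist your own addresses in hosts.allow before enabling it.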
Postfix
Postfix was installed, system-switch-mail-nox was run to switch to it, and sendmail was removed:
yum install postfix system-switch-mail
system-switch-mail-nox
rpm -e sendmail
This was added to the end of /etc/postfix/main.cf for TLS. These are the Postfix 2.2 parameter names; Postfix 2.3 and later (chavez2's CentOS 5 ships 2.3) still accept them but express the same thing as smtpd_tls_security_level = may and smtp_tls_security_level = may. With enforce_tls = no this is opportunistic TLS only: a peer that does not offer STARTTLS still gets plaintext, and smtpd_tls_ask_ccert = yes merely asks clients for a certificate without requiring one.
# server settings
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_ask_ccert = yes
smtpd_tls_key_file = /etc/crypt/chavez_privatekey.pem
smtpd_tls_cert_file = /etc/crypt/chavez_server.pem
smtpd_tls_CAfile = /etc/crypt/cacert.pem
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# the following works with postfix 2.2
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
# client settings
smtp_use_tls = yes
smtp_enforce_tls = no
smtp_tls_key_file = /etc/crypt/chavez_privatekey.pem
smtp_tls_cert_file = /etc/crypt/chavez_server.pem
smtp_tls_CAfile = /etc/crypt/cacert.pem
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_loglevel = 1
# the following works with postfix 2.2
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
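Two checks worth scripting for this configuration, as an added example written for these notes (not Postfix's own tooling and not something that ran on chavez): translate the 2.2 style use_tls/enforce_tls pairs into the single *_tls_security_level parameter, and confirm that the key file main.cf points at is present and not group- or world-readable. The second check matters here because the key lives on the encrypted volume, so an absent key means the volume is not mounted yet. The main.cf it writes is a constructed fragment that mirrors the settings above; the mapping follows Postfix's documented compatibility rules (enforce_tls = yes becomes encrypt, or verify on the client side when smtp_tls_enforce_peername is left at its old default of yes).

```shell
#!/bin/sh
cf_get() {   # cf_get MAIN_CF PARAMETER -> last value assigned, or empty
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

tls_level() {   # tls_level EXPLICIT USE_TLS ENFORCE_TLS ENFORCE_PEERNAME -> level
    if   [ -n "$1" ];                          then echo "$1"      # already migrated
    elif [ "$3" = "yes" ] && [ "$4" = "yes" ]; then echo verify
    elif [ "$3" = "yes" ];                     then echo encrypt
    elif [ "$2" = "yes" ];                     then echo may
    else                                            echo none
    fi
}

postfix_tls_levels() {   # postfix_tls_levels MAIN_CF -> the equivalent security_level lines
    for side in smtpd smtp; do
        peer=no
        if [ "$side" = smtp ]; then
            peer=$(cf_get "$1" smtp_tls_enforce_peername)
            [ -n "$peer" ] || peer=yes          # Postfix default for the old parameter
        fi
        lvl=$(tls_level "$(cf_get "$1" ${side}_tls_security_level)" \
                        "$(cf_get "$1" ${side}_use_tls)" \
                        "$(cf_get "$1" ${side}_enforce_tls)" "$peer")
        echo "${side}_tls_security_level = $lvl"
    done
}

check_key_file() {   # check_key_file PATH -> "ok ..." or a finding; non-zero on a finding
    if [ ! -f "$1" ]; then
        echo "MISSING $1 (is the encrypted volume mounted?)"; return 1
    fi
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *00) echo "ok $1 mode $mode" ;;
        *)   echo "WARN $1 mode $mode is readable by group or other"; return 1 ;;
    esac
}

# Constructed main.cf fragment mirroring the page's settings; KEYFILE is a
# temporary path standing in for /etc/crypt/chavez_privatekey.pem.
write_sample_main_cf() {   # write_sample_main_cf PATH KEYFILE
    cat > "$1" <<EOF
# server settings
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_ask_ccert = yes
smtpd_tls_key_file = $2
smtpd_tls_cert_file = /etc/crypt/chavez_server.pem
# client settings
smtp_use_tls = yes
smtp_enforce_tls = no
smtp_tls_key_file = $2
EOF
}

d=$(mktemp -d)
write_sample_main_cf "$d/main.cf" "$d/chavez_privatekey.pem"
postfix_tls_levels "$d/main.cf"                                        # both sides: may
check_key_file "$(cf_get "$d/main.cf" smtpd_tls_key_file)" || :        # MISSING: not mounted
touch "$d/chavez_privatekey.pem"; chmod 644 "$d/chavez_privatekey.pem"
check_key_file "$d/chavez_privatekey.pem" || :                         # WARN: mode 644
chmod 600 "$d/chavez_privatekey.pem"
check_key_file "$d/chavez_privatekey.pem"                              # ok: mode 600
rm -rf "$d"
```

On the real box run postfix_tls_levels /etc/postfix/main.cf once and put the two lines it prints into main.cf in place of the use_tls/enforce_tls pairs; check_key_file on the key path is a cheap thing to run from the mount script before starting postfix.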
Encrypted FS
See also
SaraiCryptedDisk and
CaCertSsl
This holds the certs and keys so that they cannot be pinched from the disk after a power down (or theft of the box) and used to decrypt sniffed traffic. It protects them only at rest: once mounted they are readable by root as usual. After the machine has booted, postfix and apache will not work until the encrypted disk has been mounted.
To mount it do this:
$ ssh chavez.indymedia.org.uk
$ sudo /root/bin/mnt-crypt
The mnt-crypt script contains the following. The volume is plain dm-crypt (cryptsetup create, no LUKS header), so a mistyped passphrase is not detected by cryptsetup itself: the mapping just yields garbage and the mount step fails, which is why the mapping has to be removed before trying again:
#!/bin/bash
# Mount the encrypted loopback file /crypt at /etc/crypt and start the
# services that need the keys it holds. The volume is plain dm-crypt, so a
# wrong passphrase is only noticed when the mount fails; the script then
# tears the mapping down itself so it can simply be run again.
echo "This script mounts the encrypted partition at /etc/crypt"
# refuse to run twice
if grep -q ' /etc/crypt ' /proc/mounts; then
    echo "/etc/crypt is already mounted" >&2
    exit 0
fi
# create the loop device
/sbin/losetup /dev/loop0 /crypt || exit 1
# decrypt the loopback device (prompts for the passphrase)
/sbin/cryptsetup create crypt /dev/loop0 || { /sbin/losetup -d /dev/loop0; exit 1; }
# mount the partition; failure here almost always means a mistyped passphrase
if ! /bin/mount /dev/mapper/crypt /etc/crypt; then
    echo "mount failed (mistyped passphrase?), removing the mapping; run this again" >&2
    /sbin/cryptsetup remove crypt
    /sbin/losetup -d /dev/loop0
    exit 1
fi
# start apache
/etc/init.d/apache start
# start postfix
/etc/init.d/postfix start
It was created like this (-y makes cryptsetup ask for the passphrase twice, which is the only confirmation plain mode gives you; 10 MB is plenty for keys and certs):
cd /
dd if=/dev/urandom of=/crypt bs=1M count=10
/sbin/losetup /dev/loop0 /crypt
/sbin/cryptsetup -y create crypt /dev/loop0
mkfs.ext3 /dev/mapper/crypt
mount /dev/mapper/crypt /etc/crypt
Generating the key and cert
See:
CaCertSsl
The following script is saved as /root/bin/chavez-cert; it greps the SSL vhost configs for ServerName and ServerAlias entries, puts all of them into the subjectAltName, and generates a CSR for cacert.org:
#!/bin/sh
HTTPD_VHOSTS_DIR=/etc/httpd/vhosts-ssl.d/
DATE=`date "+%Y-%m-%d_%H-%M-%S"`
CERTS_DIR="/etc/crypt"
CERTS_DIR_NEW="$CERTS_DIR/.$DATE"
HOST=chavez
COMMONNAME=chavez.indymedia.org
# be safe about permissions
LASTUMASK=`umask`
umask 077
# OpenSSL for HPUX needs a random file
RANDOMFILE=$HOME/.rnd
# create a config file for openssl
CONFIG=`mktemp -q /tmp/openssl-conf.XXXXXXXX`
if [ ! $? -eq 0 ]; then
echo "Could not create temporary config file. exiting"
exit 1
fi
echo "Private Key and Certificate Signing Request Generator"
echo "This script was designed to suit the request format needed by"
echo "the CAcert Certificate Authority. www.CAcert.org"
echo
# if the certs directory doesn't exist then create it
if [ ! -d "$CERTS_DIR_NEW" ]; then
mkdir -p "$CERTS_DIR_NEW"
fi
# get the ServerNames
# anchored so commented-out entries are skipped; any :port suffix is dropped
SERVER_NAMES=`grep -h '^[[:space:]]*ServerName' $HTTPD_VHOSTS_DIR/* | sed -e 's/^[[:space:]]*ServerName[[:space:]]*//' -e 's/:[0-9]*$//' | sort -u`
for name in $SERVER_NAMES
do
if [ "$SANAMES" = "" ]; then
SANAMES="DNS:$name"
else
SANAMES="$SANAMES, DNS:$name"
fi
done
# get the ServerAliases
# a ServerAlias line may list several names; the for loop below splits them
SERVER_ALIASES=`grep -h '^[[:space:]]*ServerAlias' $HTTPD_VHOSTS_DIR/* | sed 's/^[[:space:]]*ServerAlias[[:space:]]*//' | sort -u`
for name in $SERVER_ALIASES
do
if [ "$SANAMES" = "" ]; then
SANAMES="DNS:$name"
else
SANAMES="$SANAMES, DNS:$name"
fi
done
# Config File Generation
cat <<EOF > $CONFIG
# -------------- BEGIN custom openssl.cnf -----
HOME = $CERTS_DIR_NEW
oid_section = new_oids
[ new_oids ]
[ req ]
default_days = 730
default_keyfile = $CERTS_DIR_NEW/${HOST}-privatekey.pem
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = $COMMONNAME
commonName_max = 64
[ v3_req ]
EOF
if [ ! "$SANAMES" = "" ]; then
echo "subjectAltName=$SANAMES" >> $CONFIG
fi
echo "# -------------- END custom openssl.cnf -----" >> $CONFIG
echo "Running OpenSSL..."
openssl req -batch -config $CONFIG -newkey rsa:2048 -out ${CERTS_DIR_NEW}/${HOST}-csr.pem
echo "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate."
echo "When you receive your certificate, you save it to"
echo "${CERTS_DIR_NEW}/${HOST}-cert.pem"
echo
cat ${CERTS_DIR_NEW}/${HOST}-csr.pem
echo
echo The Certificate request is also available in ${CERTS_DIR_NEW}/${HOST}-csr.pem
echo The Private Key is stored in ${CERTS_DIR_NEW}/${HOST}-privatekey.pem
echo These will all need moving to ${CERTS_DIR}, like this:
echo mv ${CERTS_DIR_NEW}/\* ${CERTS_DIR}/
echo
rm $CONFIG
#restore umask
umask $LASTUMASK
munin
munin and munin-node were installed from
http://munin.projects.linpro.no/
And this was added to /etc/munin/munin.conf
[chavez.indymedia.org.uk]
address 127.0.0.1
use_node_name yes
service
Various services have been disabled:
for service in bluetooth firstboot kudzu mdmonitor nfslock portmap rpcgssd rpcidmapd smartd gpm autofs cpuspeed cups hidd pcscd; do
chkconfig $service off
/etc/init.d/$service stop
done