ChavezInfo (25 Sep 2009, NeGu)

ChavezInfo was a managed server at LayeredTech which had an uptime of 883 days just before it was decommissioned and replaced in September 2009.

There is a chavez-tech list for discussion and #chavez for chat; there are also munin stats. Its primary role is as a mirror for the UK, CH and global IMC sites.

See also ChavezMetaInfo | ChavezTips


This is the new server that replaced chavez. It is running CentOS 5 rather than 4, but apart from that everything has been set up as it was on chavez, so the notes below still mostly apply.


This server was decommissioned at the end of September 2009.


This server will host some Mir mirrors; see MirrorHowTo


This server is going to take over some of the sites from AhimsaRsync1Info

System install notes


DAG's repo was enabled:

rpm --import
rpm -K rpmforge-release-0.3.4-1.el4.rf.i386.rpm
rpm -Uvh rpmforge-release-0.3.4-1.el4.rf.i386.rpm 

And the LayeredTech stuff in /etc/yum.conf was commented out and /etc/yum.repos.d/LayeredTech.repo was moved to /etc/yum.repos.d/LayeredTech.repo.bak to disable it.

Nightly yum updates were turned on:

  /etc/init.d/yum start


The public rsyncd server is started via xinetd; this is the /etc/xinetd.d/rsync config:

# default: off
# description: The rsync server is a good addition to an ftp server, as it
#    allows crc checksumming etc.
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}

And this is /etc/rsyncd.conf:

lock file = /var/lock/rsyncd
max connections = 15
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz *.mov *.wmv *.wav *.pdf *.mpg *.mp3 *.avi *.wma *.mp4 *.ogg *.gif *.jpg *.png *.tiff *.asf *.rm *.ram

# The module names (in square brackets) were lost when the wiki page was
# rendered; UK_MODULE and CH_MODULE below are placeholders, not the real names.
[UK_MODULE]
  path = /var/www/
  comment = Indymedia UK rsync service.
  read only = yes
  use chroot = yes
  list = yes
  uid = nobody
  gid = nobody

#ng 2006-12-16
[CH_MODULE]
  path = /var/www/
  comment = Indymedia CH rsync service.
  read only = yes
  use chroot = yes
  list = yes
  uid = nobody
  gid = nobody

xinetd needs to be started and set to run on boot:

/etc/init.d/xinetd start
/sbin/chkconfig xinetd on

And port 873 needs to be open in the firewall; this is the rule in /etc/sysconfig/iptables:

-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
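Because port 873 is open to everyone, the read only, use chroot and uid lines in each module are what stop the mirror from turning into a writable or root-running share. The audit function below is an added example (not from this page or the server): it reads an rsyncd.conf and flags any module that drops one of those three protections, run here over a constructed sample config with one deliberately bad module.

```shell
# Constructed sample rsyncd.conf (not the live file): the second module is
# deliberately misconfigured so the audit has something to report.
SAMPLE_RSYNCD_CONF='lock file = /var/lock/rsyncd
max connections = 15

[uk]
  path = /var/www/
  comment = Indymedia UK rsync service.
  read only = yes
  use chroot = yes
  list = yes
  uid = nobody
  gid = nobody

[upload]
  path = /var/www/
  read only = no
  use chroot = no
  uid = root'

# audit_rsyncd_conf: read an rsyncd.conf on stdin and print one line per
# module that is writable, unchrooted or running as root; silent otherwise.
audit_rsyncd_conf() {
    awk '
    function on(v) { return v == "yes" || v == "true" || v == "1" }
    function report(  msgs) {
        if (mod == "") return
        msgs = ""
        if (!on(ro))     msgs = msgs " writable"
        if (!on(chroot)) msgs = msgs " no-chroot"
        if (uid == "root" || uid == "0") msgs = msgs " runs-as-root"
        if (msgs != "") print mod ":" msgs
    }
    /^[ \t]*\[.*]/ {                 # [module] header: report the previous one
        report()
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/].*$/, "", mod)
        ro = "yes"; chroot = "yes"; uid = "nobody"   # rsyncd defaults
        next
    }
    mod != "" && /=/ {               # "key = value" inside a module
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "read only") ro = val
        else if (key == "use chroot") chroot = val
        else if (key == "uid") uid = val
    }
    END { report() }'
}
printf '%s\n' "$SAMPLE_RSYNCD_CONF" | audit_rsyncd_conf
```

Run it against the real file with `audit_rsyncd_conf < /etc/rsyncd.conf`; an empty result means every module is read-only, chrooted and unprivileged.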


This is a Perl script for restricted rsyncs; it is available in the rsync source code and has been installed in /usr/local/bin.


DenyHosts is a Python package that can be set to add remote hosts to /etc/hosts.deny if they are attempting to brute-force ssh.

rpm -Uvh denyhosts

First the config file was copied to /etc/

cp /usr/share/doc/denyhosts-2.2/denyhosts.cfg-dist /etc/denyhosts.conf

And the script for running it was copied to /etc/init.d/

cp /usr/share/doc/denyhosts-2.2/daemon-control-dist /etc/init.d/denyhosts

And these lines were changed:

#DENYHOSTS_CFG   = "/usr/share/denyhosts/denyhosts.cfg"
DENYHOSTS_CFG   = "/etc/denyhosts.conf"

And it was started and set to start on boot:

/etc/init.d/denyhosts start
/sbin/chkconfig --add denyhosts
/sbin/chkconfig denyhosts on
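DenyHosts does the counting itself, but it helps to see what it is matching on. The following is an added example, not DenyHosts' own code: it counts "Failed password" lines per source address over a few constructed /var/log/secure lines and prints the hosts.deny entries DenyHosts would add once a threshold is reached.

```shell
# Constructed sshd log lines in /var/log/secure format (sample data, not the
# server's real log): one address hammers several accounts, another user
# fails once and then logs in with a key.
SAMPLE_SECURE_LOG='Sep 20 03:11:01 chavez sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Sep 20 03:11:04 chavez sshd[4122]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Sep 20 03:11:09 chavez sshd[4125]: Failed password for root from 198.51.100.7 port 51041 ssh2
Sep 20 03:12:40 chavez sshd[4130]: Failed password for backup from 203.0.113.5 port 40001 ssh2
Sep 20 03:12:52 chavez sshd[4131]: Accepted publickey for backup from 203.0.113.5 port 40002 ssh2
Sep 20 03:15:00 chavez sshd[4140]: Failed password for invalid user oracle from 198.51.100.7 port 51100 ssh2'

# brute_force_hosts THRESHOLD: read sshd log lines on stdin and print a
# hosts.deny line ("sshd: <address>") for every source address with at
# least THRESHOLD failed password attempts.  Successful logins and other
# sshd messages are ignored, as DenyHosts ignores them when counting.
brute_force_hosts() {
    awk -v threshold="$1" '
    /sshd\[[0-9]+]: Failed password for/ {
        # the source address is the word after "from"
        for (i = 1; i <= NF; i++)
            if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= threshold) print "sshd: " ip
    }' | sort
}

# With a threshold of 3 only 198.51.100.7 is reported.
printf '%s\n' "$SAMPLE_SECURE_LOG" | brute_force_hosts 3
```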


Postfix was installed, system-switch-mail-nox was run to switch to it, and sendmail was removed:

yum install postfix system-switch-mail
rpm -e sendmail

This was added to the end of /etc/post/ for TLS:

# server settings
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_ask_ccert = yes
smtpd_tls_key_file = /etc/crypt/chavez_privatekey.pem
smtpd_tls_cert_file = /etc/crypt/chavez_server.pem
smtpd_tls_CAfile = /etc/crypt/cacert.pem
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# the following works with postfix 2.2
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

# client settings
smtp_use_tls = yes
smtp_enforce_tls = no
smtp_tls_key_file = /etc/crypt/chavez_privatekey.pem
smtp_tls_cert_file = /etc/crypt/chavez_server.pem
smtp_tls_CAfile = /etc/crypt/cacert.pem
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_loglevel = 1
# the following works with postfix 2.2
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

Encrypted FS

See also SaraiCryptedDisk and CaCertSsl

This is for the certs, so that they cannot be pinched after a power down and used to decrypt sniffed traffic. After the machine has booted, postfix and apache will not work until the encrypted disk has been mounted.

To mount it do this:

$ ssh
$ sudo /root/bin/mnt-crypt

The mnt-crypt script contains the following (cryptsetup create sets up a plain dm-crypt mapping with no header to check the passphrase against, so a mistyped passphrase gives an unmountable mapping that has to be removed before trying again):


#!/bin/sh
echo "This script mounts the encrypted partition at /etc/crypt"
echo "If you mistype the password then do this before running this again:"
echo "/sbin/cryptsetup remove crypt"

# create the loop device
/sbin/losetup /dev/loop0 /crypt

# decrypt the loopback device
/sbin/cryptsetup create crypt /dev/loop0

# mount the partition
/bin/mount /dev/mapper/crypt /etc/crypt

# start apache
/etc/init.d/apache start

# start postfix
/etc/init.d/postfix start

It was created like this:

cd /
dd if=/dev/urandom of=/crypt bs=1M count=10
/sbin/losetup /dev/loop0 /crypt
/sbin/cryptsetup -y create crypt /dev/loop0 
mkfs.ext3 /dev/mapper/crypt 
mount /dev/mapper/crypt /etc/crypt

Generating the key and cert

See: CaCertSsl

The following script is saved as /root/bin/chavez-cert; it greps the Apache vhost configs for ServerName and ServerAlias entries and then generates a CSR for


#!/bin/bash
# /root/bin/chavez-cert: generate a private key and a CAcert-style CSR whose
# subjectAltName lists every ServerName and ServerAlias in the Apache vhosts.

DATE=`date "+%Y-%m-%d_%H-%M-%S"`

# Assumed values: these definitions were lost from the wiki page, so adjust
# them to match the host (CERTS_DIR matches the paths in the Postfix TLS
# config above; COMMONNAME is a placeholder, not the real hostname).
HOST=chavez
COMMONNAME="${HOST}.example.org"
HTTPD_VHOSTS_DIR=/etc/httpd/conf.d
CERTS_DIR=/etc/crypt
CERTS_DIR_NEW=${CERTS_DIR}/new-${DATE}

# be safe about permissions
umask 077

# OpenSSL for HPUX needs a random file

# create a config file for openssl
CONFIG=`mktemp -q /tmp/openssl-conf.XXXXXXXX`
if [ ! $? -eq 0 ]; then
    echo "Could not create temporary config file. exiting"
    exit 1
fi

echo "Private Key and Certificate Signing Request Generator"
echo "This script was designed to suit the request format needed by"
echo "the CAcert Certificate Authority."

# if the certs directory doesn't exist then create it
if [[ ! -d $CERTS_DIR_NEW ]]; then
    mkdir -p $CERTS_DIR_NEW
fi

# get the ServerNames and ServerAliases and build the subjectAltName list.
# The original test was inverted (it only ever added the first name, with a
# leading comma); every name is now added, comma-separated.
SERVER_NAMES=`grep -h ServerName $HTTPD_VHOSTS_DIR/* | sed s/ServerName//g`
SERVER_ALIASES=`grep -h ServerAlias $HTTPD_VHOSTS_DIR/* | sed s/ServerAlias//g`
SANAMES=""
for name in $SERVER_NAMES $SERVER_ALIASES; do
    if [ "$SANAMES" = "" ]; then
        SANAMES="DNS:$name"
    else
        SANAMES="$SANAMES, DNS:$name"
    fi
done

# Config File Generation
cat <<EOF > $CONFIG
# -------------- BEGIN custom openssl.cnf -----
HOME                    = $CERTS_DIR_NEW
oid_section             = new_oids
[ new_oids ]
[ req ]
default_days            = 730
default_keyfile         = $CERTS_DIR_NEW/${HOST}-privatekey.pem
distinguished_name      = req_distinguished_name
encrypt_key             = no
string_mask             = nombstr
req_extensions          = v3_req
[ req_distinguished_name ]
commonName              = Common Name (eg, YOUR name)
commonName_default      = $COMMONNAME
commonName_max          = 64
[ v3_req ]
EOF

if [ ! "$SANAMES" = "" ]; then
    echo "subjectAltName=$SANAMES" >> $CONFIG
fi

echo "# -------------- END custom openssl.cnf -----" >> $CONFIG

echo "Running OpenSSL..."
openssl req -batch -config $CONFIG -newkey rsa:2048 -out ${CERTS_DIR_NEW}/${HOST}-csr.pem

echo "Copy the following Certificate Request and paste into CAcert website to obtain a Certificate."
echo "When you receive your certificate, you save it to"
echo "${CERTS_DIR_NEW}/${HOST}-cert.pem"
cat ${CERTS_DIR_NEW}/${HOST}-csr.pem
echo The Certificate request is also available in ${CERTS_DIR_NEW}/${HOST}-csr.pem
echo The Private Key is stored in ${CERTS_DIR_NEW}/${HOST}-privatekey.pem
echo These will all need moving to ${CERTS_DIR}, like this:
echo mv ${CERTS_DIR_NEW}/\* ${CERTS_DIR}/

# remove the temporary openssl config; the umask change dies with the
# script, so there is nothing to restore
rm -f $CONFIG


munin and munin-node were installed from

And this was added to /etc/munin/munin.conf

    use_node_name yes


Various services have been disabled:

for service in bluetooth firstboot kudzu mdmonitor nfslock portmap rpcgssd rpcidmapd smartd gpm autofs cpuspeed cups hidd pcscd; do
    chkconfig $service off
    /etc/init.d/$service stop
done
Topic revision: r14 - 25 Sep 2009, NeGu