Details on the current configuration of tyr.example.com can be found below. 10/11/2012
Details for the raid1 configuration are as follows:
Disk /dev/sda: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sda1 * 63 209728574 104864256 fd Linux raid autodetect
/dev/sda2 209728575 213937604 2104515 82 Linux swap / Solaris
/dev/sda3 213937605 218146634 2104515 fd Linux raid autodetect
/dev/sda4 218146635 3907024064 1844438715 fd Linux raid autodetect
Disk /dev/sdb: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sdb1 * 63 209728574 104864256 fd Linux raid autodetect
/dev/sdb2 209728575 213937604 2104515 82 Linux swap / Solaris
/dev/sdb3 213937605 218146634 2104515 fd Linux raid autodetect
/dev/sdb4 218146635 3907024064 1844438715 fd Linux raid autodetect
The relevant configuration files are /etc/mdadm.conf (array definitions), /etc/conf.d/mdadm (monitor options) and /etc/fstab. Note that in the fstab below / is given fsck pass 2 while /tmp and /var are pass 1; the root filesystem is conventionally pass 1 so that it is checked first.
ARRAY /dev/md0 metadata=0.90 UUID=f1170fdc:c5862a0b:c44c77eb:7ee19756
ARRAY /dev/md1 metadata=0.90 UUID=6b8fa769:3e959845:c44c77eb:7ee19756
ARRAY /dev/md2 metadata=0.90 UUID=5bc914b2:ccb24434:c44c77eb:7ee19756
# /etc/conf.d/mdadm: config file for /etc/init.d/mdadm
# Misc options to pass to mdadm in monitor mode.
# For more info, run `mdadm --monitor --help` or see
# the mdadm(8) manpage.
MDADM_OPTS="--syslog [email protected]"
/dev/md0 / ext4 noauto,noatime 1 2
/dev/sda2 none swap sw 0 0
/dev/sdb2 none swap sw 0 0
/dev/md1 /tmp ext4 nosuid,noexec,nodev 0 1
/dev/md2 /var ext4 noatime 0 1
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
This server provides DHCP and PXE/BOOTP for every VLAN we manage (staff, PC, Mac, union, residence halls, etc.). It sits on an 802.1Q trunk with a tagged sub-interface on each VLAN, so dhcpd sees the clients' broadcast requests at layer 2 directly (no DHCP relay is needed on the routers). The VLAN interfaces are defined in /etc/conf.d/net as follows:
modules="iproute2"
config_eth0="null"
config_eth1="null"
config_eth2="null"
#config_eth0="192.168.17.166 netmask 255.255.255.224"
#routes_eth0="default via 192.168.0.10"
vlans_eth0="21 22 57 61 71 81 91 101 111 121 131 141 151 171 181 461"
dns_domain_eth0="example.com"
dns_servers_eth0="192.168.1.10 192.168.10.10 192.168.20.10"
vlan21_name="vlan21"
vlan22_name="vlan22"
vlan57_name="vlan57"
vlan61_name="vlan61"
vlan71_name="vlan71"
vlan81_name="vlan81"
vlan91_name="vlan91"
vlan101_name="vlan101"
vlan111_name="vlan111"
vlan121_name="vlan121"
vlan131_name="vlan131"
vlan141_name="vlan141"
vlan151_name="vlan151"
vlan171_name="vlan171"
vlan181_name="vlan181"
vlan461_name="vlan461"
config_vlan21="192.168.2.126 netmask 255.255.255.128"
config_vlan22="192.168.241.254 netmask 255.255.255.0"
config_vlan57="192.168.16.126 netmask 255.255.255.128"
config_vlan61="192.168.6.254 netmask 255.255.255.0"
config_vlan71="192.168.7.254 netmask 255.255.255.0"
config_vlan81="192.168.8.254 netmask 255.255.255.0"
config_vlan91="192.168.9.254 netmask 255.255.255.0"
config_vlan101="192.168.10.254 netmask 255.255.255.0"
config_vlan111="192.168.11.254 netmask 255.255.255.0"
config_vlan121="192.168.12.254 netmask 255.255.255.0"
config_vlan131="192.168.13.254 netmask 255.255.255.0"
config_vlan141="192.168.14.254 netmask 255.255.255.0"
config_vlan151="192.168.15.254 netmask 255.255.255.0"
config_vlan171="192.168.17.166 netmask 255.255.255.224"
routes_vlan171="default via 192.168.17.161"
config_vlan181="192.168.18.254 netmask 255.255.255.0"
config_vlan461="192.168.16.254 netmask 255.255.255.128"
Below is the current OpenRC service list (rc-update show) for this LAMP host:
apache2 | default
arpwatch | default
auditd | default
bootmisc | boot
devfs | sysinit
dhcpd | default
dmesg | sysinit
fsck | boot
hostname | boot
hwclock | boot
in.tftpd | default
keymaps | boot
killprocs | shutdown
local | default
localmount | boot
mdadm | boot
modules | boot
mount-ro | shutdown
mtab | boot
mysql | default
net.eth0 | default
net.lo | boot
netmount | default
ntp-client | default
procfs | boot
root | boot
savecache | shutdown
sshd | default
swap | boot
sysctl | boot
syslog-ng | default
termencoding | boot
udev-postmount | default
urandom | boot
vixie-cron | default
The dhcpd service is managed through phpDHCPAdmin. Two configuration files are modified: /etc/conf.d/dhcpd, to point at the dhcpd.conf that phpDHCPAdmin writes, and /etc/init.d/dhcpd, for the leases file path.
# /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd
# If you require more than one instance of dhcpd you can create symbolic
# links to dhcpd service like so
# cd /etc/init.d
# ln -s dhcpd dhcpd.foo
# cd ../conf.d
# cp dhcpd dhcpd.foo
# Now you can edit dhcpd.foo and specify a different configuration file.
# You'll also need to specify a pidfile in that dhcpd.conf file.
# See the pid-file-name option in the dhcpd.conf man page for details.
# If you wish to run dhcpd in a chroot, uncomment the following line
# DHCPD_CHROOT="/var/lib/dhcp/chroot"
# All file paths below are relative to the chroot.
# You can specify a different chroot directory but MAKE SURE it's empty.
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf
DHCPD_CONF="/var/www/tyr.example.com/phpDHCPAdmin/conf/dhcpd.conf"
In /etc/init.d/dhcpd only the line that sets the leases file path is changed, so that the leases also live in the phpDHCPAdmin tree. Both files sit inside the dhcp.example.com DocumentRoot, so that vhost must not serve the conf/ directory over HTTP (the leases file lists every client's MAC, IP and hostname), and whoever can edit dhcpd.conf through the web application controls the gateway and DNS options handed to every client on every VLAN; access to that vhost should be limited to administrators.
#local leasefile="$(get_var lease-file-name /var/lib/dhcp/${SVCNAME}.leases)"
local leasefile="$(get_var lease-file-name /var/www/tyr.example.com/phpDHCPAdmin/conf/${SVCNAME}.leases)"
The BOOTP/PXE service relies on the imaging.example.com CNAME and its Apache vhost: the TFTP root is a directory inside the imaging.example.com DocumentRoot, so the same boot files are reachable over TFTP and over plain HTTP. The in.tftpd configuration (/etc/conf.d/in.tftpd) points at that directory:
# /etc/init.d/in.tftpd
# Path to server files from
# Depending on your application you may have to change this.
# This is commented out to force you to look at the file!
#INTFTPD_PATH="/var/tftp/"
#INTFTPD_PATH="/tftpboot/"
INTFTPD_PATH="/var/www/tyr.example.com/imaging/tftp"
# For more options, see in.tftpd(8)
# -R 4096:32767 solves problems with ARC firmware, and obsoletes
# the /proc/sys/net/ipv4/ip_local_port_range hack.
# -s causes $INTFTPD_PATH to be the root of the TFTP tree.
# -l is passed by the init script in addition to these options.
INTFTPD_OPTS="-R 4096:32767 -s ${INTFTPD_PATH}"
The Apache configuration requires changes in several files: /etc/conf.d/apache2 (the defines passed to apache2 at start), /etc/apache2/httpd.conf (defaults applied to every vhost) and the vhost files. In /etc/conf.d/apache2 only this line is edited:
APACHE2_OPTS="-D DEFAULT_VHOST -D CACHE -D MEM_CACHE -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE -D PHP5 -D SECURITY"
In /etc/apache2/httpd.conf only the lines that form the subnet ACL are shown; they apply to every vhost. Because the section uses Order allow,deny, any client that matches no Allow line is denied, so the commented-out Deny from all is not needed. A vhost that needs a narrower ACL repeats Order/Allow in its own <Directory> (see licenses.example.com below).
# We configure the "default" to be a very restrictive set of features.
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from 192.168.6.0/24
Allow from 192.168.7.0/24
Allow from 192.168.8.0/24
Allow from 192.168.9.0/24
Allow from 192.168.10.0/24
Allow from 192.168.11.0/24
Allow from 192.168.12.0/24
Allow from 192.168.13.0/24
Allow from 192.168.14.0/24
Allow from 192.168.15.0/24
Allow from 192.168.16.0/24
Allow from 192.168.17.0/24
Allow from 192.168.18.0/24
Allow from 192.168.241.0/24
#Deny from all
</Directory>
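The Allow list above can be checked mechanically against the VLAN subnets defined in /etc/conf.d/net. The script below is an added example, not part of the original page: it derives each VLAN's network from its address and netmask, then reports every VLAN whose subnet is not wholly inside some Allow line. Both inputs are copied from the configuration on this page; with them it reports vlan21 (192.168.2.0/25) as the only subnet with no web access.

```shell
#!/bin/sh
# vlan_acl_check.sh: list VLAN subnets from /etc/conf.d/net that the Apache
# <Directory /> "Allow from" list does not fully cover.
# Added example, not from the original page; both inputs below are copied
# from the configuration shown on this page.

VLAN_CONFIG='
config_vlan21="192.168.2.126 netmask 255.255.255.128"
config_vlan22="192.168.241.254 netmask 255.255.255.0"
config_vlan57="192.168.16.126 netmask 255.255.255.128"
config_vlan61="192.168.6.254 netmask 255.255.255.0"
config_vlan71="192.168.7.254 netmask 255.255.255.0"
config_vlan81="192.168.8.254 netmask 255.255.255.0"
config_vlan91="192.168.9.254 netmask 255.255.255.0"
config_vlan101="192.168.10.254 netmask 255.255.255.0"
config_vlan111="192.168.11.254 netmask 255.255.255.0"
config_vlan121="192.168.12.254 netmask 255.255.255.0"
config_vlan131="192.168.13.254 netmask 255.255.255.0"
config_vlan141="192.168.14.254 netmask 255.255.255.0"
config_vlan151="192.168.15.254 netmask 255.255.255.0"
config_vlan171="192.168.17.166 netmask 255.255.255.224"
config_vlan181="192.168.18.254 netmask 255.255.255.0"
config_vlan461="192.168.16.254 netmask 255.255.255.128"
'

ALLOW_LINES='
Allow from 192.168.6.0/24
Allow from 192.168.7.0/24
Allow from 192.168.8.0/24
Allow from 192.168.9.0/24
Allow from 192.168.10.0/24
Allow from 192.168.11.0/24
Allow from 192.168.12.0/24
Allow from 192.168.13.0/24
Allow from 192.168.14.0/24
Allow from 192.168.15.0/24
Allow from 192.168.16.0/24
Allow from 192.168.17.0/24
Allow from 192.168.18.0/24
Allow from 192.168.241.0/24
'

# uncovered_vlans: print "<vlan> <network>/<prefix>" for each VLAN whose
# whole subnet is not inside some Allow line; prints nothing if all are covered.
uncovered_vlans() {
    printf '%s\n' "$VLAN_CONFIG" "$ALLOW_LINES" | awk '
    function ip2n(s,  p) { split(s, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    function n2ip(n,  a, b, c) {
        a = int(n / 16777216); b = int(n / 65536) % 256; c = int(n / 256) % 256
        return a "." b "." c "." (n % 256)
    }
    # hostbits(mask): number of zero bits in a contiguous netmask
    function hostbits(m) { return int(log(4294967296 - m) / log(2) + 0.5) }
    # network(ip, hb): clear the low hb bits (no bitwise ops in POSIX awk)
    function network(ip, hb) { return int(ip / 2 ^ hb) * 2 ^ hb }
    /^config_vlan/ {
        gsub(/"/, ""); split($1, kv, "=")
        hb = hostbits(ip2n($3))
        nv++; vname[nv] = substr(kv[1], 8); vnet[nv] = network(ip2n(kv[2]), hb); vhb[nv] = hb
    }
    /^Allow from / {
        split($3, c, "/"); na++
        ahb[na] = 32 - c[2]; anet[na] = network(ip2n(c[1]), ahb[na])
    }
    END {
        for (i = 1; i <= nv; i++) {
            ok = 0
            # covered only if an Allow network is at least as wide and contains it
            for (j = 1; j <= na; j++)
                if (ahb[j] >= vhb[i] && network(vnet[i], ahb[j]) == anet[j]) ok = 1
            if (!ok) printf "%s %s/%d\n", vname[i], n2ip(vnet[i]), 32 - vhb[i]
        }
    }'
}

# Run the check when executed directly.
uncovered_vlans
```

The check treats a VLAN as covered only when an Allow network is at least as wide as the VLAN and contains it, so a /25 VLAN under a /24 Allow line passes while an Allow line narrower than the VLAN is reported.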
Vhost configurations are loaded from /etc/apache2/vhosts.d/. Every HTTPS vhost below uses the same SSLProtocol and SSLCipherSuite lines; as written they still enable SSLv3 and prefer RC4, both of which have since been broken and are disabled in current browsers, so they should be changed to TLS only with a modern cipher list.
The default vhost for this server:
ServerAdmin [email protected]
Listen 80
NameVirtualHost *:80
Listen 443
NameVirtualHost *:443
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName tyr.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/mediawiki"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName tyr.example.com
ErrorLog /var/log/apache2/ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/ssl_access_log
</IfModule>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/ssl/apache2/tyr.example.com/tyr.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/tyr.example.com/tyr.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/mediawiki"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost tyr.example.com are as follows:
PATH: ''/etc/ssl/apache2/tyr.example.com''
- ''tyr.example.com.key'' - Unencrypted private key that Apache loads with the signed certificate; it must be owned by root and readable only by root (Apache reads it as root at startup, before dropping privileges)
- ''tyr.example.com.orig'' - Passphrase-protected private key (original)
- ''tyr.example.com.csr'' - Certificate signing request
- ''tyr.example.com.cer'' - Signed certificate
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName db.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/db"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName db.example.com
ErrorLog /var/log/apache2/db_ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/db_ssl_access_log
</IfModule>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/ssl/apache2/db.example.com/db.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/db.example.com/db.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/db"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost db.example.com are as follows:
PATH: ''/etc/ssl/apache2/db.example.com''
- ''db.example.com.key'' - Unencrypted private key loaded by Apache with the signed certificate
- ''db.example.com.orig'' - Passphrase-protected private key (original)
- ''db.example.com.csr'' - Certificate signing request
- ''db.example.com.cer'' - Signed certificate
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName dhcp.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/phpDHCPAdmin"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName dhcp.example.com
ErrorLog /var/log/apache2/dhcp_ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/dhcp_ssl_access_log
</IfModule>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/ssl/apache2/dhcp.example.com/dhcp.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/dhcp.example.com/dhcp.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/phpDHCPAdmin"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost dhcp.example.com are as follows:
PATH: ''/etc/ssl/apache2/dhcp.example.com''
- ''dhcp.example.com.key'' - Unencrypted private key loaded by Apache with the signed certificate
- ''dhcp.example.com.orig'' - Passphrase-protected private key (original)
- ''dhcp.example.com.csr'' - Certificate signing request
- ''dhcp.example.com.cer'' - Signed certificate
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName sso.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/myTFH"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName sso.example.com
ErrorLog /var/log/apache2/sso_ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/sso_ssl_access_log
</IfModule>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/ssl/apache2/sso.example.com/sso.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/sso.example.com/sso.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/myTFH"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost sso.example.com are as follows:
PATH: ''/etc/ssl/apache2/sso.example.com''
- ''sso.example.com.key'' - Unencrypted private key loaded by Apache with the signed certificate
- ''sso.example.com.orig'' - Passphrase-protected private key (original)
- ''sso.example.com.csr'' - Certificate signing request
- ''sso.example.com.cer'' - Signed certificate
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName imaging.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/imaging"
</VirtualHost>
</IfDefine>
##### softwaredb.example.com #####
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName softwaredb.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/softwareDB"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName softwaredb.example.com
ErrorLog /var/log/apache2/softwaredb_ssl_error_log
<IfModule log_config_module>
TransferLog /var/log/apache2/softwaredb_ssl_access_log
</IfModule>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
SSLCertificateFile /etc/ssl/apache2/sso.example.com/softwaredb.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/sso.example.com/softwaredb.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/softwareDB"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost softwaredb.example.com are as follows. Note that the vhost above loads its certificate and key from /etc/ssl/apache2/sso.example.com/, not from this directory; one of the two must be corrected so that Apache actually serves the files listed here.
PATH: ''/etc/ssl/apache2/softwaredb.example.com''
- ''softwaredb.example.com.key'' - Unencrypted private key loaded by Apache with the signed certificate
- ''softwaredb.example.com.orig'' - Passphrase-protected private key (original)
- ''softwaredb.example.com.csr'' - Certificate signing request
- ''softwaredb.example.com.cer'' - Signed certificate
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName inventory.example.com
ErrorLog /var/log/apache2/inventory_ssl_error_log
<IfModule log_config_module>
CustomLog /var/log/apache2/inventory_ssl_access_log combined
</IfModule>
SSLEngine on
SSLInsecureRenegotiation off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:RC4+RSA:HIGH:!ADH:!EXPORT
SSLCertificateFile /etc/ssl/apache2/inventory.example.com/inventory.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/inventory.example.com/inventory.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/inventory/MLIB-Inventory"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost inventory.example.com are as follows:
PATH: ''/etc/ssl/apache2/inventory.example.com''
- ''inventory.example.com.key'' - Unencrypted private key loaded by Apache with the signed certificate
- ''inventory.example.com.orig'' - Passphrase-protected private key (original)
- ''inventory.example.com.csr'' - Certificate signing request
- ''inventory.example.com.cer'' - Signed certificate, expires 02/24/2017
<IfDefine DEFAULT_VHOST>
<VirtualHost *:80>
ServerName licenses.example.com
<IfModule mpm_peruser_module>
ServerEnvironment apache apache
</IfModule>
DocumentRoot "/var/www/tyr.example.com/licenses"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfDefine>
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
<VirtualHost *:443>
ServerName licenses.example.com
ErrorLog /var/log/apache2/licenses_ssl_error_log
<IfModule log_config_module>
CustomLog /var/log/apache2/licenses_ssl_access_log combined
</IfModule>
SSLEngine on
SSLInsecureRenegotiation off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:RC4+RSA:HIGH:!ADH:!EXPORT
SSLCertificateFile /etc/ssl/apache2/licenses.example.com/licenses.example.com.cer
SSLCertificateKeyFile /etc/ssl/apache2/licenses.example.com/licenses.example.com.key
SSLCertificateChainFile /etc/ssl/apache2/incommon-chain.cer
DocumentRoot "/var/www/tyr.example.com/licenses"
<Directory "/var/www/tyr.example.com/licenses">
Order allow,deny
Allow from 192.168.16.0/24
#Deny from all
Options FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/welcome/index/$1 [L]
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<IfModule setenvif_module>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
The SSL certificate files for vhost licenses.example.com are as follows:
PATH: ''/etc/ssl/apache2/licenses.example.com''
- ''licenses.example.com.key'' - Unencrypted private key loaded by Apache with the signed certificate
- ''licenses.example.com.orig'' - Passphrase-protected private key (original)
- ''licenses.example.com.csr'' - Certificate signing request
- ''licenses.example.com.cer'' - Signed certificate, expires 02/24/2017
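The TLS settings repeated in every HTTPS vhost above can be audited from the config text alone. The script below is an added example, not part of the original page or of the Apache project: it reads vhost configuration on stdin, and for each vhost with SSLEngine on reports whether SSLv3 is still enabled, TLS 1.2 is missing, RC4 or MEDIUM ciphers are allowed, or SSLHonorCipherOrder is unset, then prints the replacement directives. The sample input is a constructed excerpt of two vhost blocks from this page plus one hypothetical hardened block; the replacement directives assume Apache 2.4 (or a 2.2 release new enough to accept the TLSv1.2 token) built against OpenSSL 1.0.1 or later.

```shell
#!/bin/sh
# tls_vhost_audit.sh: flag legacy SSLProtocol / SSLCipherSuite settings in
# Apache vhost configuration and print the replacement directives.
# Added example, not part of the original page. SAMPLE_VHOSTS is a
# constructed excerpt: two blocks copied from this page and one hardened block.

SAMPLE_VHOSTS='
<VirtualHost *:443>
ServerName tyr.example.com
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
</VirtualHost>
<VirtualHost *:443>
ServerName inventory.example.com
SSLEngine on
SSLInsecureRenegotiation off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:RC4+RSA:HIGH:!ADH:!EXPORT
</VirtualHost>
<VirtualHost *:443>
ServerName hardened.example.com
SSLEngine on
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>
'

# audit_vhosts: read vhost config on stdin; print "<ServerName>: finding; ..."
# for every SSL vhost with a legacy setting, nothing for a clean one.
audit_vhosts() {
    awk '
    /^[ \t]*<VirtualHost/ { name = "?"; proto = ""; ciphers = ""; order = 0; ssl = 0 }
    /^[ \t]*ServerName[ \t]/ { name = $2 }
    /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1 }
    /^[ \t]*SSLProtocol[ \t]/ { proto = tolower($0); sub(/^[ \t]*sslprotocol/, "", proto) }
    /^[ \t]*SSLCipherSuite[ \t]/ { ciphers = $2 }
    /^[ \t]*SSLHonorCipherOrder[ \t]+[Oo][Nn]/ { order = 1 }
    /^[ \t]*<\/VirtualHost>/ {
        if (!ssl) next
        n = 0
        # SSLv3 is on when the directive is absent (mod_ssl default "all"),
        # when "all" is enabled without "-SSLv3", or when "+SSLv3" is given.
        if (proto == "" || (proto ~ /(^|[ \t])\+?all/ && proto !~ /-sslv3/) || proto ~ /\+sslv3/)
            f[++n] = "SSLv3 enabled"
        if (proto !~ /tlsv1\.2/) f[++n] = "TLS 1.2 not enabled"
        if (ciphers ~ /RC4/) f[++n] = "RC4 in SSLCipherSuite"
        if (ciphers ~ /MEDIUM/) f[++n] = "MEDIUM ciphers allowed"
        if (!order) f[++n] = "SSLHonorCipherOrder not set"
        if (n) {
            printf "%s:", name
            for (i = 1; i <= n; i++) printf "%s %s", (i > 1 ? ";" : ""), f[i]
            printf "\n"
        }
    }'
}

# hardened_directives: the four lines to put in place of the legacy ones
# (RSA-only ECDHE suites, since the InCommon certificates here are RSA).
hardened_directives() {
    cat <<'EOF'
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
SSLInsecureRenegotiation off
EOF
}

# Audit the sample, then show what to replace the flagged lines with.
printf '%s\n' "$SAMPLE_VHOSTS" | audit_vhosts
hardened_directives
```

To audit the live configuration, feed the vhost files in instead of the sample: cat /etc/apache2/vhosts.d/*.conf | audit_vhosts. The static check is only as good as the text it sees; after changing the directives, confirm with openssl s_client against each ServerName that an SSLv3 handshake is refused.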
By default the MySQL service only accepts connections on the local interface; this prevents TCP access to the database from anywhere but the server itself. The OmniPage campus service needs to reach the softwaredb.example.com database, so MySQL is instead bound to the server's routable address; TCP wrappers ACLs (hosts.allow/hosts.deny, if mysqld is built with libwrap) together with per-host GRANTs then limit which hosts may connect. Because mysqld then no longer listens on 127.0.0.1, local web applications must connect through the Unix socket (host 'localhost' in the MySQL client), which is also what the 'dbUser'@'localhost' accounts below match.
#bind-address = 127.0.0.1
bind-address = 192.168.17.166
Because tyr has an interface on every staff, public, server and lab subnet, arpwatch can watch all of them for a change in the MAC address paired with an IP, which is what an ARP-spoofing man-in-the-middle (a machine claiming the default gateway's address on a subnet) looks like on the wire. -N disables bogon reports and -p keeps the interfaces out of promiscuous mode; the listener runs as the unprivileged arpwatch user.
# Config file for /etc/init.d/arpwatch
# see arpwatch.8 for more information
#IFACES="eth0 eth1"
#IFACES="eth0"
IFACES="vlan21 vlan22 vlan57 vlan61 vlan71 vlan81 vlan91 vlan101 vlan111 vlan121 vlan131 vlan141 vlan151 vlan171 vlan181 vlan461"
# Additional options to pass to arpwatch.
OPTIONS="-N -p"
# Comment this line if you wish arpwatch to run as root user (not recommended)
ARPUSER="arpwatch"
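arpwatch only reports; deciding which reports matter is left to whoever reads syslog. The script below is an added example, not from the original page or from arpwatch: it pulls the "changed ethernet address" and "flip flop" events out of syslog lines and marks them CRITICAL when the address involved is one of the infrastructure hosts that must never change MAC. The WATCH list is taken from this page's /etc/conf.d/net (the vlan171 default gateway and the three DNS servers); the log lines are constructed samples in the style of arpwatch's syslog messages, and the assumption that the interface name is appended to each message holds for the arpwatch builds that log it.

```shell
#!/bin/sh
# arpwatch_triage.sh: rank arpwatch MAC-change events by the address involved.
# Added example, not from the original page. WATCH holds addresses from this
# page's /etc/conf.d/net; SAMPLE_LOG is constructed in arpwatch's syslog format.

# Infrastructure addresses whose MAC must never change unannounced:
# the vlan171 default gateway and the three configured DNS servers.
WATCH="192.168.17.161 192.168.1.10 192.168.10.10 192.168.20.10"

SAMPLE_LOG='
Oct 11 09:14:02 tyr arpwatch: new station 192.168.10.47 0:1b:21:3c:4d:5e vlan101
Oct 11 09:15:31 tyr arpwatch: changed ethernet address 192.168.10.10 0:25:64:aa:bb:cc (0:1c:7e:11:22:33) vlan101
Oct 11 09:15:40 tyr arpwatch: flip flop 192.168.10.10 0:1c:7e:11:22:33 (0:25:64:aa:bb:cc) vlan101
Oct 11 09:20:05 tyr arpwatch: changed ethernet address 192.168.8.77 0:50:56:ab:cd:ef (0:50:56:12:34:56) vlan81
Oct 11 09:22:18 tyr arpwatch: new station 192.168.17.161 0:12:34:56:78:9a vlan171
Oct 11 09:30:00 tyr arpwatch: changed ethernet address 192.168.17.161 0:de:ad:be:ef:1 (0:12:34:56:78:9a) vlan171
'

# arpwatch_triage: read syslog lines on stdin and print one line per event:
#   <severity> <ip> <old-mac> -> <new-mac> <iface> <event>
# severity is CRITICAL for a watched address, WARNING otherwise.
# "new station" lines are not changes and are skipped.
arpwatch_triage() {
    awk -v watch="$WATCH" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) critical[w[i]] = 1 }
    /arpwatch: changed ethernet address / { ev = "changed-mac" }
    /arpwatch: flip flop /                { ev = "flip-flop" }
    /arpwatch: changed ethernet address / || /arpwatch: flip flop / {
        # what remains after the event text: <ip> <new-mac> (<old-mac>) <iface>
        sub(/.*arpwatch: (changed ethernet address|flip flop) /, "")
        ip = $1; newmac = $2; oldmac = $3; iface = $4
        gsub(/[()]/, "", oldmac)
        sev = (ip in critical) ? "CRITICAL" : "WARNING"
        printf "%s %s %s -> %s %s %s\n", sev, ip, oldmac, newmac, iface, ev
    }'
}

# critical_count: number of CRITICAL events in the sample (the paging threshold)
critical_count() {
    printf '%s\n' "$SAMPLE_LOG" | arpwatch_triage | grep -c '^CRITICAL'
}

# Triage the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | arpwatch_triage
```

A flip flop on a gateway or DNS address within seconds of a change, as in the sample, is the signature of two hosts answering for the same IP; a single change with no flip flop is more often a legitimate hardware swap, which is why the old MAC is printed next to the new one.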
Currently runs a Perl script as a cron job.
Location of Perl script: /usr/local/WakeonLan/
Location of logfile: /var/log/wakeonlan
Location: /usr/local/1by1
These policies pertain to system management. Please follow this guide so that this server does NOT become a development testing ground for projects.
When creating new accounts in MySQL, a few things should be addressed to eliminate unauthorized or unnecessary access to other databases. Each account should carry a strict set of permissions so that one compromised account does not give full write access to the remaining databases.
Create the database first, so that the permissions below can be granted on it:
mysql -u root -p -e "CREATE DATABASE dbname"
Below are a few examples of creating users with various levels of privilege on a per-database basis. The remote-user examples should be used VERY sparingly, since a direct remote connection to the MySQL service should seldom (if ever) be allowed.
These should be used most frequently, as any new web application that requires database access should be installed on this server as a vhost (see the Apache policy).
This example restricts the account to local (socket) connections and grants read-only privileges on all tables of the specified database. CREATE USER and GRANT must name the same 'user'@'host' pair: on older MySQL versions a GRANT to an account that does not exist silently creates it, with an empty password unless the NO_AUTO_CREATE_USER SQL mode is set.
mysql -u root -p -e "CREATE USER 'dbUser'@'localhost' IDENTIFIED BY 'dbPass'; GRANT SELECT, REFERENCES, INDEX ON dbName.* TO 'dbUser'@'localhost'; FLUSH PRIVILEGES"
This example restricts the account to local connections and grants read-only privileges on one table of the specified database (to allow several tables, issue one GRANT per table):
mysql -u root -p -e "CREATE USER 'dbUser'@'localhost' IDENTIFIED BY 'dbPass'; GRANT SELECT, REFERENCES, INDEX ON dbName.dbTable TO 'dbUser'@'localhost'; FLUSH PRIVILEGES"
This example restricts the account to local connections and grants select, insert, update, delete and execute privileges on all tables of the specified database:
mysql -u root -p -e "CREATE USER 'dbUser'@'localhost' IDENTIFIED BY 'dbPass'; GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE ON dbName.* TO 'dbUser'@'localhost'; FLUSH PRIVILEGES"
This example restricts the account to local connections and grants select, insert, update, delete and execute privileges on one table of the specified database (one GRANT per table if several are needed):
mysql -u root -p -e "CREATE USER 'dbUser'@'localhost' IDENTIFIED BY 'dbPass'; GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE ON dbName.dbTable TO 'dbUser'@'localhost'; FLUSH PRIVILEGES"
Here are the same examples for accounts that connect remotely (per-user and per-database restrictions still apply). The first group limits the account to one subnet with a wildcard host pattern, where dbSubnet stands for the network prefix (the first three octets of a /24). The second group, with host '%', accepts connections from anywhere and violates the deny-all-by-default principle, so prefer the subnet form. Host patterns containing '%' or '.' must be quoted.
mysql -u root -p -e "CREATE USER 'dbUser'@'dbSubnet.%' IDENTIFIED BY 'dbPass'; GRANT SELECT, REFERENCES, INDEX ON dbName.* TO 'dbUser'@'dbSubnet.%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'dbSubnet.%' IDENTIFIED BY 'dbPass'; GRANT SELECT, REFERENCES, INDEX ON dbName.dbTable TO 'dbUser'@'dbSubnet.%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'dbSubnet.%' IDENTIFIED BY 'dbPass'; GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE ON dbName.* TO 'dbUser'@'dbSubnet.%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'dbSubnet.%' IDENTIFIED BY 'dbPass'; GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE ON dbName.dbTable TO 'dbUser'@'dbSubnet.%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'%' IDENTIFIED BY 'dbPass'; GRANT SELECT, REFERENCES, INDEX ON dbName.* TO 'dbUser'@'%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'%' IDENTIFIED BY 'dbPass'; GRANT SELECT, REFERENCES, INDEX ON dbName.dbTable TO 'dbUser'@'%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'%' IDENTIFIED BY 'dbPass'; GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE ON dbName.* TO 'dbUser'@'%'; FLUSH PRIVILEGES"
mysql -u root -p -e "CREATE USER 'dbUser'@'%' IDENTIFIED BY 'dbPass'; GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE ON dbName.dbTable TO 'dbUser'@'%'; FLUSH PRIVILEGES"
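Typing these statements by hand is where the mistakes creep in (a GRANT whose host does not match the CREATE USER, an unquoted wildcard host, a stray '%'). The helper below is an added example, not part of the original page: it takes the account class (ro or rw, with exactly the privilege sets listed above), user, host, password, database and optional table, refuses a bare '%' host and any value that would break out of the SQL literals, and prints the two statements for piping into mysql. The user, database and table names are placeholders, and the subnet in the second demo call is assumed from this server's own address.

```shell
#!/bin/sh
# least_priv_grant.sh: print the CREATE USER / GRANT statements for one
# per-database MySQL account, following the policy described on this page.
# Added example; the user, host and database names are placeholders.

# Privilege sets for the two account classes the page defines.
RO_PRIVS="SELECT, REFERENCES, INDEX"
RW_PRIVS="SELECT, INSERT, UPDATE, DELETE, REFERENCES, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE"

# grant_sql <ro|rw> <user> <host> <password|-> <database> [table]
#   host     : 'localhost' for socket connections from web apps on this box,
#              or a prefix such as 192.168.17.% for one subnet; bare '%' is refused.
#   password : '-' reads it from stdin so it does not show in ps or shell history.
# Prints two SQL statements on stdout; prints nothing and returns non-zero
# on a bad argument.
grant_sql() {
    mode=$1 user=$2 host=$3 pass=$4 db=$5 table=${6:-*}
    case "$mode" in
        ro) privs=$RO_PRIVS ;;
        rw) privs=$RW_PRIVS ;;
        *)  echo "grant_sql: mode must be ro or rw" >&2; return 2 ;;
    esac
    # Deny by default: '%' would let any host on any network try this password.
    case "$host" in
        ''|%) echo "grant_sql: refusing wildcard host; use localhost or a subnet prefix" >&2; return 1 ;;
    esac
    if [ "$pass" = "-" ]; then IFS= read -r pass; fi
    # Every value is interpolated into a quoted SQL literal; refuse the
    # characters that would terminate the literal or the statement.
    case "$user$host$pass$db$table" in
        *\'*|*\`*|*\;*|*\\*) echo "grant_sql: quote, backtick, backslash or ';' in argument" >&2; return 1 ;;
    esac
    if [ "$table" = '*' ]; then scope="\`$db\`.*"; else scope="\`$db\`.\`$table\`"; fi
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT %s ON %s TO '%s'@'%s';\n" "$privs" "$scope" "$user" "$host"
}

# Demo: a read-only account for a web app on this host, then a read/write
# account on one table for a client on the server's own /24.
# Pipe the output into: mysql -u root -p
grant_sql ro app_ro localhost 'changeme' softwaredb
grant_sql rw omnipage 192.168.17.% 'changeme' softwaredb jobs
```

Because the statements go to stdout, the password can be kept off the command line entirely: printf '%s\n' "$PW" | grant_sql ro app_ro localhost - softwaredb | mysql -u root -p. The character filter is deliberately strict rather than an escaping routine; account, database and table names on this server have no reason to contain quotes or semicolons.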
The old tyr.example.com used the default web server root for everything. Despite my best efforts at implementing a process for new projects (requiring a vhost, an associated database with a restricted set of permissions, etc.) it became convoluted and hard to maintain very quickly.
To discourage this from happening again I have made a vhost mandatory for each project and am implementing a new policy that no new project goes on this server without first being tested on a development server. New projects will be created with the following guidelines:
All new projects will use a vhost configuration within Apache.