From: ADVAX::"dlq@next.ucns.uga.edu" "David Quarterman" 14-MAY-1991 11:25:56.83
To: arisia::everhart
CC:
Subj: Our setup doc

Received: by ADVAX.DECnet (utk-mail11 v1.5) ; Tue, 14 May 91 11:24:33 EDT
Received: from mcnc by ge-dab.GE.COM (5.61/GE-DAB 1.15) with UUCP id AA07783 for ; Tue, 14 May 91 10:47:37 -0400
Received: from server.uga.edu by mcnc.mcnc.org (5.59/MCNC/3-21-91) id AA26508; Tue, 14 May 91 10:19:58 -0400 for arisia.dnet.ge.com!everhart
Received: by server.uga.edu (5.57/Ultrix3.0-C) id AA09612; Tue, 14 May 91 10:19:54 -0400
Received: by next.ucns.uga.edu (NeXT-1.0 (From Sendmail 5.52)/NeXT-2.0) id AA15669; Tue, 14 May 91 10:16:03 EDT
Date: Tue, 14 May 91 10:16:03 EDT
From: dlq@next.ucns.uga.edu (David Quarterman)
Message-Id: <9105141416.AA15669@next.ucns.uga.edu>
To: arisia::everhart
Subject: Our setup doc

This is the doc we are distributing to our system administrators. If you like you can ftp and pick up the WordPerfect version. Hope this makes sense to you.

David


Steps to take before connecting to the UGA campus network.

This document is available on ftp.uga.edu in the /pub directory as netchk.asc for the serial version, and as netchk.wpf for the WordPerfect 5.1 formatted version.

April 24, 1991

TCP systems (SUN)

1. Contact David Mathews-Morgan to obtain a unique subnet address and subdomain name for your departmental network. Phone 542-6468 or DMM@uga.cc.uga.edu for electronic mail.

2. Edit your startup file (/etc/rc.local on Suns) to check that the following parameters are set for ifconfig:

       ifconfig xx0 inet 128.192.z.y netmask 0xffff0000
       ifconfig xx0 broadcast 128.192.255.255 -trailers

   where xx is your interface, z is your departmental subnet and y is your machine in the department. In general the recommendation is to start numbering your departmental machines (hosts) with 2, leaving entry 1 for a router later when traffic warrants it. That way the folks managing the campus net can expect to find a router on host number one in each department.
3. Configure your host so it knows how to reach the domain nameserver: create the file /etc/resolv.conf containing the following lines:

       domain department.uga.edu
       nameserver 128.192.1.9
       nameserver 128.192.8.4

   where department is once again the departmental subdomain you and David Mathews-Morgan decided on.

4. Contact the UGA domain nameserver maintainer Harold Pritchett (harold@uga.cc.uga.edu) and let him know what machines and IP addresses you want to have added to the nameserver. Normally this will be only your main hosts, as they are the only ones that will be available 24 hours a day. Exclude your PCs, as they are normally not running a mail receiver 24 hours a day. However, if you are running NFS to provide service to your PCs and are not running NIS/YP, then the PCs will have to be in the nameserver before the Sun NFS code will work properly.

5. Now to configure your host so it knows how to reach other machines: add the following line to /etc/rc.local after the ifconfig line:

       route add 0.0.0.0 128.192.1.1 1

   or

       route add default 128.192.1.1 1

   This tells your machine to send any addresses it doesn't know about to the campus gateway and let it take care of sending them to the proper places.

6. Library fixes for letting telnet, ftp, ping etc. use the domain nameserver for resolution of names. This requires replacing the Sun shared library with a version containing the versions of "get_host_by_name", etc. which use the DNS system instead of the static host table. Extreme care must be taken, since installing a bad shared library will leave you with a system on which almost all commands are broken. Always install the new library with a higher serial number than the old one, and do not remove the old library. This way, you can use the mv command (which does not use the shared library) to rename the new library to a number lower than the old one. If you do this and issue the ldconfig command, you will be able to recover your old library.
   Shared libraries are available on ftp.uga.edu (128.192.6.9) in the /pub/sunfixes directory. Since this fix is necessary before you can ftp by hostname, you will have to use the dotted decimal IP address for retrieving this fix. libc.fix.sun4c.4.1.tar.Z is the name for the sun4 SPARC library for SunOS 4.1. For the sun3 series of computers, the file is libc.fix.sun3.4.1.tar.Z if you are running SunOS 4.1. Versions for SunOS 4.1.1 will be made available with the expected names when we get them. The file shlib.etc.README explains how to build and install the library if you need a version which is not available on the server.

7. Obtain the file sendmail.cf.sun from pub/sunfixes on the anonymous ftp server ftp.uga.edu. Install this file in the directory /etc, after renaming the original file from Sun to something like /etc/sendmail.cf.orig.

8. Obtain the file /pub/sunfixes/sendmail.mx.sun4.Z from ftp.uga.edu. This is a later release of the Sun MX-aware sendmail program with several security fixes. Copy this file to /usr/lib/sendmail after uncompressing it. This gets you the version of sendmail which can talk to both Yellow Pages and the domain nameserver. This is required even if you only plan to run a subsidiary mailer, since MX support is required to find the master mailer. After installing this file, issue the command

       chmod 4551 /usr/lib/sendmail

   to allow sendmail to work properly.

   Check the file /etc/defaultdomain. It should read "department.uga.edu", where department is your department as defined above. If you are running SunOS 4.1.1, it must instead read ".department.uga.edu", since Sun has fixed the sendmail rule sets. If yours doesn't, make it so.

   After completing the configuration, you must restart mail with the following commands:

       ps -ax | grep sendmail | grep -v grep

   The process number for sendmail is the first number in the output of the above command.
       kill nnnn

   where nnnn is the number obtained above. Then:

       /usr/lib/sendmail -bz
       /usr/lib/sendmail -q1h -bd -om

   Now your sendmail is restarted and should be operational. To check it, send mail to yourself and check the From line. It should read "userid@host.department.uga.edu". If it doesn't, please contact the workstation support group.

9. NFS entries in /etc/exports will need to be fully qualified names to work with access to the world via the domain name service. The NFS clients will need to have entries in the UGA domain nameserver so that they may mount their files.

10. Edit the rc.local file and look for the chmod 666 for /etc/motd. Change it to chmod 644 so only the root user can change it.

11. Check /etc/syslog.conf for the following lines:

       #auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)
       mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)

   Comment out the mail.debug line by placing a # character in the first position and replace it with lines similar to the following:

       # The following line is to fix the brain-dead function of
       # SUN/OS where DNS operation is concerned.
       mail.debug /var/log/syslog

12. tn3270 for accessing the IBM mainframe. This code is available on the UGA anonymous ftp server ftp.uga.edu as pub/tn3270.4.1.1.tar.Z.

13. NTP for keeping your processor clock synchronized with standard time. This package is available on the anonymous ftp server as pub/sunfixes/ntp.sun4.4.0.3.tar.Z or pub/sunfixes/ntp.sun4.4.1.tar.Z for Sun SPARC machines running the 4.0.3 and 4.1 versions of SunOS. The sources are also available should you need to build NTP for other systems. After installing NTP, you should check the file /etc/services for an entry for standard service 123. Some versions of SunOS will contain an entry:

       ntp 123/tcp #network time protocol

   Add a line immediately after this one which says

       ntp 123/udp #network time protocol

   This will give you two lines for ntp, one for tcp and one for udp.

14. Security:

   a. Remove the + from /etc/hosts.equiv, /etc/passwd and /etc/group. Its existence permits people to log in to your system without supplying a password if their username matches one on your system.

   b. Remove /.rhosts, as it permits other machines to log in to your machine without requiring a password.

   c. Check /etc/passwd for entries with no password; they permit people to log on to your machine with no password.

   d. Check the /etc/exports file, as the default is to export almost everything read/write. This permits foreign users to modify your system files without your knowledge. You should export filesystems to specific machines with read-only access unless there is careful consideration of who can write on your files.

   e. Read the security paper available via anonymous ftp from ftp.uga.edu as pub/security-paper.ps. There are PostScript and text copies available. Hardcopy is available from the workstation support group, phone 542-5110.

   f. Use decent passwords and change them regularly for root and other powerful ids. All users should use GOOD passwords. See the security paper for a description of GOOD passwords.

   g. System managers should regularly review /etc/passwd and /etc/group for accounts that should be deleted, people in groups they shouldn't belong in and ids that are unknown, as well as accounts without passwords.

   h. The COPS package provides a means for automating many routine security checking procedures. It is available from ftp.uga.edu as /pub/cops.

   i. Replace the SunView selection module for all versions of SunOS and architectures, available from ftp.uga.edu as pub/sunfixes/patch.sunview.*.

   j. Check /etc/ttytab for the secure attribute on your tty and pseudo ttys. The console should be the only one with the secure attribute. The secure attribute permits root to log in from that device.

   k. Anonymous FTP. If you set up an anonymous FTP server, you MUST follow the instructions in the CERT memo to avoid security problems.
      In addition, ensure that all directories (with the exception of a single directory for inbound FTP) have access set to read/execute, to prevent anyone from storing items on your server or deleting items from your server. This can be done with the following commands:

          cd ~ftp
          find . -type d -exec chmod =rx {} \;

15. Helpful tips and ideas from various sources:

   a. Using a QIC-150 cartridge tape as a backup device. The QIC tape drives have no means to sense end of volume, so to use one as a backup device you must give the dump command a set of parameters to indicate how much data the tape can hold. The default setup is for the standard 40 meg drive. The correct command is:

          /usr/etc/dump 0cdtsf 1250 18 570 /dev/rst0 /target

      0 = dump level
      c = cartridge tape
      d = density, 1250 bytes per inch
      t = tracks = 18
      s = size = 600 feet less the usual slop factor
      f = output file name, /dev/rst0

      This is documented in the Sun system administrator's manual (in my copy it's chapter 6, File maintenance, on page 99).

For ULTRIX 4.0 nodes

1. ULTRIX 4.0 is a complete re-install of the operating system. You MUST have a backup of all user files, and any system files which are unique to your system, i.e. /etc/passwd, /etc/group, /etc/exports. The install notes list the files you need to save.

2. Installation over the campus network is probably the easiest way. Before you begin, you MUST have a current license for ULTRIX 4, as it uses the new Program Authorization Key (PAK) licensing. If you don't have a piece of paper which says PAK at the top and looks like a legal document, stop now. If you are a current member of the Campus Software License Group (CSLG) you are licensed and can request your PAK from them.

3. After you have your PAK, you must provide the workstation support group with your real hardware Ethernet address and the name of your machine. Note that this is NOT the Ethernet address which will show if you are running DECnet, since DECnet modifies the Ethernet address.
   We will notify you when you can commence your install.

4. Once everything is set up and you have at least one copy of a GOOD backup, you are ready to begin.

5. Shut down your system, and from the boot ROM monitor prompt issue the command to boot your system over the Ethernet:

       boot -f mop(0)

6. At this point the operating system will load over the network. Issue the command

       setld -l chico:

   This will give you the standard install menu, and you can select the products you wish to install. (You can do this more than once, so if you miss something the first time you can get it later.)

7. Once you complete the installation, you must restore the system files you saved above, and your user files. You are now done. Call the workstation support group and advise them you are done so they can delete the files created on the remote install system.

For DECnet nodes (VMS 5.X)

Do all of the system setup from the system manager's account. Several of the steps require more than ordinary user privileges.

1. Contact David Mathews-Morgan to obtain a unique series of DECnet host addresses and names for your departmental machines.

2. Run netconfig to configure your DECnet. It will prompt you for your area, which is 62 for this campus; your host name, which you and David decided on; your host number, which once again is one of the ones gotten from David; whether you want to be a router or not (answer no); and some other questions. It will tell you to add a line to the system startup procedure to start DECnet when the system is booted.

3. When it finishes, add the line for startnet.com to the system startup configuration file systartup_v5.com in the system manager account.

4. Now set default to sys$system and edit modparams.dat. Set the parameter scsnode="yourhostname" and check the parameter scssystemid=zz, where zz = 62*1024 + host number.

5. Then run autogen with this command:

       @sys$update:autogen savparams setparams

   This will set the parameters so the next time the system is rebooted it will come up with the right values.

6. UCX. If running UCX, check the following: netmask as 255.255.0.0, notrailers, broadcast 128.192.255.255.

For Silicon Graphics Systems

1. Contact David Mathews-Morgan to obtain a unique subnet address and subdomain name for your departmental network. Phone 542-6468 or DMM@uga.cc.uga.edu for electronic mail.

2. Edit the file /etc/sys_id and change the existing name to your hostname. Do not include the subdomain and domain name.

3. Edit the file /etc/hosts. The first line should be:

       127.0.0.1 localhost

   Do not modify this line, and do not place entries before this one. On the next line, add your address and fully qualified hostname followed by your hostname only. Example:

       128.192.254.20 tulip.chemistry.uga.edu tulip

4. To configure your host so that it can utilize the domain nameserver, create the file /usr/etc/resolv.conf. Place the following lines in this file IN THIS ORDER:

       domain uga.edu
       nameserver 128.192.1.9
       nameserver 128.192.8.4
       hostresorder local bind

   If you are running a version of IRIX prior to 3.3, you cannot utilize this service. In this case you must specify the hostnames to which you would like to connect in /etc/hosts.

5. Contact the UGA domain nameserver maintainer Harold Pritchett (harold@uga.cc.uga.edu) and let him know what machines and IP addresses you want to have added to the nameserver.

6. timed, the time daemon, is used for keeping the processor clock synchronized with standard time. To set this up, edit the file /etc/init.d/networks. Remove the "-M" option from the line:

       /usr/etc/timed -M `cat $CONFIG/timed.options 2> /dev/null`

   The "-M" option makes your system a timed master; the other systems running timed as slaves will set their clocks from your system, which may have an inaccurate clock.

7. Set the configuration flags so that the network and timed daemons will be started whenever the system is booted. From the command line, enter the following:

       # chkconfig network on
       # chkconfig timed on

   Then enter:

       # chkconfig

   to make sure that these flags are set to "on". To start these daemons, enter from the command line:

       # /etc/init.d/network stop; /etc/init.d/network start

8. Get the files pub/sgi/sendmail.MX.sgi.Z and pub/sgi/sendmail.cf.sgi.Z from the anonymous ftp server (ftp.uga.edu). This is the SGI sendmail program that can handle MX records. Do the following:

   a. Uncompress sendmail.MX.sgi.Z and copy it to /usr/lib/sendmail after renaming the existing sendmail to /usr/lib/sendmail.orig.

   b. Uncompress the file sendmail.cf.sgi.Z and copy it to /usr/lib/sendmail.cf after making a backup copy of the existing sendmail.cf to /usr/lib/sendmail.cf.orig.

   c. Find the line:

          DDdomain.uga.edu

      Change "domain" to your departmental subdomain name. Example:

          DDchemistry.uga.edu

   d. Find the lines:

          DFhostname.domain.uga.edu
          CFhostname

      Change "hostname" to your hostname and "domain" to your departmental subdomain name. Example:

          DFtulip.chemistry.uga.edu
          CFtulip

   e. Find the line:

          ONdomain.uga.edu

      Change "domain" to your departmental subdomain name, as in step (c) above.

   f. To stop the old sendmail program and start the new one, enter on the command line:

          # /etc/init.d/mail stop; /etc/init.d/mail start

9. Create the file /etc/config/login.options and insert the following lines:

       syslog=all
       passwdreq
       lastlog

   These will cause all logins (successful and failed) to be logged to the system log, require all logins to have passwords, and inform users of the last successful login on their account.

10. To start logging of ftp and rsh logins, edit the file /usr/etc/inetd.conf. Add "-l" after the rightmost instance of "ftpd" and "-L" after the rightmost instance of "rshd".
    To suppress information which may assist would-be attackers, add "-S" after the rightmost occurrence of "fingerd". Finally, comment out the line beginning with "tftp" if you do not run diskless IRISes from your host. Do this by adding a "#" as the first character on the line. This will prevent the tftpd daemon from running; tftp allows anyone to access your system without a password. Then enter the following from the command line:

       # /etc/killall -HUP inetd

11. Make sure the system log file, /usr/adm/SYSLOG, is not readable by anyone other than root:

       # chmod 700 /usr/adm/SYSLOG

12. If your system will not be in a controlled access area, do not use the visual login icons, as this lists the users on the system and gives would-be intruders a head start. From the command line enter:

       # chkconfig visuallogin on
       # chkconfig noiconlogin on

13. Security. As shipped, IRIX has a number of security holes which must be corrected prior to connecting to the network. These are well known and can be exploited easily, so it is very important to secure the system.

   a. On a new system, none of the administrative and maintenance logins have passwords. You may close these up either by running the "sysadm syssetup" program and then the "setup" and "syspassword" programs and assigning passwords to these logins, or by editing the /etc/passwd file and manually locking these accounts. The preferred method is the latter. A sample entry in the /etc/passwd file is:

          user::100:1:Iris User:/usr/people/user:/bin/csh

      The important field here is the second field, which in this case is empty. This is the field for the encrypted password. EVERY login MUST have a password. There are a number of logins which are not normally used and should be locked by placing the string "Locked;" in the password field. These include sys, bin, adm, uucp, nuucp, daemon, lp, man, diag, and sysadm.

   b. See the passwd(1) man page and section 4.2.3 in the "IRIX System Administrator's Guide" for information on password aging.
   c. Do NOT use ~/.rhosts, /.rhosts, /etc/hosts.equiv, or .netrc files. Make sure none of these are present on the system.

   d. Make sure that files in your directory are not writable by others (especially .login, .cshrc, .profile). Make sure that the files in /etc, /bin, and /usr/bin are not writable by others.

   e. Read the security paper available via anonymous ftp from ftp.uga.edu as pub/security-paper.ps. There are PostScript and text copies available. Hardcopy is available from the workstation support group, phone 542-5110.

   f. Use decent passwords and change them regularly for root and other powerful ids. All users should use GOOD passwords. See the security paper for a description of GOOD passwords.

   g. System managers should regularly review /etc/passwd and /etc/group for accounts that should be deleted, people in groups they shouldn't belong in and ids that are unknown, as well as accounts without passwords.

   h. The COPS package provides a means for automating many routine security checking procedures. An SGI version is available from anonymous ftp as pub/sgi/cops.sgi.tar.Z.
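Added here as a worked example (it is not part of the UGA document and not UGA tooling): a POSIX shell audit of the items that the Sun section's step 14 and the SGI section's step 13 tell you to inspect, plus a helper for step 13a's account locking. It runs against a root prefix so it can be tried on a copy of the files first; the sample tree it builds is constructed for illustration, and the /etc/exports and /etc/ttytab layouts it parses are assumed to be the SunOS ones described above.

```shell
# Added example, not from the UGA document: audits the items in Sun step 14
# and SGI step 13 under a root prefix; pass / to check the live host.

# Print one finding per line for the tree rooted at $1; always returns 0.
audit_host() {
    root=${1%/}
    # 14a / 13c: a '+' wildcard entry lets any matching remote username in.
    for f in etc/hosts.equiv etc/passwd etc/group; do
        [ -f "$root/$f" ] && grep -n '^+' "$root/$f" | sed "s|^|plus-entry $f:|"
    done
    # 14b / 13c: /.rhosts lets other machines log in as root with no password.
    [ -e "$root/.rhosts" ] && echo "rhosts-present /.rhosts"
    # 14c / 13a: an empty second field is a login with no password at all.
    awk -F: '$2 == "" { print "empty-password " $1 }' "$root/etc/passwd"
    # 14d: an export with no access= list is served to the world (assumed SunOS syntax).
    [ -f "$root/etc/exports" ] &&
        awk '!/^#/ && NF && !/access=/ { print "open-export " $1 }' "$root/etc/exports"
    # 14j: only the console line should carry the secure attribute.
    [ -f "$root/etc/ttytab" ] &&
        awk '!/^#/ && /secure/ && $1 != "console" { print "secure-tty " $1 }' "$root/etc/ttytab"
    # 13d (and step 10's /etc/motd): files under /etc writable by others.
    find "$root/etc" -type f -perm -002 | while read -r p; do
        echo "world-writable ${p#"$root"}"
    done
    return 0
}

# Number of findings, for use in scripts (0 means the checks above are clean).
audit_count() {
    audit_host "$1" | awk 'END { print NR + 0 }'
}

# 13a: copy passwd file $1 to $2 with the named accounts locked by putting
# "Locked;" in the password field, as the SGI section instructs.
lock_accounts() {
    src=$1; dst=$2; shift 2
    awk -F: -v OFS=: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) lock[a[i]] = 1 }
        $1 in lock { $2 = "Locked;" }
        { print }' "$src" > "$dst"
}

# Constructed sample tree (not real UGA data) showing each defect once.
make_sample() {
    umask 022
    d=$(mktemp -d); mkdir -p "$d/etc"
    printf '+\n' > "$d/etc/hosts.equiv"
    printf 'root:x:0:0:op:/:/bin/sh\nguest::100:1:Guest:/home/guest:/bin/sh\nsys::2:2::/:/bin/sh\n' > "$d/etc/passwd"
    printf 'wheel:*:0:root\n' > "$d/etc/group"
    printf '/usr -ro,access=tulip:lily\n/home\n' > "$d/etc/exports"
    printf 'console "/usr/etc/getty std.9600" sun on secure\nttyp0 none network off secure\n' > "$d/etc/ttytab"
    : > "$d/.rhosts"
    : > "$d/etc/motd"; chmod 666 "$d/etc/motd"
    echo "$d"
}

SAMPLE=$(make_sample)
audit_host "$SAMPLE"        # 7 findings on the constructed tree
lock_accounts "$SAMPLE/etc/passwd" "$SAMPLE/etc/passwd.new" sys bin adm uucp nuucp daemon lp man diag sysadm
rm -rf "$SAMPLE"
```

Review the passwd.new copy before moving it into place, and re-run the audit until it reports nothing.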