Differences

This shows you the differences between two versions of the page.

--- build:todo [2006/03/16 22:48]
70.230.163.142 Added mailing lists. (CMB)
+++ build:todo [2007/06/13 15:26] (current)
206.197.251.253 Added Done for SSL
@@ Line 2: / Line 2: @@
 We've still got plenty of work to do before we can move the new system(s) into production.
+===== TODO on Bud on 2007-06-13 =====
+<code>
+TLS/SASL additions to Postfix (DONE by CMB, except for SSL certificates)
+	Have not yet implemented since rebuilding Bud.
+	Documentation on wiki page is not clear; needs work.
+		Try to be consistent with existing docs, and use postconf -e.
+		We have previous history and 'script' files to work with too.
+	Copy over from Dark any static IPs that are allowed to send email through us.
+MailMan (2-3 hr)
+	Install, configure, and test.
+	Ensure archives can be viewed via the web.
+		Should have a password, like existing site.
+		We can leave the previous archives on Dark temporarily.
+			Remove rewrite rules from .htaccess file when we move those to Bud too.
+	Ensure we have a plan to maintain the lists.
+	Copy list memberships from Dark/Michelob.
+Backups (2-3 hr)
+	Ensure everything we need to back up gets backed up.
+	Create SSH restrictions to copy backups from one server to the other.
+		Give 'backup' user write access to /var/backups/bud/ and budlight/.
+		In ~backup/.ssh/authorized_keys:
+			from="bud,bud.sluug.org,static-206.196.99.162.primary.net",command="cat > /var/backups/bud/bud-`date +'%Y%m%d'`.tar.gz",no-pty,no-port-forwarding,no-x11-forwarding ssh-dsa ......
+	Rotate backups, so we don't keep too many around.
+		Would be nice to keep:
+backup per day for 1 week (or 2 weeks)
+backup per week for a year (or 1-6 months)
+backup per month forever
+	Need to be able to back up MySQL data properly.
+		I don't think copying the directories works correctly.
+Move MX record to Bud (READY to flip switch [MX record in DNS] for Plan A - CMB)
+	Plan A: have email bounce from Bud to Dark
+		We could do this on a per-user basis.
+	Plan B: do not move MX record, until users change their settings on Dark/Michelob.
+		Problem is that we'd tell them how via email, which they might not get.
+			Some of our users read email very infrequently.
+System Monitoring and Admin (2-4 hr)
+	Monitor Apache logs for missing pages.
+	Scripts for user creation.
+		Primarily for Budlight.
+		Probably want to maintain UIDs.
+			But ensure that regular user UIDs are > 1000, per Debian requirements.
+		Manually copy user directories from Michelob/Dark?
+	Metrics on emails (spam).
+	Metrics on web.
+	What else do we need?
+SSL Certificates (1-2 hr) (DONE - LVL created openssl-gencrt)
+	Need to be consistent in parameters we pass in to create various certificates.
+		Would be nice to not have to type the parameters in every time.
+	Move all SSL cert creation to one place in the docs.
+		http://wiki.sluug.org/build/security
+		Currently some stuff in build/misc, build/apache, and build/postfix.
+</code>
+===== Things that can wait until later =====
+<code>
+Rebuilding Budlight
+	Build based on Bud build documentation on Wiki.
+	Requires an on-site visit to install the OS.
+		Be prepared with the CORRECT network settings.
+		Be prepated with the install docs from the wiki.
+	Apache for users.sluug.org on Budlight.
+		<Directory /home/*/public_html>
+			AllowOverride All
+			Options Indexes FollowSymLinks
+		</Directory>
+	Migrate users from Dark/Michelob.
+Security
+	Change shell from /bin/sh for accounts 1-99.
+		Change to either /bin/false or /usr/sbin/nologin.
+	Documentation on http://wiki.sluug.org/build/security page.
+		Section for each of:
+			GPG, SSL certs, rootkit checker, tripwire, tiger, john-the-ripper, etc.
+		Move Security section (containing GPG info) from 'misc' page.
+	From http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ch4.en.html:
+		Mount /tmp nosuid,noexec,nodev
+		Mount /home nodev
+		Mount /usr ro
+			Edit ''/etc/apt/apt.conf'' to add:
+				DPkg
+				{
+					Pre-Invoke  { "mount /usr -o remount,rw" };
+					Post-Invoke { "mount /usr -o remount,ro" };
+				};
+			Found a note saying that sometimes the ro remount does not work.
+				That doesn't leave us any more vulnerable than if we did not implement this.
+				Will get remounted ro the next time we install something.
+			We should probably point /usr/src at /usr/local/src then.
+		Run tripwire or daily checksums:
+			for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/; do
+				find $dir -type f | xargs /usr/bin/md5sum > /var/backups/checksums-$DATE.txt
+			done
+	Security stuff to install/use.
+		john (run it daily, send reports to sysadmin)
+			really need to filter and only send email if problems
+		chkrootkit
+		tiger (internal audit, sends report every day to root)
+		tripwire
+		checksecurity
+		logcheck logcheck-database
+	Web content should NOT be owned by www-data, per Debian security manual!
+		(Although /var/www/index.html is.)
+		I don't know how to make data readable by www-data, but writable by a group.
+System Tuning
+	It would probably be a good idea to mount the /var partition with the noatime flag.
+	Hard drive tuning.
+		Set noatime option in /etc/fstab.
+			mount /var -o remount
+		hdparm -t /dev/ida/c0d0p11 (speed test, spare partition, just in case)
+		hdparm -vi (get info)
+		hdparm -m max_blocks_per_io
+	Tune some TCP/IP settings.
+		NOTE: With everything running, but no clients/load, we're using less than 300MB of RAM.
+		Edit /etc/sysctl.conf:
+			# Use TCP syncookies when needed (see http://www.ibm.com/developerworks/linux/library/l-tune-lamp-1/)
+			net.ipv4.tcp_syncookies = 1
+			# Increase TCP max buffer sizes
+			net.core.rmem_max = 16777216
+			net.core.wmem_max = 16777216
+			# Increase Linux autotuning TCP buffer limits
+			net.ipv4.tcp_rmem = 4096 87380 16777216
+			net.ipv4.tcp_wmem = 4096 65536 16777216
+			# Increase number of ports available
+			net.ipv4.ip_local_port_range = 1024 65000
+		sysctl -p /etc/sysctl.conf
+Tune DokuWiki
+	Remove globe icon.
+	Make the trace work like my web site.
+	Probably wait for new version, which should be out in early June.
+Tune SpamAssassin config.
+	Install more/better SpamAssassin rules.
+		Rules Du Jure.
+	Get pyzor/razor/spamassasin rule updates from debian-volatile repository.
+		These packages aren't actually updated there.
+Add some RBLs to Postfix config.
+Add HTTPS to Apache config.
+	Simple, once we get SSL certificates scripted.
+Consider some Apache tuning.
+	Tuning per http://www.ibm.com/developerworks/linux/library/l-tune-lamp-2.html
+		Set MaxRequestsPerChild 1000 in apache.conf
+			Once a processes has served 1000 HTTP requests, kill it and start a new one.
+			Good to prevent memory leaks.
+			Make change in /etc/apache2/conf.d file if possible.
+		<Directory />
+			AllowOverride None # Don't look for .htaccess files above vhosts' root dirs.
+			Options -Indexes FollowSymLinks # No indexes unless explicit in vhost; FollowSymLinks for performance
+		</Directory>
+		Keep-alive settings (override what's in default apache.conf)
+			KeepAlive On
+			MaxKeepAliveRequests 100
+			KeepAliveTimeout 1	# very short - 1 second; may solve AJAX "state 3" problem, else KeepAlive Off
+	/server-status and /server-info
+		Only from localhost. Probably doesn't matter which vhosts.
+		<Location /server-status>
+			SetHandler server-status
+			Order deny,allow
+			Deny from all
+			Allow from 127.0.0.1
+		</Location>
+		<Location /server-info>
+			SetHandler server-info
+			Order deny,allow
+			Deny from all
+			Allow from 127.0.0.1
+		</Location>
+</code>
 ===== Commands =====
 (Enter any command-line programs you want to have installed here.)
+Jeff: mutt, lsof, strace, tcpdump (just off the top off my head - probably I will think of more later)
 ===== Operating System =====
@@ Line 14: / Line 187: @@
 Need to fix the console not coming back up after it blanks out. May be APM power settings. (Our current kernel doesn't support APM.)
+It would probably be a good idea to mount the /var partition with the noatime flag.
 ===== Kernel =====
@@ Line 81: / Line 256: @@
 We also need to set up restricted users in sudo, who can only run a few commands.

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools