Dimdim System Setup & Management Manual

Dimdim System Setup & Management Manual
v2.8



General Notes




All the DimDim files which were modified in this document are backed up on
\
\
MET
-
STORAGE
\
Backups
\
DimDim.
There is a mounted folder on the desktop connected to this share. The
easiest way to bu
ild a new server or restore botched settings is to copy over the files from this share. I have
preserved the working directory structure. If the folder become unmounted:

Go to Places
→

Network
→

Windows Network
→

Workgroup
→

MET
-
STORAGE
→

Backups



The DimDim appliance has been given a static IP address of 128.197.101.29 and a hostname of met
-
meet.bu.edu.



The appliance has been configured such that it starts all processes automatically a
nd thus should not have to
be touched after booted.



If any changes are made within the image regarding the DimDim services themselves, the changes will not
apply until after services are restarted. This can be accomplished in two ways:

◦

Restarting the appl
iance

◦

Running a script which restarts the services



/usr/local/dimdim/StartDimdim.sh



If the
IP address of the DimDim server ever changes
, there is a script to update configuration files in:





Config
-
ipaddress.pl <new IP Internal> <port#> <new IP Externa
l>






Generally this will look something like:




sudo /usr/local/dimdim/Config
-
ipaddress.pl 128.197.101.29 80 128.197.101.29



Remote Access




There are two options for remote access.

◦

The VMWare infrastructure client can be used to console into the ap
pliance.

◦

Secure shell (ssh) can be used to gain terminal access.

▪

Ssh access has been limited to the local network (128.197.101.0). If you are not on the network, you
can hop through a system (met
-
vs206.bu.edu for example) which is.

▪

For Windows systems, in
stall a secure shell client such as Putty.

▪

For Linux systems, ssh is installed by default and can be run from a shell.

▪

SSH to met
-
meet.bu.edu and use the met
-
research login. (Root login has been disabled for security
reasons.)



ssh
-
p 2222
-
l met
-
researc
h met
-
meet.bu.edu


▪

After logging in, you can elevate your privileges by spawning a new shell as root:



sudo bash

▪

You will be asked for a password. Use the same password you logged in with.

▪

You will now have access to modify any files you need to.


Upload
ing Files to Appliance




Secure copy (scp) can be used to copy files to/from the appliance.



For Windows systems, install a scp client such as WinSCP.



For Linux systems, scp is installed by default and can be run from a shell.


scp <local_filename>
met
-
research@met
-
meet.bu.edu
:/home/met
-
research/<remote_filename>



SCP to met
-
meet.bu.edu and use the met
-
research login.



Place files in the met
-
research home directory (/home/met
-
research).



Secure shell to applian
ce (or use console) to move file to where you'd like it.


Snapshots / Backups




Snapshots need only be made after changes to the image (passwords changed, modifications to layouts, etc.)
and can be made using the Vmware Infrastructure Client.



As snapshots

are large in size, only two need be kept. Keep the most recent two and delete any older
snapshots. Note that if you deselect the option to save virtual machine memory the image will be much
smaller. There is no need to save the memory.



A clone of the a
ppliance should be made and backed up on a semester basis.



Backups should be stored external to the ESX server.



Snapshots can be restored through the Infrastructure client using the snapshot manager.

◦

Right click on the DimDim VM image and chose Snapshot
-
>Snapshot Manager.

◦

Select the snapshot you wish to revert to and click 'Go to'.

◦

The snapshot will be restored in a matter of seconds. This is all you need to do.


Modifying Passwords for Authorized Users




Edit
/usr/local/dimdim/dimdimPresenter.txt

to cont
ain passwords to be used (not case sensitive, but will
accept special characters).


Creating Symbolic Links for Easier Administration




For files which may require somewhat frequent modification it's easiest to create a link (shortcut) in the
/usr/local/dim
dim directory. To accomplish this, ssh to met
-
meet.bu.edu and then:



cd /usr/local/dimdim



ln
-
s /usr/local/dimdim/ConferenceServer/apache
-
tomcat
-
5.5.17/webapps/dimdim/WEB
-
INF/classes/resources/dimdim.properties



ln
-
s /usr/local/dimdim/ConferenceServer/apac
he
-
tomcat
-
5.5.17/webapps/dimdim/WEB
-
INF/dimdimPresenters.txt



Add in any others that may be useful


Customization Steps Already Taken




Most of the customization modifications are reflected in the backed
up
files located on met
-
storage (as noted
above).



Reco
very can be accomplished by simply copying those files into place on the dimdim appliance.



Changes include:

◦

Removal of an advertisement page that is displayed whenever you enter a conference.

◦

Dimdim configuration options

◦

Modify signin page to allow for pas
sword protection.

◦

Added links to documentation on signin page.

◦

Edited

◦

Modified signing page to display BU specific logos and links


Log Rotation and Cleanup



Install logrotate package

◦

yum install logrotate



Edit configuration file /etc/logrotate.conf

◦

Config
ure logrotate to rotate the log weekly, and keep 4 log files (one months worth).

◦

Create new section:




/usr/local/dimdim/nginx/logs/access.log{




rotate 4




weekly




endscript



}




Create file to run logrotate in cron

■

Edit /etc/cron.weekly/logrotate




#!/bin/sh



/usr/sbin/logrotate /etc/logrotate.conf



EXITVALUE=$?



if [ $EXITVALUE != 0 ]; then





/usr/bin/logger
-
t logrotate "ALERT exited abnormally with [$EXITVALUE]"



fi



exit 0




Cleanup old log files from screensharing on a weekly basis:


◦

Ad
d in this line to logrotate:


rm /usr/local/dimdim/DTP3/Reflector/etc/log/*.log



Stop DimDim at 1am and start again at 6am




Edit /etc/crontab and add these lines



00 1 * * * * root /usr/local/dimdim/StopDimdim.sh


00 6 * * * * root /usr/local/dimdim/Star
tDimdim.sh


Historical Logging Feature




Create directory /usr/local/dimdim/stats



Create a file testLog.sh


#!/bin/bash



echo
-
e "DimDim Historical Log Generated on `date
-
u`:
\
n
\
n"



df
-
h / | grep %



echo
-
e "
\
n
\
nSSH Login Attempts:
\
n"



cat /var/log/se
cure | grep Accepted | awk '{print $1,$2,$3,$9,$11}' | sort | uniq



echo
-
e "
\
nDimDim Conference Starts:
\
n"



grep '"GET /dimdim/StartNewConferenceCheck.action' /usr/local/dimdim/nginx/logs/access.log | awk '{print
substr($4,2),"
\
t",$1,"
\
t",substr($7,ind
ex($7,"confKey="),(index($7,"&confName")
-

index($7,"confKey="))),"
\
t","PW=",substr($7,index($7,"&email=")+7,(index($7,"&presenterAV")
-

index($7,"&email=")
-
7)),"
\
t",$9,$10}' | sed 's/%20/ /g' | sed 's/200 69/FAIL/g' | sed 's/200 .*/SUCCESS/g'



echo
-
e "
\
nDimDim Conference Joins:
\
n"



grep '"GET /dimdim/JoinConference.action' /usr/local/dimdim/nginx/logs/access.log |awk '{print
substr($4,2),"
\
t",$1, "
\
t",substr($7,index($7,"confKey="),(index($7,"&osType")
-

index($7,"confKey="))),"
\
t",substr($7,index($7,"o
sType="),(index($7,"&browserType")
-

index($7,"osType="))),"
\
t",substr($7,index($7,"browserType="),(index($7,"&browserVersion")
-

index($7,"browserType=")))}'




Change permissions on testLog.sh


chmod ug+x testLog.sh




Add to Logrotate weekly cron job so tha
t it runs just before it.


Edit /etc/cron.weekly/logrotate and add in (just after #!/bin/sh)


/usr/local/dimdim/stats/testLog.sh | /bin/mail
-
s "Dimdim Weekly Historical Logging"
mmhelp@bu.edu



Hardening Steps Already
Taken




All these steps must be taken as root


sudo bash




Make root password more difficult (password dimdimrootAdm1n)




Create local user met
-
research (password MetErtUser09)




Add met
-
research to sudoers file


visudo




Restrict ssh access to met
-
research use
r only


vi /etc/ssh/sshd_config




Add line



AllowUsers

met
-
research




Modify line



PermitRootLogin no




Run sshd on a non
-
standard port


vi /etc/ssh/sshd_config



Modify line



Port 2222




Restrict ssh access to local subnet only


/sbin/iptables
-
A INP
UT
--
source 128.197.101.0/24
-
p tcp
--
dport 2222
-
j ACCEPT //allow your subnet


/sbin/iptables
-
A INPUT
-
p tcp
--
dport 2222
-
j DROP //Block all other access




Block mDNS port as we found it to be a vulnerability


iptables
-
A INPUT
-
p udp
--
dport 5353
-
j DRO
P




Save iptables rules so that they persist on reboot


/etc/init.d/iptables save




Integrity checking of file system



Install and configure Aide package




1. Login to met
-
meet.bu.edu and run




sudo yum install aide




2. Edit configuration file and add

in excluded directories:




sudo vi /etc/aide.conf




Add these lines:




!/usr/local/dimdim/nginx



!/usr/local/dimdim/red5



!/usr/local/dimdim/ConferenceServer/apache
-
tomcat
-
5.5.17/logs



!/usr/local/dimdim/CobrowsingManager/logs



!/usr/local/dimdim/M
ediaserver



!/usr/local/dimdim/CobrowsingManager/archive/cob/content



!/usr/local/dimdim/DTP3/Reflector



!/var/log



!/usr/local/dimdim/ConferenceServer/apache
-
tomcat
-
5.5.17/work/Catalina/localhost





Comment out (prepent # to the line) any other lines

in the file which contain /var/log




3. Initialize or Update Database




/usr/sbin/aide
--
init




4. Copy initial database to current database




cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz




5. Run a trial check




/usr/sbin/aide
--
chec
k




6. Set up Aide to run on a weekly basis through cron. Send reports to met meet support.






Create a file in /etc/cron.weekly/ called aide.cron, with the following contents:




#!/bin/bash



/usr/sbin/aide
--
check | /bin/mail
-
s "Weekly Aide Data"
mmhelp@bu.edu




Secure admin page so that only local subnet can access it

◦

Edit /usr/local/dimdim/nginx/conf/nginx.conf and add this section anywhere under http{



location /dimdim/jsp/admin {




proxy_pass http://127.0.0.1:40000;





allow 127.0.0.1/3
2;





allow 128.197.101.0/24;





deny all;




}


In Case of Failure




At the moment if the ESX fails and we lose the DimDim image, we need to rebuild it.



See steps at beginning of guide to map to the backup location.



The VMWare appliance can be reloaded from the backup on MET
-
STORAGE (Under Backup/DimDim/ESX
Appliance).



Once it is reloaded the major changes can be put into place by copying over the files from the Backup File
Structure also on MET
-
STORAGE.



The rest of

the changes (log rotation and hardening) can be accomplished by following the steps earlier in this
guide.