Dimdim System Setup & Management Manual
v2.8
General Notes
All the DimDim files which were modified in this document are backed up on \\MET-STORAGE\Backups\DimDim.
There is a mounted folder on the desktop connected to this share. The easiest way to build a new server or restore botched settings is to copy over the files from this share. I have preserved the working directory structure. If the folder becomes unmounted:
Go to Places → Network → Windows Network → Workgroup → MET-STORAGE → Backups
The DimDim appliance has been given a static IP address of 128.197.101.29 and a hostname of met-meet.bu.edu.
The appliance has been configured such that it starts all processes automatically and thus should not have to be touched after it has booted.
If any changes are made within the image regarding the DimDim services themselves, the changes will not apply until after the services are restarted. This can be accomplished in two ways:
◦ Restarting the appliance
◦ Running a script which restarts the services:
/usr/local/dimdim/StartDimdim.sh
If the IP address of the DimDim server ever changes, there is a script which updates the configuration files:
Config-ipaddress.pl <new IP Internal> <port#> <new IP External>
Generally this will look something like:
sudo /usr/local/dimdim/Config-ipaddress.pl 128.197.101.29 80 128.197.101.29
Remote Access
There are two options for remote access.
◦ The VMware Infrastructure Client can be used to console into the appliance.
◦ Secure shell (ssh) can be used to gain terminal access.
▪ Ssh access has been limited to the local network (128.197.101.0). If you are not on the network, you can hop through a system which is (met-vs206.bu.edu, for example).
▪ For Windows systems, install a secure shell client such as PuTTY.
▪ For Linux systems, ssh is installed by default and can be run from a shell.
▪ SSH to met-meet.bu.edu and use the met-research login. (Root login has been disabled for security reasons.)
ssh -p 2222 -l met-research met-meet.bu.edu
▪ After logging in, you can elevate your privileges by spawning a new shell as root:
sudo bash
▪ You will be asked for a password. Use the same password you logged in with.
▪ You will now have access to modify any files you need to.
Uploading Files to Appliance
Secure copy (scp) can be used to copy files to/from the appliance.
For Windows systems, install a scp client such as WinSCP.
For Linux systems, scp is installed by default and can be run from a shell.
scp -P 2222 <local_filename> met-research@met-meet.bu.edu:/home/met-research/<remote_filename>
(The -P 2222 is required because sshd listens on port 2222; see Hardening Steps Already Taken.)
SCP to met-meet.bu.edu and use the met-research login.
Place files in the met-research home directory (/home/met-research).
Secure shell to the appliance (or use the console) to move the file to where you'd like it.
Snapshots / Backups
Snapshots need only be made after changes to the image (passwords changed, modifications to layouts, etc.) and can be made using the VMware Infrastructure Client.
As snapshots are large in size, only two need be kept. Keep the most recent two and delete any older snapshots. Note that if you deselect the option to save virtual machine memory the image will be much smaller. There is no need to save the memory.
A clone of the appliance should be made and backed up on a semester basis.
Backups should be stored external to the ESX server.
Snapshots can be restored through the Infrastructure Client using the snapshot manager.
◦ Right click on the DimDim VM image and choose Snapshot -> Snapshot Manager.
◦ Select the snapshot you wish to revert to and click 'Go to'.
◦ The snapshot will be restored in a matter of seconds. This is all you need to do.
Modifying Passwords for Authorized Users
Edit /usr/local/dimdim/dimdimPresenter.txt to contain the passwords to be used (not case sensitive, but special characters are accepted).
Creating Symbolic Links for Easier Administration
For files which may require somewhat frequent modification it's easiest to create a link (shortcut) in the /usr/local/dimdim directory. To accomplish this, ssh to met-meet.bu.edu and then:
cd /usr/local/dimdim
ln -s /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/classes/resources/dimdim.properties
ln -s /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/dimdimPresenters.txt
Add in any others that may be useful.
Customization Steps Already Taken
Most of the customization modifications are reflected in the backed up files located on met-storage (as noted above). Recovery can be accomplished by simply copying those files into place on the DimDim appliance.
Changes include:
◦ Removal of an advertisement page that is displayed whenever you enter a conference.
◦ Dimdim configuration options
◦ Modify signin page to allow for password protection.
◦ Added links to documentation on signin page.
◦ Edited
◦ Modified signin page to display BU specific logos and links
Log Rotation and Cleanup
Install the logrotate package:
◦ yum install logrotate
Edit the configuration file /etc/logrotate.conf
◦ Configure logrotate to rotate the log weekly, and keep 4 log files (one month's worth).
◦ Create a new section:
/usr/local/dimdim/nginx/logs/access.log {
    rotate 4
    weekly
    # nginx keeps access.log open, so copy and truncate it in place;
    # a plain rename leaves nginx writing into the rotated file
    copytruncate
}
Create a file to run logrotate from cron
■ Edit /etc/cron.weekly/logrotate
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
Cleanup old log files from screensharing on a weekly basis:
◦ Add this line to the /etc/cron.weekly/logrotate script:
rm /usr/local/dimdim/DTP3/Reflector/etc/log/*.log
Stop DimDim at 1am and start again at 6am
Edit /etc/crontab and add these lines (five time fields, then the user, then the command):
00 1 * * * root /usr/local/dimdim/StopDimdim.sh
00 6 * * * root /usr/local/dimdim/StartDimdim.sh
Historical Logging Feature
Create directory /usr/local/dimdim/stats
Create a file testLog.sh
#!/bin/bash
echo -e "DimDim Historical Log Generated on `date -u`:\n\n"
# disk usage of the root filesystem
df -h / | grep %
echo -e "\n\nSSH Login Attempts:\n"
# successful ssh logins from /var/log/secure: month, day, time, user, source address
cat /var/log/secure | grep Accepted | awk '{print $1,$2,$3,$9,$11}' | sort | uniq
echo -e "\nDimDim Conference Starts:\n"
# timestamp, client IP, confKey, the email= field (labelled PW=), then status and size mapped to SUCCESS/FAIL
grep '"GET /dimdim/StartNewConferenceCheck.action' /usr/local/dimdim/nginx/logs/access.log | awk '{print substr($4,2),"\t",$1,"\t",substr($7,index($7,"confKey="),(index($7,"&confName")-index($7,"confKey="))),"\t","PW=",substr($7,index($7,"&email=")+7,(index($7,"&presenterAV")-index($7,"&email=")-7)),"\t",$9,$10}' | sed 's/%20/ /g' | sed 's/200 69/FAIL/g' | sed 's/200 .*/SUCCESS/g'
echo -e "\nDimDim Conference Joins:\n"
# timestamp, client IP, confKey, osType, browserType
grep '"GET /dimdim/JoinConference.action' /usr/local/dimdim/nginx/logs/access.log | awk '{print substr($4,2),"\t",$1,"\t",substr($7,index($7,"confKey="),(index($7,"&osType")-index($7,"confKey="))),"\t",substr($7,index($7,"osType="),(index($7,"&browserType")-index($7,"osType="))),"\t",substr($7,index($7,"browserType="),(index($7,"&browserVersion")-index($7,"browserType=")))}'
Change permissions on testLog.sh
chmod ug+x testLog.sh
Add it to the logrotate weekly cron job so that it runs just before logrotate.
Edit /etc/cron.weekly/logrotate and add in (just after #!/bin/sh):
/usr/local/dimdim/stats/testLog.sh | /bin/mail -s "Dimdim Weekly Historical Logging" mmhelp@bu.edu
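The awk one-liners in testLog.sh assume a fixed parameter order (e.g. that "&confName" always follows "confKey="); when a parameter is absent, index() returns 0 and substr() produces garbage. The following added example (not part of the original guide) pulls a named parameter out of the nginx access log regardless of order, for the same action paths the guide greps for. The sample log lines are constructed, not real appliance traffic.

```shell
#!/bin/sh
# Print "<timestamp> <client ip> <value>" for every GET to <action path> in an
# nginx combined-format access log, taking <param> from the query string
# wherever it appears. Reads the file given as $3, or stdin when omitted.
# Only %20 is decoded, matching what the guide's sed does.
log_param() {  # usage: log_param <action path> <param> [logfile]
    awk -v path="$1" -v name="$2" '
        $6 == "\"GET" && index($7, path) == 1 {
            ts = substr($4, 2)                        # strip the leading "["
            url = $7; sub(/^[^?]*\?/, "", url)        # keep only the query string
            n = split(url, kv, "&"); val = "-"        # "-" when the param is absent
            for (i = 1; i <= n; i++)
                if (index(kv[i], name "=") == 1) { val = substr(kv[i], length(name) + 2); break }
            gsub(/%20/, " ", val)
            print ts, $1, val
        }' "${3:--}"
}

# Constructed sample lines in nginx combined format (not real appliance traffic).
sample_access_log() {
    cat <<'EOF'
128.197.101.50 - - [12/Oct/2009:10:01:02 -0400] "GET /dimdim/JoinConference.action?confKey=bu%20demo&osType=Windows&browserType=Firefox&browserVersion=3.5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
128.197.101.51 - - [12/Oct/2009:10:02:03 -0400] "GET /dimdim/JoinConference.action?osType=Linux&confKey=team1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
128.197.101.52 - - [12/Oct/2009:10:03:04 -0400] "GET /dimdim/StartNewConferenceCheck.action?confKey=x&confName=Weekly%20Sync HTTP/1.1" 200 69 "-" "Mozilla/5.0"
EOF
}

# Second line has the parameters in the opposite order; browserType is missing there.
sample_access_log | log_param /dimdim/JoinConference.action confKey
sample_access_log | log_param /dimdim/JoinConference.action browserType
```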
Hardening Steps Already Taken
All these steps must be taken as root:
sudo bash
Make root password more difficult (password dimdimrootAdm1n)
Create local user met-research (password MetErtUser09)
Add met-research to the sudoers file:
visudo
Restrict ssh access to the met-research user only:
vi /etc/ssh/sshd_config
Add line:
AllowUsers met-research
Modify line:
PermitRootLogin no
Run sshd on a non-standard port:
vi /etc/ssh/sshd_config
Modify line:
Port 2222
Restrict ssh access to the local subnet only:
/sbin/iptables -A INPUT --source 128.197.101.0/24 -p tcp --dport 2222 -j ACCEPT   # allow your subnet
/sbin/iptables -A INPUT -p tcp --dport 2222 -j DROP   # block all other access
Block mDNS port as we found it to be a vulnerability:
iptables -A INPUT -p udp --dport 5353 -j DROP
Save iptables rules so that they persist on reboot:
/etc/init.d/iptables save
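An added example, not part of the original guide: a POSIX shell audit of the sshd_config settings applied above (Port 2222, PermitRootLogin no, AllowUsers met-research). It follows sshd's own rules that the first uncommented occurrence of a keyword wins and that anything after a Match line is conditional, so a stray "PermitRootLogin yes" higher up in the file is caught rather than silently overriding the added line.

```shell
#!/bin/sh
# Print the effective value of one sshd_config keyword.
# sshd uses the FIRST uncommented occurrence of a keyword, and anything after
# a "Match" line is conditional, so the scan stops there. Keyword matching is
# case-insensitive as in sshd; the rare "Keyword=value" form is not handled.
sshd_setting() {  # usage: sshd_setting <config file> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }          # comments and blank lines
        tolower($1) == "match"      { exit }          # conditional block begins
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Check the three settings this guide applies; return 0 only if all are effective.
audit_sshd() {  # usage: audit_sshd <config file>
    _rc=0
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: effective PermitRootLogin is not 'no'"; _rc=1; }
    [ "$(sshd_setting "$1" Port)" = "2222" ] \
        || { echo "FAIL: effective Port is not 2222"; _rc=1; }
    case " $(sshd_setting "$1" AllowUsers) " in
        *" met-research "*) ;;
        *) echo "FAIL: met-research is not in AllowUsers"; _rc=1 ;;
    esac
    [ "$_rc" -eq 0 ] && echo "OK: sshd hardening settings are effective"
    return "$_rc"
}

# On the appliance: audit_sshd /etc/ssh/sshd_config
```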
Integrity checking of file system
Install and configure the Aide package
1. Login to met-meet.bu.edu and run
sudo yum install aide
2. Edit the configuration file and add in the excluded directories:
sudo vi /etc/aide.conf
Add these lines:
!/usr/local/dimdim/nginx
!/usr/local/dimdim/red5
!/usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/logs
!/usr/local/dimdim/CobrowsingManager/logs
!/usr/local/dimdim/Mediaserver
!/usr/local/dimdim/CobrowsingManager/archive/cob/content
!/usr/local/dimdim/DTP3/Reflector
!/var/log
!/usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/work/Catalina/localhost
Comment out (prepend # to the line) any other lines in the file which contain /var/log
3. Initialize or update the database
/usr/sbin/aide --init
4. Copy the initial database to the current database
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
5. Run a trial check
/usr/sbin/aide --check
6. Set up Aide to run on a weekly basis through cron. Send reports to met meet support.
Create a file in /etc/cron.weekly/ called aide.cron, with the following contents:
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "Weekly Aide Data" mmhelp@bu.edu
Secure admin page so that only local subnet can access it
◦ Edit /usr/local/dimdim/nginx/conf/nginx.conf and add this section anywhere under http{
# a location block is only valid inside a server { } block, so place it in the
# server { } that fronts Dimdim; allow/deny are evaluated in order, deny all last
location /dimdim/jsp/admin {
    proxy_pass http://127.0.0.1:40000;
    allow 127.0.0.1/32;
    allow 128.197.101.0/24;
    deny all;
}
In Case of Failure
At the moment, if the ESX fails and we lose the DimDim image, we need to rebuild it.
See the steps at the beginning of this guide to map to the backup location.
The VMware appliance can be reloaded from the backup on MET-STORAGE (under Backup/DimDim/ESX Appliance).
Once it is reloaded, the major changes can be put into place by copying over the files from the Backup File Structure, also on MET-STORAGE.
The rest of the changes (log rotation and hardening) can be accomplished by following the steps earlier in this guide.