Dimdim System Setup & Management Manual

coldwaterphew, Servers

17 Nov 2013

Dimdim System Setup & Management Manual
v2.8



General Notes

All the DimDim files modified in this document are backed up on \\MET-STORAGE\Backups\DimDim. There is a mounted folder on the desktop connected to this share. The easiest way to build a new server or restore botched settings is to copy the files over from this share; the working directory structure has been preserved there. If the folder becomes unmounted:

    Go to Places -> Network -> Windows Network -> Workgroup -> MET-STORAGE -> Backups

The DimDim appliance has been given a static IP address of 128.197.101.29 and a hostname of met-meet.bu.edu.

The appliance has been configured to start all of its processes automatically, so it should not need to be touched after booting.

If any changes are made within the image to the DimDim services themselves, they will not take effect until the services are restarted. This can be done in two ways:

    Restart the appliance.

    Run the script that restarts the services:

        /usr/local/dimdim/StartDimdim.sh

If the IP address of the DimDim server ever changes, there is a script that updates the configuration files:

    Config-ipaddress.pl <new IP Internal> <port#> <new IP External>

Generally this will look something like:

    sudo /usr/local/dimdim/Config-ipaddress.pl 128.197.101.29 80 128.197.101.29



Remote Access

There are two options for remote access.

    The VMware Infrastructure Client can be used to console into the appliance.

    Secure shell (ssh) can be used to gain terminal access.

Ssh access has been limited to the local subnet (128.197.101.0/24). If you are not on that subnet, you can hop through a system which is (met-vs206.bu.edu, for example).

For Windows systems, install a secure shell client such as PuTTY.

For Linux systems, ssh is installed by default and can be run from a shell.

SSH to met-meet.bu.edu and use the met-research login. (Root login has been disabled for security reasons.) sshd listens on port 2222 rather than the default 22, so the port must be given explicitly:

    ssh -p 2222 -l met-research met-meet.bu.edu

After logging in, you can elevate your privileges by spawning a new shell as root:

    sudo bash

You will be asked for a password. Use the same password you logged in with.

You will now have access to modify any files you need to.


Uploading Files to Appliance

Secure copy (scp) can be used to copy files to/from the appliance.

For Windows systems, install an scp client such as WinSCP (set the port to 2222 in the session settings).

For Linux systems, scp is installed by default and can be run from a shell. Because sshd runs on port 2222, scp needs the port too; note that scp takes a capital -P for the port, unlike ssh:

    scp -P 2222 <local_filename> met-research@met-meet.bu.edu:/home/met-research/<remote_filename>

SCP to met-meet.bu.edu and use the met-research login.

Place files in the met-research home directory (/home/met-research).

Secure shell to the appliance (or use the console) to move the file to where you'd like it.


Snapshots / Backups

Snapshots need only be made after changes to the image (passwords changed, modifications to layouts, etc.) and can be made using the VMware Infrastructure Client.

As snapshots are large, only two need be kept. Keep the most recent two and delete any older snapshots. Note that if you deselect the option to save virtual machine memory the snapshot will be much smaller. There is no need to save the memory.

A clone of the appliance should be made and backed up on a semester basis.

Backups should be stored external to the ESX server.

Snapshots can be restored through the Infrastructure Client using the Snapshot Manager:

    Right-click the DimDim VM and choose Snapshot -> Snapshot Manager.

    Select the snapshot you wish to revert to and click 'Go to'.

The snapshot will be restored in a matter of seconds. This is all you need to do. Bear in mind that reverting discards everything written to the disk since the snapshot was taken (logs, the AIDE database, any password changes), so take a fresh snapshot first if any of that needs to be kept.


Modifying Passwords for Authorized Users

Edit dimdimPresenters.txt in /usr/local/dimdim (the symbolic link set up in the next section, which points at the copy in the dimdim webapp's WEB-INF directory) to contain the passwords to be used. Matching is not case sensitive, but special characters are accepted. Because case is ignored, the effective keyspace is smaller than the password length suggests, so prefer longer passwords.


Creating Symbolic Links for Easier Administration

For files which may require somewhat frequent modification it's easiest to create a link (shortcut) in the /usr/local/dimdim directory. To accomplish this, ssh to met-meet.bu.edu and then:

    cd /usr/local/dimdim

    ln -s /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/classes/resources/dimdim.properties

    ln -s /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/dimdimPresenters.txt

With no link name given, ln creates the link in the current directory under the target's own file name (dimdim.properties and dimdimPresenters.txt). Add in any others that may be useful.


Customization Steps Already Taken

Most of the customization modifications are reflected in the backed-up files located on MET-STORAGE (as noted above).

Recovery can be accomplished by simply copying those files into place on the dimdim appliance.

Changes include:

    Removal of an advertisement page that is displayed whenever you enter a conference.

    Dimdim configuration options.

    Modified the signin page to allow for password protection.

    Added links to documentation on the signin page.

    Edited

    Modified the signin page to display BU-specific logos and links.


Log Rotation and Cleanup

Install the logrotate package:

    yum install logrotate

Edit the configuration file /etc/logrotate.conf.

Configure logrotate to rotate the log weekly and keep 4 log files (one month's worth). Create a new section:

    /usr/local/dimdim/nginx/logs/access.log {
        weekly
        rotate 4
        copytruncate
    }

copytruncate matters here: nginx keeps access.log open, so if logrotate simply renames the file, nginx carries on writing to the renamed copy and the new access.log stays empty. The alternative is a postrotate script that sends nginx SIGUSR1 so it reopens its log files. A stanza must not contain endscript unless it also opens a postrotate (or prerotate) block; logrotate rejects a stray one. Check the edited configuration with a dry run, logrotate -d /etc/logrotate.conf, before relying on it.

Create a file to run logrotate from cron. Edit /etc/cron.weekly/logrotate:

    #!/bin/sh
    /usr/sbin/logrotate /etc/logrotate.conf
    EXITVALUE=$?
    if [ $EXITVALUE != 0 ]; then
        /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
    fi
    exit 0

The file must be executable (chmod +x) or run-parts will skip it.

Clean up old log files from screen sharing on a weekly basis by adding a postrotate block to the access.log section of /etc/logrotate.conf. logrotate only runs commands between postrotate and endscript; a bare rm line in the configuration is not a recognised directive and causes an error:

    postrotate
        rm -f /usr/local/dimdim/DTP3/Reflector/etc/log/*.log
    endscript

Stop DimDim at 1am and start again at 6am

Edit /etc/crontab and add these lines. The system crontab takes five time fields (minute, hour, day of month, month, day of week) followed by the user name; a sixth asterisk would make cron read "*" as the user and "root" as the command, and the job would never run:

    00 1 * * * root /usr/local/dimdim/StopDimdim.sh
    00 6 * * * root /usr/local/dimdim/StartDimdim.sh

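A small check for the crontab entries above, written for this page as an added example rather than taken from the manual. It parses system-crontab text (a constructed sample is embedded; on the appliance pass it "$(cat /etc/crontab)") and flags the six-field mistake described above, along with entries that are missing a user or command. Time fields are expected to be numeric; month and weekday names are not recognised by this check.

```shell
#!/bin/bash
# Added example, not part of the original manual: sanity-check /etc/crontab
# entries before relying on them. The system crontab format is
#   min hour dom month dow user command
# so an entry with six time fields makes cron treat "*" as the user name and
# "root" as the command, and the job never runs.
# CRON_SAMPLE is constructed for this example.

CRON_SAMPLE='SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# stop and start Dimdim overnight
00 1 * * * root /usr/local/dimdim/StopDimdim.sh
00 6 * * * * root /usr/local/dimdim/StartDimdim.sh
@weekly root /usr/sbin/aide --check'

# check_system_crontab TEXT
# prints "OK <command>" or "BAD <reason>: <line>" per job line;
# returns non-zero if any line is bad
check_system_crontab() {
  printf '%s\n' "$1" | awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }       # environment assignments
    /^@/ {                                    # @reboot, @daily, @weekly ...
      if (NF < 3) { print "BAD missing user or command: " $0; bad = 1; next }
      print "OK " $3; next
    }
    {
      for (i = 1; i <= 5 && i <= NF; i++)
        if ($i !~ /^[0-9*\/,-]+$/) { print "BAD field " i " is not a time spec: " $0; bad = 1; next }
      if (NF < 7) { print "BAD missing user or command: " $0; bad = 1; next }
      # the sixth field must be a user name, not another time spec
      if ($6 ~ /^[0-9*\/,-]+$/) { print "BAD six time fields, user would be \"" $6 "\": " $0; bad = 1; next }
      if ($6 !~ /^[A-Za-z_][A-Za-z0-9_-]*$/) { print "BAD user field \"" $6 "\": " $0; bad = 1; next }
      print "OK " $7
    }
    END { exit bad }'
}

# usage on a real host: check_system_crontab "$(cat /etc/crontab)"
```

The sample deliberately contains the six-asterisk variant of the StartDimdim line, so running the function on it reports that line as BAD while the StopDimdim and @weekly entries come back OK.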

Historical Logging Feature

Create the directory /usr/local/dimdim/stats.

Create a file testLog.sh:

    #!/bin/bash
    # Weekly summary mailed from the logrotate cron job: disk usage, successful
    # ssh logins, and DimDim conference starts/joins parsed from the nginx log.
    echo -e "DimDim Historical Log Generated on `date -u`:\n\n"

    df -h / | grep %

    echo -e "\n\nSSH Login Attempts:\n"
    # successful logins only: date/time, user ($9) and source address ($11)
    grep Accepted /var/log/secure | awk '{print $1,$2,$3,$9,$11}' | sort | uniq

    echo -e "\nDimDim Conference Starts:\n"
    # timestamp, client, confKey, the email= parameter (labelled PW= in the output),
    # then status and response size; a 200 with a 69-byte body is treated as a
    # failed start. The sed patterns are anchored to the end of the line so that
    # a "200" inside a decoded conference name is not rewritten.
    grep '"GET /dimdim/StartNewConferenceCheck.action' /usr/local/dimdim/nginx/logs/access.log | awk '{print substr($4,2),"\t",$1,"\t",substr($7,index($7,"confKey="),(index($7,"&confName")-index($7,"confKey="))),"\t","PW=",substr($7,index($7,"&email=")+7,(index($7,"&presenterAV")-index($7,"&email=")-7)),"\t",$9,$10}' | sed 's/%20/ /g' | sed 's/200 69$/FAIL/' | sed 's/200 [0-9]*$/SUCCESS/'

    echo -e "\nDimDim Conference Joins:\n"
    # timestamp, client, confKey, osType and browserType
    grep '"GET /dimdim/JoinConference.action' /usr/local/dimdim/nginx/logs/access.log | awk '{print substr($4,2),"\t",$1,"\t",substr($7,index($7,"confKey="),(index($7,"&osType")-index($7,"confKey="))),"\t",substr($7,index($7,"osType="),(index($7,"&browserType")-index($7,"osType="))),"\t",substr($7,index($7,"browserType="),(index($7,"&browserVersion")-index($7,"browserType=")))}'

Change permissions on testLog.sh:

    chmod ug+x testLog.sh

Add it to the logrotate weekly cron job so that it runs just before logrotate (it has to read access.log before the file is rotated away). Edit /etc/cron.weekly/logrotate and add, just after #!/bin/sh:

    /usr/local/dimdim/stats/testLog.sh | /bin/mail -s "Dimdim Weekly Historical Logging" mmhelp@bu.edu


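The access-log parsing in testLog.sh relies on fixed index()/substr() offsets, which break as soon as a query parameter is missing or reordered. The following is an added example written for this page, not code from the manual or from Dimdim: it generalises the same report by splitting the query string into key=value pairs, so any parameter of StartNewConferenceCheck.action or JoinConference.action can be requested by name. The log lines are constructed samples in nginx's default "combined" format; the rule that a 200 response with a 69-byte body means a failed start is taken from the manual.

```shell
#!/bin/bash
# Added example, not part of the original manual: parse nginx "combined"
# access-log lines for Dimdim conference starts and joins. Query parameters
# are split into a key=value map instead of using fixed substr() offsets, so
# a missing or reordered parameter does not corrupt the output.
# SAMPLE_LOG is constructed for this example.

SAMPLE_LOG='128.197.101.50 - - [17/Nov/2013:09:12:01 -0500] "GET /dimdim/StartNewConferenceCheck.action?confKey=met101&confName=Weekly%20Meeting&email=prof@bu.edu&presenterAV=av HTTP/1.1" 200 1742 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Nov/2013:09:13:44 -0500] "GET /dimdim/StartNewConferenceCheck.action?confKey=met102&confName=Lab&email=guest@example.org&presenterAV=none HTTP/1.1" 200 69 "-" "Mozilla/5.0"
128.197.101.51 - - [17/Nov/2013:09:15:10 -0500] "GET /dimdim/JoinConference.action?confKey=met101&osType=Windows&browserType=Firefox&browserVersion=25 HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
128.197.101.52 - - [17/Nov/2013:09:16:02 -0500] "GET /dimdim/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# report_action ACTION PARAM...   (reads log lines on stdin)
# prints one tab-separated line per matching request:
#   timestamp  client  PARAM=value ...  SUCCESS|FAIL|HTTP <status>
report_action() {
  local action="$1"; shift
  awk -v action="$action" -v want="$*" '
    BEGIN { OFS = "\t"; n = split(want, keys, " ") }
    index($7, "/dimdim/" action ".action?") == 1 {
      ts = substr($4, 2)                      # $4 is "[17/Nov/2013:09:12:01"
      split("", p)                            # clear the parameter map
      q = $7; sub(/^[^?]*\?/, "", q)          # keep only the query string
      m = split(q, pairs, "&")
      for (i = 1; i <= m; i++) {
        eq = index(pairs[i], "=")
        if (eq == 0) continue
        k = substr(pairs[i], 1, eq - 1); v = substr(pairs[i], eq + 1)
        gsub(/%20/, " ", v)                   # the same decoding the manual does with sed
        p[k] = v
      }
      line = ts OFS $1
      for (i = 1; i <= n; i++) line = line OFS keys[i] "=" p[keys[i]]
      # a 200 with a 69-byte body is the manual'"'"'s marker for a failed start
      if ($9 == 200 && $10 == 69) res = "FAIL"
      else if ($9 == 200)         res = "SUCCESS"
      else                        res = "HTTP " $9
      print line, res
    }'
}

conference_starts() { printf '%s\n' "$SAMPLE_LOG" | report_action StartNewConferenceCheck confKey confName email; }
conference_joins()  { printf '%s\n' "$SAMPLE_LOG" | report_action JoinConference confKey osType browserType; }

# on the appliance:
#   report_action StartNewConferenceCheck confKey email < /usr/local/dimdim/nginx/logs/access.log
```

Because the status test compares whole fields rather than rewriting the line with sed, a "200" appearing inside a decoded conference name can no longer be mistaken for the response status.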

Hardening Steps Already Taken

All these steps must be taken as root:

    sudo bash

Make the root password more difficult (password dimdimrootAdm1n).

Create the local user met-research (password MetErtUser09).

Both passwords are recorded here in clear text, so anyone who can read this manual or the backup share can log in with them; rotate them if the document's distribution is ever in doubt.

Add met-research to the sudoers file:

    visudo

Restrict ssh access to the met-research user only:

    vi /etc/ssh/sshd_config

Add the line:

    AllowUsers met-research

Modify the line:

    PermitRootLogin no

Run sshd on a non-standard port. In the same file, modify the line:

    Port 2222

sshd reads its configuration only at start-up, so restart it (service sshd restart) for the AllowUsers, PermitRootLogin and Port changes to take effect. Keep the current session open and confirm from a second terminal that a login on port 2222 succeeds before closing it, so a typo in sshd_config cannot lock you out.

Restrict ssh access to the local subnet only:

    /sbin/iptables -A INPUT --source 128.197.101.0/24 -p tcp --dport 2222 -j ACCEPT    # allow your subnet
    /sbin/iptables -A INPUT -p tcp --dport 2222 -j DROP                               # block all other access

Order matters: -A appends, so the ACCEPT has to be added before the DROP, and any pre-existing rule that already accepts tcp/2222 from anywhere would sit ahead of both and defeat the restriction. Check the resulting chain with iptables -L INPUT -n --line-numbers.

Block the mDNS port, as we found it to be a vulnerability:

    iptables -A INPUT -p udp --dport 5353 -j DROP

Save the iptables rules so that they persist on reboot:

    /etc/init.d/iptables save


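Rule order is the part of the ssh restriction above that is easiest to get wrong and hardest to notice, since sshd keeps working either way. The function below is an added example written for this page (not part of the manual): it reads iptables-save output and reports whether the subnet ACCEPT and the catch-all DROP for the ssh port are present and in the right order, and whether an earlier rule opens the port to everyone. Both dumps are constructed; the subnet and port values are the ones used in the manual.

```shell
#!/bin/bash
# Added example, not part of the original manual: audit an iptables-save dump
# to confirm the ssh rules landed in the order the manual intends. Because
# the manual appends with -A, a pre-existing rule that accepts tcp/2222 from
# anywhere sits ahead of the new DROP and quietly defeats the restriction.
# GOOD_DUMP and BAD_DUMP are constructed for this example.

GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 128.197.101.0/24 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
-A INPUT -p udp -m udp --dport 5353 -j DROP
COMMIT'

BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -s 128.197.101.0/24 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
COMMIT'

# audit_ssh_rules DUMP SUBNET PORT
# prints OK, or one line naming the problem; returns non-zero on any problem
audit_ssh_rules() {
  printf '%s\n' "$1" | awk -v subnet="$2" -v port="$3" '
    BEGIN { allow = open = drop = 0 }
    # only INPUT rules for the tcp ssh port matter; remember their position
    /^-A INPUT / && / -p tcp / && index($0, "--dport " port " ") {
      rule++
      if (/ -j ACCEPT$/ && index($0, "-s " subnet " ")) allow = rule
      else if (/ -j ACCEPT$/)                            open  = rule
      else if (/ -j DROP$/ && !index($0, " -s "))       drop  = rule
    }
    END {
      if (!allow)              { print "MISSING: no ACCEPT for " subnet " on tcp/" port; exit 1 }
      if (!drop)               { print "MISSING: no catch-all DROP on tcp/" port; exit 1 }
      if (open && open < drop) { print "OPEN: rule " open " accepts tcp/" port " from any source ahead of the DROP"; exit 1 }
      if (allow > drop)        { print "SHADOWED: the subnet ACCEPT comes after the DROP and never matches"; exit 1 }
      print "OK"
    }'
}

# on the appliance: audit_ssh_rules "$(iptables-save)" 128.197.101.0/24 2222
```

Running it against the two samples gives OK for the first and an OPEN report for the second, where an earlier unrestricted ACCEPT makes the later DROP irrelevant.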


Integrity checking of file system

Install and configure the AIDE package.

1. Login to met-meet.bu.edu and run:

    sudo yum install aide

2. Edit the configuration file and add in the excluded directories:

    sudo vi /etc/aide.conf

Add these lines:

    !/usr/local/dimdim/nginx
    !/usr/local/dimdim/red5
    !/usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/logs
    !/usr/local/dimdim/CobrowsingManager/logs
    !/usr/local/dimdim/Mediaserver
    !/usr/local/dimdim/CobrowsingManager/archive/cob/content
    !/usr/local/dimdim/DTP3/Reflector
    !/var/log

    !/usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/work/Catalina/localhost

Comment out (prepend # to the line) any other lines in the file which contain /var/log.

Note that excluding all of /usr/local/dimdim/nginx also takes nginx.conf, which carries the admin-page access control described below, out of the integrity check; excluding only the logs subdirectory would keep the configuration under watch.

3. Initialize or update the database:

    /usr/sbin/aide --init

4. Copy the initial database to the current database:

    cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

5. Run a trial check:

    /usr/sbin/aide --check

6. Set up AIDE to run on a weekly basis through cron, sending the reports to met-meet support.

Create a file in /etc/cron.weekly/ called aide.cron, with the following contents, and make it executable:

    #!/bin/bash
    /usr/sbin/aide --check | /bin/mail -s "Weekly Aide Data" mmhelp@bu.edu

After any intentional change to the appliance (customization, updates, the hardening steps above), repeat steps 3 and 4 so the baseline reflects the new state; otherwise every weekly report repeats the same differences and a real change is lost in the noise. Keep a copy of /var/lib/aide/aide.db.gz off the appliance (the MET-STORAGE backup share is the obvious place), since an intruder with root could regenerate the on-box database to hide changes.




Secure admin page so that only local subnet can access it

Edit /usr/local/dimdim/nginx/conf/nginx.conf and add this section inside the server { ... } block under http { (nginx accepts location directives only in server or location context, not directly under http):

    location /dimdim/jsp/admin {
        proxy_pass http://127.0.0.1:40000;
        allow 127.0.0.1/32;
        allow 128.197.101.0/24;
        deny all;
    }

nginx selects the longest matching prefix location, so this block takes precedence over any broader /dimdim location for the admin path. The change takes effect once nginx is reloaded (or the services are restarted with StartDimdim.sh). Verify from a host outside 128.197.101.0/24 that a request for /dimdim/jsp/admin returns 403 while the rest of the site still works.


In Case of Failure

At the moment, if the ESX host fails and we lose the DimDim image, we need to rebuild it.

See the steps at the beginning of this guide to map to the backup location.

The VMware appliance can be reloaded from the backup on MET-STORAGE (under Backup/DimDim/ESX Appliance).

Once it is reloaded, the major changes can be put into place by copying over the files from the Backup File Structure, also on MET-STORAGE.

The rest of the changes (log rotation and hardening) can be accomplished by following the steps earlier in this guide.