For a NIM-based clone installation most things are already in place and well configured (which is the idea behind cloning). In that case, treat the following as a checklist.
Network related services

1. Network configuration

   On a 10 Mbps net:
   smitty - Devices - Communication - Ethernet Adapter - Adapter - Change / Show Characteristics of an Ethernet Adapter

       HARDWARE TRANSMIT queue size        [64]
       HARDWARE RECEIVE queue size         [32]
       RECEIVE buffer pool size            [384]
       Media Speed                         10_Half_Duplex

   On a 100 Mbps net:
   smitty - Devices - Communication - Ethernet Adapter - Adapter - Change / Show Characteristics of an Ethernet Adapter

       TRANSMIT queue size                 [8192]
       HARDWARE RECEIVE queue size         [256]
       RECEIVE buffer pool size            [384]
       Media Speed                         Auto_Negotiation
       Inter-Packet Gap                    [96]
       Enable ALTERNATE ETHERNET address   no
       ALTERNATE ETHERNET address          [0x000000000000]
       Enable Link Polling                 no
       Time interval for Link Polling      [500]
2. IP name and name resolution

   smit - Communications Applications and Services - TCP/IP - Minimum Configuration & Startup

   Select your adapter and insert your internet address, e.g.:

       * HOSTNAME                                  [bioxxxx]
       * Internet ADDRESS (dotted decimal)         [140.181.yyy.zzz]
         Network MASK (dotted decimal)             [255.255.192.0]
       * Network INTERFACE                         en0
         NAMESERVER
             Internet ADDRESS (dotted decimal)     [140.181.96.29]
             DOMAIN Name                           [gsi.de]
         Default GATEWAY Address                   [140.181.96.1]
         (dotted decimal or symbolic name)
         Your CABLE Type                           N/A
         START Now                                 yes

   To allow multiple name servers, the file /etc/resolv.conf should look like:

       domain gsi.de
       nameserver 140.181.96.29
       nameserver 140.181.96.11
       nameserver 140.181.96.69

   corresponding to rzserv1, rzserv2 and clri6e.
3. /etc/rc.tcpip

   Comment out the start of snmpd and dpid2.

4. /.rhosts

   This file exists to allow root access from some bio and GSI machines. The general format is

       <machine>.gsi.de root
       <machine>.gsi.de loadl

   Make sure that the machines for which root access is enabled are in that file (copy it over from an already installed machine).
Time services

1. The file /etc/ntp.conf must contain the entries:

       server 140.181.96.11
       server 140.181.96.29
       #
       # Drift file. This file must be in a directory writable by the daemon.
       # Symbolic links are not allowed, since the daemon first creates a
       # temporary file and then renames it.
       #
       driftfile /var/etc/ntp.drift

   In addition:

       mkdir /var/etc
       startsrc -s xntpd

   Do not forget to activate the ntp line in /etc/rc.tcpip.

2. The file /etc/environment should define the correct time zone:

       TZ=CET-1CED-2,M3.5.0,M10.5.0
Security issues (as of November 2001)

1. chmod o-x /usr/bin/ypcat

2. In the /etc/inetd.conf file:

   Disable all services (especially ttdbserver) except ftp, telnet, shell and login; enable ftp logging and change the default ftp umask:

       ftp     stream  tcp6    nowait  root    /local/bin/tcpd6    ftpd -l -u077
       telnet  stream  tcp6    nowait  root    /local/bin/tcpd6    telnetd -a
       shell   stream  tcp6    nowait  root    /local/bin/tcpd6    rshd
       login   stream  tcp6    nowait  root    /local/bin/tcpd6    rlogind

3. /etc/inittab

   For security reasons several services should be disabled (place a colon (':') at the beginning of the line):

       :writesrv
       :imnss
       :imqss
       :l2
       :l3
       :l4
       :l5
       :l6
       :l7
       :l8
       :l9

   httpdlite is needed for documentation display; otherwise it should be disabled too.

4. In /etc/rc.local

       # set network options to improve performance and security
       echo "Setting network options"
       # protection against SYN flood attacks
       /usr/sbin/no -o clean_partial_conns=1
       # protection against ICMP redirects (neither accept nor send them)
       /usr/sbin/no -o ipignoreredirects=1
       /usr/sbin/no -o ipsendredirects=0
       # protection against illegal access via source routing
       /usr/sbin/no -o ipsrcroutesend=0
       /usr/sbin/no -o ipsrcrouteforward=0
       /usr/sbin/no -o ip6srcrouteforward=0
       /usr/sbin/no -o tcp_pmtu_discover=0
       /usr/sbin/no -o udp_pmtu_discover=0
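Checking a cloned machine against the inetd.conf, inittab and rc.local settings above is easier with a small audit script. The one below is an added example, not part of the original checklist; the allow and disable lists are taken from the text, and the three sample input files are constructed inline (the command paths in them are placeholders) so that it runs offline. On a real host, point the functions at /etc/inetd.conf, /etc/inittab and a saved "no -a" listing instead.

```shell
#!/bin/sh
# Added audit script, not part of the original checklist: compares saved copies
# of /etc/inetd.conf and /etc/inittab and the output of "no -a" with the
# settings above. Sample files are constructed inline so it runs offline.

ALLOWED_INETD="ftp telnet shell login"
DISABLE_INITTAB="writesrv imnss imqss l2 l3 l4 l5 l6 l7 l8 l9"
EXPECTED_NO="clean_partial_conns=1 ipignoreredirects=1 ipsendredirects=0 \
ipsrcroutesend=0 ipsrcrouteforward=0 ip6srcrouteforward=0 \
tcp_pmtu_discover=0 udp_pmtu_discover=0"

# Active (uncommented) inetd services that are not on the allow list.
audit_inetd() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }' |
    while read -r svc; do
        case " $ALLOWED_INETD " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Entries from the disable list whose inittab line is not prefixed with ':'.
audit_inittab() {
    for id in $DISABLE_INITTAB; do
        if grep "^${id}:" "$1" >/dev/null; then echo "$id"; fi
    done
}

# no(1) options ("option = value" lines) that differ from /etc/rc.local;
# prints option=wanted(actual) for each deviation.
audit_no() {
    for kv in $EXPECTED_NO; do
        opt=${kv%%=*}; want=${kv#*=}
        have=$(awk -v o="$opt" '$1 == o { print $3 }' "$1")
        [ "$have" = "$want" ] || echo "$opt=$want($have)"
    done
}

# Constructed samples: one forbidden service, one undisabled entry, one bad option.
D=${TMPDIR:-/tmp}/audit.$$; mkdir -p "$D"
printf '%s\n' 'ftp stream tcp6 nowait root /local/bin/tcpd6 ftpd -l -u077' \
  '#exec stream tcp6 nowait root /local/bin/tcpd6 rexecd' \
  'ttdbserver sunrpc_tcp tcp wait root /placeholder/rpc.ttdbserver rpc.ttdbserver 100083 1' \
  > "$D/inetd.conf"
printf '%s\n' ':writesrv:2:wait:/placeholder/writesrv' 'imnss:2:once:/placeholder/imnss' > "$D/inittab"
printf '%s\n' 'clean_partial_conns = 1' 'ipignoreredirects = 1' 'ipsendredirects = 1' \
  'ipsrcroutesend = 0' 'ipsrcrouteforward = 0' 'ip6srcrouteforward = 0' \
  'tcp_pmtu_discover = 0' 'udp_pmtu_discover = 0' > "$D/no.out"
```

Each function prints one line per deviation, so empty output from all three means the host matches the checklist.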

Enable logging of all successful logins

1. Create/check /etc/security/authlog:

       #!/usr/bin/ksh
       # /etc/security/authlog: syslog all successful logins
       /usr/bin/logger -t tsm -p auth.info "$@ logged in from $(/usr/bin/tty) (${DISPLAY})"

   and allow root only:

       chmod 700 /etc/security/authlog

2. In /etc/security/login.cfg:

       AUTHLOG:
               program = /etc/security/authlog

3. In /etc/security/user change the auth2 attribute in the default stanza:

       auth2 = AUTHLOG

4. For logins via CDE, /etc/dt/config/Xsession.d/dtlog:

       #!/usr/bin/ksh
       # /etc/dt/config/Xsession.d/dtlog: log dtlogins
       /usr/bin/logger -t dtlogin -p auth.info "${LOGNAME} logged in from (${DISPLAY})"

5. In syslog.conf on an ordinary bio-machine

       auth.debug      @biolog

   will send login info to the logging machine, currently biors6a.
   IMPORTANT: do not use this on the logging machine itself, it will generate an infinite loop of syslogs! Instead, do as described in the next item.

6. In syslog.conf on the logging machine, currently biors6a
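The records that authlog and dtlog send to the logging machine have a fixed shape, which makes them easy to review centrally. The script below is an added example, not part of the original document: it parses constructed sample syslog lines in exactly the format the two logger(1) calls above produce (host and user names are made up) and lists root logins that did not come from the console. It also copes with the two edge cases of that format, an empty DISPLAY and a dtlogin record that carries no tty.

```shell
#!/bin/sh
# Added example, not from the original document: summarise the auth.info
# records written by /etc/security/authlog and dtlog. Sample lines are
# constructed here in the format produced by those logger(1) calls.

# Print "user tty display" for every tsm/dtlogin record; "-" marks an empty
# field (dtlog records carry no tty, a console login has no DISPLAY).
parse_logins() {
    awk '
    / (tsm|dtlogin): .* logged in from / {
        user = $6
        rest = $0; sub(/^.* logged in from /, "", rest)   # "<tty> (<display>)"
        disp = rest; sub(/^.*\(/, "", disp); sub(/\)$/, "", disp)
        tty  = rest; sub(/ *\([^(]*\)$/, "", tty)
        if (tty == "") tty = "-"; if (disp == "") disp = "-"
        print user, tty, disp
    }' "$@"
}

# Root logins that did not come from the console tty.
remote_root_logins() {
    parse_logins "$@" | awk '$1 == "root" && $2 != "/dev/console"'
}

# Constructed sample of what the logging machine receives.
SAMPLE=${TMPDIR:-/tmp}/authlog.$$
printf '%s\n' \
  'Nov 12 08:01:17 biors6b tsm: root logged in from /dev/console ()' \
  'Nov 12 08:03:42 biors6b tsm: alice logged in from /dev/pts/0 ()' \
  'Nov 12 08:05:09 biors6c tsm: root logged in from /dev/pts/3 ()' \
  'Nov 12 08:06:30 biors6b dtlogin: bob logged in from (biows1:0)' \
  > "$SAMPLE"
```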
