Summary checklist

Every service on your machine is a potential breakin point. Run this command: nmap localhost and you should see something like this:

% nmap localhost
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh 
631/tcp    open        ipp                     
6000/tcp   open        X11                     

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

you could question if you really need an ssh server running (i.e. do you need to ssh into your laptop). But as long as you're up to date on ssh, you should be fine.

Common example of things you should most likely not have open are: sendmail, smtp, ftp, login, shell, sunrcp, http

Download chkrootkit (or get it from /n/apus/linux/chkrootkit) and run the following programs:

make clean sense            # <-- rebuild the package
./chkrootkit
./chkproc
./ifpromisc
./chklastlog
./chkwtmp
./check_wtmpx

You can run the command (as root)
```
%  rpm -Va > rpm0.log 
and 
```

(linux) Laptops in the Astronomy Department

This page is supposed to help you guide you in making your linux workstation (roaming laptop, workstation in the office or at home) a little more astronomy department friendly. For some things you will need to have root access.

Some of the comments here may be somewhat more specific to a RedHat (5.2/6.0 at the time of this writing), but we will try and avoid being distribution specific. I am also assuming you are somewhat familiar with the tools to configure your machine, but here is outlined what you do. Not why.

Historically Linux machines open on the Internet have often been broken into, mostly because their owners did not properly secure them. Please consult the security tips and links therein how to make your machine less vulnerable to attacks. Be very serious about this, especially if you frequently have your machine "on the net" and escpecially if under a fixed IP. ("don't look for us, we'll find you").

Changing settings in the system files that are listed below normally do not require you to reboot your machine, but often do need you to restart certain daemons. If you don't know them, rebooting is the safest way. (*** need to add which PID's to restart below ***)

Networking:
most distributions have a front-end program (netcfg, linuxconf, system-control-network, ...) to setup your network:
- Dynamic IP: The department is using DCHP for laptop networking. You also need to have your ethernet hardware address registered before the DHCP server will allow you to access our network. For this just plug in your ethernet card and do:
```
        /sbin/ifconfig | grep HWaddr
        and give Ohlmacher, Sebok or me your HWaddr. (a number like  00:08:74:3A:3F:21 )
```
  (this assumes your card is supported by Linux). For Windows there are two commands, depending on which version. Try winipcfg (Win95/98) or ipconfig (Win NT/2k). On XP i also found this to work: Control Panel -> Network Connection -> LAN (or whichever device) -> Support -> Details. For MacOSX use something like ifconfig en0 and find the ether address.
- Wireless IP: We used to have an old 2Mbit 802.11, but campus is now supporting 802.11b. It uses DHCP, but has cumbersome (for visitors) authentication methods. See my LINUX MAM page, which also has some links for users of more esoteric operating systems.
  There are now some private networks around; depending on the ESSID, you may be able to get access
  - vogelwire (a.k.a. radiolink01.astro.umd.edu) - room 0205 (restricted)
  - mundywire (a.k.a. radiolink02.astro.umd.edu) - room 1207 (restricted)
  - radiolink3 (a.k.a. radiolink03.astro.umd.edu) - room 1256 (open access; check center core)
  - ??? (a.k.a. radiolink04.astro.umd.edu) - room 2337 and/or 2316 (comet group)
  - ??? (a.k.a. radiolink05.astro.umd.edu) - room 1235 (guest room) - wireless turned off.
  - mam (this is the campus Wireless, generally not available for short term visitors) (but see their new guest program
- Fixed IP:
  - hostname: N/A (should be using DHCP now, or negotiate with the staff)
  - domainname: astro.umd.edu
  - netmask: 255.255.254.0 (network: 129.2.14.x and 129.2.15.x)
  - nameservers: (/etc/resolv.conf)
```
        domain astro.umd.edu
        nameserver 129.2.14.2
        nameserver 129.2.14.4
        nameserver 128.8.46.60
```
  RedHat uses a small configuration tool, netcfg, also accessible from the control-panel program, to aid you in filling out these IPs. Here are some example aliases to turn networking on/off in cases where you want to do this manually:
```
    alias netup     '/etc/sysconfig/network-scripts/ifup eth0'
    alias netdown   '/etc/sysconfig/network-scripts/ifdown eth0'
    alias modemup   '/etc/sysconfig/network-scripts/ifup ppp0'
    alias modemdown '/etc/sysconfig/network-scripts/ifdown ppp0'
```
Setting names and IPs for machines that change location can be tricky. Be sure to read the helpful Sendmail Boot-Hang guide if you have trouble booting or receiving email. You can also use my personal eth_configure shell script to reconfigure your networking for a specific site, but you need to make sure all your important network-related scripts are stored in special files, not the Redhat files.
As mentioned above, a better alternative can be DHCP, however, this can be tricky, and not all network dependant settings are often taken care of (printcap, nntp, sendmail, etc.). If you do plan to move your laptop a lot between different locations, check out the eth_configure script that I wrote. (see also netenv for something similar).
Printing:
Certainly sometime in 2006 printing via the old-style lpd and /etc/printcap file has become tricky. The typical behavior would be that instead of a postscript plot, your file would come out as text...... You should wind up with the following kinds of entries in your /etc/printcap file (old-style)
```
    # UMD Astronomy Department printers:
    astro2:lp=:rm=astro2:sd=/var/spool/lpd:rp=ps:lf=/var/log/lpd-errs:
    bima:lp=:rm=bima:sd=/var/spool/lpd:rp=ps:lf=/var/log/lpd-errs:
    bima2:lp=:rm=bima2:sd=/var/spool/lpd:rp=ps:lf=/var/log/lpd-errs:
```
See /etc/printers.conf for the table of (Solaris) printers on which machine they reside. For older versions of redhat (6.2 and below) the printer configuration tool (printtool) is pretty self-explanatory, and will create entries in your /etc/printcap file. Just follow "add" | "remote unix" and add your favorite printer:
```
    Name:               astro2
    Spool directory:    /var/spool/lpd/astro2
    File limit:         0
    Remote host:        earth
    Remote queue:       astro2
    Input filter:       <>
```
The newer distributions (rh7+) come with a tool "printconf-gui", that generates the /etc/printcap file from a database in /etc/alchemist/namespace/printconf (yes, don't ask).
```
    click New 
    click Next
    fill in Queue name [astro2], select Unix Printer (LPD) and click Next
    Server: fill in machine assosiated with the printer [earth.astro.umd.edu]
    Queue:  fill in the proper queue name on that server [astro2]
    Select appropriate printer, Postscript printer is usually OK.
    click Finish
    click Apply (this will build the /etc/printcap file, and restart lpd)
```
Now you're ready to print. Another handy thing is, if you have multiple entries in the printcap file, to select the appropriate one to be the default printer.
Especially for laptops that change location, maintaining pleasant default printers will need some kind of work. Apart from the described standard method, with or without a technique like eth_configure, you can also use a package called rlpr, which allows a simple syntax such as
```
    rlpr --printer=astro2@earth junk.ps
```
Since CUPS is now used in the department, best is to use the IPP service instead of the classic LPD. Use your web-browser to point to e.g. http://gaia.astro.umd.edu:631/printers (use lynx in a unix shell if you're not within the astro subnet). Some sample entries of the Server/Path combination you will need:
```
    hyperion.astro.umd.edu      /printers/bima2
    earth.astro.umd.edu         /printers/astro2
    kuma.astro.umd.edu          /printers/taurus

Note, as we speak (feb 2006) the color printer (tek860) is an exception,
use LPD with server luna and port tek860.
```
NFS mounting: (often a big security risk, use sparingly and with caution)
- /etc/passwd:
  use the same user id in your laptop account; check /etc/passwd on the sun, and use the same user id (the 3rd field in /etc/passwd) on the laptop as on the sun. The username does not *have* to be the same
- nfs export on laptop to allow mounting on solaris:
  - (laptop) /etc/exports: should have something like
```
        /       *.astro.umd.edu(rw)
        /cdrom  *.astro.umd.edu(ro)
        /DOS    *.astro.umd.edu(rw)
```
    Note that you can also replace the '*' with your machine name if you only allow one machine to mount your laptop partitions.
    Warning: older versions of the rcp.mountd program were not secure and allowed for break-ins.
  - (solaris) /etc/vfstab: should have something like
```
        taurusp:/         -            /taurusp/root    nfs     -       no      -
        taurusp:/DOS      -            /taurusp/dos     nfs     -       no      -
        taurusp:/cdrom    -            /taurusp/cdrom   nfs     -       no      -
```
    where "taurusp" is the name of the laptop. Also be sure to create the directories /taurusp/root, /taurusp/dos, /taurusp/cdrom (all as root).
- nfs export on solaris, so you can mount them on linux
  - Add lines line the following to you /etc/fstab file on the laptop:
```
    # At UMD:
    # if you're not in /local/etc/hostlist
    #    make sure you're in /etc/hosts.equiv, by editing /etc/hosts.share
    #    and executing       'cd /etc/dfs; sh dfstab'
    #    which will create a new /etc/dfs/sharetab
    #    You can then 'mount -f nfs machine:/disk /disk' on your linux laptop


    apus:/apus  /apus   nfs     defaults,noauto,user 0 0
    apus:/lma2  /lma2   nfs     defaults,noauto,user 0 0
```
  - Make sure the machine 'apus' will know that your laptop is a valid department machine. If not, you need to become root on your solaris desktop and follow the instructions above, or ask Ohlmacher/Sebok to setup your machine as a proper dept. machine. Adding 'user' and 'noauto' are useful, as you can then mount as normal user, and the laptop won't mount it at boot time.
astromake: astronomical software, canned and packaged for you to run on the laptop. Some packages we cannot export publicly, see files in /n/apus/linux (e.g. sm, ssh, xv etc.) or if you get your own astromake CD on /cdrom it will be on there too.
synchronize directories between laptop and desktop:
- rsync (uses differences, probably only useful for text files) (see Ted Ruegsegger's rsync help file)
- rdist
- CODA
- unison
but we have not made an internal decision on which we are going to do use. Probably rdist for the time being, maybe CODE on the longer term.
X-windows
- startx will start X windows,
- /etc/X11/XF86Config-4 is the file that controls resolutions, virtual sizes and bit-depths etc. (formerly called XF86Config for versions 3.x and below)
- Laptop Presentation Tips (how to get the darn external LCD to work)
Security:
An important issue
- (sep 1998) UMLUG has a Security Working Group, to establish secure linux machine on the UM campus network. I've started to assemble some links and references for the upcoming whitepaper we are creating.
- Use ssh/scp, not telnet/rlogin/rcp/ftp (they are all insecure). Also ssh with -C compresses your link, which is great for running pine over a slow phone link.
- Use one of the Java SSH Clients to connect to the campus network if you need to check email this way.
PPP dialup:
Although doesn't really fit on this page, it's an FAQ here. If you like experimenting, you can use my PPP dialup scripts. They use the old (3.4 and earlier) slackware method (ppp-on/ppp-off). I have a tkppp wrapper around these scripts, which one day (just ask me) I will include with these scripts. It's very useful if you switch ISPs a lot.
It contains various old and new UMD dialup, ricochet, erols, clarknet and other ISPs that I've been working with. But you should really look at one of the following:
- UMD Dial-in instructions
- Daniel Friedman's pppdial WWW page.
- Jerome Johnson's instructions to setup UMCPs PPP dialup from within RedHat, for Astronomy use the improved instructions
- PPP-HOWTO
We can't say it enough, make sure you use ssh and scp instead of telnet/rlogin/ftp. Not only are these programs more secure, by using the -C flag you compressed the connection, and for running interactive editors and mail clients like pine this makes a BIG difference in speed and interactive response.
Of course I haven't used PPP in ages, thanks to various broadbands available locally.
SAMBA:
Although it doesn't really fit in this page, you may decide to share your linux environment with other inferior ones, e.g. at home, but maybe even a machine in the astronomy department. The SAMBA server might be the way to go. Assuming your distribution has installed this for you, here are some reminders what to look out for:
- /etc/smb.conf: make sure your workgroup is the same, and fill out the obvious entries in the otherwise somewhat self-documenting configuration file.
- mounting a drive cannot be done via an entry in /etc/fstab, but a user program is needed, for example:
```
        smbmount //CLIENT/c      /client/c 
```
  will mount the "C" drive from a machine called CLIENT to your /client/c mount point. The smbmount may not be available through samba, but another package.
- Make sure on your DOS/WIN client you have
  - use the same Workgroup name as your linux buddy:
    (Control Panel | Network | Identification)
  - made the C drive shareable; use
```
            "My Computer" | "C" | File | Sharing
```
    to turn that on.
  - make sure that in "Start | Settings | Control Panel | Network" you have added the following entries:
    - TCP/IP
    - File & Printer sharing for Microsoft Networks
    - Client for Microsoft Networks
- Unresolved issues:
  - in windows: Cannot have multiple hardware configurations with the same hardware but different network setups???
  - in redhat: how can one have different gateway with different network setups? (a "cheap" solution is to have different ethernet cards at different locations :-)
IP forwarding: useful if you want to front your machine as a gateway to other machines in your house, be it linux or windows.
- make sure your kernel as all the appropriate IP forwarding and masquerading turned on. Otherwise recompile your kernel. There is af nice IP Masquerade mini HOWTO on this.
- get the IP forwarding package, and add something like the following commands to your startup: (kernel 2.2 uses ipchains, and the commands are different)
```
        # this assumes you've got masquerading turned on
        # and are using a local network 192.168.1.x w/ netmask 255.255.255.0
        ipfwadm -F -p deny
        ipfwadm -F -a masquerade -S 192.168.1.0/24 -D 0.0.0.0/0
        # depending on kernel config, you may need to add a few of these:
        insmod ip_masq_ftp
```
  Kernel modules to aid masquerading live in /lib/modules/*/ipv4
VPN: it can be very useful to masquerade yourself at home as if you have an IP at umd.edu, e.g. you can use library subcriptions that way. To install VPN, see this UMLUG link
Miscellaneous:
- Josh' Linux Guide, an excellent guide to Linux.
- AFS (UMLUG should have links to AFS client software for linux)
- Campus Help Desk FAQ
- BIMA Software Support Page and astro.umd.edu software
- Linux laptops and presentations: some tips on getting that darn thing to work
- 802.11b Wireless networking on campus (MAM)
- Colas XFree Modeline Generator
Some useful general linux links:

Peter Teuben (last modified: )