These are the steps I took when rebuilding ar0135e0/1, the Patent Server's
(ooops, I mean IPN's) 1) outgoing mail gateway, 2) outgoing socks server (used
for rftp mostly), 3) outgoing proxy server (used for supercp, since it's not
socksified), 4) incoming ssh server, and 5) incoming proxy server.

The machine was formerly on a RS/6000 model 530, running AIX 4.2.1 and
eNetwork Firewall 3.2.3.0 (formerly known as SNG). A few days after the
Memorial Day power down (5-28-2000), its hdisk0 died. The new ar0135e0/1 is
on a B50, which has a single, 18GB disk, and a second 10/100 ethernet card.

=========================================================================

- Install AIX 4.3.2.
  - A B50 is defined to NIM as platform = chrp.
  - Set root's password after the install.

- Install latest service.
  - mount cws:/spdata/sys1/install/aix433/lppsource /mnt
  - smitty update_all

- Establish working environment.
  - /.profile =
        export ENV=/.kshrc
  - /.kshrc =
        export PATH=$PATH:/local/bin
        set -o vi
        export PS1="<$(whoami)@$(hostname -s):"'$PWD> '
        alias c='echo \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n;clear'
  - /etc/resolv.conf =
        nameserver 192.168.56.65
        search patent.ibm.com patents.ibm.com
  - Add these 2 lines to /etc/ntp.conf
        server 192.168.56.65
        server 192.168.56.76
    Uncomment xntpd in /etc/rc.tcpip (or chrctcp -a xntpd) and startsrc -s xntpd
  - Create /etc/rc.local
        #!/bin/ksh
        # Static routes to the 9.x network and the 192.168.55 subnet.
        # (Redirections must be written out: putting "1>/dev/null 2>&1" in a
        # variable and expanding it passes them to route as arguments.)
        /usr/sbin/route add -net 9 -netmask 255.0.0.0 192.168.56.252 >/dev/null 2>&1
        /usr/sbin/route add -net 192.168.55 -netmask 255.255.255.0 192.168.56.65 >/dev/null 2>&1

- Uninstall docsearch crap.
  - installp -u bos.docsearch.client.com bos.docsearch \
        bos.html.en_US.topnav.navigate bos.msg.en_US.docsearch.client.com
  - Remove the imnadm userid & group from /etc/passwd, /etc/group,
    /etc/security/user, & /etc/security/group, and remove the /home/imnadm
    directory.
- Define second ethernet network interface at 204.146.135.135, subnet mask =
  255.255.255.192.

- Add kurowski & tgriffin userids.
  - Add kurowski = uid 202 & /home/kurowski.
  - Add tgriffin = uid 203 & /home/tgriffin.

=========================================================================

- Install Program Products, etc. First,
        mount cws:/spdata/sys1/install/lppsource /mnt

- ADSM 3.1.20.7.
  - Add this line to /usr/lpp/adsm/bin/dsm.opt,
        SErvername adsmsrv1
  - Replace stanza in /usr/lpp/adsm/bin/dsm.sys. Made it
        SErvername adsmsrv1
        COMMmethod TCPip
        TCPPort 1500
        TCPServeraddress adsmsrv1
        TCPBuffsize 32
        TCPWindowsize 24
        Inclexcl /usr/lpp/adsm/bin/inclexcl.dsm
        ERRORLOGRetention 30
        Passwordaccess generate
        Changingretries 0
        Nodename ar0135e1.patent.ibm.com
  - Create the following /usr/lpp/adsm/bin/inclexcl.dsm
        exclude /unix
        exclude /...

- SSH 1.2.27

- Create /local filesystem.
  - /mnt/scripts/dce/mklocallv.sh
  - zcat /mnt/scripts/dce/local.tar.Z | tar xvf -

- Install lsattack & aixcops.
  - zcat /local/bin/aixcops-lsattack.tar.Z | tar xvf -
  - Add these lines to /etc/aliases
        # Aliases to health check distribution list, used by aixcops.
        healthck: jasper@almaden.ibm.com
        # Aliases to lsattack distribution list
        security: jcday@almaden.ibm.com, healthck
    then rebuild the alias database:
        sendmail -bi
  - Then, to get clean aixcops & lsattack runs,
        touch /etc/security/failedlogin
        touch /usr/adm/sulog
        chsec -f /etc/security/user -s default -a loginretries=5
        chsec -f /etc/security/user -s default -a histsize=4
        chsec -f /etc/security/user -s default -a maxage=26
        chsec -f /etc/security/user -s default -a minalpha=1
        chsec -f /etc/security/user -s default -a minother=1
        chsec -f /etc/security/user -s default -a minlen=6
        chsec -f /etc/security/user -s default -a mindiff=1
        chsec -f /etc/security/user -s default -a maxrepeats=2
        chmod 600 /.rhosts
  - Also, insert these lines in the /etc/motd file.
        * IBM Business Use Statement:                                   *
        * IBM's internal systems must be only used for conducting       *
        * IBM's business or for purposes authorized by IBM management.  *
        * Use is subject to audit at any time by IBM management.        *
        *                                                               *
        * Highest Classification of Data allowed on this system is      *
        * UNCLASSIFIED                                                  *

  - Add these lines to root's crontab,
        # 30 2 * * * /local/bin/adsm.backup
        # Hourly run the lockdown script to ensure we stay secure.
        18 * * * * /local/bin/lockdown.sh -quiet >> /tmp/lockdown.log
        #
        # Nightly resynch if need be, the /local/bin file system.
        41 2 * * * /local/bin/resynch.local.bin.sh > /dev/null 2>&1
        #
        # Run aixcops monthly & lsattack (quietly, thus the wrapper) nightly.
        0 1 28 * * /aixcops/src/aixcops -e -b error -f /aixcops/src/umask.filter -m healthck -d -v 2>&1 >/dev/null
        0 3 * * * /usr/lss/lsattack/lsattack-wrapper
        #
        # Remove old files, that is, not referenced in 30 days from known temp areas.
        0 2 * * * find /tmp -atime +30 -exec rm -f {} \; 2>/dev/null
        0 2 * * * find /var/tmp -atime +30 -exec rm -f {} \; 2>/dev/null

- Fix /etc/inittab.
  - Remove these lines,
        adsmsmext:2:wait:/etc/rc.adsmhsm > /dev/console 2>&1 # ADSM SpaceMan
        qdaemon:2:wait:/usr/bin/startsrc -sqdaemon
        uprintfd:2:respawn:/usr/sbin/uprintfd
        pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 # Start PM daemon
  - And add this line,
        rclocal:2:wait:/etc/rc.local > /dev/console 2>&1

=========================================================================

- Install IBM eNetwork Firewall 3.2.3.1.

- Install prerequisite software: Java, Netscape, and X11.base.lib.
  - Java - Installed from the latest I had, which was Java-1.1.8.
    - First install all from /mnt/PROD/Java-1.1.8
    - Then smitty update_all from /mnt to pick up all the latest fixes. Gets
      Java.rte.bin, for example, up to 1.1.8.6.
    The problem with doing it this way is, the install of the eNetwork
    Firewall code still doesn't "see" Java.rte. I had to scramble to find an
    old 1.1.2 version of Java, uninstall Java 1.1.8, and install Java 1.1.2.
    Later on, after the firewall code gets loaded, I think I can update Java
    if I want.
  - Netscape - Got the latest Netscape from http://w3.ibm.com/netscape, which
    was 4.73. Untar'd it at
    /spdata/sys1/install/aix433/lppsource/PROD/Netscape_4.73
    - mount cws:/spdata/sys1/install/aix433/lppsource /mnt
    - mkdir -p /usr/local/netscape
    - cd /mnt/PROD/Netscape_4.73
    - ./ns-install
    The problem with doing it this way is, it doesn't update the ODM so that
    the installp/lslpp command can "see" that Navigator is indeed installed.
    You need to get the AIX installp image of Netscape. There was one at
    /mnt/PROD/SNG-3.1. The problem with that one is, it also needed
    X11.base.rte, X11.motif.lib, & X11.motif.mwm installed, which sucked in
    13 other X11 things.
  - X11.base.lib also sucked in 5 other X11 things, and a bos.msg.
  - While I'm at it, installing all these X11 things, I might as well "fix"
    the fact that ssh doesn't tunnel X things out, 'cause it can't find the
    xauth program, which is in the X11.apps.config fileset.

- Finally, I can install eNetwork Firewall 3.2.3.1. The 4 components to
  install are FW.base, FW.cfgcli, FW.libraries, & FW.report.
  - First, make backup copies of /etc via
        cp -pRh /etc /etc.orig
  - Then, go for it. Install the firewall code (gulp!).

- Recover from some of the "hardening" the firewall code does.
  - Restore the /etc/rc.local line in /etc/inittab.
  - Reenable remote logins for root (rlogin = true in /etc/security/user).
  - Also change root's SYSTEM statement from NONE to compat so it prompts you
    for a password when you login.
  - Uncomment the sshdfail line in /etc/inetd.conf.
  - Turn off ipforwarding, both in /etc/rc.net and right now via
        no -o ipforwarding=0

- Install latest fixes, to fix the message catalog problem, most easily seen
  by doing a fwlistadptr command. If the message says junk about a pager, then
  it's using the wrong message catalog. I got the latest from fixdist, which
  brought all the FW.* filesets up to the 3.2.3.1 level. Now fwlistadptr
  returns a sane message.
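The chsec password-policy values set earlier (for clean aixcops & lsattack
runs) and the root rlogin/SYSTEM settings just put back after the firewall
install are all attributes in /etc/security/user, so they can be re-checked
from a script whenever the box is touched again. What follows is an added
example, not part of the original notes and not an IBM tool: a POSIX sh audit
of a file in the /etc/security/user stanza layout ("stanza:" header, then
indented "attr = value" lines). The names stanza_get, audit_user_file,
write_sample and demo are my own. The stanza file it runs against is
constructed in write_sample so the script runs anywhere; on the real box you
would run audit_user_file against /etc/security/user. It checks for the exact
values the chsec commands set, and does not try to judge whether a stricter
value would also be acceptable.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an AIX-style stanza file
# in the /etc/security/user layout against the values the notes configure.

# stanza_get FILE STANZA ATTR -> prints the attribute's value, or nothing.
# A stanza header is a line starting in column 1 and ending in ":"; attribute
# lines are indented "attr = value".
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur == want && $1 == attr && $2 == "=" { print $3; exit }
    ' "$1"
}

# audit_user_file FILE -> prints one line per finding, returns the count.
audit_user_file() {
    f=$1; n=0
    # Exact values the chsec commands in the notes set on the default stanza.
    for spec in loginretries:5 histsize:4 maxage:26 minalpha:1 minother:1 \
                minlen:6 mindiff:1 maxrepeats:2; do
        attr=${spec%%:*}; want=${spec#*:}
        have=$(stanza_get "$f" default "$attr")
        if [ "$have" != "$want" ]; then
            echo "default: $attr is '${have:-unset}', expected $want"
            n=$((n+1))
        fi
    done
    # Root settings the firewall install changed and the notes put back.
    if [ "$(stanza_get "$f" root rlogin)" != true ]; then
        echo "root: rlogin is not true"; n=$((n+1))
    fi
    # SYSTEM is normally written with double quotes; strip them to compare.
    sys=$(stanza_get "$f" root SYSTEM | tr -d '"')
    if [ "$sys" != compat ]; then
        echo "root: SYSTEM is '${sys:-unset}', expected compat"; n=$((n+1))
    fi
    return $n
}

# write_sample FILE RLOGIN_LINE SYSTEM_LINE MINLEN_LINE: constructed stanza
# file (sample data, not copied from any real box).
write_sample() {
    cat > "$1" <<EOF
default:
        admin = false
        loginretries = 5
        histsize = 4
        maxage = 26
        minalpha = 1
        minother = 1
        $4
        mindiff = 1
        maxrepeats = 2

root:
        admin = true
        $2
        $3
EOF
}

# demo: audit a "before" file (as the firewall install leaves things, plus a
# weak minlen) and an "after" file; prints the two finding counts.
demo() {
    before=$(mktemp); after=$(mktemp)
    write_sample "$before" 'rlogin = false' 'SYSTEM = "NONE"'   'minlen = 5'
    write_sample "$after"  'rlogin = true'  'SYSTEM = "compat"' 'minlen = 6'
    audit_user_file "$before" >/dev/null && b=0 || b=$?
    audit_user_file "$after"  >/dev/null && a=0 || a=$?
    rm -f "$before" "$after"
    echo "$b $a"
}

# Stand-alone: audit the file named on the command line, else run the demo.
if [ $# -gt 0 ]; then
    audit_user_file "$1" && echo "no findings" || echo "findings: $?"
else
    echo "findings on constructed before/after files: $(demo)"
fi
```

The return code is the number of findings, so the same function drops into
a cron job alongside the lockdown script: a non-zero exit means something on
the box drifted from what the notes set.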
- Identify secure & non-secure networks.
  - fwmksec 192.168.56.135 (FYI, fwrmsec removes it)

- Set up firewall logging.
  - Add these lines to /etc/syslog.conf.
        local4.debug    /var/adm/sng/logs/fwreg_l4.log
        local1.debug    /var/adm/sng/logs/fwmon_l1.log
        mail.debug      /var/adm/mailstuff
  - Created a 2GB file system at /var/adm/sng, and mounted it.
  - mkdir /var/adm/sng/logs
  - touch /var/adm/sng/logs/fwreg_l4.log
  - touch /var/adm/sng/logs/fwmon_l1.log

- Restore previous firewall configuration files. It appears that all the
  Firewall configuration files are in the /etc/security directory and the
  important, user-customized ones are
  - fwrules.cfg    = All defined rules, eg FaxToP56
  - fwservices.cfg = All defined services, eg PingOk
  - fwconns.cfg    = All defined connections, eg Nv24ToFw
  - fwobjects.cfg  = All defined objects, eg CW
  - fwsocks.cfg    = Some kind of socks config file? I dunno.
  - fwfilters.cfg  = The readable version of the firewall rules
  - fwpolicy.cfg   = A 1-byte, new line file. (Is this really needed?)
  I copied all 7 files to /etc/security & attempted to activate the rules
  with a "fwfilter cmd=update" command, but got
        root is not authorized to logon to the firewall in host mode.
  Ha! I've seen that before, just a few days ago. Changed root's fwlogonmode
  line in /etc/security/user from "3" to just 3, without the double-quotes.
  Then I got
        root does not have authorization for the following functional group: Traffic Control.
  Also in /etc/security/user, changed root's fwadmmask line, again taking out
  the double-quotes around -1.

- Fix outgoing proxy on port 8080.
  - Uncomment the starting up of the phttpd daemon in /etc/rc.tcpip.
  - Start /usr/sbin/phttpd now.

- Fix outgoing mail.
  - Comment the starting up of the fwmaild daemon in /etc/rc.tcpip.
  - Uncomment the starting up of the sendmail daemon in /etc/rc.tcpip, so
    that it will start at boot time.
  - Kill /usr/sbin/phttpd.
  - Start sendmail now via,
        startsrc -s sendmail -a "-bd -q30m"

=========================================================================

- Firewall Log File Management
  - Modify /etc/security/logmgmt.cfg
  - Add these lines to root's crontab.
        #
        # Log Management - At midnight each night, perform the log function
        # of the Firewall's log management program. Then at 2 am, run the
        # archive function. See the /etc/security/logmgmt.cfg file for the
        # details of what data we keep and for how long.
        0 0 * * * /usr/bin/fwlogmgmt -l
        0 2 * * * /usr/bin/fwlogmgmt -a

=========================================================================

After all this, an "oslevel -l 4.3.3.0" command shows these downlevel
filesets, causing an oslevel command to show just 4.3.0.0.

Fileset                 Actual Level        Maintenance Level
-----------------------------------------------------------------------------
Java.rte.Dt             1.1.2.0             1.1.8.0
Java.rte.bin            1.1.2.0             1.1.8.0
Java.rte.classes        1.1.2.0             1.1.8.0
Java.rte.lib            1.1.2.0             1.1.8.0
bos.rte.libs            4.3.0.0             4.3.3.0
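Going back to the nightly temp-area cleanup entries in root's crontab above
(find /tmp -atime +30 -exec rm -f {} \;): an added example, not from the
original notes, that tries the same selection out in a throwaway directory of
constructed files, so the atime rule can be checked before the job runs as
root against a real /tmp. The names purge_stale, make_sandbox and demo are my
own. It goes slightly beyond the crontab line by adding -xdev (stay on the
one filesystem, even if something is mounted under the temp area) and -type f
(never hand a directory, socket or device node to rm).

```shell
#!/bin/sh
# Added example (not from the original notes): exercise the cron job's
# "not read in 30 days" selection on constructed files.

# purge_stale DIR [DAYS]: remove regular files under DIR whose last access
# is more than DAYS (default 30) days ago, without crossing filesystems.
purge_stale() {
    find "$1" -xdev -type f -atime +"${2:-30}" -exec rm -f {} \; 2>/dev/null
    return 0
}

# make_sandbox: constructed temp area; prints its path.
#   stale.dat        last read in May 2000 (the power-down date in the notes)
#   recent.dat       read just now
#   keepdir/         a directory, which the job must leave alone
#   keepdir/old.log  a stale file one level down, which the job must find
make_sandbox() {
    sb=$(mktemp -d)
    touch "$sb/recent.dat" "$sb/stale.dat"
    touch -a -t 200005280000 "$sb/stale.dat"       # set atime only
    mkdir "$sb/keepdir"
    touch "$sb/keepdir/old.log"
    touch -a -t 200005280000 "$sb/keepdir/old.log"
    printf '%s\n' "$sb"
}

# demo: run the purge on a fresh sandbox and report what is left
# (1 = still present, 0 = gone), then clean up.
demo() {
    sb=$(make_sandbox)
    purge_stale "$sb"
    [ -e "$sb/stale.dat" ]       && s=1 || s=0
    [ -e "$sb/recent.dat" ]      && r=1 || r=0
    [ -d "$sb/keepdir" ]         && d=1 || d=0
    [ -e "$sb/keepdir/old.log" ] && o=1 || o=0
    rm -rf "$sb"
    echo "stale=$s recent=$r dir=$d nested=$o"
}

echo "after purge: $(demo)"
```

Expected result is stale=0 recent=1 dir=1 nested=0: both files with a 2000
access time go, the fresh file and the directory stay. One thing the sandbox
cannot show is that, on a filesystem mounted noatime, reads never refresh
atime and a file in daily use can still look 30 days stale, so check the
mount options on /tmp and /var/tmp before trusting -atime there.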