10/22/2012

! LaTeX Error: File `algorithm2e.sty' not found.

During yet another LaTeX project on my MacBook, I added some algorithms to my paper. After checking a couple of examples online and discussing with a colleague, I decided to go with algorithm2e over others such as algorithm, algorithmic, algorithmicx, program and pseudocode [1].

However, I got the following error: "! LaTeX Error: File `algorithm2e.sty' not found." Since I am using MacPorts, to resolve this I needed to install the texlive-science package by executing sudo port install texlive-science, and all was good again.

References:

  1. http://en.wikibooks.org/wiki/LaTeX/Algorithms_and_Pseudocode

8/17/2012

Using QUT Secure Access Service (SAS) on Ubuntu

QUT SAS gives QUT students and staff secure remote access to QUT resources. Unix and Unix-like operating systems such as Linux are not supported. The instructions on the QUT ITServices site are pretty clear [1], but I have duplicated some of them here for my reference. I tested the configuration on Ubuntu.

Install VPNC
    1. sudo apt-get install vpnc
Download or create the configuration file
The configuration file can be specified on the command line when executing vpnc; otherwise /etc/vpnc/default.conf and /etc/vpnc.conf will be used. If you are only using a single VPNC connection, save the configuration file as /etc/vpnc.conf.
Sample configuration file /etc/vpnc.conf. A sample configuration file is provided below. If you do not have a configuration file and simply execute vpnc, you can still establish a connection by supplying the correct input at the prompts.
    1. https://secure.qut.edu.au/itservices/qut/qutservices/qutnetwork/qutsas/off-campus.conf
    2. Edit the configuration file to suit your credentials
Connecting and disconnecting
Connecting is done by executing the vpnc command. You can explicitly specify the configuration file to use on the command line. If no configuration file is specified and the default configuration files (/etc/vpnc.conf and /etc/vpnc/default.conf) are unavailable, the application will prompt for input.
  1. /usr/sbin/vpnc /home/users/kush/qut-sas.conf #(connect)
  2. /usr/sbin/vpnc-disconnect #(disconnect)
Sample configuration file
IPSec gateway sas.qut.edu.au
IPSec ID qut
IPSec secret qutaccess
# student number
Xauth username nXXXXXXX
# password
Xauth password XXXXXXXX

Reference:
  1. https://secure.qut.edu.au/itservices/qut/qutservices/qutnetwork/qutsas/

8/10/2012

Connecting to OpenVPN from a Mac using Tunnelblick

To connect to an OpenVPN server you need an appropriate OpenVPN client installed to establish the SSL link. For Apple Mac OS X systems, Tunnelblick (http://code.google.com/p/tunnelblick/) is a good graphical user interface. At the time of writing, the latest stable version of Tunnelblick was 3.2.7. These instructions were executed on an Apple iMac running Mac OS X 10.7.4. As with all other posts on this blog, the purpose of this post is not to provide a tutorial, but to document the steps taken, for my own benefit.

Download and install Tunnelblick

  1. Download the latest stable version of Tunnelblick (3.2.7).
  2. Click on the downloaded dmg package file to mount it.
  3. Once the Tunnelblick window is open, double-click the Tunnelblick.app icon
  4. A warning may be displayed to indicate that the package may be unsafe as it was downloaded; continue by clicking the "Open" button
  5. Enter the system administrator credentials to start the install
  6. Once installation is completed, the installation succeeded window will be displayed; click the "Quit" button
  7. Close the Tunnelblick window, and eject the dmg package
  8. Start the Tunnelblick GUI by going to Applications and clicking Tunnelblick.app
  9. You should see a Tunnelblick icon up the top
The first time you start the Tunnelblick application
  1. A warning may be displayed to indicate that the package may be unsafe as it was downloaded; continue by clicking the "Open" button
  2. When prompted, click on the "I have configuration files" button
Setting up the OpenVPN connection
  1. Then click on "OpenVPN Configuration(s)" button
  2. Select the "Create Tunnelblick VPN Configuration" button to generate a configuration based on your OpenVPN configuration files
  3. Take note of the instructions in the dialog box and click the "Done" button
  4. You may be prompted for automatic updates
    1. To prevent your system details (although they are anonymous) from being transmitted, uncheck the "Include anonymous system profile" option
    2. Then click on "Check Automatically" button to enable automatic checking of updates
  5. You should have a directory called "Empty Tunnelblick VPN Configuration" on your desktop
  6. Get the CA certificate (ca.crt), your private key (I used MACHINE.key as an example) and certificate (e.g. MACHINE.crt) and your client configuration file (this may be something like client.ovpn or client.conf). These should be provided by your network administrator.
    1. ca.crt
    2. MACHINE.crt
    3. MACHINE.key
    4. client-config.ovpn
  7. Copy or move the files above into the directory on your desktop
  8. Rename the directory into something meaningful with a .tblk extension, e.g. Office-VPN.tblk
  9. When prompted to add the .tblk extension click on the "Add" button; you should see the directory icon change to a Tunnelblick icon
  10. Double-click the renamed directory to install the configuration
  11. When prompted to continue the installation click the "Only Me" button
  12. Enter the system administrator credentials to complete the install
  13. Once installed, click the "OK" button
Changing DNS settings
  1. Right click on the Tunnelblick icon up the top
  2. Select VPN Details, then select the VPN connection you wish to edit, e.g. "Office-VPN"
  3. Select the "Settings" option in the middle of the window
  4. Change the "Set DNS/WINS" option to suit. For example, to stop DNS changes being pushed through from the VPN tunnel and keep using your existing nameserver configuration, select "Do not set nameserver"
Connecting to the VPN

  1. Once Tunnelblick has been installed and the configuration completed
  2. Right click the Tunnelblick icon up the top
  3. You should see the VPN connection, e.g. "Connect Office-VPN", select it to connect

Disconnecting from the VPN

  1. Once the VPN connection has been established and you wish to disconnect
  2. Right click the Tunnelblick icon up the top
  3. You should see the VPN connection, e.g. "Disconnect Office-VPN", select it to disconnect
Here is a sample client configuration file for reference; substitute SERVER, PORT and MACHINE as appropriate:
client
dev tun
proto udp
remote SERVER PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert MACHINE.crt
key MACHINE.key
comp-lzo
verb 3
; the following lines are needed for Windows Vista, 7 and 8 machines, not needed for Windows XP
route-method exe
route-delay 2
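
A quick audit of a client configuration like the sample above, as an added example (not part of the original post and not Tunnelblick or OpenVPN code). It reports when the file has no directive that checks the server certificate's role or name, and when the private key named by the key directive is readable by group or others. The function names audit_ovpn and demo_ovpn and the files they create are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit an OpenVPN client configuration file.
# audit_ovpn is a hypothetical helper name, not part of OpenVPN.

# Print one finding per line; print nothing when both checks pass.
audit_ovpn() {
    local conf=$1 dir key perms
    dir=$(dirname "$conf")

    # 1. Without one of these directives the client accepts any certificate
    #    signed by the CA, including one that was issued to another client.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type|remote-cert-eku|tls-remote|verify-x509-name)[[:space:]]' "$conf"; then
        echo "no-server-cert-check"
    fi

    # 2. The private key should be readable by its owner only.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -n "$key" ]; then
        # Relative paths are resolved against the configuration's directory.
        case $key in /*) ;; *) key=$dir/$key ;; esac
        if [ -f "$key" ]; then
            perms=$(ls -ld "$key" | cut -c5-10)   # group and other bits
            [ "$perms" = "------" ] || echo "key-readable-by-others:$perms"
        else
            echo "key-missing"
        fi
    fi
}

# Constructed demonstration: the sample configuration from the post with a
# placeholder key file, audited before and after tightening.
demo_ovpn() {
    local d
    d=$(mktemp -d)
    printf '%s\n' client 'dev tun' 'proto udp' 'remote SERVER PORT' \
        'ca ca.crt' 'cert MACHINE.crt' 'key MACHINE.key' comp-lzo 'verb 3' \
        > "$d/client.ovpn"
    echo "constructed placeholder, not a real key" > "$d/MACHINE.key"
    chmod 644 "$d/MACHINE.key"

    echo "before:"
    audit_ovpn "$d/client.ovpn"

    # Assumption: the server certificate was issued with server key usage,
    # which is what a certificate made for the server role should carry.
    echo "remote-cert-tls server" >> "$d/client.ovpn"
    chmod 600 "$d/MACHINE.key"

    echo "after:"
    audit_ovpn "$d/client.ovpn"
    rm -rf "$d"
}

demo_ovpn
```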


References:

  1. http://code.google.com/p/tunnelblick/

8/08/2012

Installing OpenVPN 2.2 on CentOS 6.3 64bit

This post is just an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same; however, this post uses some newer packages which may have been relocated to new URLs. Again, this blog and its posts are mostly for my own reference and are not intended as step-by-step instructions for other systems/network administrators.

Install RPMForge or RepoForge as it's now known [1]
  1. wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  2. rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  3. yum update
Install and set-up the OpenVPN Server[2]
  1. yum -y install openvpn 
  2. cd /etc/openvpn/
  3. cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
  4. mkdir -p /etc/openvpn/easy-rsa/keys
  5. cd /etc/openvpn/easy-rsa
  6. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
  7. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
Set-up the OpenVPN Server environment, keys and certificates
  1. vi /etc/openvpn/easy-rsa/vars
    1. Also consider setting the key length using the KEY_SIZE variable. 1024 is the default and 2048 is better, although it slows down the TLS; I am paranoid and use 4096 bit keys
    2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
    3. I used PKCS11_MODULE_PATH=/ and a random PIN value
  2. Create a link to the openssl config file as openssl.cnf
    1. ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf   
  3. Create certificate for the server
    1. ./build-key-server NAME_OF_SERVER
    2. Answer the questions and commit the certificate into the database
  4. Create the Diffie Hellman files
    1. These files are used for the actual key exchange, which keeps the session confidential over an insecure channel. Depending on the key length used (KEY_SIZE), generating them may take a while.
    2. ./build-dh
  5. Create the certificate for each client
    1. ./build-key CLIENT
  6. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  7. Start everything
    1. /etc/rc.d/init.d/openvpn start
    2. chkconfig --level 235 openvpn on
A future post may include instructions on configuring the client as well as setting up firewall rules for specific topologies (time permitting).

References
  1. http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
  2. http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html

7/26/2012

Change Apple Mac OS X Software Update Service (SUS) address

Apple IU Software Update service allows users to keep their Mac OS X machines updated with the latest software updates and security patches. In some controlled environments, the update servers are specified in the user profile. Sometimes there may be delays in the server updates, or problems with the local update server, and users may wish to connect to Apple's services directly. Here are some instructions that users may find useful. Please note that to make configuration changes you will need Administrative privileges on your Mac.

Users should also note that where a URL for the update catalog is not specified, network administrators may have implemented transparent update redirection by manipulating DNS entries on a local server for URLs such as: http://swscan.apple.com, http://swquery.apple.com, http://swdownload.apple.com, http://swcdn.apple.com

Check the SUS server settings
To check your current SUS settings, issue the following commands from a terminal;
  1. /usr/libexec/PlistBuddy -c Print /Library/Preferences/com.apple.SoftwareUpdate.plist
  2. /usr/libexec/PlistBuddy -c Print ~/Library/Preferences/com.apple.SoftwareUpdate.plist
The above commands would produce an output similar to the following;

Dict {
    LastAttemptSystemVersion = 10.7.2 (11C74)
    LastRecommendedUpdatesAvailable = 0
    RecommendedUpdates = Array {
    }
    CatalogURL = http://XXX.XXX.XXX.XX:8088/index.sucatalog
    LastResultCode = 2
    ScheduleFrequency = 1
    LastUpdatesAvailable = 0
    LastAttemptDate = Thu Jul 26 10:37:51 EST 2012
    LastSuccessfulDate = Thu Jul 26 10:37:51 EST 2012
}

Change the SUS server settings back to Apple's default
Delete the CatalogURL entry by issuing the following command to force the IU software update to connect to Apple's URL

  1. defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

To change the SUS server
To change the SUS server to any other value issue the following command from a terminal;
  1. defaults write com.apple.SoftwareUpdate CatalogURL 'http://SERVER:PORT/index.sucatalog'
References
  1. http://support.apple.com/kb/HT3923

7/25/2012

How to install Springer Lecture Notes in Computer Science (LNCS) style for MiKTeX on Windows 7

Following on from my previous post... I had the same issue when working on my Microsoft Windows desktop at home, i.e. I got the following error: "! LaTeX Error: File `llncs.cls' not found.". So I had to download the "llncs2e.zip" file yet again from "http://www.springer.com/computer/lncs?SGWID=0-164-6-793341-0/"
  1. Download and extract llncs2e.zip
  2. Create a directory called splncs in C:\Program Files\MiKTeX 2.?\bibtex\bst
  3. Move the extracted files splncs.bst, splncs_srt.bst, and splncs03.bst into the new directory C:\Program Files\MiKTeX 2.9\bibtex\bst\splncs
  4. Move the extracted directory ?? into C:\Program Files\MiKTeX 2.9\tex\latex
  5. Rebuild the filename database via MiKTeX - Maintenance - Settings, and click on the "Refresh FNDB" button (this may take a while depending on your computer)

7/24/2012

Springer Lecture Notes in Computer Science (LNCS) style

When working on a recent paper for a conference, I was required to produce it using the Springer Lecture Notes in Computer Science (LNCS) style. Being naive, I assumed TeX would automatically download the required package... unfortunately I got the following error: "LaTeX Error: File `llncs.cls' not found." So I had to install the class manually. Here are the instructions for installing it on Mac OS X for LaTeX from MacPorts.
  1. Download the llncs2e.zip package from the Springer website [1]
  2. Unzip the file into the tex-live distribution location for MacPorts, i.e. /opt/local/share/texmf-texlive-dist/tex/latex
  3. Rebuild the ls-R databases using TeX by executing sudo texhash
  4. To get the bibliography style setup, change directory by using cd /opt/local/share/texmf-texlive-dist/bibtex/bst
  5. Make a directory to hold the style sudo mkdir splncs; cd splncs
  6. Either copy or link the files sudo ln -s ../../../tex/latex/llncs2e/*.bst .
TeX Live
If you are using a variant of TeX Live such as MacTeX, then you can copy the style files (*.bst) into "/usr/local/texlive/2012/texmf-dist/bibtex/bst/splncs" and the tex files into "/usr/local/texlive/2012/texmf-dist/tex/latex/llncs", and finally update the ls-R database using "sudo /usr/local/texlive/2012/bin/x86_64-darwin/texhash"


Makefile
My Makefile now runs without issues. Here's a copy of my Makefile

PROJ=paper

OS := $(shell uname -s)

.PHONY: all pdf clean read

all: pdf

pdf: $(PROJ).tex
	pdflatex $(PROJ)
	bibtex $(PROJ)
	pdflatex $(PROJ)
	pdflatex $(PROJ)

diff: $(PROJ)-original.tex
	latexdiff $(PROJ)-original.tex $(PROJ).tex > $(PROJ)-diff.tex
	pdflatex $(PROJ)-diff
	bibtex $(PROJ)-diff
	pdflatex $(PROJ)-diff
	pdflatex $(PROJ)-diff

readdiff:
ifeq ($(OS), windows32)
	start ${PROJ}-diff.pdf
endif
ifeq ($(OS), Darwin)
	open -a /Applications/Preview.app/Contents/MacOS/Preview ${PROJ}-diff.pdf
endif
ifeq ($(OS), Linux)
	acroread ${PROJ}-diff.pdf
endif

read:
ifeq ($(OS), windows32)
	start ${PROJ}.pdf
endif
ifeq ($(OS), Darwin)
	open -a /Applications/Preview.app/Contents/MacOS/Preview ${PROJ}.pdf
endif
ifeq ($(OS), Linux)
	acroread ${PROJ}.pdf
endif

clean:
	rm -f ${PROJ}.ps ${PROJ}.pdf ${PROJ}.log ${PROJ}.aux ${PROJ}.out ${PROJ}.dvi ${PROJ}.bbl ${PROJ}.blg ${PROJ}.toc

cleandiff:
	rm -f ${PROJ}-diff.ps ${PROJ}-diff.pdf ${PROJ}-diff.log ${PROJ}-diff.aux ${PROJ}-diff.out ${PROJ}-diff.dvi ${PROJ}-diff.bbl ${PROJ}-diff.blg ${PROJ}-diff.toc

References
  1. http://www.springer.com/computer/lncs/lncs+authors?SGWID=0-40209-0-0-0

7/20/2012

My ant build.xml file

I am doing some development work using Java and am using ant to build my code. Decided to post a copy of the build.xml file here... sorry about the formatting


<project name="TODO-PROJ-NAME" basedir="." default="main">
    <property name="username"    value="TODO-USERNAME"/>
    <property name="proj.name"   value="TODO-PROJ-NAME"/>
    <property name="proj.ver"    value="TODO-VER"/>
    <property name="proj.owner"  value="TODO-COPYRIGHT"/>

    <tstamp>
        <format property="TODAY" pattern="yyyy-MM-dd HH:mm:ss" />
    </tstamp>
    
    <property name="src.dir"     value="src"/>
    <property name="build.dir"   value="bin"/>
    <property name="lib.dir"     value="lib"/>
    <property name="classes.dir" value="${build.dir}/classes"/>
    <property name="jar.dir"     value="${build.dir}/jar"/>
    <property name="javadoc.dir"     value="${build.dir}/javadoc"/>

    <property name="main-class"  value="fj.com.kush.ui.TODO-PROJ"/>

    <path id="project.classpath">
        <fileset dir="${lib.dir}">
            <include name="*.jar"/>
        </fileset>
        <pathelement path="${classes.dir}"/>
    </path>


    <target name="clean">
        <delete dir="${build.dir}"/>
        <delete>
            <fileset dir="." includes="**/*~" defaultexcludes="false"/>
        </delete>     
    </target>


    <target name="compile">
        <mkdir dir="${classes.dir}"/>
        <!-- debuglevel takes a comma-separated keyword list -->
        <javac destdir="${classes.dir}" includeantruntime="false" debug="true" debuglevel="lines,vars,source">
            <src path="${src.dir}"/>
            <classpath refid="project.classpath"/>
        </javac>
    </target>


    <target name="javadoc">
        <mkdir dir="${javadoc.dir}"/>
        <javadoc destdir="${javadoc.dir}">
            <fileset dir="${src.dir}"/>
        </javadoc>
    </target>


    <target name="release" depends="jar, javadoc" description="make a new release of the project"/>


    <target name="copy.properties">
        <mkdir dir="${classes.dir}"/>

        <patternset id="properties.files">
            <include name="**/*.properties"/>
        </patternset>

        <copy todir="${classes.dir}">
            <fileset dir="${src.dir}">
                <patternset refid="properties.files"/>
            </fileset>
        </copy>
    </target>


    <target name="jar" depends="compile,copy.properties">
        <mkdir dir="${jar.dir}"/>
        <jar destfile="${jar.dir}/${ant.project.name}.jar" basedir="${classes.dir}">
            <manifest>
                <attribute name="Implementation-Title" value="${proj.name}"/>
                <attribute name="Implementation-Version" value="${proj.ver}"/>
                <attribute name="Implementation-Vendor" value="${proj.owner}"/>
                <attribute name="Main-Class" value="${main-class}"/>
                <attribute name="Built-By" value="${username}"/>
                <attribute name="Built-Date" value="${TODAY}"/>
                <attribute name="Class-Path" value="./"/>
            </manifest>
        </jar>
    </target>


    <target name="run" depends="jar">
        <java jar="${jar.dir}/${ant.project.name}.jar" fork="true"/>
    </target>


    <target name="clean-build" depends="clean,jar"/>


    <target name="main" depends="clean,run"/>
</project>

5/08/2012

Microsoft Windows Server 2003 for Small Business Server Microsoft Exchange Mail Store unmounts

At 08:59hrs this morning I got a call from a customer who was unable to receive e-mail. Logging into their server, I discovered that there were indeed messages stuck in the Local Delivery queue. I checked the Application event logs and found the following event:

Event Type: Error

Event Source: MSExchangeSA
Event Category: MAPI Session 
Event ID: 9175
Date: 8/05/2012
Time: 9:12:31 AM
User: N/A
Computer: ***DELETED***
Description:
The MAPI call 'OpenMsgStore' failed with the following error: 
The attempt to log on to the Microsoft Exchange Server computer has failed.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0512-00000000 


For more information, click http://www.microsoft.com/contentredirect.asp.

Further investigation led to an un-mounted mail store. It was relatively easy to re-mount the store; however, the support link at http://support.microsoft.com/kb/896143 leads me to think it may not be so easy all the time. After getting the service back up and running, I re-visited the logs and found that the event started at approximately 23:22hrs last night, and was preceded by the following message;


Event Type: Error
Event Source: MSExchangeSA
Event Category: Monitoring 
Event ID: 1005
Date: 7/05/2012
Time: 11:22:24 PM
User: N/A
Computer: ***DELETED***
Description:
Unexpected error <<0xc1050000 - The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000>> occurred. 


For more information, click http://www.microsoft.com/contentredirect.asp.


The support link at http://support.microsoft.com/kb/888179 did not provide much assistance in resolving the issue permanently, but I did check the allocated space and size of the mail store and the available space on disk and they were all OK.

5/07/2012

I had to do some maintenance work on a Linux based server

I had to do some maintenance work on a Linux based server. It was mainly just archiving some files and updating packages and configurations. However, as part of the maintenance I took the opportunity to put some simple technical security controls in place and documented some of them here for my reference.

MySQL Database
There was a MySQL server running that was only needed for the local host, but a "netstat -ltn" indicated that it was not bound to any specific IP, i.e. listening on 0.0.0.0, so I bound it to the localhost IP of 127.0.0.1 by editing the /etc/my.cnf file using the entry bind-address=127.0.0.1

vi /etc/my.cnf
bind-address=127.0.0.1
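
The netstat -ltn check described above can be scripted so it is repeatable after each configuration change. This is an added example, not part of the original post; the function names exposed_listeners and sample_netstat and the netstat output are constructed for illustration.

```bash
#!/bin/bash
# Added example: flag TCP listeners that are bound to every interface for
# ports that should only be reachable from the local host.

# exposed_listeners PORT...   (reads `netstat -ltn` output on stdin)
# Prints "PORT ADDRESS" for each listed port found listening on a wildcard
# address. Prints nothing when every listed port is bound to a specific IP.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        # Data rows look like:
        #   tcp  0  0  0.0.0.0:3306  0.0.0.0:*  LISTEN
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/^.*:/, "", port)      # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)  # text before the port
            if ((port in want) && (host == "0.0.0.0" || host == "::" || host == "*"))
                print port, host
        }'
}

# Constructed sample of `netstat -ltn` output taken before the bind-address
# change: MySQL on all interfaces, SMTP on loopback, SSH on IPv6 wildcard.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
EOF
}

# On a live host the input would be:  netstat -ltn | exposed_listeners 3306
sample_netstat | exposed_listeners 3306
```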

RKHunter Rootkit Anti-malware
I installed the new version of rkhunter and modified the configuration file to suit.

yum install rkhunter
vi /etc/rkhunter.conf
PKGMGR=RPM
ENABLE_TESTS="all"
DISABLE_TESTS="none"
SCAN_MODE_DEV=THOROUGH 
rkhunter --propupd --update --check --sk -l
vi /etc/rkhunter.conf
ALLOWHIDDENDIR=
ALLOWDEVFILE=

IPTables Firewall
Strangely enough there was no firewall configured on the host, so I quickly knocked up a script and saved it. Here's a snippet of the script that simply resets the rules, sets the default policies to drop and allows all local communications. There are additional parts that allow specific traffic through, but I have not put these up here to obscure the services and IP addresses being used.

#!/bin/bash

#
# Global script variables
#

# Commands
IPTABLES=/sbin/iptables

# Network interfaces and addresses
LOOP_IFACE=lo
LAN=192.168.100.0/24
LAN_ADDR=192.168.100.201
LAN_IFACE=eth0

# Port numbers
NAMED_PORT=53
NETFLOW_PORT=9996
NTP_PORT=123
PRIV_PORTS=1:1024
SMB_PORTS=137:139
SSHD_PORT=4022
UNPRIV_PORTS=1025:65535


#
# Manage kernel parameters
#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Configure default table policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#
# Initialise tables - flush rules, remove chains, zero counts
#

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat

$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -Z


#
# Allow all local loopback traffic
#

$IPTABLES -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOP_IFACE -j ACCEPT


#
# Allow all traffic that is part of a related or established connection in
#

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#
# Politely reject SMB traffic
#

$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $SMB_PORTS -j REJECT
$IPTABLES -A INPUT -i $LAN_IFACE -p udp --dport $SMB_PORTS -j REJECT


#
# Allow icmp pings
#

$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN -d $LAN_ADDR -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -s $LAN_ADDR -d $LAN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# *** DELETED SERVICES SPECIFIC RULES TO IMPLEMENT SECURITY BY OBSCURITY ***
# 


#
# Debugging - log all other traffic *** DO NOT USE IN PRODUCTION ENVIRONMENT ***
#
#
#$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-prefix "rc.firewall "
#


ClamAV Anti-virus
ClamAV is open source anti-virus software for Linux. I installed it using the yum package manager, configured the AV to scan daily, and used freshclam to ensure that the virus definitions are updated hourly.
yum install clamav clamd clamav-db

vi /etc/cron.hourly/freshclam
#!/bin/bash
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log

vi /etc/cron.daily/clamscan
#!/bin/bash
/usr/bin/clamscan -r / --exclude-dir=/proc --quiet --infected --log=/var/log/clamd/clamscan

Fail2Ban Intrusion Prevention
fail2ban is an interesting intrusion prevention system that parses system logs to dynamically update firewall rules to stop potential intrusion attempts. It supports several other mechanisms, but I was only interested in the firewall and SSH access.


yum install fail2ban
vi /etc/ssh/sshd_config
SyslogFacility LOCAL5
LogLevel INFO

vi /etc/syslog.conf
local5.info                                     /var/log/sshd/sshd.log

vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=*DELETED*, sender=*DELETED*]
logpath  = /var/log/sshd/sshd.log
maxretry = 2
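
To see what maxretry = 2 means in practice, the following added example (not part of the original post and not fail2ban's own code) applies the same counting idea to sshd log lines: failures are counted per source address inside a time window, and an address is reported once it reaches maxretry. The function names, the findtime value of 600 seconds and the log lines are assumptions constructed for illustration; timestamps are assumed to fall on one day.

```bash
#!/bin/bash
# Added example: per-address failure counting over sshd log lines.

# banned_ips MAXRETRY FINDTIME   (reads the sshd log on stdin)
# Prints each address once, at the moment it reaches MAXRETRY failed
# password attempts within FINDTIME seconds.
banned_ips() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
            # Read the address from the fixed tail of the message
            # ("from ADDR port N ssh2") rather than from the user name field.
            ip = $(NF-3)
            if (ip in banned) next

            # Syslog time HH:MM:SS to seconds since midnight.
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]

            last[ip]++
            times[ip, last[ip]] = now
            if (!(ip in first)) first[ip] = 1

            # Forget failures that have aged out of the window.
            while (now - times[ip, first[ip]] > findtime) first[ip]++

            if (last[ip] - first[ip] + 1 >= maxretry) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Constructed sample written in the format of /var/log/sshd/sshd.log.
sample_sshd_log() {
    cat <<'EOF'
May  7 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
May  7 10:00:05 host sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
May  7 10:01:00 host sshd[2110]: Failed password for invalid user test from 198.51.100.9 port 40522 ssh2
May  7 10:02:00 host sshd[2120]: Accepted password for alice from 192.168.100.10 port 50111 ssh2
May  7 10:30:00 host sshd[2140]: Failed password for invalid user test from 198.51.100.9 port 40533 ssh2
EOF
}

# Two failures four seconds apart trigger a ban; two failures 29 minutes
# apart do not, because the first has left the 600 second window.
sample_sshd_log | banned_ips 2 600
```

With maxretry = 2 a legitimate user who mistypes a password twice inside the window is banned as well, so the ignoreip setting for trusted management addresses is worth reviewing alongside this jail.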


Legal notices
The client wanted some legal notices and disclaimers on the host for various reasons, one of them being to notify employees that their usage was being monitored. I stuck the disclaimer from their legal department (it looked pretty generic though) into /etc/issue and created a link from /etc/issue.net to it.