System Administration

System Administration information

(see also latest version howto and version notes)

ssh root@my.server.tld
 
###########################################################
##postgres
yum install postgresql postgresql-server postgresql-contrib
chkconfig --level 235 postgresql on
service postgresql start
#    on CentOS/RHEL 6 the cluster has to be created first: service postgresql initdb
vim /var/lib/pgsql/data/pg_hba.conf
#    host all all 127.0.0.1/32 password
#    pg_hba.conf is read top to bottom and the first matching line wins: put this
#    line above the distribution's default 127.0.0.1/32 (ident) line or it is never reached.
#    "password" sends the password in clear over the socket; md5 is the better choice.
vim /var/lib/pgsql/data/postgresql.conf
#    maintenance_work_mem=128000
#    autovacuum = on
service postgresql restart
su postgres
psql -U postgres
CREATE LANGUAGE plpgsql;
-- plpgsql is installed by default since PostgreSQL 9.0; an "already exists" error here is harmless
CREATE DATABASE noodledb WITH ENCODING = 'UNICODE';
create user noodleuser with superuser password 'some long password';
-- superuser is more than an application role needs; if init.sql runs without it,
-- leave it off and rely on the GRANT below
GRANT ALL PRIVILEGES ON DATABASE noodledb to noodleuser;
\q
exit
 
###########################################################
##java (get an updated url from java.sun.com)
cd /opt
wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207765' -O jre.tar.gz
#    the download is over plain http: compare the archive's checksum with the one
#    Oracle publishes for that build before unpacking it
tar -zxf jre.tar.gz
rm -f jre.tar.gz
 
###########################################################
##7z
#    you can use yum-priorities and rpmforge or you can do it from source
yum install p7zip p7zip-plugins
#    if "which 7z" finds nothing, symlink 7z to the 7za (or 7zr) binary the packages installed
 
###########################################################
##Noodle
wget somewhere/Noodle.tar.gz
tar -xvvf ./Noodle.tar.gz
cd ./noodle
#      take note of your available ram and java location
./configure

sudo -i
apt update
apt -y upgrade
apt -y dist-upgrade
apt install -y postgresql-contrib tree p7zip-full sysstat catdoc antiword html2text unrtf libid3-tools ffmpeg openjdk-8-jre poppler-utils unzip
cd /opt
tar -xf ./Noodle.tar.gz
cd ./Noodle
su postgres -c 'cd ~/;psql --file /opt/Noodle/init.sql'
./configure
mv noodle.daemon /etc/init.d/noodle
update-rc.d noodle defaults
service noodle start

(see also howto get a new version of PGSQL)

sudo -i
apt-get install -y postgresql-9.3 postgresql-contrib-9.3 default-jre p7zip-full screen
cd /opt
tar -xf ./Noodle.tar.gz
cd ./Noodle
echo "host all all 127.0.0.1/32 password" >> /etc/postgresql/9.3/main/pg_hba.conf
#    appending puts this rule after the package default "host all all 127.0.0.1/32 md5",
#    which is matched first, so the line only matters if that default was removed;
#    prefer md5 over "password" (cleartext) in any case
service postgresql start
su postgres -c 'cd ~/;psql --file /opt/Noodle/init.sql'
./configure
mv noodle.daemon /etc/init.d/noodle
service noodle start
update-rc.d noodle defaults
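Both pg_hba.conf edits above (the CentOS one and the echo >> for PostgreSQL 9.3) depend on PostgreSQL applying the first matching line. The following shell functions are an added example, not part of Noodle or its installer: one inserts a loopback rule for the application role above the distribution's default line, using md5 instead of cleartext "password", and the other reports which rule a given login would actually hit. The file contents in the comments are constructed samples, and only host lines with a /32, 0.0.0.0/0 or "all" address are modelled.

```sh
#!/bin/sh
# Added example (not Noodle's own code). PostgreSQL reads pg_hba.conf top to
# bottom and applies the FIRST matching line, so a rule appended with
# "echo >>" lands after the distribution default for 127.0.0.1/32 and is
# never consulted. These helpers insert above the first "host" rule instead.

# pg_hba_add_local <pg_hba.conf> <database> <role> [auth-method]
# Default method is md5 (challenge/response); "password" sends the password
# in clear over the socket. Does nothing if an identical rule already exists.
pg_hba_add_local() {
    hba="$1"; db="$2"; role="$3"; method="${4:-md5}"
    rule="host    $db    $role    127.0.0.1/32    $method"
    if awk -v db="$db" -v r="$role" -v m="$method" '
            $1 == "host" && $2 == db && $3 == r && $4 == "127.0.0.1/32" && $5 == m { found = 1 }
            END { exit !found }' "$hba"; then
        return 0
    fi
    tmp="$hba.tmp.$$"
    awk -v rule="$rule" '
        !done && $1 == "host" { print rule; done = 1 }   # insert above the first host rule
        { print }
        END { if (!done) print rule }                    # no host rule at all: append
        ' "$hba" > "$tmp" && mv "$tmp" "$hba"
}

# pg_hba_first_match <pg_hba.conf> <database> <role> <ipv4-address>
# Prints the auth method of the first "host" rule that matches, i.e. the one
# PostgreSQL will use. Only /32, 0.0.0.0/0 and "all" addresses are handled
# (an assumption of this example; real matching is full CIDR).
pg_hba_first_match() {
    hba="$1"; db="$2"; role="$3"; addr="$4"
    awk -v db="$db" -v r="$role" -v a="$addr" '
        $1 == "host" && ($2 == "all" || $2 == db) && ($3 == "all" || $3 == r) && ($4 == (a "/32") || $4 == "0.0.0.0/0" || $4 == "all") { print $5; exit }
        ' "$hba"
}

# Example run on a constructed CentOS-6-style file (default method ident):
#   printf 'local all all peer\nhost all all 127.0.0.1/32 ident\n' > pg_hba.conf
#   pg_hba_add_local pg_hba.conf noodledb noodleuser
#   pg_hba_first_match pg_hba.conf noodledb noodleuser 127.0.0.1   # md5
#   pg_hba_first_match pg_hba.conf postgres postgres 127.0.0.1     # ident
```

pg_hba.conf is only read at start or reload, so follow an edit with service postgresql reload. With the page's own echo >> on that sample file, pg_hba_first_match still reports ident for noodleuser, which is exactly why the appended line never has an effect.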

Stronger TLS ("SSL") encryption can be achieved by doing the following:

  • Upgrade your operating system
  • Upgrade Java
  • Upgrade Noodle
  • Set crypto.policy=unlimited in the JRE's lib/security/java.security ($JAVA_HOME/jre/lib/security/java.security inside a JDK). The property exists from Java 8u151; from 8u161 and in Java 9+ unlimited is already the default.
    • Get the JCE Unlimited Strength policy files if they were not included with your (older) JDK/JRE
  • Limit Protocols and Ciphers in multiserver.conf
    • Best of 2018

      • Connection.CM_1.Protocols[] = TLSv1.3
      • Connection.CM_1.Ciphers[] = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    • For Windows 7 compatibility add:
      • Connection.CM_1.Protocols[] = TLSv1.2
      • Connection.CM_1.Ciphers[] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_AES_256_GCM_SHA384
      • The CBC/SHA suites are there only for older Windows 7 clients that lack the GCM suites; remove them once those clients are gone.
  • Add a CAA record to your DNS, so that only the CA you actually use may issue certificates for the name.

The available ciphers and protocols are listed on http://DOMAIN.TLD/Check.po?admin=now
Test with the SSL Labs server test (https://www.ssllabs.com/ssltest/); it shows which of the above the server really negotiates.

TLSv1.3 needs Java 11 or later (it was later backported to Java 8u261 as well).

Windows

  • Updating Java can require a Windows restart before the new version is functional.
  • Select a Java build.
  • If the major version number is upgraded, be sure to edit intranet.bat accordingly.

Make sure Noodle is not running while you uninstall old Java versions.
A Noodle service restart is required afterwards.

How to prevent emails (memo, reminder, auto-notification, notification, subscription) sent by Noodle from being marked as spam.

If you are hosted by Vialect and are using mail.vialect.net in the SMTP settings, half of it is already taken care of:

  • If using SPF, add our mail server to your record, then verify with:
    • Lin
      dig sub.domain.tld TXT | grep spf
    • Win
      nslookup -type=TXT sub.domain.tld | findstr spf
  • If using the Google mail client, add a filter (to add a tag) for anything with your Noodle domain name in it.

If hosting Noodle on your own server or using your own SMTP server, additionally:

  • Whitelist the Noodle server (Postfix, SpamAssassin, Exchange)
  • Use authentication in the Noodle SMTP setting
    • [user:pass@]domain.tld[:port][,protocol]

Another option is to use something like noreply@vialect.com in the "Send system emails from" system setting.

Restarting Noodle service

  • Microsoft Windows
    • sc stop noodle
    • sc start noodle
  • Linux with sysvinit/Upstart
    • service noodle restart
  • Linux with systemd
    • systemctl restart noodle
  • macOS (launchd)
    • launchctl unload /System/Library/LaunchDaemons/noodle.plist
    • launchctl load /System/Library/LaunchDaemons/noodle.plist
  • Solaris/illumos (SMF)
    • svcadm restart noodle

  1. Make sure the port you want to use is not already in use:
    • Linux-like systems
      • netstat -ln | grep ":80 "
    • Microsoft
      • netstat -na | findstr ":80"
  2. Edit the text file cfg/multiserver.conf in the Noodle Home directory changing the line "Connection.CM_0.Port = 80" to an available port.
  3. Remember to update the OS and network firewalls.
  4. restart the Noodle service
  5. Update the Noodle setting “System Tools > Settings > URL for Noodle”
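Steps 1 and 2 of the port change as one added shell example (not Noodle's own tooling): port_listening reads a listener table on standard input so it can be tried on a pasted sample, listeners obtains that table from ss -ltn or, where ss is absent, netstat -ln, and set_noodle_port refuses to touch the file while the port is taken. The key name Connection.CM_0.Port is the one from the steps above; the sample listings in the comments are constructed.

```sh
#!/bin/sh
# Added example (not part of Noodle): move the Noodle listener to a free port.

# Listener table from whichever tool exists (ss replaces netstat on current
# Linux). Both print the local address as the 4th column, so one parser serves
# either. If neither tool exists the check cannot be made and fails loudly.
listeners() {
    if command -v ss >/dev/null 2>&1; then ss -ltn
    elif command -v netstat >/dev/null 2>&1; then netstat -ln
    else echo "neither ss nor netstat found" >&2; return 1
    fi
}

# port_listening <port>   (table on stdin)  -> exit 0 if something listens on it.
# Matches ":80" only at the end of the local-address column, so 8080 and 800
# are not confused with 80 and unix-socket lines never match.
port_listening() {
    awk -v p="$1" '$4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# set_noodle_port <multiserver.conf> <port> [CM_n]
# Refuses if the port is in use; otherwise rewrites the "Connection.CM_0.Port = 80"
# line in place (assumes the "key = number" layout shown on this page).
set_noodle_port() {
    conf="$1"; port="$2"; cm="${3:-CM_0}"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    if listeners | port_listening "$port"; then
        echo "port $port is already in use" >&2; return 1
    fi
    key="Connection.$cm.Port"
    tmp="$conf.tmp.$$"
    if awk -v key="$key" -v port="$port" '
            $0 ~ ("^" key "[ \t]*=") { sub(/[0-9]+[ \t]*$/, port); changed = 1 }
            { print }
            END { exit !changed }' "$conf" > "$tmp"; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"; echo "no $key line in $conf" >&2; return 1
    fi
}

# Example (constructed ss -ltn output with 22 and 80 in use):
#   printf 'LISTEN 0 128 *:80 *:*\n' | port_listening 80    # true
#   printf 'LISTEN 0 128 *:80 *:*\n' | port_listening 8080  # false
#   set_noodle_port cfg/multiserver.conf 8080               # edits the Port line
```

After a successful change, steps 3 to 5 still apply: open the new port in the OS and network firewalls, restart the service, and update the "URL for Noodle" setting.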

On Microsoft Windows the kernel HTTP listener (http.sys, the "HTTP" service behind IIS, WinRM and others) may already hold port 80. Disable it by running these 2 commands (everything that depends on it stops as well):

  1. sc config http start= disabled
  2. net stop http /y

Or if you want to use both you can bind them to different IPs:

  1. http.sys IP (netsh http add iplisten ipaddress=192.168.0.101)
  2. Noodle IP (Connection.CM_0.BindAddress = 192.168.0.100)

LAN security options for the server:

  • Whole-disk encryption (prevents bypassing access controls by reading the disk from another computer).
  • Dedicated server (reduces exploitable surface area).
  • Linux OS (not affected by Windows malware).
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
  • ssh keys only, with password login disabled (stops password guessing on ssh).
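The firewall and ssh-key items above as an added shell example (not part of Noodle): noodle_nft_ruleset prints an nftables ruleset that accepts only loopback, established connections, ICMP, ssh and the Noodle http[s] ports and drops everything else, and sshd_keys_only turns off password logins in sshd_config without touching per-user Match blocks. Ports 22, 80 and 443 are assumed defaults, and the sshd_config in the comments is constructed.

```sh
#!/bin/sh
# Added example, not Noodle's own: lock the server down to ssh + Noodle http[s].

# noodle_nft_ruleset [ssh-port] [web-ports]   -> nftables ruleset on stdout.
# Apply with:  noodle_nft_ruleset 22 "80, 443" | nft -c -f -   (syntax check only)
#              noodle_nft_ruleset 22 "80, 443" | nft -f -      (load; persist it in
#              /etc/nftables.conf). Keep the current ssh session open until a
#              second login has been confirmed to work.
noodle_nft_ruleset() {
    ssh_port="${1:-22}"; web_ports="${2:-80, 443}"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport $ssh_port ct state new accept
        tcp dport { $web_ports } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# sshd_keys_only <sshd_config>
# Sets the global PasswordAuthentication and ChallengeResponseAuthentication to
# no and PermitRootLogin to prohibit-password (root stays allowed with a key, as
# the "ssh root@my.server.tld" at the top of this page needs). Directives that
# are missing are inserted before the first "Match" block so they stay global;
# anything inside a Match block is left alone. Directive names are matched as
# written here (sshd itself is case-insensitive). Run "sshd -t" before restarting.
sshd_keys_only() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    awk '
        BEGIN {
            want["PasswordAuthentication"] = "no"
            want["ChallengeResponseAuthentication"] = "no"
            want["PermitRootLogin"] = "prohibit-password"
        }
        $1 == "Match" && !inmatch {
            for (k in want) if (!seen[k]) { print k " " want[k]; seen[k] = 1 }
            inmatch = 1
        }
        inmatch { print; next }
        ($1 in want) { if (!seen[$1]) { print $1 " " want[$1]; seen[$1] = 1 }; next }
        { print }
        END { if (!inmatch) for (k in want) if (!seen[k]) print k " " want[k] }
        ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}
```

Both pieces are deliberately restrictive: the input chain has no rule for PostgreSQL, which the installs above only ever reach over 127.0.0.1, and anything else (monitoring, backups) must be added as another tcp dport line rather than by loosening the policy.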

LAN security options on a network, listed from most to least secure:

  1. Network not (even indirectly) connected to the internet.
  2. Network with no Microsoft Windows devices, only indirectly connected to the internet:
    • Encrypted VPN or, better, an ssh tunnel (with keys this prevents man-in-the-middle attacks from a spoofed wifi, an untrusted ISP or a government).
    • Anonymity networks like Tor can be used, optionally with TLS or ssh on top (in practice this prevents anyone, including governments, from learning which server a user is talking to).
  3. Network only indirectly connected to the internet.
  4. Public network with a firewall or NAT port forwarding blocking all but one port.
  5. Public network.