Saturday, November 29, 2008

Vmware host server kernel problem

I'm facing a problem with VMware community server, which stops responding on the host server after running for a few hours, on clock update. To solve the problem we have to edit /etc/vmware/config and add this:

host.useFastClock = FALSE

Save it, then restart VMware.

Alternatively, you can also put it in your *.vmx host file.

Hope this helps.

Wednesday, October 1, 2008

Script that can help you free up your memory

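Used myself on my server.. taken from my best friend.

#!/bin/bash
# Flush dirty pages to disk first; drop_caches only frees clean pages
sync
# 3 = drop the page cache plus dentries and inodes (requires root)
echo 3 | tee /proc/sys/vm/drop_caches


Better to use cron for this.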

Friday, September 26, 2008

Tweaking DNS cache in Windows XP

I found this registry tweak for the DNS cache in Windows XP but don't really know whether it works or not... give it a try.

Edit your registry or put this in a registry file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"CacheHashTableBucketSize"=dword:00000001
"CacheHashTableSize"=dword:00000180
"MaxCacheEntryTtlLimit"=dword:0000fa00
"MaxSOACacheEntryTtlLimit"=dword:0000012d

Tuesday, September 23, 2008

Linux Memory Handling And Performance

I am having performance problems. The memory runs down to where it requires swapping, and then the system is very slow. Using "top" I can see that the memory does not get released after an HDF5 file is closed. It stays in memory until the file is deleted.

The memory usage shown by "top" means total memory used by the system, both kernel and users. The Linux OS, contrary to many other Operating Systems, does not impose an upper limit on Kernel memory. If the kernel needs more memory, it grabs as much as there is physical memory. Output to disk is buffered in kernel memory first, before making its way slowly to disk. If a program is output intensive, it can quickly use up all physical memory. At that point, the whole system is memory starved. Not much gets done until the output data is written to the disks and frees up memory. Therefore, a Linux system can become very inefficient by just one write-intensive application.

This problem is not limited to HDF5 programs. Any write-intensive program can exhibit the same phenomenon. For example, keep "top" running in one window and do the following in another window. You will see the same behavior, assuming you have less than 2GB of memory. If you have more memory, increase the value of count=200 to exceed it.

% dd if=/dev/zero of=junk bs=10MB count=200  #generate a 2000MB file
% # by now top will show not much free memory left.
% rm junk

You will then see a big jump of free memory because the data in the dirty buffers is no longer valid and the memory is free for other use.

I believe it's a system problem, not the HDF5 library. I'm just looking for a manual flush that would alleviate my problem.

"Flushing" data means an application is very paranoid of the data integrity and is willing to initiate a real disk write and WAIT until it is finished. It is a requirement of data integrity at the cost of response speed. You can keep telling the system to flush the data out but the data can only move at the limit of the I/O channel. If you want your memory to be freed up sooner, you would have to employ one or more of the following:

  1. faster disks and faster I/O channel;
  2. more memory;
  3. more disks and use striping;

Wednesday, September 3, 2008

Save bandwidth and time with apt-proxy

If you have more than one box to update or install software with apt on, apt-proxy can save you a lot of time (and bandwidth). It runs on one box, and others are then set up to update through it. Updates are then stored on the apt-proxy box so that any others that also update can do so a lot quicker than getting them from the mirrors. It also relieves a bit of the strain on the mirrors you are using. This is how to set it up on Ubuntu 6.0.6:

Install apt-proxy:

sudo apt-get install apt-proxy

Once installed, configure your apt-proxy config to taste:

sudo vi /etc/apt-proxy/apt-proxy-v2.conf
#This is mine, but you may want to adjust for your mirrors (it's also pretty close to default):
address = 192.168.31.190
port = 9999
min_refresh_delay = 1s
timeout = 15
cache_dir = /var/cache/apt-proxy
cleanup_freq = 1d
max_age = 120d
max_versions = 3
[ubuntu]
;; Ubuntu archive
backends = http://gb.archive.ubuntu.com/ubuntu
[ubuntu-security]
;; Ubuntu security updates
backends = http://security.ubuntu.com/ubuntu

Once you have done this, adjust your other boxen so that their /etc/apt/sources.list looks similar to:

deb http://192.168.31.190:9999/ubuntu dapper main restricted universe multiverse
deb-src http://192.168.31.190:9999/ubuntu dapper-security main restricted
deb http://192.168.31.190:9999/ubuntu dapper-security main restricted universe multiverse

One more change needed, on the clients again, edit the /etc/apt/apt.conf file:

#Acquire::http::Proxy "false"; #This needs to be commented in ubuntu.
Acquire::Proxy "false";

After that, just apt-get update as usual. The first box should take the same time as normal, but after that you should see a massive rise in speed for the others doing the same updates.

Note that feisty doesn't have this line, but dapper does, so you'll need to adjust depending on your distro (cheers miles!).

Friday, August 15, 2008

PLESK: email error : This address no longer accepts mail

I had a problem after upgrading Plesk from 8.4 to 8.6 when trying to send to some domains which are hosted externally (MX records pointed to the external address). After searching and googling I found that this is not a DNS issue but rather the qmail configuration itself.

To resolve the problem I had to remove the domain from /var/qmail/control/rcpthosts and /var/qmail/control/virtualdomains.

After that we have to restart qmail with /etc/init.d/qmail restart

Now it's working..

Sunday, August 10, 2008

Running script after PPP established

Under Fedora Core / RHEL / CentOS Linux you need to create or edit the file /etc/ppp/ip-up.local (Debian / Ubuntu Linux users, see below for more information).

There is also a file called /etc/ppp/ip-up, which should not be modified -- make all local changes in the /etc/ppp/ip-up.local file only.

Step # 1: Open /etc/ppp/ip-up.local file
# vi /etc/ppp/ip-up.local

Step # 2: You can call your shell script - /etc/rapp/logtime.sh or any other program from this file by adding following line:
/etc/rapp/logtime.sh

Save and close the file.

Step # 3: Set executable permission
Next, make the file executable for the owner:
# chmod 700 /etc/ppp/ip-up.local
Then set executable permission on the script /etc/rapp/logtime.sh:
# chmod +x /etc/rapp/logtime.sh

From now on, the file /etc/ppp/ip-up.local will be executed immediately after the ppp0 interface has been brought up by your dialer.

Debian / Ubuntu Linux

Under Debian / Ubuntu Linux, put your script in the /etc/ppp/ip-up.d/ directory itself. The /etc/ppp/ip-up script is run by pppd after the link is established. It uses run-parts to run the scripts in /etc/ppp/ip-up.d, so you should create your script(s) there.
# cp /etc/rapp/logtime.sh /etc/ppp/ip-up.d/
# chmod +x /etc/ppp/ip-up.d/logtime.sh

Saturday, July 26, 2008

Menu bar missing from Excel 2003 (may also apply to other Excel versions)

1. Open Excel 2003

2. Press ALT + F11 to open the Visual Basic editor

3. Create a MODULE from the menu INSERT -> MODULE

4. Enter this code:



Sub kawe()
On Error Resume Next

With Application

.DisplayFullScreen = False

.CommandBars("Worksheet Menu Bar").Enabled = True
.CommandBars("Standard").Enabled = True
.CommandBars("Formatting").Enabled = True
.CommandBars("Drawing").Enabled = True
.CommandBars("Borders").Enabled = True
.CommandBars("Chart").Enabled = True
.CommandBars("Control Toolbox").Enabled = True
.CommandBars("External Data").Enabled = True
.CommandBars("Forms").Enabled = True
.CommandBars("Formula Auditing").Enabled = True
.CommandBars("List").Enabled = True
.CommandBars("Picture").Enabled = True
.CommandBars("PivotTable").Enabled = True
.CommandBars("Protection").Enabled = True
.CommandBars("Reviewing").Enabled = True
.CommandBars("Task Pane").Enabled = True
.CommandBars("Text To Speech").Enabled = True
.CommandBars("Visual Basic").Enabled = True
.CommandBars("Watch Window").Enabled = True
.CommandBars("Web").Enabled = True
.CommandBars("Web Art").Enabled = True


End With

On Error GoTo 0

End Sub

5. Double-click Sheet 1 and enter this code

Private Sub Workbook_Activate()

Run "kawe"

End Sub

6. Press F5 to run the macro

7. OK, the menu bar now appears under View -> Toolbar. Make your selection from the toolbars there, for example "Standard".
Save the file (it can be deleted afterwards), then reopen Excel to confirm.

Good luck!

Thursday, July 24, 2008

Useful script for daily MySQL backups

I use this script on my server.. it backs up MySQL every day. You only need to change the settings section. chmod it and set a cron job to run it daily.


=========== start ==============

#!/bin/bash

##### SETTINGS #####
MYUSER="dbuser"
MYPWD="password"
DB="database"
DIR_PATH="/var/mysql-backup"
FAIL=mybck_$(date +%d-%m-%Y)

###################


# Check DIR_PATH and create it if it is missing
if [ ! -d "$DIR_PATH" ]
then
mkdir -p "$DIR_PATH"
fi

# Run the MySQL dump
cd /tmp || exit 1
mysqldump -c -x --add-drop-table --add-locks --databases "$DB" -u "$MYUSER" -p"$MYPWD" > "$FAIL.sql"

# Compress the result and point latest.tgz at the new archive
if [ -e "$DIR_PATH"/mytoday_$(date +%d-)* ]
then
rm -f "$DIR_PATH"/mytoday_$(date +%d-)*
tar -jcf "$DIR_PATH/$FAIL.tgz" "$FAIL.sql"
rm -f "$DIR_PATH/latest.tgz"
ln -s "$DIR_PATH/$FAIL.tgz" "$DIR_PATH/latest.tgz"
else
tar -jcf "$DIR_PATH/$FAIL.tgz" "$FAIL.sql"
rm -f "$DIR_PATH/latest.tgz"
ln -s "$DIR_PATH/$FAIL.tgz" "$DIR_PATH/latest.tgz"
fi
rm -f "$FAIL.sql"


===================== end ====================
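
A hardened variant of the backup above, added here as an example and not the original author's script: the password is read from an option file instead of appearing in the process list via -p, the dump goes to a private temporary directory rather than a predictable name in /tmp, and the archive is readable by its owner only. CRED_FILE, its path and the DUMP_CMD override are assumptions introduced for this sketch.

```sh
#!/bin/sh
# Added example (not from the original post): daily MySQL dump without
# exposing the password in argv or leaving world-readable files behind.

DB="${DB:-database}"
DIR_PATH="${DIR_PATH:-/var/mysql-backup}"
# Assumption: option file with a [client] section (user=..., password=...), mode 600.
CRED_FILE="${CRED_FILE:-/root/.my-backup.cnf}"
# Assumption: overridable so the logic can be exercised without a MySQL server.
DUMP_CMD="${DUMP_CMD:-mysqldump}"

# Refuse a credentials file that is missing or readable by group/others.
check_cred_file() {
    [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
    ccf_mode=$(stat -c %a "$1")
    case "$ccf_mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $ccf_mode, expected 600" >&2; return 1 ;;
    esac
}

# Dump, compress, repoint latest.tgz; prints the archive path on success.
run_backup() {
    rb_name="mybck_$(date +%d-%m-%Y)"
    umask 077                      # everything created below is owner-only
    check_cred_file "$CRED_FILE" || return 1
    mkdir -p "$DIR_PATH" && chmod 700 "$DIR_PATH" || return 1
    rb_work=$(mktemp -d) || return 1   # private, unpredictable working directory
    # --defaults-extra-file has to be the first option; no password in argv.
    if ! "$DUMP_CMD" --defaults-extra-file="$CRED_FILE" -c -x \
            --add-drop-table --add-locks --databases "$DB" \
            > "$rb_work/$rb_name.sql"; then
        rm -rf "$rb_work"
        echo "dump failed; previous latest.tgz left untouched" >&2
        return 1
    fi
    # gzip here so the content matches the .tgz name
    tar -zcf "$DIR_PATH/$rb_name.tgz" -C "$rb_work" "$rb_name.sql" || return 1
    ln -sfn "$DIR_PATH/$rb_name.tgz" "$DIR_PATH/latest.tgz"
    rm -rf "$rb_work"
    echo "$DIR_PATH/$rb_name.tgz"
}

# Run from cron as: /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```
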

Monday, July 21, 2008

Lighttpd and AWSTATS

This tutorial will help you get AWStats and Lighttpd working together. AWStats is an excellent log analyzer, and works well with Lighttpd. This tutorial assumes a working installation of Lighttpd and Perl.


Step 1. Download and Extract AWStats

  • Download AWStats
  • Extract the archive to the web directory on your system, e.g. /var/www/



Step 2. Configure lighttpd.conf

Fire up lighttpd.conf in your favorite editor. Make sure that mod_cgi is in your modules configuration.

server.modules = ( "mod_rewrite", "mod_fastcgi", "mod_status", "mod_cgi", "mod_accesslog" )


Add a separate host entry for your AWStats instance.

$HTTP["host"] =~ "awstats.YOURDOMAINNAMEHERE" {
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl"
)
server.document-root = "/YOUR_PATH_TO/awstats/wwwroot/"
}



Restart Lighttpd and point your browser to:

http://awstats.YOURDOMAINNAMEHERE/cgi-bin/awstats.pl
You should get an error message from AWStats, continue on to Step 3. If you get a 404 error message or Lighttpd didn't start, check your configuration file for syntax errors and correct paths.

Step 3. Configure AWStats

Copy cgi-bin/awstats.model.conf to cgi-bin/awstats.YOURDOMAINNAMEHERE.conf, and open that file in an editor.

  • Set the path to your log file
    LogFile="/path/to/your/log/file"
  • Set your Domain Name
    SiteDomain="YOURDOMAINNAMEHERE"

Open http://awstats.YOURDOMAINNAMEHERE/cgi-bin/awstats.pl?config=YOURDOMAINNAMEHERE



You can add new configuration files for each site you would like AWStats to parse.

Step 4. Analyze Log Files

To update the stats, run the following command in the cgi-bin directory:

perl awstats.pl -update -config=YOURDOMAINNAMEHERE

Friday, July 18, 2008

scp - Linux command line tool to copy files over ssh

scp stands for secure cp (copy), which means that you can copy files across an ssh connection that will be encrypted, and therefore secured.

This way you can copy files from or to a remote server; you can even copy files from one remote server to another remote server, without passing through your PC.

Usage

scp [[user@]from-host:]source-file [[user@]to-host:][destination-file]

Description of options

from-host
Is the name or IP of the host where the source file is. This can be omitted if the from-host is the host where you are actually issuing the command
user
Is the user who has the right to access the file and directory to be copied, in the case of the from-host, and the user who has the right to write, in the case of the to-host
source-file
Is the file or files that are going to be copied to the destination host. It can be a directory, but in that case you need to specify the -r option to copy the contents of the directory
destination-file
Is the name that the copied file is going to take on the to-host. If none is given, all copied files keep their names

Options

-p
Preserves the modification and access times, as well as the permissions of the source-file in the destination-file
-q
Do not display the progress bar
-r
Recursive, so it copies the contents of the source-file (directory in this case) recursively
-v
Displays debugging messages

Examples

scp *.txt user@remote.server.com:/home/user/

This will copy all files with .txt extension to the directory /home/user in the remote.server.com host

scp -r miguel@10.1.2.2:/home/miguel/ miguel@10.1.2.3:/home/miguel/

This is going to recursively copy all files from miguel's Home directory on 10.1.2.2 host to his Home directory in 10.1.2.3 host.

Note

To use this command you need to have OpenSSH installed on the hosts.

The UltraMonkey Solution


Ultra Monkey is a project to create load balanced and highly available services on a local area network using Open Source components on the Linux operating system, including heartbeat and ldirectord from the Linux-HA project.

Configuration example

Now we're going to use UltraMonkey to construct a highly-available VS/NAT web cluster with two load balancers and three web servers. The topology is illustrated in the following figure. In the example, the virtual IP address and gateway IP address are 10.23.8.80 and 172.18.1.254, which float between the two load balancers (LD1 and LD2), and the IP addresses of the three real servers are 172.18.1.11, 172.18.1.12 and 172.18.1.13 respectively.

The configuration files of UltraMonkey are the same at LD1 and LD2. The configuration files for above examples are as follows:

/etc/ha.d/ha.cf:

logfacility     local0
keepalive 2
deadtime 10
warntime 10
initdead 10
nice_failback on
udpport 694
bcast eth1
node ld1
node ld2

/etc/ha.d/haresources:

ld1 IPaddr::10.23.8.80/24/eth1 IPaddr::172.18.1.254/24/\
eth1 ldirectord::ldirectord.cf

/etc/ha.d/ldirectord.cf:

checktimeout=10
checkinterval=2
autoreload=no
logfile="local0"
quiescent=yes

virtual=10.23.8.80:80
fallback=127.0.0.1:80
real=172.18.1.11:80 masq
real=172.18.1.12:80 masq
real=172.18.1.13:80 masq
service=http
request="index.html"
receive="Test Page"
scheduler=wlc
persistent=600
protocol=tcp
checktype=negotiate

Load balancing with a script in linux

When you have two ISPs you may want to make your Linux machine balance the load of your internet access. You can use ip route for this.

The package needed for this is iproute, if you are using debian you can install it with

apt-get install iproute

or go to this page and download the source of iproute

Let's use this load balance script, which works for CentOS, Fedora, Ubuntu and Debian, and should work for all distributions.

-----------cut here--------------

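#!/bin/bash

# Routing tables T1 and T2 must first be defined in /etc/iproute2/rt_tables

# IPs of the default gateways
IP1=192.168.1.1
IP2=192.168.2.1

REDLOCAL=10.1.1.0/24
IPLOCAL=10.1.1.1

# NICs
IF1=eth0
IF2=eth1

# Table T1: traffic that leaves through the first gateway
ip rule add from $IP1 lookup T1
ip route add $REDLOCAL via $IPLOCAL table T1
ip route add 0/0 via $IP1 table T1

# Table T2: traffic that leaves through the second gateway
ip rule add from $IP2 lookup T2
ip route add $REDLOCAL via $IPLOCAL table T2
ip route add 0/0 via $IP2 table T2

# Default route balanced across both gateways
ip route add default equalize nexthop via $IP1 dev $IF1 nexthop via $IP2 dev $IF2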

--------------cut here ---------------------

That should do the job. Of course, change the variables according to your needs.

Wednesday, July 16, 2008

Find and fix weak OpenSSL/OpenSSH keys: Debian-based Linux vulnerability

A recent vulnerability was found in the OpenSSL package as provided by Debian and Debian-based Linux distributions, such as Ubuntu, that broke the effectiveness of the OpenSSL PRNG (pseudo-random number generator). This vulnerability caused OpenSSL to generate weak keys for anything relying on OpenSSL, including SSL certificates, OpenSSH keys, and OpenVPN keys. Any OpenSSL-based key generated on a Debian-based system since September 2006 by the openssl, ssh-keygen, or openvpn --genkey commands is vulnerable to this issue.

Debian and Ubuntu have already issued updates that correct the flaw and provide a blacklist of keys known to be weak. Unfortunately, exploits to take advantage of this flaw exist as well. Likewise, while the affected OpenSSL packages are only on Debian and Debian-derived distributions, it could affect other operating systems as well if those keys were generated on a Debian system. For instance, if your system provides SSH access to external users, and one of them created an SSH keypair using Debian or Ubuntu, then your system, or more particularly those user accounts, should be considered compromised, whether it is running Mandriva, Fedora, or even a BSD variant.

The Debian team has provided a tool that can be used to determine if any such weak keys exist on the system, and it can be run by anyone, regardless of whether they use Debian or not. To begin, download the dowkd.pl perl script and use it to test SSH keys of the host system:

$ cd ~/tmp
$ curl -O -L http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
$ curl -O -L http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
$ gpg --keyserver subkeys.pgp.net --recv-keys 02D524BE
$ gpg --verify dowkd.pl.gz.asc
$ gunzip dowkd.pl.gz
$ perl dowkd.pl host localhost

This will download the dowkd.pl perl script and also import a Debian security team member’s key from subkeys.pgp.net. If the archive verifies okay with gpg, unarchive it, and then run the script in host-checking mode against the localhost.

If the script detects that the host key is weak, it will indicate such. Next, run the script against user keys on the system:

# perl dowkd.pl user

This check should be run as root in order to obtain access to every user’s keys. The script will check the keys and also the authorized_keys file and will alert you if the fingerprint to a remote host indicates a vulnerable key as well. If you wish to check a specific user, append the user name to the command:

# perl dowkd.pl user joe

If the script indicates that any keys are weak, they should be removed and regenerated immediately.

More information on exactly what types of keys and how to test them all is available at http://wiki.debian.org/SSLkeys.



Tips:

To regenerate the host keys for OpenSSH:

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

See http://wiki.debian.org/SSLkeys for details.
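
How a blacklist check of the kind described above can be applied to an authorized_keys file, as an added example that is not dowkd.pl and not code from the original article. It assumes the blacklist format used by Debian's openssh-blacklist files (one entry per line: the key's MD5 fingerprint in hex with the first 12 digits removed); the key blobs and the blacklist entry in demo are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example: flag authorized_keys entries whose fingerprint is blacklisted.
# Real blacklists are split per key type and size; pass the one that applies.

# key_suffix BLOB
# BLOB is the base64 field of a public key line. Prints the last 20 hex
# digits of the MD5 of the decoded blob, which is the blacklist form.
key_suffix() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$1" | base64 -d | md5sum | cut -c13-32
}

# audit_keys KEYFILE BLACKLIST
# Prints "WEAK line N" for each blacklisted key; returns 1 if any was found.
audit_keys() {
    ak_found=0
    ak_n=0
    while IFS= read -r ak_line || [ -n "$ak_line" ]; do
        ak_n=$((ak_n + 1))
        case "$ak_line" in ''|'#'*) continue ;; esac
        # The blob follows the key type; login options may precede the type.
        ak_blob=$(printf '%s\n' "$ak_line" |
            awk '{ for (i = 1; i < NF; i++)
                     if ($i ~ /^ssh-(rsa|dss)$/) { print $(i + 1); exit } }')
        [ -n "$ak_blob" ] || continue
        ak_sfx=$(key_suffix "$ak_blob") || continue   # skip undecodable blobs
        if grep -qxF "$ak_sfx" "$2"; then
            echo "WEAK line $ak_n"
            ak_found=1
        fi
    done < "$1"
    return "$ak_found"
}

# Constructed sample data so the check can be run offline.
demo() {
    d_dir=$(mktemp -d)
    printf '%s\n' '# constructed blacklist' '2a76b9719d911017c592' \
        > "$d_dir/blacklist"
    cat > "$d_dir/authorized_keys" <<'EOF'
# constructed entries; the blobs are placeholders, not real keys
ssh-rsa aGVsbG8= alice@debian-box
ssh-rsa d29ybGQ= bob@fedora-box
from="10.0.0.5",no-pty ssh-rsa aGVsbG8= carol@debian-box
EOF
    audit_keys "$d_dir/authorized_keys" "$d_dir/blacklist"
    d_rc=$?
    rm -rf "$d_dir"
    return "$d_rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```
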

Wednesday, June 18, 2008

/lib/modules/2.6.18-6-686/build: No such file or directory.

If you get this error when running

#make all


/lib/modules/2.6.18-6-686/build: No such file or directory.




try this:


aptitude update
aptitude install build-essential module-assistant
m-a update
m-a prepare


Tuesday, June 17, 2008

E: The package avast4server needs to be reinstalled

sudo gedit /var/lib/dpkg/status
in the document find this...
Package: avast4server
Status: deinstall reinstreq half-configured
Priority: extra
Section: alien.....
and change it to...
Package: avast4server
Status: install ok installed
Priority: extra
Section: alien....
Next go to the .deb installation package that you downloaded and open it in archive manager. Extract to your hard disk. You can now browse to these files to find the 'data.tar.gz' file which is another archive. Open this as 'root' and find the file 'avastd' -- it's in the directory (within the archive) called '/./etc/init.d/' As 'root', create in your filesystem a directory called /etc/sysconfig/ and then extract 'avastd' to that directory.
Start Synaptic. It will identify a broken link which is the 'avast4server' package. You can select this to do a 'Complete Removal'
Removal proceeds without error!

Wednesday, June 11, 2008

Sync data between 2 servers with rsync and ssh

Have you ever wanted to know how to easily synchronize the data between multiple servers automatically?
In this article I’ll explain how to setup 2 Linux servers to automatically synchronize data between a specific directory on each server. To do this we will use rsync, ssh key authentication, and a cron job.

Let’s call the 2 servers ‘SOURCESERVER’ and ‘DESTSERVER’ for
SOURCESERVER = Source server (the server we’re connecting from to upload the data)
DESTSERVER = Destination server (the server we’re connecting to receive the data)


Part 1 - Setting up SSH key authentication

First, we need to make sure the DESTSERVER has the ability to use key authentication enabled. Find your sshd configuration file (usually ‘/etc/ssh/sshd_config’) and enable the following options if they are not already set.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

If you edit the file be sure to restart sshd afterwards.

# /etc/init.d/sshd restart

Next, on the SOURCESERVER we will create the public / private key pair to be used for authentication with the following command.

# ssh-keygen -t rsa

*Note: Do not enter a passphrase for this, just hit enter when prompted.

This should create 2 files, a public key file and a private key file.
The public key file (usually [homedir]/.ssh/id_rsa.pub) we will upload to the DESTSERVER.
The private key file (usually [homedir]/.ssh/id_rsa) we will keep on the SOURCESERVER.
*Be sure to keep this private key safe. With it anyone will be able to connect to the DESTSERVER that contains the public key.

Now we will plant the public key we created on to the DESTSERVER.
Choose the user account which you will use to connect to on DESTSERVER, we’ll call this user ‘destuser’ for now.
In that account’s home directory, create a ‘.ssh’ subdirectory, and in that directory create a new text file called ‘authorized_keys’. If it already exists, great, use the existing file.
Open the ‘authorized_keys’ file and paste in the contents of the public key you created in the previous step (id_rsa.pub). It should look something like the following

ssh-rsa sourceuser@SOURCESERVER

Save the file and change the permissions to 600 for the file and 700 for the ‘.ssh’ directory.

Now to test that the keys are working.
From the SOURCESERVER try logging in as normal using ssh to the DESTSERVER.

# ssh destuser@DESTSERVER

If all is working you should not be prompted for a password but instead connected directly to a shell on the DESTSERVER.


Part 2 - Creating the rsync script

Now for the rsync script.
I use a simple script such as the following

——————————————-

#!/bin/bash

SOURCEPATH='/source/directory'
DESTPATH='/destination'
DESTHOST='123.123.123.123'
DESTUSER='destuser'
LOGFILE='rsync.log'

echo $'\n\n' >> "$LOGFILE"
# Send stdout to the log first, then point stderr at the same place
rsync -av --rsh=ssh "$SOURCEPATH" "$DESTUSER@$DESTHOST:$DESTPATH" >> "$LOGFILE" 2>&1
echo "Completed at: $(/bin/date)" >> "$LOGFILE"

——————————————-

Copy this file into the home directory of the sourceuser on the SOURCESERVER
and modify the first 4 variables in the file.
SOURCEPATH (Source path to be synced)
DESTPATH (Destination path to be synced)
DESTHOST (Destination IP address or host name)
DESTUSER (User on the destination server)
Save it as something like ‘rsync.sh’
Set the permissions on the file to 700.
# chmod 700 rsync.sh

Now you should be able to run the script, have it connect to the DESTSERVER, and transfer the files all without your interaction.
The script will send all output to the ‘rsync.log’ file specified in the script.


Part 3 - Setting up the cron job

Assuming everything has worked so far all that’s left is to setup a cron job to run the script automatically at a predefined interval.

As the same sourceuser use the ‘crontab’ command to create a new cron job.

# crontab -e

This will open an editor where you can schedule the job.
Enter the following to have the script run once every hour

——————————————-
# Run my rsync script once every hour
0 * * * * /path/to/rsync.sh
——————————————-

Your 2 servers should now be syncing the chosen directory once every hour.
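
Because the key from Part 1 has no passphrase, anyone who obtains it gets a shell as destuser. The following added example (not part of the original article) builds an authorized_keys entry on the DESTSERVER that limits that key to rsync into one directory from one source address, and installs it with the 700/600 permissions described above. The rrsync path, the source address 203.0.113.10 and the function names are assumptions; with rrsync in place, the client names paths relative to the allowed directory.

```sh
#!/bin/sh
# Added example: restrict a passphrase-less sync key on DESTSERVER.

# Assumption: rrsync (the restricted-rsync helper shipped with rsync) lives here.
RRSYNC="${RRSYNC:-/usr/bin/rrsync}"

# restricted_entry PUBKEY_LINE SOURCE_ADDR DEST_DIR
# Prints an authorized_keys line that only allows rsync into DEST_DIR,
# only from SOURCE_ADDR, with no terminal and no forwarding.
restricted_entry() {
    re_pub=$1
    re_src=$2
    re_dir=$3
    # Accept only a bare "type blob [comment]" line, so options already
    # present on a pasted line are never silently kept.
    case "$re_pub" in
        ssh-rsa\ ?*|ssh-ed25519\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) echo "expected a bare public key line" >&2; return 1 ;;
    esac
    # The directory ends up inside a quoted option value.
    case "$re_dir" in
        *\"*) echo "destination must not contain quotes" >&2; return 1 ;;
        /*) ;;
        *) echo "destination must be an absolute path" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$re_src" "$RRSYNC" "$re_dir" "$re_pub"
}

# install_entry HOME_DIR ENTRY
# Creates .ssh (700) and authorized_keys (600) if needed and appends ENTRY
# once; running it again does not duplicate the line.
install_entry() {
    ie_ssh="$1/.ssh"
    ie_file="$ie_ssh/authorized_keys"
    mkdir -p "$ie_ssh" && chmod 700 "$ie_ssh" || return 1
    touch "$ie_file" && chmod 600 "$ie_file" || return 1
    grep -qxF -- "$2" "$ie_file" || printf '%s\n' "$2" >> "$ie_file"
}

# Usage on DESTSERVER, as destuser (key line and address are placeholders):
#   entry=$(restricted_entry "$(cat id_rsa.pub)" 203.0.113.10 /destination)
#   install_entry "$HOME" "$entry"
```
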

Sunday, June 8, 2008

Debian lenny/sid and VLANs (my way)

Hmm.. in theory I do know about VLANs and what they're for, since I'm used to using them on managed switches and have also had a glance at Cisco, but in Linux? Hmm, never done it yet.. anyway this blog is just for my own notes, so I can refer back easily.. I'm still a greenhorn, after all... OK, no long stories, let's see how to set up simple VLANs

Scenario:

deb server (masquerade server)
eth0: xxx.xxx.xxx.xxx (WAN IP)
eth1 : 192.168.1.1/255.255.255.255
eth1 ( vlan1 ) : 100.100.100.1/255.255.255.0
eth1 ( vlan2 ) : 121.1.1.1/255.255.255.0

The deb server is already online to the internet.. so I want to create 2 VLANs for 2 groups, each able to hold 254 users. So with these 2 VLANs the network can be expanded to 508 users.. that's a lot.. what would you do with that many? hehe, who knows.. just for fun, maybe.. The advantage of VLANs is separating networks, for example a computer lab group, an office group, a staff group and so on. VLANs and IP aliases work almost the same way but differ structurally. In short, to make it easy to understand, a VLAN interface is a clone of the physical interface, whereas an IP alias is an alias to that physical interface.. look at this output:

eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.255
inet6 addr: fe80::21e:e5ff:fe29:edaf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:492 (492.0 B)

vlan1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx
inet addr:121.1.1.1 Bcast:121.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::21e:e5ff:fe29:edaf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:492 (492.0 B)

eth1:1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx
inet addr:122.1.1.1 Bcast:122.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1


OK, let's start..

1. Make sure eth0 and eth1 are up

2. Update first, then install the vlan package

#apt-get update
#apt-get install vlan

Done?

3. Edit /etc/network/interfaces

######### VLAN ###############


auto vlan1

iface vlan1 inet static
address 121.1.1.1
netmask 255.255.255.0
network 121.1.1.0
broadcast 121.1.1.255
mtu 1500
vlan_raw_device eth1
up /skrip/vlan1-up
down /skrip/vlan1-down

auto vlan2
iface vlan2 inet static
address 100.100.100.1
netmask 255.255.255.0
network 100.100.100.0
broadcast 100.100.100.255
mtu 1500
vlan_raw_device eth1
up /skrip/vlan2-up
down /skrip/vlan2-down


Save and exit

4. Do this

#mkdir /skrip

Create the file /skrip/vlan1-up and put this in it:

route del -net 121.1.1.0 netmask 255.255.255.0 dev vlan1
route add -net 121.1.1.0 netmask 255.255.255.0 dev eth1

Create the file /skrip/vlan1-down and put this in it:

route del -net 121.1.1.0 netmask 255.255.255.0 dev eth1

Create the file /skrip/vlan2-up and put this in it:

route del -net 100.100.100.0 netmask 255.255.255.0 dev vlan2
route add -net 100.100.100.0 netmask 255.255.255.0 dev eth1

Create the file /skrip/vlan2-down and put this in it:

route del -net 100.100.100.0 netmask 255.255.255.0 dev eth1

#chmod 755 /skrip/vlan*

5. Hehe.. easy... now we need to create the masquerade rules.. using iptables

Create the file /skrip/masq, then put this in, save and exit

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 121.1.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 100.100.100.0/24 -j MASQUERADE

#chmod 755 /skrip/masq

To make this packet forwarding script run every time the system comes up, it needs to be added to /etc/rc.local

Edit /etc/rc.local and add:

/skrip/masq

Save and exit.. now reboot... WHAT? You don't want to reboot... OK... do this..

#/skrip/masq
#/etc/init.d/networking restart

OK, now try ifconfig vlan1 and ifconfig vlan2, are they there? OK, if they are, you can configure a client to test any of the VLAN IP ranges..

That's all... goodbye!

Friday, June 6, 2008

Debian Etch Netinstall and Linksys WMP54G Ver 4.1

Hak hak hak.. another headache.. yet another headache.. ugh.. my head hurts.. I was just about to bring up an old PC using the Debian netinstall and tried to configure this WMP54G.. and it turns out the default 2.6.18 kernel that comes with this deb doesn't detect it.. nothing in dmesg either.. and on top of that, lspci isn't there either, ugh... yet the BIOS does detect a network controller.. I thought my card was dead... painful... in the end I tried to install pciutils.. no internet.. and the package isn't on the netinstall CD either.. terrible... so I had to go and find internet access.. download the pciutils and wireless-tools Debian packages.. once they were installed I ran lspci -v

01:00.0 Network controller: RaLink RT2561/RT61 802.11g PCI
Subsystem: Linksys WMP54G ver 4.1
Flags: bus master, slow devsel, latency 32, IRQ 5
Memory at d4000000 (32-bit, non-prefetchable) [size=32K]
Capabilities: [40] Power Management version 2

Hehehe... what on earth is RaLink? Searched on Google.. and got this address..

http://www.ralinktech.com/ralink/Home/Support/Linux.html

So of course.. I downloaded it.. and did make && make install... the driver I downloaded has to be the one that supports the RT2561 model.. here it is: RT2501PCI/mPCI/CB(RT61:RT2561/RT2561S/RT2661)

Once it's downloaded.. by default the script adds alias ra0 rt61 to /etc/modprobe.conf, but on deb.. that isn't used.. so we have to rename /etc/modprobe.conf to something else... then add alias ra0 rt61 to /etc/modprobe.d/aliases

Then?

#depmod -a
#ifconfig ra0
#iwconfig ra0 mode Managed
#iwconfig ra0 essid "korang punye laah"
#dhclient ra0

Wow... finally got it... but I don't want to write a script.. I'll just put this in so it comes up automatically when the system boots

I edited /etc/network/interfaces

and added this:

auto ra0
iface ra0 inet static
address 192.168.1.14
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
up \
/sbin/iwconfig ra0 mode Managed && \
/sbin/iwconfig ra0 essid MakKoMakAku

Save and exit.. reboot to test.. done

My headache's gone now.. bye

Tuesday, June 3, 2008

Plesk : Tired of the awful Horde skin?

So, get the WPS Sober theme/skin for Horde which is really nice and more into the "XP" style.
WPS Sober Theme for Horde

To install it:
- extract all the files of the archive to the /usr/share/psa-horde/ directory (! Extract the files directly to that dir, not to /usr/share/psa-horde/wps_sober !)
- if you want your users to use this theme by default, edit the file /etc/psa-horde/horde/prefs.php, go to line 299 and put 'wps_sober' in place of 'bluewhite'.

That's it! You got a really better-looking skin that won't scare your users.

Sunday, June 1, 2008

SAMBA - easy and often forgotten

Aiyaaaa... I've gone and forgotten about Samba.. haven't done it in a long time.. but never mind.. the easiest way to make sambal is to pound chillies with mango.. sure to be delicious.. but that's sambal.. this is SAMBA.. go look up what that is yourselves..

For a Samba share.. the easiest and simplest way...

1) You must be 'root'

2) apt-get install samba-common smbclient smbfs samba (this is for Debian. On other distros just install whatever gets it working)

3) Create a user

#adduser mamat

4) smbpasswd -a mamat (enter a password for Samba.. you can use a different password if you like..)

5) pico /etc/samba/smbusers (create a new file) and put this in:

mamat = "mamat"

then save and exit

6) pico /etc/samba/smb.conf

OK, here there are 4 things you need to do:

security = user
username map = /etc/samba/smbusers

Under the [homes] share, change writeable = yes

Save and exit

7) Restart Samba


beres... skrg ni user boleh akses ke home shared masing-masing dengan memasukkan password tersebut.. ok.. tq

err... macammana nak akses ke share tu? alamakkkkkkkkkkkkkkkk...... korang ni pun satu laaa.. pakai windows kan?heh.. kalau tak pakai windows memang korang tak tanye dah camtu.. pakai windows.. ko pegi kat my computer taip ni je

\\ip-server-ko

kalau dari linux... pakai mount -t smbfs -o username=mamat,password=apaapeje //server-ko /mnt/serveraku

bukak /mnt/serveraku utk tgk file... tq

Saturday, May 31, 2008

Delete Files Older Than x Days on Linux

The find utility on linux allows you to pass in a bunch of interesting arguments, including one to execute another command on each file. We'll use this in order to figure out what files are older than a certain number of days, and then use the rm command to delete them.

Command Syntax

find /path/to/files* -mtime +5 -exec rm {} \;

Note that there are spaces between rm, {}, and \;

Explanation

  • The first argument is the path to the files. This can be a path, a directory, or a wildcard as in the example above. I would recommend using the full path, and make sure that you run the command without the exec rm to make sure you are getting the right results.
  • The second argument, -mtime, is used to specify the number of days old that the file is. If you enter +5, it will find files older than 5 days.
  • The third argument, -exec, allows you to pass in a command such as rm. The {} \; at the end is required to end the command.

This should work on Ubuntu, Suse, Redhat, or pretty much any version of linux.
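The advice above to run the command without the exec rm first can be built into a small wrapper. This is an added example, not part of the original post; the function name purge_old and its --delete switch are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: preview first, delete second, using the find -mtime test above.
# purge_old DIR DAYS            lists the regular files that would be removed
# purge_old DIR DAYS --delete   removes them
purge_old() {
    local dir="$1" days="$2" mode="${3:-}"

    # Guard rails: an empty or relative path, or "/", is almost always a mistake.
    case "$dir" in
        ''|/) echo "refusing to run on '$dir'" >&2; return 2 ;;
        /*)   ;;
        *)    echo "use an absolute path, got '$dir'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case "$days" in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 2 ;;
    esac

    # -xdev     stay on the filesystem DIR lives on
    # -type f   regular files only; directories and symlinks are left alone
    # -mtime +N matches files last modified more than N whole 24-hour periods
    #           ago, so +5 means at least six days old
    if [ "$mode" = "--delete" ]; then
        # "{} +" batches many names per rm call; "--" stops option parsing
        find "$dir" -xdev -type f -mtime +"$days" -exec rm -f -- {} +
    else
        find "$dir" -xdev -type f -mtime +"$days" -print
    fi
}
```

Run it once without --delete, read the list, then repeat the same call with --delete.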

ProFtpd

ProFTPD is a secure (as secure as an insecure protocol can be), simple, and easily configured FTP Server.

This document covers the creation of a secure, multiuser FTP Server. This document does not attempt to explain every directive available for the proftpd.conf file. This document does not attempt to explain how to start and stop the ProFTPD daemon as this process varies based on what *nix / BSD Distribution you are running the daemon on. This article does assume general familiarity with *nix / BSD system administration such as adding users, setting user passwords, creating directories, etc.

Before we start: the title of this article is a bit of a misnomer, since FTP in itself is an insecure protocol due to the fact that it does not encrypt usernames, passwords, or data. If you require a totally secure method of transferring files, I suggest that you look into SCP, which is an extension to the SSH (Secure Shell) Protocol.

Premise

We will be working with three "levels" of security to secure our server. Our first layer of "security" is to jail all FTP users in a chroot jail. Luckily, ProFTPD provides a built-in facility for this purpose. Our second layer of protection needed for a "secure" FTP Server is to deny a valid shell to the FTP users. Our third layer of security is to not use account names for real users as FTP accounts; this is irrelevant in the scope of this tutorial because we will be setting up FTP users with invalid shells.


I : Preparing the System

To deny a valid shell to the FTP users, the /etc/shells file will need to be edited. This file contains all the valid FTP shells. We want to add an executable that does nothing to this file so we can assign this "nothing" executable to the FTP users so that they have no shell if they break out of the chroot jail.

Add the following line to /etc/shells:
/bin/false

(/bin/false) does nothing – check out the man page if you wish.

We also want to secure the directory where we will be storing the FTP Server's files, create a new group using whichever tool you normally use and call it ftp-users.


II : Create The FTP File Area

Decide on a base (root) directory where you wish to keep all the uploaded and downloadable files for your FTP Server. In this document, I will refer to this directory as /ftproot. Create the following directory structure below it.
/ftproot/upload

/ftproot/download

Next, set the permissions on the ftp directory structure.
chown -R ftp:ftp-users /ftproot
chmod -R 770 /ftproot

III: Create FTP Users

We already know why it is not a good idea to use valid user accounts for FTP. So let's create some FTP users.

Using whatever tool you normally use to create users, create some special FTP accounts. I suggest that you use the useradd tool instead of adduser as useradd does not create a home directory unless you specify it (we do not want to create standard home directories for the FTP users). I use the following format for ftp user names.

ftp followed by the user's initials. For example, John Doe's FTP account would be ftpjd (I will use ftpjd as an example FTP account for the rest of this document)

If you accidentally created a home directory (/home/ftpjd) for the FTP user, delete it now.

Next, we want to give the user an invalid shell, put him or her in the ftp-users group, add a comment to the user's file that identifies the user as an FTP user, and change his or her home directory to the root directory of our FTP server. Edit the /etc/passwd file OR use the usermod tool as in the example below.
usermod -c FTP -d /ftproot -g ftp-users -s /bin/false ftpjd
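Once several FTP accounts exist, the rules from sections I to III (shell /bin/false, home /ftproot, primary group ftp-users) can be checked in one pass. This is an added example, not part of the original tutorial; the function names, the sample accounts other than ftpjd, and GID 2001 are constructed for the illustration.

```shell
#!/bin/bash
# Added example: audit FTP-only accounts against the rules in this tutorial.
# Assumptions: passwd(5)-format input; the ftp-users GID is passed in by the caller.

# audit_ftp_users PASSWD_FILE FTP_GID   ("-" reads standard input)
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
audit_ftp_users() {
    awk -F: -v gid="$2" '
        $4 != gid          { next }   # only accounts whose primary group is ftp-users
        $3 == 0            { print $1 ": has UID 0"; bad = 1 }
        $7 != "/bin/false" { print $1 ": login shell is " $7 ", expected /bin/false"; bad = 1 }
        $6 != "/ftproot"   { print $1 ": home is " $6 ", expected /ftproot"; bad = 1 }
        END                { exit bad }
    ' "$1"
}

# Constructed sample data (GID 2001 stands in for ftp-users).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
ftpjd:x:2001:2001:FTP:/ftproot:/bin/false
ftpas:x:2002:2001:FTP:/ftproot:/bin/bash
ftpmk:x:2003:2001:FTP:/home/ftpmk:/bin/false
EOF
}

sample_passwd | audit_ftp_users - 2001 || echo "fix the accounts listed above"
```

On a live system, pass /etc/passwd and the GID from `getent group ftp-users | cut -d: -f3`.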

IV: Configure ProFTPD

First, we will set the chroot jailing. The chroot jailing in ProFTPD works with the home directory that is set for the user in /etc/passwd. Since we changed all of our FTP users' home directories to /ftproot, they will all start off jailed in /ftproot when they log in to our FTP server. Configuring the chroot jail in ProFTPD is as simple as adding the following line to your /etc/proftpd.conf file somewhere in the first half of the file.

#Jail all users
DefaultRoot ~

Next, we will add permissions directives for our FTP directory structure. Add the following to the end of your /etc/proftpd.conf file.

Umask 022 022
AllowOverwrite off

DenyAll




Umask 022 022
AllowOverwrite off

DenyAll




Umask 022 022
AllowOverwrite on

AllowAll



The directives above set the server to read only in all directories except the upload directory. This allows the admin to control which files are made public. For more detailed information on these directives, please see the ProFTPD documentation.

Start up your ProFTPD daemon and you are finished.

V : A Working ProFTPD Configuration

I have bolded some of the important directives in the example configuration that this document does not cover that you should look up in the ProFTPD documentation.

# ProFTPD for "EXAMPLE" FTP Server

ServerIdent on "Please enter your username and password. Anonymous logins are disabled."
ServerName EXAMPLE
ServerType inetd
ServerAdmin Private@whatever.net
DeferWelcome on

ShowDotFiles off
ShowSymlinks off
MultilineRFC2228 on
DefaultServer on
AllowOverwrite on
MaxClients 10
MaxClientsPerHost 1 "You are already logged on once."
RequireValidShell off

TimeoutNoTransfer 20
TimeoutStalled 10
TimeoutLogin 20
TimeoutIdle 1200

RootLogin off
UseFtpUsers off

Port 21
MaxInstances 30

ExtendedLog /var/log/ftp.log auth,all

LsDefaultOptions "-l"

DenyFilter \*.*/

# Set the user and group that the server normally runs at.
User ftp
Group ftp-users

# Lock users into the ftproot directory
DefaultRoot ~


Umask 022 022
AllowOverwrite off

DenyAll




Umask 022 022
AllowOverwrite off

DenyAll




Umask 022 022
AllowOverwrite on

AllowAll


Email Alert on ssh root access

Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server you're sending the alert from.

So let's get started!

1. Log in to your server and su to root, I know the irony!

2. cd /root

3. pico .bashrc

4. Scroll to the end of the file then add the following:
echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com

Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address

5. Ctrl + X then Y

Now log out of SSH, close the connection and log back in! You should receive an email with the root login alert a few minutes afterwards.
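The one-liner in step 4 takes the source address from `who`, which lists every logged-in session, so with several users online the subject line mixes their hosts together. The variant below is an added example, not part of the original tutorial: it reads the address of the current session from SSH_CONNECTION instead, and the function names are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example for /root/.bashrc; function names are illustrative.

# Address the current SSH session came from, or "local" for console/su shells.
# sshd exports SSH_CONNECTION="client_ip client_port server_ip server_port".
alert_source() {
    local conn="${SSH_CONNECTION:-}"
    if [ -n "$conn" ]; then
        printf '%s\n' "${conn%% *}"
    else
        printf 'local\n'
    fi
}

alert_subject() {
    printf 'Alert: Root Access from %s\n' "$(alert_source)"
}

# $1 = server handle
alert_body() {
    local term
    term=$(tty 2>/dev/null) || term="none"
    printf 'ALERT - Root Shell Access (%s) on: %s\n' "$1" "$(date)"
    printf 'Source: %s\nTerminal: %s\nSessions:\n%s\n' "$(alert_source)" "$term" "$(who)"
}

# $1 = server handle, $2 = recipient address
send_root_alert() {
    case $- in *i*) ;; *) return 0 ;; esac        # interactive shells only
    command -v mail >/dev/null 2>&1 || return 0    # no mailer: never block the login
    # Subshell plus & sends in the background without a job-control message.
    ( alert_body "$1" | mail -s "$(alert_subject)" "$2" & )
}

# Last line of /root/.bashrc:
# send_root_alert YourServerName you@yourdomain.com
```

The interactive-shell check keeps scp and rsync sessions quiet, which also means only interactive root shells produce an alert.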

Tuesday, May 27, 2008

squid log : error:unsupported-request-method

put this in squid.conf

method options:

OPTIONS, PROPFIND, GET, REPORT,
MKACTIVITY, PROPPATCH, PUT, CHECKOUT, MKCOL,
MOVE, COPY, DELETE, LOCK, UNLOCK, MERGE

example:

extension_methods GET PUT REPORT MKACTIVITY

then reload as usual...

squid -k reconfigure

Sunday, April 27, 2008

Find files and content

I often forget little things like this...

to find files by name and extension

find /mnt/win/backup/mp3 -type f -name "*inta*.mp3" >> /ice/skbj.lst

search for content inside files

grep apaapaaje *

or

grep "apa apa aje" *

or

grep apaapaaje */*

find a file

which

or

locate

Thursday, April 17, 2008

Another VLANs Guide on Debian

Suppose you have a layer 2 switch with support for 802.1q and want to route traffic from one VLAN to another: you can use a Linux box for that.

A VLAN is a Virtual LAN. It is created with equipment such as switches that support the 802.1q protocol, which inserts a 'tag' in the Ethernet frame; this tag identifies the VLAN to which a packet belongs.

Having two VLANs in a switch is like having two physical switches, as packets from one do not pass to the other. If you need to pass traffic from one VLAN to another you will need a layer 3 switch with its internal virtual router enabled, but you can do the same with a Linux box, this way.

#apt-get install vlan
-- This is to install the vlan software --

#modprobe 8021q
-- This is to load the 802.1q module --

#vconfig add eth0 2
#vconfig add eth0 3
-- Creating two VLANs over the eth0 interface --

#ifconfig eth0 0.0.0.0 up
-- To make only the VLAN interfaces carry traffic. Be sure you have eth0 up or you will see no traffic at all --

#ifconfig eth0.2 10.1.1.1 broadcast 10.1.1.255 netmask 255.255.255.0 up
#ifconfig eth0.3 10.1.2.1 broadcast 10.1.2.255 netmask 255.255.255.0 up
-- Assume you have these two VLANs: the first is 10.1.1.0/24 and the second is 10.1.2.0/24, and you want traffic between them --

Now that this is done, configure one of your switch ports to belong to VLAN 2 and 3 at the same time, and connect your Linux box to that port.

#echo 1 > /proc/sys/net/ipv4/ip_forward

-- To enable packet forwarding on the linux router --

#route add -net 10.1.1.0 netmask 255.255.255.0 dev eth0.2
#route add -net 10.1.2.0 netmask 255.255.255.0 dev eth0.3

That should be all. If you want to see what is happening you can use Ethereal on your Linux box and you will get a graphic like this
http://jaws.go2linux.org/pics/Screenshot-vlan.png

VLAN configuration on Ubuntu (Debian)

Here is a quick guide on how to enable VLANs on an Ubuntu or Debian box.
VLANs on Linux will work with most modern ethernet adapters. Frankly speaking, I have not come across an adapter it would not work with. I presume that you use the standard kernel shipped with Ubuntu. However, if you use a custom-built kernel, make sure VLAN support is enabled in it.


In this example I want my computer to connect to vlan4, vlan5 and vlan101. My default gateway is in vlan101. And I have only one ethernet interface, eth0.

Note: If you want to connect to only one VLAN or you have many network interfaces it is possible to do as well.

OK, now how to do this:
1. Install VLAN package on your computer:
sudo apt-get install vlan

2. Edit your /etc/network/interfaces file so it would contain the following:

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
auto vlan4
auto vlan5
auto vlan101

# VLAN 4
iface vlan4 inet static
address 192.168.0.8
netmask 255.255.255.192
network 192.168.0.0
broadcast 192.168.0.63
mtu 1500
vlan_raw_device eth0

# VLAN 5
iface vlan5 inet static
address 10.0.111.8
netmask 255.255.255.0
network 10.0.111.0
broadcast 10.0.111.255
mtu 1500
vlan_raw_device eth0

# VLAN 101
iface vlan101 inet static
address 172.12.101.8
netmask 255.255.255.0
network 172.12.101.0
broadcast 172.12.101.255
gateway 172.12.101.1
mtu 1500
vlan_raw_device eth0

Note: You have to replace my IP addresses, network masks and gateway IP address with your own.

3. Make sure that the switch interface you are connected to is configured with the respective VLANs.

4. Restart your network interface:
sudo /etc/init.d/networking restart

You should see something like:

Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 4 to IF -:eth0:-
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 5 to IF -:eth0:-
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 101 to IF -:eth0:-

And this is it. Nice and easy. Happy VLANing!
