linux virtual server and coda

2005-01-10 Thread Francesco P. Lovergine
I'm evaluating an HA architecture based on LVS. Coda fs is a possible
choice for distributed files among the real servers. It would be
used for generic files, not for the DBMS, of course. Is it an affordable
solution? Does anyone have first-hand experience with it?

-- 
Francesco P. Lovergine




Re: phpBB vulnerability exploited

2004-12-13 Thread Francesco P. Lovergine
On Mon, Dec 13, 2004 at 01:44:41PM +0200, Boris Pavlov wrote:
> 
> limit with php opendir. make another tmp directory, and set php temp dir, 
> with all permissions you want. limit the system function, if you don't need 
> it. they are per-vhost apache settings, check the manuals.
> 

I run apache using dchroot to avoid the most common problems.
Breaking a chroot is possible, but not so easy, and it's more
difficult within dchroot, which _should_ drop privileges properly AFAIK.
I do that commonly for hosting services where users can run their own
php and cgi scripts. That cannot avoid the creation of shell services,
surely, but it avoids password cracking, use of cron, access to kernel
modules and log files, and so on.

-- 
Francesco P. Lovergine


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Limiting User Commands

2004-11-09 Thread Francesco P. Lovergine
On Sun, Nov 07, 2004 at 11:54:40AM -0800, Stephen Le wrote:
> On Sun, 7 Nov 2004 14:41:42 -0500, Stephen Gran <[EMAIL PROTECTED]> wrote:
> > apt-get remove --purge ftp telnet wget gcc
> > rm /usr/bin/ssh /usr/bin/scp
> 
> Unfortunately, I can't do that since I still want some users to be
> able to access those commands. I just want to restrict access to those
> commands from most users. I could install those utilities into another
> directory and set appropriate permissions, but I'd also like system
> accounts to be able to use them, which complicates matters...
>  

Why not install a chroot environment for some users with a limited
number of commands available there?

-- 
Francesco P. Lovergine





Re: apache & log files

2004-11-05 Thread Francesco P. Lovergine
On Fri, Nov 05, 2004 at 09:54:18AM +0100, Wouter Verhelst wrote:
> > 
> > ErrorLog "| mytrickyprog www.mydomain.com"
> 
> Then what's the use? The point was to avoid having ErrorLog directives
> per vhost, since that increases the number of open files.
> 

I'm not an expert on apache internals, but I think it does not open a
permanent pipe file for each directive, does it?

-- 
Francesco P. Lovergine





Re: apache & log files

2004-11-05 Thread Francesco P. Lovergine
On Fri, Nov 05, 2004 at 01:35:28AM +1100, Russell Coker wrote:
> My clftools package allows you to split and mangle the log files if you have 
> Apache configured for a single log file...
> 
Uhm, not found in current sid archive

-- 
Francesco P. Lovergine





Re: apache & log files

2004-11-05 Thread Francesco P. Lovergine
On Fri, Nov 05, 2004 at 09:09:16AM +1100, Craig Sanders wrote:
> > For ErrorLog you can pipe to a suitable program which does the same.
> 
> but this doesn't.  unless apache has added this feature since i last looked
> into this (about six months ago) the "suitable program" has no way of
> separating the error logs for each virtual host, because it's just STDERR with
> no vhost prefix on each line.
> 

ErrorLog "| mytrickyprog www.mydomain.com"

where mytrickyprog simply echoes stdin to the right per-domain file or to
the same log file with the right prefix for each line.
Of course you need a different directive for each vhost. A silly
implementation would use a perl/sh script to do the thing; a more
efficient solution would use a nice tiny C program to do the same.
Both are left as an exercise to the reader :)


-- 
Francesco P. Lovergine
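
A sketch of the "nice tiny C program" described in the message above, added here as an example; it is not part of the original post and not code from any participant. It writes every vhost's errors to one shared file with the vhost name as a line prefix. The install path and LOGFILE are assumptions, and since Apache starts piped log programs as the user that launched httpd (normally root), the tag is validated and the log path is opened without following symlinks.

```c
/* Added example: piped-ErrorLog filter in the spirit of "mytrickyprog".
 * Usage (assumed path): ErrorLog "|/usr/local/sbin/vhost-errlog www.mydomain.com" */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#define LOGFILE "/var/log/apache/error-all.log"   /* assumed path */

/* Accept only hostname characters so the tag cannot carry spaces or newlines. */
int valid_tag(const char *t)
{
    size_t n = strlen(t);
    return n > 0 && n <= 253 &&
        strspn(t, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "0123456789.-") == n;
}

/* Copy in -> out, writing "tag " at the start of every line. Lines longer
 * than the buffer arrive in pieces; only the first piece gets the prefix.
 * Returns the number of lines started. */
long prefix_stream(FILE *in, FILE *out, const char *tag)
{
    char buf[4096];
    long lines = 0;
    int at_bol = 1;                      /* at beginning of a line? */
    while (fgets(buf, sizeof buf, in) != NULL) {
        size_t n = strlen(buf);
        if (at_bol) { fprintf(out, "%s ", tag); lines++; }
        fputs(buf, out);
        at_bol = (n > 0 && buf[n - 1] == '\n');
        if (at_bol) fflush(out);         /* push each finished line out promptly */
    }
    fflush(out);
    return lines;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !valid_tag(argv[1])) return 2;
    /* O_APPEND lets one filter per vhost share the file;
     * O_NOFOLLOW refuses a symlink planted at the log path. */
    int fd = open(LOGFILE, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0) return 1;
    FILE *out = fdopen(fd, "a");
    if (out == NULL) return 1;
    prefix_stream(stdin, out, argv[1]);
    return fclose(out) == 0 ? 0 : 1;
}
```

With this in place, grep '^www.mydomain.com ' on the shared file recovers one vhost's errors.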





Re: apache & log files

2004-11-04 Thread Francesco P. Lovergine
On Wed, Nov 03, 2004 at 11:11:13PM +0100, Marek Podmaka wrote:
> Hello,
> 
>   I have apache 1.3 webserver hosting about 150 domains (more than 400
>   virtual hosts). Now I have separate error log for each domain
>   (something.sk) and separate combined log for each virtual host (for
>   example www.abcq.sk and new.abcq.sk). This has many positives for
>   me: easy to find some data related to each virtual host and that I
>   can make separate statistics for each virtual host. I use awstats.
>   And now the bad side - the number of open files in each apache
>   process is more than 500 just for these log files. It's no problem
>   for now, but with more domains in future it will hit the 1024 per
>   process limit of open files.
> 
>   3) Or you maybe use some other solution to this problem?
> 

I personally prefer a single CustomLog file with a suitable domain
prefix for every domain. That allows nice grepping to extract
information and avoids wasting resources. For ErrorLog you can pipe
to a suitable program which does the same.

-- 
Francesco P. Lovergine





Re: apt-get upgrade

2004-10-27 Thread Francesco P. Lovergine
On Mon, Oct 25, 2004 at 09:20:26AM +1300, Johnno wrote:
> 
> dpkg package is installed, any ideas?
> 
One main suggestion: use an appropriate list, you are OT here.

-- 
Francesco P. Lovergine





Re: Advice for an IP accounting program

2004-10-15 Thread Francesco P. Lovergine
On Fri, Oct 15, 2004 at 05:09:02PM +0200, martin f krafft wrote:
> also sprach Francesco P. Lovergine <[EMAIL PROTECTED]> [2004.10.15.1702 +0200]:
> > The main purpose is to periodically identify boxes on an internal private
> > network which cause very high traffic, due to worms, viruses and so on.
> > A per-IP simple report a la mrtg could be nice.
> 
> apt-cache search ip accounting
> 

Eh eh, that has been the first thing I tried. Unfortunately the (maybe) best
one (ntop) is not in the list. So I suspect apt-cache search is largely not
sufficient for this kind of thing. And btw ntop is largely oversized
for the thing.

-- 
Francesco P. Lovergine





Re: Advice for an IP accounting program

2004-10-15 Thread Francesco P. Lovergine
On Fri, Oct 15, 2004 at 04:12:17PM +0100, Gerhard Venter wrote:
> 
> You might like the bandwidthd Debian package which is at 
> http://fjortis.info/pub/debian/
> 

Mmm, yes, thanks, quite near to what I was looking for; ntop is
unfortunately too complicated for a naive user. If you are
still looking for a sponsor I could be that.

-- 
Francesco P. Lovergine





Advice for an IP accounting program

2004-10-15 Thread Francesco P. Lovergine
The main purpose is to periodically identify boxes on an internal private
network which cause very high traffic, due to worms, viruses and so on.
A per-IP simple report a la mrtg could be nice.

-- 
Francesco P. Lovergine

