Re: Resource consumption.
Hi Chris,

> I think you might be overlooking the value of the 'nice' shell builtin - try:

Indeed. Thanks.

Regards
Rudi.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Resource consumption.
Hi,

Thanks Russell,

> > I'm pretty sure I have a cron job analysing apache logs which is
> > consuming too much of the system's resources. So much is spent on
> > Webalizer and Awstats that the web server stops answering requests.
>
> CPU time or IO bandwidth?

CPU time is what I meant. Sorry, I should be more clear.

> > The output of `uptime` was something like 2.2 before I manually kill
> > the script and all is OK again.
>
> 2.2 should not be a great problem. A machine that has a single CPU and
> a single hard disk probably won't be giving good performance when its
> load average exceeds 2.0, but it should still work.

I thought that if the load average went above 1.0 that this was bad and meant you need to do something to help bring the load under 1.0.

Even one process of Awstats uses heaps of CPU - over 90%.
Maybe I need to create a user account for processing Apache logs and limit CPU consumption with 'ulimit' or something ??

Cheers
Rudi.
Re: Resource consumption.
Hi,

OK sorry I found the answer. Next time I'll try harder before I bother you.

I found out about the `wait` command in Bash scripting. I'll try something like:

# do webalizer
for i in /var/log/apache/access_tmp/*-access_log; do
    site=`echo $i | sed 's/\/var\/log\/apache\/access_tmp\///'`
    site=`echo $site | sed 's/-access_log//'`
    if [ -e /etc/webalizer/$site.webalizer.conf ];
    then
        webalizer -D /var/log/webazolver/dns_cache.db -c \
            /etc/webalizer/$site.webalizer.conf;
        WEB_PID=$!;
        wait $WEB_PID;
    fi
done

Cheers
Rudi.
Re: Resource consumption.
Hi,

Me again ..

I guess what I want to do is have this script execute webalizer once at a time, waiting until webalizer is finished before starting again. Instead the script fires off many webalizers at once.

Sorry I guess my simple bash skills are not up to scratch. I'll head over to tldp.org to see if I can't find the answer.

> # do webalizer
> for i in /var/log/apache/access_tmp/*-access_log; do
> site=`echo $i | sed 's/\/var\/log\/apache\/access_tmp\///'`
> site=`echo $site | sed 's/-access_log//'`
> if [ -e /etc/webalizer/$site.webalizer.conf ];
> then
> webalizer -D /var/log/webazolver/dns_cache.db -c \
> /etc/webalizer/$site.webalizer.conf;
> fi
> done
>

Cheers
Rudi.
Resource consumption.
Hi,

I'm pretty sure I have a cron job analysing apache logs which is consuming too much of the system's resources. So much is spent on Webalizer and Awstats that the web server stops answering requests.

The output of `uptime` was something like 2.2 before I manually kill the script and all is OK again.

What can I do about this ?

Here is my simple bash script:

# do webazolver
for i in /var/log/apache/access_tmp/*-access_log; do
    webazolver -N 20 -D /var/log/webazolver/dns_cache.db $i
done

# do webalizer
for i in /var/log/apache/access_tmp/*-access_log; do
    site=`echo $i | sed 's/\/var\/log\/apache\/access_tmp\///'`
    site=`echo $site | sed 's/-access_log//'`
    if [ -e /etc/webalizer/$site.webalizer.conf ];
    then
        webalizer -D /var/log/webazolver/dns_cache.db -c /etc/webalizer/$site.webalizer.conf;
    fi
done

It just loops through the apache logs and analyzes them. I even use 'webazolver' to try and help but still grinds down the machine.

I currently have this script fire every 4 hours. So the logs are not too big.

I'm thinking maybe to add a `sleep 300` or something to the script. Maybe it's better to check if one instance of Webalizer is already running then sleep and try again.

Any suggestions.
I have about 20 virtual sites on this box and 400 on another.

Many thanks
Regards
Rudi.
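
One way to combine the ideas raised in this thread (the 'nice' priority, one analyzer at a time, and skipping a run while the previous one is still active) is sketched below. This is an added example, not code from any poster; ANALYZER, LOCK_DIR, NICE_LEVEL and the --run switch are assumptions, while the log, config and DNS cache paths are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread): serialized, low-priority log analysis.
# LOG_DIR, CONF_DIR and DNS_CACHE are the paths used in the post; ANALYZER,
# LOCK_DIR, NICE_LEVEL and the --run switch are assumptions of this example.
LOG_DIR=${LOG_DIR:-/var/log/apache/access_tmp}
CONF_DIR=${CONF_DIR:-/etc/webalizer}
DNS_CACHE=${DNS_CACHE:-/var/log/webazolver/dns_cache.db}
ANALYZER=${ANALYZER:-webalizer}
LOCK_DIR=${LOCK_DIR:-/var/run/logstats.lock}
NICE_LEVEL=${NICE_LEVEL:-19}

# "/some/dir/example.org-access_log" -> "example.org", without two sed calls.
site_from_log() {
    name=${1##*/}
    printf '%s\n' "${name%-access_log}"
}

# mkdir either creates the directory or fails, atomically, so two cron runs
# cannot both take a fresh lock. A lock whose recorded PID no longer exists
# is treated as stale and taken over (best effort).
acquire_lock() {
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "$$" > "$LOCK_DIR/pid"
        return 0
    fi
    oldpid=$(cat "$LOCK_DIR/pid" 2>/dev/null || true)
    if [ -n "$oldpid" ] && ! kill -0 "$oldpid" 2>/dev/null; then
        rm -rf "$LOCK_DIR"
        mkdir "$LOCK_DIR" 2>/dev/null || return 1
        echo "$$" > "$LOCK_DIR/pid"
        return 0
    fi
    return 1
}

release_lock() {
    rm -rf "$LOCK_DIR"
}

# Runs the analyzer once per site that has a config; prints how many ran.
run_reports() {
    count=0
    for log in "$LOG_DIR"/*-access_log; do
        [ -f "$log" ] || continue      # the glob matched nothing
        site=$(site_from_log "$log")
        conf="$CONF_DIR/$site.webalizer.conf"
        [ -e "$conf" ] || continue     # site has no webalizer config
        # A foreground command blocks the loop until it exits, so only one
        # analyzer runs at a time; `wait` and $! apply only to jobs started
        # with &. nice lowers its CPU priority so the web server gets the
        # CPU when both want it.
        nice -n "$NICE_LEVEL" "$ANALYZER" -D "$DNS_CACHE" -c "$conf" ||
            echo "analysis failed for $site" >&2
        count=$((count + 1))
    done
    echo "$count"
}

main() {
    if ! acquire_lock; then
        echo "previous run still active, skipping" >&2
        return 0
    fi
    trap release_lock EXIT
    trap 'exit 1' INT TERM
    run_reports >/dev/null
}

# The cron entry calls this script with --run; without it only the
# functions are defined.
[ "${1:-}" != "--run" ] || main
```

nice only addresses CPU contention, which is what the follow-up in this thread says the problem was; it does not limit disk I/O.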
Re: SSH access restrictions
Hi,

> Did you try c) already? Did it work effectively?

No not yet. Still in research/checking out the options mode.

> but c) is not OpenSSH right?

Correct. Sorry I forgot to mention that in my options list.
I've only skimmed over the license so far. It will require a closer look to make a proper assessment.
When I've done that I'll list the options again.

Cheers
Rudi.
Re: SSH access restrictions
Hi,

> Our rbash shells don't have access to vi ... or much else! Their
> path is set to "/usr/local/lib/rbash-bin/" and that directory has
> sym-links to a few selected binaries.
>
> Still I don't regard the rbash setup as secure.

Yes but it sounds OK for your needs.

In this case I need, or want, to restrict a fully logged in user. So I can offer ftp and ssh access.

To summarize the options I've found so far:

a) PAM chroot
b) rbash - restricted shell
c) SSH2 chroot access.

In this case the machine in question is a remote virtual server with only SSH access. So I think c) may be the go.
If I had local users I guess a) or b) with a) having stronger security.

Regards
Rudi.
Re: SSH access restrictions
Hi,

Thought I'd post something I found on the net about rbash. I haven't tested it yet.

[quote]
But it's possible to get out from this chroot.

woockie_at_twoflower:~$ cd ..
rbash: cd: restricted
woockie_at_twoflower:~$ vi foo

in vi:
:set shell=/bin/sh
:shell

woockie_at_twoflower:~$ cd ..
woockie_at_twoflower:/home$
[end quote]

It's disappointing if it's that easy.
Still if they do get out and misbehave you could catch them with monitoring.

For stronger restrictions PAM chroot and http://www.grsecurity.org is a class option.

Cheers
Rudi.
Re: SSH access restrictions
Hi Ian,

> We have a set-up that uses "rbash". The client gets "rbash" as a
> login shell and his path is preset to a directory that has a few
> chosen executables in it.

Most interesting. Sounds like it would do just what I want. I'm on to it.

> I suspect a determined hacker could get around this, but it
> discourages most abusers.

We can only try. If they do get out I still try and catch 'em with Firewall rules, hashed log files, Tripwire, Snort packet sniffing/logging.
Plus those trusty back ups come in handy sometimes :-)

Many thanks,
Best regards
Rudi.
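
The rbash set-up described in this thread is only as strong as the programs linked into the PATH directory, as the quoted vi example shows. The following audit of such a directory is an added example, not something any poster supplied; the list of program names other than vi and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rbash PATH directory.
# Usage (script name is hypothetical):
#   audit-rbash-bin.sh /usr/local/lib/rbash-bin

# Programs that can start another shell or command from inside themselves.
# vi is the case quoted in the thread; the remaining names are assumptions
# added for this example and the list is not exhaustive.
is_escape_capable() {
    case ${1##*/} in
        vi|nvi|vim|vim.*|view|ex|ed|less|more|man) return 0 ;;
        sh|bash|dash|ksh|zsh|csh|tcsh) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one line per finding; returns 0 only when nothing was found.
audit_rbash_bin() {
    dir=$1
    findings=0
    # If the directory is group- or world-writable, a restricted user may be
    # able to add a link of their own and the allow-list means nothing.
    case $(ls -ld "$dir" 2>/dev/null) in
        d????w*|d???????w*)
            echo "WRITABLE $dir"
            findings=$((findings + 1)) ;;
    esac
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # Check both the name the user types and what the link finally
        # resolves to, so a harmless-looking name does not hide an editor.
        target=$(readlink -f "$entry" 2>/dev/null || true)
        if is_escape_capable "$entry" || is_escape_capable "$target"; then
            echo "ESCAPE ${entry##*/} -> ${target:-unresolved}"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run the audit when a directory is given on the command line.
[ $# -eq 0 ] || audit_rbash_bin "$1"
```

A clean result only means none of the listed programs is reachable; every remaining binary still needs reviewing for its own way of running commands.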
Re: SSH access restrictions
Marc,

Thanks. http://www.grsecurity.net looks very interesting.

Another couple of jobs have popped up which I need to address first so I don't think I'll be working on this 'til later in the week.
When I do I'll be sure to post an update to the list.

Many thanks to you all. It would not be possible to come this far on my own without this list's assistance/advice.

Best regards
Rudi.

Marc Schiffbauer wrote:

> * Rudi Starcevic wrote on 19.10.03 at 04:30:
> > Thanks Marc,
> > Thanks also to Russel.
> >
> > > I did it with pam_chroot which is really nice
> >
> > Great - I'll start looking here.
> > Currently we only really offer FTP access but would like to include
> > SSH access too.
> >
> > I know with the right permissions a user account cannot do any damage
> > but I would just like to prevent these people from snooping around.
> >
> > I want to allow users to be able to SSH in and use things like
> > Postgresql, mysql and cron but not read /etc/passwd or
> > /etc/mail/virtusertable etc. etc.
>
> Rudi,
>
> additionally you may want to use the grsecurity Kernelpatch which makes
> chroot() environments a lot more secure. Without this patch it is not
> too difficult to break out of a chroot.
>
> -Marc
Re: SSH access restrictions
Hi Jason,

> Let us all know if this works for you, as I (and I think quite a few ppl
> that run ISPs) would be interested to know if this actually works or not

For sure. Will be spending more time on this later today and will report my success/failures/questions.

Cheers
Rudi.
Re: SSH access restrictions
Thanks Jason,

> Usually you can't... as they have dependency problems.

Well I think it may be OK to just use the 'testing' .deb.
Why ? Because I just did.

It all installed OK without any errors. I just downloaded it and dpkg -i it.
I haven't used it yet as I'm still reading the readme but it has successfully put a pam_chroot.so in the /lib/security dir. and libpam-chroot in /usr/share/doc.

Fingers crossed it'll work just fine.

To be thorough I'll head over to http://www.apt-get.org now.

Cheers
Rudi.

> > Hi,
> >
> > Just a quick question on libpam-chroot.
> >
> > This package is not available in 'stable'.
> > I've only ever used 'stable'.
> >
> > It should be OK to grab this package from 'testing' and use it hey ?
>
> Usually you can't... as they have dependency problems. What you need
> is a "backport" to stable... search on Google for one
> (http://www.apt-get.org/ is one) and see if anyone has a backport
> for it. Hopefully they do... I'd be interested in CHROOT as well.
>
> I've heard of something called "jailshell" as offered on some control
> panels like cPanel, but not sure what it actually is. So I know it's
> possible... just haven't found a reliable way. Advanced users can probably
> figure out ways to break out of the jail, but at least it helps a bit.
Re: SSH access restrictions
Hi,

Just a quick question on libpam-chroot.

This package is not available in 'stable'.
I've only ever used 'stable'.

It should be OK to grab this package from 'testing' and use it hey ?

Thanks again
Regards
Rudi.
Re: SSH access restrictions
Thanks Marc,
Thanks also to Russel.

> I did it with pam_chroot which is really nice

Great - I'll start looking here.
Currently we only really offer FTP access but would like to include SSH access too.

I know with the right permissions a user account cannot do any damage but I would just like to prevent these people from snooping around.

I want to allow users to be able to SSH in and use things like Postgresql, mysql and cron but not read /etc/passwd or /etc/mail/virtusertable etc. etc.

Many thanks.
Best regards
Rudi.
SSH access restrictions
Hi,

Is there any way to restrict a non-root user's shell account ?

For example once he/she is logged in is there any way to deny, say, reading the /etc/passwd file ?

Can they be restricted like the way a user can be restricted using FTP ?

I know I could use a tool like Snort to watch what's going out, for example /etc/passwd, except using SSH because it's encrypted.

To my knowledge so far I cannot prevent an SSH user from reading system files.

Cheers
Rudi.
Re: Automated solutions for a small ISP
Hi,

> Idea 1) Write a system which keeps the hosts information (and in
> future - user information) in some kind of a database (file,
> MySQL or LDAP, probably I'll choose MySQL) and generates configuration
> files. Advantages: easy to implement. Disadvantages: limited use.

This is the way I do it.
I use Postgresql and PHP to store and write config. files. Then the config. file is sent to the remote machine.

>> Disadvantages: limited use.

How so ? A Relational database can store huge amounts of data. It's simple to send a machine some config data. I use both Daemons and Cron jobs to listen/check for new config data.

I like this method and plan to stick with it.

Regards
Rudi.
Re: Debian-based hosting needed
Hi,

You could check out http://www.aktiom.net

Haven't used 'em yet but have plans to very soon.

Cheers
Rudi.
Re: Sendmail or Qmail ? ..
Martin,

Very good. More food for thought and consideration.

Thanks
Regards
Rudi.

martin f krafft wrote:

> thus spoke Dale E Martin <[EMAIL PROTECTED]> [2003.09.04.1447 +0200]:
> > Has it been covered before on this list? I for one would be interested in
> > elaboration, if there is something technically inferior about exim or
> > postfix to qmail or sendmail? Or politically, I suppose, since much of
> > people's dislike about qmail has more to do with "political" than
> > technical reasons.
>
> random notes (these are facts and opinions, please don't flame me):
>
> - sendmail and exim are both single setuid binaries. bad.
> - postfix is the most performant of all four.
> - qmail has an interesting but possibly confusing configuration paradigm
> - postfix has the easiest configuration, IMHO.
> - qmail has a good integration with one of the fastest mailing list
>   servers, ezmlm.
> - exim is very extensible.
> - qmail does not come with anything but basic mail transfer stuff. if you
>   want things like tls or sasl, you have to patch.
> - qmail isn't available as a binary package for Debian.
> - qmail support includes being flamed by the author
> - postfix and exim support are available here, and if only by me and dman
>   respectively (note that you have to mention my name in a post if you
>   want me to see it. i am writing my phd and am thus filtering messages
>   to not be flooded)
> - ralf hildebrandt uses postfix (he's the guru, next to wietse. can't
>   think of any more.
Re: Sendmail or Qmail ? ..
Hi,

First thanks to all who have replied. We're all busy so I do appreciate the time taken to tap out a reply message.

It's very interesting and in some ways what I expected. There is no right or wrong. Just like programming there are many ways to the top of the mountain.

So for me it's come down to a choice of three.

a) Sendmail
b) Qmail
c) Postfix.

Well Qmail is out I think - for Religious reasons. See I'm Religious - that's why I use and love Debian ;-)

As for Sendmail, well some say it's full of holes but as Eric has noted those bugs get ironed out pronto and apt sorts the rest out ( though I like to compile from source ).
Others say it's hard to understand or configure. That's true but if you've read the Sendmail 'Bat' book, which I have, then it's not that complicated at all ( well actually the 200 pages of regular expressions was kinda complicated ).

I've looked into Postfix briefly before and will re-examine it.
My goal is to maximize security. Postfix is well known to be very secure and stable, some would say it's kinda like an improved Sendmail.

So it looks like a choice between two for me: Sendmail or Postfix.
I think I'm going to sleep on this one.

Again many thanks for your valuable time.

Cheers
Rudi.

> On Thu, 2003-09-04 at 01:43, Rudi Starcevic wrote:
> > Hi,
> >
> > Sorry to bother you all with this repeat question.
> > I have searched around and seen plenty of opinions but I'd like to
> > ask again and get the latest from this list.
> >
> > Sendmail or Qmail ? That is my question.
>
> Rudi,
> I work at an ISP that used to use Qmail, but now uses Sendmail.
> There are several reasons why the switch was made, none having
> anything to do with the "religion" surrounding either one. The
> following is my opinion, illustrated with some examples from my company.
>
> First, scale is a consideration. Once we began to grow our customer
> base, our email volume began to increase dramatically. Qmail queues
> everything to disk, so the more mail you do, the more pressure you
> put on your disk I/O. The server running Qmail was always blocking
> while it tried to keep up with the disk writes. We had to decide
> whether to spend huge $$$ on a big-iron server to handle it all, or
> to go cheap and modular using some other MTA. We opted for the
> latter. We replaced our single mailserver with four mail routing
> servers and two mail storage servers, where customer accounts reside.
>
> Sendmail uses RAM more heavily than Qmail, relieving some of the disk
> I/O pressure, and improving performance under heavy loads. In order
> to go modular, we needed a directory service to tie it all together (so
> that each mail router can reference a system-wide config, and figure
> out where the mailbox is). We chose OpenLDAP. At the time (1999), Qmail
> did not have LDAP support (correct me if I'm wrong). Sendmail did.
> Even if Qmail did have LDAP support then, Sendmail's source was
> *much* easier to dig through for the performance tuning we did.
>
> Sendmail's milter plug-in system has also been invaluable when we
> implemented server-side bayesian spam filtering, and as we work on virus
> scanning.
>
> Today we are very happy with our Sendmail installation. Debian and
> Sendmail play very happily together, and with our modular setup we
> process over 4 million messages a day with over 60,000 mailboxes.
> Yes, Sendmail has had several high-profile vulnerabilities, but with
> Debian and apt, we were able to stay on top of it with little
> difficulty. I can see how Qmail could look attractive to a smaller
> site with a less complex setup, but for us, Sendmail was the way to go.
>
> Regards,
> Eric
Re: Sendmail or Qmail ? ..
Hi,

> so how does exim compare in all of this?

Sorry Jamie - In my case, and my case alone, Exim doesn't compare.
There are many very good MTAs out there.
For me I know Sendmail - ( I compile from source ).
I've heard lots of good things about Qmail so I did consider that one only.
Also every Guru I've met in person uses Sendmail. Not that it means much but I do admire those Gurus.

Thanks all again. It's lookin' like Sendmail for me ..

Cheers
Rudi.
Re: Sendmail or Qmail ? ..
Hi,

>> Why change something that's working perfectly ??

Greg .. Yes that's what I was thinking .. -- but that's what they also said in Nth America 'til the recent blackouts :-(

>> And it has no parallel in security (AGES and AGES better than sendmail)

Alex .. That's what mostly appeals to me over Sendmail.

>> I (and my employer) have picked Sendmail. We make considerable use of a GPL product called MIMEDefang:
>>

Mark .. Thanks I'll check that one out - Hope to see you in Brisbane at the next meeting, we've met there before ( small world hey ! )

I'll probably be sticking with Sendmail. But for sure even though I've not had problems, touch wood, Security is the only reason I look elsewhere than Sendmail.

Many thanks for your time ..

Regards
Rudi.
Sendmail or Qmail ? ..
Hi,

Sorry to bother you all with this repeat question.
I have searched around and seen plenty of opinions but I'd like to ask again and get the latest from this list.

Sendmail or Qmail ? That is my question.

Currently we use Sendmail. It's worked fine, well actually problem free so better than fine - I've got the Sendmail book and all.
However we will be setting up some new email servers soon and I'm considering Qmail.

As I hold this list in high regard I'll base my final decision on the feedback I get from this list.

At this stage I'm leaning towards sticking with Sendmail but something inside wants to know more about Qmail.

If you *had* to pick one of these two which would it be ?

Many thanks
Best regards
Rudi.
Re: Servers with X.
Hi,

I must also need some minimal X packages on the Host machine as currently the 'xhost' binary is not even there.

I'm just searching around now. I see there is an 'xbase-client' but no 'xbase-server' packages.
I must have to install X-something on the host/server box so I can at least use 'xhost'.

I set this machine up more than 18 months ago with as minimal a set up as I could at that time. Just a base install with C compilers so I could compile PostgreSQL, no X stuff whatsoever.

Thanks.
Kind regards
Rudi.

Thomas Lamy wrote:

> Jeff Waugh wrote:
> > On Tue, 2003-08-19 at 09:28, Rudi Starcevic wrote:
> > > Is it bad practise to use X on your Debian ISP/Hosting machines ?
> > > Here I have 4 boxes all without X.
> > > I've always been of the impression X on servers was not good.
> >
> > It's not a terrible thing to do, unless you forget to correctly firewall
> > your machines. :-)
>
> [...]
>
> > You don't need to install an X server on the local machine to use it. If
> > you install the tcl app, and ssh to the box using X forwarding (-X), you
> > can display the program on your own local X server.
> >
> > [ desktop ] --> [ firewall ] --> [ db-server ]
> >   X server                         ssh
> >   ssh                              no X server
> >
> > Fully encrypted, secure access to X software on your db-server, without
> > running (or even having) a full X server on the machine. :-)
>
> But you need at least xbase-clients (and its dependants) on your client
> machine for X authentication and stuff.
> Beside this, I was under the impression that the default X config is _not_
> to listen on public interfaces or TCP sockets (not sure on this one). At
> least KDE's desktop is by default configured this way.
>
> Thomas
Re: Servers with X.
Thanks Jeff,

Yeah I thought of X forwarding with SSH but I was under the wrong impression I needed an X server on both machines.

Thanks for clearing that up ..

Cheers
Rudi.

Jeff Waugh wrote:

> On Tue, 2003-08-19 at 09:28, Rudi Starcevic wrote:
> > Is it bad practise to use X on your Debian ISP/Hosting machines ?
> > Here I have 4 boxes all without X.
> > I've always been of the impression X on servers was not good.
>
> It's not a terrible thing to do, unless you forget to correctly firewall
> your machines. :-)
>
> > I have one box, a database server - PostgreSQL, which has a cool TCL
> > monitoring app. I'm interested in using.
> > This GUI app. monitors server load and running queries etc.
> > I'll need to install X in order to use it - which I'm not sure is such
> > a good idea.
>
> You don't need to install an X server on the local machine to use it. If
> you install the tcl app, and ssh to the box using X forwarding (-X), you
> can display the program on your own local X server.
>
> [ desktop ] --> [ firewall ] --> [ db-server ]
>   X server                         ssh
>   ssh                              no X server
>
> Fully encrypted, secure access to X software on your db-server, without
> running (or even having) a full X server on the machine. :-)
>
> - Jeff
Servers with X.
Hi,

Is it bad practise to use X on your Debian ISP/Hosting machines ?
Here I have 4 boxes all without X.
I've always been of the impression X on servers was not good.

I have one box, a database server - PostgreSQL, which has a cool TCL monitoring app. I'm interested in using.
This GUI app. monitors server load and running queries etc.
I'll need to install X in order to use it - which I'm not sure is such a good idea.

It's a bummer it's not an ncurses job instead of X.

Any thoughts ?

Thanks
Rudi.
Re: running two database on the same box
Hi,

We have PG and Mysql in production on 2 boxes - no problems.

In fact, please forgive me it's not my fault, we have all this on one production box: Postgresql, Mysql, Bind, Sendmail, Perl, PHP, Apache, Coldfusion and Java.
Been running smoothly for more than 2 years.

Cheers
Rudi.

Shri Shrikumar wrote:

> Hi,
>
> I just wanted to check if there were any problems running mysql and
> postgresql together in a production environment.
>
> I tried googling with no luck.
>
> Any pointers appreciated.
>
> Shri
Re: CGI and PHP Scripts
Anand,

Maybe try looking at setting PHP to 'safe mode'

Cheers
Rudi.

Anand Atreya wrote:

> Hi,
>
> I have just recently begun using Debian and am in the process of migrating
> a FreeBSD 4.4 server over to it. This server had many different users and
> allowed them to execute CGI and PHP scripts in their public_html folder (or
> any folder under it) as their own user, not as the user of the webserver,
> using mod_cgiwrap and mod_phpcgiwrap (from Steven Haryanto). The site where
> this was located (http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html) no
> longer exists, and in hindsight, it seems as if mod_cgiwrap was not a very
> secure solution to begin with.
>
> Does anybody have any recommendations on how to set up a virtual hosting
> Apache server such that users can have CGI and PHP scripts execute as
> themselves, without having to put #!/usr/bin/php at the top of php scripts,
> and that is completely transparent to the user, also allowing them to place
> scripts anywhere in their document root?
>
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not using
> the www.domain.com/~username address, it did not execute the script, saying
> it was not in the document root. Does anyone know what the default document
> root is for the Debian configuration of suexec?)
>
> Thanks a lot.
>
> --
> Anand Atreya
Re: HTTP execute
Excellent .. Thanks. Regards Rudi. Achim Schmidt wrote: try this: lynx --source http://my_url/my.php > /dev/null - Achim On Tue, 2003-06-17 at 02:55, Rudi Starcevic wrote: Hi, I'd like to execute a php script on Apache via a cron job. All I want to do is execute the file not download it. So far I've tried wget and lynx without the results I'd like. Wget downloads the file and the lynx command opens up lynx in a terminal. Any tips ? Thank you kindly Best regards Rudi.
HTTP execute
Hi, I'd like to execute a php script on Apache via a cron job. All I want to do is execute the file not download it. So far I've tried wget and lynx without the results I'd like. Wget downloads the file and the lynx command opens up lynx in a terminal. Any tips ? Thank you kindly Best regards Rudi.
Re: Max. File Size
Achim, Thanks for your reply, How can I see the maximum file size allowed ? I'd like to know what's the largest file I can create and/or if I can increase/decrease this size. Thanking you .. Best Regards Rudi. Achim Schmidt wrote: Hi, this means your system can handle a maximum of 8192 file-handles at one time. - Achim On Mon, 2003-06-02 at 06:56, Rudi Starcevic wrote: Hi, cat /proc/sys/fs/file-max 8192 Is that how I can see what the current max file size is for my system ? If so is that saying ? 8192 what ? Thanks Rudi.
Max. File Size
Hi, cat /proc/sys/fs/file-max 8192 Is that how I can see what the current max file size is for my system ? If so is that saying ? 8192 what ? Thanks Rudi.
Remove Large File
Hi, I have a file I've created which appears to be too large for my ext2 filesystem. The file I created is a large text file which is a Postgresql database backup. I now know when dumping large databases to pipe the dump command to something like 'split' so that the resulting output file is split into smaller chunks. However before I was aware of this I created a file which is too large to handle. I want to remove this file but am getting this error message: rm: cannot remove `camper.dump20020116': Value too large for defined data type So I'm kinda stuck. I can't access the file whatsoever. Even the file size doesn't appear for me. Any ideas on how I can delete this file ? Thanks Rudi.
Simple Firewall
Hi, I'm learning about iptables as I'll soon be required to fill this role at work. At home I've been learning about firewalling with iptables. For my home network I have this simple set of rules I'm wondering is OK or needs improvement. My LAN is one gateway box and one laptop - pretty simple. Below you will see 4 sets of rules. Do you think they're satisfactory ? I use eth0 on the LAN and ppp0 for web access. I have my rules based on the device used instead of IP and use the 'state' argument quite freely. Thank you kindly - I very much appreciate your words and time. Kind regards Rudi.

# MASQUERADING / NAT RULES for LAN for my laptop to surf the web
# postrouting rule (NAT)
iptables --table nat --append POSTROUTING -o ppp+ -j MASQUERADE

# FORWARDING RULES for LAN -- for my laptop to surf the web
# forwarding outbound
iptables --append FORWARD --in-interface eth0 --out-interface ppp0 -j ACCEPT
# forwarding inbound
# iptables --append FORWARD --in-interface ppp0 --out-interface eth0 -j ACCEPT
iptables --append FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# INPUT and OUTPUT for LAN for my laptop to connect to the gateway box ( ssh,ftp,http etc )
iptables --append INPUT --in-interface eth0 -j ACCEPT
iptables --append OUTPUT --out-interface eth0 -j ACCEPT

# INPUT and OUTPUT for this BOX - so I can use things like wget from the gateway box.
iptables --append INPUT -m state --state RELATED,ESTABLISHED --in-interface ppp0 -j ACCEPT
iptables --append OUTPUT --out-interface ppp0 -j ACCEPT

# enable ftp from this box
/sbin/insmod /lib/modules/2.4.18/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
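
Whether the rules in this post filter anything depends on the chain policies, which the post does not show: a chain with only ACCEPT rules appended and an ACCEPT policy lets everything through. The following is an added example, not part of the original post: the same interface-based rules in iptables-restore format with INPUT and FORWARD set to DROP, plus a check that can be run over iptables-save output. The function names, the loopback rule and the ACCEPT policy for OUTPUT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Load (as root):        gen_ruleset | iptables-restore
# Audit a running box:   iptables-save | policies_default_deny

# Print the post's rule set with explicit policies. Interface names
# (eth0 = LAN, ppp0/ppp+ = Internet) are taken from the post.
gen_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read iptables-save style text on stdin. Succeed only if the filter
# table's INPUT and FORWARD chains both have policy DROP; other tables
# (nat, mangle) are ignored even if they have chains of the same name.
policies_default_deny() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD) / {
            seen++
            if ($2 != "DROP") bad++
        }
        END { exit !(seen == 2 && bad == 0) }
    '
}
```

With OUTPUT left at policy ACCEPT, the post's two OUTPUT rules are redundant and are omitted here.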
Apache to rewrite or not ..
Hi, In my apache error log we have a lot of requests for i) default.ida and ii) cmd.exe In Linux this appears to be pretty much harmless - I think. It is however annoying and I'm wondering whether or not to do anything about it. I think all I can really do is use mod_rewrite to send these requests to another page, like a friendly page which tells the hacker where to go ;-) Is this my only option ? Maybe it's best to do nothing and not risk upsetting / provoking the hacker to try even harder to get in. Should I mod_rewrite or do nothing ? Thanks Kind regards Rudi.
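
One way to see how much of this traffic there is and where it comes from before deciding on a rewrite rule, as an added example that is not part of the original post: a per-client count of default.ida and cmd.exe requests taken from Apache error-log lines. The log lines are constructed samples using documentation addresses, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# On a real server:  probe_summary < /path/to/apache/error.log

# Constructed sample lines in the Apache 1.3 error-log layout.
sample_error_log() {
    cat <<'EOF'
[Tue Jun 17 02:55:10 2003] [error] [client 192.0.2.10] File does not exist: /var/www/default.ida
[Tue Jun 17 02:55:11 2003] [error] [client 192.0.2.10] File does not exist: /var/www/scripts/cmd.exe
[Tue Jun 17 02:57:40 2003] [error] [client 198.51.100.7] File does not exist: /var/www/DEFAULT.IDA
[Tue Jun 17 03:01:02 2003] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Tue Jun 17 03:04:19 2003] [error] [client 192.0.2.10] File does not exist: /var/www/msadc/cmd.exe
EOF
}

# Read error-log lines on stdin and print "client count" for every client
# that asked for default.ida or cmd.exe, busiest client first.
probe_summary() {
    awk '
        {
            # match the two file names from the post, ignoring case
            if (tolower($0) !~ /(default\.ida|cmd\.exe)/) next
            # the address sits between "[client " and the next "]"
            start = index($0, "[client ")
            if (start == 0) next
            rest = substr($0, start + 8)
            end = index(rest, "]")
            if (end == 0) next
            hits[substr(rest, 1, end - 1)]++
        }
        END { for (c in hits) print c, hits[c] }
    ' | sort -k2,2nr -k1,1
}
```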
Re: mod_log_sql? also missing: mod_throttle
Jeremy, I tried "apt-cache search thorttle" and got nothing try throttle instead of thorttle Cheers Jeremy Zawodny wrote: On Fri, Mar 28, 2003 at 01:07:23AM +0100, Peter Holm wrote: ... also missing: mod_throttle... don't you isp-guys use these essential modules? ok, mod_throttle found, but major problems with mod_log_sql... Really? I tried "apt-cache search thorttle" and got nothing. Jeremy
Re: Bandwidth monitoring
Hi Fraser, For monitoring bandwidth we write scripts which read the logs for apache, ftp and smtp. The extracted data is then inserted into a postgresql database. You can then do all sorts of SQL to analyze the data. As users approach their limits they are emailed to notify them. If the users go over their quota the bytes are added up and added onto the users accounts. We've written these scripts in Perl but in future I plan on using PHP as a scripting language to do this. Hope this helps. Regards Rudi. Fraser Campbell wrote: Hi, When installing servers in a colocated environment what do people suggest for monitoring bandwidth used by virtual hosts on that server? Traffic will be http, https and smtp. I'm hoping this can be accomplished without dedicating an IP to each host/domain (with the exception of https of course). Thanks, Fraser
Re: File too large ??
Hi Jeremy, Thanks for your reply. I just got back in after the weekend. I have the system output to the questions you've asked. I hope this sheds some light I'm still not sure as to why I'm getting the error, No this is not under NFS. I didn't install the system but I know it's Potato with an upgraded Kernel.

uname -mpsr
Linux 2.4.18 i686 unknown

dpkg -l fileutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==-==-
ii fileutils 4.0l-8 GNU file management utilities.

mv --version
mv (GNU fileutils) 4.0l
Written by Mike Parker, David MacKenzie, and Jim Meyering.
Copyright (C) 1999 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Thanks kindly Best Regards Rudi.

Jeremy C. Reed wrote: On Fri, 17 Jan 2003, Rudi Starcevic wrote: mv camper.dump20020116 camper_bak/ The error I get is :: mv: camper.dump20020116: Value too large for defined data type Maybe you are using 32-bit software instead of using 64-bit. Maybe you need to use newer fileutils package. Also, make sure your kernel supports big files too. What does the following tell us? uname -mpsr dpkg -l fileutils mv --version Or is this under NFS? Jeremy C. Reed echo 'G014AE824B0-07CC?/JJFFFI?D64CB>D=3C427=>;>6HI2> tr /-_ :\ Sc-y./ | sed swxw`uname`w
File too large ??
Hi, After doing a database backup ( postgresql :: pg_dump ) on a database I'm unable to access the file. My command is simply 'mv' :: mv camper.dump20020116 camper_bak/ The error I get is :: mv: camper.dump20020116: Value too large for defined data type Strange. It seems to be saying the file I created is too large to handle. I'm using Debian 2.2. Do you know where I've gone wrong ?? What can I do to fix this ?? I just want to dump one of my databases, move it to a back up dir. then make changes to the running database. Thank you kindly Regards Jason