Re: reverse name resolution
I'm sorry I thought the given config had 0/25 in it. It has been a while since I was current on RFC2317 but I think it actually uses the netmask not the remaining bits that the network is on. So in the case of a /25 if you have the lower 128 addresses like the gentlemen who started the tread then it would like like: 0/25.37.247.200.in-addr.arpa but if he had the upper 128 then it would be more like: 128/25.37.247.200.in-addr.arpa vec - Original Message - From: Kilian Krause [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 23, 2004 5:18 PM Subject: Re: reverse name resolution well yes (though there was no notion of the /25 in the given config, so how should i have known).. ;) Assuming it's the inverse of the DNS it should be a 7/0.37.247.200.in-addr.arpa for a /25, right? (as in 32-25=7) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Privacy in virtual hosting environment
- Original Message - From: Fraser Campbell [EMAIL PROTECTED] To: debian-isp@lists.debian.org Sent: Monday, April 07, 2003 7:36 AM Subject: Privacy in virtual hosting environment Hi, Since I'm currently setting up my first shared hosting environment in a few years I'm wondering how to adequately address privacy issues. Good, lots of 'em don't care. I plan to provide python (with and without mod_python), perl (perhaps just CGI) as well as PHP support. Is there any way to prevent people from sourcing things above their document root? My main concern is db passwords stored in config files or scripts. I tried using PHP's ini settings within each vhost to ensure people weren't access directories outside the directory for their vhost but that didn't work because PHP screws it all up and gets mixed up with some vhosts parameters bleeding into others and it generates errors in a seemingly random way. suexec is nice for cgi but still doesn't limit a scripts ability to read files outside the a certain directory. It only enforces permissions. So at first my solution to that was to restrict vhost directories by permissions and have a separate group for each vhost that has the apache user in it and then under that directory, everything is world readable. That way, only the user and apache have access to the primary directory and then standard permissions apply after that. So if suexec is running cgi as one user another can get outside their own vhost directory but no inside anyone elses. e.g. directory, owner, group, perms vhost1,user1, group1-apache, 750 vhost1/htdocs, user1, group1, 755 vhost2,user2, group2-apache, 750 vhost2/htdocs, user2, group2, 755 Well that breaks down as soon as apache is in more than the maximum allowed number of groups per user thus limiting you to that number of vhosts per apache instance. I think with apache2 and the mpm that allows different users for different virtual hosts it should be possible but since apache2 isn't in woody I don't like the idea too much. that's finally what I've resorted to. Even though mpm is experimental I have to use it anyway because it really is the best option..USE THE SOURCE, LUKE..heheh My other thoughts are to run multiple instances of apache wth different uids, an alternative might be to run user mode linux or other virtual environment. Both of these options seem quite resource intensive though and multiple apaches would require an IP for every site (I think). been there done thatvery uglymost secure but very ugly. It is a pain to administer and it is pig on the box. Yes each one requires it's own IP address if you are going to have them all listen on port 80 anyway. What are you guys using? I know some that have switched to web servers like Roxen to help solve this issue and make things more secure. I don't know if PHP will run on stuff like that without running it as a CGI instead of having PHP built-in. I know of admins that have run separate instances of apache like you mention above. vec
Re: Subscriber Management System
Sorry, I had someone else interested in assisting in the development of it so I had removed all specific authentication information from the test site so I could send it to him. Try again, it's working now. I have sent a message to each of the administrators of gcdb requesting enlistment as developers on the project on sourceforge so we can move it forward since it hasn't been updated in almost a year and a half. I tried to contribute my mods once before but never received a response from them. Since that time it's come a long way and now that I have someone else interested in helping out as well, we are going to start our own project on sf if we haven't heard from them within a week. vec - Original Message - From: Gregory Wood [EMAIL PROTECTED] To: Vector [EMAIL PROTECTED]; Debian-ISP [EMAIL PROTECTED] Sent: Monday, February 10, 2003 7:30 AM Subject: Re: Subscriber Management System FYI -- I hit the site and got the following: Warning: Access denied for user: 'gcdb_test_app@localhost' (Using password: YES) in /var/www/www.itpsg.com/htdocs/test/dbint/mysql.php on line 27 Warning: MySQL Connection Failed: Access denied for user: 'gcdb_test_app@localhost' (Using password: YES) in /var/www/www.itpsg.com/htdocs/test/dbint/mysql.php on line 27 Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /var/www/www.itpsg.com/htdocs/test/dbint/mysql.php on line 28 Need a valid database connection! Greg *** REPLY SEPARATOR *** On 2/5/2003 at 9:58 PM Vector wrote: I have that I have been using that is a *heavily* modified version of the opensource billing system called gcdb. That project is posted on sourceforge and last I checked hadn't been updated since aug 2001. I sent mail to the author letting him know I had a ton of improvements and requested that I become a developer but I never had a response back. It is now getting close to be able to be released again as a new minor version. It also now integrates with verisign payflow for credit card processing. Anyone is welcome to see it or try it out. If you want to see a quick demo I have it setup right now on a test site at: http://www.itpsg.com/test uid: admin pwd: admtst vec - Original Message - From: Charl Matthee [EMAIL PROTECTED] To: Debian-ISP [EMAIL PROTECTED] Sent: Wednesday, February 05, 2003 9:35 PM Subject: Subscriber Management System Hi all, Can any of you give me some recommendations on free/non-free subscriber management systems? Ciao Charl __ [ Charl Matthee ] [ +27-11-721-3800 ] [ Systems Manager ] [ +27-11-405-6508 ] __ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: PHP using suexec
I am running them both and have not yet had performance problems. I stress tested the server before putting it into production and performance was acceptable so I went ahead with it. I don't remember what the metrics were now it's been too long. suexec is particularly handy if you have multiple vhosts or have user home directories that are cgi-enabled so you can keep the users and their programs honest. vec - Original Message - From: Domainbox, Tim Abenath [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 06, 2003 4:44 AM Subject: PHP using suexec Hello list, Has anyone experiences running PHP using suexec? All doku's are telling this should not be use to keep the Performance of the Server up, but is this still true for a today's dual XEON Machine? I need to feed about 1,5 Million hits a day, around 30 hits request .php files. [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SCSI or IDE
- Original Message - From: Russell Coker [EMAIL PROTECTED] To: Âàñèë Êîëåâ [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Sunday, November 24, 2002 12:39 PM Subject: Re: SCSI or IDE You can put a lot more disks on a single SCSI controler, than on a IDE controler, and there (afaik, i could be mistaken) two drives on one bus cannot work simultaneously and share the bandwidth (which isn't a problem with SCSI, if you have 160 MB/s bus, and 3 disks that can make about 40MB/s, you can have all 120MB/s) 3ware IDE controllers support up to 12 drives. You won't find many SCSI controllers that can do that and deliver acceptable performance (you won't get good performance unless you have 64bit 66MHz PCI). That is not true. Do a benchmark of two IDE drives on the one cable and you will discover that the performance loss is not very significant. ATA-133 compared to Ultra2 SCSI at 160MB/s is not much difference. S-ATA is coming out now and supports 150MB/s per drive. Ultra2 can't do 160MB/s. Ultra2 is limited to 80MB/s. U160 (or ultra3) can do 160MB/s. And perhaps, yes, Ultra2 vs ATA-133 might be comparable. And U320 is now and can do 320MB/ssuch is and has been the evolution of both standards. And maybe i should say something about the reliability, SCSI disks don't die that often, compared to IDE drives, while being used a lot 24x7. The three biggest causes of data loss that I have seen are: 1) Incompetant administrators. Amen. 2) Heat. Halleluja, Brother! 3) SCSI termination. Huh? I'd honestly have to say this falls into the same category as 1) Incompetant administrators. Get the termination right and it all works just fine, which is now easier than ever since controllers have been able to autoterminate for many many years and now they are building terminators right into the cable. And there are other factors like cable quality and length. It's cerntaily more complicated but again, I feel it's worth it once you know what you are doing. SCSI drives tend to have higher rotational speeds than IDE drives and thus True, and in your first reply on this thread didn't you quote this as one of the primary factors determining speed? produce more heat. Even when IBM was shipping thousands of broken IDE hard yes, fans are our friends! drives (and hundreds of broken SCSI drives which didn't seem to get any press) the data loss caused by defective drives was still far less than any of those three factors. Hmm, yeah, there's crap in both sectors that's for sure. I can't say I've been a huge fan of IBM drives in the past. vec -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SCSI or IDE
- Original Message - From: Russell Coker [EMAIL PROTECTED] To: Emilio Brambilla [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Sunday, November 24, 2002 1:14 PM Subject: Re: SCSI or IDE Organizations such as CERN are using IDE disks for multi-terabyte arrays. I've heard google uses IDE as well. Of course, they come in a huge cluster of cheap workstations, not as a mass storage system. In an attempt to answer the original question: As you can see here there is somewhat of a religious war going on. I don't much care about the specifics of the religion. I have always gone with what worked best for me which in my case has been SCSI. If you have a tight budget, I'm sure you can find an IDE solution that will do you just fine. If you have a fat budget, try them both and then sell off the one like the least and chalk it up to a learning experience. vec -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: DNS servers
What about different views, e.g. for internal vs external networks. vec - Original Message - From: Russell Coker [EMAIL PROTECTED] To: Debian ISP [EMAIL PROTECTED] Sent: Tuesday, November 19, 2002 7:34 AM Subject: DNS servers I've just started playing with nsd, it appears very promising. It offers authoritative serving only (only primary and secondary no caching or proxying). It uses a database for all primary zones (fast startup). It seems to have been designed for security and reliability. It has basic compatability with BIND zone files, although I suspect that it may not handle bad zone files as well (so you just have to get them right ;). I'm thinking of putting it on some of my servers in the near future. So this leaves DNS caching as the only reason for BIND. Is there a DNS server that does caching better than BIND? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: DNS servers
What about different views, e.g. for internal vs external networks. vec - Original Message - From: Russell Coker [EMAIL PROTECTED] To: Debian ISP debian-isp@lists.debian.org Sent: Tuesday, November 19, 2002 7:34 AM Subject: DNS servers I've just started playing with nsd, it appears very promising. It offers authoritative serving only (only primary and secondary no caching or proxying). It uses a database for all primary zones (fast startup). It seems to have been designed for security and reliability. It has basic compatability with BIND zone files, although I suspect that it may not handle bad zone files as well (so you just have to get them right ;). I'm thinking of putting it on some of my servers in the near future. So this leaves DNS caching as the only reason for BIND. Is there a DNS server that does caching better than BIND? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: failure notice (about relays.osirusoft.com)
Take it somewhere else please, like news.admin.mail-abuse or whatever that newsgroup is that has a bunch of posers claiming not to be from SPEWS and other fascist BLs. Apparently that newsgroups is specifically used for this kind of thing. No, seriously though, take it somewhere else. You are not only generating noise on the isp list, you are doing it on the user list as well which makes it twice as bad. vec - Original Message - From: John W. M. Stevens [EMAIL PROTECTED] To: Jason Lim [EMAIL PROTECTED] Cc: John W. M. Stevens [EMAIL PROTECTED]; debian-isp@lists.debian.org; debian-user@lists.debian.org Sent: Sunday, August 18, 2002 12:00 PM Subject: Re: failure notice (about relays.osirusoft.com) On Sun, Aug 18, 2002 at 05:27:00PM +1000, Jason Lim wrote: What I call a resolution method are those used by ORDB.org, SPAMCOP.net, VISI.com, and plenty of other ones. Around all day . . . Which means, quite simply, that iAdvantage hosts spammers, and refuses to remove them. If you'd go the newgroup that Joe Jared tells you to go to in his listing, you'd see the so called large amount of complaints about iAdvantage. Have you actually looked? Yes. you can visit the militany NANAE newsgroup for resolution, but if you take a look at the messages there ugh... swearing at each other, threats, etc. Take a look for yourself. Been there. Seen it. There are two sides to this issue, and when you put 'em both on the same news group, you'd better expect flames, especially when they are so totally diametrically opposed. This only supports my previous statment that telling people to go to NANAE for so-called resolution is a farce. Not a farce. Have you ever listened to a really heated debate in any Western legislative body? Heated, is a mild term. Such forums are always nasty, heated, and difficult. You are making a cultural mistake. blars, like selward, lists entire net blocks. As I said, I find this far to fanatical for my personal taste. Shall I remind you that OSIRUSOFT is blocking entire net blocks? Where did you get this information? As far as I know, that isn't the case, but as always, I'll look at anything. Oh, and shall I remind *YOU* that I agreed to switch to visi for a week? And already, I'm getting three times the spam I was. A large chunk of traffic from HK, in fact. And if I continue the way I am going (dropping MTA IP addresses into my personal block list as the junk arrives), I'll have blocked about 22 percent of HK's biggest ISP's in a months time. and also Joe Jared's own personal list. It is Joe Jared's own personal list that is the problem . . . A problem for . . . who? You, personally? Shouldn't that be a problem for you as well? No. Why? Except for this short discussion with you, I have no need or interest in any of the Amazing Offers! sent to me from Asia, and no correspondents there. If I did, I would white list the one, particular address used by that correspondent. You are using a list that is contrived by a single person, including his own biased opinions, etc. Are there any other kind? Every organization is simply the combined biased opinions of it's leaders/perception management personnel. Are you willing to let your orgainization's communications be controlled by a single person's biased opinions? Osirusoft, even when I used their list, did not control my communications. *I* do. I chose their list, I chose to try an experiment where I replaced osirusoft with visi, and at the rate I'm getting new spam now, I'll be choosing to switch back to osirusoft after this week is out. As I said, I FULLY SUPPORT blocking of abused open relays (ala ORDB and many others), and individual IPs (ala Spamcop and many others), but not the full blocking of netblocks or countries (ala Blars, xslwerard, osirusoft, etc.). Oh, I agree. Which is why if you can show me some proof that osirusoft blocks entire netblocks because of the actions of a single *SEPARABLE* entity (the separable entity is an important point), I'll probably have to find a way to white list parts of osirusoft's list if/when I go back to 'em. There are plenty of good RBLs to use... see So far, after following you suggestion, my spam intake rate has jumped hugely. http://www.declude.com/JunkMail/Support/ip4r.htm for a big list. It's not as if osirusoft is your only option ... No, they are not my only option. But they've been the best I've tried so far. why you defend them so much eludes me, especially with so many better lists out there. Because the others out there *AREN'T* better! For my needs (except for you, I have no need to receive any email from Asia, and after you get sick of trying to convert me, I'll be back to none), blocking most of Asia has worked to reduce my spam, while not costing me any communications I want or need. Why you
Re: Mass installation procedure for Debian?
Why do people still compile the drivers in to a kernel? This makes your kernel application specific and not re-usable for anyone else with a different setup. Why not use initrd and a modular kernel? Because it makes for one lean and mean system.
which radius server?
Just wondering if there are any good open source and free radius servers out there to use that work well on debian and what others are using to do radius with their ISP's. Thanks, vector
which radius server?
Just wondering if there are any good open source and free radius servers out there to use that work well on debian and what others are using to do radius with their ISP's. Thanks, vector
Re: Webmail - considerations...
http://packages.debian.org/testing/libs/libc-client4.7.html The above is a c client library for imap written by the University of Washington (not sure, but I don't think that package is the latest version but you can get the source from UW if you want). vector - Original Message - From: Jeremy Lunn [EMAIL PROTECTED] To: Przemyslaw Wegrzyn [EMAIL PROTECTED] Cc: Russell Coker [EMAIL PROTECTED]; debian-isp@lists.debian.org; recipient list not shown: ;; Sent: Tuesday, June 12, 2001 7:03 AM Subject: Re: Webmail - considerations... On Tue, Jun 12, 2001 at 02:59:00PM +0200, Przemyslaw Wegrzyn wrote: Of course, I know... But our middle-tier will be developed using C++ , AFAIK. That's why I asked about c-client library... I would be pretty surprised if there is no c library for IMAP as well. -- Jeremy Lunn Melbourne, Australia -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
