Re: a couple of postfix questions

2004-12-08 Thread Volker Tanger
Greetings!

On Wed, 8 Dec 2004 14:25:05 +1100 Craig Sanders <[EMAIL PROTECTED]> wrote:
> if you ignore really stupid annoyances like the fact that it can't
> reject a message at the SMTP level, it *always* accepts and then
> bounces it".

Current mailstats on my private server (postfix) tell me:

Connections total: 7616
User unknown:  1260
RBL-blocked:   1158
other blocked:  700
locally delivered:  692

So 50% of all connections break down (probably portscans) before
any SMTP dialogue.
Of the remaining other half, I'm blocking 78% due to RBL, 
user unknown or invalid mail protocol - so very early in
SMTP dialogue. 

If those were accepted (i.e. stored and sent back) I'll fill 
my postmaster box logs with bounces of those bounces (as they
usually use fake sender addresses) in no time.

So rejecting already before DATA statement is a *very* good idea.

Bye

Volker Tanger


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
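To put numbers like the ones above on your own server, the following added example (not code from the post) tallies Postfix smtpd rejections by the SMTP stage they were issued at, so you can see how much is refused before DATA versus after the message body was accepted. The log lines are constructed in the shape Postfix writes them; hosts, addresses and the queue id are placeholder values.

```sh
#!/bin/sh
# Added example, not code from the post: count Postfix smtpd rejections per
# SMTP stage. Constructed sample log; 192.0.2.x / 198.51.100.x / 203.0.113.x
# are documentation addresses, the queue id is made up.
SAMPLE_LOG='Dec  8 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<nobody@example.org> proto=SMTP helo=<x>
Dec  8 10:01:05 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using sbl-xbl.spamhaus.org; from=<b@example.net> to=<c@example.org> proto=ESMTP helo=<y>
Dec  8 10:01:09 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <d@example.com>: Relay access denied; from=<e@example.net> to=<d@example.com> proto=SMTP helo=<z>
Dec  8 10:01:12 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 <nobody2@example.org>: Recipient address rejected: User unknown in local recipient table; from=<f@example.net> to=<nobody2@example.org> proto=SMTP helo=<x>
Dec  8 10:02:00 mx postfix/smtpd[2105]: 1A2B3C: reject: END-OF-MESSAGE from mail.example.net[192.0.2.99]: 552 message too large; from=<g@example.net> to=<h@example.org> proto=ESMTP helo=<mail.example.net>
Dec  8 10:02:30 mx postfix/smtpd[2106]: connect from unknown[192.0.2.12]
Dec  8 10:02:31 mx postfix/smtpd[2106]: lost connection after CONNECT from unknown[192.0.2.12]'

# rejects_by_stage: print "STAGE count" for every stage seen on stdin
# (CONNECT, HELO, MAIL, RCPT, DATA, END-OF-MESSAGE ...). Everything except
# DATA and END-OF-MESSAGE is rejected before the body is ever transferred.
rejects_by_stage() {
    awk 'match($0, /: reject: [A-Z-]+ from /) {
             st = substr($0, RSTART + 10, RLENGTH - 16); c[st]++
         }
         END { for (st in c) print st, c[st] }' | sort
}

# rejects_at_stage STAGE: number of rejections issued at one stage
rejects_at_stage() {
    awk -v st="$1" 'index($0, ": reject: " st " from ") { n++ } END { print n + 0 }'
}

# rejects_for_reason TEXT: rejections whose reply text contains TEXT
# (e.g. "User unknown", "blocked using", "Relay access denied")
rejects_for_reason() {
    awk -v p="$1" 'index($0, ": reject: ") && index($0, p) { n++ } END { print n + 0 }'
}

# dropped_before_dialogue: clients that connected and went away without
# sending a single command (the "probably portscans" share in the post)
dropped_before_dialogue() {
    awk 'index($0, "lost connection after CONNECT") { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | rejects_by_stage
```

Run it against a real log with `rejects_by_stage < /var/log/mail.log`; a healthy setup with RBL and recipient checks shows almost everything under RCPT, and the END-OF-MESSAGE count tells you how much still gets through to content filtering.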



Re: network monitoring

2004-10-31 Thread Volker Tanger
Greetings!

On Sun, 31 Oct 2004 14:17:35 +0100 martin f krafft <[EMAIL PROTECTED]>
wrote:
> also sprach Andrew Miehs <[EMAIL PROTECTED]> [2004.10.31.0907 +0100]:
> > On the one hand, you are happy to install via nfs, but on the
> > other hand, you want monitoring done via 'ssh'?
> 
> Well, I agree that NFS is somewhat of a kludge. However, I want SSH
> to contact the servers to execute commands to prevent that someone
> else just executes them without authenticating.

So I'd like to suggest you should have a look at the MoSSHe tool 
http://www.wyae.de/software/mosshe/

It does monitoring via SSH (key auth) while *NOT* allowing execution of
arbitrary commands.

The whole system is just consisting of shell scripts and one simple
central config file plus simple agents on the servers for in-depth
monitoring (load, memory, ...). So it's fast to implement and light on
system resources. Plus you won't need additional IPSec or whatever
config on your systems...

Bye

Volker Tanger
ITK Security
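The usual way to get "monitoring via SSH with key auth, but no arbitrary commands" is the forced-command mechanism of sshd's authorized_keys: the key is bound to one program, and whatever the client asked to run only arrives as $SSH_ORIGINAL_COMMAND for that program to accept or refuse. The agent below is an added example of that pattern, not MoSSHe's own code; the agent path, the check names and the key comment are assumptions.

```sh
#!/bin/sh
# Added example, not MoSSHe's code: a monitoring agent installed as a forced
# command. Assumed authorized_keys entry on the monitored host (key material
# is a placeholder):
#   command="/usr/local/bin/mon-agent",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...placeholder... monitor@central
# With that entry sshd runs mon-agent no matter what the client requested;
# the request is only visible in $SSH_ORIGINAL_COMMAND and the agent decides.

# allowed NAME: 0 if NAME is exactly one of the fixed check names, else 1.
# The whole request must equal a name: no arguments, no shell metacharacters.
allowed() {
    case "$1" in
        load|mem|disk) return 0 ;;
        *) return 1 ;;
    esac
}

# run_check NAME: the checks themselves, each a fixed read-only command
run_check() {
    case "$1" in
        load) cat /proc/loadavg ;;
        mem)  grep -E '^(MemTotal|MemFree|MemAvailable):' /proc/meminfo ;;
        disk) df -P ;;
    esac
}

# dispatch REQUEST: refuse and log anything outside the whitelist, so a
# misused monitoring key yields three read-only facts and nothing else.
dispatch() {
    if allowed "$1"; then
        run_check "$1"
    else
        logger -t mon-agent "refused request from ${SSH_CLIENT%% *}: $1" 2>/dev/null || :
        echo "mon-agent: request refused" >&2
        return 1
    fi
}

# Entry point when sshd invokes this file as the forced command.
case "$0" in
    *mon-agent) dispatch "${SSH_ORIGINAL_COMMAND:-}"; exit $? ;;
esac
```

The central host then simply runs `ssh -i monitor_key server load`; because the key carries no-pty and no forwarding options, the same key cannot be turned into an interactive login or a tunnel even if the agent script is never reached.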





Re: New Debian net install on a SATA server?

2004-08-23 Thread Volker Tanger
Good Morning!

On Mon, 23 Aug 2004 18:33:25 -0600 Nate Duehr <[EMAIL PROTECTED]> wrote:
> RAID != Backup!!!
> RAID = if you write bad data to one disk, you get it everywhere.
> Backup = If you write bad data to a disk, you can roll back to it.

Full ack - re-reading my post I found that I missed deleting the first
half of the cited mail. My post should have read in short:

RAID for backup (1st half)? - NO! Definitely no.

Use RSYNC (2nd half) - yes, but (only if) to remote servers

Sorry if that led to confusion...

> On Aug 23, 2004, at 7:07 AM, Volker Tanger wrote:
> > On Mon, 23 Aug 2004 07:00:37 -0500 "Penbrock"
> > <[EMAIL PROTECTED]> wrote:
> >>For backups is RAID the best way to go? For this server it is
> >>more important to be able to restore the data than to have the
> >>system back up and running in seconds. I hear a lot of people
> >>saying to just make the second drive an image of the first and
> >>then run an hourly cron job to copy the /home/ directories?
> >
> > yes - best locally *AND* to "warm standby" backup servers (placed at
> > different locations spread over the campus) that are mirroring the
> > data and performing their own backup.
> >
> > See http://www.mikerubel.org/computers/rsync_snapshots/ for ideas of
> > HD-based backup/mirror.

Bye

Volker Tanger
ITK Security





Re: New Debian net install on a SATA server?

2004-08-23 Thread Volker Tanger
On Mon, 23 Aug 2004 07:00:37 -0500 "Penbrock" <[EMAIL PROTECTED]>
wrote:
>   For backups is RAID the best way to go? For this server it is
>   more important to be able to restore the data than to have the
>   system back up and running in seconds. I hear a lot of people
>   saying to just make the second drive an image of the first and
>   then run an hourly cron job to copy the /home/ directories?

yes - best locally *AND* to "warm standby" backup servers (placed at
different locations spread over the campus) that are mirroring the data
and performing their own backup.

See http://www.mikerubel.org/computers/rsync_snapshots/ for ideas of 
HD-based backup/mirror.

Bye

Volker Tanger
ITK Security
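The rsync_snapshots page linked above (and in the follow-up post) builds backups that look like complete copies but share every unchanged file with the previous snapshot through hard links, so a week of hourly snapshots costs little more disk than one copy. The rotation below is an added example of that idea in plain sh, not code from the post or from that page. It assumes rsync is installed, that DEST is an absolute path (a relative --link-dest is resolved against the destination directory), and that the standby server pulls from the production host, so the production host needs no credentials for the backup box.

```sh
#!/bin/sh
# Added example (not from the post): hard-link snapshot rotation.
# SRC is the tree to mirror (local path or host:/path when pulled over ssh),
# DEST an absolute directory that will hold snapshot.0 (newest) .. snapshot.2.

# snapshot SRC DEST: drop the oldest snapshot, shift the others down, then
# build a fresh snapshot.0; files unchanged since snapshot.1 become hard links
# to it instead of new copies, changed or new files are transferred.
snapshot() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    rm -rf "$dest/snapshot.2"
    if [ -d "$dest/snapshot.1" ]; then mv "$dest/snapshot.1" "$dest/snapshot.2"; fi
    if [ -d "$dest/snapshot.0" ]; then mv "$dest/snapshot.0" "$dest/snapshot.1"; fi
    if [ -d "$dest/snapshot.1" ]; then
        rsync -a --delete --link-dest="$dest/snapshot.1" "$src/" "$dest/snapshot.0/"
    else
        rsync -a --delete "$src/" "$dest/snapshot.0/"
    fi
}

# link_count FILE: hard links to FILE; 2 means the previous snapshot shares it
# (GNU stat first, BSD stat as fallback)
link_count() { stat -c %h "$1" 2>/dev/null || stat -f %l "$1"; }

# Demo on a constructed tree in a temporary directory.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/src"
    printf 'stays the same\n' > "$t/src/keep"
    printf 'v1\n' > "$t/src/change"
    snapshot "$t/src" "$t/bak"
    printf 'v2, longer\n' > "$t/src/change"
    snapshot "$t/src" "$t/bak"
    echo "keep shares inode: $(link_count "$t/bak/snapshot.0/keep") links"
    echo "old version still in snapshot.1: $(cat "$t/bak/snapshot.1/change")"
    rm -rf "$t"
}
if command -v rsync >/dev/null 2>&1; then demo; fi
```

Because the older snapshots are plain directories, a "roll back" in the sense of the RAID != backup point above is just `cp -a` or rsync from snapshot.N back to the host; and since the standby pulls, a compromised production host cannot reach into the snapshots to delete them.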





Re: Cloning disks with dd and netcat

2004-07-27 Thread Volker Tanger
Greetings!

> > Do you have any kind of BIOS-configurable write/virus protection
> > for that harddisc switched off? 
> 
> BIOS is ignored nicely once the kernel switched on VM and went into
> protected mode...

Yes, I know - but I've encountered hardware where the "100% IDE"
controller could be switched into read-only mode EVEN FOR NON-BIOS
operation. Granted, it was a jumper back then (probably breaker plus
pullup/pulldown for R/W signal line), but that could be done with some
CMOS/Flash setting today, too.

It just struck me as odd that root could not write even the first few
bits...

*ahem*

Stop. Different idea. 

@David Ross: you wrote you booted from Knoppix. I hope you did use plain
text mode? If you used the X11/KDE desktop you're usually logged in as
"knoppix" or whatever plain/non-root user. And of course you're not
allowed (write) access to the raw device as an ordinary user...

Boot in text mode ("knoppix 2") or Ctrl-Alt-1 from X11 into console. Try
again then. 

If this does not solve the problem, we'll have to search on.

Bye

Volker Tanger
ITK Security


PS: I've updated my docs accordingly - that's an easily overlooked
stumbling block.





Re: Cloning disks with dd and netcat

2004-07-27 Thread Volker Tanger
Greetings!

> >Well, doing the partitioning manually, you could RSYNC
> >the server instead of DD+NETCATing, which probably is faster and
> >fails more gracefully.
> 
> But would mean mucking around with the bootloader, which usually is
> the  point for doing _complete_ disc-images.

True - but DDing a 200GB system disc takes quite some time, while
manually handling partition+mkfs+lilo plus RSYNCing 1.2GB usually is
LOTS faster...

Upgrading to servers with newer/bigger discs is also less painful than
with imaging.

But for mostly uniform hardware or testlabs (with frequent system
bashing) it's the leisure-factor that is heavily in favour of DD images,
I confess...   ;-)

Bye

Volker Tanger
ITK Security





Re: Cloning disks with dd and netcat

2004-07-27 Thread Volker Tanger
Greetings!

On Tue, 27 Jul 2004 12:12:33 +0200 "David Ross" <[EMAIL PROTECTED]>
wrote:
> tty1[/]# nc -v -w 60 XXX.XXX.XXX.XXX  < /dev/null | gzip -dc | dd
> of=/dev/hda bs=512 
> imgserver.whatever.co.za [XXX.XXX.XXX.XXX]  (?) open
[...] 
> hda: read_intr: status=0x59 { DriveReady SeekComplete DataRequest
> Error}
> hda: read_intr: error=0x40 { UncorrectableError }, LBAsect=19528,
> sector=19528
> end_request: I/O error, dev 03:00 (hda), sector 19528
> dd: writing `/dev/hda': Input/output error 
> 19529+0 records in
> 19528+0 records out
> 9998336 bytes transferred in 9.226423 seconds (1083663 bytes/sec) 
> too many output retries : Broken pipe
[...]
> Obviously the first thing I did was swap the
> harddrive just in case the one in the new pc is faulty, but I get the
> same error. 


Obviously the problem is that DD cannot write (for whatever reason) to
/dev/hda - not a single byte.

Do you have any kind of BIOS-configurable write/virus protection
for that harddisc switched off? 

What happens if you do the partitioning manually and image the
partitions (/dev/hda1, /dev/hda2, ...) one-by-one instead of the
complete disc? Well, doing the partitioning manually, you could RSYNC
the server instead of DD+NETCATing, which probably is faster and fails
more gracefully.

Bye

Volker Tanger
ITK Security





Re: max requests a celeron web server can handle

2004-07-20 Thread Volker Tanger
Greetings!

On Tue, 20 Jul 2004 08:24:12 +0200 Adrian 'Dagurashibanipal' von Bidder
<[EMAIL PROTECTED]> wrote:

> On Monday 19 July 2004 19.22, Shannon R. wrote:
> > I've been googling around for recorded info on how many static files
> > per second a [...] Apache web server can serve before it starts
> > getting slow.
> 
> (And if it's really just static files, perhaps you may want to change
> to one of the simpler, faster web servers if you're really worried
> about performance.)

If you're looking for a high-performance webserver mainly for static
files, servers other than Apache could be quite interesting for you,
especially thttpd, mathopd and Zeus - see

http://www.acme.com/software/thttpd/benchmarks.html

Smaller size and the select method instead of (pre)forking spell more free
RAM which can then be used for buffering/caching, adding to speed
(again).

Bye

Volker Tanger
ITK Security





Re: Squid proxy help

2004-04-23 Thread Volker Tanger
> I was just wondering if you know how I could possibly set up squid so
> that it will accept connections from the internet and filter before
> they hit an IIS6 hosted intranet.

RTFM!

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
http://squid.visolve.com/squid/squid24s1/access_controls.htm

Bye

Volker Tanger
ITK Security







Re: OpenVPN on Debian unstable - how?

2004-04-19 Thread Volker Tanger
Hello!

[He asked whether someone had experiences with OpenVPN on Debian]

On Mon, 19 Apr 2004 12:14:59 +0200 (CEST) [EMAIL PROTECTED] wrote:
> we wanted to connect our servers, which are located at physically
> different sites, to each other with OpenVPN. Road warrior access is
> not planned, but may soon become conceivable. Does anyone of you
> already have experience with OpenVPN? If so, I would be very grateful
> for a bit of help.

Works like a charm, but:
- create custom kernel (TAP/TUN) 
- compile OpenVPN from source (no problems)

FAQs/Docs are quite sufficient for connecting networks.

Beware of using static keys - removing one road warrior means having to
reconfigure ALL systems in the VPN. Use certificates instead (see the
excellent OpenVPN HowTo). For the problems with static keys see
http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml


Speaking of: I'm contemplating offering boxed "ETHERNET over IP" VPN
router/access devices (i.e. supporting IP, IPX, SNA, full DHCP/BootP,
etc. - obviously not using IPSec but OpenVPN) at a target price around
500 EUR. Thoughts and opinions to me by private mail so as not to clobber
the list.

Thanks

Volker Tanger
ITK Security







Re: Graphical software to control networks

2004-04-15 Thread Volker Tanger
Greetings!

On Thu, 15 Apr 2004 15:45:37 +0200 Michelle Konzack
<[EMAIL PROTECTED]> wrote:

> >> I like to have OpenView under Linux ;-)
> Maybe it has its price, but it is the right thing to control several 

- how many systems
- how deep (from just PING to complete SNMP and more)
- how often

The higher any value, the more load on network and NWM system
resources, so beware...


> >Nagios as a frontend for the whole lot...
> I have never used the tools before...

Have a look at Nagios. Really. We use(d) it very successfully within our
managed service group. The grouping feature helps A LOT. For mission
criticals the two-stage alerting is nice, too. 

Web-based it is usable from "anywhere" (client independent). You even
can create a "status wall" with a rack/shelf and several PCs/monitors,
each one showing a different group status page - add one or two beamers
for Houston feeling...


> But if you have 10 or more Radio-Bridges in line it is really hard 
> to imagine where the error is. With a graphical tool and a landmap 
> as background you see immediately where the problem is. 

Depending on grouping you can see "one of the Radio-Bridges RED" or:
"something in Alaska YELLOW". A map often is waaay too small for a "real
world" environment to see anything. 

But a (zoomable) map is a standard "can do" in
Nagios.


> I can set a Landmap as background and set my Controlpoints (Routers, 
> RadioBridges, Repeaters, DSU's,...) on it. The rest is controlled 
> via SMTP...

I guess you thought of SNMP here...


> But currently I have no real concept HOW TO MAKE SUCH GUI, a really 
> intuitive graphical user interface. 
[...]
> We need to code our own stuff and make it better.

Have a look at Nagios (http://www.nagios.org/) and Cheops
(http://www.marko.net/cheops/) before starting at ZERO again. 

BigSister (http://bigsister.graeff.com/home.html) and BigBrother are
probably a league below your requirements as they do not offer (IIRC)
a grouping that's compact enough.

Checks should be highly configurable (ping one router, read nearly all
SNMP from the next), should support grouping in configuration (i.e. done
once for all 7205's, once for all Sun E450s etc.) and display. Nagios is
nice here - again.

Have a DEEP look and some hands-on tests with Nagios before rolling your
own. I've not tested Cheops, but it looks a bit like what you have in
mind, too.

Bye

Volker Tanger
ITK Security







Re: 3ware Raid 5 and ext3 filesystem

2004-03-24 Thread Volker Tanger
Greetings!

On Wed, 24 Mar 2004 12:07:41 +0100 (CET) "Andrew Miehs"
<[EMAIL PROTECTED]> wrote:
> After mounting the filesystem, and doing my first 'ls -ln' in a
> directory with 1000 pictures it takes ages!

First guess: you're using Ext2 or Ext3 filesystem type?
XFS, JFS and ReiserFS are using BTree (or similar) directory
structures that are much faster than the Ext's linear list.

Bye

Volker Tanger
ITK Security


Welcome to our CeBIT exhibition stand from the 18th - 24th March 2004, hall
13 - D 58, under the motto "DeTeWe - Your connection to the world".







Re: I give up! Postfix keeps relaying

2004-03-12 Thread Volker Tanger
Greetings!

On Fri, 12 Mar 2004 11:51:58 -0500 [EMAIL PROTECTED] (Sarwat H)
wrote:
> Basically, I don't want the server to relay any messages except for
> the messages that originate on the server. I've attached my postconf
> -n below.
> 
> postconf -n output
[...]
> So, what am I doing wrong here ?

You're missing the SMTP recipient restrictions as in:

--8<--
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_maps_rbl, 
permit_mynetworks, permit_auth_destination, reject
maps_rbl_domains = relays.ordb.org, opm.blitzed.org, sbl-xbl.spamhaus.org, 
dnsbl.sorbs.net

# SPAM-Bot discouragement
# disconnect after this many errors
smtpd_hard_error_limit = 100
# max. simultaneous sessions
default_process_limit = 5
# max. junk commands before sleeping
smtpd_junk_command_limit = 2
# sleep 50sec after each soft error
smtpd_error_sleep_time = 50
# sleep ERR-NR secs after this many errors (> time !)
smtpd_soft_error_limit = 50

--8<--


Volker Tanger

-- 

ITK-Security
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/
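A quick way to verify a main.cf against the open-relay mistake discussed above is to read smtpd_recipient_restrictions back (Postfix joins continuation lines that start with whitespace) and check that the list is closed by a terminal `reject` or `reject_unauth_destination` and that no blanket `permit` comes before it. This is an added example, not code from the post; the main.cf fragments are constructed. Note that Postfix 2.10 and later also consult smtpd_relay_restrictions for relaying, which this check does not read.

```sh
#!/bin/sh
# Added example (not from the post): check a Postfix main.cf for a recipient
# restriction list that would leave the server an open relay.

# recipient_restrictions FILE: print the value of smtpd_recipient_restrictions
# with Postfix continuation lines joined and commas turned into spaces.
recipient_restrictions() {
    awk '
        /^smtpd_recipient_restrictions[[:space:]]*=/ { sub(/^[^=]*=/, ""); v = $0; on = 1; next }
        on && /^[[:space:]]/ { v = v " " $0; next }   # continuation line
        on { on = 0 }                                  # next parameter: value complete
        END { gsub(/,/, " ", v); print v }' "$1"
}

# relay_check FILE: exit 0 if relaying is closed, 1 if not. Closed means a
# terminal reject (or reject_unauth_destination) is reached before any bare
# "permit"; permit_mynetworks / permit_sasl_authenticated before it are fine.
relay_check() {
    closed=0
    for r in $(recipient_restrictions "$1"); do
        case "$r" in
            permit) [ "$closed" = 1 ] || return 1 ;;
            reject|reject_unauth_destination|defer_unauth_destination) closed=1 ;;
        esac
    done
    [ "$closed" = 1 ]
}

# Demo on two constructed fragments: the post's list and an open one.
demo() {
    d=$(mktemp -d)
    printf 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject_maps_rbl,\n  permit_mynetworks, permit_auth_destination, reject\n' > "$d/good.cf"
    printf 'smtpd_recipient_restrictions = permit_mynetworks,\n  permit\n' > "$d/open.cf"
    for f in good open; do
        if relay_check "$d/$f.cf"; then echo "$f.cf: relay closed"; else echo "$f.cf: OPEN RELAY"; fi
    done
    rm -rf "$d"
}
demo
```

On a live system `postconf -n smtpd_recipient_restrictions` gives the same value already joined, but reading the file lets you review a config before it is loaded.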









Re: debian-specific machine cloning

2004-01-23 Thread Volker Tanger
Greetings!

On Fri, 23 Jan 2004 10:02:50 -0500 Dale E Martin
<[EMAIL PROTECTED]> wrote:

> Hello.  I maintain a small network of debian machines.  I've got one
> machine that is kind of "golden" in a sense.  It's running stable +
> key backports for various tools I need.  I thought about writing a
> script to take the contents of "dpkg --list" and ram it through
> "dpkg-repack" and basically end up with a set of packages representing
> everything on this machine - then I can install them on the other
> machines that I maintain. But I have to think that this is a solved
> problem.  Is it?

On the golden machine do
dpkg --get-selections > golden.txt

copy -r /etc/apt/* to the new machine, as well as golden.txt

Then do on the new clone
apt-get update
dpkg --set-selections < golden.txt
apt-get dselect-upgrade

That should do it. Or try one of the low-level approaches
http://wyae.de/docs/img_dd.php
http://wyae.de/docs/img_rsync.php

Bye

Volker Tanger
ITK-Security
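Before feeding golden.txt into `dpkg --set-selections` on the clone it is worth seeing what will change, in particular which packages get removed and which packages on the clone the golden list says nothing about (those are left as they are). The following is an added example, not code from the post; both selection lists are constructed in `dpkg --get-selections` format (package, tab, state).

```sh
#!/bin/sh
# Added example (not from the post): preview the effect of
# "dpkg --set-selections < golden.txt" on a clone before applying it.
tab=$(printf '\t')

# selections_diff GOLDEN CLONE: one line per package whose selection differs,
# "package golden_state clone_state", with "-" where a file lacks the package.
selections_diff() {
    awk -F "$tab" '
        NR == FNR { g[$1] = $2; next }        # first file: the golden host
        { c[$1] = $2 }                        # second file: the clone as it is now
        END {
            for (p in g) if (!(p in c) || c[p] != g[p])
                printf "%s %s %s\n", p, g[p], (p in c ? c[p] : "-")
            for (p in c) if (!(p in g))
                printf "%s - %s\n", p, c[p]
        }' "$1" "$2" | sort
}

# to_install: packages the clone will gain; to_remove: packages it will lose
to_install() { selections_diff "$1" "$2" | awk '$2 == "install" && $3 != "install" { print $1 }'; }
to_remove()  { selections_diff "$1" "$2" | awk '$2 == "deinstall" && $3 == "install" { print $1 }'; }

# not_in_golden: packages only the clone has; --set-selections leaves these
# untouched, so they need a decision by hand.
not_in_golden() { selections_diff "$1" "$2" | awk '$2 == "-" { print $1 }'; }

# Demo on constructed lists (package names chosen for illustration only).
demo() {
    d=$(mktemp -d)
    printf 'apache2\tinstall\nopenssh-server\tinstall\npostfix\tinstall\ntelnetd\tdeinstall\nrsync\tinstall\n' > "$d/golden.txt"
    printf 'apache2\tinstall\nopenssh-server\tinstall\nexim4\tinstall\ntelnetd\tinstall\n' > "$d/clone.txt"
    echo "would install: $(to_install "$d/golden.txt" "$d/clone.txt" | tr '\n' ' ')"
    echo "would remove:  $(to_remove "$d/golden.txt" "$d/clone.txt" | tr '\n' ' ')"
    echo "not in golden: $(not_in_golden "$d/golden.txt" "$d/clone.txt" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

On the clone, run `dpkg --get-selections > clone.txt` first and compare with `to_remove golden.txt clone.txt`; anything listed there disappears at the `apt-get dselect-upgrade` step, and the copied /etc/apt decides which archive the new packages come from, so review sources.list as part of the same step.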


 







Re: Re: Re: ISP / Autorization Required 4 internet connection...

2004-01-21 Thread Volker Tanger
Greetings!

> I use MS-ISA Server, but I don't know what is the NTLM 
> authentication scheme...

Microsoft insisted on inventing their own HTTP protocol, including an
authentication method where the client (browser) authenticates with
WinNT-Domain credentials against the web server (IIS/ISA) without user
interaction, breaking completely with standards and compatible only
within pure Microsoft installations (up to now - the new Mozilla is said
to support it, maybe). They call it a feature, I call it a bug.

You'll have to configure your ISA (basically the renamed MS-Proxy, which
basically is an IIS plugin) to accept NTLM *and* basic authentication
methods - or not to authenticate at all. That option is hidden somewhere
in a submenu, so happy hunting...

Bye

Volker Tanger
ITK-Security


 







Re: SOP for debian isp/corporate server...

2004-01-20 Thread Volker Tanger
Greetings!

On Tue, 20 Jan 2004 21:55:37 +0530 prasad <[EMAIL PROTECTED]> wrote:

> As many of you must have experienced, there are usual SOPs for setting
> up non-bloated, secure bare-bones Servers with respective OSs eg for
> solaris.
> Is there SOP for debian, if not, I guess this list is better poised to
> produce one. Any links, pointers... I have googled, but didn't find
> any old message,

SOP = Standards of Practice?  If so, see at
http://www.debian.org/doc/user-manuals#securing
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

A bare Debian install is pretty much stripped down (<50MB iirc), so not
overly much bloat here.


> One of the reasons I have found, one company took
> a policy decision to not deploy to linux servers some time back, is
> because these rapidly moving distros like RH with insecure preinstalled
> bloat, were causing major maintenance & security hassle. 

Well, with the current release timescale being ~2 years (3.0 was
released 2002-07-19) I won't call Debian "rapidly moving"... 
Maintenance is - as always - minimum hassle with Debian.  
:-)

Bye

Volker Tanger
ITK-Security


 







Re: ISP / Autorization Required 4 internet connection...

2004-01-20 Thread Volker Tanger
Greetings!

On Tue, 20 Jan 2004 14:39:32 +0100 (CET) [EMAIL PROTECTED] wrote:

> I have a problem with the internet connection in Knoppix (latest v.). I 
> configured the network card, entered the proxy server, but mozilla 
> says that the proxy needs to be authorized and it couldn't fulfil my 
> request or something like that. I could not connect even my 
> communicator in WinXp because of the proxy authorization data. Where 
> should I look for the auth. info? In WinXP i can only browse the 
> websites. In Knoppix I pinged my address, the other lan address, 
> server, isp, and all with response except hosts like google.com or 
> yahoo.com. Please help!

If you're using MS Proxy or MS-ISA Server, that will be configured (by
default or on Microsoft's suggestion) to use the NTLM authentication
scheme. The latter is said to be supported by Mozilla 1.6, as the very
first one after MS-IE. What do the headers of the proxy's answer packet
tell about the auth scheme?

Bye

Volker Tanger
ITK-Security


 







Re: remote system monitor

2003-10-27 Thread Volker Tanger
Greetings!

On Thu, 23 Oct 2003 16:32:53 +0200 Filippo Basso <[EMAIL PROTECTED]>
wrote:

> I want to make some tests with an old webserver, and my laptop, and
> want to use a not too complex agent, but with some graphical analysis
> of parameters like cpu/memory/disk and something that can ask apache, 
> qmail,... Nice would also be to raise alarms on certain conditions...
[...] 
> Now I'm looking at Nagios, and I've to say that it's really nice!!! I 
> can attach some of my plugins in C++ or bash, and it keeps a graphical 
> snapshot of what's happening...

http://www.wyae.de/software/aslrules/  
(alas, as soon as the server is repaired *grrr*)
You'll have to adapt it to your disk layout etc, but the basics should
be there.

Bye

Volker Tanger
ITK-Security







Re: ISP bandwidth/traffic shaper advice?

2003-10-22 Thread Volker Tanger
On Wed, 22 Oct 2003 11:55:59 +0200 "R.M. Evers" <[EMAIL PROTECTED]>
wrote:

> doing this, I would like to add a traffic shaper to our configuration.
[...]
> 'bridge' using either debian w/ qos or freebsd w/ dummynet. I would
> prefer to do this with debian, because I know nothing of bsd, and do
> practically everything with debian since it's my favorite dist. 

For traffic shaping with IPtables/netfilter see
    http://lartc.org/howto/
    http://www.docum.org/

Bye

Volker Tanger
ITK-Security







Re: Debian-based hosting needed

2003-09-17 Thread Volker Tanger
Greetings!

On Wed, 17 Sep 2003 12:30:43 +0100 Antony Gelberg <[EMAIL PROTECTED]>
wrote:

> Obviously I am a big Debian fan, however all the
> server hosting companies I can find are using RedHat or that Sun sh*t.
> Can anyone recommend a company?  

I've got a Debian Virtual Server from http://www.greatnet.de/ 

Performance and price are very okay. Service (the few instances I had
contact with) is extremely short-worded/brief, but competent and helpful
once you get over the fact that you don't get lengthy explanations but
the distilled response right to the point.

Another one is http://vd-server.de/  (virtual server here, too) - no
personal experience here.

Another option would be housing your own hardware or reinstallation
of a dedicated server at a hoster (e.g. as described in Linux Magazine
http://www.linux-magazin.de/Artikel/ausgabe/2002/11/)

Bye

Volker Tanger





Re: Count traffic

2003-08-14 Thread Volker Tanger
Greetings!

On Wed, 13 Aug 2003 10:59:22 +0200 Teun Vink <[EMAIL PROTECTED]> wrote:

> > > I'm searching a solution to count in- and outgoing traffic for
> > > each virtual user (domain). Our boxes are running Apache, Proftpd
> > > and qmail. Does anybody know some good working GPLed software/tool
> > > to do one of these tasks.

> And how would that work with _virtual_ servers?

Evaluate the Apache logs? It's quite easy with a little bit of scripting
- the number of (outgoing) bytes usually is the last field. Depending on
your virtual domain setup you either have to simply add up the according
field (usually #9, the last one) - else set up logging to include the
virtual host's name and add up depending on that.

I'm not sure how easy "just accounting" is with prepackaged log
analyzers. As for incoming you won't have proper metrics in the logs
(correction please, if I've overlooked something) - to get an approximate
weighted accounting you probably should go with something like

in-bytes per VHost = in-bytes total / requests total * requests VHost


Bye

Volker Tanger
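A worked version of the accounting sketched above, added here as an example and not taken from the post: it assumes Apache's common log format with the virtual host (`%v`) prepended, sums the outgoing byte field per vhost, and applies the post's weighting formula to a total incoming byte count that has to come from somewhere else (an interface counter, say). The log lines and the incoming total are constructed.

```python
"""
Per-virtual-host traffic accounting from Apache access logs.

Assumed LogFormat: "%v %h %l %u %t \"%r\" %>s %b"  (CLF with the vhost
prepended). %b logs "-" instead of 0 when nothing was sent, and garbage
lines (truncated writes, log injection attempts) must not abort the run,
so both cases are handled explicitly.
"""
import re
from collections import defaultdict

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
www.example.com 192.0.2.10 - - [13/Aug/2003:10:59:22 +0200] "GET /index.html HTTP/1.1" 200 5120
www.example.com 192.0.2.11 - - [13/Aug/2003:10:59:23 +0200] "GET /logo.png HTTP/1.1" 200 20480
mail.example.com 192.0.2.12 - - [13/Aug/2003:10:59:24 +0200] "GET /webmail/ HTTP/1.1" 200 4096
mail.example.com 192.0.2.12 - - [13/Aug/2003:10:59:25 +0200] "POST /webmail/login HTTP/1.1" 302 -
www.example.com 192.0.2.13 - - [13/Aug/2003:10:59:26 +0200] "GET /missing HTTP/1.1" 404 256
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return (vhost, status, bytes_out) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    b = m.group("bytes")
    return m.group("vhost"), int(m.group("status")), 0 if b == "-" else int(b)


def account(log_text, in_bytes_total):
    """Per-vhost requests and outgoing bytes from the log, plus the estimate
       in-bytes per VHost = in-bytes total / requests total * requests VHost.
       Returns ({vhost: stats}, number_of_skipped_lines)."""
    stats = defaultdict(lambda: {"requests": 0, "out_bytes": 0, "in_bytes_est": 0.0})
    skipped = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        vhost, _status, nbytes = parsed
        stats[vhost]["requests"] += 1
        stats[vhost]["out_bytes"] += nbytes
    total_requests = sum(s["requests"] for s in stats.values())
    for s in stats.values():
        s["in_bytes_est"] = (in_bytes_total / total_requests * s["requests"]
                             if total_requests else 0.0)
    return dict(stats), skipped
```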


 





Re: Watchdog Program

2003-08-06 Thread Volker Tanger
On Wed, 6 Aug 2003 12:39:29 +0200 Stephane Bortzmeyer
<[EMAIL PROTECTED]> wrote:

> > you could try BigBrother (http://bb4.com/) 
> 
> Heavily non-free.

...because of which it has a (GPLed) Big Sister

http://bigsister.graeff.com/home.html

Bye

Volker Tanger


 





Re: netsaint-neat errors

2003-07-23 Thread Volker Tanger
Greetings!

On Wed, 23 Jul 2003 15:29:37 +0100 Gavin Hamill <[EMAIL PROTECTED]>
wrote:

> Netsaint itself is working well, but I'd like to make use of the
> graphical editor, however when I browse to
> http://hostname/cgi-bin/netsaint/neat.cgi I'm told:
> 
> ERROR - could not load the config files /etc/netsaint/hosts.cfg 
> /etc/netsaint/plugins-auto.cfg /etc/netsaint/command.cfg

I guess NEAT is trying to open the files in R/W mode - which will fail
as the web server process UID probably is WWW-DATA, but all files are
-rw-r--r-- and owned by ROOT. Try CHOWNing the files to WWW-DATA


> pod:~# ls -l /etc/netsaint/
> total 104
> -rw-r--r--    1 netsaint root      490 Apr 11  2002 command.cfg
> -rw-r--r--    1 netsaint root    21373 Jul 21 17:13 hosts.cfg
> -rw-r-        1 root     www-data   28 Jul 21 15:22 htpasswd.users
> -rw-r--r--    1 root     root     1948 Apr  6  2002 index.html
> -rw-r--r--    1 root     root     2302 Apr  6  2002 main.html
> drwxr-xr-x    2 root     root     4096 Jul 21 17:27 neat
> -rw-r--r--    1 root     root    19900 Jul 21 15:22 netsaint.cfg

Bye

Volker Tanger


 





Re: Traffic Accounting

2003-07-21 Thread Volker Tanger
Greetings!

On Mon, 21 Jul 2003 10:20:05 +0200 Thomas Lamy <[EMAIL PROTECTED]>
wrote:

> Don't use it. I've been through many open source and self-made IP
> accounting tools, and using tcpdump is not what one would like. It
> gets really messy on high throughput.

"Messy" as in higher load than IPtables or as in packet drops - or how?
Can you hint me at some resources (URLs) on this?

Thanks a lot for your input

Volker Tanger


PS: TrafAn was a quick-shot designed to give a rough estimate on
intra-network protocol usage e.g. plugged into a SPAN-port of 
a switch.
So using it for accounting is more a by-product...


 





Re: Traffic Accounting

2003-07-20 Thread Volker Tanger
Greetings!

On 19 Jul 2003 23:35:08 +0300 kgb <[EMAIL PROTECTED]> wrote:

> Which is best way for traffic accounting i use ipac-ng but i don't
> like it anymore because it make my system under high load.

If you don't want to mess around with IPtables just to do traffic
accounting, you could try

http://wyae.de/software/trafan/

which works even from a third machine - just plug in and be happy. I do
not have any experiences with high load scenarios, though.

Bye

Volker Tanger


 





Re: Firewall on compac flash

2003-05-23 Thread Volker Tanger
Greetings!

On Fri, 23 May 2003 14:48:27 +0200 "debian-isp"
<[EMAIL PROTECTED]> wrote:

> We are just considering if we should try to set up our firewall on a
> rackmount system with only a Compact Flash card and onboard CPU. Which
> would reduce at least the possibility of a harddisk crash, and would
> provide an easy possibility to swap cards when there is a problem. The
> Compact Flash card (available also with 512MB) is acting like a
> harddisk... Any experience with that kind of hardware ? 

Main problem with flash cards is the limited number of write cycles.
This may not be THAT much of a problem with config and even less with
the software.

One thing, though, often overlooked: where do you put the logs? A firewall
without logs loses a *LOT* of its practical value.

Bye

Volker Tanger

IT-Security
discon gmbh
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/

-- 


---
Visit our new Internet Pages on http://www.detewe.de .
Our Highlight: Online Product Adviser for Home & Office.
(Currently available in German only)




Re: Using hash directories

2003-05-23 Thread Volker Tanger
Greetings!

On Fri, 23 May 2003 10:24:33 +0200 Emmanuel Lacour
<[EMAIL PROTECTED]> wrote:

> I would like to understand why some softwares such as postfix or squid
> uses hash of directories like:
> 
> a/a/
> b/a/
> d/a/darmond
> 
> for their spools.

Quite a number of filesystems still do linear search when trying to
access a file. So accessing the mailbox for Zacharias Zulu (zzulu) among
20.000 users will give the OS probably 19.998 filenames to look up
before finding the correct one. Personal (negative) record due to this
effect was 3,5 seconds to access a file (of quite some thousands) on an
old MS-DOS/FAT harddisc - on 386ish hardware, so not THAT shabby...

Newer filesystems (ReiserFS, probably JFS and XFS too (not checked)) use
BTree or similar techniques to reduce lookups to the order of log(N)
instead of N.

So if using a classic filesystem, creating such a directory tree will
mimic a number of hierarchies of a tree search, thus saving quite some
file access time. But with new file systems they will come with a slight
access time penalty compared to a flat hierarchy.

Bye

Volker Tanger
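The argument above carried through in code, added here as an example and not taken from the post or from Postfix/Squid: hash_path() builds the d/a/darmond style path from an entry's leading characters, and lookup_cost() counts the directory entries a filesystem has to examine to open that entry, once for a filesystem that scans directories linearly and once for one with B-tree lookups, so both halves of the post's claim (big win on the former, slight penalty on the latter) can be seen. The user names are constructed.

```python
"""
Hashed spool directories: lookup cost flat vs hashed, linear vs B-tree.

Cost model (assumption for this example): at every directory on the path,
a linear-scan filesystem compares up to `entries` names, a B-tree
filesystem about ceil(log2(entries)); the costs of all levels are summed.
"""
import math
import string


def hash_path(name, depth=2):
    """'darmond' with depth 2 -> 'd/a/darmond': one level per leading character."""
    if len(name) < max(depth, 1):
        raise ValueError("name too short for the requested hash depth")
    return "/".join(list(name[:depth]) + [name])


def build_tree(names, depth):
    """Nested dicts mirroring the directory tree the hashed names would create."""
    root = {}
    for n in names:
        node = root
        for part in hash_path(n, depth).split("/")[:-1]:
            node = node.setdefault(part, {})
        node[n] = None  # the file itself
    return root


def lookup_cost(names, target, depth, linear=True):
    """Worst-case directory entries examined to open `target`, summed over
    every directory on its path. depth=0 means one flat directory."""
    node = build_tree(names, depth)
    cost = 0
    for part in hash_path(target, depth).split("/"):
        entries = len(node)
        cost += entries if linear else max(1, math.ceil(math.log2(entries)))
        node = node[part]
    return cost


# Constructed user list: 26 * 26 = 676 mailboxes, 'aauser' .. 'zzuser'.
SAMPLE_USERS = [a + b + "user"
                for a in string.ascii_lowercase for b in string.ascii_lowercase]


def compare(names=SAMPLE_USERS, target="zzuser", depth=2):
    """Flat vs hashed cost on a linear-scan and on a B-tree filesystem."""
    return {
        "linear_flat": lookup_cost(names, target, 0, linear=True),
        "linear_hashed": lookup_cost(names, target, depth, linear=True),
        "btree_flat": lookup_cost(names, target, 0, linear=False),
        "btree_hashed": lookup_cost(names, target, depth, linear=False),
    }
```

For the 676 constructed users the hashed layout cuts a linear scan from 676 to 53 entries, while on the B-tree filesystem it costs 11 instead of 10: exactly the trade-off described above.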

-- 






Re: sendmail or qmail or what?

2003-05-22 Thread Volker Tanger
Greetings!

On Wed, 21 May 2003 18:40:36 +0200 Franz Georg Köhler
<[EMAIL PROTECTED]> wrote:

> > I'm setting up a mail server, I'd like to hear opinions about which
> > one is better.
> 
> It depends on your personal preferences.
> 
> I favor exim: http://www.exim.org/ .

Main question: what do you want/need? For a pure satellite hub you can
be quite well off with SSMTP. What is your metric (for "best")?
Flexibility, available addins, security, easy to configure, or what?

For a brief comparison of the most common ones:
http://www.geocities.com/mailsoftware42/

Well, that's the MTA side - what about the client part? Do you need POP
or IMAP? Both? LDAP access? What spool design, etc.? There are (again)
loads of agents available. Again: what is your metric for "best"?

Bye

Volker Tanger

-- 







Re: 1 or more network cards

2003-05-21 Thread Volker Tanger
Greetings!

On Wed, 21 May 2003 11:40:06 +1000 Glenn Hocking <[EMAIL PROTECTED]>
wrote:
> Has anyone put any thought and testing whether it is better to have
> one network card with multiple IP assigned or 2-3 net cards with
> separate IP numbers.
> Actual specs, The cards are all 10/100 Intel's connected to the net
> via a 10mb/s ethernet with direct public IPs. The secondary IPs are
> private local addresses for local backup and maintenance.

As you mention public and private IP space: physical separation enables
you to recognize and fight address spoofing. With IPtables you simply
use the -i option to define the valid interfaces. That won't be
possible if you use only one card. 

Plus searching for errors will be easier: you can ping the inside
interface - so that card's okay. If you can reach the outside card, that
one is okay, too. If you still get nothing through, your iptables config
is hosed. If you only have one card, it'll be much more difficult. As
will be sniffing in respective networks. NAT-issues come to mind, that
will be very difficult to debug when using only one card.

Bye

Volker Tanger

-- 






Re: Collecting stats for different servers

2003-04-03 Thread Volker Tanger
Greetings!

> ++ 21/03/03 14:44 +0200 -  Gideon Oosthuysen:
> 
> >I would like to collect statistics like uptime / system load / disk
> >usage / memory usage on all my different
> >servers and display it on my webserver is there any program i can use
> >for that ?

For displaying you can use Nagios (NetSaint - http://www.nagios.org/).

For data collection you can use the supplied plugins or write them
yourself e.g. via SSH as http://www.wyae.de/software/aslcheck/ does.

Bye

Volker Tanger

IT-Security
discon gmbh
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/

-- 









Re: load balancing(2)

2003-03-14 Thread Volker Tanger
Greetings!

On Thu, 13 Mar 2003 17:26:21 +0100 Andrew Miehs <[EMAIL PROTECTED]> wrote:

> On Thu, Mar 13, 2003 at 04:47:47PM +0100, Volker Tanger wrote:
> > For incoming the firewalls simply use DNS Round-Robin on the FW
> > members which have to be listed as primary/master servers for the
> > domain in question. This way you are independent on network
> > mechanics.
> >
> 
> If you use round robin DNS, you will have the problem that 50% of your
> traffic will disappear, when provider 1 goes down. Yes, you could try
> and fix this with changing TTLs, but its messy, and browers, and other
> DNS servers which are not in your control, may cache things, even
> though they shouldnt.


Yes - but it is not the run-of-the-mill DNS-round-robin as you might
know it. In the root DNS servers both servers (i.e. via the two provider
lines) are listed as equal masters. 

So if one line goes down, the remaining DNS server still can be queried,
which of course lists only the IP addresses of the working line.
As the DNS sits on the FW cluster, the FW tweaks its
DNS-round-robin according to current line availability and capacity.

But yes, you are right: DNS caches, usually a good thing, will render
that failover mechanism useless. So basically "only" the ones with
advanced infrastructure (esp. big business customers) will suffer
failures. 

Bye

Volker Tanger
IT-Security Consulting

-- 

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3435

[EMAIL PROTECTED]
http://www.discon.de/







Re: load balancing(2)

2003-03-13 Thread Volker Tanger
Greetings!

On Thu, 13 Mar 2003 15:52:24 +0100 Andrew Miehs <[EMAIL PROTECTED]> wrote:

> If two, this will start getting more complicated. You will need to
> look into using BGP. As you are asking this question, I assume that
> you havent had much experience with BGP, and would recommend asking
> your provider for help. Providers can sometimes be a bit picky with
> offering customers BGP feeds,

Well, (expensive, proprietary) solutions like from Rainfinity offer that
without routing protocols. For outgoing they use the(ir) firewall
cluster's ability to do load balancing and use different default routes
on each of the firewall cluster's machines. As soon as one outgoing line
life-check indicates a problem, all cluster members switch their gates to
the good line(s).

For incoming the firewalls simply use DNS Round-Robin on the FW members
which have to be listed as primary/master servers for the domain in
question. This way you are independent on network mechanics.

The FW cluster sandwiched between switches (redundancy/failover
necessary here, too?) will be placed at "" below.


> > network 1_ internet connection 1 
> >  \ _/
> >  /  \_ internet connection 2
> > network 2   


How to do that with Debian?

A redirector is placed at "".

Simple outgoing HA first part: the internal network(s) use the
redirector as default gate. That one does health checks of the internet
connection. As soon as there is a problem, it switches its default gate
to the other one.

Simple outgoing HA second part: replace the single redirector PC with a
(failover) cluster e.g. LVS.

Simple outgoing HA (3) with some load balancing: you'll need a cluster
of two or more redirectors for this. Network 1 uses clustermember1's
(primary yet clustered) IP Address as default gateway, network 2 the
one of clustermember2. Disadvantage is that you'll have to rely on
manually tuning the networks and network members to achieve acceptable
results.

All this is available as run-off-the-mill software.

I did not check back, but isn't there policy based routing for Linux
somewhere out there? If so, you could implement that on the cluster
instead of switching default gates. Does anyone know
references/pointers?

Bye

Volker Tanger
IT-Security Consulting

-- 

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3435

[EMAIL PROTECTED]
http://www.discon.de/
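The "simple outgoing HA first part" above as a small failover controller, added here as an example and not from the post or any product: the probe is injected so the decision logic runs offline (a real redirector would probe each uplink through its own line and execute the returned `ip route replace` command), and a line only counts as down after several consecutive failed probes so that one lost packet does not flap the default gate. Gateway addresses and probe results are constructed; there is no automatic failback to a recovered line.

```python
"""
Redirector that health-checks the uplinks and switches its default gate.
"""
from dataclasses import dataclass, field


@dataclass
class Uplink:
    name: str
    gateway: str       # next-hop router of this internet connection (constructed)
    failures: int = 0  # consecutive failed health checks


@dataclass
class Redirector:
    uplinks: list
    fail_threshold: int = 3   # probes in a row that must fail before switching
    active: int = 0           # index of the line currently used as default gate
    log: list = field(default_factory=list)

    def route_command(self):
        """iproute2 command a real redirector would run for the active line."""
        return f"ip route replace default via {self.uplinks[self.active].gateway}"

    def check(self, probe):
        """One round of health checks; probe(uplink) -> True if the line answers.
        Returns the route command when the default gate changes, else None."""
        for u in self.uplinks:
            u.failures = 0 if probe(u) else u.failures + 1
        current = self.uplinks[self.active]
        if current.failures < self.fail_threshold:
            return None  # still fine, or not yet declared dead (anti-flapping)
        # First healthy line in listed order (primary first) becomes the gate.
        for i, u in enumerate(self.uplinks):
            if i != self.active and u.failures == 0:
                self.log.append(f"{current.name} down, switching to {u.name}")
                self.active = i
                return self.route_command()
        self.log.append(f"{current.name} down, no healthy line to switch to")
        return None


def scripted_probe(outcomes):
    """Probe built from per-line lists of results (constructed test data)."""
    rounds = {name: iter(results) for name, results in outcomes.items()}
    return lambda uplink: next(rounds[uplink.name])


def demo():
    """Line 1 loses three probes in a row while line 2 stays up."""
    r = Redirector([Uplink("line1", "192.0.2.1"), Uplink("line2", "198.51.100.1")])
    probe = scripted_probe({"line1": [True, False, False, False, True],
                            "line2": [True, True, True, True, True]})
    return [r.check(probe) for _ in range(5)], r
```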







Re: UPS sharing

2003-03-11 Thread Volker Tanger
Greetings!

On Tue, 11 Mar 2003 09:47:25 +0200
"Craig" <[EMAIL PROTECTED]> wrote:

> I was wondering if its possible to have 2 Debian boxes sharing
> a single UPS ? Its a 650Pro - made by APC.

Depending on the boxes 650 VA might be a bit small/underpowered.
Standard office PCs (no fancy/overclocked CPU or graphics, single HD)
should be okay, heavy servers (multi-CPU, double/triple powersupply,
RAIDs, ...) definitely not. In-between: depends. 

Power consumption considerations aside you probably will want to have
your boxes shut down cleanly in case of power failure. One possibility
is to shut down the "slave" via network (see apcupsd docs for this) - or
use multiple serial cables. For this APC recommends one of their
multi-port repeaters. Adventurous people might grab a soldering iron and
try to simply y-cable the signal lines. Beware: this will not work at
all in "smart" signaling mode and is not supported by APC Corp. 

Bye

Volker Tanger
IT-Security Consulting

-- 

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3435

[EMAIL PROTECTED]
http://www.discon.de/







Re: Routing with Linux

2003-03-06 Thread Volker Tanger
Greetings!

On Thu, 06 Mar 2003 14:38:08 +0100
"Uwe A. P. Wuerdinger" <[EMAIL PROTECTED]> wrote:
>
> Depends on the hardware.
>   We got 750 mbits on a single box with a 2 channel intel gigabit card
>   (Intel PRO/1000 MT Dual Port (64bit/66MHZ PCI) in a Fujitsu-Siemens 
> PRIMERGY L200 with 2 Intel PIII (1.40 GHZ) and 2 GB SDRAM.

The important fact is the "(64bit/66MHZ PCI)" part - as standard PCI
(32bit@33MHz) will not transfer much more than 1Gbit/s. So two Gbit/s
cards on the same Standard PCI bus would only let ~500Mbit/s pass
(half-duplex). Even the fast+wide PCI is barely fast enough for a
full Gbit/s line run full-duplex.

Bye

Volker Tanger
IT-Security Consulting

-- 

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/







Re: Gaming server

2003-01-21 Thread Volker Tanger
Greetings!

Vinai Kopp wrote:

> On Mon, Jan 20, 2003 at 10:15:44AM -0500, Todd Charron wrote:
> 
> > I was wondering if any of you have any experience running a game server
> > under Debian.  Also wondering if you know the CPU/memory/bandwidth
> > requirements of such a project.  Thanks,
> 
> The hardware is a PII 266, 196 MB Ram, the connection is 1.5 MBit
> down- and 192 Kbit upstream. It manages the load great (load average
> always below 80%).


I've seen smaller machines handling hundreds of users simultaneously 
okay - and the main game process often was running nice'd down behind 
extensive number crunching. Okay, maybe you did not think of a 
(text-based) MUD/MUSH when asking about a "game server"...   ;-)

Bye
	Volker

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon+49 30 6104-3307
fax+49 30 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/






Re: Debian Backup Server

2002-12-02 Thread Volker Tanger
Good morning!

[EMAIL PROTECTED] wrote:

> Can anybody pls help me on how to have a full back up of a Mail Server
> (Running on Debian and Exim) ... I want to have a full backup of the mail
> Server on a different drive with all the users and directory permissions
> the same with the original server.



"man tar" - you probably don't have the same hardware on your backup 
server in case of emergency:

	tar cvf /backup/file+dir.tar --preserve --numeric-owner \
		/etc/exim* /etc/passwd /etc/shadow \
		/var/spool/mail/ /var/spool/exim/

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon+49 30 6104-3307
fax+49 30 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/






Re: File system checker

2002-09-18 Thread Volker Tanger
Greetings!

Edward Tjin Liep Shie wrote:

> I am looking for a script/tool that checks if my filesystem is getting 
> full or is full.. ?

df   - see the man page for options.

For a sample usage in scripting surveillance see the main shell script 
from http://www.wyae.de/software/aslcheck/

Bye
    Volker

Volker Tanger
IT-Security Consulting

-- 
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon +49 30 6104-3307
fax +49 30 6104-3461

[EMAIL PROTECTED]
http://www.discon.de/
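A fill-level check of the "df plus a bit of scripting" kind the reply points at, added here as an example and not taken from aslcheck or the post: it parses POSIX `df -P` output, skips pseudo filesystems that never fill up, and reports warning/critical states per mount point. The `df` output below is a constructed sample so the check runs offline; in production feed it the real output as `check_local()` does.

```python
"""
Filesystem fill-level check on `df -P` output.
"""
import subprocess

# Constructed sample of `df -P` (POSIX format: exactly one line per filesystem).
SAMPLE_DF = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1          9613476   8846398    278714      97% /
/dev/sda2         47930484  21654000  23841392      48% /var
tmpfs               512000         0    512000       0% /dev/shm
/dev/sdb1        102400000  92160000   8192000      92% /var/spool/mail
"""

# Pseudo filesystems whose "capacity" is meaningless for a disk-full alarm.
IGNORE_FS = ("tmpfs", "devtmpfs", "proc", "sysfs", "udev")


def parse_df(text):
    """Yield (filesystem, mountpoint, percent_used) from `df -P` output."""
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue                            # empty or truncated line
        fs, mount = parts[0], " ".join(parts[5:])   # mount points may contain spaces
        pct = int(parts[4].rstrip("%"))
        yield fs, mount, pct


def check_disks(text, warn=80, crit=95):
    """Return (state, messages); state is 'OK', 'WARNING' or 'CRITICAL'
    (the worst state over all real filesystems wins)."""
    state, messages = "OK", []
    for fs, mount, pct in parse_df(text):
        if fs in IGNORE_FS:
            continue
        if pct >= crit:
            state = "CRITICAL"
            messages.append(f"CRITICAL {mount} ({fs}) {pct}% used")
        elif pct >= warn:
            if state == "OK":
                state = "WARNING"
            messages.append(f"WARNING {mount} ({fs}) {pct}% used")
    return state, messages


def check_local(warn=80, crit=95):
    """Run df -P on this host and check the result (needs a real system)."""
    out = subprocess.run(["df", "-P"], capture_output=True, text=True, check=True).stdout
    return check_disks(out, warn, crit)
```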







Re: multiple webcams via one linux box

2002-08-27 Thread Volker Tanger
Greetings!
Bernie Berg wrote:

> Hi, I have a project that could potentially have 85 webcams.  
[...]
> You can get a usb adapter
> to input them into a computer.  Ummm, anyone have luck linking 85 usb
> webcams into one linux box?  Any other suggestions?

USB has a device number limit per bus - and a cable length limit: 
specifications limit it to 3m (9ft) max - usually recommended is to keep 
the length below half of it.

Unless you need realtime video I'd suggest you get small video cams 
(possible to get them for ~200$ each), relay them via a remote (i.e. 
computer) controlled switch box and feed them into a standard video-in 
card (e.g. BTT-based). I've seen switch boxes supporting up to 8 
video-ins controlled via parallel port - so you probably will have to 
build your own controller box. Using the parallel port and a number of 
layered TTL b2d-decoders to trigger a transistor-boosted relay for each 
input, building that box should not be too complicated.

Bye
Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon+49 30 6104-3307
fax+49 30 6104-3461
[EMAIL PROTECTED]
http://www.discon.de/