The Linux Guru
Linux experts, providing Linux systems and servers since 1999. Free Linux help, so please post if you need more info.

Reset or recover password lost or forgotten alcatel OS6850 switch
Published 2012-07-20

OK, to reset a password, or if you have forgotten your admin password for your switch, do the following steps and you are done.

Remember, this clears all users on the switch (NMS etc).

Connect with putty.exe to the switch and make sure you are connected (press the Enter key a couple of times).

Then reboot, and press the Enter key almost immediately to stop autoboot.
Wait for the message "Hit any key to stop autoboot: 0" and hit any key:

    Hit any key to stop autoboot: 0

Then type the following commands:

    => fatls ide :1,0
    => fatls ide :1,0 /network
    => fatdelete ide :1,0 /network/usertable5    (or /network/usertable4)

Now powercycle the switch, or type "run miniboot" at the U-Boot prompt (=> reboot or => boot).
Now the switch will be back at factory defaults (admin/switch). Please note that you need to recreate all users needed for NMS or logins.

ACPI: Assume root bridge [\_SB_.PCI0] bus is 0
Published 2010-06-03

OK, so I have noticed some HP hardware users are having issues installing Linux (different distros).

The CD would boot and get stuck at

    ACPI: Assume root bridge [\_SB_.PCI0] bus is 0

... but don't cry ...

All you do is restart, and when you get to the install prompt where you normally just press Enter to boot, you type in the following and THEN press Enter:

    linux noacpi nodma acpi=off

That should do it for the majority of you guys...

SCP or SSH without password
Published 2010-02-17

I have many requests from users on how they can set up a Linux server to be able to ssh or scp to another Linux server without having to authenticate (to move data with cron jobs, scripts etc). This is REALLY so easy you won't believe it, but since you are here, reading this, I take it it is NOT so easy then hey ;-)

Firstly, make sure that you actually have the necessary routing and firewall rules in place for you to ssh to your destination Linux server. So log into your server and do a normal ssh session to the other server:

    ssh user@server.ip.address

This should prompt you straight for the password if you have connected before, or ask you (only once) to save the host key details for the server and then ask you for the password.
Once this is confirmed, continue reading.

OK, so what you need to do is check the following location to see if you have the following files:

    cd /root/.ssh
    ls -al

This should list the following files on your server:

    -rwx--xr-x 1 user user  601 Jun  3 01:58 authorized_keys
    -rwx--xr-x 1 user user  668 Jun 11 19:26 id_dsa
    -rwx--xr-x 1 user user  599 Jun 11 19:26 id_dsa.pub
    -rwx--xr-x 1 user user 6257 Jan  2 21:04 known_hosts

Should you NOT have the id_dsa files, you need to create them as follows:

    user@fwsrv ~ $ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_dsa):   # Press 'enter' here
    Enter passphrase (empty for no passphrase):                      # Press 'enter' here
    Enter same passphrase again:                                     # Press 'enter' here
    Your identification has been saved in /home/user/.ssh/id_dsa.
    Your public key has been saved in /home/user/.ssh/id_dsa.pub.
    The key fingerprint is:
    2f:d4:cb:50:e6:f3:90:f0:0g:68:d6:10:34:eb:1d:5f user@fwsrv

DO NOT enter a password during any of the above steps.

Should you not have the authorized_keys file on the destination server, do the following:

    scp ~/.ssh/id_dsa.pub user@'servername':.ssh/authorized_keys

Only do the above if you DO NOT have the authorized_keys file on the destination server already.

Should you already have the file, because you need to do this between more than one server, you just need to copy the id_dsa.pub file from server1 to server2 under any file name and then concatenate that file on server2 onto the existing file.

Do this by typing: cat "filename" >> authorized_keys

This will take the contents of "filename" and append it to the existing file; if you only use a
> sign, you will overwrite the whole file, so be careful!!

Now test the connection by typing ssh server2 from server1.

squid proxy server - mini howto
Published 2008-07-28

Squid proxy servers are a great way to control the Internet browsing for your company. In a previous post I mentioned all the good reasons why you should get one, and in this post I will try to show you and explain where and how to do this.

You need to edit the main configuration file located under /etc/squid/squid.conf. In this file the following options must or can be used:

http_port 8080 - This is where you specify what port the proxy server must listen on. If you go to your Internet Explorer to set your proxy and proxy port, this is the port number.

cache_mem 64 MB - This line specifies the amount of memory that squid can use for caching. There are many theories out there on how to calculate this, but a good understanding can be obtained from the following criteria (from http://www.devshed.com/):

x = Size of cache dir in KB (i.e.
6GB = ~6,000,000KB)
y = Average object size (just use 13KB)
z = Number of directories per first level directory

    (((x / y) / 256) / 256) * 2 = # of directories

As an example, I use 6GB of each of my 13GB drives, so:

    6,000,000 / 13 = 461538.5
    461538.5 / 256 = 1802.9
    1802.9 / 256 = 7
    7 * 2 = 14

So my cache_dir line would look like this:

    cache_dir 6000 14 256

cache_swap_low 80 - When you set your cache_dir to, let's say, 2048 MB or 2 GB, then this value is the low water mark at which squid stops rotating or cleaning out the cache.

cache_swap_high 90 - Same as the explanation above, but this tells squid when to start freeing up old cache: it starts when usage reaches this level and stops when it gets back down to the low percentage of the disk size (80 percent).

maximum_object_size 1024 KB - This tells squid not to cache any objects or files larger than 1 MB. It depends on how big the squid server is and how fast you want your cache to be, but also on the amount of disk space you have, because you might fill up the space before you know it!

minimum_object_size 0 KB - This specifies the minimum size a file or object is allowed to be; set this to 0 if you don't want to specify anything.

maximum_object_size_in_memory 64 KB - This specifies the size of an object or file that is allowed to be placed in the cache_mem amount of memory. Normally used for fast-access type files for browsing; don't make it too high, it will hog the memory pool.

cache_dir ufs /var/spool/squid 2048 256 256 - This is where you specify the disk space, or disk space usage, for the squid cache on your server. cache_swap_high and cache_swap_low look at this value and know when to rotate the cache when it hits the 90 and 80 percent marks.

cache_access_log /var/log/squid/access.log - This tells squid where to write the access details. You will run your reporting software on this file to see who browsed where on the Internet, amount of bandwidth used, etc.
You can use the script below to concatenate the log files each month, so you have a directory with monthly access.log files in it:

    #!/bin/bash
    ##############################################################################
    # Copyright : LDS - http://www.lds.za.net/
    #
    # Variables : ARCHIVE  - directory where the SQUID files are archived
    #           : LOGDIREC - location of the live SQUID log file
    #           : SQUIDLOG - SQUID log file name
    ##############################################################################
    ARCHIVE=/var/log/archive/squid
    LOGDIREC=/var/log/squid
    SQUIDLOG=access.log

    # Copy the live log into the archive directory and empty the live file.
    # Note: truncating with cp /dev/null does not tell squid to reopen the file;
    # run "squid -k rotate" first if squid must keep writing to a fresh file.
    rm -f $ARCHIVE/$SQUIDLOG
    cp -dp $LOGDIREC/$SQUIDLOG $ARCHIVE/$SQUIDLOG
    cp /dev/null $LOGDIREC/$SQUIDLOG
    cd $ARCHIVE

    # Unpack this month's archive, append the new log and recompress it.
    # If the compression fails, the unpacked temp file is kept under a "failed-" name.
    mv ./`date +'%Y%m'`.gz ./temp.gz
    gunzip ./temp.gz
    (cat ./temp $SQUIDLOG | gzip > ./`date +'%Y%m'`.gz) && rm temp || mv temp failed-`date +'%Y%m%d'`
    #
    # END OF SCRIPT
    ##############

ftp_user squid@lds.za.net - This specifies the default username to send to anonymous FTP sites.

auth_param basic program /usr/lib/squid/smb_auth -W CORE -U
The above line sends authentication to a Microsoft based authentication server (normally a domain controller).

auth_param basic children 8
auth_param basic realm AOSL Proxy Server
auth_param basic credentialsttl 2 hours

The above lines set options for the authentication module.

client_lifetime 1 hour - This option prevents open connections from hogging the squid process (an Internet Explorer browser left open on a PC).

half_closed_clients off - This works in conjunction with the above line to kill inactive connections.

shutdown_lifetime 3 seconds - This option speeds up the shutdown time when you stop squid.

acl password proxy_auth REQUIRED - This option works with the authentication options you have set;
this will force authentication when a request comes through.

The options below give you control over which internal IPs can do anything, which sites are blocked, etc.:

    acl openip src "/etc/squid/openip.cfg"
    acl badsites dstdomain "/etc/squid/badsites.cfg"
    acl opensites dstdomain "/etc/squid/opensites.cfg"
    acl restricted_sites dstdomain "/etc/squid/restricted_sites"
    acl restricted_users proxy_auth "/etc/squid/restricted_users"
    acl priv_sites dstdomain "/etc/squid/priv_sites"
    acl priv_users proxy_auth "/etc/squid/priv_users"
    acl BONYUSERS dst 160.254.119.0/24

The file names at the end (which you should create) explain what each file contains and what it will do for you.

The lines below "activate" the ACLs above; squid checks them in order, and the first line whose ACLs all match decides:

    http_access allow BONYUSERS
    http_access allow openip
    http_access allow opensites
    http_access allow restricted_users restricted_sites
    http_access deny restricted_users
    http_access allow priv_users priv_sites
    http_access deny badsites
    http_access allow password

The rest of the configuration file is not much needed, but a short explanation for each config line is given inside the /etc/squid directory.

As stated earlier, please post a comment to get more help.

Sendmail support - sendmailreload script
Published 2008-07-25

I have made this simple script you can use for your mail server when you need to activate any changes you have made to any of the config files inside the /etc/mail directory.
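Back to the http_access list in the squid proxy howto above: the following is an added example (my code, not the author's configuration and not part of Squid) that replays that exact rule order against a few constructed requests, so you can see which line decides each one before putting the file on a live proxy. It assumes made-up ACL members in place of the /etc/squid/*.cfg files, the TEST-NET address 203.0.113.5 as a generic destination, and a simplified proxy_auth check (real Squid challenges an unauthenticated client with a 407 instead of just not matching).

```python
import ipaddress

# Constructed ACL members standing in for the /etc/squid/*.cfg files the post
# refers to; the ACL names and types are the ones from the squid.conf above.
ACLS = {
    "openip":           ("src",        ["192.168.0.10/32"]),
    "badsites":         ("dstdomain",  [".badsite.example"]),
    "opensites":        ("dstdomain",  [".opensite.example"]),
    "restricted_sites": ("dstdomain",  [".intranet.example"]),
    "restricted_users": ("proxy_auth", ["temp1"]),
    "priv_sites":       ("dstdomain",  [".finance.example"]),
    "priv_users":       ("proxy_auth", ["cfo"]),
    "BONYUSERS":        ("dst",        ["160.254.119.0/24"]),
    "password":         ("proxy_auth", ["REQUIRED"]),
}

# The http_access lines exactly in the order the post gives them.
HTTP_ACCESS = [
    ("allow", ["BONYUSERS"]),
    ("allow", ["openip"]),
    ("allow", ["opensites"]),
    ("allow", ["restricted_users", "restricted_sites"]),
    ("deny",  ["restricted_users"]),
    ("allow", ["priv_users", "priv_sites"]),
    ("deny",  ["badsites"]),
    ("allow", ["password"]),
]


def request(src_ip, host, user=None, dst_ip="203.0.113.5"):
    """A constructed proxy request: client IP, requested host name, the
    authenticated user (None if the client did not log in) and the resolved
    destination IP (defaults to a TEST-NET placeholder)."""
    return {"src_ip": src_ip, "host": host, "user": user, "dst_ip": dst_ip}


def domain_matches(pattern, host):
    # Squid dstdomain semantics: a leading dot matches the domain and every
    # subdomain of it; without a leading dot only that exact host name matches.
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name, req):
    kind, members = ACLS[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req["src_ip"] if kind == "src" else req["dst_ip"])
        return any(addr in ipaddress.ip_network(m, strict=False) for m in members)
    if kind == "dstdomain":
        return any(domain_matches(m, req["host"]) for m in members)
    if kind == "proxy_auth":
        # Simplification: real Squid answers an unauthenticated request with a
        # 407 challenge at this point; this model just treats it as "no match".
        if req["user"] is None:
            return False
        return "REQUIRED" in members or req["user"] in members
    raise ValueError(f"unsupported acl type {kind}")


def decide(req, rules=HTTP_ACCESS):
    """Return (action, deciding line). The first http_access line whose ACLs
    all match wins; if no line matches, Squid applies the opposite of the last
    line's action (here: the last line is an allow, so the default is deny)."""
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action, f"http_access {action} {' '.join(names)}"
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return fallback, "implicit default (opposite of last line)"


if __name__ == "__main__":
    samples = [
        request("192.168.0.10", "www.badsite.example"),            # openip client, no login
        request("10.0.0.7", "www.intranet.example", user="temp1"),
        request("10.0.0.7", "www.news.example", user="temp1"),
        request("10.0.0.7", "www.finance.example", user="cfo"),
        request("10.0.0.7", "www.badsite.example", user="cfo"),
        request("10.0.0.7", "www.news.example", user="alice"),
        request("10.0.0.7", "www.news.example"),                   # no login at all
    ]
    for s in samples:
        print(s["src_ip"], s["user"] or "-", s["host"], "->", *decide(s))
```

Note that the first sample is decided by "http_access allow openip" before "http_access deny badsites" is ever consulted; that is what the ordering implies, so make sure it is what you intend for the addresses in openip.cfg.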
I know I have made a posting before with the script in it, but this one is a bit better, and this post is dedicated to it ;-)

Here is the script:

    #!/bin/bash
    MAILDIR="/etc/mail"
    cd /etc/mail
    # Rebuild the hashed database for each map sendmail reads
    makemap hash $MAILDIR/virtusertable.db < $MAILDIR/virtusertable
    makemap hash $MAILDIR/mailertable.db < $MAILDIR/mailertable
    makemap hash $MAILDIR/access.db < $MAILDIR/access
    makemap hash $MAILDIR/aliases.db < $MAILDIR/aliases
    makemap hash $MAILDIR/domaintable.db < $MAILDIR/domaintable
    newaliases > /dev/null 2> /dev/null
    wait
    # Send SIGHUP to the listening sendmail daemon so it re-reads its configuration
    ps auxw | grep sendmail | grep accepting | awk '{print "kill -HUP "$2}' | sh
    echo "Rebuild aliases run now - "`date` >> /var/log/maillog

The reason why it is better to use this script is that when you start to get a very busy mail server, with a huge amount of mail in the mail queue, you don't want to restart the sendmail service every time you make a change; rather run this script.

Sendmail support - aliases file
Published 2008-07-25

Sendmail uses this file to "alias" email to users, groups, script files or even mailing list managers.
With a standard Linux installation, this file is for some reason located in the /etc directory and not in the /etc/mail directory like the rest of the email configuration files.

I believe it is best to keep all the email configuration files in one directory, so I suggest you MOVE the /etc/aliases and /etc/aliases.db files into the /etc/mail directory. Once you have done this, you MUST edit the /etc/mail/sendmail.cf file and change the location where sendmail looks for the alias file.
So you need to edit /etc/mail/sendmail.cf and look for the line:

    O AliasFile=/etc/aliases

Change this line to read:

    O AliasFile=/etc/mail/aliases

Write and quit the file, and again do a "service sendmail reload", or just run that sendmailreload script I have posted previously.

Let's look at the contents and the uses of the aliases file.

Option 1:

If you need to forward mail to more than one mailbox, sales for example, then you would use the aliases file. Inside the virtusertable file you state that sales@lds.za.net goes to user account lin001.

Then in the aliases file you have the following line to forward the mail to 4 other users as well, even an external mail account; the exact line is:

    lin001: user1, user2, user3, bill@gates.com

or

    sales@lds.za.net: user1, user2, user3, bill@gates.com

Option 2:

If you need to forward mail for a specific user to himself and someone else, because he is on leave, then you would do the following:

    jdoe@lds.za.net: \jdoe, user2

The \ in front of the username prevents the mail from looping back to that user. Since the virtusertable already relays the mail to that user, you would create a mail loop for that user by sending it to them again in the aliases file.

Option 3:

You need to run a script file when someone sends an email to your server, almost like list managers, but normally used to send someone a legal disclaimer or something.
The following line in the aliases file must be used:

    disclaimer@lds.za.net: /path/to/script/file

Option 4:

The MD is going overseas on a business trip and wants his email forwarded somewhere else, or to the branch where he is going; do the following:

    ltrovald@lds.za.net: ltrovald@usa.lds.za.net

This will forward all mail to the other mail address as specified.

Option 5:

The MD wants his mail to be kept on the server AND sent to the other email address as well; then do the following:

    ltrovald@lds.za.net: \ltrovald, ltrovald@usa.lds.za.net

Remember to write and quit the /etc/mail/aliases file, and run the following commands before reloading sendmail:

    makemap hash /etc/mail/aliases.db < /etc/mail/aliases
    service sendmail reload

That is it, please post comments if you need more help.

Sendmail support - mailertable file
Published 2008-07-24

Sendmail uses this file to forward mail for a domain as a whole to another host on the Internet or inside your network.
Let's say you have an internal Exchange server and the Linux server acts as a gateway on the Internet; you can send all your email to the Linux server (MX records) and from there forward the mail internally to your Exchange server.

The mailertable file can also be used to send an entire domain to one local user by doing:

    domainname.com local:username

The virtusertable file can do the same as the above, by adding a line in the virtusertable file like:

    @domainname.com username

The syntax to use in the mailertable file to send a domain's email to another host is shown in the following example:

    domainname.com smtp:[internalserver.domain.com]

That is it, again like always, send me your comments or questions so we can make this better for you!

Sendmail support - virtusertable file
Published 2008-07-24

Sendmail uses this file to do mail routing between all the domains that are on your mail server. How do you think sendmail copes with all the support@ or sales@ email addresses for all the domains? This file and the aliases file are used to group and relay the email addresses to the correct user on the mail server.
There are 5 ways of distributing the mail in this file, which I will show examples for ;-)

Edit this file by typing: vi /etc/mail/virtusertable

Inside this file, you need to do the config as follows:

    # BEGIN

    webmaster@lds.za.net    ldsuser1
    smith@lds.za.net        jsmith
    gbates@lds.za.net       ldsuser2

    # Domain linuxhelp.za.net

    webmaster@linuxhelp.za.net    lin001
    smith@linuxhelp.za.net        lin002
    gbates@linuxhelp.za.net       lin003

    # END

As you can see from this example file, we tried to show that you can have exactly the same email address or name for each domain name, and this shows you how you route it to the different users on the system. To create an email user on a Linux server, use the following command; we will use the username lin001 as an example:

    useradd -d /home/lin001 -s /bin/false -c "Linuxhelp mail user" -g mail lin001

This will create a user without bash access, so this is a safe way of adding mail users.
The -d option is the home directory location; this will NOT move the pop3 mailbox from /var/spool/mail to /home/lin001.

The -s option specifies the shell access; the reason why we use /bin/false is to prevent a mail user with a simple password from having bash access, which would lead to security problems.

The -c option adds a comment line in the /etc/passwd file to identify a username; this works great to find any suspicious users that could have been created by a hacker.

Again, just reload sendmail after you have made the changes, or use the sendmailreload script I have made.

Sendmail support - local-host-names file
Published 2008-07-24

This file is very simple, and does nothing else besides specifying what domain names are hosted on the server. Any domain name found in this file will be expected to have entries in the virtusertable file as well. If you have only one domain on this server, then you will have your domain in this file and in the relay-domains file, and only users set up in the /etc/passwd file.

Simply edit the file and add your domain name by issuing the command:

    vi /etc/mail/local-host-names

Inside this file, add only your domain names, like:

    lds.za.net
    google.com
    linuxhelp.za.net

Write and save the file, and that is it. Add all the domain names you add here into the /etc/mail/relay-domains file as well.
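Putting the aliases, mailertable, virtusertable and local-host-names posts above together, here is an added example (my code, not sendmail's and not the author's) that resolves one recipient address through those files in the order the posts describe, including the \user escape from Option 2 and the loop it prevents. It assumes the entries from the posts plus a few constructed ones: the domains branch.example and onebox.example in the mailertable, a @linuxhelp.za.net catch-all, a jsmith alias deliberately written without the backslash, and no check against /etc/passwd for unknown local users.

```python
# Constructed sample files, built from the entries in the posts above.
LOCAL_HOST_NAMES = {"lds.za.net", "linuxhelp.za.net"}

MAILERTABLE = {                       # domain -> mailer:argument
    "branch.example": "smtp:[internalserver.branch.example]",  # constructed
    "onebox.example": "local:oneuser",                          # constructed
}

VIRTUSERTABLE = {                     # address or @domain -> local user
    "webmaster@lds.za.net": "ldsuser1",
    "smith@lds.za.net": "jsmith",
    "gbates@lds.za.net": "ldsuser2",
    "sales@lds.za.net": "lin001",
    "jdoe@lds.za.net": "jdoe",
    "webmaster@linuxhelp.za.net": "lin001",
    "smith@linuxhelp.za.net": "lin002",
    "gbates@linuxhelp.za.net": "lin003",
    "@linuxhelp.za.net": "lin003",    # constructed catch-all, as in the mailertable post
}

ALIASES = {                           # key -> list of targets, as the aliases post writes them
    "lin001": ["user1", "user2", "user3", "bill@gates.com"],          # Option 1
    "jdoe@lds.za.net": ["\\jdoe", "user2"],                          # Option 2, correct
    "jsmith": ["jsmith", "user2"],                                   # constructed: Option 2 without the backslash
    "disclaimer@lds.za.net": ["/path/to/script/file"],               # Option 3
    "ltrovald@lds.za.net": ["\\ltrovald", "ltrovald@usa.lds.za.net"],  # Option 5
}


def split(address):
    local, _, domain = address.rpartition("@")
    return local.lower(), domain.lower()


def resolve(address, seen=frozenset()):
    """Return the final delivery list for one recipient as tuples:
    ("mailbox", user), ("program", path), ("remote", address),
    ("relay", host, address) or ("loop", name)."""
    local, domain = split(address)
    full = f"{local}@{domain}"
    if full in seen:                              # alias a -> b -> a across addresses
        return [("loop", full)]
    seen = seen | {full}
    if domain in MAILERTABLE:                     # whole domain handed to a mailer
        mailer, _, arg = MAILERTABLE[domain].partition(":")
        if mailer == "smtp":
            return [("relay", arg.strip("[]"), full)]
        return expand(arg, seen)                  # local:user
    if domain not in LOCAL_HOST_NAMES:            # not ours: goes to that domain's MX
        return [("remote", full)]
    # virtusertable: exact address first, then the @domain catch-all;
    # with no entry sendmail falls back to the plain local user name.
    target = VIRTUSERTABLE.get(full) or VIRTUSERTABLE.get(f"@{domain}")
    return expand(target or local, seen, full)


def expand(name, seen, full=None):
    """Expand an aliases entry. A leading backslash means "deliver to this
    mailbox and do not look the name up again", which is what breaks the loop
    in Option 2; without it the same name expands to itself forever."""
    if name.startswith("\\"):
        return [("mailbox", name[1:])]
    if name.startswith("/"):
        return [("program", name)]
    if "@" in name:
        return resolve(name, seen)
    if name in seen:
        return [("loop", name)]
    # the posts key aliases both by local user and by full address, so try both
    members = ALIASES.get(name) or (ALIASES.get(full) if full else None)
    if not members:
        return [("mailbox", name)]                # real sendmail bounces if no such user exists
    out = []
    for member in members:
        out.extend(expand(member, seen | {name}))
    return out


if __name__ == "__main__":
    for addr in ["sales@lds.za.net", "jdoe@lds.za.net", "smith@lds.za.net",
                 "disclaimer@lds.za.net", "ltrovald@lds.za.net",
                 "anyone@branch.example", "whoever@linuxhelp.za.net"]:
        print(addr, "->", resolve(addr))
```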
You will see that by default the relay-domains file does not exist, so just create it ;-)

That is all I can say about that file ;-)

Sendmail Support and Installation
Published 2008-07-24

My favorite SMTP mail program of all time is Sendmail. This was obviously the first Linux SMTP MTA that I used, and I still do. There are many more MTAs out there, but this one is mine ;-)

OK, once you have installed a brand new Linux server, the standard sendmail installation is secure enough not to allow anyone or any other network besides the localhost to send any email. You will see when you do a "netstat -anop | grep LIST" that sendmail is running on port 25 on 127.0.0.1. This is perfect, since in the old days people would forget that they had not secured their sendmail installations, and became a SPAM host for the Internet.

So the first step is to change the listen IP from 127.0.0.1 to either 0.0.0.0 or the IP of your server.
To do this, you need to edit the sendmail.cf and make the following changes:

    vi /etc/mail/sendmail.cf

Inside this file, look for the line that looks like this:

    O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

Now, what you need to do is change the MTA agent to listen on 0.0.0.0 and not just the localhost IP 127.0.0.1, so change the line to:

    O DaemonPortOptions=Port=smtp,Addr=0.0.0.0, Name=MTA

Once you have done this, create a file called "relay-domains" in the /etc/mail directory, and in this file put your domain name and the first 3 octets of your IP range, for example 192.168.0, just that.

Then you can issue the following command to activate your changes:

    service sendmail reload

You will see that the MTA now listens on 0.0.0.0:25, and by adding your domain name and IP range to the relay-domains file you will be able to start using your mail server.

Below is a script I have written which you can use to activate new changes "on-the-fly" without having to restart sendmail. If you have a sendmail server you use in an ISP environment, you don't want to restart sendmail all the time; you will run into issues.
See the script below:

    #!/bin/bash
    cd /etc/mail
    # Rebuild the hashed maps sendmail reads
    makemap hash virtusertable.db < virtusertable
    makemap hash mailertable.db < mailertable
    makemap hash access.db < access
    newaliases > /dev/null 2> /dev/null
    wait
    # Send SIGHUP to the listening sendmail daemon so it re-reads its configuration
    ps auxw | grep sendmail | grep accepting | awk '{print "kill -HUP "$2}' | sh
    echo "Rebuild aliases run now - "`date` >> /var/log/maillog

Call this file "sendmailreload" or something, make the file executable by typing "chmod 755 sendmailreload", and place the file under /usr/sbin.

I will add more pages for sendmail from here, each page dedicated to each file sendmail uses, like local-host-names, mailertable etc.

Securing your company with Linux firewalls
Published 2008-07-23

If you do not have a firewall for your company as yet... well, just get one now! The Internet is just not the safe place it used to be, you know ;-)

Firewalls do 1000% more than they used to do in the good old days. Firewalls are used as VOIP servers, VPN servers, VPN end-tunnel servers, hosting servers, authentication servers, RAS servers etc etc.

The first reason to get a firewall is to protect your internal computer network from the outside world. Your data can be stolen, company information can be stolen, financial documents can be stolen, identity theft, or even your customer data can be stolen, and if that comes out, pick your favourite holiday destination and flee the country.

You have different kinds of attacks on the Internet, too many to mention, but the most well known types are DoS attacks, port scans, sniffers, eavesdropping, bots, IRC clients, spam hosts, open relays etc.
Secure your network, and make sure you keep track of any exploits in the software you run (you can have a secure firewall, but if your firewall allows port 80 traffic and your IIS server is exploitable, your firewall is useless against this attack). If you are still running a BIND version prior to the July 2008 release, it is time to upgrade.

The normal services that a firewall will not close down are usually port 80 (web server), port 53 (DNS server), port 25 (SMTP mail server) and ports 110 and 143 (email services). You can have all the best rules for your firewall, but if your firewall is hosting your DNS as well, and some hacker exploits your BIND software, they will take FULL control over your server. Now think about this: give a hacker full access to your firewall, give him a couple of hours, and you will have the worst business day ever. So maybe it is time that you show the threats to your financial clowns who always give IT the lowest budget, and explain that a firewall should do nothing else besides firewalling. If you had your DNS separate from your firewall, the risk is 100% less.

Get some comments coming in, and I will give some more advice, or rules even, if you need.

Saving money with Proxy servers
Published 2008-07-23

OK... here in South Africa we still do not have the right people in charge of our telecommunications department (ICASA), so we are one of the most expensive broadband countries in the world!

Keeping this in mind, we need to find ways to ensure we use the small caps we have per month in the best way we know.
Now this can be done in numerous ways, all with the help of a Linux server you should add between your router and your network.

The main things to look at that will save you money are to implement a Linux proxy server to do the following for you:

1.) Set up a browsing report system, where you can pull a report each month to see exactly who those clowns on the network are that keep downloading heaps of data which is not work related. This will have an immediate impact on savings, since they now know you are watching them... very closely...

2.) Set up a proper caching server to cache all the bandwidth-eating things like videos, pictures and files on frequently accessed sites. This prevents the situation where each user accessing cnn.com fetches files from the site directly. Many files will be drawn from the cache directory on your server, saving you on bandwidth usage! You will see the amount of cached data when you run the report mentioned in step one.

3.) Set up authentication for browsing. This is a must have, since each user must log on to browse, which will eliminate those users or kids or friends that are not allowed on your company network in the first place! This authentication can be done on the server itself with a simple htaccess file, or you can even authenticate against your AD. Maintaining this solution is as easy as hating Robert Mugabe. Period.

4.) Install a content management program or options in your Squid proxy server. What you can achieve with this is simple: add a list of sites you want to deny access to, like video sites, mp3 sites, blogging sites (not this one ;-) or any other sites you know are not work related, and obviously there is no need for anyone to go there while at the office. I LOVE YouTube, but having YouTube open on the company network is just asking to fill up your ADSL cap in 3 days' time.
Block sites like Facebook as well; time spent on these sites is as scary as seeing Amy Winehouse these days.

5.) Implement a bandwidth management device, or simply use the delay pools that are built into the squid proxy server. What this will do is prevent users from actually browsing at top speed. Let's say you have a 4MB ADSL line but you only want to let your users browse at a maximum of a 1MB ADSL line; you can do it with delay pools. On a busy business day you can download at 75 K/sec, which will hammer your line. By limiting all browsing users to a 1MB line, the obvious saving will happen.

Now if you need any additional information, let me know.

Dedicated Linux Help and support
Published 2008-07-23

Well well... It is about time that I make this available to the outside world! As you know (I hope), Linux is free for all, and I am sure it will forever stay that way. The problem is not everyone knows how to use this beast, so in the spirit of Linux being open source, I will make my knowledge open source as well, by posting it here.

I will try to cover as much of advanced Linux (server environment) as I can, and hopefully you can use this as a good platform to work from. I am an IT manager by profession, and I am the head of IT outsourcing as well. I have installed, maintained and created hundreds of Linux networks in my lifetime, all of them still running.

It is all about installing Linux right the first time; take no short cuts and SECURE your server, since there are so many VERY advanced Linux users out there (normally 12 years old) that can't wait to hack your box and use it as a bot server, spam, rootkit server etc. If you visit here often, tell all your friends; this will hopefully grow into a very useful Linux support site!
Till later!