Posts

Showing posts from 2006

Back to winter Hiking

Hmmm, winter, snow, mountain, ice... Went hiking yesterday. I really love hiking during winter. I didn't know what kind of weather to expect, so I brought my snowshoes and crampons... I came back after the sunset, using my Petzl lamp. I felt good, alone, with the snow and the nature. In fact, I had the feeling that I wasn't really alone out there. Maybe it's because I was getting closer to myself, or maybe it was something else. Or maybe both. Once I got down, I saw 2 persons, looking for their 17-year-old kid and his girlfriend. I offered my help... I hiked another 2 hours. It wasn't easy because I was becoming tired and it is a bit scary, in the dark, alone, in the woods... but at least I knew I had extra food, water and clothes... and when I got back to my car again, I had a note on my wiper, saying that the kid was back and safe, with thanks and their phone #. So I called them to thank them for letting me know and to let them know that I'm also back an

64-bit

Well, I know 64-bit computing isn't new, but it is new for me. Even though I had 64-bit hardware available, I've always installed the 32-bit version of the OS (Linux on x86_64). I had to deal with an x86_64 CentOS 3 server and I liked it. It just took some time to figure out how to install 32-bit packages: yum install package.arch (e.g. package.i386). Pretty neat! I can't say anything about the performance as of now.

milter-greylist

Hi, A few words on milter-greylist, especially because the new version (3) is now at RC6 and looks pretty stable. What are the features of milter-greylist?
- Per-domain and per-user settings
- Friendly networks whitelisting
- Multi-MX sync (the database is replicated across several mail servers if needed)
- SMTP-AUTH support
- SPF records: can be configured not to impose greylisting on messages that are SPF-compliant
- Access lists with DNSBLs
This last option is new in version 3. It is very nice: it allows one to configure milter-greylist to impose greylisting if the source IP is on (configurable) DNS blacklists (DNSBLs). I've installed it and it decreased the number of messages per day by about 60%. I only had to whitelist one server.

Donations

Hi, Just a little reminder to help open-source projects by donating. Almost every project needs funding and it is easy to donate. My latest donations? Mondorescue, CentOS, PfSense, UltraVNC.

PfSense Follow-Up II

Hi, Last week, I installed PfSense RELEASE 1.0, and it has been running very smoothly since the install. No more crashes! It's been running for 7 days straight now and I had absolutely no problem with it, except for my VoIP config for static port (see my other PfSense posts). Thanks a lot to the PfSense team! I just upgraded to 1.0.1 now...

UltraVNC SC

Hi, I've been using UltraVNC for a while and while commenting on an article on UnixTutorials, I thought it would be a good idea to share my knowledge. First, I must say that UltraVNC is a free version of VNC that has more features than the free version of RealVNC (thanks for sharing the code, though...). It supports encryption and Active Directory authentication, and a few other nice features. But what I want to talk about today is the Single-Click feature (SC). Very useful... Example situation: One of your clients went to a foreign country and he wants to configure the e-mail client of a laptop he borrowed there. VNC is not installed. You can spend an hour telling him over the phone how to configure Outlook or Thunderbird, or just tell him to go to your website, download a single executable, and then take control of the PC and configure it yourself. How to proceed: Make sure the VNC (or UltraVNC, for the rest of the text) viewer is loaded on your computer, in listen mode. You can access

Cacti on CentOS4 Quick Howto

Hi, I've been asked to write my How-To on the CentOS Wiki. I don't want to have to manage 2 versions, so here is the link . Sorry for the inconvenience...

Wget

Ah, I do feel good when I solve a complex problem with a simple tool: wget. This time, I wanted to take a backup of the databases I have hosted somewhere. The only way to get these databases' backup files is to go to the control panel of my hosting provider, cPanel. Usually, by the time I think about it, it is too late (these files are dumps of the current databases, so if I have just broken something, they are useless). I then remembered that wget can send authentication, so I basically use wget in a cronjob that downloads the database files and puts them in a folder named after the current day of the week. This way, I have 7 days of backup history. I like that :).

New source of DNSBL and ClamAV unofficial DBs

http://www.msrbl.com/ Looks promising.

Unofficial phishing + scam ClamAV database

I'm starting to test this out today: http://www.sanesecurity.com/clamav/index.htm I hope there won't be too many false positives... Anyone using them already?

Virtual Private Servers Pitfalls

It didn't take much time until I found pitfalls with VPSs. Today, I got bitten by a memory problem. My VPS had 128 MB RAM max. Before installing my usual packages, the memory usage was around 20 MB. Nothing! :). But then I installed my packages and forgot to tweak Apache to minimize its memory requirements. Installed MySQL for Cacti, configured Cacti... Then, this morning, I realized that many processes were missing on my VPS. Why? I had enabled the yum daily cronjob.... mistake! Do you have an idea of how much memory yum uses? Too much. Tektonic told me that they stopped selling UM0 packages because of that: too many clients having memory problems. I upgraded my plan to UM1. I'm wondering though... how does Vpslink do with its smallest plan, only 64 MB RAM! I can't end this post without adding again how helpful the folks at Tektonic have been up to now.

Virtual Private Servers

Hi, Time for another knowledge-sharing post. I recently discovered a very good alternative to shared, reseller, or dedicated hosting: a virtual private server (VPS). In fact, a VPS is a virtual machine running alongside many other virtual machines (VMs). There are many packages, but the cheapest are:
- Tektonic (based on Virtuozzo. I own 3 VPSs from them. Very, very nice and responsive people. They've been very supportive for me in my beginnings with VPSs.)
- OpenHosting (based on Linux-VServer, Fedora Core 4 only for now, interesting utility billing system)
- Vpslink (based on OpenVZ, the open-source version of Virtuozzo; never tried yet)
Tektonic puts a limit on outbound bandwidth that can sometimes be harsh (unmetered 1 Mbps max for the smallest plan, at 15$/month). That is more interesting for applications that don't need much outbound traffic (like remote backup, where you have an unmetered 100 Mbps inbound!) or e-mail, which doesn't really need an instant transfer, but can be problematic for web

Sendmail milters from SnertSoft

This is just a quick post to encourage people to try SnertSoft's excellent anti-spam milters. If you're running a spam-filtering gateway, you may want to try milter-ahead. It checks with the backend mail server whether the recipient user exists before accepting the message. Milter-sender is also very interesting: it checks for the existence of the sender's e-mail address before accepting the message. Milter-link checks URLs in message bodies against URI blacklists. And this one is free! (most are). All the milters' descriptions are here. Anthony, the author, is very kind and offers good support. Have a look at his website. There are many other milters that may help you reduce the load on your spam-filtering system and reduce the amount of spam that makes it to your users' mailboxes!

Syndication

I started using syndication recently. I like the idea of reading the news in Thunderbird instead of having to go to 10 websites. Of course you can read this blog via RSS :). http://lubik.blogspot.com/atom.xml

PfSense follow-up

I have been using PfSense for a month now, so I thought I should post about it... I ran into a few problems that I'd like to share:
- Unexpected crashes caused by a PSU that was not powerful enough
- All my devices/computers lost their IP address (DHCP)
I solved the first problem using a 1.5A PSU (I was using a 0.8A PSU). It only crashed once since then, but my target is more like... 0 (a firewall shouldn't crash). For the second problem, I increased my lease time to 1 week. Logs show nothing about what could have caused this incident (according to the logs, PfSense's DHCP server was still serving clients correctly). NOTE: RC2 is out, I'm trying that right now...

Nagios

I just started playing with Nagios, an open-source monitoring software package (GPL). I used to use monit instead, but there are two limitations of monit that made me switch:
- It can only do port/protocol checks on remote hosts
- It has no tolerance setting for check failures (it sends a warning as soon as there is one failure)
On the other hand, Nagios has tools that allow a Nagios server to perform "local" checks on remote servers, via the network (check_snmp, check_nt, check_nrpe and check_ssh). As a side effect, it can monitor Windows servers quite well. The web interface is enough for my needs. Note: I'm still using monit for process checks, as Nagios can't do that as well as monit does (monit uses the information in the lockfile to see if the process is still in memory, and uses user-defined commands to restart the process if it is not in memory). Here is how Nagios works, basically: The tools that do the checks are called plugins. Objects have to be defi

PfSense

I finally made the switch from m0n0wall to PfSense today. It all went well (PfSense can import the m0n0wall config file directly), except for one thing: after the switch, I didn't have any audio when calling through one of my VoIP providers. I fixed the problem by enabling advanced outbound NAT, and enabling the static port feature for the default rule. I needed that because PF, the packet filter used in PfSense, automatically randomizes the source port for more security, but VoIP needs the source port to stay the same so the far end knows which session a packet is part of. The next step is to enable it only for my Asterisk server and my Vonage ATA, instead of my whole LAN. In the end, PfSense is worth a try. I think the VoIP traffic shaping is still not perfect, but it'll probably be fixed before it is released as stable (it is now RC1). Feel free to share your experiences with firewalls :).

SquidGuard

Hi, I played with SquidGuard in the past few days to control what users can access on the net and when. It is quite a great package, as it did what I needed it to do. This is basically how it works:
- You can define time spaces
- You can define source groups (hosts or networks, or IP address ranges, or users)
- You can define destination groups (domains, URLs, regexes)
- Finally, you define ACLs with all those parameters
- You can add blacklists to the mix
I have recommendations for people who would like to try SquidGuard:
- Don't forget that SquidGuard is a redirector: if you don't configure a redirect URL, it will not block anything
- Check all the logs
- You need to know that when SquidGuard encounters a problem (config or otherwise), it goes into emergency mode, in which it does nothing (nothing is blocked)
- I suggest you avoid using the Webmin module. I can't say for sure that you'll have trouble with it, but I lost many hours because of it.
If I can find some time eventually,

Exchange Replacement : Scalix

I was looking for a way to satisfy a group of users who were used to working with Microsoft Exchange, but are familiar with the performance and reliability of Linux, and would like to save money in the process of getting their own collaborative server. I had a list of potential replacement packages:
- Kolab
- Open-Xchange
- Scalix
- OSMER
- OpenGroupware
- eGroupWare
- Horde
- Gordano
- @mail
- Bynari
- Kerio
- Zimbra
Which one is the best? I can't tell... Which one won? Well, Scalix. Why?
- Native Outlook connectivity (note: you have to install a free piece of software on your Windows PC, free for up to 25 users)
- Ease of installation
- No database required
- Very nice (AJAX-based) webmail interface
We're still testing it, so I'll keep you posted on the results.

Skinks!

Recently, I (re)discovered a very nice lizard species: skinks. In fact, I knew blue-tongued skinks, and I discovered prehensile skinks. Prehensile skinks are especially nice, since they have a prehensile tail: their tail can support the weight of the lizard. Here is a picture of a magnificent one (see left). I really think it is the ideal lizard: vegetarian or omnivore (many people don't like feeding their pet with live insects), and very calm. I wish I could breed them, but I don't think it is realistic. They cost about 200$ each, and it requires a lot of time and care. I can just hope that skink breeding will increase in my area.

Asterisk VoIP

I now have a PBX at home, based on Asterisk, and it is amazing... The quantity and quality of the features it includes is incredible. I really love it. I've been helped by someone who works with it all day long, but I'm getting more and more comfortable configuring it and the related hardware (IP phones, ATAs). Hopefully, I'll soon be able to install Asterisk servers completely on my own.

Another Lizard!

... Ornate climber. Or maybe it is a blue-eyed crested climber... Not sure. It doesn't have a name yet, so please feel free to send me ideas. It is a male. I think I'll call him Brutus.

Got published!

Hey! Insecure Mag just published an article I wrote some time ago for them about MailScanner and server-side spam and virus filtering. You can read it in the new issue (1.5). Have fun, and... your comments are welcome!

Greylisting - French

I considered greylisting an important enough topic to translate my article on this anti-spam mechanism: Here is an explanation of "greylisting", a very effective mechanism against spam: It is based on "triplets" (sender e-mail address, recipient e-mail address, IP address of the originating server). When a server receives an SMTP connection from another server, it checks the triplet. If the triplet is known, the message continues on its way. Otherwise, the server refuses the connection with an SMTP 450 reply (temporary failure), thus telling the originating server: I cannot accept the message right now, please come back later. Most mail servers respect this rule (RFC821) and retry the connection a few minutes later (Microsoft Exchange and Hotmail: normally 1 minute, Yahoo: ~5, Sendmail: ~7, Postfix: ~1, Exim: ~3). The delays are normally minimal, si perce
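The triplet mechanism described above, together with the friendly-network whitelisting mentioned in the milter-greylist post earlier on this page, as an added example that is neither the blog's nor milter-greylist's own code: a small Python model of the greylisting decision. The minimum delay, the pending window, the auto-whitelist lifetime, the 192.0.2.0/24 friendly network and all the addresses in the scenario are assumed values constructed for the illustration.

```python
"""Added example (not from the blog or from milter-greylist): a minimal model
of the greylisting decision based on the (sender, recipient, client IP) triplet.
All timing values and sample addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

SMTP_ACCEPT = 250      # message accepted
SMTP_TEMPFAIL = 450    # "try again later" (temporary failure)

# Assumed policy values; real deployments tune these.
MIN_DELAY = 5 * 60               # seconds a new triplet must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600          # seconds an unconfirmed triplet stays pending
AUTO_WHITELIST = 36 * 24 * 3600  # seconds a confirmed triplet stays accepted without re-greylisting


@dataclass
class Entry:
    first_seen: float        # time of the first connection attempt for this triplet
    last_seen: float         # time of the most recent accepted delivery (or first_seen)
    confirmed: bool = False  # True once a well-behaved sender has retried inside the window


class Greylist:
    def __init__(self, friendly_networks=(), min_delay=MIN_DELAY,
                 retry_window=RETRY_WINDOW, auto_whitelist=AUTO_WHITELIST):
        self.friendly = [ipaddress.ip_network(n) for n in friendly_networks]
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.auto_whitelist = auto_whitelist
        self.entries = {}  # triplet -> Entry (a real milter keeps this on disk / syncs across MXes)

    def is_friendly(self, client_ip):
        """Friendly networks (e.g. internal relays) bypass greylisting entirely."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.friendly)

    def check(self, sender, recipient, client_ip, now):
        """Return the SMTP reply code for a connection attempt at time `now` (seconds)."""
        if self.is_friendly(client_ip):
            return SMTP_ACCEPT
        key = (sender.lower(), recipient.lower(), client_ip)
        entry = self.entries.get(key)

        if entry is None:
            # Unknown triplet: record it and ask the sender to come back later.
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return SMTP_TEMPFAIL

        if entry.confirmed:
            if now - entry.last_seen > self.auto_whitelist:
                # Whitelist entry expired: treat it as a brand-new triplet.
                self.entries[key] = Entry(first_seen=now, last_seen=now)
                return SMTP_TEMPFAIL
            entry.last_seen = now
            return SMTP_ACCEPT

        age = now - entry.first_seen
        if age < self.min_delay:
            return SMTP_TEMPFAIL  # retried too soon; keep deferring
        if age > self.retry_window:
            # Pending record went stale; start the cycle over.
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return SMTP_TEMPFAIL
        entry.confirmed = True  # a real MTA retried: let this triplet through from now on
        entry.last_seen = now
        return SMTP_ACCEPT


def simulate():
    """Constructed scenario exercising each branch; returns the reply codes seen."""
    gl = Greylist(friendly_networks=["192.0.2.0/24"])
    bob = "bob@example.net"
    t0 = 0
    return {
        # Sendmail-like MTA retries after ~7 minutes and is then accepted
        "mta_first": gl.check("alice@example.org", bob, "203.0.113.10", t0),
        "mta_retry": gl.check("alice@example.org", bob, "203.0.113.10", t0 + 7 * 60),
        "mta_later": gl.check("alice@example.org", bob, "203.0.113.10", t0 + 3600),
        # A client retrying after only 30 seconds is still deferred
        "early_first": gl.check("carol@example.org", bob, "203.0.113.11", t0),
        "early_retry": gl.check("carol@example.org", bob, "203.0.113.11", t0 + 30),
        # A friendly network is never greylisted
        "friendly": gl.check("dave@example.org", bob, "192.0.2.5", t0),
        # A retry that arrives only after the pending window has expired starts over
        "expired_first": gl.check("eve@example.org", bob, "203.0.113.12", t0),
        "expired_retry": gl.check("eve@example.org", bob, "203.0.113.12", t0 + 5 * 3600),
    }


if __name__ == "__main__":
    for name, code in simulate().items():
        print(f"{name:14s} -> {code}")
```

The spam case is the branch that never comes back: a sender that receives the 450 and does not retry is simply never recorded as confirmed, which is the whole point of the mechanism. The minimum delay is a trade-off visible in the retry figures quoted above: with a 5-minute delay, an MTA that retries after 1 minute gets a second 450 and is only accepted on a later attempt, so shortening the delay reduces mail latency at the cost of letting through senders that retry quickly.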