| Friday, October 26, 2007

Siang ini ada yang rikues, server windows dgn apache n phpnya ga mau kalo pake database sql tapi maunya pake ODBC, yaw dah.. apa sich yang engga untuk dikau ? qeqeqe...

Pertama create dsn namenya di ODBC, pilih mdb driver dan select nama databasenya, misal metuek.mdb. Kalau untuk apache yang under unix settingnya gini
# cd /etc
# ee odbc.ini
[test]Description = test
DatabaseDriver = /usr/lib/libmdbodbc.so
Database = /var/www/test.mdb

Sudah? jika sudah re-start dunk apachenya.

Contoh script phpnya krg lebih spt ini niy.
if (!$conn) { exit("Connection Failed: " . $conn); }

$sql="SELECT * FROM customers";
if (!$rs) {
exit("Error in SQL");

echo ;
echo ;
while (odbc_fetch_row($rs))
echo ;
echo ;

delete file by date


find /directory -name "namafile" -mtime +30 xargs rm atau
find /directory -name "namafile" -mtime +30 -type f -exec rm {}\;

Perintah diatas akan mencari file 30 hari n older dan akan menghapusnya.

-mtime n : kondisi True jika isi file modified n days ago.
Type Description
b : A block special device file
c : A character special device file
d : A directory
f : A plain file (SV only)
p : A named pipe (FIFO) (SV only)
l : A symbolic link to a file
s : A socket (BSD only)

Cek Cek ...


Sebagai admin gadungan, yah tugasnya secara rutin ngintip2 log di server.. tapi, koq slalu ada yang kelewatan yah ada yg belom dicek getuh..

akhirnya saya putuskan untuk saya tulis disini aja deh, kebetulan ini u/ mailserver untuk yg lain ga jauh beda..

1. Cek log /var/log/messages, /var/log/maillog n jgn lupa untuk cek dmesg dan auth.log

2. ps -ax, top, trafshow, sockstat -l adalah wajib hukumnya.

3. /var/virusmails harus didelete sisakan aja yang baru2, kali aja ada yg komplen.

# ls -l /var/virusmails/ |wc -l

4. /usr/local/mysql/var juga harus dicek minimal 1 bulan sekali file mysql-bin.xxxxx dan sisakan hanya 1 bulan terakhir saja.

5. /var/amavisd/tmp/.... (log temporary amavis dan clamd) juga harus
didelete setiap minggu (jika ada).

mailbox2 user juga harus dimonitor.


| Friday, October 05, 2007

In case of attacks, you can fiddle up with the following values:

net.inet.tcp.msl (on my machine, 10000. default is 30000)
net.inet.tcp.keepidle (default 10000)
net.inet.tcp.keepintvl (default 7500)
net.inet.tcp/udp.blackhole (turn on for DoS)
net.inet.tcp.tcbhashsize (push up to a reasonable value)


For a better performance, you should mess up with:

kern.ipc.somaxconn (my machine = 4096, default. 128)
kern.maxfiles (65535, 16424 as default)
vfs.vmiodirenable (set to 1, 0 is the default)
net.inet.tcp.sendspace (see tuning(7) for more explanations)
option NMBCLUSTERS in the kernel (check how many clusters you use with netstat -mb -- don't overtune it, on my busiest webservers the number of used clusters never went above 2256, so 8192 should be enough for all servers), and, of course, maxusers. Well, that era has ended. Right now I discovered a
2827/16384/16384 mbuf clusters in use (current/peak/max)
on a webserver, so I'm gonna bump it to 32k. Also, I'm going to reduce the net.inet.tcp.sendspace from 32k to 16k, because the web traffic means a lot of small files. In case you find out you're just about to run out of NMBCLUSTERS (ex. 6301/8100/8704 mbuf clusters in use (current/peak/max) -- on one of my servers), in case of a webserver, and cannot recompile a new kernel with a bumped NMBCLUSTERS, then set KeepAlive to off in your Apache, and this will save you some clusters by removing many FIN_WAIT_2 connections (More here).
kern.ipc.shm_use_phys -- turn to 1 if the main application of your server uses shared memory, it has improved the activity of my web server.
netstat -f inet can give you valuable informations. For example, a lot of connections with Send-Q != 0 means that your server is storing datas into the mbufs, because the uplink is saturated or (more often) the clients are too 'slow' to receive datas. Non-null values for Recv-Q, on the other hand, means that your server is too slow in serving the requests, which increase the number of mbufs for incoming connections.
net.inet.tcp.msl -- take it down from the default 30,000 to something like 10,000 or even less if you notice too many TIME_WAIT connections in netstat -f inet
net.inet.tcp.inflight_enable -- for bandwidth delay limiting (TCP connections). Read more about in tuning(7).


Firewalling with IPF gave me quite some problems, mostly related to the state table. The customers experienced some broke connections (browser hanging forever when loading up a page), even though the channel was not full (bandwidth-wise). What you can do in a situation like this is play with:

net.inet.ipf.fr_tcpidletimeout=7200 (I like to leave this higher, though, because it kills my idle ssh sessions on the servers as well -- and I hate logging in each other hour or so).
More about this values here.
You can check how many states are active by looking into the output of ipfstat -s (active). I experienced values growing from 0 to approx. 4000 and then 0 again, which meant the state table got full, and was resetted. You can also carefully increment the number of states in '/usr/include/netinet/ip_state.h' (IPSTATE_SIZE and IPSTATE_MAX -- in my case IPSTATE_MAX was set to 4013, which made the table reset like I said before, at a value approx. equal to 4000). You have to set these two values at resonable values (not too high, don't overtune!), they need to be prime values, and IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE. More infos can be found here.
One other thing that one might do is remove any unnecessary 'keep state's from the firewall configuration. For example, Apache communicates with the clients on port 80 exclusively, so if you 'pass all from any to $my_host port = 80', then you don't need keep states.
As about the NAT using IPFilter, you might consider defining LARGE_NAT in src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h.
One other problem that I had, having the same source, was that FTP transfers of a zillion+ files would just stall from time to time (after about 100 transferred files). Reason was that the state table was becoming full, and was 'cleaned up' by the kernel, which meant lost state. Freeing the unneeded 'keep states' from the firewall rules, and twaking the parameters above made this problem dissapear as well.
A very nice feature of FreeBSD's kernel is also the DEVICE_POLLING kernel option, which basically means that the system will not treat any interrupt coming from the network cards independently, but rather 'poll' the devices at certain intervals of times. That saves a lot of system activity. You might also consider tweaking with the "option HZ", and also enabling 'kern.polling.enable' and 'kenr.polling.user_frac'. Unfortunately, DEVICE_POLLING works only with certain NICs, but I've experienced very good results with the Intel EtherExpress (fxp). You can see the performance on some snapshots of my firewall here.


Special settings:

In order to run ipf and ipfw on the same machine (ipf for firewall, ipfw for traffic shaping), you can do the following:
ipf -f a_file, where a_file contains something like: "pass out quick proto tcp from x.x.x.x to y.y.y.y port = z flags S keep state"
ipfw add pipe 10 ip from x.x.x.x to y.y.y.y
ipfw pipe 10 config bw 10Kbit/s queue 50KBytes


| Tuesday, October 02, 2007

ICMP Internet Control Message Protocol

didesain u/ mengontrol pesan antar router dan antar host.

Sebuah ICMP header mengikuti IP header pada Paket IP, tapi bukan dianggap sbg header layer 4 seperti TCP dan UDP tapi ICMP dianggap sebagai satu kesatuan dari IP.

Here is a picture of the fields an ICMP header adds to an IP
8 16 32 bits
Type Code Checksum
Identifier Sequence number

You'll note that an ICMP header is composed of six fields. Interestingly, the Data field does not contain the actual ICMP "message." Instead, the Type and the Code fields contain numeric values, and each numeric value represents a specific ICMP message. Every ICMP packet must have a Type value, but only some ICMP types have an associated non-zero Code value.

RFC 1700 contains the possible values for each ICMP type and code; I've summarized these into the following table:
Type Name Code(s)
0 Echo reply 0 - none
1 Unassigned
2 Unassigned
3 Destination unreachable 0 - Net unreachable
1 - Host unreachable
2 - Protocol unreachable
3 - Port unreachable
4 - Fragmentation needed and DF bit set
5 - Source route failed
6 - Destination network unknown
7 - Destination host unknown
8 - Source host isolated
9 - Communication with destination network is administratively prohibited
10 - Communication with destination host is administratively prohibited
11 - Destination network unreachable for TOS
12 - Destination host unreachable for TOS
4 Source quench 0 - none
5 Redirect 0 - Redirect datagram for the network
1 - Redirect datagram for the host
2 - Redirect datagram for the TOS and network
3 - Redirect datagram for the TOS and host
6 Alternate host address 0 - Alternate address for host
7 Unassigned
8 Echo 0 - None
9 Router advertisement 0 - None
10 Router selection 0 - None
11 Time Exceeded 0 - Time to live exceeded in transit
1 - Fragment reassembly time exceeded
12 Parameter problem 0 - Pointer indicates the error
1 - Missing a required option
2 - Bad length
13 Timestamp 0 - None
14 Timestamp reply 0 - None
15 Information request 0 - None
16 Information reply 0 - None
17 Address mask request 0 - None
18 Address mask reply 0 - None
19 Reserved (for security)
20-29 Reserved (for robustness experiment)
30 Traceroute
31 Datagram conversion error
32 Mobile host redirect
33 IPv6 where-are-you
34 IPv6 I-am-here
35 Mobile registration request
36 Mobile registration reply
37-255 Reserved

You'll note that the ICMP types that do have associated codes use the Code field to further explain the message value in the Type field. For example, ICMP Type 3 represents "destination unreachable." There can be many reasons why a destination is unreachable; accordingly, every ICMP Type 3 packet will also use one of the codes to explain why the destination was unreachable.

In our dump file, packets 4-9 contained ICMP information. These packets were created right after ARP had determined the destination MAC address and just before the TCP 3-way handshake. Let's take a look at packets 4 and 5:

tcpshow < dump

Packet 4
TIME: 10:25:28.608640 (0.000355)
LINK: 00:00:B4:3C:56:40 -> 00:50:BA:DE:36:33 type=IP
IP: -> hlen=20 TOS=00 dgramlen=84 id=0010
MF/DF=0/0 frag=0 TTL=255 proto=ICMP cksum=A796
ICMP: echo-request cksum=169F
DATA: ....:_.:6....
..................... !"#$%&'()*+,-./01234567
Packet 5
TIME: 10:25:28.608722 (0.000082)
LINK: 00:50:BA:DE:36:33 -> 00:00:B4:3C:56:40 type=IP
IP: -> hlen=20 TOS=00 dgramlen=84 id=9551
MF/DF=0/0 frag=0 TTL=255 proto=ICMP cksum=1255
ICMP: echo-reply cksum=1E9F
DATA: ....:_.:6....
..................... !"#$%&'()*+,-./01234567

Notice that these are normal IP packets with the expected IP header fields. Immediately following the IP header is the ICMP header which is followed by some strange-looking data. The tcpshow utility did not show all of the ICMP fields, but you can see that Packet No. 4 was an echo-request and Packet No. 5 was an echo-reply. If we look up these names in the chart, we'll see that Packet 4 contains an ICMP Type 8 Code 0 message, and Packet 5 contains an ICMP Type 0 Code 0 message.

Let's look at these same packets using Ethereal. Because Ethereal is so verbose, I'll just show the frame number and the ICMP header:

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

more etherdump

more etherdump

Frame 4 (98 on wire, 98 captured)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x169f (correct)
Identifier: 0xdd00
Sequence number: 00:00
Data (56 bytes)

0 3a5f a23a 36c3 0600 0809 0a0b 0c0d 0e0f :_.:6...........
10 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
20 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f !"#$%&'()*+,-./
30 3031 3233 3435 3637 01234567

Frame 5 (98 on wire, 98 captured)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0x1e9f (correct)
Identifier: 0xdd00
Sequence number: 00:00
Data (56 bytes)

0 3a5f a23a 36c3 0600 0809 0a0b 0c0d 0e0f :_.:6...........
10 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
20 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f !"#$%&'()*+,-./
30 3031 3233 3435 3637 01234567

Notice that Ethereal interprets all of the ICMP fields, including the Type and Code numbers. It also indicates the name of the utility that issued these ICMP packets -- before TCP initiated its 3-way handshake, three "ping" packets were sent out to verify connectivity between my telnet client and the telnet server. The first ping packet contained the echo-request and it was followed by the desired echo-reply.

Packets 6 and 7 contained the next echo-request/echo-reply pair. These packets were identical, except they both contained a sequence number of 01:00, instead of the sequence number of 00:00 you saw in Packets 4 and 5. Packets 8 and 9 contained the last echo-request/echo-reply pair and both shared a sequence number of 02:00. However, all six packets contained the same Identifier value of 0xdd00; this means that they were all issued from the same ping command.

To summarize, whenever you run the ping utility, you will send out ICMP Type 8 Code 0 packets. Each packet will have the same identifier, but every packet's sequence number will be increased by 1. If you have connectivity to the other host, you should receive back ICMP Type 0 Code 0 packets with the same identifier. If you don't receive all the packets back in sequence, you don't have a very reliable connection.

You've probably used the ping utility yourself to test the connection between two hosts running TCP/IP; you may have not known that ping uses ICMP. Here is an interesting article on ping by the author of the utility.

The traceroute utility is another utility that uses ICMP messages, but its usage is different from that of the ping utility. When you type traceroute hostname, three UDP packets are sent out with a TTL (time to live) value of 1. These three packets will arrive at the router closest to you which will decrease the TTL by one, meaning the TTL will now be 0. When routers notice a TTL of 0, they respond by sending an ICMP packet of Type 11 Code 0, or "time exceeded" as "time to live exceeded in transit." The traceroute utility will make note of the IP address of the router that sent back the three ICMP packets, calculate the time it took to receive each of the packets, then send out three more UDP packets, this time with a TTL of 2.

Because these packets have a TTL of 2, ICMP packets should be returned by the router that is two hops away from you. Once these packets are received and noted, traceroute sends out three more packets with a TTL of 3. The traceroute utility will continue this pattern until you either reach your final destination or you've gone through the default maximum of 30 routers. The results will be sent to your screen like so:

traceroute www.freebsd.org

traceroute to freefall.freebsd.org (, 30 hops max, 40 byte packets
1 ( 33.137 ms 110.654 ms 52.307 ms
2 d226-12-1.home.cgocable.net ( 15.413 ms 36.285 ms 12.538 ms
3 cgowave-0-158.cgocable.net ( 13.857 ms 14.130 ms 16.433 ms
4 cgowave-busy-core.cgocable.net ( 15.304 ms 15.470 ms 14.940 ms
5 cgowave-0-202.cgocable.net ( 16.681 ms 14.324 ms 16.357 ms
6 ( 16.066 ms 15.919 ms 17.318 ms
7 c1-pos8-0.bflony1.home.net ( 18.234 ms 18.063 ms 19.266 ms
8 c1-pos1-0.hrfrct1.home.net ( 27.590 ms 25.213 ms 48.447 ms
9 c1-pos3-0.nycmny1.home.net ( 32.722 ms 29.405 ms 29.724 ms
10 ibr02-p1-0.jrcy01.exodus.net ( 31.728 ms 48.891 ms 29.017 ms
11 bbr02-g4-0.jrcy01.exodus.net ( 37.117 ms 37.070 ms 62.180 ms
12 bbr01-p2-0.okbr01.exodus.net ( 59.707 ms 40.090 ms 39.422 ms
13 bbr02-p3-0.sttl01.exodus.net ( 142.048 ms 101.184 ms 86.259 ms
14 bbr01-g5-0.sttl01.exodus.net ( 83.362 ms 83.433 ms 83.103 ms
15 bbr01-p1-0.tkwl01.exodus.net ( 85.309 ms 123.174 ms 83.753 ms
16 bbr01-p4-0.sntc05.exodus.net ( 88.995 ms 90.207 ms 88.723 ms
17 dcr01-g2-0.sntc05.exodus.net ( 109.213 ms 90.418 ms 90.458 ms
18 g2-1.bas1-m.sc5.yahoo.com ( 170.210 ms 164.354 ms 281.053 ms
19 freefall.freebsd.org ( 91.146 ms 88.509 ms 91.049 ms

Note that the traceroute utility numbered each hop, gave the name and IP address of the associated router, and recorded the time it took to receive an ICMP response to each of the three UDP packets that were sent to each router.

The ping and traceroute utilities are the most common utilities used by users that involve the ICMP protocol. However, there is another ICMP type that you should be aware of as it can affect network performance if there are routers between you and your final destination.

When I captured the packets involved in the telnet session, both the telnet client and the telnet server were cabled onto the same LAN and none of the packets had to pass through a router. During the TCP 3-way handshake, each host indicated the maximum segment size (MSS) it was capable of receiving. The tcpshow utility did not interpret this data, but it can be seen using Ethereal:

more etherdump

Frame 10 (60 on wire, 60 captured)
Internet Protocol
Source: biko (
Destination: genisis (
Transmission Control Protocol, Src Port: blackjack (1025), Dst Port: telnet (23), Seq: 3205630181, Ack: 0
Source port: blackjack (1025)
Destination port: telnet (23)
Sequence number: 3205630181
Header length: 24 bytes
Flags: 0x0002 (SYN)
Window size: 16384
Checksum: 0x7814
Options: (4 bytes)
Maximum segment size: 1460 bytes

Frame 11 (58 on wire, 58 captured)
Internet Protocol
Source: genisis (
Destination: biko (
Transmission Control Protocol, Src Port: telnet (23), Dst Port: blackjack (1025), Seq: 1746119590, Ack: 3205630182
Source port: telnet (23)
Destination port: blackjack (1025)
Sequence number: 1746119590
Acknowledgement number: 3205630182
Header length: 24 bytes
Flags: 0x0012 (SYN, ACK)
Window size: 17520
Checksum: 0x5fd9
Options: (4 bytes)
Maximum segment size: 1460 bytes

Because both computers were cabled onto the same LAN, they both understood and agreed upon a MSS of 1,460 bytes. Note that this is a maximum "segment" size, meaning a segment of data without including the extra bytes needed for the headers and frame. In this example, both hosts agreed that they wouldn't send a segment of data that was bigger than a 1,460-byte chunk.

What would happen if these two same hosts were not on the same LAN and their packets had to pass through a network that could only accept frames with a maximum transmission unit (MTU) size of 576 bytes? Because the two end hosts had already agreed upon a segment size of 1,460 bytes, they would be creating their IP packets accordingly. When these IP packets arrive at the router, which is cabled to the network with the smaller MTU, it will have to re-package every packet into smaller segments that will fit into the smaller size frames of that network. The destination host will then have to reassemble all of the fragmented packets back into the original agreed-upon sized segment. This creates more work and definitely slows things down.

To help prevent this, TCP uses something called Path-MTU Discovery. TCP will send out IP packets using the agreed MSS size, but will set the DF (don't fragment) bit to 1. If this packet is received by a router that needs to fragment the packet so that it will fit over a network that uses smaller-sized frames, the router will respond with an ICMP Type 3 Code 4 packet which translates to "destination unreachable as fragmentation needed" and "DF bit set." When the host receives this ICMP packet, it knows that it needs to start sending smaller packets.

You can read more about Path-MTU Discovery here.

The last ICMP type I'd like to cover is Source Quench, or ICMP Type 4 Code 0. This message is sent whenever a router is being overwhelmed by packets. It basically tells the host to slow down the rate it is sending packets so it can have a chance to deal with the packets it has already received. This is an important message -- if the host does not slow down its transmission rate, the router will run out of buffer space to store packets and will have to start throwing packets away. Every packet that is thrown away will have to be re-transmitted which will make the original situation worse.

The ICMP types we've covered do have implications when you start creating packet filter rules on your FreeBSD system. Next week, we will start looking at creating these rules, I'd like to summarize the ICMP types and codes that we'll need to be mindful of:
ICMP Type Code Used By
0 0 Ping
3 4 Path-MTU Discovery
4 0 Source Quench
8 0 Ping
11 0 traceroute

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.