My Blog

instalasi dan sinkronisasi file menggunakan rsync dan ssh

2012-04-24T14:27:00.000+07:00

Tulisan ini sekaligus update tulisan lama saya. Yang sepertinya kurang lengkap :) Disini misal ada 2 Server 10.10.10.14(server) dan 10.10.10.16(backup/mirror). Dan port ssh 22 Langkah2nya sbb : 1. Masuk ke /home di 10.10.10.16 (server backup) Di directory /home inilah nanti file authentifikasi akan disimpan. Dan perintah rsync dijalankan. 2. Ketik ssh-keygen -f loginku -t rsa dan tekan enter. Pada pilihan passwd langsung tekan enter 2x. Dan akan ada 2 file loginku dan loginku.pub 3. Copykan file loginku.pub ke /root/.ssh pada server utama (10.10.10.14) dan rename menjadi authorized_keys2. hasilnya sbb /root/.ssh/authorized_keys2 4. Sekarang coba login dari server backup masuk ke /home dan ketik : ssh -i loginku root@10.10.7.14 -p 22 Jika berhasil maka tanpa passwd harusnya login bisa dilakukan tanpa password. 5. Perintah rsync sbb : /usr/local/bin/rsync -e "ssh -i loginku -l root -p 22" -avz root@10.10.10.14:/home/coba /home/coba sent 188 bytes received 35168 bytes 70712.00 bytes/sec total size is 42515051 speedup is 1202.48 Nah ada satu tips lagi agar lebih secure. Yaitu hanya mengijinkan root untuk login dari ip 10.10.10.16 (server backup saja). Caranya sbb : 1. Tambahkan baris berikut pada /etc/security/access.conf -:root:ALL EXCEPT 10.10.7.16 Perintah diatas adalah mengijinkan semua user untuk login dr ip manapun kecuali untuk root harus login dari 10.10.7.16 2. Tambahkan baris berikut pada /etc/pam.d/sshd account required pam_access.so

Installasi NFS server di SLES

2012-04-21T11:24:00.002+07:00

Instalasi NFS server di SLES 11 SP 1 Jika dari yast : # yast2 # pilih network service # pilih NFS # Setting directory, IP NFS client # Finish Jika dari Zypper # zypper install -y nfs-kernel-server # nano /etc/exports /home 10.10.7.1(rw,sync,no_root_squash) atau bisa juga /home/www 10.10.7.1 10.10.7.22 10.10.7.23 *(fsid=0,crossmnt,ro,root_squash,sync,no_subtree_check) Start daemon # /etc/init.d/rpcbind start # /etc/init.d/nfsserver start Edit startup # chkconfig rpcbind on # chkconfig nfsserver on

Apache22 Port di FreeBSD 8.2 Stable

2011-12-15T11:39:00.002+07:00

Kemarin setelah update ke FreeBSD stable 8.2 dan CVsup it coz me trouble.
In da middle on installation i got

/usr/ports/www/apache22/work/httpd-2.2.16/support/htpasswd.c:133: undefined reference to `apr_generate_random_bytes'
*** Error code 1
1 error

it made me frustated, after a day search and following instruction from freebsd forum i got nothing. so i assume that maybe something wrong with the port and i have to fix it.

Here is the solution i've found from the inet to fix a broken port.
It works for me .. :)

# Change into the ports directory
cd /usr/ports/
# First fetch ports index
make fetchindex
# Build the ports database
portsdb -u
# Show out of date ports
pkg_version -l "<"
# Upgrade ports
portupgrade -arR
# Check for stale dependencies
pkgdb -F
# Clean out work directories and delete old distfiles
portsclean -CDD _________________

Next...

2011-11-08T10:48:00.003+07:00

Ternyata banyak sekali aplikasi di OS yg kupake ini yg sangat berguna
tapi aku belum tahu, dan sekarang sudah tahu tambah bingung..
mau yg mana duluan..
baru coba ngoprek openLDAP kok malah macet..
hikss...

belum lagi HAST untuk clustering storage..
uCARP untuk balancingnya..
Wow..
Wow..
Wowowowow...
Speechless...

mengaktifkan log pada mysql

2011-11-04T11:12:00.003+07:00

Buat directory log mysql, misal
mkdir /var/log/mysql
chown mysql:mysql /var/log/mysql

Tambahkan baris berikut pada config file mysql my.cnf

[mysqld_safe]
log-error=/var/log/mysql/error.log

# The MySQL server
[mysqld]
log-error=/var/log/mysql/error.log

restart mysql

Instalasi dan Konfigurasi SYSLOG-NG dengan database MYSQL.

2011-07-02T13:07:00.001+07:00

SYSLOG-NG adalah daemon yang bisa digunakan untuk menggantikan syslogd di FreeBSD atau di Linux yang berfungsi untuk merekam log2 yang ada, baik itu server berbasis linux, bsd ataupun mikrotik ;)
Dengan SYSLOG-NG yang digabung dengan database MySQL maka kita bisa menyimpan semua log secara terpusat dalam satu database, sehingga mudah untuk di manage.

Untuk Web Interface tampilan log saya memakai php-syslog-ng yg bisa di download di http://php-syslog-ng.googlecode.com/files/php-syslog-ng-2.9.8.tgz
Syaratnya server anda sudah ada webserver support php

# cd /usr/local/www
# fetch http://php-syslog-ng.googlecode.com/files/php-syslog-ng-2.9.8.tgz
# tar -xzvf php-syslog-ng-2.9.8.tgz
# chown -R www:www php-syslog-ng
# edit httpd.conf
Alias /log "/usr/local/www/php-syslog-ng/html/"

Options None
AllowOverride None
Order allow,deny
Allow from all

Jika sudah selesai langsung restart webserver dan akses http://ipserver/log
Akan muncul menu instalasi php-syslog, pastikan fitur2 PHP dan file web sudah sesuai (tidak ada warning) klik next, centang konfirmasi, next.
Isikan user root dan password mysql, nama database yang akan digunakan untuk menyimpan log, dan user untuk database dan password (user dan password ini diingat2 yah, karena untuk
konfigurasi syslog servernya),
Misalkan disini
user mysql : syslog
pass mysql : 123abc
nama db : syslogserv

Hilangkan centang dimenu bawah, klik next. next akan muncul :

URL : http://ipserver/log
site : log/ (ingat belakang harus ada backslash)
email : abc@aaaa.com
passwd : syslogadmin

Klik next, akan muncul user : admin passwd: syslogadmin

Selesaaiiii.. hehe untuk web interface sama database doang hehe..

Selanjutnya install via port :
# cd /usr/ports/sysutils/syslog-ng
# make install clean
# cd /usr/local/etc/syslog-ng/
# cp syslog-ng.conf.sample syslog-ng.conf


options { long_hostnames(off); 
   sync(0);
   use_dns(yes);
   use_fqdn(no); };

#
# sources
#
source src { unix-dgram("/var/run/log");
             unix-dgram("/var/run/logpriv" perm(0600));
             internal(); file("/dev/klog"); };

source netsrc { udp(ip("0.0.0.0") port(514));
                tcp(ip("0.0.0.0") port(514)); };

#
# destinations
#
destination messages { file("/var/log/messages"); };
destination security { file("/var/log/security"); };
destination authlog { file("/var/log/auth.log"); };
destination maillog { file("/var/log/maillog"); };
destination lpd-errs { file("/var/log/lpd-errs"); };
destination xferlog { file("/var/log/xferlog"); };
destination cron { file("/var/log/cron"); };
destination debuglog { file("/var/log/debug.log"); };
destination consolelog { file("/var/log/console.log"); };
destination all { file("/var/log/all.log"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination slip { file("/var/log/slip.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination console { file("/dev/console"); };
destination allusers { usertty("*"); };
#destination loghost { udp("loghost" port(514)); };
# CISCO Destinations...
destination netlog { file("/var/log/network/$HOST/$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) create_dirs(yes)); };

destination netsql
                {
                program("/usr/local/bin/mysql --user=syslog --password=123abc syslogserv < /var/log/mysql.pipe");
                pipe ("/var/log/mysql.pipe"
                template ("INSERT INTO syslogserv.logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ('$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$ISODATE', '$PROGRAM', '$MESSAGE' );\n")
                template_escape(yes));
                };

#
# log facility filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_not_authpriv { not facility(authpriv); };
filter f_console { facility(console); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_security { facility(security); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };

#
# log level filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert..emerg); };
filter f_crit { level(crit..emerg); };
filter f_err { level(err..emerg); };
filter f_warning { level(warning..emerg); };
filter f_notice { level(notice..emerg); };
filter f_info { level(info..emerg); };
filter f_debug { level(debug..emerg); };
filter f_is_debug { level(debug); };

#
# program filters
#
filter f_ppp { program("ppp"); };
filter f_slip { program("startslip"); };

#
# host filters
#

# CISCO Filters
filter f_netswitch001 {host("10.1.5.1"); };
filter f_netswitch002 {host("10.1.5.2"); };
filter f_netswitch003 {host("10.1.5.3"); };
filter f_netswitch004 {host("10.1.5.4"); };
filter f_netswitch005 {host("172.16.4.1"); };
filter f_netrouter001 {host("10.1.5.9"); };
filter f_netrouter002 {host("172.16.4.2"); };
filter f_netserver001 {host("server1.example.com"); };
filter f_netserver002 {host("server2.example.com"); };
#
# *.err;kern.warning;auth.notice;mail.crit  /dev/console
#
log { source(src); filter(f_err); destination(console); };
log { source(src); filter(f_kern); filter(f_warning); destination(console); };
log { source(src); filter(f_auth); filter(f_notice); destination(console); };
log { source(src); filter(f_mail); filter(f_crit); destination(console); };

#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };

#
# security.*      /var/log/security
#
log { source(src); filter(f_security); destination(security); };

#
# auth.info;authpriv.info    /var/log/auth.log
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };

#
# mail.info      /var/log/maillog
#
log { source(src); filter(f_mail); filter(f_info); destination(maillog); };

#
# lpr.info      /var/log/lpd-errs
#
log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };

#
# ftp.info      /var/log/xferlog
#
log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); }; 

#
# cron.*      /var/log/cron
#
log { source(src); filter(f_cron); destination(cron); };

#
# *.=debug      /var/log/debug.log
#
log { source(src); filter(f_is_debug); destination(debuglog); };

#
# *.emerg      *
#
log { source(src); filter(f_emerg); destination(allusers); };

#
# !startslip
# *.*       /var/log/slip.log
#
log { source(src); filter(f_slip); destination(slip); };

#
# !ppp
# *.*       /var/log/ppp.log
#
log { source(src); filter(f_ppp); destination(ppp); };

#
# CISCO Program Filters
#
log { source(netsrc); destination(netlog); };
log { source(netsrc); destination(netsql); };

taken from : http://www.freebsdwiki.net/index.php/Syslog-NG_Installation#Installation

# mkfifo /var/log/mysql.pipe
# ee /etc/rc.conf
syslogd_enable="NO"
syslog_ng_enable="YES"
syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags=""

Setelah saya cek ternyata field yg digenerate oleh php-syslog ada yg kurang jadi silahkan login ke mysql server dan tambahkan sbb :


CREATE TABLE `logs` (
  `host` varchar(128) default NULL,
  `facility` varchar(10) default NULL,
  `priority` varchar(10) default NULL,
  `level` varchar(10) default NULL,
  `tag` varchar(10) default NULL,
  `datetime` datetime default NULL,
  `program` varchar(15) default NULL,
  `msg` text,
  `seq` bigint(20) unsigned NOT NULL auto_increment,
  `counter` int(11) NOT NULL default '1',
  `fo` datetime default NULL,
  `lo` datetime default NULL,
  PRIMARY KEY  (`seq`),
  KEY `host` (`host`),
  KEY `program` (`program`),
  KEY `datetime` (`datetime`),
  KEY `priority` (`priority`),
  KEY `facility` (`facility`)
) ENGINE=MyISAM AUTO_INCREMENT=9 DEFAULT CHARSET=latin1;

Ok insya Allah sudah finish. Silahkan reboot server anda. Pastikan mysql server jalan dulu baru syslog-ng server.

bersambungg...

Merubah data directory pada mysql server FreeBSD Server

2011-07-01T09:06:00.000+07:00

Secara default, jika kita install mysql server via port maka data-data dari database yang ada dalam mysql server akan tersimpan pada dir /var/db/mysql
Akan merepotkan kalau ternyata partisi /var kita terlalu kecil, sehingga data nambah sedikit aja partisi /var udah penuh.
Ada 2 cara untuk mensiasati hal tsb,
pertama ada merubah letak data directory pada file konfigurasi mysql kita my.cnf.
Hal ini memerlukan perubahan pada file konfigurasi my.cnf
# ee /var/db/mysql/my.cnf
[mysqld]
datadir=/data/mysqlbaru
Create directory tempat data baru disimpan
# mkdir /data/mysqlbaru
merubah owner directory tsb menjadi milik mysql
#chown -R mysql:mysql /data/mysqlbaru
kemudian start mysql
# /usr/local/etc/rc.d/mysql-server start

Cara kedua adalah dengan memindah dan melakukan linking directory mysql.
Detailnya sbb :

matikan server :
# /usr/local/etc/rc.d/mysql-server stop
# cd /var/db
pindahkan directory data mysql ke directory baru yang kapasitasnya lebih lega :
# mv mysql /data
lakukan linking directory
# ln -s /data/mysql /var/db/mysql
start server :
# /usr/local/etc/rc.d/mysql-server start

Block http brute force dengan PF

2011-06-22T14:29:00.004+07:00

Lumayan ada ilmu baru hasil diskusi dengan admin sebelah dan baca manual PF.
Rulenya sbb :

out_if = bce0
table persist
pass quick from 10.10.3.0/29
block quick from

pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
(max-src-conn 2, max-src-conn-rate 5/5, overload flush global)

Penjelasan sbb :
max-src-conn number
Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

max-src-conn-rate number / interval
Limit the rate of new connections to a certain amount per time interval.

Bagi saya yg awam sulit sekali memahami maksudnya, Hiks..
So dicoba aja testing dengan rule diatas saya coba sebagai berikut :

Saya membuka http://10.10.7.4 di 5 tab firefox dan saya reload dalam waktu bersamaan.Dan halaman masih bisa dibuka.
Akan tetapi jika saya buka 6 halaman http://10.10.7.4 dengan browser berbeda maupun browser yg sama maka saya cek :

# pfctl -t bruteforces -Tshow
10.10.7.1

IP saya terjaring dalam rule tsb.

Kemudian rule coba saya ubah
pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
(max-src-conn 1, max-src-conn-rate 5/5, overload flush global)

max-src-conn nya saya set 1 saja.

Saya coba buka http://10.10.7.4 pada 1 tab saja di firefox dan coba buka halaman tsb di chrome.
Alhasil :
# pfctl -t bruteforces -Tshow
10.10.7.1

Saya coba juga buka dengan IP berbeda, ternyata ip ke 2 langsung kena jaring

# pfctl -t bruteforces -Tshow
10.10.7.10

Saya menyimpulkan sbb :
max-src-conn : berapa banyak browser yg akan di launch untuk mengakses web kita ternyata.
Tidak membedakan IP. oh ternyata sekali buka browser dan akses itu dihitung 1 TCP connection hehe..
max-src-conn-rate a/b : dalam b detik berapa a tab yg akan dibuka/direfresh.
ada juga max-src-node : asumsi saya ini melimit berapa banyak ip yg boleh mengakses, tidak disarankan kalau web kita untuk umum.

Membangun Server dari Awal dengan FreeBSD (part1)

2011-03-18T09:56:00.003+07:00

1. Optimasi Kernel
Setelah instalasi yg perlu di perhatikan adalah kompile kernel.
Buang device2 yang tidak diperlukan. eth driver, pcmcia dll.
1. DIsable IPv6
2. DISABLE NFS

Untuk option tambahan mgkn bisa ditambahkan pada kernel sbb :

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync

2. Setting SSHD
ee /etc/ssh/sshd.config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1
AllowUsers user2

3. Setting TTYS
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Saran dari Dru Lavigne sbb :

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in / etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that
don't require modifications
• implementing a file integrity checking system such as tripwire
(http:/ /www.tripwire.com), aide (http:/ /www.cs.tut.fi/~rammer /aide.html)or
implementing your own using mtree
• changing /etc/motd removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list
(http:/ /lists.freebsd.org/mailman/listinfo/freebsd- security- notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http:/ /sysctl.enderunix.org/ provides some
helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

General hardening tips from Dru..

2011-03-18T09:24:00.001+07:00

does this system really need IPv6 support?
• do I really want NFS (and its inherent security risks) on an Internet facing server?
• should I be loading filesystems I'll never use? (e.g. DOS, CD9660)
• do I need SCSI drivers on a non- SCSI system?
• do I need hardware RAID drivers if I'm using software RAID?
• do I really need to load dozens of NIC drivers if I always buy the same brand of NIC?
• do I need PCMCIA or wireless support on a non- laptop system?
• will I be using USB or Firewire?

KERNEL

1. DIsable IPv6
2. DISABLE NFS

There are many tools available to create a custom backup solution, ranging
built- in FreeBSD utilities to third- party software applications available through
ports collection. In a more complex scenario you may wish to investigate:
• bacula http://www.bacula.org
• rsnapshot http://www.rsnapshot.org
• boxbackup http://www.fluffy.co.uk/boxbackup/

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in / etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that
don't require modifications
• implementing a file integrity checking system such as tripwire
(http:/ /www.tripwire.com), aide (http:/ /www.cs.tut.fi/~rammer /aide.html)or
implementing your own using mtree
• changing /etc/motd , adding an ssh banner, and removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list
(http:/ /lists.freebsd.org/mailman/listinfo/freebsd- security- notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http:/ /sysctl.enderunix.org/ provides some
helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

Lusca/cacheboy

2011-03-03T09:27:00.000+07:00

Lagi nyoba cacheboy tapi belum berhasil yang Tproxy karena mesinku amd. Googling nemu artikel berikut. Semoga bermanfaat
Diambil dari : http://hikmah-teknologi.blogspot.com/

LUSCA TPROXY on FREEBSD-7-STABLE
patch kernel:
cd /usr/src
fetch http://squid-proxy-pkg.googlecode.com/files/freebsd-tproxy-sys.patch
path -p0 < freebsd-tproxy-sys.patch

di kernel : /sys/i386/conf/PROXY
options IP_NONLOCALBIND
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IP_NONLOCALBIND
options LIBALIAS

#option tunning for squid
options VFS_AIO
options MAXFILES=262144
options MSGMNB=32768
options MSGMNI=82
options MSGSEG=4096
options MSGSSZ=128
options MSGTQL=2048
options SHMSEG=32
options SHMMNI=256
options SHMMAX=4194304
options SHMALL=16384
makeoptions COPTFLAGS="-O2 -pipe -funroll-loops -ffast-math"
makeoptions NO_MODULES=yes

build kernel
cd /usr/src
make buildkernel KERNCONF=PROXY && make installkernel KERNCONF=PROXY

di /etc/sysctl.conf
net.inet.ip.nonlocalok=1

cp /usr/src/sys/netinet/in.h /usr/include/netinet

install squid
pkg_add -v http://squid-proxy-pkg.googlecode.com/files/lusca-with-tproxy-r14371_3.tbz

di /usr/local/etc/squid/squid.conf

http_port XXX.INTERNAL.IP.XXX:3128 transparent tproxy

# em0 -> External interface (to mikrotik)
# em1 -> Internal interface (to client)

di /etc/ipfw.tproxy
ipfw add fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80 in via em1 # default rule to transparent proxy
ipfw add fwd 192.168.1.1 tcp from any 80 to 192.168.1.0/24 in via em0 # catch the packets that come back using the clients IPs

di rc.conf
gateway_enable="YES"
ifconfig_em0="192.168.0.1 255.255.255.252"
ifconfig_em1="192.168.1.1 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.tproxy"
firewall_type="open"
firewall_logging="YES"

fsck_y_enable="YES"
background_fsck="NO"

squid_enable="YES"
#disini tidak menggunakan bind taoi dnsmasq

dnsmasq_enable="YES"
dnsmasq_flags="--conf-file=/usr/local/etc/dnsmasq.conf"

dan jangan lupa di router paling atas untuk membuat NAT dan static routes utk ip di bawah proxy

Tproxy

2011-03-02T09:50:00.004+07:00

Back to proxy, especially squid. Eh ada lagi yang namanya cacheboy.
Cacheboy adalah optimasi dari squid stable 2. Menurut pemahaman saya sih cacheboy itu versi moddingnya squid 2 begitulah gampangnya. Nah waktu mencoba instalasi via port ada banyak option yang bisa di enable/disable. Nah berhubung sudah lama gak ngutik squid jadi perlu cari2 lagi fungsi2 option tsb. Antara lain :

1. Delay pool : Fitur ini digunakan untuk limitasi bandwidth
2. AUFS dan COSS : Ini adalah tipe file penyimpanan cache dari squid
3. PF dan IPF transparent : Ini untuk mengaktifkan support PF firewall atau IPF firewall untuk transparent proxy
4. Enable Tproxy : untuk mengaktifkan Tproxy.

Penjelasan Tproxy dari internet sbb :

Transparent Proxy (TProxy)

Tproxy is truly transparent proxy. A transparent proxy or more precisely an interception proxy is the one that becomes transparent to the clients by transparently intercepting the http requests and serving the response, which means the client need not be explicitly configured to use the proxy but they are transparently sent to the proxy without the client's knowledge. Since the interception proxy forwards the request on behalf of the client, the web server see's the source of the request come from the proxy and hence it is not transparent to the web server.

The tproxy feature comes into solving this issue and makes itself transparent to both for the client and the web server. However, the interception and/or tproxy feature requires kernel support and packet redirection feature of the operating system.

Note: To make still more truly transparent, the proxy should be configured not to add any extra headers while forwarding the request and serving the response.

Nha kira2 terjemahannya spt ini.

Tproxy adalah transparent proxy yg sebenar2nya. Transparent proxy atau proxy penangkap adalah proxy yang bekerja dengan menangkap paket http/browsing dari client secara transparan. Dengan kata lain, di sisi client tidak memerlukan adanya konfigurasi pengaktifkan proxy karena secara otomatis dan mau tidak mau akan lewat proxy.

Karena proxy tsb menangkap paket dan melakukan koneksi ke webserver tujuan maka yg dikenali oleh webserver tujuan adalah IP dari proxy bukan dari client.

Fitur dari Tproxy inilah kuncinya, sehingga webserver tujuan mengenali langsung ip client (tentu saja ip public). Fitur ini memerlukan pengaktifan pada kernel dari OS yang dipakai.

Install NTP Server di FreeBSD

2011-03-01T13:55:00.005+07:00

Caranya mudah. Install saja ntp via port
Kemudian
# ee /etc/ntp.conf
server 3.id.pool.ntp.org
server 0.asia.pool.ntp.org
server 2.asia.pool.ntp.or

driftfile /var/db/ntp.drift

Save file /etc/ntp.conf dengan konfigurasi di atas.
Kemudian start service dengan perintah

/etc/rc.d/ntpd start

Kemudian jalankan perintah
ntpdate -d localhost

Jika ada pesan no server bla2. Maka coba tunggu kisaran 10 s/d 15 menit. Dan coba ulangi lagi sampai terjadi sinkronisasi sbb

1 Mar 14:01:36 ntpdate[19223]: step time server localhost offset -225.715219 sec

Jangan lupa untuk membuka port 123 udp.

Angin duduk

2010-11-05T18:19:00.002+07:00

Dapat info penting dari mas chakim yg istrinya kena angin duduk. berikut ini hal2 yang perlu diketahui.
Penyebab :
(1) Sering begadang/pengaruh angin malam
(2) Hobi nahan kentut/boel
(3) Lingkungan/cuaca dingin yang ekstrim dan terus menerus
(4) Telat makan
(5) Masuk angin biasa yang dibiarkan

ciri2nya
(1) rasanya seperti ada yg ngganjel di antara perut+dada
(2) ingin sendawa/kentut tapi susah sekali dan meskipun bisa hampir tidak mengurangi rasa sakit no.1
(3) dibawa duduk/...bungkuk/jalan/bahkan berbaring pun sulit
(4) badan rasanya dingin (bhs jawa: anyep)
Beda sama masuk angin biasa : angin duduk tidak bisa hilang meski sudah dikerokin/minum obat masuk angin/dioles minyak angin yang panas sekalipun

Cara mengatasi :
Sebelumnya olesin perut + dada + pinggang + punggung dengan minyak cap kap*k, bila perlu kerokan, trus masak air, air hangat hasil masak tsb dimasukkan dalam 2 buah botol (botol kaca lebih bagus), botol pertama letakkan di ulu hati atau bagian perut depan tempat angin duduk ga mau keluar, botol kedua diletakkan pada kedua telapak kaki, posisi badan rebah menghadap ke atas, bila perlu pakai jaket + celana training + kaos kaki + selimut tebal, tunggu sampai keringat dingin keluar dan bisa kentut, jika setelah setengah jam tidak kunjung reda, ganti air dalam botol yang udah kurang dingin dengan air hangat baru, dan tempel lagi di tempat spt diatas, semoga bermanfaat, mengingat resiko angin duduk ini adalah meninggal dunia jika terlambat mengatasi (based on a true story)

postfix, sendmail dan php

2010-10-27T10:32:00.002+07:00

Barusan lagi update script untuk checking quota di mysql.
Scriptnya ini menggunakan PHP. Jika ada database yang melebihi quota yang disediakan maka akan di lock dan dikirim email pemberitahuan.
Nah ternyata waktu check quota ada notifikasi error
locking database /usr/sbin/sendmail not found.

Sepertinya error tersebut terjadi karena saya baru migrasi dari sendmail ke postfix.
Ternyata solusinya mudah. Pertama cari dulu binary sendmail

# whereis sendmail
sendmail: /usr/local/sbin/sendmail

Kemudian edit php.ini pada bagian berikut :

sendmail_path = /usr/local/sbin/sendmail -t -i -f noreply@domain.com

restart webserver dan silhakan test kembali..

install eaccelerator di freebsd

2010-07-16T11:45:00.003+07:00

cd /usr/ports/www/eaccelerator

You have installed the eaccelerator package.
Edit /usr/local/etc/php.ini and add:
zend_extension="/usr/local/lib/php/20060613/eaccelerator.so"
Then create the cache directory:
mkdir /tmp/eaccelerator
chown www /tmp/eaccelerator
chmod 0700 /tmp/eaccelerator

u can try to config :
zend_extension="/usr/local/lib/php/20060613/eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

eaccelerator.shm_size
This setting will allow you to control the amount of shared memory eAccelerator should allocate to cache PHP scripts. The number sets the amount of memory in megabytes. Setting this value to 0 will use the default size.

eaccelerator.shm_size

This setting will allow you to control the amount of shared memory eAccelerator should allocate to cache PHP scripts. The number sets the amount of memory in megabytes. Setting this value to 0 will use the default size.

eaccelerator.shm_size = "0"

On Linux the maximum amount of memory a process can allocate is limited by the number set in /proc/sys/kernel/shmmax. Allocating more than this value will result in eAccelerator failing to initialise. The size in this file is given in bytes. You can raise this amount with:

echo value > /proc/sys/kernel/shmmax

Where value is the size in bytes you want to use. This value is reset to the default value evertime you reboot, but you can raise it permanently by adding the amount you need in /etc/sysctl.conf. This is done by adding:

kernel.shmmax = value

eaccelerator.cache_dir

This directory is used for the disk cache. eAccelerator stores precompiled code, session data, content and user entries here. The same data can be stored in shared memory (for quicker access). The default value is “/tmp/eaccelerator”.

eaccelerator.cache_dir = "/tmp/eaccelerator"

This is easy because that directory is easily writable to everyone, and mounted with noexec. However, it isn’t the best because on a lot of systems this directory is cleared on reboot. A better place is /var/cache/eaccelerator. Create the directory and make sure it’s writable to the process eAccelerator runs under.

A safe bet is making it world writeable, a safer and cleaner way is making the user php runs under (most of the time the same user as apache or lighttpd) the owner and set 0644 permissions.

The lazy way:

mkdir /tmp/eaccelerator
chmod 0777 /tmp/eaccelerator

eaccelerator.enable

With this setting you can enable or disable eAccelerator. This may seem like a pretty stupid setting, but it can be very useful. For example this setting can also be used in the vhost section of the Apache configuration. It allows you to disable eAccelerator for a certian vhost by placing php_admin_value eaccelerator.enable 0 in the vhost section.

Setting this value to “1″ enables eAccelerator, which is also the default value. Setting it to “0″ will disable eAccelerator.

eaccelerator.enable = "1"

eaccelerator.optimizer

Enables or disables the optimizer which may speed up code execution. Setting it “1″ will enable eAccelerator, “0″ disables it. By default the optimizer is enabled. The optimizer will only run when the script is compiled before it’s cached.

eaccelerator.optimizer = "1"

eaccelerator.debug

Enables or disables debug logging. Setting this to 1 will print information to the log file about the cache hits of a file. This is only useful when debugging eAccelerator for bug reports.

eaccelerator.debug = 0

eaccelerator.log_file

Set the log file for eaccelerator. When this option isn’t set then the data will be logged to stderr, when using PHP with Apache these lines will be added to the Apache error log.

eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"

eaccelerator.name_space

When using the user cache api for storing data in shared memory, all keys are prepended by the hostname used for the current request. This hostname equals the ServerName? set in the vhost section of apache. This is done to avoid duplicate keys between vhosts. Sometimes this behaviour is desired to share data between vhosts. When setting this option this namespace is used to prepend to each key. By default this is set to “” which instructs eAccelerator to use the hostname as namespace.

When setting this in the main PHP configuration file this namespace will be used by all vhosts. This value can also be set in the vhost section or even in a .htaccess file to allow sharing of data between only two vhosts.

eaccelerator.name_space = ""

eaccelerator.check_mtime

On every hit eAccelerator will check the modification time of a script to see if it changed and needs to be recompiled. Although this is a lot faster then opening the file and compiling it, this still adds some overhead because a stat call needs to be done every time. This setting allows you to disable this check. The downside of disabling this check is that you need to manually clean the eAccelerator cache when you update a file.

By default this check is enabled.

eaccelerator.check_mtime = "1"

eaccelerator.filter

Determine which PHP files can be cached. You can specify the pattern (for example “*.php *.phtml”) the PHP script filename needs to match. If a pattern starts with “!”, the files that match that pattern are excluded from the cache. Default value is “” which will cache all scripts PHP compiles.

Please note that eaccelerator.filter doesn’t work on a URL basis but rather on the absolute filesystem path, so a filter of !/home* would exclude all scripts in /home from being cached.

Multiple patterns need to be seperated by spaces or tabs, but not commas.

eaccelerator.filter = ""

eaccelerator.shm_max

By default there is no limit on the maximum size a user can put in shared memory with functions like eaccelerator_put, the maximum size is controlled by this setting. This value is the maximum size that can be put in the cache, the size is given in bytes (10240, 10K, 1M). The default value is “0″ which disables the limit.

This setting doesn’t affect the maximum size for a script”’

eaccelerator.shm_max = "0"

eaccelerator.shm_ttl

When eAccelerator doesn’t have enough free shared memory to cache a new script it will remove all scripts from shared memory cache that haven’t been accessed in at least shm_ttl seconds. By default this value is set to “0″ which means that eAccelerator won’t try to remove any old scripts from shared memory.

eaccelerator.shm_ttl = "0"

eaccelerator.shm_prune_period

When eAccelerator doesn’t have enough free shared memory to cache a script it tries to remove old scripts if the previous try was made more then “shm_prune_period” seconds ago. Default value is “0″ which means that eAccelerator won’t try to remove any old script from shared memory.

eaccelerator.shm_prune_period = "0"

eaccelerator.shm_only

Enable or disable caching of compiled scripts on disk. This has no effect on session data and content caching. Default value is “0″ which allows eAccelerator to use disk and shared memory cacche for scripts.

eaccelerator.shm_only = "0"

eaccelerator.compress

When using the eaccelerator_content_* api eAccelerator can compress the content before saving it to memory. By default this is set to “1″, to disable compression set it to “0″.

eaccelerator.compress = "1"

eaccelerator.compress_level

Compression level used for content caching. Default value is “9″ which is the maximum compression level.

eaccelerator.compress_level = "9"

eaccelerator.keys | session | content

These settings control the places eAccelerator may cache user content. Possible values are:

shm_and_disk cache data in shared memory and on disk (default value)
shm cache data in shared memory or on disk if shared memory is full or data size greater then “eaccelerator.shm_max”
shm_only cache data in shared memory
disk_only cache data on disk
none don’t cache data

eaccelerator.keys     = "shm_and_disk"
eaccelerator.sessions = "shm_and_disk"
eaccelerator.content  = "shm_and_disk"

The webinterface

eAccelerator can be managed through a webinterface. From version 0.9.5 this webinterface has been fully implemented in php so the settings have been changed.

taken from : http://techgurulive.com/2009/02/02/how-to-install-and-configure-the-eaccelerator-php-cache-on-apache/

Belum sempat nerjemahin.. ntar aja soale lagi seru coba2

Generate pdf problem

2010-07-14T12:08:00.000+07:00

Pernah mengalami generate file dari script php ke pdf dan tidak berhasil?
padahal jika dilocalhost yg memakai xamp berjalan normal.

Setelah saya cek lebih lanjut ternyata jika record yg digenerate tidak begitu banyak, dibawah 100 record berhasil.
Nah lo, mulai berpikir.. apa mgkn konfigurasi buffer file atau cache file di php.ini nya atau webserver confignya.

Setelah mencoba mengulik2, alhamdulillah ketemu.Ini dia, dengan memory limit 96MB, maka generate 2ribu record berhasil dieksekusi. Tinggal disesuaikan dgn kebutuhan saja.

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 96M

libperl.so not found.

2010-06-26T11:24:00.004+07:00

Snmp tiba2 ngga jalan. errornya gini :
/libexec/ld-elf.so.1: Shared object "libperl.so" not found, required by "libnetsnmphelpers.so.20"

Hmm file library ga nemu pathnya.. kalo ga abis upgrade2 paling yo kedelete..
Solusinya coba cari sbb :

server2# ldd /usr/local/sbin/snmpd
/usr/local/sbin/snmpd:
libnetsnmpagent.so.20 => /usr/local/lib/libnetsnmpagent.so.20 (0x2807e000)
libnetsnmphelpers.so.20 => /usr/local/lib/libnetsnmphelpers.so.20 (0x280b5000)
libnetsnmpmibs.so.20 => /usr/local/lib/libnetsnmpmibs.so.20 (0x280d3000)
libperl.so => /usr/local/lib/libperl.so (0x281b3000)
libm.so.4 => /lib/libm.so.4 (0x282b4000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x282ca000)
libutil.so.5 => /lib/libutil.so.5 (0x282e2000)
libnetsnmp.so.20 => /usr/local/lib/libnetsnmp.so.20 (0x282ee000)
libkvm.so.3 => /lib/libkvm.so.3 (0x2838d000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x28394000)
libc.so.6 => /lib/libc.so.6 (0x28487000)
libcrypto.so.7
server2#cp /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so /usr/local/lib

server2# snmpd
server2# ps ax | grep snmpd
8945 ?? S 0:00.11 snmpd

Alhamdulillah oke..

Disable SELINUX

2010-05-24T10:00:00.000+07:00

Here is the way to disable selinux:

1-Edit /etc/selinux/config and set the SELINUX variable to 'disabled'
2-Use the setenforce command to disable on-the-fly

With solution 1, your changes are permanent but only effective if you reboot the machine.

With solution 2, your changes are NOT permanent but effective immediately.

Hope this clears it up :-).

taken from : http://www.linuxquestions.org

SE Linux

2010-05-07T10:59:00.001+07:00

Install SE Linux

# apt-get install selinux-basics selinux-policy-default
# reboot
# nano /etc/default/rcS
edit FSCKFIX=yes
# nano /etc/cron.daily/mlocate (digunakan agar locate database tidak berjalan terus)
tambahkan exit 0 pd baris ke 2

Jika sudah selesai ketikkan :
# check-selinux-installation
# rm /var/run/motd
# ln -s /etc/motd.baru /etc/motd

Security Linux

2010-05-06T12:02:00.004+07:00

1. Matikan dan buang service2 yang tidak perlu.
bisa install rcconf u/ mengatur startup.
dan apt-get remove packagegakpenting

2. Edit partisi, matikan eksekusi untuk partisi dimana user menaruh data (terutama web server)

3. Ubah file descriptor di sysctl.conf
your file descriptor must be beyond 65535

4. Upgrade ke kernel paling baru.

5. Atur firewall se secure mungkin. Allow port yang diperlukan saja.

6. Atur akses login user.

7. Sebisa mungkin jangan gunakan default port.

8. Disable root login from remote

9. Edit motd.

10. Coba main2 dgn sysctl.conf (beware, resiko ditanggung sendiri).

11. Secure kan service2 dan option pada program yg terinstall, misalnya : my.cnf, php.ini, httpd.conf, ftp.conf, snmpd.conf named.conf

12. Install tool pendukung monitoring :
- snmpd, ifstat, iptraf, snort, lsof, htop, deborphan, mtr, nikto. well why do i forget other tool in this critical moment..

Nanti ditambahkan kalau ada lagi.

Thx to cakri n google. u;re all da best.

mencari Package tidak perlu

2010-05-06T11:29:00.002+07:00

# apt-get install deborphan
# deborphan -sz
# apt-get remove namapackage
atau
# apt-get remove --purge $(deborphan)
atau bisa juga
# orphaner
perintah di atas ada tampilan grafisnya ;)

Cisco2an

2010-04-29T09:58:00.002+07:00

# sh run
# conf term
# int Fastethernet0/1
# [config] ip address 10.10.10.1 255.255.255.240 secondary
# exit
# exit
# copy run start

# sh vlan
# conf term
# int Fastethernet0/1
dst2.. lali..

postingan ini hanya buat nyubie yg belajar cisco tanpa arah

PureFTPd di Linux.

2010-03-31T14:40:00.004+07:00

Hari ini nyoba install via tarball, yg q jadikan eksperimen adalah pureftpd.

1. Download Source
wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.29.tar.gz
2. Ekstrak
tar -xzvf pure-ftpd-1.0.29.tar.gz
3. masuk ke directory hasil ekstrak
4. ./configure

Nah lo..koq pas configure error. :(
Ternyata compiler gak support, jadi harus install dulu

apt-get install gcc
apt-get install g++

Ulangi lagi deh configurenya, kemudian lanjutkan dgn perintah make && make install

kelanjutannya ada di postingan ini

Bagi yang compile dgn support mysql coba install dulu mysql-devel
apt-get mysql-devel

Install Snmpd..

2010-03-25T11:08:00.002+07:00

Install snmpd cara praktis aja ya..
# apt-get install snmpd (linux)
# pkg_add -rv net-snmpd (fbsd)

Stl itu copy file konfigurasi :
# cp /etc/snmp/snmpd.conf.orig /etc/snmp/snmpd.conf (linux)
# cp /usr/local/share/snmpd/snmpd.conf.example /usr/local/share/snmpd/snmpd.conf (bsd)

Edit /etc/snmp/snmpd.conf :
com2sec local localhost public
com2sec local ipmrtgserver public

Edit /etc/default/snmpd : (freebsd ga perlu proses ini)
remove ip 127.0.0.1

Restart snmp : /etc/init.d/snmpd restart