My Blog

Apache22 Port di FreeBSD 8.2 Stable

2011-12-15T11:39:00.002+07:00

Kemarin setelah update ke FreeBSD stable 8.2 dan CVsup it coz me trouble.
In da middle on installation i got

/usr/ports/www/apache22/work/httpd-2.2.16/support/htpasswd.c:133: undefined reference to `apr_generate_random_bytes'
*** Error code 1
1 error

it made me frustated, after a day search and following instruction from freebsd forum i got nothing. so i assume that maybe something wrong with the port and i have to fix it.

Here is the solution i've found from the inet to fix a broken port.
It works for me .. :)

# Change into the ports directory
cd /usr/ports/
# First fetch ports index
make fetchindex
# Build the ports database
portsdb -u
# Show out of date ports
pkg_version -l "<"
# Upgrade ports
portupgrade -arR
# Check for stale dependencies
pkgdb -F
# Clean out work directories and delete old distfiles
portsclean -CDD _________________

Next...

2011-11-08T10:48:00.003+07:00

Ternyata banyak sekali aplikasi di OS yg kupake ini yg sangat berguna
tapi aku belum tahu, dan sekarang sudah tahu tambah bingung..
mau yg mana duluan..
baru coba ngoprek openLDAP kok malah macet..
hikss...

belum lagi HAST untuk clustering storage..
uCARP untuk balancingnya..
Wow..
Wow..
Wowowowow...
Speechless...

mengaktifkan log pada mysql

2011-11-04T11:12:00.003+07:00

Buat directory log mysql, misal
mkdir /var/log/mysql
chown mysql:mysql /var/log/mysql

Tambahkan baris berikut pada config file mysql my.cnf

[mysqld_safe]
log-error=/var/log/mysql/error.log

# The MySQL server
[mysqld]
log-error=/var/log/mysql/error.log

restart mysql

Instalasi dan Konfigurasi SYSLOG-NG dengan database MYSQL.

2011-07-02T13:07:00.001+07:00

SYSLOG-NG adalah daemon yang bisa digunakan untuk menggantikan syslogd di FreeBSD atau di Linux yang berfungsi untuk merekam log2 yang ada, baik itu server berbasis linux, bsd ataupun mikrotik ;)
Dengan SYSLOG-NG yang digabung dengan database MySQL maka kita bisa menyimpan semua log secara terpusat dalam satu database, sehingga mudah untuk di manage.

Untuk Web Interface tampilan log saya memakai php-syslog-ng yg bisa di download di http://php-syslog-ng.googlecode.com/files/php-syslog-ng-2.9.8.tgz
Syaratnya server anda sudah ada webserver support php

# cd /usr/local/www
# fetch http://php-syslog-ng.googlecode.com/files/php-syslog-ng-2.9.8.tgz
# tar -xzvf php-syslog-ng-2.9.8.tgz
# chown -R www:www php-syslog-ng
# edit httpd.conf
Alias /log "/usr/local/www/php-syslog-ng/html/"

Options None
AllowOverride None
Order allow,deny
Allow from all

Jika sudah selesai langsung restart webserver dan akses http://ipserver/log
Akan muncul menu instalasi php-syslog, pastikan fitur2 PHP dan file web sudah sesuai (tidak ada warning) klik next, centang konfirmasi, next.
Isikan user root dan password mysql, nama database yang akan digunakan untuk menyimpan log, dan user untuk database dan password (user dan password ini diingat2 yah, karena untuk
konfigurasi syslog servernya),
Misalkan disini
user mysql : syslog
pass mysql : 123abc
nama db : syslogserv

Hilangkan centang dimenu bawah, klik next. next akan muncul :

URL : http://ipserver/log
site : log/ (ingat belakang harus ada backslash)
email : abc@aaaa.com
passwd : syslogadmin

Klik next, akan muncul user : admin passwd: syslogadmin

Selesaaiiii.. hehe untuk web interface sama database doang hehe..

Selanjutnya install via port :
# cd /usr/ports/sysutils/syslog-ng
# make install clean
# cd /usr/local/etc/syslog-ng/
# cp syslog-ng.conf.sample syslog-ng.conf


options { long_hostnames(off); 
   sync(0);
   use_dns(yes);
   use_fqdn(no); };

#
# sources
#
source src { unix-dgram("/var/run/log");
             unix-dgram("/var/run/logpriv" perm(0600));
             internal(); file("/dev/klog"); };

source netsrc { udp(ip("0.0.0.0") port(514));
                tcp(ip("0.0.0.0") port(514)); };

#
# destinations
#
destination messages { file("/var/log/messages"); };
destination security { file("/var/log/security"); };
destination authlog { file("/var/log/auth.log"); };
destination maillog { file("/var/log/maillog"); };
destination lpd-errs { file("/var/log/lpd-errs"); };
destination xferlog { file("/var/log/xferlog"); };
destination cron { file("/var/log/cron"); };
destination debuglog { file("/var/log/debug.log"); };
destination consolelog { file("/var/log/console.log"); };
destination all { file("/var/log/all.log"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination slip { file("/var/log/slip.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination console { file("/dev/console"); };
destination allusers { usertty("*"); };
#destination loghost { udp("loghost" port(514)); };
# CISCO Destinations...
destination netlog { file("/var/log/network/$HOST/$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) create_dirs(yes)); };

destination netsql
                {
                program("/usr/local/bin/mysql --user=syslog --password=123abc syslogserv < /var/log/mysql.pipe");
                pipe ("/var/log/mysql.pipe"
                template ("INSERT INTO syslogserv.logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ('$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$ISODATE', '$PROGRAM', '$MESSAGE' );\n")
                template_escape(yes));
                };

#
# log facility filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_not_authpriv { not facility(authpriv); };
filter f_console { facility(console); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_security { facility(security); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };

#
# log level filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert..emerg); };
filter f_crit { level(crit..emerg); };
filter f_err { level(err..emerg); };
filter f_warning { level(warning..emerg); };
filter f_notice { level(notice..emerg); };
filter f_info { level(info..emerg); };
filter f_debug { level(debug..emerg); };
filter f_is_debug { level(debug); };

#
# program filters
#
filter f_ppp { program("ppp"); };
filter f_slip { program("startslip"); };

#
# host filters
#

# CISCO Filters
filter f_netswitch001 {host("10.1.5.1"); };
filter f_netswitch002 {host("10.1.5.2"); };
filter f_netswitch003 {host("10.1.5.3"); };
filter f_netswitch004 {host("10.1.5.4"); };
filter f_netswitch005 {host("172.16.4.1"); };
filter f_netrouter001 {host("10.1.5.9"); };
filter f_netrouter002 {host("172.16.4.2"); };
filter f_netserver001 {host("server1.example.com"); };
filter f_netserver002 {host("server2.example.com"); };
#
# *.err;kern.warning;auth.notice;mail.crit  /dev/console
#
log { source(src); filter(f_err); destination(console); };
log { source(src); filter(f_kern); filter(f_warning); destination(console); };
log { source(src); filter(f_auth); filter(f_notice); destination(console); };
log { source(src); filter(f_mail); filter(f_crit); destination(console); };

#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };

#
# security.*      /var/log/security
#
log { source(src); filter(f_security); destination(security); };

#
# auth.info;authpriv.info    /var/log/auth.log
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };

#
# mail.info      /var/log/maillog
#
log { source(src); filter(f_mail); filter(f_info); destination(maillog); };

#
# lpr.info      /var/log/lpd-errs
#
log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };

#
# ftp.info      /var/log/xferlog
#
log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); }; 

#
# cron.*      /var/log/cron
#
log { source(src); filter(f_cron); destination(cron); };

#
# *.=debug      /var/log/debug.log
#
log { source(src); filter(f_is_debug); destination(debuglog); };

#
# *.emerg      *
#
log { source(src); filter(f_emerg); destination(allusers); };

#
# !startslip
# *.*       /var/log/slip.log
#
log { source(src); filter(f_slip); destination(slip); };

#
# !ppp
# *.*       /var/log/ppp.log
#
log { source(src); filter(f_ppp); destination(ppp); };

#
# CISCO Program Filters
#
log { source(netsrc); destination(netlog); };
log { source(netsrc); destination(netsql); };

taken from : http://www.freebsdwiki.net/index.php/Syslog-NG_Installation#Installation

# mkfifo /var/log/mysql.pipe
# ee /etc/rc.conf
syslogd_enable="NO"
syslog_ng_enable="YES"
syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags=""

Setelah saya cek ternyata field yg digenerate oleh php-syslog ada yg kurang jadi silahkan login ke mysql server dan tambahkan sbb :


CREATE TABLE `logs` (
  `host` varchar(128) default NULL,
  `facility` varchar(10) default NULL,
  `priority` varchar(10) default NULL,
  `level` varchar(10) default NULL,
  `tag` varchar(10) default NULL,
  `datetime` datetime default NULL,
  `program` varchar(15) default NULL,
  `msg` text,
  `seq` bigint(20) unsigned NOT NULL auto_increment,
  `counter` int(11) NOT NULL default '1',
  `fo` datetime default NULL,
  `lo` datetime default NULL,
  PRIMARY KEY  (`seq`),
  KEY `host` (`host`),
  KEY `program` (`program`),
  KEY `datetime` (`datetime`),
  KEY `priority` (`priority`),
  KEY `facility` (`facility`)
) ENGINE=MyISAM AUTO_INCREMENT=9 DEFAULT CHARSET=latin1;

Ok insya Allah sudah finish. Silahkan reboot server anda. Pastikan mysql server jalan dulu baru syslog-ng server.

bersambungg...

Merubah data directory pada mysql server FreeBSD Server

2011-07-01T09:06:00.000+07:00

Secara default, jika kita install mysql server via port maka data-data dari database yang ada dalam mysql server akan tersimpan pada dir /var/db/mysql
Akan merepotkan kalau ternyata partisi /var kita terlalu kecil, sehingga data nambah sedikit aja partisi /var udah penuh.
Ada 2 cara untuk mensiasati hal tsb,
pertama ada merubah letak data directory pada file konfigurasi mysql kita my.cnf.
Hal ini memerlukan perubahan pada file konfigurasi my.cnf
# ee /var/db/mysql/my.cnf
[mysqld]
datadir=/data/mysqlbaru
Create directory tempat data baru disimpan
# mkdir /data/mysqlbaru
merubah owner directory tsb menjadi milik mysql
#chown -R mysql:mysql /data/mysqlbaru
kemudian start mysql
# /usr/local/etc/rc.d/mysql-server start

Cara kedua adalah dengan memindah dan melakukan linking directory mysql.
Detailnya sbb :

matikan server :
# /usr/local/etc/rc.d/mysql-server stop
# cd /var/db
pindahkan directory data mysql ke directory baru yang kapasitasnya lebih lega :
# mv mysql /data
lakukan linking directory
# ln -s /data/mysql /var/db/mysql
start server :
# /usr/local/etc/rc.d/mysql-server start

Block http brute force dengan PF

2011-06-22T14:29:00.004+07:00

Lumayan ada ilmu baru hasil diskusi dengan admin sebelah dan baca manual PF.
Rulenya sbb :

out_if = bce0
table persist
pass quick from 10.10.3.0/29
block quick from

pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
(max-src-conn 2, max-src-conn-rate 5/5, overload flush global)

Penjelasan sbb :
max-src-conn number
Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

max-src-conn-rate number / interval
Limit the rate of new connections to a certain amount per time interval.

Bagi saya yg awam sulit sekali memahami maksudnya, Hiks..
So dicoba aja testing dengan rule diatas saya coba sebagai berikut :

Saya membuka http://10.10.7.4 di 5 tab firefox dan saya reload dalam waktu bersamaan.Dan halaman masih bisa dibuka.
Akan tetapi jika saya buka 6 halaman http://10.10.7.4 dengan browser berbeda maupun browser yg sama maka saya cek :

# pfctl -t bruteforces -Tshow
10.10.7.1

IP saya terjaring dalam rule tsb.

Kemudian rule coba saya ubah
pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
(max-src-conn 1, max-src-conn-rate 5/5, overload flush global)

max-src-conn nya saya set 1 saja.

Saya coba buka http://10.10.7.4 pada 1 tab saja di firefox dan coba buka halaman tsb di chrome.
Alhasil :
# pfctl -t bruteforces -Tshow
10.10.7.1

Saya coba juga buka dengan IP berbeda, ternyata ip ke 2 langsung kena jaring

# pfctl -t bruteforces -Tshow
10.10.7.10

Saya menyimpulkan sbb :
max-src-conn : berapa banyak browser yg akan di launch untuk mengakses web kita ternyata.
Tidak membedakan IP. oh ternyata sekali buka browser dan akses itu dihitung 1 TCP connection hehe..
max-src-conn-rate a/b : dalam b detik berapa a tab yg akan dibuka/direfresh.
ada juga max-src-node : asumsi saya ini melimit berapa banyak ip yg boleh mengakses, tidak disarankan kalau web kita untuk umum.

Membangun Server dari Awal dengan FreeBSD (part1)

2011-03-18T09:56:00.003+07:00

1. Optimasi Kernel
Setelah instalasi yg perlu di perhatikan adalah kompile kernel.
Buang device2 yang tidak diperlukan. eth driver, pcmcia dll.
1. DIsable IPv6
2. DISABLE NFS

Untuk option tambahan mgkn bisa ditambahkan pada kernel sbb :

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync

2. Setting SSHD
ee /etc/ssh/sshd.config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1
AllowUsers user2

3. Setting TTYS
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Saran dari Dru Lavigne sbb :

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in / etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that
don't require modifications
• implementing a file integrity checking system such as tripwire
(http:/ /www.tripwire.com), aide (http:/ /www.cs.tut.fi/~rammer /aide.html)or
implementing your own using mtree
• changing /etc/motd removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list
(http:/ /lists.freebsd.org/mailman/listinfo/freebsd- security- notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http:/ /sysctl.enderunix.org/ provides some
helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

General hardening tips from Dru..

2011-03-18T09:24:00.001+07:00

does this system really need IPv6 support?
• do I really want NFS (and its inherent security risks) on an Internet facing server?
• should I be loading filesystems I'll never use? (e.g. DOS, CD9660)
• do I need SCSI drivers on a non- SCSI system?
• do I need hardware RAID drivers if I'm using software RAID?
• do I really need to load dozens of NIC drivers if I always buy the same brand of NIC?
• do I need PCMCIA or wireless support on a non- laptop system?
• will I be using USB or Firewire?

KERNEL

1. DIsable IPv6
2. DISABLE NFS

There are many tools available to create a custom backup solution, ranging
built- in FreeBSD utilities to third- party software applications available through
ports collection. In a more complex scenario you may wish to investigate:
• bacula http://www.bacula.org
• rsnapshot http://www.rsnapshot.org
• boxbackup http://www.fluffy.co.uk/boxbackup/

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in / etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that
don't require modifications
• implementing a file integrity checking system such as tripwire
(http:/ /www.tripwire.com), aide (http:/ /www.cs.tut.fi/~rammer /aide.html)or
implementing your own using mtree
• changing /etc/motd , adding an ssh banner, and removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list
(http:/ /lists.freebsd.org/mailman/listinfo/freebsd- security- notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http:/ /sysctl.enderunix.org/ provides some
helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

Lusca/cacheboy

2011-03-03T09:27:00.000+07:00

Lagi nyoba cacheboy tapi belum berhasil yang Tproxy karena mesinku amd. Googling nemu artikel berikut. Semoga bermanfaat
Diambil dari : http://hikmah-teknologi.blogspot.com/

LUSCA TPROXY on FREEBSD-7-STABLE
patch kernel:
cd /usr/src
fetch http://squid-proxy-pkg.googlecode.com/files/freebsd-tproxy-sys.patch
path -p0 < freebsd-tproxy-sys.patch

di kernel : /sys/i386/conf/PROXY
options IP_NONLOCALBIND
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IP_NONLOCALBIND
options LIBALIAS

#option tunning for squid
options VFS_AIO
options MAXFILES=262144
options MSGMNB=32768
options MSGMNI=82
options MSGSEG=4096
options MSGSSZ=128
options MSGTQL=2048
options SHMSEG=32
options SHMMNI=256
options SHMMAX=4194304
options SHMALL=16384
makeoptions COPTFLAGS="-O2 -pipe -funroll-loops -ffast-math"
makeoptions NO_MODULES=yes

build kernel
cd /usr/src
make buildkernel KERNCONF=PROXY && make installkernel KERNCONF=PROXY

di /etc/sysctl.conf
net.inet.ip.nonlocalok=1

cp /usr/src/sys/netinet/in.h /usr/include/netinet

install squid
pkg_add -v http://squid-proxy-pkg.googlecode.com/files/lusca-with-tproxy-r14371_3.tbz

di /usr/local/etc/squid/squid.conf

http_port XXX.INTERNAL.IP.XXX:3128 transparent tproxy

# em0 -> External interface (to mikrotik)
# em1 -> Internal interface (to client)

di /etc/ipfw.tproxy
ipfw add fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80 in via em1 # default rule to transparent proxy
ipfw add fwd 192.168.1.1 tcp from any 80 to 192.168.1.0/24 in via em0 # catch the packets that come back using the clients IPs

di rc.conf
gateway_enable="YES"
ifconfig_em0="192.168.0.1 255.255.255.252"
ifconfig_em1="192.168.1.1 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.tproxy"
firewall_type="open"
firewall_logging="YES"

fsck_y_enable="YES"
background_fsck="NO"

squid_enable="YES"
#disini tidak menggunakan bind taoi dnsmasq

dnsmasq_enable="YES"
dnsmasq_flags="--conf-file=/usr/local/etc/dnsmasq.conf"

dan jangan lupa di router paling atas untuk membuat NAT dan static routes utk ip di bawah proxy

Tproxy

2011-03-02T09:50:00.004+07:00

Back to proxy, especially squid. Eh ada lagi yang namanya cacheboy.
Cacheboy adalah optimasi dari squid stable 2. Menurut pemahaman saya sih cacheboy itu versi moddingnya squid 2 begitulah gampangnya. Nah waktu mencoba instalasi via port ada banyak option yang bisa di enable/disable. Nah berhubung sudah lama gak ngutik squid jadi perlu cari2 lagi fungsi2 option tsb. Antara lain :

1. Delay pool : Fitur ini digunakan untuk limitasi bandwidth
2. AUFS dan COSS : Ini adalah tipe file penyimpanan cache dari squid
3. PF dan IPF transparent : Ini untuk mengaktifkan support PF firewall atau IPF firewall untuk transparent proxy
4. Enable Tproxy : untuk mengaktifkan Tproxy.

Penjelasan Tproxy dari internet sbb :

Transparent Proxy (TProxy)

Tproxy is truly transparent proxy. A transparent proxy or more precisely an interception proxy is the one that becomes transparent to the clients by transparently intercepting the http requests and serving the response, which means the client need not be explicitly configured to use the proxy but they are transparently sent to the proxy without the client's knowledge. Since the interception proxy forwards the request on behalf of the client, the web server see's the source of the request come from the proxy and hence it is not transparent to the web server.

The tproxy feature comes into solving this issue and makes itself transparent to both for the client and the web server. However, the interception and/or tproxy feature requires kernel support and packet redirection feature of the operating system.

Note: To make still more truly transparent, the proxy should be configured not to add any extra headers while forwarding the request and serving the response.

Nha kira2 terjemahannya spt ini.

Tproxy adalah transparent proxy yg sebenar2nya. Transparent proxy atau proxy penangkap adalah proxy yang bekerja dengan menangkap paket http/browsing dari client secara transparan. Dengan kata lain, di sisi client tidak memerlukan adanya konfigurasi pengaktifkan proxy karena secara otomatis dan mau tidak mau akan lewat proxy.

Karena proxy tsb menangkap paket dan melakukan koneksi ke webserver tujuan maka yg dikenali oleh webserver tujuan adalah IP dari proxy bukan dari client.

Fitur dari Tproxy inilah kuncinya, sehingga webserver tujuan mengenali langsung ip client (tentu saja ip public). Fitur ini memerlukan pengaktifan pada kernel dari OS yang dipakai.

Install NTP Server di FreeBSD

2011-03-01T13:55:00.005+07:00

Caranya mudah. Install saja ntp via port
Kemudian
# ee /etc/ntp.conf
server 3.id.pool.ntp.org
server 0.asia.pool.ntp.org
server 2.asia.pool.ntp.or

driftfile /var/db/ntp.drift

Save file /etc/ntp.conf dengan konfigurasi di atas.
Kemudian start service dengan perintah

/etc/rc.d/ntpd start

Kemudian jalankan perintah
ntpdate -d localhost

Jika ada pesan no server bla2. Maka coba tunggu kisaran 10 s/d 15 menit. Dan coba ulangi lagi sampai terjadi sinkronisasi sbb

1 Mar 14:01:36 ntpdate[19223]: step time server localhost offset -225.715219 sec

Jangan lupa untuk membuka port 123 udp.

Angin duduk

2010-11-05T18:19:00.002+07:00

Dapat info penting dari mas chakim yg istrinya kena angin duduk. berikut ini hal2 yang perlu diketahui.
Penyebab :
(1) Sering begadang/pengaruh angin malam
(2) Hobi nahan kentut/boel
(3) Lingkungan/cuaca dingin yang ekstrim dan terus menerus
(4) Telat makan
(5) Masuk angin biasa yang dibiarkan

ciri2nya
(1) rasanya seperti ada yg ngganjel di antara perut+dada
(2) ingin sendawa/kentut tapi susah sekali dan meskipun bisa hampir tidak mengurangi rasa sakit no.1
(3) dibawa duduk/...bungkuk/jalan/bahkan berbaring pun sulit
(4) badan rasanya dingin (bhs jawa: anyep)
Beda sama masuk angin biasa : angin duduk tidak bisa hilang meski sudah dikerokin/minum obat masuk angin/dioles minyak angin yang panas sekalipun

Cara mengatasi :
Sebelumnya olesin perut + dada + pinggang + punggung dengan minyak cap kap*k, bila perlu kerokan, trus masak air, air hangat hasil masak tsb dimasukkan dalam 2 buah botol (botol kaca lebih bagus), botol pertama letakkan di ulu hati atau bagian perut depan tempat angin duduk ga mau keluar, botol kedua diletakkan pada kedua telapak kaki, posisi badan rebah menghadap ke atas, bila perlu pakai jaket + celana training + kaos kaki + selimut tebal, tunggu sampai keringat dingin keluar dan bisa kentut, jika setelah setengah jam tidak kunjung reda, ganti air dalam botol yang udah kurang dingin dengan air hangat baru, dan tempel lagi di tempat spt diatas, semoga bermanfaat, mengingat resiko angin duduk ini adalah meninggal dunia jika terlambat mengatasi (based on a true story)

postfix, sendmail dan php

2010-10-27T10:32:00.002+07:00

Barusan lagi update script untuk checking quota di mysql.
Scriptnya ini menggunakan PHP. Jika ada database yang melebihi quota yang disediakan maka akan di lock dan dikirim email pemberitahuan.
Nah ternyata waktu check quota ada notifikasi error
locking database /usr/sbin/sendmail not found.

Sepertinya error tersebut terjadi karena saya baru migrasi dari sendmail ke postfix.
Ternyata solusinya mudah. Pertama cari dulu binary sendmail

# whereis sendmail
sendmail: /usr/local/sbin/sendmail

Kemudian edit php.ini pada bagian berikut :

sendmail_path = /usr/local/sbin/sendmail -t -i -f noreply@domain.com

restart webserver dan silhakan test kembali..

install eaccelerator di freebsd

2010-07-16T11:45:00.003+07:00

cd /usr/ports/www/eaccelerator

You have installed the eaccelerator package.
Edit /usr/local/etc/php.ini and add:
zend_extension="/usr/local/lib/php/20060613/eaccelerator.so"
Then create the cache directory:
mkdir /tmp/eaccelerator
chown www /tmp/eaccelerator
chmod 0700 /tmp/eaccelerator

u can try to config :
zend_extension="/usr/local/lib/php/20060613/eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

eaccelerator.shm_size
This setting will allow you to control the amount of shared memory eAccelerator should allocate to cache PHP scripts. The number sets the amount of memory in megabytes. Setting this value to 0 will use the default size.

eaccelerator.shm_size

This setting will allow you to control the amount of shared memory eAccelerator should allocate to cache PHP scripts. The number sets the amount of memory in megabytes. Setting this value to 0 will use the default size.

eaccelerator.shm_size = "0"

On Linux the maximum amount of memory a process can allocate is limited by the number set in /proc/sys/kernel/shmmax. Allocating more than this value will result in eAccelerator failing to initialise. The size in this file is given in bytes. You can raise this amount with:

echo value > /proc/sys/kernel/shmmax

Where value is the size in bytes you want to use. This value is reset to the default value evertime you reboot, but you can raise it permanently by adding the amount you need in /etc/sysctl.conf. This is done by adding:

kernel.shmmax = value

eaccelerator.cache_dir

This directory is used for the disk cache. eAccelerator stores precompiled code, session data, content and user entries here. The same data can be stored in shared memory (for quicker access). The default value is “/tmp/eaccelerator”.

eaccelerator.cache_dir = "/tmp/eaccelerator"

This is easy because that directory is easily writable to everyone, and mounted with noexec. However, it isn’t the best because on a lot of systems this directory is cleared on reboot. A better place is /var/cache/eaccelerator. Create the directory and make sure it’s writable to the process eAccelerator runs under.

A safe bet is making it world writeable, a safer and cleaner way is making the user php runs under (most of the time the same user as apache or lighttpd) the owner and set 0644 permissions.

The lazy way:

mkdir /tmp/eaccelerator
chmod 0777 /tmp/eaccelerator

eaccelerator.enable

With this setting you can enable or disable eAccelerator. This may seem like a pretty stupid setting, but it can be very useful. For example this setting can also be used in the vhost section of the Apache configuration. It allows you to disable eAccelerator for a certian vhost by placing php_admin_value eaccelerator.enable 0 in the vhost section.

Setting this value to “1″ enables eAccelerator, which is also the default value. Setting it to “0″ will disable eAccelerator.

eaccelerator.enable = "1"

eaccelerator.optimizer

Enables or disables the optimizer which may speed up code execution. Setting it “1″ will enable eAccelerator, “0″ disables it. By default the optimizer is enabled. The optimizer will only run when the script is compiled before it’s cached.

eaccelerator.optimizer = "1"

eaccelerator.debug

Enables or disables debug logging. Setting this to 1 will print information to the log file about the cache hits of a file. This is only useful when debugging eAccelerator for bug reports.

eaccelerator.debug = 0

eaccelerator.log_file

Set the log file for eaccelerator. When this option isn’t set then the data will be logged to stderr, when using PHP with Apache these lines will be added to the Apache error log.

eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"

eaccelerator.name_space

When using the user cache api for storing data in shared memory, all keys are prepended by the hostname used for the current request. This hostname equals the ServerName? set in the vhost section of apache. This is done to avoid duplicate keys between vhosts. Sometimes this behaviour is desired to share data between vhosts. When setting this option this namespace is used to prepend to each key. By default this is set to “” which instructs eAccelerator to use the hostname as namespace.

When setting this in the main PHP configuration file this namespace will be used by all vhosts. This value can also be set in the vhost section or even in a .htaccess file to allow sharing of data between only two vhosts.

eaccelerator.name_space = ""

eaccelerator.check_mtime

On every hit eAccelerator will check the modification time of a script to see if it changed and needs to be recompiled. Although this is a lot faster then opening the file and compiling it, this still adds some overhead because a stat call needs to be done every time. This setting allows you to disable this check. The downside of disabling this check is that you need to manually clean the eAccelerator cache when you update a file.

By default this check is enabled.

eaccelerator.check_mtime = "1"

eaccelerator.filter

Determine which PHP files can be cached. You can specify the pattern (for example “*.php *.phtml”) the PHP script filename needs to match. If a pattern starts with “!”, the files that match that pattern are excluded from the cache. Default value is “” which will cache all scripts PHP compiles.

Please note that eaccelerator.filter doesn’t work on a URL basis but rather on the absolute filesystem path, so a filter of !/home* would exclude all scripts in /home from being cached.

Multiple patterns need to be seperated by spaces or tabs, but not commas.

eaccelerator.filter = ""

eaccelerator.shm_max

By default there is no limit on the maximum size a user can put in shared memory with functions like eaccelerator_put, the maximum size is controlled by this setting. This value is the maximum size that can be put in the cache, the size is given in bytes (10240, 10K, 1M). The default value is “0″ which disables the limit.

This setting doesn’t affect the maximum size for a script”’

eaccelerator.shm_max = "0"

eaccelerator.shm_ttl

When eAccelerator doesn’t have enough free shared memory to cache a new script it will remove all scripts from shared memory cache that haven’t been accessed in at least shm_ttl seconds. By default this value is set to “0″ which means that eAccelerator won’t try to remove any old scripts from shared memory.

eaccelerator.shm_ttl = "0"

eaccelerator.shm_prune_period

When eAccelerator doesn’t have enough free shared memory to cache a script it tries to remove old scripts if the previous try was made more then “shm_prune_period” seconds ago. Default value is “0″ which means that eAccelerator won’t try to remove any old script from shared memory.

eaccelerator.shm_prune_period = "0"

eaccelerator.shm_only

Enable or disable caching of compiled scripts on disk. This has no effect on session data and content caching. Default value is “0″ which allows eAccelerator to use disk and shared memory cacche for scripts.

eaccelerator.shm_only = "0"

eaccelerator.compress

When using the eaccelerator_content_* api eAccelerator can compress the content before saving it to memory. By default this is set to “1″, to disable compression set it to “0″.

eaccelerator.compress = "1"

eaccelerator.compress_level

Compression level used for content caching. Default value is “9″ which is the maximum compression level.

eaccelerator.compress_level = "9"

eaccelerator.keys | session | content

These settings control the places eAccelerator may cache user content. Possible values are:

shm_and_disk cache data in shared memory and on disk (default value)
shm cache data in shared memory or on disk if shared memory is full or data size greater then “eaccelerator.shm_max”
shm_only cache data in shared memory
disk_only cache data on disk
none don’t cache data

eaccelerator.keys     = "shm_and_disk"
eaccelerator.sessions = "shm_and_disk"
eaccelerator.content  = "shm_and_disk"

The webinterface

eAccelerator can be managed through a webinterface. From version 0.9.5 this webinterface has been fully implemented in php so the settings have been changed.

taken from : http://techgurulive.com/2009/02/02/how-to-install-and-configure-the-eaccelerator-php-cache-on-apache/

Belum sempat nerjemahin.. ntar aja soale lagi seru coba2

Generate pdf problem

2010-07-14T12:08:00.000+07:00

Pernah mengalami generate file dari script php ke pdf dan tidak berhasil?
padahal jika dilocalhost yg memakai xamp berjalan normal.

Setelah saya cek lebih lanjut ternyata jika record yg digenerate tidak begitu banyak, dibawah 100 record berhasil.
Nah lo, mulai berpikir.. apa mgkn konfigurasi buffer file atau cache file di php.ini nya atau webserver confignya.

Setelah mencoba mengulik2, alhamdulillah ketemu.Ini dia, dengan memory limit 96MB, maka generate 2ribu record berhasil dieksekusi. Tinggal disesuaikan dgn kebutuhan saja.

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 96M

libperl.so not found.

2010-06-26T11:24:00.004+07:00

Snmp tiba2 ngga jalan. errornya gini :
/libexec/ld-elf.so.1: Shared object "libperl.so" not found, required by "libnetsnmphelpers.so.20"

Hmm file library ga nemu pathnya.. kalo ga abis upgrade2 paling yo kedelete..
Solusinya coba cari sbb :

server2# ldd /usr/local/sbin/snmpd
/usr/local/sbin/snmpd:
libnetsnmpagent.so.20 => /usr/local/lib/libnetsnmpagent.so.20 (0x2807e000)
libnetsnmphelpers.so.20 => /usr/local/lib/libnetsnmphelpers.so.20 (0x280b5000)
libnetsnmpmibs.so.20 => /usr/local/lib/libnetsnmpmibs.so.20 (0x280d3000)
libperl.so => /usr/local/lib/libperl.so (0x281b3000)
libm.so.4 => /lib/libm.so.4 (0x282b4000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x282ca000)
libutil.so.5 => /lib/libutil.so.5 (0x282e2000)
libnetsnmp.so.20 => /usr/local/lib/libnetsnmp.so.20 (0x282ee000)
libkvm.so.3 => /lib/libkvm.so.3 (0x2838d000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x28394000)
libc.so.6 => /lib/libc.so.6 (0x28487000)
libcrypto.so.7
server2#cp /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so /usr/local/lib

server2# snmpd
server2# ps ax | grep snmpd
8945 ?? S 0:00.11 snmpd

Alhamdulillah oke..

Disable SELINUX

2010-05-24T10:00:00.000+07:00

Here is the way to disable selinux:

1-Edit /etc/selinux/config and set the SELINUX variable to 'disabled'
2-Use the setenforce command to disable on-the-fly

With solution 1, your changes are permanent but only effective if you reboot the machine.

With solution 2, your changes are NOT permanent but effective immediately.

Hope this clears it up :-).

taken from : http://www.linuxquestions.org

SE Linux

2010-05-07T10:59:00.001+07:00

Install SE Linux

# apt-get install selinux-basics selinux-policy-default
# reboot
# nano /etc/default/rcS
edit FSCKFIX=yes
# nano /etc/cron.daily/mlocate (digunakan agar locate database tidak berjalan terus)
tambahkan exit 0 pd baris ke 2

Jika sudah selesai ketikkan :
# check-selinux-installation
# rm /var/run/motd
# ln -s /etc/motd.baru /etc/motd

Security Linux

2010-05-06T12:02:00.004+07:00

1. Matikan dan buang service2 yang tidak perlu.
bisa install rcconf u/ mengatur startup.
dan apt-get remove packagegakpenting

2. Edit partisi, matikan eksekusi untuk partisi dimana user menaruh data (terutama web server)

3. Ubah file descriptor di sysctl.conf
your file descriptor must be beyond 65535

4. Upgrade ke kernel paling baru.

5. Atur firewall se secure mungkin. Allow port yang diperlukan saja.

6. Atur akses login user.

7. Sebisa mungkin jangan gunakan default port.

8. Disable root login from remote

9. Edit motd.

10. Coba main2 dgn sysctl.conf (beware, resiko ditanggung sendiri).

11. Secure kan service2 dan option pada program yg terinstall, misalnya : my.cnf, php.ini, httpd.conf, ftp.conf, snmpd.conf named.conf

12. Install tool pendukung monitoring :
- snmpd, ifstat, iptraf, snort, lsof, htop, deborphan, mtr, nikto. well why do i forget other tool in this critical moment..

Nanti ditambahkan kalau ada lagi.

Thx to cakri n google. u;re all da best.

mencari Package tidak perlu

2010-05-06T11:29:00.002+07:00

# apt-get install deborphan
# deborphan -sz
# apt-get remove namapackage
atau
# apt-get remove --purge $(deborphan)
atau bisa juga
# orphaner
perintah di atas ada tampilan grafisnya ;)

Cisco2an

2010-04-29T09:58:00.002+07:00

# sh run
# conf term
# int Fastethernet0/1
# [config] ip address 10.10.10.1 255.255.255.240 secondary
# exit
# exit
# copy run start

# sh vlan
# conf term
# int Fastethernet0/1
dst2.. lali..

postingan ini hanya buat nyubie yg belajar cisco tanpa arah

PureFTPd di Linux.

2010-03-31T14:40:00.004+07:00

Hari ini nyoba install via tarball, yg q jadikan eksperimen adalah pureftpd.

1. Download Source
wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.29.tar.gz
2. Ekstrak
tar -xzvf pure-ftpd-1.0.29.tar.gz
3. masuk ke directory hasil ekstrak
4. ./configure

Nah lo..koq pas configure error. :(
Ternyata compiler gak support, jadi harus install dulu

apt-get install gcc
apt-get install g++

Ulangi lagi deh configurenya, kemudian lanjutkan dgn perintah make && make install

kelanjutannya ada di postingan ini

Bagi yang compile dgn support mysql coba install dulu mysql-devel
apt-get mysql-devel

Install Snmpd..

2010-03-25T11:08:00.002+07:00

Install snmpd cara praktis aja ya..
# apt-get install snmpd (linux)
# pkg_add -rv net-snmpd (fbsd)

Stl itu copy file konfigurasi :
# cp /etc/snmp/snmpd.conf.orig /etc/snmp/snmpd.conf (linux)
# cp /usr/local/share/snmpd/snmpd.conf.example /usr/local/share/snmpd/snmpd.conf (bsd)

Edit /etc/snmp/snmpd.conf :
com2sec local localhost public
com2sec local ipmrtgserver public

Edit /etc/default/snmpd : (freebsd ga perlu proses ini)
remove ip 127.0.0.1

Restart snmp : /etc/init.d/snmpd restart

disable telnet inetd

2010-03-25T10:21:00.002+07:00

Ketik perintah berikut :

# /usr/sbin/update-inetd --disable telnet

Manage startup service

2010-03-25T10:09:00.002+07:00

Untuk meremove service di linux sewaktu startup ada bbrp cara :

1. # update-rc.d -f NAMASERVICE remove
contoh :
# update-rc.d -f exim4 remove

2. Install rrconf
# apt-get install rcconf
tunggu proses selesai, ketik :
# rcconf

Tinggal check/uncheck yg ga perlu aja, kayak msconfig gitu..

Kalo di FreeBSD, tinggal cek aja isi /etc/rc.conf atau cek didirectory /usr/local/etc/rc.d

Wokeh.. selamat berbahagia..

bunuh semua!!

2010-03-19T10:52:00.004+07:00

Cara membunuh/kill semua proses pada suatu daemon adl sbb :

ps -ax | grep "/usr/local/sbin/httpd" | awk '{print $1}' | xargs kill

atau kalau mau lihat process owner idnya

ps -aux | grep "/usr/local/sbin/httpd" | awk '{print $2}' | xargs kill

nb : bedanya cuman di awk row nya aja..

bigmem Vs PAE

2010-03-18T08:49:00.002+07:00

Memory anda lebih dari 4GB? tapi tidak terdeteksi semua?
Apa pasal?

Hal ini dikarenakan OS yg terinstall 32bit dan kernel bigmem (di linux) atau PAE (di FreeBSD) belum diaktifkan.

Untuk FreeBSD ada 2 cara :
1. tambahkan baris berikut di file kernel anda dan compile ulang
options PAE
menambahkan baris tersebut akan menyebabkan beberapa driver tidak disupport, jadi perlu dipertimbangkan apakah driver dipakai atau tidak.

2. Cara kedua adalah dengan cara install ulang dgn ISO AMD64.

Untuk Debian coba langkah berikut.

- Install lshw untuk cek memori real anda
# apt-get install lshw
# lshw -C memory
# dpkg --get-selections | grep bigmem
# apt-get install linux-image-2.6.26.2-686-bigmem

Cek hasil instalasi kernel dgn perintah berikut :
# dpkg --get-selections | grep bigmem
linux-image-2.6.26.2-686-bigmem install

Untuk menu booting lihat dulu
# grep "Debian GNU" /boot/grub/menu.lst | nl -v0

Sesuaikan menu kernel dgn nomer default boot.

mounting...

2010-03-17T22:22:00.002+07:00

kalo tiba2 fbsd ngadat n masuk mountroot, gimana donk ?
1. perhatikan kabel HD yg terpasang apakah sudah di set primary?
2. perhatikan jumper HD, sbg master atau slave wkt instalasi.

Kalau sistem msk single mode dan hanya read only mode. Sedangkan kita butuh ngedit /etc/fstab buat ngedit mount pointnya, caranya sbb :

mount -t ufs rw /dev/ad0s1a / (mounting root, nm partisi sesuiakan)

sunlink

2009-11-26T12:59:00.003+07:00

Sunlink bukan merk sabun cuci maupun shampo..
Sunlink di freebsd digunakan untuk memblok delete permission dgn kata lain smua user tidak bisa menghapus file yg telah di sunlink.

Perintahnya :
# chflags sunlink ojodidel.txt

Untuk menonaktifkan sunlink sbb :

# chflags nosunlink ojodidel.txt

Mengenal beberapa Unix tool.

2009-11-05T10:53:00.000+07:00

1. Sed
Sed adalah stream editor. Pada dasarnya digunakan untuk manipulasi text.

Perintah dasar.

sed [-lrn] [-e 'sedscript'] [file1 file2 ...]

-l : line buffered
-r : extended regex
-n silences default output

Paling males kan baca perintah dasar? soalnya saya blm paham kalau ngga ada contohnya :P.

% echo "Hello there foo" | sed -e 's/foo/bar/'
Hello there bar

nah.. paham kan? perintah diatas dpt digunakan untuk mereplace foo menjadi bar

saya mencoba perintah berikut dan berhasil
# more limit | sed -e 's/fxp1/rl0/' >> limitbaru
perintah diatas adalah membaca file dgn nama limit dan mereplace semua kata yg mengandung fxp1 menjadi rl0 dan hasilnya disimpan dalam file limitbaru

Perintah sed juga bisa berfungsi seperti grep.

% sed -ne '/FreeBSD/p' /etc/motd
FreeBSD 6.2-PRERELEASE (FOO) #0: Sat Nov 11 00:12:52 EST 2006
Welcome to FreeBSD!

Dapat digunakan juga untuk melihat header mail.
% cat mymail \
| sed -ne '/^[A-Za-z0-9]/ { x; /^Received: /{p;}; }; /^[A-Za-z0-9]/!H'
Received: from localhost (localhost [127.0.0.1])
by whitefox.csh.rit.edu (Postfix) with ESMTP id 731F81145C
for ; Sat, 19 May 2007 01:19:30 -0400 (EDT)
Received: from whitefox.csh.rit.edu ([127.0.0.1])
by localhost (whitefox.csh.rit.edu [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id EURHKUeHSrao for ;
Sat, 19 May 2007 01:19:16 -0400 (EDT)

2. cut
Cut digunakan untuk memotong bbrp bagian dr data.

Perintah dasar

cut [-d delim -f range] [-c range] [-b range]

% echo "one,two,three,four" | cut -d"," -f 1,3
one,three

yang tdk bisa dieksekusi oleh cut

% echo "one two three" | cut -d' ' -f 2

% echo "one two three" | awk '{print $2}'
two

3. awk
awk merupakan filter tool pada scripting

Perintah dasar
awk [-F] [awk_script]

awk mempunyai 2 konsep data spyt pd input file yaitu field dan record

record adalah seluruh baris, pemisah antar record adl baris baru

field adalah kata2, pemisahnya adalah spasi atau tab. default pemisahnya adalah spasi tapi bs juga sebuah karakter atau regular expression.

pattern : [condition_expressions] { [action_expressions] }
% fstat | sed -e 1d \
| awk '{a[$1]++} END { for (i in a) { print i, a[i] } }' \
| sort -nk2
smmsp 8
_dhcp 11
www 45
root 328
jls 482

Show file yg tdk kosong
% ls -l | awk '$5 > 0'

Show log antar 10 May dan 20 May
% cat *.log | awk '$1 == "May" && ($2 >= 10 && $2 <= 20)'

Show ip dari perintah host
% host www.google.com | awk '/has address/ { print $4 }'

Sulit sekali memahami perintah awk ini..
Tapi emang powerfull bgt..

4. xarg
xarg digunakan untuk mengambil argumen dan digunakan untuk menjalakan program.

Perintah dasar
xargs [flags] [command [args]]

# delete png file
% find ./i/ -name '*.png' | xargs rm

% cat /tmp/somehosts \
| xargs -P10 -I"HOST" -n1 sh -c 'ssh HOST uptime | sed -e "s/^/HOST: /"'

Tiba2 koq laper.. :(
Sampe sini aja dulu...

Taken : semicomplete.com

cara reset mikrotik

2009-11-03T09:10:00.003+07:00

Teman2 sempat pusing mikirin ada perangkat mikrotik warisan tapi lupa passwordnya. Dari googling ada cara ribet yaitu install ulang OS nya via kabel dan butuh software ini itu [lupa].

Tapi hal itu takkan pernah terjadi setelah nemu postingan di forum berikut :

look above: this little hole is JP1, Stick a screwdriver in it while booting (to short-circuit it) and it will reset the config.

thx a lot to http://forum.mikrotik.com

Cara eksport dan import database mysql di unix based

2009-10-29T09:05:00.004+07:00

Cara untuk eksport database mysql via console bisa dilakukan sbb :

# mysqldump -uusernya -ppasswordnya master > backup.sql

Perintah diatas akan melakukan export data pada database master kedalam file backup.sql

Sedangkan cara untuk import database sbb:

# mysqldump -uusernya -ppasswordnya dbbaru backup.sql

Namun jika database yang di import besar ratusan MB dpt digunakan cara sbb :

# mysql -u root -p
# use dbbaru;
# source /home/aku/backup.sql

Yatta!!.. berhasil.. berhasil.. alhamdulillah...moga2 saja bisa untuk backup database sampe satu GB huehue..

upgrade Freebsd dari release ke stable dengan cvsup

2009-10-28T11:17:00.003+07:00

Berikut langkah2 untuk upgrade Freebsd stable

# whereis cvsup-without-gui
cvsup-without-gui: /usr/ports/net/cvsup-without-gui
# cd /usr/ports/net/cvsup-without-gui
# make install clean

Setelah selesai copy kedua file cvsup ke directory /etc

#cp /usr/share/examples/cvsup/ports-supfile /etc
#cp /usr/share/examples/cvsup/stable-supfile /etc

Edit kedua file tsb dan pada baris
default host=
isi dengan cvsup.freebsd.or.id atau cari server cvsup terdekat

kemudian jalankan perintah
# cd /etc
# cvsup -g -L 2 ports-supfile && cvsup -g -L 2 stable-supfile
# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=namakernel
# make installkernel KERNCONF=namakernel
# shutdown -r now (untuk reboot)
# cd /usr/src
# make installworld
# uname -a

FreeBSD ns1.xxx.xxx.id 7.2-STABLE FreeBSD 7.2-STABLE #0: Wed Oct 28 09:58:36 UTC 2009 ainur@xxx.xxx.id

install apache 22 + SSL

2009-09-08T13:39:00.003+07:00

# cd /usr/ports/www/apache22
# make install clean

# mkdir /usr/local/etc/apache22/ssl.key
# mkdir /usr/local/etc/apache22/ssl.crt
# chmod 0700 /usr/local/etc/apache22/ssl.key
# chmod 0700 /usr/local/etc/apache22/ssl.crt

# cd /root
# openssl genrsa -des3 -out server.key 1024

# openssl req -new -key server.key -out server.csr

# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

# cp /root/server.key /usr/local/etc/apache22/ssl.key/
# cp /root/server.crt /usr/local/etc/apache22/ssl.crt/

# chmod 0400 /usr/local/etc/apache22/ssl.key/server.key
# chmod 0400 /usr/local/etc/apache22/ssl.crt/server.crt

# cd /usr/local/etc/apache22/extra
# vi httpd-ssl.conf

Isikan httpd-ssl.conf sbb :

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache "dbm:/var/run/ssl_scache"
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex "file:/var/run/ssl_mutex"

##
## SSL Virtual Host Context
##

# General setup for the virtual host
DocumentRoot "/usr/local/www/apache22/data"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
#SSLCertificateFile "/usr/local/etc/apache22/server-dsa.crt"

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
#SSLCertificateKeyFile "/usr/local/etc/apache22/server-dsa.key"

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile "/usr/local/etc/apache22/server-ca.crt"

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/usr/local/etc/apache22/ssl.crt"
#SSLCACertificateFile "/usr/local/etc/apache22/ssl.crt/ca-bundle.crt"

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/var/log/httpd-ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Supaya tiap kali start apache tdk ditanya password, lakukan sbb :
cd /usr/local/etc/apache22/ssl.key/
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

pasang hd ke2 d freebsd

2009-08-10T19:00:00.000+07:00

Kemarin hd router utama ko. Manggil bootloader aja trus mandek..
Wah pdhal byk data penting. Akhirnya aq psg aja jadi secondary d fbsdku yg lain. Nah..mslhnya adl msh lom dkenali partisinya. Coba edit fstabnya.

Mengenal dot-file di *NIX system

2009-02-19T22:43:00.001+07:00

Pasti pernah tau kan dot-file. Ya, yang biasanya ada di home directory (/home/namauser).File tersebut adalah file konfigurasi untuk mengatur setting dari program Unix/Linux seperti shell (bash/ksh/sh), vi (file editor) dan aplikasi lainnya.

File konfigurasi untuk sistem *NIX biasanya disimpan di /etc atau di /usr/local/etc. Tiap aplikasi mempunyai format yang unik, user bisa saja meletakkan file konfigurasi tidak sesuai dengan defaultnya tapi ke directory lain. Untuk menyembunyikan file konfigurasi dari listing normal (ls), maka file/directory bisa diprefik (awalan) dot (titik).

Untuk melihat dot-file bisa digunakan perintah ls -a atau kalau di FreeBSD cukup memakai ll atau kalau mau lebih singkat bisa dengan perintah ls -ld .*

diterjemahkan scr bebas dari : www.cyberciti.biz

Instalasi MRTG menggunakan RRDTool di FreeBSD

2009-02-17T09:10:00.004+07:00

MRTG (Multi Router Traffic Grapher) adalah tool yang digunakan untuk menampilkan secara grafis data (traffik) yang telah diambil dari snmp sebuah host. Ehm, gampangnya gini suatu tool agar kita bisa melihat traffik baik itu traffik penggunakan bandwith, penggunaan memory suatu host maupun kinerja processor. Nah si MRTG server ini mengambil datanya lewat SNMP yang sudah terinstall di host yang akan kita capture.

Cara instalasinya mudah saja, jika via port ketik
# cd /usr/ports/net-mgmt/mrtg
# make install clean
Jika via package, ketik saja
# pkg_add -rv mrtg

Setelah instalasi akan muncul /usr/local/etc/mrtg/mrtg.cfg.default, rename saja file tsb menjadi /usr/local/etc/mrtg/mrtg.cfg

WorkDir: /usr/local/www/mrtg/
Options[_]: growright, bits
RunAsDaemon: yes

Target[coba]: 2:public@192.168.2.2:
#perintah di atas adalah mengambil data di interface ke-2 pada host 192.168.2.2
MaxBytes[coba]: 125000
#Batas maksimum yg akan ditampilkan adalah 125000Bytes, alias hampir 1Mbit.
Title[coba]: Traffic Analysis for ADSL
PageTop[coba]: Traffic Analysis for ADSL

Ket :
Saat mrtg dijalankan maka data berupa coba.html (beserta file gambar traffiknya) akan di generate di directory /usr/local/www/mrtg/, jadi di server mrtg juga harus ada webserver untuk menampilkannya. Nah, secara default MRTG akan menggunakan log untuk menyimpan data2 yang diperoleh.

Agar mrtg disimpan dalam database dan interval pengambilan data kurang dari 5 menit (defaultnya kalau pakai default minimal 5 menit), maka saya menggunakan RRDTool.
Caranya :
# /usr/ports/databases/rrdtool
# make install clean
Sedangkan file konfigurasi /usr/local/etc/mrtg/mrtg.cfg, menjadi :

WorkDir: /usr/local/www/mrtg
Options[_]: growright, bits
RunAsDaemon: yes
LogFormat: rrdtool
PathAdd: /usr/local/bin
Refresh: 500
Interval: 2
LogFormat: rrdtool

Target[coba]: 2:public@192.168.2.2:
MaxBytes[coba]: 125000
Title[coba]: Traffic Analysis for ADSL
PageTop[coba]: Traffic Analysis for ADSL

Mudah kan?.. lebih mudah lagi kalau untuk tampilannya anda menggunakan mrtg-rrd.cgi
silahkan disearch ada di google untuk filenya. Dengan file cgi tsb anda ngga usah repot2 ngedit file html anda untuk menampilkan semua grafik mrtg anda..

Selamat mencoba.

Instalasi FreeBSD

2009-01-12T13:48:00.005+07:00

Setelah berkenalan dengan FreeBSD, maka tiba saatnya untuk memikirkan hubungan yang lebih serius, yaitu dengan cara install donkk FreeBSDnya. Jangan cuman baca! tapi coba!
Postingan ini akan membahas minimal instalation untuk server/router dan sebangsanya, bukan untuk desktop. Karena itu GUI tidak saya sertakan.

Persiapan :
1. Seperangkat PC (CPU, keyboard dan monitor).
2. CD ISO FreeBSD (terserah versi berapa, karena instalasi hampir sama tiap versi).

Tahap instalasi :
1. Pasang HD dengan mode Primary master dan Boot dari CD.
2. Lakukan booting dan tunggu sampai keluar menu instalasi FreeBSD
3. Tekan enter atau tunggu 10 detik untuk Boot dengan FreeBSD.
4. Muncul menu select country, pilih US dengan menekan space/enter
5. Muncul mode instalasi, pilih custom dan akan muncul banyak menu
6. Pilih "Allocate disk" untuk melakukan partisi HD.
Pada sesi ini kita bisa membagi ruang HD kita sesuai keinginan. Apakah semua akan dipartisi ke freebsd (ufs) ataukah mau dibagi2, misalnya mau install Windows juga dalam satu HD tersebut. Dlm case ini penulis memilih menggunakan seleuruh HD dengan menghapus semua pastisi yg ada (tekan d) kemudian pilih "a" untuk mematisi seluruh HD ke ufs. Jika selesai tekan q untuk keluar dari FDISK partition editor.
7. Setelah itu pilih Standart, karena saya tidak menggunakan boot manager (hanya ada satu OS saja).
8. Setelah itu akan kembali ke menu custom installation (no. 5)
9. Pilih "Label"
Pada sesi ini, kita akan melakukan labelling pada partisi kita yang secara utuh disebut /dev/ad0. Yang harus kita lakukan adalah membagi partisi freebsd yang ada ke dalam beberapa slice yaitu :
a. / (besarnya dikasih 512MB saja cukup)
b. swap (2 kali memori, kali memorinya 64MB kasih 128MB)
c. /var (kasih 512MB atau 1GB cukup)
d. /usr (sisa HD, minimal 2GB)
cara untuk create a s/d d dengan cara tekan "c", masukkan besar sizenya misal : 128MB, pilih FS. Untuk swap (point b) pilih menu swap. Setelah selesai tekan "q".
Sebenarnya ada cara mudahnya, yaitu dengan cara menekan "a", maka partisi akan dibagi secara otomatis oleh sistem, dan tinggal tekan "q" untuk menyimpan setting.
10. Setelah selesai akan kembali ke menu custom install (no. 5)
11. Pilih "Distribution"
Selanjutnya akan muncul banyak pilihan, pilih "minimal" dengan menekan space. Kemudian lanjutkan dengan memilih "Custom"
- pilih "ports" (digunakan untuk memudahkan instalasi software lain.
- pilih "src" -> pilih "sys" (dengan menekan space). kembali ke menu paling atas tekan "exit", lakukan exit lagi sampai anda kembali ke menu custom installation (nomer 5).
12. Pilih media, pilih dari cd
13. Pilih commit dan biarkan proses instalasi sampai selesai.

Setelah selesai instalasi, anda akan ditanya apakah akan kembali ke menu utama, pilih saja tidak dan keluarkan cd dari cdrom dan bootinglah dari HD.

Jika kesulitan dengan langkah instalasi ini, maka anda bisa memilih standar pada langkah 4. Disitu menu akan muncul berurutan tanpa select2 menu.

Kesimpulan :
Untuk instalasi sebenarnya ada 5 tahap utama :
1. Boot dari CD
2. Partisi hardisk
3. Partisi slice (membuat / (baca : root), swap, /usr dan /var)
4. Memilih apa saja yang akan di install
5. Proses Instalasi

Mudah kan? kan?... jangan keder dulu.. dicoba dulu deh. pasti mudah!
Bagi yang udah praktek dari postingan ini kasih komen ya? berhasil apa ngga..
Kali aja bisa sharing2.. ^_*

Pakai FreeBSD, merdeka jinjit wess!!...

Pengenalan FreeBSD

2009-01-12T11:57:00.003+07:00

FreeBSD merupakan sistem operasi bertipe Unix yang diturunkan dari UNIX AT&T lewat cabang Berkeley Software Distribution (BSD) yaitu sistem operasi 386BSD dan 4.4BSD.

Selain FreeBSD, OS lain yang berbasis BSD adalah NetBSD dan OpenBSD. Perbedaan dari ketiga OS tersebut simplenya seperti ini. Dilihat dari kelebihannya.

1. FreeBSD : mendukung byk 3rd party software dng semboyan "ready to serve".
2. OpenBSD : menitikberatkan pd security, dgn slogan canggihnya "secure by default".
3. NetBSD : Mendukung banyak hardware dan berbagai arsitektur.

Untuk sejarah lengkapnya bisa dibaca disini

Karena berbasis UNIX maka perintah-perintah dasarnya juga tidak jauh berbeda dengan Linux ataupun OS berbasis UNIX lainnya. Bagi yang telah menguasai Linux akan lebih mudah menguasai Freebsd, tapi buat yang belum bisa sama sekali jangan kecil hati. FreeBSD mudah koq..

FreeBSD lebih cocok dijadikan server daripada desktop. Untuk tampilan grafisnya ada X-Windows, support juga KDE dan GNOME.

Bagi yang ingin menginstall untuk desktop ada PCBSD, DragonFLY dan untuk versi livecd nya ada Freesbie.

Keuntungan memakai freebsd sebagai server ada buwanyakk sekali, diantaranya mudah, gratis(bisa di download langsung dr www.freebsd.org), secure, powerfull, mendukung patch dan update, disertai port dan package u/ memudahkan install software lain, disertai firewall, dan ada team yang akan selalu develop OS FreeBSD. Selain itu masih banyak kelebihan lainnya, tinggal di google aja! Banyak koq situs besar yang menggunakan FreeBSD, al : yahoo, sony japan, apache dll.
Selain itu freebsd juga digunakan sebagai OS di berbagai perangkat seperti Cisco, juniper, Apple dan NetApp.

demam test akhir 2008

2009-01-07T16:52:00.004+07:00

Akhir tahun 2008 merupakan bulan-bulan dimana penerimaan cpns di berbagai lembaga secara serentak. Dari yang universitas, pemerintahan, pemerintahan dan kuburan (kalau yang ini namanya Calon Pegawai Negeri Surga).

Dan sudah bisa ditebak, peserta ujiannya membludak. cukup bisa diambil kesimpulan kalo begitu banyak pengangguran di negeri yg terkenal akan produksi demo dan korupsi ini. Dari sekian banyak saya berpartisipasi sebanyak tiga kali dengan asas luber jurdil :P.

Bagi yang belum pernah mengikuti, sekedar info aja ujiannya meliputi test tulis TPU (test pengetahuan umum) yang memuat soal tentang sejarah, PPKN, Tata negara, Pancasila dan UUD. Sedangkan tes bakat skolastik meliputi ujian logika dan matematika, kemampuan membaca, bahasa inggris, tes kematangan dan sebangsa itu lah.
Sedangkan bagi lembaga yang mengadakan 2 kali penyaringan (kayak iklan minyak goreng aja..), test yang kedua adalah test tulis bidang yang diambil serta tes praktek. Untuk dosen tes prakteknya membuat RPP dan praktek mengajar.

Gagal = menyesal ?

2008-11-14T12:43:00.002+07:00

Apakah kau sedih kalau gagal dan menyesali segala sesuatu yang menyebabkan kegagalan itu?
Aku?
If u ask me, then i would say : There's always a bit unhappiness, but regret?.
what's a regret actually?. For me i don't think that i would regret on something, even actually i would. I always say to myself that there's no point in regretting.
I would rather say "Ganbare ..", i'll do my best to the next.

My friend's word will always console me "kesempatan tidak hanya datang sekali tapi berkali-kali.." hehehe..

Yoshh...

Firewall dan konsepnya di BSD

2008-10-09T09:53:00.001+07:00

Firewall merupakan fasilitas yang memungkinkan kita melakukan filter pada incoming dan outgoing traffik. Firewall bisa jadi memiliki lebih dari satu rule/aturan, rule ini dapat diterapkan untuk memeriksa karakterstik dari paket, jenis protokol, source & destination host serta source & destination port.

Apa keuntungan memakai firewall?
- Melindungi aplikasi, service dan komputer dari paket2 yang tidak diinginkan.
- Membatasi/memblok akses tertentu ke internet
- Melakukan masquarading atau lebih dikenal dgn NAT

Konsep firewall
Ada 2 cara untuk membuat rule : inclusive dan exclusive.

Exclusive firewall : mengijinkan seluruh traffik kecuali traffik yg cocok dgn rule yg telah dipasang.
Inclusive firewall : mengijinkan traffik yang cocok dengan rule yg telah dipasang dan memblok selain itu.

Security dpt ditingkatkan dgn “stateful firewall”. Dgn sebuah stateful firewall, firewall akan terus memantau jalur mana yg terbuka melalui firewall dan hanya akan melewatkan traffik melalui jalur yang cocok dengan jalur yg ada atau membuka sebuah jalur baru.

Ada beberapa pilihan firewall di FreeBSD :
1. IPFW (ipfirewall)
2. IPF (ipfilter)
3. PF (packet filter) - merupakan firewall bawaan openbsd yg telah di port ke FreeBSD mulai versi 5.3

Bahasan mengenai masing2 firewall akan dilanjutkan pada posting berikutnya...

Nonton beskop

2008-10-08T18:19:00.003+07:00

Kata arek2 malang, ga ada tuh yg namanya bioskop.. adanya beskop..
Ntar abis isya mo refreshing, setelah dapat kompor dari om Dedi ples udah baca bukunya Laskar pelangi, mupeng deh pgn liat. Puasa kmr udah diajak si sama temen2, cuman males.
Nah sekarang mumpung badan pegel linux dan otak agak anget2 kuku, lets goo...!!

Happy Ied Fitri

2008-09-26T07:34:00.004+07:00

Selamat hari raya ied Fitri.
Minal Aidzin Wal Faidzin.
Mohon maaf lahir dan batin.

round robin vs loadbalance part 1

2008-09-20T19:51:00.002+07:00

Hari ini hari yang melelahkan, setelah seharian muter2 dan merubah router u/ memanage beberapa link yang sebelumnya memakai metode loadbalace memakai OS mikrotik terpaksa harus migrasi ke metode round robin dengan OS Freebsd.

Masih bingung apa itu load balance, round robin, robin hood.. dll :P. Berikut sedikit kutipan yg saya ambil dari blognya Pak Jay

Dua koneksi
Permasalahan umumnya muncul di sini, saat sebuah router mempunyai dua koneksi ke internet (sama atau berbeda ISP-nya). Default gateway di router tetap hanya bisa satu, ditambah pun yang bekerja tetap hanya satu. Jadi misal router NAT anda terhubung ke ISP A melalui interface A dan gateway A dan ke ISP B melalui interface B dan gateway B, dan default gateway ke ISP A, maka trafik downlink hanya akan datang dari ISP A saja. Begitu juga sebaliknya jika dipasang default gateway ke ISP B.
Bagaimana menyelesaikan permasalahan tersebut?
Konsep utamanya adalah source-address routing. Source-address routing ibaratnya anda dicegat di persimpangan oleh polisi dan polisi menanyakan “anda dari mana?” dan anda akan ditunjukkan ke jalur yang tepat.

Pada router NAT (atau router pada umumnya), source-address secara default tidak dibaca, tidak dipertimbangkan. Jadi pada kasus di atas karena default gateway ke ISP A maka NAT akan meneruskan paket sebagai paket yang pergi dari IP address interface A (yang otomatis akan mendapat downlink dari ISP A ke interface A dan diteruskan ke jaringan dalam).

Dalam jaringan yang lebih besar (bukan NAT), source-address yang melewati network lain disebut sebagai transit (di-handle dengan protokol BGP oleh ISP). Contoh praktis misalnya anda membeli bandwidth yang turun dari satelit melalui DVB, namun koneksi uplink menggunakan jalur terestrial (dial-up, leased-line atau fixed-wireless). Dalam kasus ini paket inisiasi koneksi harus menjadi source-address network downlink DVB, agar bandwidth downlink dari internet mengarah DVB receiver, bukan ke jalur terestrial.
Di lingkungan Linux, pengaturan source-address bisa dilakukan oleh iproute2. Iproute2 akan bekerja sebelum diteruskan ke table routing. Misal kita mengatur dua segmen LAN internal agar satu segmen menjadi source-address A dan satu segmen lainnya menjadi source-address B, agar kedua koneksi ke ISP terutilisasi bersamaan.

Penerapan utilisasi dua koneksi tersebut bisa mengambil tiga konsep, yaitu round-robin, loadbalance atau failover.

1. Round-robin
Misalkan anda mempunyai tiga koneksi internet di satu router NAT, koneksi pertama di sebut Batman, koneksi kedua disebut Baskin dan koneksi ketiga disebut Williams, maka konsep round-robin adalah sang Robin akan selalu berpindah-pindah secara berurutan mengambil source-address (bukan random). Misal ada satu TCP session dari komputer di jaringan internal, maka koneksi TCP tersebut tetap di source-address pertama hingga sesi TCP selesai (menjadi Batman & Robin). Saat TCP session Batman & Robin tersebut belum selesai, ada ada request koneksi baru dari jaringan, maka sang Robin akan mengambil source-address koneksi berikutnya, menjadi Baskin & Robin. Dan seterusnya sang Robin akan me-round-round setiap koneksi tanpa memperhatikan penuh atau tidaknya salah satu koneksi.

Pasti anda sedang pusing membaca kalimat di atas, atau sedang tertawa terbahak-bahak.

2. Loadbalance
Konsep loadbalance mirip dengan konsep round-robin di atas, hanya saja sang Robin dipaksa melihat utilisasi ketiga koneksi tersebut di atas. Misalkan koneksi Batman & Robin serta Baskin & Robin sudah penuh, maka koneksi yang dipilih yang lebih kosong, dan koneksi yang diambil menjadi Robin Williams. Request koneksi berikutnya kembali sang Robin harus melihat dulu utilisasi koneksi yang ada, apakah ia harus menjadi Batman & Robin, Baskin & Robin atau Robin Williams, agar semua utilisasi koneksi seimbang, balance.

3. Failover
Konsep fail-over bisa disebut sebagai backup otomatis. Misalkan kapasitas link terbesar adalah link Batman, dan link Baskin lebih kecil. Kedua koneksi tersebut terpasang online, namun koneksi tetap di satu link Batman & Robin, sehingga pada saat link Batman jatuh koneksi akan berpindah otomatis ke link Baskin, menjadi Baskin & Robin hingga link Batman up kembali.

Nah setelah saya implementasikan, ternyata gampangnya gini. Anggap saja kita punya 2 jalur ke internet, jika menggunakan metode :
1. round robin : maka koneksi ke internet akan memakai kedua jalur tersebut secara bergantian, jadi kedua link akan terpakai hampir sama besar.
2. loadbalance : maka koneksi ke internet akan memakai jalur 1, baru setelah jalur satu penuh maka jalur ke 2 bisa digunakan.

Nah,.. dengan kebutuhan yang ada saat ini ternyata lebih cocok menggunakan metode round robin, koneksi jadi lebih wuzz wuzz..

Setting Router
Install minimal FreeBSD (penulis menggunakan FreeBSD 6.3) dgn memilih sys pada option src dan tambahkan port untuk memudahkan instalasi 3rd party software.

Aktifkan PF, IPFW, dan IPFILTER (sebenarnya PF cukup, tapi tidak ada salahnya install fitur2 tsb u/ kebutuhan2 ttt), sshd, enable_gateway.

Install mtr, ifstat, net-snmpd & mrtg, tcptrack, trafshow, lynx, apache, kesemuanya adalah tool u/ monitoring.. sangat2 berguna.

Sementara itu dulu, detailnya instalasi step by step nya akan saya bahas next aja.. skr meski baru jam 8 lebih dah capek beratttt...cawwww!...

Linux lagi

2008-08-29T18:24:00.005+07:00

Berikut beberapa istilah yang sering digunakan di linux, beberapa istilah berikut juga sering digunakan di unix based OS.

Kernel The kernel is a program that constitutes the central core of a computer operating system. It has complete control over everything that occurs in the system.

kernel can be contrasted with a shell (such as bash, csh or ksh in Unix-like operating systems), which is the outermost part of an operating system and a program that interacts with user commands. The kernel itself does not interact directly with the user, but rather interacts with the shell and other programs as well as with the hardware devices on the system, including the processor (also called the central processing unit or CPU), memory and disk drives

file system?

a file system (sometimes written filesystem) is the way in which files are named and where they are placed logically for storage and retrieval. The DOS, Windows, OS/2, Macintosh, and UNIX-based operating systems all have file systems in which files are placed somewhere in a hierarchical (tree) structure. A file is placed in a directory (folder in Windows) or subdirectory at the desired place in the tree structure.

File systems specify conventions for naming files. These conventions include the maximum number of characters in a name, which characters can be used, and, in some systems, how long the file name suffix can be. A file system also includes a format for specifying the path to a file through the structure of directories.

what is mutiuser?

computer systems that support two or more simultaneous users. All mainframes and minicomputers are multi-user systems, but most personal computers and workstations are not. Another term for multi-user is time sharing.

what is GUI?

A graphical user interface (GUI) is a human-computer interface (i.e., a way for humans to interact with computers) that uses windows, icons and menus and which can be manipulated by a mouse (and often to a limited extent by a keyboard as well).

GUIs stand in sharp contrast to command line interfaces (CLIs), which use only text and are accessed solely by a keyboard. The most familiar example of a CLI to many people is MS-DOS. Another example is Linux when it is used in console mode (i.e., the entire screen shows text only).

Linux filesystem types?

minix, ext, ext2, ext3, xia, msdos, umsdos, vfat, proc, nfs, iso9660, hpfs, sysv, smb, ncpfs

what is fdisk?

The program Microsoft operating systems MS-DOS and non-NT versions of Windows use to create partitions on hard drives. Technically, the program is called fdisk.exe. It uses a text-based interface. Windows 95b first added support for FAT-32 partitions into fdisk. Before that it only supported partitions up to 2 GB using FAT-16. This is also a slang term for wiping a drive out completely, as in "I'm going to F-Disk this drive if Windows crashes one more time!" There are several non-Microsoft equivalents to fdisk, but all serve similar purposes--to allow partitioning of hard disk drives.

what is shell in linux?

A shell is a program that provides the traditional, text-only user interface for Unix-like operating systems. Its primary function is to read commands that are typed into a console (i.e., an all-text display mode) or terminal window (an all-text window) in a GUI (graphical user interface) and then execute (i.e., run) them.

The term shell derives its name from the fact that it is an outer layer of an operating system. A shell is an interface between the user and the internal parts of the operating system (at the very core of which is the kernel).

what is lilo?

Lilo means last in last out . LILO is a versatile boot loader for Linux. It does not depend on a specific file system, can boot Linux kernel images from floppy disks and hard disks, and can even boot other operating systems. One of up to sixteen differernt images can be selected at boot time. Various parameters, such as the root device, can be set indepenantly for each kernel. LILO can even be used as the master boot record.

What is Grub?

Grand Unified Bootloader (GRUB)” .A small software utility that loads and manages multiple operating systems (and their variants).

Where Is the Latest Kernel Version on the Internet?

The easiest way to update your kernel is to get the update directly from the distribution which you are running.
If you need or want to configure and compile your own kernel, the web page at http://www.kernel.org/ lists the current versions of the development and production kernels.

What is FSCK?

fsck - check and repair a Linux file system.
fsck is used to check and optionally repair one or more Linux file systems. filesys can be a device name (e.g. /dev/hdc1, /dev/sdb2), a mount point (e.g. /, /usr, /home), or an ext2 label or UUID specifier (e.g.UUID=8868abf6-88c5-4a83-98b8-bfc24057f7bd or LABEL=root). Normally, the fsck program will try to handle filesystems on different physical disk drives in parallel to reduce the total amount of time needed to check all of the filesystems.

If no filesystems are specified on the command line, and the -A option is not specified, fsck will default to checking filesystems in /etc/fstab serially. This is equivalent to the -As options.

what is partition?

A partition is a section of a hard disk. When you format a hard disk, you can usually choose the number of partitions you want. The computer will recognize each partition as a separate disk, and each will show up under "My Computer" (Windows) or on the desktop (Macintosh).

What is a boot loader?

Most simply, a boot loader loads the operating system. When your machine loads its operating system, the BIOS reads the first 512 bytes of your bootable media (which is known as the master boot record, or MBR). You can store the boot record of only one operating system in a single MBR, so a problem becomes apparent when you require multiple operating systems. Hence the need for more flexible boot loaders.

The master boot record itself holds two things -- either some of or all of the boot loader program and the partition table (which holds information regarding how the rest of the media is split up into partitions). When the BIOS loads, it looks for data stored in the first sector of the hard drive, the MBR; using the data stored in the MBR, the BIOS activates the boot loader.

What is PAM?
(Pluggable Authentication Modules) A programming interface that enables third-party security methods to be used in Unix. For example, smart cards, Kerberos and RSA technologies can be integrated with various Unix functions such as rlogin, telnet and ftp.

What is default shell in linux?
Most of the Linux Distributions default shell is bash shell

sek males nerjemahno

Cerita skripsi

2008-08-29T17:25:00.004+07:00

Sejarah skripsiku dimulai dengan pertanyaan2 setengah penting ke para dosen yang kutemui. Pak skripsinya koq di perpus rata2 coding sih? emang yg networking atau yg sejenis gtu gak boleh tah?. La memangnya kamu maunya apa?. Aku mulai berorasi semangat 45 mengutarakan ide2ku. Tapi...... koq dosennya kayaknya ga respon, apa bukan bidangnya atau gimana ya. -sigh-

Walhasil aku memutar otak, mutar stang, belok kanan, rem depan, gas poll. Cling! aku baru ingat kalau beberapa waktu lalu udah install FTP server memakai PureFTPD dan databasenya kan pakai mysql.

Tring2.. ;;)
Tercetus ide u/ membuat sistem informasi yg mengelola seluruh data pelanggan FTP hosting mulai dari data account, data pembayaran, data pelanggan, paket FTP, reset password dll.. Pokok intinya manajemen pelanggan ftp hosting lah. Bayangin aja kayak sistem untuk mengelola account di rapidshare atau gudang upload gtu... cieh.. sok mboisnya diriku.

Akhirnya gerilya dimulai, melalui jalan berliku-liku tapi lewat tol hehe..
Judul skripsiku mungkin kurang mbois ya.. Sistem Informasi Administrasi Pelanggan FTP Hosting...dst2..

Alhamdulillah sudah diuji dan yudisium tanggal 16 Agustus kemarin sudah diketik oleh sayuti melik dan disahkan atas nama bangsa indonesia.. Soekarno Hatta..ralat2!! pemirsa.. diuji oleh dosen2 kampusku lah dan disahkan oleh kampus kalo aq LULUS.

Tapi.. ijasah masih belum ditangan.. harus bayar 750K u/ ambil ijasah, itu uang wisuda dan tetek bengeknya.. cedih..bokek..

Debian Overview

2008-08-22T08:46:00.002+07:00

Debian merupakan salah satu distro (distibution) dari Linux. Linux merupakan sebuah Free OS berbasis Unix yang ditemukan oleh Linus T.

Linux mempunyai 4 komponen utama :
1. Kernel
2. Managemen File
3. GUI
4. Multi user

Debian ditemukan th 1993 oleh Ian Murdock, mahasiswa Purdue University, yang menulis the Debian Manifesto yang disebut sebagai kreasi distro linux u/ dimantain scr open dengan semangat Linux dan GNU. Nama debian diambil dari nama Ian dan nama pacarnya Debra yang akhirnya dimekso2kan menjadi debian.

Debian terbaru adalah etch (saat penulis posting tulisan ini). Sebelum etch ada sarge,woody,potato dll. Penamaan tersebut merupakan code untuk versi debian agar mudah diingat, misalnya untuk sarge (debian 3.1), woody untuk debian 3.0 dll. Kalau di freebsd penamaanya ya udah langsung aja sebut freebsd 5.4, freebsd 7.0 dst tidak ada codename2.

Untuk hardware2 yang didukung oleh debian bisa dilihat di sini

Sekian dulu untuk postingan kali ini. Postingan selanjutnya insya Allah masih tentang debian juga.

Artikel di terjemahkan secara bebas oleh penulis dari : http://debianhelp.co.uk/

Mencari tahu distribusi (distro) Linux box

2008-08-20T16:51:00.002+07:00

Sebenarnya udah agak lama aku nyari perintah di linux untuk mengetahui jenis ditro yang digunakan, karena beda dengan freebsd yg kalau di uname -a langsung deh kliatan freebsd versi brapa stable atau release dll. coba nih bandingkan

uname -a pada FreeBSD :

FreeBSD 6.2-RELEASE-p1 #0: Tue Feb 27 17:40:07 WIT 2007 root@gateway.net:/usr/src/sys/i386/compile/ROUTER i386

uname -a pada pada unknown linux box :

Linux cobanet 2.6.21.5-smp #2 SMP Tue Jun 19 14:58:11 CDT 2007 i686 Intel(R) Pentium(R) D CPU 2.66GHz GenuineIntel GNU/Linux

Nah kan.. bagi saya yang kurang familier dengan linux apalagi versi kernel2nya.. susah juga.

Setelah tanya sini situ, ternyata bisa dicoba dengan cara
# more /etc/issue

Tapi pada linux box yg saya test keluarnya gini :

root@cobanet:~# more /etc/issue
Welcome to \s \r (\l)

Saya masih penasaran, akhirnya googling dannnnn alhamdulillah ketemu scriptnya, ini nih scriptnya :

#!/bin/ksh

system=`uname -s| tr 'A-Z' 'a-z'`

cputype=`uname -m`

for rfile in \
SuSE-release \
redhat-release \
redhat_version \
gentoo-release \
fedora-release \
turbolinux-release \
mandrake-release \
mandrakelinux-release \
debian_version \
debian_release \
knoppix-version \
yellowdog-release \
slackware-version \
slackware-release \
conectiva-release \
mandriva-release \
immunix-release \
tinysofa-release \
trustix-release \
adamantix_version \
yoper-release \
arch-release \
libranet_version \
va-release \
; do
if [ -r /etc/$rfile ] ; then
distro=$(echo $rfile | \
tr 'A-Z' 'a-z' | \
sed -e 's/[_-]$release\|version$$//')
if [ "$distro" = "va" ] ; then distro=va-linux; fi
break
fi
done

case "$distro" in
suse)
if grep -q Enterprise /etc/SuSE-release ; then
release=SLES
version=$(egrep 'VERSION' /etc/SuSE-release | \
sed -e 's/ *VERSION *= *//')-pl$(egrep 'PATCHLEVEL' \
/etc/SuSE-release | sed -e 's/ *PATCHLEVEL *= *//')
else
release=SuSE
version=$(egrep 'VERSION' /etc/SuSE-release | \
sed -e 's/ *VERSION *= *//')
fi
;;
redhat)
# First part of red hat release is everything before 'release'
release=$(sed -e 's/ release.*$//' /etc/redhat-release | \
sed -e 's/[^A-Z]//g')
# Second part of red hat release is numbers after 'release'
version=$( sed -e 's/^.* release//' /etc/redhat-release | \
sed -e 's/[^0-9]//g' | \
sed -e 's/$[0-9]$$[0-9]$/\1.\2/g')
;;
esac

# CPU info from /proc/cpuinfo
set -A model_info \
$(grep 'model name' /proc/cpuinfo | \
uniq | \
tr 'A-Z' 'a-z' | \
perl -wn -e \
's/\s*model\s*name\s*:\s*//go; s/$(tm|r)$//go; s/\s*(processor|cpu)//go; print;')
cpuvendor=${model_info[0]}
cpumodel=${model_info[1]}
cpuspeed=${model_info[2]}

# GLIBC info:
glibc=$(rpm -qv glibc|uniq)

printf "$system $cputype $cpumodel $distro $release-$version $glibc $cpuvendor $cpuspeed\n"

iklan odol...

2008-08-13T17:06:00.002+07:00

Tau kan iklan odol *ups sebut merk*, maksud saya iklan pasta gigi yang ada gelembung2 di pasar dan akhirnya cowok n ceweknya ketemu. Nah, saya suka lagunya :P.
Mirip2 sama lagunya coldplay yang ini, mantap!. Coldplay, grup musik yang saya suka setelah scorpions ^_^. Sementara ini scorpion numero uno, dan coldplay number one. loh?? :P

Lights go out and I can't be saved
Tides that I tried to swim against
You've put me down upon my knees
Oh I beg, I beg and plead (singing)
Come out of things unsaid, shoot an apple off my head (and a)
Trouble that can't be named, tigers waiting to be tamed (singing)
You are, you are

Confusion never stops, closing walls and ticking clocks (gonna)
Come back and take you home, I could not stop, that you now know (singing)
Come out upon my seas, curse missed opportunities (am I)
A part of the cure, or am I part of the disease (singing)

You are [x6]
And nothing else compares
Oh no nothing else compares
And nothing else compares

You are [continues in background]
Home, home, where I wanted to go [x4]

Lo kan.. La konn...

2008-07-23T18:32:00.001+07:00

La kon seneng tah dike'i wong terus-terusan?
Gak pingin tah ngeke'i wong?

Tambah HD di FReeBSD

2008-06-16T18:40:00.002+07:00

Ceritanya berawal dari instalasi server yang menggunakan 2HD. Kedua HD merk sigit tsb terpasang di IDE 1, sbg juragan dan pembantu alias master n slave.
Di FreeBSD dikenal sbg ad0 dan ad1. ad0 saya install OS FreeBSD sedangkan ad0 tidak ada OS nya, hanya partisi data saja.

Jreng.. jreng.. takdir berkata lain, baru semalam dipasang ternyata ngadat hihi..
setelah cek sana sini sono ternyata HD satunya gak berezzz. Untung aja hd yg tak partisi sbg data, bukan OS e.. lek OS e lak ndomblong aq nginstall maneh... :P

Akhirnya pasang HD baru, tp HD yg kedua gak tak jadiin pembantu. Smua tak jadiin master biar adil. Nah.. berhubung HD pengganti ini partisinya masih NTFS, maka perlu qta partisi ulang, dilabel trus di mount biar terbaca di OS ku.
Begini loh caranya yg cepet :

- ketik sysinstall u/ FreeBSD versi 6 ke atas, untuk v.5 kebawah ketik /stand/sysinstall.
- pilih configure - partition
- delete semua partisi (d) - ketik a - ketik w, kalau ada komentar pilih yes aja wes - ketik q untuk finish
- untuk pilihan instalasi MBR, pilih "none".
- pilih label
- ketik c - jika ingin dijadikan satu partisi jangan edit angka yg ada - kemudian pilih "file system" ketikkan nama mount pointnya, misal : /data
ketik w - pilih "yes"
- ketik q untuk finish

Nah, belum selesai kare di /etc/fstab belum ada mounting pointnya :P
tinggal tambahkan aja :
# Device Mountpoint FStype Options Dump Pass#
/dev/ad2s1d /data ufs rw 2 2

Selesai.

Untuk mode text ada juga caranya :

# fdisk -BI /dev/ad2
# bsdlabel -w -B ad2s1d
# bsdlabel ad2s1d
# newfs /dev/ad2s1d
# bsdlabel -e ad2s1d
# mount /dev/ad2s1d /data

Jgn lupa tambahkan mountingnya di /etc/fstab

^___^

Samba tidak hanya di Brazil :P

2008-06-07T21:13:00.000+07:00

Siapa bilang samba itu khas brazil? buktinya di sini ada samba terasi.. samba goreng ati :P.

Bismillah, kita mulai buat sambal..

# cd /usr/ports/net/samba
# make install clean
# cd /usr/ports/security/samba-vscan (saya pakai clamd)
# make install clean

File konfigurasi samba ada di /usr/local/etc/smb.conf
Mari kita edit file konfigurasinya :

log file = /var/log/samba/log.%m
log file = /var/log/Samba-%m.log

[global]
workgroup = grupkerjo
security = share
server string = Data Server
#local master = yes
#os level = 65
#domain master = yes
#preferred master = yes
#null passwords = no
#hide unreadable = yes
hide dot files = yes

[data]
comment = Iki loh mek komentar, gak ngaruh opo².. sumpah!
browseable = yes
writable = yes
path = /data/home/
security = USER
encrypt passwords = yes
smb passwd file = /usr/local/etc/samba/smbpasswd
username map = /etc/passwd

[umum]
comment = %h Shared Public Directory
path = /data/umum/
force directory mode = 0777
force create mode = 0777
force group = nobody
force user = nobody
public = yes
writeable = yes
read only = no
vfs object = vscan-clamav
vscan-kavp: config-file = /usr/local/etc/samba-vscan/vscan-clamav.conf

Ket :
Jika kita mengakses server samba, anggap saja ipnya 10.11.12.13, maka akan ada 2 folder yaitu data dan umum. Untuk umum bisa diakses tanpa ada login, sedangkan u folder data akan muncul login.

Cara create login adalah dgn adduser di OS, misalkan usernamenya runia.
Lanjutkan dengan create login tsb u/ samba.
# smbpasswd -a runia

Nahh.. selanjutnya adalah pengalaman yg simple tapi sebel :))
Ceritanya, dari windows itu kalau mau ngakses ke folder samba yg kita kasih password kan usernamenya selalu default dgn login sewaktu kita masuk windows..(biasanya sih Guest).

Untuk meyiasatinya, akses folder kita - klik kanan - map work drive. NAH! klik pada pilihan "login as different user". Masukkan login kita, misal runia disertai passwordnya...

Selamat mencoba.. dan selamat tidur.. aku ngantukk

Instalasi squidguard

2008-04-04T14:31:00.001+07:00

Install BerkeleyDB

cd /downloads
fetch http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz
tar xzvf db-4.3.28.NC.tar.gz
cd db-4.3.28.NC
cd build_unix
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
cd ..
cd ..
cd /usr/local/BerkeleyDB/lib
cp * /usr/local/lib
cd /usr/local/BerkeleyDB/include
cp * /usr/local/include

fetch http://www.squidguard.org/squidGuard-1.2.0.tar.gz
tar -xzvf squidGuard-1.2.0.tar.gz
cd squidGuard-1.2.0
./configure
make
make test
make install

buat directory
/usr/local/squidGuard/log
cd /usr/local/squidGuar/
fetch http://squidguard.mesd.k12.or.us/blacklists.tgz
tar -xzvf blacklist.tgz
mv blacklist db
chown -R squid:squid db

buat file
ee /usr/local/squidGuard/squidguard.conf

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
dest ads {
domainlist ads/domains
urllist ads/urls
}

dest drugs {
domainlist drugs/domains
urllist drugs/urls
}

dest gambling {
domainlist gambling/domains
urllist gambling/urls
}

dest hacking {
domainlist hacking/domains
urllist hacking/urls
}

dest porn {
domainlist porn/domains
urllist porn/urls
}

dest redirector {
domainlist redirector/domains
urllist redirector/urls
}

dest spyware {
domainlist spyware/domains
urllist spyware/urls
}

dest violence {
domainlist violance/domains
urllist violance/urls
}

dest white {
domainlist white/domains
urllist white/urls
}

acl {
default {
pass white !ads !drugs !gambling !hacking !porn !redirector !spyware !violence all
redirect http://localhost/block.html
}
}

Tambahkan baris berikut pada squid.conf
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidguard.conf

Jalankan squidguard
/usr/local/bin/squidGuard -c /usr/local/squidGuard/squidguard.conf
dan restart squid
/squid/sbin/squid -k reconfigure

Don't be sad.. be optimist!

2008-03-26T18:41:00.004+07:00

Ia berkata : "Ya Tuhanku, sesungguhnya tulangku telah lemah dan kepalaku telah ditumbuhi uban, dan aku belum pernah kecewa dalam berdo'a kepada Engkau, ya Tuhanku. (QS : 19:4)

Kekuatan sebuah do'a dan keyakinan akan pertolongan dari Tuhan yang Maha memiliki dan Maha berkehendak adalah bukti tawakal seorang hamba. Seperti kutipan do'a nabi Zakariya di atas. Semoga dapat kita ambil hikmahnya dan yakinlah bahwa setiap masalah pasti ada jalan keluarnya. Kalo ngga ada yah bisa pakai tangga darurat yang ada plangnya EXIT itu lohh.. :P..

copy file otomatis

2008-03-25T12:53:00.003+07:00

Barusan iseng2 bantu teman bikin script pengcopyan file dgn kondisi tertentu. Berikut scriptnya :

# ee /etc/duplikat
cd /home/rahma/coba
lastfile=$(ls -rt | egrep -v '^d' | tail -20)
for file in $lastfile
do
echo $file
cp $file /home/rahma/coba2
done

Script diatas adalah script yang akan menjalankan duplikasi 20 file terbaru dari folder coba ke folder coba2.
Tinggal di pasang di crontab dan dijalankan sesuai dengan waktu yang diinginkan ^^.

Injury Time

2008-03-07T06:14:00.001+07:00

Besok hari terakhir jadi orang kantoran...
Yup, saya resign, setelah disana lumayan lama.
Waktu bilang ke ortu, It's OK! asalkan kuliahku cepat selesai ^^.
Malah bapak sempat bilang, nanti kalau sudah dpt ijasah suruh memperdalam bhs inggris n cari beasiswa ke LN. Bapak yang aneh..:P harusnya kan disuruh cepat² nikah, koq malah suruh sekolah lagi. But gpp sich, kalau sama Allah dikasih kesempatan pasti kuwujudkan impianmu pak! I'll try my best for you two!

Bye.. bye my opis.. banyak suka.. banyak duka.. banyak pengalaman dan pelajaran disana...Bye bye nokia 2255, bye wireless.. bye meja pojok dekat jendela ^_^

Saatnya memulai yang baru dengan lebih baik. BISMILLAH....

Captive portal dgn apache-ssl & chillispot

2008-03-06T21:14:00.000+07:00

Postingan ini repost, berhubung yang dulu belum selesai dan kebetulan ada teman yang lagi pusing² mau nyoba captive portal ini. Kita mulai aja ya,.. *baca bismillah*

SESI KONFIGURASI HARDWARE

# ee /usr/src/sys/i386/conf/kernelku

Edit file kernelku, untuk firewall terserah tapi untuk device tun wajib, fadhu ain!

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFILTER
options IPDIVERT (jika natnya nanti menggunakan NATD)
options DUMMYNET
options TCP_DROP_SYNFIN
device tun

simpan dan building kernel
# config kernelku
Kernel build directory is ../compile/kernelku
Don't forget to do a ``make depend''
# cd ../compile/kernelku
# make depend && make && make install && reboot

Ok, urusan kernel selesai, pastikan kita memiliki 2 NIC. Untuk NIC yang terhubung ke internet silahkan diconfig, sedangkan untuk yang terhubung ke AP(Wireless device) jangan diberi ip. Berikut contohnya :

# ifconfig
rl0: flags=8802 mtu 1500 options=8 ether 00:0e:2e:cb:3c:bb media: Ethernet autoselect
media: Ethernet autoselect (100baseTX ) status: active

xl0: flags=8843 mtu 1500 options=9 inet 203.134.232.20 netmask 0xffffffc0 broadcast 203.134.232.63 inet6 fe80::2b0:d0ff:fe4b:af9%xl0 prefixlen 64 scopeid 0x2 ether 00:b0:d0:4b:0a:f9 media: Ethernet autoselect (100baseTX ) status: active

Untuk AP (Access Point) setting saja ssidnya, Modenya mode Access Point dan IPnya terserah (ip defaultnya ga masalah) yang penting client bisa konek ke AP kita. jangan aktifkan dhcpnya karena nanti chilli yang akan memberi ip ke client yang konek.

SESI MUMETISASI

Ok Urusan hardwarenya selesai, sekarang mulai proses instalasi software2 yang dibutuhkan :

download source file openssl openssl-0.9.8e dan ekstrak
./config
make && make test && make install

download source file apache httpd-2.2.3 dan ekstrak
./configure --prefix=/usr/local/apache --enable-ssl --with-ssl=/usr/local/ssl
make && make install

Untuk mengaktifkan ssl di httpd bisa di link ini http://www.dev411.com/wiki/Installing_Apache2_SSL

Untuk instalasi radius, ikuti petunjuk di postingan saya yang ini (mysql harus terinstall ya)

download source file chillispot-1.0 dan ekstrak
./configure
make && make install

# ee /usr/local/apache/conf/httpd.conf (setting directory cgi & ssl saya sbb:)
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
Include conf/extra/httpd-ssl.conf

# ee /usr/local/apache/conf/extra/httpd-ssl.conf
Listen 443
DocumentRoot "/data"
ServerName 192.168.182.1
ServerAdmin noc.spin.net.id
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

# cp /usr/local/share/chillispot/hotspotlogin.cgi /usr/local/www/cgi-bin/
# cp /usr/local/share/chillispot/chilli.conf /etc/chilli.conf

Saya anggap instalasi freeradius dan mysqlnya sudah terinstall dan berhasil.
Untuk chilli, konfigurasinya ada di /etc/chilli.conf, setting sbb :
net 192.168.182.0/24
dynip 192.168.182.0/24
statip 192.168.182.0/24
dns1 203.134.239.153
dns2 203.134.232.3
radiuslisten 203.134.232.20
radiusserver1 203.134.232.35 (ip dimana radius server terinstall)
radiusserver2 203.134.232.35 (ip dimana radius server terinstall)
radiusauthport 1812
radiusacctport 1813

# TAG: radiussecret
# Radius shared secret for both servers
# For all installations you should modify this tag.
radiussecret testing123
# password radius ada di /usr/local/etc/raddb/clients.conf

dhcpif rl0
# nama interface yang terhubung ke wireless device

# Universal access method (UAM) parameters
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamhomepage http://192.168.182.1/welcome.html
uamsecret ht2eb8ej6s4et3rg1ulp
uamport 3990
uamallowed 192.168.182.1,203.134.232.20,203.134.232.35,203.134.232.3,203.134.239.153

# ee /usr/local/apache/cgi-bin/hotspotlogin.cgi
$uamsecret = "ht2eb8ej6s4et3rg1ulp";
$userpassword=1;

Uam secret pada chilli.conf dan hotspotlogin.cgi harus sama.
Untuk directory web saya terletak di /data dan saya create welcome.html disana dengan isi sbb :

Click Here For Login

Aktifkan ipnat di /etc/defaults/rc.conf kemudian tambahkan baris berikut di file konfigurasi ipnatnya.
# ee /etc/ipnat.rules
map rl0 192.168.182.0/24 -> 203.134.232.20/32

OK, jika sudah selesai semua, jalankan chillinya sbb :
# chilli --fg -c /etc/chilli.conf &
Hasil ifconfig sbb :

rl0: flags=8843 mtu 1500
options=8
inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.255
inet6 fe80::20e:2eff:fecb:3cbb%rl0 prefixlen 64 scopeid 0x1
ether 00:0e:2e:cb:3c:bb
media: Ethernet autoselect (100baseTX )
status: active

xl0: flags=8843 mtu 1500
options=9
inet 203.134.232.20 netmask 0xffffffc0 broadcast 203.134.232.63
inet6 fe80::2b0:d0ff:fe4b:af9%xl0 prefixlen 64 scopeid 0x2
ether 00:b0:d0:4b:0a:f9
media: Ethernet autoselect (100baseTX )
status: active

tun0: flags=8051 mtu 1500
inet6 fe80::20e:2eff:fecb:3cbb%tun0 prefixlen 64 scopeid 0x4
inet 192.168.182.1 --> 192.168.182.1 netmask 0xffffff00
Opened by PID 42197

Selamat mencoba dan jangan menyerah ya.. saya juga butuh berhari-hari koq nguplek² ini dan alhamdulillah berhasil.. tapi akhirnya ngga dipakai... asem! :P

Dari Outlook Express menuju Thunder Bird

2008-03-05T20:03:00.000+07:00

Berhubung ada suatu hal, maka saya harus migrasi semua mail² saya yang sekarang ini pakai Outlook Xpress ke Thunder Bird. Emailnya buwanyakkk bok.. ribuan deh.. maklum email dari jaman gak enak dulu sampai jaman tambah ga enak masih ada..

Setelah coba mencoba.. lagi.. kau mencoba... *koq jadi lagu dangdut?*
Ternyata cara paling mudah adalah dengan cukup mengcopy folder dimana database email disimpan (.dbx) oleh OE dan mengimportnya ke TB.

Letak folder di OE bisa dicek dengan cara klik tool - option - pada tab maintenance - nahh disitu ada store folder kan? ya disitu letaknya... Kalau TBnya di lain PC tinggal copy aja isi folder tsb dan paste ke PC tujuan. Selanjutnya buka TB klik menu tool - import - pilih mail - pilih OE dan arahkan ke folder dimana database email berada - klik Ok..

Selesai deh... kalau email kamu ribuan ya tinggal aja ngopi² dulu :P.

Innodb di mysql

2008-03-05T14:42:00.000+07:00

Innodb?
Saya juga barusan tahu koq, berikut ini kutipan mengenai innodb (diambil dari sini & tambahan untuk setting di mysql ver 5 saya yg terinstall di FreeBSD 5.4).

Tipe database di MySQL secara default adalah MyIsam, selain itu mysql juga mendukung untuk tipe database InnoDB dan BerkeleyDB. Database tipe InnoBD supports transactions, row-level locking, dan foreign keys. Membuat tabel tipe InnoDB sama saja dengan MyISAM, cuma ada sedikit perbedaan pada tipe ENGINE yang digunakan.
Contohnya:
CREATE TABLE parent (id INT NOT NULL, PRIMARY KEY (id)) ENGINE=INNODB;
CREATE TABLE child (id INT, parent_id INT, INDEX par_ind (parent_id), FOREIGN KEY (parent_id) REFERENCES parent(id) ON DELETE CASCADE) ENGINE=INNODB;

jika tidak menuliskan ENGINE=INNODB maka tipe tabel yang terbentuk adalah MyISAM.
ON DELETE CASCADE maksudnya apabila ada record di tabel parent yang dihapus maka pada tabel child record yang terkait dengan record parent akan ikut terhapus juga.Terdapat berbagai macam option-option lainnya seperti : ON DELETE RESTRICT, ON UPDATE CASCADE, dll yang bisa digunakan sesuai kebutuhan database.

Untuk mengaktifkan innodb, edit file /etc/my.conf dan pada sesi innodb sbb :
# Uncomment the following if you are using
InnoDB tablesinnodb_data_home_dir = /usr/local/mysql/var/
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /usr/local/mysql/var/
innodb_log_arch_dir = /usr/local/mysql/var/
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 16M
innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50

OK, save dan restart mysqlnya.
Done.. done.. minum dulu ahh.. hauss..

Kesalahan kecil yang FATAL

2008-02-25T08:51:00.001+07:00

Namanya manusia ga luput dari kesalahan, lalai dan teledor. Dan akibatnya macam², tak jarang kesalahan kecilpun bisa berakibat fatal. Bayangin aja misalnya dokter salah tulis dikit aja ngasih resep, atau diagnosa bisa berakibat kematian kan..

Ok, kita ngga akan bahas medis karna gw ga ngeri sekali sama. Gw cuman mau nulis kesalahan kecil gue yang berakibat fatal meski ga sampe menyebabkan kematian *sigh*

Sore kemarin server gw loadnya beraaattt banget... seperti seorang pemuda yang naik BMW tapi mangku gajah lampung! Segera saja otakku yang mungkin sama dgn otak manusia indonesia yang jarang digunakan karena takut aus mulai terasah.
Tiba2 saja saya sudah login di gateway server² dan mulai mengallow ip tertentu yang diijinkan untuk ngakses server dan mulai mendeny ip2 yang tidak dibutuhkan untuk mengurangi load server gw yang sedang mangku gajah duduk..
Crap!
Ada rule yang salah saat ngetikkan baris2 perintah firewall...
Jadinya gateway ga bisa saya akses dan server yang lain juga sama kecuali server yg diduduki gajah tadi.

Help.. tasukete kudasai!..
Gatewaynya jauh di ibukota negara banjir nan macet 924 km darisini.
Harus call teman dulu disana, setelah proses yang mendebarkan bin menyebalkan bisa juga terhubung dan dia harus menempuh lebih dari 30 menit untuk sampai dan cangkruk di consolenya.
Oh baru cobaan gini aja gw dah bingung setengah hidup, ya maklum wong gatewaynya u/ beberapa server maha penting.

Finally smua bisa diatasi *ya jelas wong emang rulenya simple tapi mematikan*
Server yang lambreta ternyata karena ada salah satu cust. yang ngabis2in resource servernya, so smtr saya suspend dulu.
Report juga udah kukirim, report yang apa adanya tanpa bumbu² sedikitpun. Rangkaian kejadian dari awal sampai akhir sampai main effect kutulis disertai perasaan nano-nano seorang kuli yang sedang berkecamuk di dada. yah mo gmn lagi emang salah saya jadi tinggal siap2 konsekuensinya aja..

Hikmah yang bisa diambil :
1. Terkadang dengan cobaan sedikit saja, manusia sudah merasa merana. Terkadang makian sampai keluar, seakan lupa kalau nikmat yang telah diterima begitu banyak sampai tidak bisa dihitung bahkan walau jari gajah lampung ikut serta juga ga bakal cukup untuk ngitung. Kalkulator bisa jadi akan buffer overflow kalau kita maksa ngitung.

2. Jika melakukan sesuatu yang harus cepat selesai, dan cukup merepotkan. Biasakan untuk menenangkan diri dan konsentrasi penuh dan jangan lupa bismillah.

3. Usahakan ruangan cukup kondusif, tidak ada teman yang mengganggu, suara atau hal² kurang penting lainnya.

2008-02-22T10:19:00.000+07:00

dns1 named[1376]: client 125.162.42.67#64136: update 'swisscontact.or.id/IN' denied

I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
A:
Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured to do so. If the update requests are coming from a Windows 2000 machine, see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for information about how to turn them off.

DNS - named: ignoring out-of-zone data

2008-02-22T09:29:00.000+07:00

Pake BIND? dan mengalami error sbb :

named[375]: master/domain.org:11: ignoring out-of-zone data ns2.mine.net.id

sama donk :P

Awalnya sih saya kira ada kesalahan di zone filenya. Tapi setelah diamati dalam tempo yang sesingkat²nya koq smua btul? ada apa ini.. ada apa.. :p
Saya coba query dari luar bisa u/ domain yg ada errornya tadi, dicek dari situs2 u/ cek dns juga ketemu tuh record²nya.

Akhirnya saya biarkan saja, toh sepertinya ngga ngaruh..
Sampai dengan pagi ini ada imel dari bos, nemuin log itu suruh nyari kenapa..
sebernaya gw juga bingung krn cari2 di google juga ga nemu, kalo nemu pun semua berkaitan dgn penulisan zone yang salah..

Ndilalah koq ada eror tambahan root. server bla bla.. duh sayang log e ilang :(
Gak pakai pikir lama, iseng² berhadiah tak coba replace named.rootnya

# dig @a.root-servers.net . ns > named.root
# rndc reload

Hurray.. thx god.. gw liat di log dah bersih sih.. n di query jg lancaarrr.. muach...

Ups.. jgn senang dulu.. ada cobaan lain.. muncul error ini nih di log, banyak lagi..

Feb 22 09:36:46 dns1 named[1376]: client IP#57305: RFC 1918 response from Internet for 3.0.168.192.in-addr.arpa

Untungya di FAQ ada :

Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
mean?
A:
If the IN-ADDR.ARPA name covered refers to a internal address
space you are using then you have failed to follow RFC 1918 usage rules and are
leaking queries to the Internet. You should establish your own zones for these
addresses to prevent you querying the Internet's name servers for these
addresses. Please see http://as112.net/ for details of the problems you are causing
and the counter measures that have had to be deployed.
If you are not using
these private addresses then a client has queried for them. You can just ignore
the messages, get the offending client to stop sending you these messages as
they are most probably leaking them or setup your own zones empty zones to serve
answers to these queries.
zone "10.IN-ADDR.ARPA" {
type master;
file
"empty";
};
zone "16.172.IN-ADDR.ARPA" {
type master;
file
"empty";
};
...
zone "31.172.IN-ADDR.ARPA" {
type master;
file
"empty";
};
zone "168.192.IN-ADDR.ARPA" {
type master;
file
"empty";
};
empty:
@ 10800 IN SOA .
. (
1 3600 1200 604800 10800 )
@ 10800 IN NS
.

Hahaha.. bahasa inggris canggih gtu.. yang jelas dnsku ga dipake u/ query ip lokal, so spt saran di atas aku tambahin zone2 tsb.. trus reload deh.

Reset Root Password Debian VS FreeBSD

2008-02-16T14:32:00.000+07:00

Semalam udah semangat 456789 mau nyoba debian yang udah lama tak terjamah tangan halusku, tapi tak dinyana aku lupa password rootnya ^^. Untung jam 11an nak ibnu bisa dikontak, secara dia biasa bersentuhan dgn mbak debby ini :P. *tenkiu yo le*

Berikut langkahnya, boot loadernya pakai grub nih bukan lilo and stich :P.

1. Waktu boot pilih "recory mode" dan tekan c.
2. Selanjutnya akan ada 4 pilihan, dan arahkan kursor pada pilihan yang ada tulisannya kernel bla2, pokoknya paling panjang sendiri deh, kemudian tekan e.
3. Tambahkan "init=/bin/bash" pada akhir baris dan tekan enter. Voila, udah masuk single mode.
4. ketikkan "mount -o remount, rw /"
5. ketik passwd, isikan password yang baru
6. kemudian ubah akses ke readonly "mount -o remount, ro /"
7. Selesai dan reboot deh..

Kalau di freebsd langkahnya lebih mudah,
1. Waktu boot, pada boot menu tekan angka 3
2. mount -a
3. ketik passwd dan isikan password baru dan reboot

Untuk freebsd ada pilihan untuk tetap prompt password walaupun kita masuk di single mode, bisa di cek /etc/ttys dan ubah pilihan secure menjadi insecure. Itu kalo qta admin paranoid n menjamin kalo qta ga bakalan lupa password kita :p.
Kalo di debian belum tahu sih gmn caranya, tapi kata si ibnu sih di linux yg versi baru u/ single modenya udah diprompt password juga.

LSOF (list open files)

2008-02-15T13:51:00.001+07:00

Siang ini makan siang ditemani seporsi mie ayam bakso ples artikel lsof but tanpa teh botol s*sro. Langsung install aja deh, drpd lupa n banyak kerjaan, installnya juga via jalur xpress :P

# cd /usr/ports/sysutils/lsof
# make install clean
# rehash

Lsof merupakan utility yang hampir mirip dengan netstat -an tapi mungkin lebih lengkap kali ya, karena qta juga bisa melihat file2 yang sedang dijalakan apa saja oleh suatu program, mulai dr binary file, library dan file2 yang berhubungan dengan program yg sedang berjalan.. la wong namanya aja "List open files" ker..

ok lanjut...

# lsof -l
perintah ini akan memperlihatkan smuaaa list prog yang sedang berjalan, sengaja ga dicapture hasilnya (panjang bokkk)

# lsof -c named
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 89535 named cwd VDIR 4,12 512 16662 /chroot/named/conf
named 89535 named rtd VDIR 4,12 512 16656 /chroot/named
named 89535 named jld VDIR 4,12 512 16656 /chroot/named
named 89535 named txt VREG 4,17 3507739 7774967 /usr/local/sbin/named
named 89535 named txt VREG 4,12 142236 16549 /libexec/ld-elf.so.1
named 89535 named txt VREG 4,12 1017456 8301 /lib/libcrypto.so.3
named 89535 named txt VREG 4,12 884716 8280 /lib/libc.so.5
named 89535 named 0u VCHR 2,2 0t0 7 /dev/null
named 89535 named 1u VCHR 2,2 0t0 7 /dev/null
named 89535 named 2u VCHR 2,2 0t0 7 /dev/null
named 89535 named 3u unix 0xc40a0000 0t0 ->0xc181a288
named 89535 named 4u VCHR 2,2 0t0 7 /dev/null
named 89535 named 5r VCHR 248,0 0t0 16 /dev/random
named 89535 named 22u IPv4 0xc3f980b4 0t0 UDP *:54519

lengkap kan? kalau ga mau panjang2 atau mau lihat file apa yg dijalankan tinggal ketik
# lsof -a -d cwd -c named
named 89535 named cwd VDIR 4,12 512 16662 /chroot/named/conf

kalau mau lihat pakai port berapa ya tinggal
# lsof -a -c named | grep "*:"
named 89535 named 22u IPv4 0xc3f980b4 0t0 UDP *:54519

Sep kan? lumayan bisa lihat service yang berjalan apa aja, n dikill aja kalo gak penting, bikin server berat, makan bw or samting else..

Huekz.. abis makan mie koq rasanya mual.. kayaknya mie/pentol nya byk msgnya niy, oh nooo saya skr ga bisa kena msg.. ora tawar jeesss...

backup antar server

2008-01-30T10:37:00.000+07:00

rsync adalah utility u/ memindah2 file/sinkronisasi file.
Kata manualnya sih rsync bisa digunakan sbb :

1. for copying local files. This is invoked when neither source nor destination path contains a : separator
2. for copying from the local machine to a remote machine using a remote shell program as the transport (such as rsh or ssh). This is invoked when the destination path contains a single : separator.
3. for copying from a remote machine to the local machine using a remote shell program. This is invoked when the source contains a : separator.
4. for copying from a remote rsync server to the local machine. This is invoked when the source path contains a :: separator or a rsync:// URL.
5. for copying from the local machine to a remote rsync server. This is invoked when the destination path contains a :: separator.
6. for listing files on a remote machine. This is done the same way as rsync transfers except that you leave off the local destination.

So, yuk mari kita buktikan.

Anggap saja server utama ipnya 10.10.10.75 dan server backupipnya 10.10.10.60
Nah rsync modenya nanti pakai yang over ssh.

Login ke 10.10.10.60, di directory /home ketik :
# ssh-keygen -f qlogin -t rsa
untuk password langsung enter saja, perintah ini akan mengenerate private (qlogin) dan public key (qlogin.pub)

Selanjutnya copykan qlogin.pub ke server 10.10.10.75 di directory homeuser/.ssh dan rename menjadi authorized_keys2, spt ini nih hasilnya : /home/rahma/.ssh/authorized_keys2

Kita tes, sukses ga login ssh scr otomatis..
Login ke 10.10.10.60, masuk ke directory dimana qlogin berada dan ketik
# ssh -i qlogin rahma@10.10.10.75

OK, setelah sshnya lantjar djaja, tinggal install rsyncnya.. (spt biasa wes.. ndak usah dijelasin yak :P)...

Nah untuk perintah sinkronisasi/backup filenya spt ini :
masuk ke dir dimana qlogin (private keynya berada), kebetulan punyaku di /home
# cd /home
# /usr/local/rsync/bin/rsync -e "ssh -i qlogin -l rahma -p 2223" -avz rahma@10.10.10.75:/home/www /home/BACKUP75/

sent 1636 bytes received 2421838595 bytes 3734526.19 bytes/sectotal size is 2421962606 speedup is 1.00

SMTP Auth auxprop dengan Postfix

2008-01-29T13:55:00.001+07:00

# cd /usr/local/mysql/lib/mysql/
# cp * /usr/local/lib
# cd /usr/local/mysql/include/
# cp * /usr/local/include/

Download cyrus-sasl-2.1.19 dan patchnya, kemudian ekstrak dan lakukan patching

# cd /cyrus-sasl-2.1.19
# patch -p1 < ../cyrus-sasl-2.1.19-checkpw.c+sql.c.patch. # ./configure --enable-static --enable-shared --enable-sql --with-mysql=/usr/local/mysql --enable-login --disable-otp --disable-ntlm # make && make install # ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 # cd /usr/local/lib/sasl2 # cp *sql* /lib/ # vi /usr/local/lib/sasl2/smtpd.conf pwcheck_method: auxprop auxprop_plugin: sql sql_engine: mysql mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN sql_engine: mysql sql_hostnames: localhost sql_user: dbmail sql_passwd: s3cr3t sql_database: dbmail sql_verbose: yes sql_select: SELECT passwd FROM dbmail_users WHERE userid = '%u@%r' # cd postfix-2.4.5 # make tidy
# make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib/ -lsasl2" atau
# make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl -DHAS_MYSQL -I/usr/local/mysql/include/mysql" AUXLIBS="-L/usr/local/lib/ -lsasl2 -L/usr/local/mysql/ -lmysqlclient -lz -lm"

# make install

tambahkan baris berikut pada /etc/postfix/main.cf
smtpd_recipient_restrictions =
reject_unauth_pipelining
reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
permit

broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

=== Selesai ===

/usr/local/sbin/saslauthd:
libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x2807e000)
libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x2808c000)
libasn1.so.7 => /usr/lib/libasn1.so.7 (0x280c4000)
libroken.so.7 => /usr/lib/libroken.so.7 (0x280e5000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x280f3000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x2810b000)
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28202000)
libpam.so.2 => /usr/lib/libpam.so.2 (0x28204000)
libc.so.5 => /lib/libc.so.5 (0x2820b000)

/usr/sbin/postfix:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28083000)
libc.so.5 => /lib/libc.so.5 (0x28096000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x28170000)

/usr/libexec/postfix/smtpd:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280b6000)
libc.so.5 => /lib/libc.so.5 (0x280c9000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x281a3000)

mail-h# telnet smtpku.co.id 25
Trying 203.134.232.67...
Escape character is '^]'.
220 smtpku.co.id ESMTP Postfix
ehlo a
250-PIPELINING
250-SIZE 5120000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Hardening FReeBSD

2007-12-31T12:41:00.000+07:00

Sebelumnya sih sudah pernah posting yang berbau hardening system, tapi sepertinya artikel berikut lebih lengkap deh.. thx to mbah google.

Tips dan trik seputar FreeBSD Security.
1. Selalu berdo'a sebelum action
2. Selalu membuat BACKUP sebelum melakukan segala sesuatunya.

BASIC SYSTEM HARDENING
1. Gunakan selalu FreeBSD versi STABLE (heheh..belum saya lakukan, selalu saja pake release). 2. Jangan menjalankan services yang tidak perlu, lihat /etc/inetd.conf, /etc/rc.conf

SERVICES PROTECTION
1. Gunakan chroot(8) atau jail(8) untuk menjalankan program-program yang berisiko vulnerable.
2.Memfilter setiap akses terhadap services menggunakan Firewall atau Packet Filtering software seperti ipfw atau IPF (ipfilter).
3. Aktifkan option log_in_vain="YES" untuk melihat koneksi ke port-port TCP/UDP yang
tidak menjalankan services.

SECURE LOGGING
Non-aktifkan syslogd logging ke mesin remote. gunakan option “-s -s”
Pastikan pada /etc/syslog.conf terdapat:
security.* /var/log/security
ftp.* /var/log/ftpd.log
auth.* /var/log/auth.log

Aktifkan ipfw atau IPF logging pada /etc/syslog.conf

B O F H (bastard operator from hell)
1. Gunakan AllowUsers/AllowGroups pada konfigurasi SSH untuk menentukan siapa saja user yang dapat login menggunakan SSH.
2. Gunakan tcp wrappers untuk mengijinkan atau melarang akses pada tcp-based services.
3. Berikan shell /sbin/nologin pada user yang hanya membutuhkan akses ftp.
4. Lakukan user accounting. accounting_enable="YES"

LOCKING-DOWN FILESYSTEM
1. Selalu membuat beberapa partisi.
2. Mount semua partisi kecuali /usr dengan argument ‘nosuid’
3. Hilangkan suid bits pada binary yang tidak digunakan (seperti pada UUCP binary files)
4. Gunakan chflags dengan variable sappnd pada logfiles, dan schg pada binary files.
# ls -lo /usr/bin/su
-r-sr-x--- 1 root wheel schg 8200 May 1 09:37 /usr/bin/su

KERNEL SECURELEVELS
Variable kernel securelevels menunjukkan level security.
Value antara ‘-1’ sampai ‘3’, dan ‘0’ adalah ‘insecure mode’.
Securelevel hanya dapat meningkat nilainya, dan tidak dapat turun pada multiuser mode.
Securelevel dikontrol menggunakan sysctl(8) dan sysctl.conf(5).

Securelevel 1 = flag sappnd dan schg tidak dapat diubah, kernel module tidak dapat diload/unload.
Securelevel 2 = securelevel 1 + tidak dapat menulis pada disk kecuali mount(2)
Securelevel 3 = securelevel 2 + ipfw rules tidak dapat dimodifikasi

KERNEL STATES CONTROL & SYSTEM CONFIGURATION

sysctl & rc.conf

net.inet.tcp.blackhole=2, net.inet.udp.blackhole=1
untuk tidak membuat RST pada portscan
kern_securelevel_enable="YES",
kern_securelevel="?" # range: -1..3;
icmp_drop_redirect="YES"
fsck_y_enable="YES"

SECURE REMOTE CONNECTIONS

1. Non-aktifkan telnet, dan r* commands, gunakan SSH atau OpenSSH sebagai pengganti
2. Gunakan sftp sebagai pengganti ftp
3. Gunakan otentifikasi pubkey pada SSH
4. Pertimbangkan kembali penggunaan OTP (One-Time-Password)

FIREWALL / PACKET FILTERING
Sebuah firewall dapat:
melakukan deny/permit packets
membedakan rules setiap interfaces

Software yang dapat digunakan:

ipfw (IPFirewall):
options IPFIREWALL enable ipfw
options IPFIREWALL_VERBOSE enable firewall logging
options IPFIREWALL_VERBOSE_LIMIT limit firewall logging
options IPDIVERT enable divert(4) sockets

IPF (IPFilter):
http://coombs.anu.edu.au/~avalon/

SECURITY CHECKS

nmap, swiss-army knife, err network mapper ;)
http://www.insecure.org/nmap/

snort, Lightweight network intrusion detection system
http://www.snort.org/

tripwire, Filesystem security & verification program
http://www.tripwire.org/

chkrootkit, memeriksa apakah terdapat rootkit pada local system.
http://www.chkrootkit.org/

dsniff, monkey watch monkey sniff
http://www.monkey.org/~dugsong/dsniff/

WHAT’S NEXT?

FreeBSD Security web page:
http://www.freebsd.org/security/security.html

FreeBSD Security How-To:
http://people.freebsd.org/~jkb/howto.html

FreeBSD Security advisories:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/

FreeBSD Hardening Project:
http://www.watson.org/fbsd-hardening/

WHAT’S NEXT?

FreeBSD ipfw howto:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

IPF (ipfilter) howto:
http://www.obfuscation.org/ipf/ipf-howto.html

Cerb, security kernel module:
http://cerber.sourceforge.net/

Packetstorm Defense Tools:
http://packetstormsecurity.nl/defense.html

Akses file dari CD

2007-11-29T12:34:00.000+07:00

Tambahkan berikut pada kernel

MOUNTING A CD-ROM DISK

We need to set up a directory before we can mount the CD, so let's go to the OS root directory by entering:

cd /
mkdir /cdrom
mount -t cd9660 /dev/acd0c /cdrom

READ A DIRECTORY LISTING
The CD-ROM disk is now mounted. To test, enter:
ls -lt /cdrom

This should give us a listing of the files on the CD.
COPY OR MOVE FILES
cp -p /cdrom/somefile.conf /some/directory/on/hard/drive/

UNMOUNT CD-ROM DISK
Once we are finished using the CD-ROM disk, before we remove it, enter:
umount /cdrom

Program saya jalan?

2007-11-22T13:08:00.000+07:00

Berawal dari insiden matinya source streaming server saya kemarin, saya tak tahu kalau mati *dudulzmodeon*, HP lagi masuk bengkel ples sore itu saya sedang mengunjungi bu dokter jadi tidak ada koneksi internet sama sekali.
Dari dokter gigi saya ke matos ma adek..baru tahu setelah yang shift call ke hp adekQ. Fyuh.. matinya lmy lama *sighhh* gara2 yg jaga juga kagak ngerti adudududu...

So, hari ini otakku yang makin lama makin aus karena jrg digunakan :P mulai dikit2 bekerja.. gimana kalo dibuatin script aja biar ngecek tiap bbrp menit sekali.

Nih contohnya scriptnya, kasih aja nama /etc/cekecek
#!/bin/sh
SERVICE=httpd;
if ps ax | grep -v grep | grep $SERVICE > /dev/null
then
echo "$SERVICE service running, everything is fine"
else
echo "$SERVICE is not running"
/etc/rc.d/http
fi

Masukin ke crontab, oven tiap 1 jam sekali :P
59 * * * * /etc/cekecek

Buat para remote-R sejati

2007-11-20T13:58:00.001+07:00

Sodara2 sering remote dan tiba² pas lagi khusyuk²nya install sesuatu tiba-tiba koneksi putus. Jadi sebel bin ambien kan...
Hehehe kebetulan setelah ngintip blognya om Giest ada solusinya niy. Yups, qta bisa nginstall yg namanya screen, tutor berikut diambil dari postingannya om Giest.

#cd /usr/ports/sysutils/screen
make install clean

PEMAKAIAN

Perintah-perintah di screen yang penting sbb :

screen

ctrl a c = membuat session screen baru
ctrl a p = berpindah antar screen session
ctrl a d = keluar dari screen session tanpa mematikan proses yang sedang dilakukan.
exit = keluar dari screen setelah proses yang sedang dilakukan selesai

CONTOH

Ketikan screen untuk memulai screen session, apabila pertama kali maka ini adalah screen session satu-satunya sementara apabila anda pernah membuat screen session sebelumnya, maka perintah ini akan memulai screen session baru tanpa mengganggu session sebelumnya.

kemudian ketikan perintah yang ingin anda lakukan misalnya top, setelah top berjalan kemudian andaketikan ctrl a c untuk membuat screen baru dan anda akan mendapatkan screen kosong yang lain. Disini anda bisa melakukan perintah yang lain seperti misalnya ping ke host yang anda inginkan.

Setelah semua proses diatas berjalan untuk berpindah antar screen tadi (dari perintah top ke ping) anda cukup mengetikan ctrl a p dan anda pun sudah kembali ke screen berikutnya.

Untuk keluar dari screen tanpa mematikan proses screen tadi, anda cukup mengetikan ctrl a d maka anda akan kembali ke shell dan bukan di screen lagi. Apabila anda kemudian keluar atau mematikan remote koneksi maka session screen anda tetap berjalan.
Apabila anda karena alasan tertentu putus koneksi dengan server yang anda remote anda dan belum sempat keluar dari screen jangan takut karena proses yang anda lakukan tetap berjalan anda tinggal melanjutkan nya saja.

Untuk melanjutkan session screen pertama anda harus login dengan user yang membuat screen session. User yang lain tidak akan bisa melanjutkan (resume) session screen milik user yang lain.

Setelah anda login dengan user bersangkutan sekarang ketikan screen -r apabila anda sebelumnya memiliki session screen lebih dari satu silahkan cek terlebih dahulu dengan cara seperti berikut ini

/usr/local/bin/screen screen -ls
There are screens on:
96050.ttyp0.giest (Detached)
96172.ttyp0.giest (Detached)
2 Sockets in /tmp/screens/S-root.
/usr/local/bin/screen screen -ls
There are screens on:
96050.ttyp0.giest (Detached)
96172.ttyp0.giest (Detached)
2 Sockets in /tmp/screens/S-root.

Seperti terlihat bahwa ada dua session screen yang aktif untuk masuk dan mempergunakan session yang aktif lakukan perintah berikut ini

screen -r 96172.ttyp0.giest
screen -r 96172.ttyp0.giest
maka anda sekarang akan bekerja di screen tersebut sementara screen session yang lain tetap aman.

Ok sekarang tidak perlu lagi takut melakukan pekerjaan yang memerlukan waktu lama secara remote cukup buka screen dan koneksi putus bukan masalah lagi.

taken from giest.org

port ku perlu apa aja?

2007-11-20T13:18:00.000+07:00

make pretty-print-build-depends-list
make pretty-print-run-depends-list

make -V RUN_DEPENDS and make -V BUILD_DEPENDS

You can use this to check for the value of any make variable (LIB_DEPENDS, OPTIONS, WITH_*, WITHOUT_*, etc).

# cd /usr/ports/category/port
# make build-depends-list
# make run-depends-list

Just Copy oaste.. :(

2007-11-20T09:26:00.000+07:00

Learn some of the basic steps you can take to make your FreeBSD system more secure.
1. set additional flags on your /tmp and /home directories. I will show you how to see your current flags and how to change them[root]# mount/dev/ad0s1a on / (ufs, local)/dev/ad0s1f on /tmp (ufs, local, nodev, nosuid, soft-updates)/dev/ad0s1g on /usr (ufs, local, soft-updates)/dev/ad0s1e on /var (ufs, local, soft-updates)/dev/ad0s1h on /home (ufs, local, nosuid, with quotas, soft-updates)procfs on /proc (procfs, local)
The two partitions above are the ones we will be adding flags for. As you can see I added nodev and nosuid on /tmp and nosuid and quotas on /home
nodev - stops character or block special devices on the filesystemnosuid - disables suid programs from being run from this filesystemquotas - to limit the amount of disk space that your users may use
You can set these flags in /etc/fstab file
the /tmp directory is a world writable directory so taking these additional steps is a good idea
2. Set your system security level. For most machines there is no reason to run in securelevel -1, unless you wish to run X-Windows on the machine. If you would like to run a server it is best NOT to run X and step up your kernel security level to 1.
Changing this to 1 will mean that you may no longer replace the kernel without being in single user mode (system immutable and system append-only flags are also enforced), KLD's may not be loaded/unloaded and /dev/mem and /dev/kmem may not be opened for writing. To change the security level do the following:
[root]# sysctl kern.securelevel=1
to make this change permanent add the following to/etc/rc.conf:
kern_securelevel_enable="YES"kern_securelevel="1"
3.Remove the toor user.
By default, FreeBSD ships with an additional user that has a UID of 0. This user is known as toor (root backwards), and is intended as a backup user, so that if you mistakenly broke (for eg) root's shell, you could log in using this user and fix things. The account is disabled (passwordless) by default, and hence of no use UNLESS you change it's password. You may either choose to set a password for it, or remove it.
It should be noted that the rmuser(8) command will not allow the deletion of an account with a UID of 0, so you will need to use vipw(8) to remove this account.
4. Shutdown and services you are not using
[root]# netstat -na grep LISTENtcp46 0 0 *.80 *.* LISTENtcp4 0 0 *.22 *.* LISTENtcp46 0 0 *.22 *.* LISTEN
This shows that http(80) and ssh(22) are listening. If you have a process listening and you're unsure of what process is keeping that port open you may use sockstat(1) to list open sockets and provide you with the relevant information
You can all see anything listening for UDPnetstat -nap udpudp4 0 0 *.514 *.*
Here, you see that syslogd is listening on port 514 (UDP). You can disable syslogd from listening on a port by changing/etc/rc.confsyslogd_enable="YES"syslogd_flags="-ss"
5. Setup packets being sent to non-listening ports to be ignored and go to a 'Black Hole'
[root]# sysctl net.inet.tcp.blackhole=1
to make this change permanent modify/etc/rc.conf
net.inet.tcp.blackhole=1net.inet.udp.blackhole=1
6. KEEP YOUR PACKAGES AND OS CURRENT.
I have an article here on how to automatically update your freeBSD box. I would suggest you set this up!

Update binary freebsd

2007-11-17T12:31:00.000+07:00

Pertama install dulu freebsd-update
# whereis freebsd-update
freebsd-update: /usr/local/sbin/freebsd-update
# cd /usr/local/sbin/freebsd-update
make install clean

cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
# rehash
# freebsd-update fetch
# freebsd-update install

Shell-ku?

2007-11-17T09:52:00.000+07:00

Untuk mengetahui jenis shell yang sedang kita gunakan ketik :
# echo $SHELL
/bin/csh

atau dgn perintah berikut :

office-mlg# ps -p $$
PID TT STAT TIME COMMAND
59155 p0 S 0:00.04 /bin/csh

Untuk melihat shell apa saja yang tersedia di FreeBSDBox-mu ketik :
# more /etc/shells
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash

Ada satu tips lagih.. coba aja :

chmod 0750 `which curl` 2 > & - ; chmod 0750 `which fetch` 2 > & - ; chmod 0750 `which wget` 2 > & -

#!/bin/bash
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}'
/etc/passwd2 | cut -d: -f1)"
for u in $USERS
do
pw lock $u
done

Where
NF : Total number of record (so only continue if we have more than one record in password file)
$1 : First field in /etc/master.passwd
$2 : Second filed in /etc/master.passwd
$1 !~ /^[#+-]/ : It compares first field (user login name) and make sure it does not starts with either +,- or # symbol

How does it work?
1) Awk statement read each line in /etc/master.passwd where fields separated by : symbol
2) Account has no password if password field ($2) in /etc/master.passwd is empty

Once you found all such passwordless account., you can Lock user account with the following command:
pw lock {username}

# pw lock s2099msFor unlocking the account use:
pw unlock {username}

# pw unlock s2099ms

rootkitHunter

2007-11-16T12:47:00.000+07:00

Sebelumnya install rkhunter paling engga, qta musti punya : wget | curl | elinks | links | lynx bget GET

# fetch http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
unpack the tarball and, as root, run the installation script:
tar zxf rkhunter-.tar.gz
cd rkhunter
./installer.sh --layout default --install
atau
./installer.sh --layout custom /usr/local/ --install

To show where files are installed using the "oldschool" layout run:

./installer.sh --layout oldschool --show
PREFIX: /usr/local
Application: /usr/local/bin
Configuration file: /usr/local/etc
Documents: /usr/local/rkhunter/lib/rkhunter/docs
Man page: /usr/local/rkhunter/lib/man/man8
Scripts: /usr/local/rkhunter/lib/rkhunter/scripts
Databases: /usr/local/rkhunter/lib/rkhunter/db
Temporary files: /usr/local/rkhunter/lib/rkhunter/tmp

./rkhunter --update
./rkhunter -c

Before running RKH you will need to fill the file properties database by
running the following command:

rkhunter --propupd

To run RKH, as root, simply enter the following command:

rkhunter --check

By default, the log file '/var/log/rkhunter.log' will be created. It
will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

rkhunter --help

NOTE: The first run of 'rkhunter' after installation may give some
warning messages. Please see the FAQ file for more details
about this.

Uninstall

tar zxf rkhunter-.tar.gz
cd rkhunter
./installer.sh --layout default --remove

If you chose a different layout, for example '/usr', then run the
installer using:

./installer.sh --layout /usr --remove

beastie tipz

2007-11-14T13:07:00.000+07:00

"ls -G", "ls -F" atau "ls -FG"
Gunakan untuk directory listing berwarna ;)

'set autolist'
pada tcsh shell digunakan u/ scr otomatis menampilkan semua kemungkinan saat melakukan ekspansi file/directory

'set autologout = 30'
jika idle lbh dari 30 menit akan dilogout (u/ tcsh shell)

`set filec'
mengaktifkan (file completion) dlm tcsh dengan menekan TAB

`set watch = (0 any any)'
Untuk mengaktifkan notifikasi jika ada user log in/out.

set prompt = '%n@%m:%/%# '
contoh tampilan rahm@server:/usr# u/ bold sbb : set prompt = '[%B%m%b] %B%~%b%# '

grep "string" filename1 [filename2 filename3 ...]
mencari suatu string dari suatu file

Setting alias u/ memendekkan perintah
alias lf="ls -FA"
alias ll="ls -lA"
alias su="su -m"

di csh or tcsh, spt ini :
alias lf ls -FA
alias ll ls -lA
alias su su -m
ketik 'alias' untuk melihat daftar alias yang ada

Lihat /etc/rc untuk melihat loading system.

whereis 'namaprog'
Gunakan untuk mencari binary, manual atau source dir. dari suatu program.

Ctrl-D
Gunakan untuk exit/logout dr shell.

"du -s * sort -n "
U. list directory dan sizenya.

Mixer
U. mengatur volume peripheral sound.

pkg_add -r
automatically download and install binary packages and it's dependency.

Mencari port tertentu?, ketik berikut pada dir. /usr/ports
"make search port="
or
"make search key=""

swapinfo
menampilkan virtual memory

"zcat" atau "zmore"
U/ membaca file terkompresi tanpa ekstraksi

du /partition_or_directory_name sort -rn head
Untuk melihat 10 file terbesar dlm dir. / partisi

file namafile
Untuk melihat apakah textfile, exe atau tipe file lain.

col -bx <> newfile
Untuk meremove karakter ^M pada DOS file

lock -p
Untuk melock terminal.

dig -x IP-address
U. melihat hostname suatu ip

Tambahkan berikut pada C Shell u/ melindungi core files dari penulisan.
limit coredumpsize 0

"leave +hhmm"
Untuk men-set reminder terminal

"sockstat -4l"
Need to see which daemons are listening for connection requests? Use
for IPv4, and "sockstat -l" for IPv4 and IPv6.

": > filename"
Untuk mengosongkan file

ls -R / more
melihat seluruh directory sistem

translated from : http://nixdoc.net/FreeBSD-Tips/

ODBC di PHP

2007-10-26T14:26:00.000+07:00

Siang ini ada yang rikues, server windows dgn apache n phpnya ga mau kalo pake database sql tapi maunya pake ODBC, yaw dah.. apa sich yang engga untuk dikau ? qeqeqe...

Pertama create dsn namenya di ODBC, pilih mdb driver dan select nama databasenya, misal metuek.mdb. Kalau untuk apache yang under unix settingnya gini
# cd /etc
# ee odbc.ini
[test]Description = test
DatabaseDriver = /usr/lib/libmdbodbc.so
Database = /var/www/test.mdb

Sudah? jika sudah re-start dunk apachenya.

Contoh script phpnya krg lebih spt ini niy.
$conn=odbc_connect('test','','');
if (!$conn) { exit("Connection Failed: " . $conn); }

$sql="SELECT * FROM customers";
$rs=odbc_exec($conn,$sql);
if (!$rs) {
exit("Error in SQL");
}
echo ;
echo ;
echo ;
while (odbc_fetch_row($rs))
{
$compname=odbc_result($rs,"CompanyName");
$conname=odbc_result($rs,"ContactName");
echo ;
echo ;
}
odbc_close($conn);
echo

Companyname	Contactname
$compname	$conname

;
?>

delete file by date

2007-10-26T14:12:00.000+07:00

find /directory -name "namafile" -mtime +30 xargs rm atau
find /directory -name "namafile" -mtime +30 -type f -exec rm {}\;

Perintah diatas akan mencari file 30 hari n older dan akan menghapusnya.

-mtime n : kondisi True jika isi file modified n days ago.
Type Description
b : A block special device file
c : A character special device file
d : A directory
f : A plain file (SV only)
p : A named pipe (FIFO) (SV only)
l : A symbolic link to a file
s : A socket (BSD only)

Cek Cek ...

2007-10-26T09:38:00.000+07:00

Sebagai admin gadungan, yah tugasnya secara rutin ngintip2 log di server.. tapi, koq slalu ada yang kelewatan yah ada yg belom dicek getuh..

akhirnya saya putuskan untuk saya tulis disini aja deh, kebetulan ini u/ mailserver untuk yg lain ga jauh beda..

1. Cek log /var/log/messages, /var/log/maillog n jgn lupa untuk cek dmesg dan auth.log

2. ps -ax, top, trafshow, sockstat -l adalah wajib hukumnya.

3. /var/virusmails harus didelete sisakan aja yang baru2, kali aja ada yg komplen.

# ls -l /var/virusmails/ |wc -l

4. /usr/local/mysql/var juga harus dicek minimal 1 bulan sekali file mysql-bin.xxxxx dan sisakan hanya 1 bulan terakhir saja.

5. /var/amavisd/tmp/.... (log temporary amavis dan clamd) juga harus
didelete setiap minggu (jika ada).

mailbox2 user juga harus dimonitor.

Tip

2007-10-05T15:26:00.000+07:00

In case of attacks, you can fiddle up with the following values:

net.inet.tcp.msl (on my machine, 10000. default is 30000)
net.inet.tcp.keepidle (default 10000)
net.inet.tcp.keepintvl (default 7500)
net.inet.tcp/udp.blackhole (turn on for DoS)
net.inet.tcp.tcbhashsize (push up to a reasonable value)

--------------------------------------------------------------------------------

For a better performance, you should mess up with:

kern.ipc.somaxconn (my machine = 4096, default. 128)
kern.ipc.maxsockets
net.inet.ip.intr_queue_maxlen
kern.maxfiles (65535, 16424 as default)
vfs.vmiodirenable (set to 1, 0 is the default)
net.inet.tcp.sendspace (see tuning(7) for more explanations)
net.inet.tcp.recvspace
option NMBCLUSTERS in the kernel (check how many clusters you use with netstat -mb -- don't overtune it, on my busiest webservers the number of used clusters never went above 2256, so 8192 should be enough for all servers), and, of course, maxusers. Well, that era has ended. Right now I discovered a
2827/16384/16384 mbuf clusters in use (current/peak/max)
on a webserver, so I'm gonna bump it to 32k. Also, I'm going to reduce the net.inet.tcp.sendspace from 32k to 16k, because the web traffic means a lot of small files. In case you find out you're just about to run out of NMBCLUSTERS (ex. 6301/8100/8704 mbuf clusters in use (current/peak/max) -- on one of my servers), in case of a webserver, and cannot recompile a new kernel with a bumped NMBCLUSTERS, then set KeepAlive to off in your Apache, and this will save you some clusters by removing many FIN_WAIT_2 connections (More here).
kern.ipc.shm_use_phys -- turn to 1 if the main application of your server uses shared memory, it has improved the activity of my web server.
netstat -f inet can give you valuable informations. For example, a lot of connections with Send-Q != 0 means that your server is storing datas into the mbufs, because the uplink is saturated or (more often) the clients are too 'slow' to receive datas. Non-null values for Recv-Q, on the other hand, means that your server is too slow in serving the requests, which increase the number of mbufs for incoming connections.
net.inet.tcp.msl -- take it down from the default 30,000 to something like 10,000 or even less if you notice too many TIME_WAIT connections in netstat -f inet
net.inet.tcp.inflight_enable -- for bandwidth delay limiting (TCP connections). Read more about in tuning(7).

--------------------------------------------------------------------------------

Firewalling with IPF gave me quite some problems, mostly related to the state table. The customers experienced some broke connections (browser hanging forever when loading up a page), even though the channel was not full (bandwidth-wise). What you can do in a situation like this is play with:

net.inet.ipf.fr_tcpidletimeout=7200 (I like to leave this higher, though, because it kills my idle ssh sessions on the servers as well -- and I hate logging in each other hour or so).
net.inet.ipf.fr_tcpclosewait=120
net.inet.ipf.fr_tcplastack=120
net.inet.ipf.fr_tcptimeout=240
net.inet.ipf.fr_tcpclosed=60
net.inet.ipf.fr_tcphalfclosed=300
net.inet.ipf.fr_udptimeout=90
net.inet.ipf.fr_icmptimeout=35
More about this values here.
You can check how many states are active by looking into the output of ipfstat -s (active). I experienced values growing from 0 to approx. 4000 and then 0 again, which meant the state table got full, and was resetted. You can also carefully increment the number of states in '/usr/include/netinet/ip_state.h' (IPSTATE_SIZE and IPSTATE_MAX -- in my case IPSTATE_MAX was set to 4013, which made the table reset like I said before, at a value approx. equal to 4000). You have to set these two values at resonable values (not too high, don't overtune!), they need to be prime values, and IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE. More infos can be found here.
One other thing that one might do is remove any unnecessary 'keep state's from the firewall configuration. For example, Apache communicates with the clients on port 80 exclusively, so if you 'pass all from any to $my_host port = 80', then you don't need keep states.
As about the NAT using IPFilter, you might consider defining LARGE_NAT in src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h.
One other problem that I had, having the same source, was that FTP transfers of a zillion+ files would just stall from time to time (after about 100 transferred files). Reason was that the state table was becoming full, and was 'cleaned up' by the kernel, which meant lost state. Freeing the unneeded 'keep states' from the firewall rules, and twaking the parameters above made this problem dissapear as well.
A very nice feature of FreeBSD's kernel is also the DEVICE_POLLING kernel option, which basically means that the system will not treat any interrupt coming from the network cards independently, but rather 'poll' the devices at certain intervals of times. That saves a lot of system activity. You might also consider tweaking with the "option HZ", and also enabling 'kern.polling.enable' and 'kenr.polling.user_frac'. Unfortunately, DEVICE_POLLING works only with certain NICs, but I've experienced very good results with the Intel EtherExpress (fxp). You can see the performance on some snapshots of my firewall here.

--------------------------------------------------------------------------------

Special settings:

In order to run ipf and ipfw on the same machine (ipf for firewall, ipfw for traffic shaping), you can do the following:
ipf -f a_file, where a_file contains something like: "pass out quick proto tcp from x.x.x.x to y.y.y.y port = z flags S keep state"
ipfw add pipe 10 ip from x.x.x.x to y.y.y.y
ipfw pipe 10 config bw 10Kbit/s queue 50KBytes

http://www.nsrc.org/freebsd-tips.html

2007-10-02T10:29:00.000+07:00

ICMP Internet Control Message Protocol

didesain u/ mengontrol pesan antar router dan antar host.

Sebuah ICMP header mengikuti IP header pada Paket IP, tapi bukan dianggap sbg header layer 4 seperti TCP dan UDP tapi ICMP dianggap sebagai satu kesatuan dari IP.

Here is a picture of the fields an ICMP header adds to an IP
packet:
8 16 32 bits
Type Code Checksum
Identifier Sequence number
Data

You'll note that an ICMP header is composed of six fields. Interestingly, the Data field does not contain the actual ICMP "message." Instead, the Type and the Code fields contain numeric values, and each numeric value represents a specific ICMP message. Every ICMP packet must have a Type value, but only some ICMP types have an associated non-zero Code value.

RFC 1700 contains the possible values for each ICMP type and code; I've summarized these into the following table:
Type Name Code(s)
0 Echo reply 0 - none
1 Unassigned
2 Unassigned
3 Destination unreachable 0 - Net unreachable
1 - Host unreachable
2 - Protocol unreachable
3 - Port unreachable
4 - Fragmentation needed and DF bit set
5 - Source route failed
6 - Destination network unknown
7 - Destination host unknown
8 - Source host isolated
9 - Communication with destination network is administratively prohibited
10 - Communication with destination host is administratively prohibited
11 - Destination network unreachable for TOS
12 - Destination host unreachable for TOS
4 Source quench 0 - none
5 Redirect 0 - Redirect datagram for the network
1 - Redirect datagram for the host
2 - Redirect datagram for the TOS and network
3 - Redirect datagram for the TOS and host
6 Alternate host address 0 - Alternate address for host
7 Unassigned
8 Echo 0 - None
9 Router advertisement 0 - None
10 Router selection 0 - None
11 Time Exceeded 0 - Time to live exceeded in transit
1 - Fragment reassembly time exceeded
12 Parameter problem 0 - Pointer indicates the error
1 - Missing a required option
2 - Bad length
13 Timestamp 0 - None
14 Timestamp reply 0 - None
15 Information request 0 - None
16 Information reply 0 - None
17 Address mask request 0 - None
18 Address mask reply 0 - None
19 Reserved (for security)
20-29 Reserved (for robustness experiment)
30 Traceroute
31 Datagram conversion error
32 Mobile host redirect
33 IPv6 where-are-you
34 IPv6 I-am-here
35 Mobile registration request
36 Mobile registration reply
37-255 Reserved

You'll note that the ICMP types that do have associated codes use the Code field to further explain the message value in the Type field. For example, ICMP Type 3 represents "destination unreachable." There can be many reasons why a destination is unreachable; accordingly, every ICMP Type 3 packet will also use one of the codes to explain why the destination was unreachable.

In our dump file, packets 4-9 contained ICMP information. These packets were created right after ARP had determined the destination MAC address and just before the TCP 3-way handshake. Let's take a look at packets 4 and 5:

tcpshow < dump

-------------------------------------------------
Packet 4
TIME: 10:25:28.608640 (0.000355)
LINK: 00:00:B4:3C:56:40 -> 00:50:BA:DE:36:33 type=IP
IP: 10.0.0.2 -> 10.0.0.1 hlen=20 TOS=00 dgramlen=84 id=0010
MF/DF=0/0 frag=0 TTL=255 proto=ICMP cksum=A796
ICMP: echo-request cksum=169F
DATA: ....:_.:6....
..................... !"#$%&'()*+,-./01234567
-------------------------------------------------
Packet 5
TIME: 10:25:28.608722 (0.000082)
LINK: 00:50:BA:DE:36:33 -> 00:00:B4:3C:56:40 type=IP
IP: 10.0.0.1 -> 10.0.0.2 hlen=20 TOS=00 dgramlen=84 id=9551
MF/DF=0/0 frag=0 TTL=255 proto=ICMP cksum=1255
ICMP: echo-reply cksum=1E9F
DATA: ....:_.:6....
..................... !"#$%&'()*+,-./01234567

Notice that these are normal IP packets with the expected IP header fields. Immediately following the IP header is the ICMP header which is followed by some strange-looking data. The tcpshow utility did not show all of the ICMP fields, but you can see that Packet No. 4 was an echo-request and Packet No. 5 was an echo-reply. If we look up these names in the chart, we'll see that Packet 4 contains an ICMP Type 8 Code 0 message, and Packet 5 contains an ICMP Type 0 Code 0 message.

Let's look at these same packets using Ethereal. Because Ethereal is so verbose, I'll just show the frame number and the ICMP header:

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

more etherdump

more etherdump

Frame 4 (98 on wire, 98 captured)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x169f (correct)
Identifier: 0xdd00
Sequence number: 00:00
Data (56 bytes)

0 3a5f a23a 36c3 0600 0809 0a0b 0c0d 0e0f :_.:6...........
10 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
20 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f !"#$%&'()*+,-./
30 3031 3233 3435 3637 01234567

Frame 5 (98 on wire, 98 captured)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0x1e9f (correct)
Identifier: 0xdd00
Sequence number: 00:00
Data (56 bytes)

0 3a5f a23a 36c3 0600 0809 0a0b 0c0d 0e0f :_.:6...........
10 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
20 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f !"#$%&'()*+,-./
30 3031 3233 3435 3637 01234567

Notice that Ethereal interprets all of the ICMP fields, including the Type and Code numbers. It also indicates the name of the utility that issued these ICMP packets -- before TCP initiated its 3-way handshake, three "ping" packets were sent out to verify connectivity between my telnet client and the telnet server. The first ping packet contained the echo-request and it was followed by the desired echo-reply.

Packets 6 and 7 contained the next echo-request/echo-reply pair. These packets were identical, except they both contained a sequence number of 01:00, instead of the sequence number of 00:00 you saw in Packets 4 and 5. Packets 8 and 9 contained the last echo-request/echo-reply pair and both shared a sequence number of 02:00. However, all six packets contained the same Identifier value of 0xdd00; this means that they were all issued from the same ping command.

To summarize, whenever you run the ping utility, you will send out ICMP Type 8 Code 0 packets. Each packet will have the same identifier, but every packet's sequence number will be increased by 1. If you have connectivity to the other host, you should receive back ICMP Type 0 Code 0 packets with the same identifier. If you don't receive all the packets back in sequence, you don't have a very reliable connection.

You've probably used the ping utility yourself to test the connection between two hosts running TCP/IP; you may have not known that ping uses ICMP. Here is an interesting article on ping by the author of the utility.

The traceroute utility is another utility that uses ICMP messages, but its usage is different from that of the ping utility. When you type traceroute hostname, three UDP packets are sent out with a TTL (time to live) value of 1. These three packets will arrive at the router closest to you which will decrease the TTL by one, meaning the TTL will now be 0. When routers notice a TTL of 0, they respond by sending an ICMP packet of Type 11 Code 0, or "time exceeded" as "time to live exceeded in transit." The traceroute utility will make note of the IP address of the router that sent back the three ICMP packets, calculate the time it took to receive each of the packets, then send out three more UDP packets, this time with a TTL of 2.

Because these packets have a TTL of 2, ICMP packets should be returned by the router that is two hops away from you. Once these packets are received and noted, traceroute sends out three more packets with a TTL of 3. The traceroute utility will continue this pattern until you either reach your final destination or you've gone through the default maximum of 30 routers. The results will be sent to your screen like so:

traceroute www.freebsd.org

traceroute to freefall.freebsd.org (216.136.204.21), 30 hops max, 40 byte packets
1 10.69.4.1 (10.69.4.1) 33.137 ms 110.654 ms 52.307 ms
2 d226-12-1.home.cgocable.net (24.226.12.1) 15.413 ms 36.285 ms 12.538 ms
3 cgowave-0-158.cgocable.net (24.226.0.158) 13.857 ms 14.130 ms 16.433 ms
4 cgowave-busy-core.cgocable.net (24.226.1.1) 15.304 ms 15.470 ms 14.940 ms
5 cgowave-0-202.cgocable.net (24.226.0.202) 16.681 ms 14.324 ms 16.357 ms
6 10.0.185.33 (10.0.185.33) 16.066 ms 15.919 ms 17.318 ms
7 c1-pos8-0.bflony1.home.net (24.7.74.29) 18.234 ms 18.063 ms 19.266 ms
8 c1-pos1-0.hrfrct1.home.net (24.7.65.253) 27.590 ms 25.213 ms 48.447 ms
9 c1-pos3-0.nycmny1.home.net (24.7.69.2) 32.722 ms 29.405 ms 29.724 ms
10 ibr02-p1-0.jrcy01.exodus.net (24.7.70.122) 31.728 ms 48.891 ms 29.017 ms
11 bbr02-g4-0.jrcy01.exodus.net (216.32.223.114) 37.117 ms 37.070 ms 62.180 ms
12 bbr01-p2-0.okbr01.exodus.net (216.32.132.109) 59.707 ms 40.090 ms 39.422 ms
13 bbr02-p3-0.sttl01.exodus.net (216.32.132.89) 142.048 ms 101.184 ms 86.259 ms
14 bbr01-g5-0.sttl01.exodus.net (216.32.29.19) 83.362 ms 83.433 ms 83.103 ms
15 bbr01-p1-0.tkwl01.exodus.net (209.185.9.66) 85.309 ms 123.174 ms 83.753 ms
16 bbr01-p4-0.sntc05.exodus.net (216.32.173.229) 88.995 ms 90.207 ms 88.723 ms
17 dcr01-g2-0.sntc05.exodus.net (64.56.192.3) 109.213 ms 90.418 ms 90.458 ms
18 g2-1.bas1-m.sc5.yahoo.com (64.56.207.146) 170.210 ms 164.354 ms 281.053 ms
19 freefall.freebsd.org (216.136.204.21) 91.146 ms 88.509 ms 91.049 ms

Note that the traceroute utility numbered each hop, gave the name and IP address of the associated router, and recorded the time it took to receive an ICMP response to each of the three UDP packets that were sent to each router.

The ping and traceroute utilities are the most common utilities used by users that involve the ICMP protocol. However, there is another ICMP type that you should be aware of as it can affect network performance if there are routers between you and your final destination.

When I captured the packets involved in the telnet session, both the telnet client and the telnet server were cabled onto the same LAN and none of the packets had to pass through a router. During the TCP 3-way handshake, each host indicated the maximum segment size (MSS) it was capable of receiving. The tcpshow utility did not interpret this data, but it can be seen using Ethereal:

more etherdump

Frame 10 (60 on wire, 60 captured)
Internet Protocol
Source: biko (10.0.0.2)
Destination: genisis (10.0.0.1)
Transmission Control Protocol, Src Port: blackjack (1025), Dst Port: telnet (23), Seq: 3205630181, Ack: 0
Source port: blackjack (1025)
Destination port: telnet (23)
Sequence number: 3205630181
Header length: 24 bytes
Flags: 0x0002 (SYN)
Window size: 16384
Checksum: 0x7814
Options: (4 bytes)
Maximum segment size: 1460 bytes

Frame 11 (58 on wire, 58 captured)
Internet Protocol
Source: genisis (10.0.0.1)
Destination: biko (10.0.0.2)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: blackjack (1025), Seq: 1746119590, Ack: 3205630182
Source port: telnet (23)
Destination port: blackjack (1025)
Sequence number: 1746119590
Acknowledgement number: 3205630182
Header length: 24 bytes
Flags: 0x0012 (SYN, ACK)
Window size: 17520
Checksum: 0x5fd9
Options: (4 bytes)
Maximum segment size: 1460 bytes

Because both computers were cabled onto the same LAN, they both understood and agreed upon a MSS of 1,460 bytes. Note that this is a maximum "segment" size, meaning a segment of data without including the extra bytes needed for the headers and frame. In this example, both hosts agreed that they wouldn't send a segment of data that was bigger than a 1,460-byte chunk.

What would happen if these two same hosts were not on the same LAN and their packets had to pass through a network that could only accept frames with a maximum transmission unit (MTU) size of 576 bytes? Because the two end hosts had already agreed upon a segment size of 1,460 bytes, they would be creating their IP packets accordingly. When these IP packets arrive at the router, which is cabled to the network with the smaller MTU, it will have to re-package every packet into smaller segments that will fit into the smaller size frames of that network. The destination host will then have to reassemble all of the fragmented packets back into the original agreed-upon sized segment. This creates more work and definitely slows things down.

To help prevent this, TCP uses something called Path-MTU Discovery. TCP will send out IP packets using the agreed MSS size, but will set the DF (don't fragment) bit to 1. If this packet is received by a router that needs to fragment the packet so that it will fit over a network that uses smaller-sized frames, the router will respond with an ICMP Type 3 Code 4 packet which translates to "destination unreachable as fragmentation needed" and "DF bit set." When the host receives this ICMP packet, it knows that it needs to start sending smaller packets.

You can read more about Path-MTU Discovery here.

The last ICMP type I'd like to cover is Source Quench, or ICMP Type 4 Code 0. This message is sent whenever a router is being overwhelmed by packets. It basically tells the host to slow down the rate it is sending packets so it can have a chance to deal with the packets it has already received. This is an important message -- if the host does not slow down its transmission rate, the router will run out of buffer space to store packets and will have to start throwing packets away. Every packet that is thrown away will have to be re-transmitted which will make the original situation worse.

The ICMP types we've covered do have implications when you start creating packet filter rules on your FreeBSD system. Next week, we will start looking at creating these rules, I'd like to summarize the ICMP types and codes that we'll need to be mindful of:
ICMP Type Code Used By
0 0 Ping
3 4 Path-MTU Discovery
4 0 Source Quench
8 0 Ping
11 0 traceroute

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Satpam part 2

2007-09-27T10:03:00.000+07:00

Satpam 1

2007-09-26T14:39:00.000+07:00

Security professionals break the term security into three parts: confidentiality, integrity, and availability.
1. confidentiality (rahasia)
Confidentiality is all about determining the appropriate level of access to information. Hak akses u/ data/file/folder.

2. Integrity (keutuhan)
Tidak adanya kehilangan data (data tetap utuh tanpa ada modifikasi).

3. Availability (ketersediaan)
Ketersediaan data yg akan diakses, menuju pada pemikiran back up data or system

Identifikasi Resiko
1. Attack
An attack against a system is an intentional attempt to bypass system security controls or organizational policies to affect the operation of the system (active attack) or gain access to information (passive attack). Attacks can be classified into insider attacks in which someone from within an organization who is authorized to access a system uses it in an unauthorized way, or outsider attacks, which originate outside of the organization's security perimeter, perhaps on the Internet at large
In order for active and passive attacks to succeed, something must be at fault. Attacks necessarily leverage fundamental behavioral problems in software, improper configuration and use of software, or both. In this chapter, we examine these classes of attacks including the special-case denial of service (DoS) attack.

2. Problem software
2.1 Buffer OverFlow
2.2 Injeksi SQL
There are, of course, ways to defend against SQL injection attacks from within web applications. One common approach is to parse every value provided by the user. Make sure it doesn't contain any undesirable characters like backticks, quotes, semi-colons, and so on. Also ensure that the valid characters are appropriate for the value being returned. To get around the problem completely, developers may be able to use stored procedures and avoid dynamically creating SQL.
2.3 Software problem lain

Proteksi :

Being aware of vulnerabilities is a good first step.
Installah 3rd party soft. yang jelas minim bugnya.
Rajin mengkuti mailing list
Selalu lakukan patch

3. DOS ATTACK
DoS attacks are active—they seek to consume system resources and deny the availability of your systems to legitimate users. The root cause of a system or network being vulnerable to a DoS attack may be based on a software vulnerability, as a result of improper configuration and use, or both. DoS attacks can be devastating, and depending on how they are carried out, it can be very difficult to find the source. DoS attacks have a diverse list of possible targets.

Target: physical
DoS attacks can occur at the physical layer. In an 802.11 wireless network, an attacker can flood the network by transmitting garbage in the same frequency band as the 802.11 radios.

Target: network
At the data link and network layers, traffic saturation can interfere with legitimate communications. Flooding a network with illegitimate and constantly changing arp requests can place an extreme burden on networking devices and confuse hosts. Attempting to push a gigabit of data per second through a 100 Mbps pipe will effectively overrun any legitimate network traffic. Too much traffic is perhaps the quintessential example of a DoS attack

Target: application
These DoS attacks generally use up some finite resource on a host such as CPU, memory, or disk I/O. An attacker may send several application requests to a single host in order to cause the application to consume an excessive amount of system resources.
She may simply exploit a bug in code once that causes the application to spiral out of control or simply crash. Some services that fork daemons at every new connection may be subject to a DoS if tens or hundreds of thousands of connections are made within a short period of time

Proteksi :
Physical -> lakukan load balancer
Network -> IDS hosts may be used to help detect these kinds of attacks and automatically update firewall or router configurations to drop the traffic
Application -> secure architecture and build, controlled maintenance, and monitoring logs.

4. Konfigurasi yang kurang sip.
4.1. Konfigurasi yang ceroboh
4.2 Acccount access.
permission file , setuid (memberikan akses hanya pada id, bukan pada nama user).
-r-sr-xr-x 1 root wheel 23392 Jun 4 21:57 traceroute

To find setuid and setgid files on your BSD system, run the following command:

% find / -type f $ -perm -2000 -o -perm -4000 $ -print

Securing apache part 2

2007-09-20T11:04:00.000+07:00

1. Listen port
Jika ada bbrp ip maka lakukan spesifikasi dgn Listen : IPV4:80

TimeOut	300 seconds	bisa dikecilkan (issue dos attack)
KeepAliveTimeout	5 seconds	bisa dikecilkan tapi jgn didisable.
LimitRequestBody	0 bytes (unlimited)	Restricts the total size of the HTTP request body sent from the client. If DoS attacks are occurring as a result of large requests, limit request size.
LimitRequestFields	100 fields	Limits the number of HTTP request header fields that will be accepted from the client. If DoS attacks are occurring as a result of too many HTTP request headers, lower this number.
LimitRequestFieldSize	8190 bytes	Limits the size of the HTTP request header allowed from the client.
LimitRequestLine	8190 bytes	This directive sets the number of bytes that will be allowed on the HTTP request-line.
MaxClients	256 requests	Sets the limit on the number of simultaneous requests that will be served.

Securing apache

2007-09-20T10:07:00.000+07:00

Cara securing apache part 1 :
1. Pastikan install security patch terbaru.
2. Sembunyikan informasi mengenai server dgn menambahkan baris berikut di httpd.conf
ServerSignature Off
ServerTokens Prod
3. Jangan jalankan apache dgn user administratif, buat saja user n group lain, misal www group www.
4. Untuk memblok agar apache tidak bisa mengakses selain document rootnya, lakukan sbb :

Order Deny,Allow
Deny from all
Options None
AllowOverride None

Order Allow,Deny
Allow from all

Untuk disable directory browsing, tambahkan berikut pada tag setelah
Options -Indexes

Untuk disable server side includes tambahkan berikut pada tag setelah
Options -Includes

Bisa juga spt ini : Options -ExecCGI -FollowSymLinks -Indexes
Atau jika ingin mendisable langsung aja Options None.

5. Mematikan support u/ .htaccess files
Tambahkan AllowOverride None pada tag setelah

Note :
Jika menggunakan pilihan Overrides pastikan file .htaccess tdk bisa didownloaded atau ubah namanya selain .htaccess. Misal, bisa kita ubah ke .httpdoverride dan block smua akses agar tdk bisa mendownload files start with .ht dgn cara sbb :

AccessFileName .httpdoverride

Order allow,deny
Deny from all
Satisfy All

6. Disable module yang tidak diperlukan :
grep LoadModule httpd.conf
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex
Modul² tersebut biasaya jarang diperlukan.

7. Pastikan hanya root yang bisa mempunyai hak akses binary dan config filenya
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

8. Kurangi TimeOut valuenya untuk menghindari DOS Attack
Timeout 60

9. Limiting large requests
LimitRequestBody 1048576 (akan melimit upload hanya sampai 1MB)

10. Limiting Concurrency
Apache mempunyai bbrp konfigurasi u/ menangani request berjamaah :P.
MaxClients : adl max. child proses yg akan dicreate u/ memenuhi request. Jangan diset terlalu tinggi jika memori anda ecek2.

Perintah yg lain adl MaxSpareServers, MaxRequestsPerChild, ThreadsPerChild, ServerLimit, MaxSpareThreads. Sesuaikan pilihan tersebut dgn OS dan hardware sistem.

11. Membatasi akses web dari IP / Network tertentu

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

12. KeepAlive setting
Defaultnya on. Bisa diubah ke MaxKeepAliveRequests 100, and the KeepAliveTimeout 15. Lihat log dan sesuaikan kebutuhan.

13. Jika sudah biasa menggunakan chroot atau jail maka lebih sip :P.

Sumpah ini bukan hasil oprekan saya :P, ini adalah kumpulan hasil gugling n coba² :P.

Ngeblok MAC address

2007-09-06T10:13:00.000+07:00

Tambahkan baris berikut di sysctl.conf (u/ mengaktifkan filtering pada layer 2)
# sysctl net.link.ether.ipfw=1

Contoh :
# ipfw -q add 2 deny mac 00:21:E8:21:A4:BD any
Deny from any source MAC address to destination MAC address 00:21:E8:21:A4:BD.
Sebagaimana dijelaskan di manualnya...
{ MAC | mac } dst-mac src-mac.

Lengkapnya check this out! : http://www.hmug.org/man/8/ipfw.php

Port di FReeBSD

2007-08-25T21:29:00.000+07:00

cd /usr/ports/ports-mgmt/portupgrade
make install clean
It's now possible to update all the software on the system by running the command:
portupgrade -ai

portaudit
which shows the published vulnerabilities affecting the packages installed on your system
As the superuser root, run:
cd /usr/ports/ports-mgmt/portaudit
and then
make install clean

It's now possible to update the vulnerabilities database and audit the installed packages by running the command:
portaudit -Fa

Those are some tricks you may find useful:
to show the differences between the version of the installed packages and the ones of the ports collection currently present on the system, run:
pkg_version -v

to print some informations of a port, like it's dependencies, for example of asterisk, run, in the /usr/ports folder, the command:
make search name=asterisk

to print the dependencies of an installed package, for example of gmake, run:
pkg_info -xr gmake

to print the dependencies of a package, even not installed, for example of proftpd, run, in the folder of it's port, the command:
make pretty-print-build-depends-list
but first you have to run, in the /usr/ports folder, the command:
make index
which, after a while, will build an index with the informations of the packages

And if, for example, the package portupgrade is installed, it's manual can be viewed by running:
man portupgrade

bwD

2007-08-23T22:02:00.000+07:00

libpcap from http://www.tcpdump.org/
libpng from http://www.libpng.org/
libgd from http://www.boutell.com/gd/

Download libcap in http://www.tcpdump.org/ and install

zlib – Free open source compression library
fetch http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make && make install

libpng – PNG reference library for creating graphics / images

fetch http://easynews.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.10.tar.gz
tar xvf libpng-1.2.10.tar.gz
cd libpng-1.2.10
./configure
make && make install

fetch http://www.boutell.com/gd/http/gd-2.0.33.tar.gz
tar xvf gd-2.0.33.tar.gz
cd gd-2.0.33
./configure --disable-shared --with-gd-lib=/usr/local/lib --with-gd-inc=/usr/local/include/
make
make install

Download bandwidthd-2.0.1.tgz
./configure && make && make install
ee /usr/local/bandwidthd/etc/bandwidthd.conf
subnet 10.10.10.0/25
dev "rl0"

/usr/local/bandwidthd/bandwidthd, akan mengcreate /usr/local/bandwidthd/htdocs
arahkan document directory webserver ke folder tsb & aktifkan webserver.

^___________^

FreeRadius dan my SQL

2007-08-23T11:19:00.000+07:00

INSTALL mySQL:
Pertama install dulu mysql, saya menggunakan mySql 5.
Jika sudah jalankan dan otomatisasi shg berjalan sewaktu reboot.

INSTALL FreeRadius:
cd /usr/ports/net/freeradius
% make && make install
Pilih mySQL support dan SNMP (optional).

CONFIGURE freeRADIUS:
% cd /usr/local/etc/raddb
Pastikan file² berikut ada

% clients.conf (basic config cukup & memakai localhost)

% users
Untuk pengetesan pertama tambahkan baris
ainoer Auth-Type := Local, User-Password == "testpass"

% cp snmp.conf.sample snmp.conf
% cp sql.conf.sample sql.conf
% cp huntgroups.sample huntgroups
% cp dictionary.sample dictionary
% cp hints.sample hints
% cp acct_users.sample acct_users
% cp preproxy_users.sample preproxy_users

% cp radiusd.conf.sample radiusd.conf
Edit radiusd.conf,
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

% radiusd -X &
% radtest ainoer testpass localhost 1812 testing123

Jika berhasil ada indikasi sbb :
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=119, length=20

CREATE DATABASE & TABEL
Login ke mysql dan create database dengan nama radius.
Carilah file dengan nama db_mysql.sql kemudian import ke database.
/bin/mysql -u root radius < /usr/local/share/examples/freeradius/db_mysql.sql

Masukkan record² berikut :
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('rahma', 'Password', 'passku');
INSERT INTO radgroupcheck (GroupName, Attribute, Value) VALUES ('dynamic', 'Auth-Type', 'Local');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-Protocol', ':=', 'PPP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Service-Type', ':=', 'Framed-User');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-MTU', ':=', '1500');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Assign-IP-Pool', ':=', '0');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Maximum-Time', ':=', '7200');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Route-IP', ':=', 'Route-IP-Yes');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Idle-Timeout', ':=', '1800');
INSERT INTO usergroup (UserName, GroupName) VALUES ('rahma', 'dynamic');

select * from radcheck;
+----+----------+-----------+----+--------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+--------+
| 1 | rahma | Password | == | passku |
+----+----------+-----------+----+--------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
| 1 | dynamic | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+

select * from radgroupreply;
+----+-----------+-------------------------+----+---------------------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-------------------------+----+---------------------+------+
| 1 | dynamic | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 |
| 2 | dynamic | Framed-Protocol | := | PPP | 0 |
| 3 | dynamic | Service-Type | := | Framed-User | 0 |
| 4 | dynamic | Framed-MTU | := | 1500 | 0 |
| 5 | dynamic | X-Ascend-Assign-IP-Pool | := | 0 | 0 |
| 6 | dynamic | X-Ascend-Maximum-Time | := | 7200 | 0 |
| 7 | dynamic | X-Ascend-Route-IP | := | Route-IP-Yes | 0 |
| 8 | dynamic | Idle-Timeout | := | 1800 | 0 |
+----+-----------+-------------------------+----+---------------------+------+

select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| rahma | dynamic | 1 |
+----------+-----------+----------+

% cd /usr/local/etc/raddb/
Edit sql.conf
Isikan password database( root dgn pass = "" jika masih belum diberi password)

Edit radiusd.conf.
Pada bagian authorize{}:
Hilangkan # pada 'sql'
Pada bagian accounting {}:
Hilangkan # pada 'sql' accounting{}.

Pada post-auth ():
Hilangkan # pada 'sql'
Hilangkan # 3 baris terkahir dari post-auth dan ganti ke sql modul.

Post-Auth-Type REJECT {
sql
}
kill & restart in debug.
% radiusd -X

Selamat mencoba ;)

Edited :

Ternyata ada yang kurang, settingan di atas kan database mysqlnya masih belum diberi password..
Setelah diberi password kmudain dijalankan la koq error...
rlm_sql_mysql: Mysql error 'Client does not support authentication please upgrade mysql client dst..

Coba cek librarynya :
# ldd /usr/local/lib/rlm_sql_mysql.so/usr/local/lib/rlm_sql_mysql.so:
libmysqlclient.so.12 => /usr/local/lib/mysql/libmysqlclient.so.12 (0x28157000)
libz.so.2 => /lib/libz.so.2 (0x28177000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x28187000)
libm.so.3 => /lib/libm.so.3 (0x2819f000)
libc.so.5 => /lib/libc.so.5 (0x28079000)
Udah sip tuw.. but why.. masak harus upgrade mysql clientnya kan versine udah 5.0 ach ngga harus dech kayaknya.. jgn percaya begitu saja sama warning :P .. googling dulu ach..
Setelah berpusing² eh jadi ingat instalasi pureftpd dgn mysql.. so aku coba dey..
# cd /usr/local/mysql/lib/mysql/
# cp * /usr/local/lib

Cihuy! Alhamdulillah..berhasil pemirsa..

Webstatistik dgn awstat

2007-07-16T14:43:00.000+07:00

# Download source awstat dan ekstrak
# Kopi directory "js", "classes", "css" and "icon" ke "/www/awstats"
# Kopi folder cgi-bin ke directory cgi-bin apache anda

Edit awstats.model.conf file & ubah bbrp parameternya :
LogFile = "../www/log.%YYYY%MM" (assuming your log files are being placed in the www root directory).
SiteDomain = "www.yourdomain.com"
DirIcons = "http://www.yourdomain.com/awstats/icon"
AllowToUpdateStatsFromBrowser = 1
/usr/local/nf/bin/perl ../cgi-bin/awstats.pl -config=model -update

Statistik bisa diakses di :
http://www.domain.com/cgi-bin/awstats.pl?config=model

PHP lagi..

2007-07-12T15:02:00.000+07:00

Singkatan dari PHP: Hypertext Preprocessor adalah salah satu bahasa pemrograman web yang paling populer digunakan. Pada saat ini pengguna PHP mencapai sekitar 7 juta domain meliputi sekitar 1 juta IP address.

Instalasi PHP pada Server
Berbeda dari kebanyakan penyedia layanan web hosting lainnya, PHP pada indoglobal.com kami konfigurasikan dengan tujuan supaya lebih fleksibel dengan menghindari kelemahan-kelemahan keamanan pada PHP.

Pada sistem kami, PHP kami install secara modular, dengan komponen-komponennya dipisahkan dari intinya. Hal ini kami lakukan untuk meningkatkan kapabilitas PHP pada server-server kami dan meminimalkan penggunaan sumber daya memori.

Modul-modul PHP yang kami install pada server kami adalah:

Module Description
bcmath BCMath arbitrary precision mathematics module
bz2 Bzip2 compression module
calendar Calendar module
ctype Character type module
curl Client URL library module
dba Hash file (DBM or similar) abstraction layer module
dbase dBase module
dbx Database abstraction layer module
dio Direct I/O Module
domxml Document object model (DOM) module
exif EXIF JPEG header module
filepro Filepro database module
fribidi Bidirectional text module
ftp FTP module
gd Image generation module
gettext Native language support and internationalization module
gmp GNU MP library for arbitrary precision arithmetic
iconv Character set conversion module using IConv
imap IMAP, POP3 and NNTP module
interbase Interbase database module
ldap LDAP client module
mcrypt MCrypt encryption module
mhash MHash hashing algorithm module
mime_magic MIME type detection module
ming Shockwave flash creation module using ming library
mnogosearch MnogoSearch search engine module
mysql MySQL database client module
ncurses Ncurses terminal screen control module
odbc UNIX ODBC module
overload Object property and method call overloading module
pcntl Process control functions module
pgsql PostgreSQL database client module
posix Module for accessing POSIX system interface
pspell PSpell spell checking module
recode Character sets encoding conversion using GNU Recode
shmop Shared memory module using SHMOP
snmp SNMP client module
sockets Low level sockets module
swf Shockwave Flash module using libswf library
sybase Sybase database client module
sysvmsg System V messages module
sysvsem System V semaphore module
sysvshm System V shared memory module
tokenizer Tokenizer module
wddx Web Distributed Data Exchange (WDDX) module
xmlrpc XMLRPC and SOAP module
xslt XSLT processor module
yaz YAZ module
yp YP module
zip ZIP files read access module
zlib Zlib compression module

Sedangkan modul-modul yang selalu termuat pada PHP karena alasan teknis adalah:

Module Description
openssl OpenSSL for SSL related cryptographic functions
pcre Perl compatible regular expression library
session HTTP session support
wddx Web Distributed Data Exchange module
xml Extensible Markup Language (XML) parser module

Module PHP Custom
Terkadang dibutuhkan module PHP yang tidak terdapat pada daftar kami di atas (misalnya: module PHP dari pihak ketiga), atau anda memrogram module PHP anda sendiri. Pada kasus-kasus tersebut anda dapat menginstall module PHP yang anda butuhkan.

Konfigurasi PHP di SiteManager
Segala sesuatu mengenai konfigurasi PHP dapat dilakukan pada SiteManager dengan menggunakan antarmuka yang intuitif dan mudah digunakan.

Anda dapat melakukan konfigurasi PHP untuk account anda secara global, dan untuk setiap subdomain anda. Subdomain-subdomain anda bisa memiliki konfigurasi masing-masing jika anda menginginkannya. Misalnya anda menginginkan pada subdomain 1 diinstall dukungan MySQL dan PCRE, namun pada subdomain 2 diinstall dukungan PostgreSQL dan GD.

Selain konfigurasi modul yang diinstall, anda juga dapat mengubah setting-setting PHP yang lainnya seperti penggunaan tag ASP, penanganan kondisi error dan lain-lain. Hampir semua setting yang biasanya harus diedit secara manual pada file php.ini kini dapat anda edit dengan mudah melalui SiteManager.

Dukungan PEAR
Sistem kami juga mendukung PEAR, apapun module PEAR yang anda perlukan dapat anda install dengan mudah melalui SiteManager. Termasuk di antaranya adalah module PECL. Dari SiteManager anda juga dapat menghapus instalasi module PEAR yang telah terinstall sebelumnya dan melihat informasi mengenai module PEAR. Anda juga dapat menggunakan antarmuka command line standard jika anda menginginkannya, seluruhnya telah kami set untuk anda.

Keamanan dan Fleksibilitas
Konfigurasi PHP pada lingkungan web hosting sudah biasa menjadi masalah. Hampir semua perusahaan web hosting mengkonfigurasikan PHP dalam bentuk module Apache. Konfigurasi ini memiliki masalah tergantung dari apakah safe mode dinyalakan atau tidak.

Tanpa safe mode, PHP sangatlah tidak aman. Seorang pengguna di sebuah sistem dapat melihat atau mendownload file miliki pengguna lain pada sistem yang sama. Kode PHP seperti akan dapat digunakan untuk melihat isi dari file-file milik pengguna lain, termasuk yang bersifat sensitif misalnya yang mengandung password database, nomor kartu kredit atau informasi lainnya.
Dengan safe mode, PHP sangatlah tidak fleksibel. Anda tidak akan dapat menggunakan sebagian besar program pihak ketiga karena safe mode akan menonaktifkan sebagian fungsi dari PHP. Seluruh program yang memerlukan penulisan atau pembacaan file sama sekali tidak akan berfungsi sama sekali.
indoglobal.com menggunakan konfigurasi lain. Kami menggunakan versi CGI dari PHP, dan bukan Apache module. Dengan cara ini, pelanggan-pelanggan kami dapat menggunakan PHP dengan aman dan seluruh program PHP akan berfungsi tanpa bermasalah. Dalam sebagian besar kasus anda bahkan tidak akan menyadari bahwa PHP dijalankan dalam mode CGI.

indoglobal.com adalah salah satu perusahaan web hosting pertama yang menyadari akan isu ini. Semenjak kami berdiri (tahun 1997, sebelum PHP 3 dirilis) kami telah nencoba berbagai macam konfigurasi PHP untuk mencari cara terbaik menjalankan PHP pada lingkungan shared hosting tanpa mengorbankan keamanan pengguna serta fasilitas dari PHP. Dari bertahun-tahun pengalaman kami, kami yakin bahwa konfigurasi ini merupakan cara terbaik untuk menjalankan PHP pada sistem shared hosting.

Ampun dech…..Guru Pembimbing aq memang sangat jeniuz orang nya tapi selalu merendah klo dipuji, jadi gua blom selesai yang diatas akan dikasih buku pemograman PHP dengan format bahasa Inggris….ehemmm pasti yang ini sangat favorite, dengan ketebalan hampir 1000 halaman coy…kira2 sendiri aja kalinya. Tapi yang namanya belajar tidak sulit kita harus niat.

diambil dr : http://paulvandyk.wordpress.com/

Ini dan itu di webserver

2007-07-12T13:33:00.000+07:00

Mendisable phpinfo function di PHP yg kiranya membahayakan :p (kecuali bagi admin).

If you leave phpinfo enabled and use some file other than phpinfo.php, it can still be found. It is pretty trivial to figure out that if you search for a couple specific terms, that you will find the PHP test page that somebody created and forgot about. Consider using safe mode. Just set:
; Safe Mode
;
safe_mode = On

in php.ini and restart your webserver to use this. You can verify whether safe mode is enabled using the above phpinfo technique. Another item to consider is the disable_functions directive. For instance, you could set this:

disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,
proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

Sedangkan di apache tambahkan line berikut :

ServerTokens Prod
ServerSignature Off

where's my bug??

2007-07-12T10:28:00.000+07:00

Sebelumnya test dulu sekuritas *satpam kalee* webserver qta, bisa menggunakan nikto.

# wget http://cirt.net/nikto/nikto-current.tar.gz
# tar -xvzf nikto-current.tar.gz
masuk directory nikto dan lakukan update.
# ./nikto.pl -update
Nah.. siap u/ testing :
# ./nikto.pl -h www.yahoo.com

Selamat mencoba... ;)

pospix

2007-07-10T21:42:00.000+07:00

Dari source file pospix lakukan sbb :
% make -f Makefile.init makefiles
% make tidy
% make
# mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
# mv /usr/bin/newaliases /usr/bin/newaliases.OFF
# mv /usr/bin/mailq /usr/bin/mailq.OFF
# chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF /usr/bin/mailq.OFF
/etc/passwd:
postfix:*:12345:12345:postfix:/no/where:/no/shell
/etc/group:
postfix:*:12345:
/etc/group:
postdrop:*:54321:
# make install (interactive version, first time install)
# make upgrade (non-interactive version, for upgrades)

Radio Serper

2007-06-08T15:47:00.000+07:00

Bagi kamu2 yang punya bakat presenter tapi belom kesampaian, ngga ada salahnya siaran di radio sendiri.. yuk2...buat stesyen radio sendiri..
Pertama siapkan dolo seperangkat *Nix box dengan soundcardnya
n then install icecast2 ama darkice..

ICECAST2

icecast membutuhkan pendukung sbb:
libxml2 - http://xmlsoft.org/downloads.html
libxslt - http://xmlsoft.org/XSLT/downloads.html
curl - http://curl.haxx.se/download.html (>= version 7.10 required)
NOTE: icecast may be compiled without curl, however this will disable all Directory server interaction (YP).
ogg/vorbis - http://www.vorbis.com/files (>= version 1.0 required)

Nah stl itu baru d/l souce icecast di www.icecast.org dan lakukan instalasi.
Jika setelah mencoba instalasi beberapa kali gagal terus dan sudah berputus asa dijalan Allah.. maka via port saja yha..

cd /usr/ports/audio/icecast2 && make install clean
proses instalasi akan berjalan dgn sendirinya, semetara anda harus bertobat dulu karena anda telah putus asa.. :P

Lakukan edit /usr/local/etc/icecast.xml dengan editor favorit ..

50
2
5

102400

65535

passku

passku2

admin

12345

123.134.237.237

8000

123.134.237.237

admin
runia

/tmp/dump-example1.ogg

65536

/test.ogg

/usr/local/share/icecast

/var/log/icecast
/usr/local/share/icecast/web
/usr/local/share/icecast/admin

access.log
error.log

4

0

OKeh2 sekarang jalankan icecast2nya
/usr/local/bin/icecast -c /usr/local/etc/icecast.xml &

DARKICE
cd /usr/ports/audio/darkice && make install clean
edit /usr/local/etc/darkice.cfg
# this section describes general aspects of the live streaming session
[general]
duration = 0 # duration of encoding, in seconds. 0 means forever
bufferSecs = 5 # size of internal slip buffer, in seconds
reconnect = yes
# this section describes the audio input that will be streamed
[input]
device = /dev/dsp # OSS DSP soundcard device for the audio input
sampleRate = 22050 # sample rate in Hz. try 11025, 22050 or 44100
bitsPerSample = 16 # bits per sample. try 16
channel = 1 # channels. 1 = mono, 2 = stereo

# this section describes a streaming connection to an IceCast server
# there may be up to 8 of these sections, named [icecast-0] ... [icecast-7]
# these can be mixed with [icecast2-x] and [shoutcast-x] sections
[icecast2-0]
format = mp3
bitrateMode = cbr # constant bit rate
bitrate = 16 # bitrate of the mp3 stream sent to the server
quality = 0.8 # encoding quality
server = 123.134.237.237
# host name of the server
port = 8000 # port of the IceCast server, usually 8000
password = passku # source password to the IceCast server
mountPoint = radio # mount point of this stream on the IceCast server
name = Radio - Trial
# name of the stream
description = This is only a trial
# description of the stream
url = http://123.134.237.237:8000
# URL related to the stream
genre = my own # genre of the stream
public = yes # advertise this stream?

/usr/local/bin/darkice -c /usr/local/etc/darkice.cfg &;

Sekarang akses http://123.134.237.237:8000 untuk melihat status servernya dan http://123.134.237.237:8000/admin/ untuk administrator.

Apa skr radiyo Qta sudah bisa on-er? tentu belum.. kalau sound cardnya belum diaktifken hihih...

# kldload snd_ich (jenis sonkarmu)
# ee /boot/default/loader.conf
snd_ich_load="YES" # Intel ICH
snd_driver_load="YES" # All sound drivers

Edit kernel dan compile
device sound
device snd_ich

Reboot... dan jalankan icecast & darkice

VipiEn ples Radiyus alias radi jayus hihihi...

2007-06-07T13:43:00.000+07:00

Instalasi Mysql
Set password

shell> mysql --user=root mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('');
mysql> flush privileges;
mysql> quit;2.3-

Buat database
mysqladmin --user=root -p create radius

Buat user mengakses database radius
shell> mysql --user=root -p mysql
mysql> GRANT ALL ON ftp.* TO radius@localhost IDENTIFIED BY '';
mysql> flush privileges;
mysql> quit;

shell> gunzip /usr/share/doc/freeradius/examples/db_mysql.sql.gz
shell> mysql --user=radius -p radius < /usr/share/doc/freeradius/examples/db_mysql.sql

shell> gunzip /usr/share/doc/freeradius/examples/mysql.sql.gz
shell> mysql --user=radius -p radius < /usr/share/doc/freeradius/examples/mysql.sql

The data base is made up of 8 tables making it possible to define: rights of each user drooits of each groups

The table: nas
Cetta table contains same information as the /etc/freeradius/clients.conf file. It makes it possible to add NAS.
key value
nasname 127.0.0.1
shortname nas1
type other
ports
secret mySecret
community public
description NAS1 for the tests

The table: radacct This table contains all information of connection, disconnection, etc… It is a table which you accederer in reading primarily. No parameter to be carried out in this table.

The table: radcheck This table contains information to be checked at the time of the authentification. Primarily it will contain login/password.
key value
UserName yoann
Attribute User-Password
op ==
Value test

This table functions like the table radcheck, but with a concept of group. (It allows for example checked that the users of group PPTP have well the value “1” (PPP) for the Framed-Protocol key, value 2 would have been for SLIPWAY)
key value
GroupName PPTP
Attribute Framed-Protocol
op ==
Value 1

The table: radreply This table contains the parameters returned with the customers after an authentification succeeded. (It makes it possible for example to allot an address IP specific to a user.)
key value
UserName yoann
Attribute Framed-IP-Address
op :=
Value 192.168.40.101

The table: radgroupreply This table functions like the table radreply, but with a concept of group. (It makes it possible for example to allot the IP of a waiter DNS has all the users of group PPTP)
key value
GroupName PPTP
Attribute MS-Primary-DNS-Server
op :=
Value 192.168.40.1

The table: usergroup This table definite the membership of a user has a group. It is indeed possible to define duties applicable to a user group.
key value
UserName yoann
GroupName PPTP
priority 1

The table: radpostauth To define…

KONFIGURASI RADIUS
/etc/freeradius/sql.conf
sql {
# Database type
driver = "rlm_sql_mysql"

# Connect info
server = "localhost"
login = "radius"
password = ""

# Database table configuration
radius_db = "radius"

...

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yesFramed-IP-Address
}

Note: The value readclients with yes, makes it possible to store the list of the NAS in the table nas of the data base radius, in addition to the NAS present in the /etc/freeradius/clients.conf file. The addition of a new entry in the table nas is not dynamic, enframed-IP-Address effect the list of the NAS is built with the launching of freeradius starting from the /etc/freeradius/clients.conf file and the table sql nas.

To take into account the changes, it to reload the files of configuration:
shell> /etc/init.d/freeradius
the /etc/freeradius/radiusd.conf file
modules {
chap {
authtype = CHAP
}

mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}

$INCLUDE ${confdir}/sql.conf #1249
}

authorize { #1774
chap
mschap
suffix
sql
}

authenticate { #1887
Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}
}

accounting {
sql
}

session {
sql
}

Test of the installation of freeradius
We will add a local NAS to test the configuration. For that it is necessary to publish the /etc/freeradius/clients.conf file
client 127.0.0.1 {
secret = mySecret
shortname = localhost
nastype = other
}

It is necessary for us to create an entry for the NAS whose IP is 127.0.0.1, and to specify a key secrecy which will be used for encoding of information between the NAS and the Waiter Radius. Note: We could here, to add an entry in the table nas base sql, but we will approach this solution further.
To launch freeradius in mode comforts: debug mode

To have a maximum of information for debuger our installation, and to include/understand what it occurs, we will stop the service freeradius and the throw in mode comforts with the options which are well:

shell> /etc/init.d/freeradius stop
shell> freeradius -XXX

To add an account of test in our table radcheck

shell> mysql --user=radius -p radius
mysql> INSERT INTO radcheck(UserName,Attribute,op,Value) VALUES ('yoann','User-Password','==','test');
mysql> quit;

We added here the user “yoann” with the password “test”
Test of the authentification We go use the tool radtest whose syntax is as follows:
radtest
Note: to use the port by default radius you can use 0.

shell> radtest yoann test 127.0.0.1 0 mySecret
Sending Access-Request of id 186 to 127.0.0.1 port 1812
User-Name = "yoann"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=186, length=20

If the authentification is correct, you will receive the Access-Accept message. You can now stop freeradius in mode comforts (Ctrl+C) and start again it in time that service. shell> /etc/init.d/freeradius start

Installation/Configuration of pptpd
You must, above all, you ensure that your kernel supports the MMPE Encryption which will allow us crypter the data in MPPE-128, in addition to authentification MS-CHAP-V2

/etc/pptpd.conf
option /etc/ppp/pptpd-options
logwtmp
localip 10.1.100.254
remoteip 10.1.100.1-200
Note: The line remoteip optional, because it is perhaps replaced by the value of attribute Framed-IP-Address contained in our table radreply

/etc/ppp/pptpd-options
Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Authentification Encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

# Data Encryption
require-mppe-128

# Disable BSD Compression
nobsdcomp

# Network and Routing
ms-dns 10.1.100.254
proxyarp
nodefaultroute

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive access.
lock

# Enable connection debugging facilities.
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump

# Miscellaneous
ipcp-accept-local
ipcp-accept-remote

lcp-echo-failure 3
lcp-echo-interval 5

# Plugins
plugin radius.so

Menyiasati partisi penuh dgn Linking

2007-06-04T10:50:00.000+07:00

First of all, you must have available empty space contiguous with
the partition you wish to expand. If you do not have that, then
you will have to start from scratch, or add another disk drive.

You can use sysinstall to recreate partitions and modify slices as
long as there is space available and as long as the drive or slice
is not mounted and in use. (drive is you are modifying slices and
slice if you are modifyine partitions)

If you do not use sysinstall then fdisk is used to change slices. You
may need to do it from a fixit disk because it is likely you will be
modifying the FreeBSD slice that the system normally uses to boot.

If you want to change a partition within a slice (namely the FreeBSD
slice) you need to use bsdlabel(8). That creates and writes the slice's
label and defines partitions. After using bsdlabel, you must use
newfs(8) to create the file system on the newly created/modified partition.

But, still, to add space to a partition, there must be free space -
eg space that is not in a partition already - right next to the
partition you want to expand.

Alternatively, you do not specifically have to increase the /var partition.
you can move some of its contents to another partition where there is
sufficient free space (if such exists) and then create symbolic links
to the new location[s]. Common candidated for such moving and linking
are /var/spool, /var/log, /var/db and/or /var/mail.

My habit is to have a large partition that contains home directories
and other overflows. Typical mount point is /home.
Then, I usually put /var/spool and /var/log there as directories
named /home/var.spool and /home/var.log and link them back to
the original names in /var. eg, after copying those directories
over to /home/var.spool and /home/var.log respectively, I then
rm the original /var/spool and /var/log and then create links.
Actually, first I rename them, then do the link and check things
before actually rm-ing the originals. Something like this:

All must be done as root (and probably best in single user, but not required).
cd /var
use tar | tar or cp -Rp to make a new copy in /home
cp -Rp spool /home/var.spool
mv spool oldspool
ln -s /home/var.spool spool
cp -Rp log /home/var.log
mv log oldlog
ln -s /home/var.log log
Check it all out to make sure it is just fine
cd /var
rm -rf oldspool
rm -rf oldlog

I like to use the naming convention of var.spool and var.log for the
copies because it reminds me of where there come from.

I a similar thing with /var/db in /var
and with /uar/local, /usr/ports, and /usr/src in /usr

Then those things which grow, sometimes unexpectedly can have room
without me constantly monitoring them. It also makes backups more
straightforward. Everything that is frequently changing is in /home.

Of course, if you do not have a large directory with plenty of
space available, then you may be looking to add some disk space.

Tipz

2007-06-02T18:27:00.000+07:00

FSCK Otomatis
If your server/box gets stuck at fsck after a reboot or a crash, then just add the following lines to /etc/rc.conf:

fsck_y_enable=”YES”

It will run fsck automatically and will avoid your box getting stuck after reboot waiting for somebody to manually run fsck.

IPFW tanpa compile kernel
IF you don’t want to recompile kernel, just because you want to enable ipfw, you can use the following command to do so:

kldload ipfw && ipfw add 65534 allow all from any to any

Never issue the above command without ipfw add 65534 allow all from any to any else you might end up with a locked box.

twiking

2007-06-02T18:26:00.000+07:00

sysctl.conf for your high traffic server - under high load :

security.bsd.see_other_uids=0
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
#kern.ps_showallprocs=0
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
net.inet.tcp.inflight.enable=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
kern.ipc.somaxconn=1024
net.inet.ip.check_interface=1

kern.maxfiles=32768
kern.maxfilesperproc=2000

kern.ipc.maxsockets=163840
kern.ipc.maxsockbuf=2097152

net.inet.ip.fw.dyn_syn_lifetime=1
net.inet.ip.fw.dyn_max=65535
net.inet.ip.fw.dyn_buckets=256
net.inet.ip.fw.dyn_udp_lifetime=5

net.inet.tcp.msl=7500