Adding a hard disk in FreeBSD

| Monday, June 16, 2008

The story starts with a server installation using 2 HDs. Both "Sigit" brand HDs were attached to IDE 1 as boss and servant, alias master and slave.
FreeBSD knows them as ad0 and ad1. I installed FreeBSD on ad0, while ad1 has no OS on it, just a data partition.

Jreng.. jreng.. fate had other plans: installed only the night before and it was already acting up, hehe..
After checking here, there and everywhere it turned out one of the HDs was bad. Luckily it was the one I had partitioned as data, not the OS one.. if it had been the OS disk I'd have been stuck reinstalling all over again... :P

In the end I put in a new HD, but this time I didn't make the second HD the servant. Both are master, to be fair. Now, since this replacement HD still had an NTFS partition, we need to repartition it, label it and mount it so my OS can read it.
Here's the quick way:

- type sysinstall for FreeBSD version 6 and up; for v.5 and below type /stand/sysinstall.
- choose Configure - Partition
- delete all partitions (d) - type a - type w; if a prompt appears just choose yes - type q to finish
- for the MBR install option, choose "none".
- choose Label
- type c - if you want a single partition don't edit the number shown - then choose "file system" and type the mount point name, e.g. /data
- type w - choose "yes"
- type q to finish

Not done yet, because /etc/fstab doesn't have the mount point in it :P
Just add it:
# Device Mountpoint FStype Options Dump Pass#
/dev/ad2s1d /data ufs rw 2 2

Done.

There's also a way to do it in text mode:

# fdisk -BI /dev/ad2 (one slice using the whole disk)
# bsdlabel -w -B ad2s1 (write a standard label on the slice; bsdlabel works on ad2s1, not on the d partition)
# bsdlabel -e ad2s1 (add the d partition that will hold the data file system)
# bsdlabel ad2s1 (check the result)
# newfs /dev/ad2s1d
# mount /dev/ad2s1d /data

Don't forget to add the mount to /etc/fstab
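An added example (my own sh, not from the original post): a small function that appends the fstab line above only if neither the device nor the mount point is already listed, so running it twice after swapping a disk does not leave two entries for /data. The file name, device and mount point are arguments, and the demo works on a constructed copy of fstab rather than the real one.

```shell
#!/bin/sh
# add_fstab_entry FSTAB DEVICE MOUNTPOINT
# Appends "DEVICE MOUNTPOINT ufs rw 2 2" to FSTAB unless DEVICE or MOUNTPOINT
# already appears in a non-comment line. Returns 0 when a line was added,
# 1 when an entry already existed (nothing is written in that case).
add_fstab_entry() {
    fstab=$1; dev=$2; mnt=$3
    # column 1 is the device, column 2 the mount point; '#' lines are skipped
    if awk -v d="$dev" -v m="$mnt" '
        /^[[:space:]]*#/ { next }
        $1 == d || $2 == m { found = 1 }
        END { exit !found }' "$fstab"; then
        echo "$dev or $mnt is already in $fstab, not adding" >&2
        return 1
    fi
    printf '%s\t%s\tufs\trw\t2\t2\n' "$dev" "$mnt" >> "$fstab"
    echo "added $dev on $mnt to $fstab"
}

# Demo on a constructed copy so nothing touches the real /etc/fstab.
demo_fstab=$(mktemp)
printf '# Device\tMountpoint\tFStype\tOptions\tDump\tPass#\n' > "$demo_fstab"
printf '/dev/ad0s1a\t/\tufs\trw\t1\t1\n' >> "$demo_fstab"
add_fstab_entry "$demo_fstab" /dev/ad2s1d /data     # added
add_fstab_entry "$demo_fstab" /dev/ad2s1d /data     # refused: already there
cat "$demo_fstab"
rm -f "$demo_fstab"
```

The mount point directory itself still has to exist (mkdir /data) before mount -a or the next boot picks the entry up.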

^___^

Samba isn't only in Brazil :P

| Saturday, June 07, 2008

Who says samba is typically Brazilian? The proof: here we have sambal terasi.. sambal goreng ati :P.

Bismillah, let's start making the sambal..

# cd /usr/ports/net/samba
# make install clean
# cd /usr/ports/security/samba-vscan (I use clamd)
# make install clean

The samba configuration file is at /usr/local/etc/smb.conf
Let's edit the configuration file:

[global]
workgroup = grupkerjo
security = share
server string = Data Server
log file = /var/log/samba/log.%m
log file = /var/log/Samba-%m.log
#local master = yes
#os level = 65
#domain master = yes
#preferred master = yes
#null passwords = no
#hide unreadable = yes
hide dot files = yes

[data]
comment = This is just a comment, it doesn't affect anything.. honest!
browseable = yes
writable = yes
path = /data/home/
security = USER
encrypt passwords = yes
smb passwd file = /usr/local/etc/samba/smbpasswd
username map = /etc/passwd

[umum]
comment = %h Shared Public Directory
path = /data/umum/
force directory mode = 0777
force create mode = 0777
force group = nobody
force user = nobody
public = yes
writeable = yes
read only = no
vfs object = vscan-clamav
vscan-kavp: config-file = /usr/local/etc/samba-vscan/vscan-clamav.conf


Note:
If we access the samba server, say its IP is 10.11.12.13, there will be 2 folders, data and umum. umum can be accessed without any login, while the data folder will prompt for a login.

To create a login, adduser in the OS, say the username is runia.
Then create that login for samba too:
# smbpasswd -a runia

Next up is an experience that's simple but annoying :))
The thing is, from Windows, when you want to access a samba folder we've put a password on, the username always defaults to the login you used when you logged into Windows.. (usually Guest).

To get around it, go to our folder - right click - Map Network Drive. THEN click the "login as different user" option. Enter our login, e.g. runia, along with its password...

Happy trying.. and good night.. I'm sleepy

Installing squidGuard

| Friday, April 04, 2008

Install BerkeleyDB

cd /downloads
fetch http://www.sleepycat.com/update/snapshot/db-4.3.28.NC.tar.gz (the version must match the tar/cd lines below)
tar xzvf db-4.3.28.NC.tar.gz
cd db-4.3.28.NC
cd build_unix
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
cd ..
cd ..
cd /usr/local/BerkeleyDB/lib
cp * /usr/local/lib
cd /usr/local/BerkeleyDB/include
cp * /usr/local/include

fetch http://www.squidguard.org/squidGuard-1.2.0.tar.gz
tar -xzvf squidGuard-1.2.0.tar.gz
cd squidGuard-1.2.0
./configure
make
make test
make install

create the directory
mkdir -p /usr/local/squidGuard/log
cd /usr/local/squidGuard/
fetch http://squidguard.mesd.k12.or.us/blacklists.tgz
tar -xzvf blacklists.tgz
mv blacklists db
chown -R squid:squid db

create the file
ee /usr/local/squidGuard/squidguard.conf

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
dest ads {
domainlist ads/domains
urllist ads/urls
}

dest drugs {
domainlist drugs/domains
urllist drugs/urls
}

dest gambling {
domainlist gambling/domains
urllist gambling/urls
}

dest hacking {
domainlist hacking/domains
urllist hacking/urls
}

dest porn {
domainlist porn/domains
urllist porn/urls
}

dest redirector {
domainlist redirector/domains
urllist redirector/urls
}

dest spyware {
domainlist spyware/domains
urllist spyware/urls
}

dest violence {
domainlist violence/domains
urllist violence/urls
}

dest white {
domainlist white/domains
urllist white/urls
}

acl {
default {
pass white !ads !drugs !gambling !hacking !porn !redirector !spyware !violence all
redirect http://localhost/block.html
}
}

Add the following line to squid.conf
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidguard.conf

Run squidguard
/usr/local/bin/squidGuard -c /usr/local/squidGuard/squidguard.conf
and restart squid
/squid/sbin/squid -k reconfigure

Don't be sad.. be optimist!

| Wednesday, March 26, 2008

He said: "My Lord, indeed my bones have grown weak and my head has turned grey, and never, my Lord, have I been disappointed in my prayer to You." (Qur'an 19:4)
The power of prayer and faith in the help of the Lord who owns all and wills all is the proof of a servant's trust in God, like the prayer of the prophet Zakariya quoted above. May we take the lesson from it and be sure that every problem has a way out. And if there isn't one, well, you can always use the emergency stairs with the EXIT sign.. :P..

automatic file copying

| Tuesday, March 25, 2008

Just now, for fun, I helped a friend write a script that copies files under a certain condition. Here's the script:

# ee /etc/duplikat
#!/bin/sh
# copy the 20 most recently modified regular files from coba to coba2
cd /home/rahma/coba || exit 1
# ls -rtp marks directories with a trailing "/", so they can be dropped;
# ls -rt lists oldest first, so tail keeps the 20 newest
ls -rtp | grep -v '/$' | tail -n 20 | while read -r file; do
echo "$file"
cp "$file" /home/rahma/coba2/
done

The script above duplicates the 20 newest files from the coba folder into the coba2 folder.
Just put it in crontab and have it run at whatever time you want ^^.

Injury Time

| Friday, March 07, 2008

Tomorrow is my last day as an office worker...
Yup, I resigned, after being there quite a long time.
When I told my parents: It's OK! as long as I finish my studies quickly ^^.
Dad even said that once I have my diploma I should work on my English and look for a scholarship abroad. What a strange dad..:P he should be telling me to hurry up and get married, instead he tells me to go back to school. But that's fine, if Allah gives me the chance I'll make your dream come true, Dad! I'll try my best for you two!

Bye.. bye my office.. lots of joy.. lots of sorrow.. lots of experience and lessons there... Bye bye Nokia 2255, bye wireless.. bye corner desk by the window ^_^

Time to start something new and better. BISMILLAH....

Captive portal with apache-ssl & chillispot

| Thursday, March 06, 2008

This post is a repost, since the old one was never finished and a friend happens to be racking his brains trying to get this captive portal going. Let's just start, ok.. *bismillah*

HARDWARE CONFIGURATION SESSION

# ee /usr/src/sys/i386/conf/kernelku

Edit the kernelku file; the firewall options are up to you, but device tun is mandatory, fardhu 'ain!

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFILTER
options IPDIVERT # if NAT will later be done with natd
options DUMMYNET
options TCP_DROP_SYNFIN
device tun

save and build the kernel
# config kernelku
Kernel build directory is ../compile/kernelku
Don't forget to do a ``make depend''
# cd ../compile/kernelku
# make depend && make && make install && reboot

Ok, the kernel business is done; make sure we have 2 NICs. Go ahead and configure the NIC connected to the internet, but do not give an IP to the one connected to the AP (wireless device). Here's an example:

# ifconfig
rl0: flags=8802 mtu 1500
options=8
ether 00:0e:2e:cb:3c:bb
media: Ethernet autoselect (100baseTX )
status: active

xl0: flags=8843 mtu 1500
options=9
inet 203.134.232.20 netmask 0xffffffc0 broadcast 203.134.232.63
inet6 fe80::2b0:d0ff:fe4b:af9%xl0 prefixlen 64 scopeid 0x2
ether 00:b0:d0:4b:0a:f9
media: Ethernet autoselect (100baseTX )
status: active

For the AP (Access Point) just set its SSID, set the mode to Access Point, and give it any IP you like (the default IP is fine); what matters is that clients can connect to our AP. Don't enable its DHCP, because later chilli is the one handing out IPs to connecting clients.

HEADACHE SESSION

Ok, the hardware side is done; now we start installing the software we need:

download the openssl source openssl-0.9.8e and extract it
./config
make && make test && make install

download the apache source httpd-2.2.3 and extract it
./configure --prefix=/usr/local/apache --enable-ssl --with-ssl=/usr/local/ssl
make && make install

To enable ssl in httpd, see this link: http://www.dev411.com/wiki/Installing_Apache2_SSL

For installing radius, follow the instructions in my earlier post on it (mysql must be installed, ok)

download the chillispot-1.0 source and extract it
./configure
make && make install

# ee /usr/local/apache/conf/httpd.conf (my cgi & ssl directory settings are as follows:)
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
Include conf/extra/httpd-ssl.conf

# ee /usr/local/apache/conf/extra/httpd-ssl.conf
Listen 443
DocumentRoot "/data"
ServerName 192.168.182.1
ServerAdmin noc.spin.net.id
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

# cp /usr/local/share/chillispot/hotspotlogin.cgi /usr/local/www/cgi-bin/
# cp /usr/local/share/chillispot/chilli.conf /etc/chilli.conf

I assume freeradius and mysql are already installed and working.
For chilli, the configuration is in /etc/chilli.conf; set it as follows:
net 192.168.182.0/24
dynip 192.168.182.0/24
statip 192.168.182.0/24
dns1 203.134.239.153
dns2 203.134.232.3
radiuslisten 203.134.232.20
# the IP where the radius server is installed
radiusserver1 203.134.232.35
radiusserver2 203.134.232.35
radiusauthport 1812
radiusacctport 1813

# TAG: radiussecret
# Radius shared secret for both servers
# For all installations you should modify this tag.
radiussecret testing123
# the radius password is in /usr/local/etc/raddb/clients.conf

dhcpif rl0
# name of the interface connected to the wireless device

# Universal access method (UAM) parameters
uamserver https://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamhomepage http://192.168.182.1/welcome.html
uamsecret ht2eb8ej6s4et3rg1ulp
uamport 3990
uamallowed 192.168.182.1,203.134.232.20,203.134.232.35,203.134.232.3,203.134.239.153

# ee /usr/local/apache/cgi-bin/hotspotlogin.cgi
$uamsecret = "ht2eb8ej6s4et3rg1ulp";
$userpassword=1;

The uamsecret in chilli.conf and in hotspotlogin.cgi must be the same.
My web directory is at /data, and I created welcome.html there with the following content:

Click Here For Login
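An added example (my own sh, not part of the post): a quick check that the uamsecret in chilli.conf equals the $uamsecret in hotspotlogin.cgi. Chilli and the login CGI both use this shared secret in the login challenge, so when the two files disagree every client login fails with no obvious error. The files in the demo are constructed, using the secret value shown above.

```shell
#!/bin/sh
# check_uamsecret CHILLI_CONF HOTSPOTLOGIN_CGI
# Extracts "uamsecret <value>" from chilli.conf and $uamsecret = "<value>";
# from the login CGI and compares them.
# Returns 0 on match, 1 on mismatch, 2 if either file has no secret.
check_uamsecret() {
    chilli=$(awk '$1 == "uamsecret" { print $2; exit }' "$1")
    cgi=$(sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1)
    if [ -z "$chilli" ] || [ -z "$cgi" ]; then
        echo "uamsecret missing in $1 or $2" >&2
        return 2
    fi
    if [ "$chilli" = "$cgi" ]; then
        echo "uamsecret matches"
        return 0
    fi
    echo "uamsecret MISMATCH: $1 has '$chilli', $2 has '$cgi'" >&2
    return 1
}

# Demo on constructed copies of the two files.
demo=$(mktemp -d)
printf 'net 192.168.182.0/24\nuamsecret ht2eb8ej6s4et3rg1ulp\nuamport 3990\n' > "$demo/chilli.conf"
printf '$uamsecret = "ht2eb8ej6s4et3rg1ulp";\n$userpassword=1;\n' > "$demo/hotspotlogin.cgi"
check_uamsecret "$demo/chilli.conf" "$demo/hotspotlogin.cgi"
rm -rf "$demo"
```

On the real box: check_uamsecret /etc/chilli.conf /usr/local/apache/cgi-bin/hotspotlogin.cgi. Both files hold the secret in clear text, so they should not be world-readable either.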

Enable ipnat in /etc/defaults/rc.conf, then add the following line to the ipnat configuration file.
# ee /etc/ipnat.rules
map rl0 192.168.182.0/24 -> 203.134.232.20/32

OK, once everything is done, start chilli as follows:
# chilli --fg -c /etc/chilli.conf &
The ifconfig output is then as follows:

rl0: flags=8843 mtu 1500
options=8
inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.255
inet6 fe80::20e:2eff:fecb:3cbb%rl0 prefixlen 64 scopeid 0x1
ether 00:0e:2e:cb:3c:bb
media: Ethernet autoselect (100baseTX )
status: active

xl0: flags=8843 mtu 1500
options=9
inet 203.134.232.20 netmask 0xffffffc0 broadcast 203.134.232.63
inet6 fe80::2b0:d0ff:fe4b:af9%xl0 prefixlen 64 scopeid 0x2
ether 00:b0:d0:4b:0a:f9
media: Ethernet autoselect (100baseTX )
status: active

tun0: flags=8051 mtu 1500
inet6 fe80::20e:2eff:fecb:3cbb%tun0 prefixlen 64 scopeid 0x4
inet 192.168.182.1 --> 192.168.182.1 netmask 0xffffff00
Opened by PID 42197

Good luck and don't give up.. it took me days of fiddling with this too, and alhamdulillah it worked.. but in the end it wasn't used... damn! :P

From Outlook Express to Thunderbird

| Wednesday, March 05, 2008

For a certain reason I have to migrate all my mail, currently in Outlook Express, to Thunderbird. There's so much of it.. thousands of emails.. no wonder, mail from the bad old days right up to the even worse days is all still there..

After trying and trying.. again.. you try... *how did that turn into a dangdut song?*
It turns out the easiest way is simply to copy the folder where OE keeps its mail database (.dbx) and import it into TB.

The folder location in OE can be checked via Tools - Options - the Maintenance tab - there's the Store Folder, right? That's where it is... If TB is on a different PC, just copy the contents of that folder and paste them onto the destination PC. Then open TB, click Tools - Import - choose Mail - choose Outlook Express and point it at the folder where the mail database is - click OK..

All done... if you have thousands of emails, just go have a coffee in the meantime :P.

InnoDB in MySQL


InnoDB?
I only just found out about it myself; below is a quote about InnoDB (taken from here, plus the settings for my MySQL version 5 installed on FreeBSD 5.4).

The default table type in MySQL is MyISAM; besides that, MySQL also supports the InnoDB and BerkeleyDB table types. InnoDB tables support transactions, row-level locking and foreign keys. Creating an InnoDB table is the same as for MyISAM, with just a small difference in the ENGINE used.
For example:
CREATE TABLE parent (id INT NOT NULL, PRIMARY KEY (id)) ENGINE=INNODB;
CREATE TABLE child (id INT, parent_id INT, INDEX par_ind (parent_id), FOREIGN KEY (parent_id) REFERENCES parent(id) ON DELETE CASCADE) ENGINE=INNODB;

If you don't write ENGINE=INNODB, the table created is MyISAM.
ON DELETE CASCADE means that when a record in the parent table is deleted, the records in the child table related to that parent record are deleted as well. There are various other options such as ON DELETE RESTRICT, ON UPDATE CASCADE, etc. that can be used as the database requires.

To enable innodb, edit /etc/my.cnf and in the innodb section set:
# Uncomment the following if you are using InnoDB tables
innodb_data_home_dir = /usr/local/mysql/var/
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /usr/local/mysql/var/
innodb_log_arch_dir = /usr/local/mysql/var/
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 16M
innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50

OK, save and restart mysql.
Done.. done.. let me get a drink first.. thirsty..

A small mistake that's FATAL

| Monday, February 25, 2008

Being human, we aren't free from mistakes, negligence and carelessness. The consequences vary, and it's not rare for even a small mistake to be fatal. Just imagine a doctor making a tiny slip in a prescription or a diagnosis; it can end in death, right..

Ok, we won't discuss medicine because I don't understand it at all. I just want to write down a small mistake of mine that was fatal, though not to the point of causing death *sigh*

Yesterday afternoon my server's load was really, really heavy... like a young man riding a BMW with a Lampung elephant on his lap! Right away my brain, which like most Indonesian brains is probably rarely used for fear of wearing it out, started working.
Suddenly I was already logged in on the gateway for the servers, allowing certain IPs that are permitted to access the server and denying the IPs that aren't needed, to reduce the load on my server with the elephant sitting on it..
Crap!
There was a wrong rule when I typed in the firewall commands...
So I could no longer reach the gateway, and the other servers likewise, except for the server with the elephant on it.

Help.. tasukete kudasai!..
The gateway is far away in the flooded, congested capital, 924 km from here.
I had to call a friend there first; after a nerve-wracking and annoying process we got through, and he needed more than 30 minutes to get there and sit down at its console.
Oh, just a small trial like this and I'm already half dead with worry; well, understandable, since the gateway serves several very important servers.

Finally everything was sorted out *of course, the rule was simple but deadly*
The sluggish server turned out to be one of the customers eating up the server's resources, so for now I've suspended them.
I've sent the report too, a report just as it was, without any seasoning at all. I wrote down the chain of events from start to finish, through to the main effect, along with the mixed feelings of a labourer churning in my chest. Well, what can you do, it was my mistake, so all that's left is to be ready for the consequences..

Lessons to take away:
1. Sometimes, with just a little trial, a person already feels miserable. Sometimes curses even come out, as if forgetting that the blessings already received are so many they can't be counted; even with a Lampung elephant's fingers helping, it still wouldn't be enough to count them. A calculator would probably buffer overflow if we forced it to count.

2. When doing something that has to be finished quickly and is fairly troublesome, make a habit of calming yourself down, concentrating fully, and don't forget bismillah.

3. Try to keep the room conducive: no friends disturbing you, no noise or other unimportant things.

| Friday, February 22, 2008

dns1 named[1376]: client 125.162.42.67#64136: update 'swisscontact.or.id/IN' denied

I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
A:
Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured to do so. If the update requests are coming from a Windows 2000 machine, see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for information about how to turn them off.

DNS - named: ignoring out-of-zone data


Using BIND? and getting an error like this:

named[375]: master/domain.org:11: ignoring out-of-zone data ns2.mine.net.id

same here :P

At first I thought there was a mistake in the zone file. But after going over it in the shortest possible time, everything was correct, huh? what's going on.. what's going on.. :p
I tried querying from outside for the domain with the error and it worked; I checked from DNS-checking sites too and the records were all found.

In the end I just let it be, it didn't seem to matter..
Until this morning there was an email from the boss, who had found that log entry and told me to find out why..
Honestly I was confused too, because searching google turned up nothing, and whatever I did find was all about badly written zones..

By chance there was an additional root server error bla bla.. too bad that log entry is gone :(
Without thinking too long, just trying my luck, I replaced named.root

# dig @a.root-servers.net . ns > named.root
# rndc reload

Hurray.. thank god.. I see the log is clean now.. and queries are smooth.. muach...

Oops.. don't celebrate yet.. another trial.. this error shows up in the log, lots of it..

Feb 22 09:36:46 dns1 named[1376]: client IP#57305: RFC 1918 response from Internet for 3.0.168.192.in-addr.arpa

Luckily it's in the FAQ:


Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
A:
If the IN-ADDR.ARPA name covered refers to an internal address space you are using then you have failed to follow RFC 1918 usage rules and are leaking queries to the Internet. You should establish your own zones for these addresses to prevent you querying the Internet's name servers for these addresses. Please see http://as112.net/ for details of the problems you are causing and the counter measures that have had to be deployed.
If you are not using these private addresses then a client has queried for them. You can just ignore the messages, get the offending client to stop sending you these messages as they are most probably leaking them, or set up your own empty zones to serve answers to these queries.

zone "10.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "16.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
...
zone "31.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "168.192.IN-ADDR.ARPA" {
type master;
file "empty";
};

empty:
@ 10800 IN SOA . . (
1 3600 1200 604800 10800 )
@ 10800 IN NS .


Hahaha.. such sophisticated English.. what's clear is that my dns isn't used to query local IPs, so as suggested above I added those zones.. then reloaded.
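An added example (my own sh, not from the BIND FAQ or the post): given named log lines like the one above, this function works out which RFC 1918 reverse zones are being leaked and prints a named.conf stanza for each, pointing at the same "empty" file the FAQ uses. It only emits zones for private space (10/8, 172.16/12, 192.168/16) and de-duplicates, so a log full of 192.168.x.y lookups yields one 168.192.in-addr.arpa stanza. The log lines in the demo are constructed.

```shell
#!/bin/sh
# rfc1918_zones_from_log LOGFILE
# Reads named log lines of the form
#   ... client 10.0.0.5#57305: RFC 1918 response from Internet for 3.0.168.192.in-addr.arpa
# and prints a named.conf "zone" stanza for each distinct RFC 1918 reverse
# zone that was leaked, so those queries can be answered locally.
rfc1918_zones_from_log() {
    grep -o 'RFC 1918 response from Internet for [^ ]*' "$1" \
    | awk '{ print tolower($NF) }' \
    | sed 's/\.$//' \
    | awk -F. '
        {
            n = NF - 2                          # octets present before in-addr.arpa
            if (n < 1) next
            first = $n                          # first octet of the address (rightmost label)
            second = (n >= 2) ? $(n - 1) : -1   # second octet, if given
            zone = ""
            if (first == 10) zone = "10.in-addr.arpa"
            else if (first == 172 && second >= 16 && second <= 31) zone = second ".172.in-addr.arpa"
            else if (first == 192 && second == 168) zone = "168.192.in-addr.arpa"
            if (zone != "" && !(zone in seen)) { seen[zone] = 1; print zone }
        }' \
    | while read -r z; do
        printf 'zone "%s" {\n\ttype master;\n\tfile "empty";\n};\n' "$z"
    done
}

# Demo on constructed log lines (two leaks into 192.168/16, one into 10/8).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Feb 22 09:36:46 dns1 named[1376]: client 10.0.0.5#57305: RFC 1918 response from Internet for 3.0.168.192.in-addr.arpa
Feb 22 09:36:47 dns1 named[1376]: client 10.0.0.5#57306: RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA
Feb 22 09:36:48 dns1 named[1376]: client 10.0.0.5#57307: RFC 1918 response from Internet for 9.0.168.192.in-addr.arpa
Feb 22 09:36:49 dns1 named[1376]: client 10.0.0.9#1234: update 'example.test/IN' denied
EOF
rfc1918_zones_from_log "$demo_log"
rm -f "$demo_log"
```

Paste the output into named.conf (or an included file), create the "empty" zone file from the FAQ, and rndc reload; the log lines should stop. The client address in the log (10.0.0.5 in the demo) also tells you which machine is leaking the lookups in the first place.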

Resetting the Root Password: Debian vs FreeBSD

| Saturday, February 16, 2008

Last night I was all fired up to try debian, which my soft hands hadn't touched in ages, but unexpectedly I'd forgotten the root password ^^. Luckily around 11 o'clock Ibnu could be reached, since he deals with Ms Debby regularly :P. *thanks, kid*

Here are the steps; the boot loader here is grub, not lilo and stitch :P.

1. At boot choose "recovery mode" and press c.
2. Next there will be 4 options; move the cursor to the one that says kernel bla bla, basically the longest one, then press e.
3. Add "init=/bin/bash" at the end of the line and press enter. Voila, you're in single mode.
4. type "mount -o remount,rw /"
5. type passwd and enter the new password
6. then switch access back to read-only: "mount -o remount,ro /"
7. Done, reboot..

In freebsd the steps are easier:
1. At boot, in the boot menu press 3
2. mount -a
3. type passwd, enter the new password, and reboot

In freebsd there's an option to still be prompted for a password even when entering single mode: check /etc/ttys and change the "secure" option to "insecure". That's for us paranoid admins who can guarantee we'll never forget our password :p.
In debian I don't know how yet, but according to Ibnu, newer linux versions prompt for a password in single mode too.

LSOF (list open files)

| Friday, February 15, 2008

Lunch today was a bowl of chicken noodles with meatballs plus an article on lsof, but without the bottled tea. Just install it right away, before I forget and get buried in work; installed via the express route too :P

# cd /usr/ports/sysutils/lsof
# make install clean
# rehash

Lsof is a utility fairly similar to netstat -an but maybe more complete, because we can also see which files a program has open, from the binary to the libraries and the files related to the running program.. after all, the name says it: "List open files"..

ok, moving on...

# lsof -l
this command shows the complete list of running programs; I deliberately didn't capture the output (it's looong)

# lsof -c named
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 89535 named cwd VDIR 4,12 512 16662 /chroot/named/conf
named 89535 named rtd VDIR 4,12 512 16656 /chroot/named
named 89535 named jld VDIR 4,12 512 16656 /chroot/named
named 89535 named txt VREG 4,17 3507739 7774967 /usr/local/sbin/named
named 89535 named txt VREG 4,12 142236 16549 /libexec/ld-elf.so.1
named 89535 named txt VREG 4,12 1017456 8301 /lib/libcrypto.so.3
named 89535 named txt VREG 4,12 884716 8280 /lib/libc.so.5
named 89535 named 0u VCHR 2,2 0t0 7 /dev/null
named 89535 named 1u VCHR 2,2 0t0 7 /dev/null
named 89535 named 2u VCHR 2,2 0t0 7 /dev/null
named 89535 named 3u unix 0xc40a0000 0t0 ->0xc181a288
named 89535 named 4u VCHR 2,2 0t0 7 /dev/null
named 89535 named 5r VCHR 248,0 0t0 16 /dev/random
named 89535 named 22u IPv4 0xc3f980b4 0t0 UDP *:54519

complete, right? If you don't want it that long, or just want to see which directory it's running in, just type
# lsof -a -d cwd -c named
named 89535 named cwd VDIR 4,12 512 16662 /chroot/named/conf

to see which port it's using, just
# lsof -a -c named | grep "*:"
named 89535 named 22u IPv4 0xc3f980b4 0t0 UDP *:54519

Nice, right? At least we can see which services are running, and kill the ones that aren't important, make the server heavy, eat bandwidth or something else..

Ugh.. after eating the noodles I feel nauseous.. the noodles/meatballs probably had loads of MSG, oh nooo I can't take MSG these days.. no tolerance at all...

backup between servers

| Wednesday, January 30, 2008

rsync is a utility for moving/synchronising files.
According to its manual, rsync can be used as follows:

1. for copying local files. This is invoked when neither source nor destination path contains a : separator
2. for copying from the local machine to a remote machine using a remote shell program as the transport (such as rsh or ssh). This is invoked when the destination path contains a single : separator.
3. for copying from a remote machine to the local machine using a remote shell program. This is invoked when the source contains a : separator.
4. for copying from a remote rsync server to the local machine. This is invoked when the source path contains a :: separator or a rsync:// URL.
5. for copying from the local machine to a remote rsync server. This is invoked when the destination path contains a :: separator.
6. for listing files on a remote machine. This is done the same way as rsync transfers except that you leave off the local destination.

So, let's prove it.

Suppose the main server's IP is 10.10.10.75 and the backup server's IP is 10.10.10.60.
The rsync mode we'll use is over ssh.

Log in to 10.10.10.60 and, in the /home directory, type:
# ssh-keygen -f qlogin -t rsa
for the passphrase just press enter; this command generates a private key (qlogin) and a public key (qlogin.pub)

Next copy qlogin.pub to server 10.10.10.75 into the user's home .ssh directory and rename it to authorized_keys2; the result looks like this: /home/rahma/.ssh/authorized_keys2

Let's test whether the ssh login now works automatically..
Log in to 10.10.10.60, go to the directory where qlogin is, and type
# ssh -i qlogin rahma@10.10.10.75

OK, once ssh is running smoothly, just install rsync.. (the usual way, no need to explain it, ok :P)...

Now, the command to synchronise/back up the files is like this:
go to the dir where qlogin (the private key) is; mine happens to be in /home
# cd /home
# /usr/local/rsync/bin/rsync -e "ssh -i qlogin -l rahma -p 2223" -avz rahma@10.10.10.75:/home/www /home/BACKUP75/

sent 1636 bytes received 2421838595 bytes 3734526.19 bytes/sec
total size is 2421962606 speedup is 1.00

SMTP Auth auxprop with Postfix

| Tuesday, January 29, 2008

# cd /usr/local/mysql/lib/mysql/
# cp * /usr/local/lib
# cd /usr/local/mysql/include/
# cp * /usr/local/include/

Download cyrus-sasl-2.1.19 and its patch, then extract it and apply the patch

# cd /cyrus-sasl-2.1.19
# patch -p1 < ../cyrus-sasl-2.1.19-checkpw.c+sql.c.patch
# ./configure --enable-static --enable-shared --enable-sql --with-mysql=/usr/local/mysql --enable-login --disable-otp --disable-ntlm
# make && make install
# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
# cd /usr/local/lib/sasl2
# cp *sql* /lib/
# vi /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
sql_hostnames: localhost
sql_user: dbmail
sql_passwd: s3cr3t
sql_database: dbmail
sql_verbose: yes
sql_select: SELECT passwd FROM dbmail_users WHERE userid = '%u@%r'

# cd postfix-2.4.5
# make tidy
# make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib/ -lsasl2"
or, to build Postfix with MySQL support as well:
# make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl -DHAS_MYSQL -I/usr/local/mysql/include/mysql" AUXLIBS="-L/usr/local/lib/ -lsasl2 -L/usr/local/mysql/ -lmysqlclient -lz -lm"

# make install

add the following lines to /etc/postfix/main.cf
smtpd_recipient_restrictions =
reject_unauth_pipelining
reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
permit

broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

=== Done ===

Checking with ldd that saslauthd and the postfix binaries are linked against libsasl2:

/usr/local/sbin/saslauthd:
libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x2807e000)
libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x2808c000)
libasn1.so.7 => /usr/lib/libasn1.so.7 (0x280c4000)
libroken.so.7 => /usr/lib/libroken.so.7 (0x280e5000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x280f3000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x2810b000)
libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28202000)
libpam.so.2 => /usr/lib/libpam.so.2 (0x28204000)
libc.so.5 => /lib/libc.so.5 (0x2820b000)

/usr/sbin/postfix:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28083000)
libc.so.5 => /lib/libc.so.5 (0x28096000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x28170000)

/usr/libexec/postfix/smtpd:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280b6000)
libc.so.5 => /lib/libc.so.5 (0x280c9000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x281a3000)


mail-h# telnet smtpku.co.id 25
Trying 203.134.232.67...
Escape character is '^]'.
220 smtpku.co.id ESMTP Postfix
ehlo a
250-PIPELINING
250-SIZE 5120000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
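An added example (my own sh, not from the post): the EHLO reply above advertises AUTH LOGIN PLAIN on port 25 and no STARTTLS line, which means a client that picks LOGIN or PLAIN sends the password in clear text across the wire (DIGEST-MD5 and CRAM-MD5 do not). This function reads a saved EHLO transcript and flags that combination. The transcript in the demo is constructed from the lines shown above.

```shell
#!/bin/sh
# audit_ehlo TRANSCRIPT
# Reads a saved SMTP EHLO exchange (the "250-..." lines) and reports whether
# the server offers clear-text AUTH mechanisms (PLAIN/LOGIN) without also
# offering STARTTLS. Returns 0 when the offer is acceptable, 1 when clear-text
# AUTH is exposed on the plain connection.
audit_ehlo() {
    # first "250-AUTH <mechs>" line; the legacy "250-AUTH=..." form is ignored
    mechs=$(awk 'toupper($0) ~ /^250[- ]AUTH / { sub(/^250[- ][Aa][Uu][Tt][Hh] /, ""); print; exit }' "$1")
    if grep -qi '^250[- ]STARTTLS' "$1"; then tls=yes; else tls=no; fi
    clear=no
    for m in $mechs; do
        case $(printf '%s' "$m" | tr '[:lower:]' '[:upper:]') in
            PLAIN|LOGIN) clear=yes ;;
        esac
    done
    echo "auth mechanisms: ${mechs:-none}; starttls offered: $tls"
    if [ "$clear" = yes ] && [ "$tls" = no ]; then
        echo "WARNING: clear-text AUTH (PLAIN/LOGIN) offered without STARTTLS" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed transcript matching the EHLO reply above.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
220 smtpku.co.id ESMTP Postfix
250-PIPELINING
250-SIZE 5120000
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-8BITMIME
250 DSN
EOF
audit_ehlo "$demo_log"
rm -f "$demo_log"
```

Even when STARTTLS is offered, Postfix still accepts AUTH on the unencrypted connection unless main.cf has smtpd_tls_auth_only = yes, so treat this as a first screen, not a full proof.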

Hardening FreeBSD

| Monday, December 31, 2007

I've posted something in the system-hardening vein before, but the following article seems more complete.. thx to grandpa google.

Tips and tricks on FreeBSD security.
1. Always pray before taking action
2. Always make a BACKUP before doing anything.

BASIC SYSTEM HARDENING
1. Always use the STABLE version of FreeBSD (hehe.. I haven't done this yet, I always use a release).
2. Don't run services that aren't needed; check /etc/inetd.conf and /etc/rc.conf

SERVICES PROTECTION
1. Use chroot(8) or jail(8) to run programs that are at risk of being vulnerable.
2. Filter every access to services using a firewall or packet filtering software such as ipfw or IPF (ipfilter).
3. Enable the option log_in_vain="YES" to see connections to TCP/UDP ports that have no service running on them.

SECURE LOGGING
Disable syslogd logging over the network (from remote machines): use the option "-s -s".
Make sure /etc/syslog.conf contains:
security.* /var/log/security
ftp.* /var/log/ftpd.log
auth.* /var/log/auth.log

Enable ipfw or IPF logging in /etc/syslog.conf


B O F H (bastard operator from hell)
1. Use AllowUsers/AllowGroups in the SSH configuration to specify which users may log in with SSH.
2. Use tcp wrappers to allow or deny access to tcp-based services.
3. Give the shell /sbin/nologin to users who only need ftp access.
4. Enable user accounting: accounting_enable="YES"

LOCKING DOWN THE FILESYSTEM
1. Always create several partitions.
2. Mount every partition except /usr with the 'nosuid' argument
3. Remove the suid bits on binaries that aren't used (such as the UUCP binaries)
4. Use chflags with the sappnd flag on log files and schg on binaries.
# ls -lo /usr/bin/su
-r-sr-x--- 1 root wheel schg 8200 May 1 09:37 /usr/bin/su


KERNEL SECURELEVELS
The kernel securelevel variable indicates the security level.
Values range from '-1' to '3', and '0' is 'insecure mode'.
The securelevel can only be raised, never lowered, in multiuser mode.
The securelevel is controlled using sysctl(8) and sysctl.conf(5).

Securelevel 1 = the sappnd and schg flags cannot be changed, kernel modules cannot be loaded/unloaded.
Securelevel 2 = securelevel 1 + no writing to disks except through mount(2)
Securelevel 3 = securelevel 2 + ipfw rules cannot be modified

KERNEL STATES CONTROL & SYSTEM CONFIGURATION

sysctl & rc.conf

net.inet.tcp.blackhole=2, net.inet.udp.blackhole=1
so that no RST is sent back in reply to a portscan
kern_securelevel_enable="YES",
kern_securelevel="?" # range: -1..3;
icmp_drop_redirect="YES"
fsck_y_enable="YES"
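An added example, not from the original notes: a small Python checker that parses rc.conf / sysctl.conf text and reports which of the settings listed above are missing or weaker than recommended. The recommended values are the ones on this checklist; the two sample files are constructed.

```python
"""Audit rc.conf / sysctl.conf text for the hardening settings listed above.

Added example (not from the original page): parses the key="value" lines of
/etc/rc.conf and the key=value lines of /etc/sysctl.conf and reports which of
the page's recommended settings are missing or set to a weaker value.
"""
import re

# Recommended values, taken from the checklist above.
RC_CONF_WANT = {
    "log_in_vain": "YES",
    "kern_securelevel_enable": "YES",
    "icmp_drop_redirect": "YES",
    "accounting_enable": "YES",
    "fsck_y_enable": "YES",
}
SYSCTL_WANT = {
    "net.inet.tcp.blackhole": "2",
    "net.inet.udp.blackhole": "1",
}

# key="quoted value" or key=bareword; a trailing "# comment" is ignored.
_ASSIGN = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(?:"([^"]*)"|([^\s#]*))')


def parse_assignments(text):
    """Map each key to its last assigned value (a later line overrides an earlier one)."""
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return values


def audit(text, wanted):
    """Return human-readable findings for every wanted key that is absent or differs."""
    have = parse_assignments(text)
    findings = []
    for key, want in wanted.items():
        got = have.get(key)
        if got is None:
            findings.append(f"{key} not set (want {want})")
        elif got != want:
            findings.append(f"{key}={got} (want {want})")
    return findings


def syslogd_network_disabled(flags):
    """True when syslogd_flags carries -s twice ("-ss" or "-s -s"): no network socket at all.
    A single -s only refuses remote messages; the UDP port 514 socket still exists."""
    s_count = 0
    for tok in flags.split():
        if tok.startswith("-") and set(tok[1:]) == {"s"}:
            s_count += len(tok) - 1
    return s_count >= 2


def securelevel_ok(rc_text):
    """Securelevel must be enabled and between 1 and 3; -1 and 0 are insecure mode."""
    have = parse_assignments(rc_text)
    if have.get("kern_securelevel_enable") != "YES":
        return False
    try:
        return 1 <= int(have.get("kern_securelevel", "-1")) <= 3
    except ValueError:
        return False


# Constructed sample files (not from a real host) with several weak settings.
SAMPLE_RC_CONF = """\
hostname="office-mlg"
sshd_enable="YES"
syslogd_flags="-s"          # one -s only: the network socket is still opened
log_in_vain="YES"
kern_securelevel_enable="YES"
kern_securelevel="0"        # enabled, but 0 is insecure mode
accounting_enable="YES"
"""
SAMPLE_SYSCTL_CONF = """\
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=0
"""


def run_audit(rc_text=SAMPLE_RC_CONF, sysctl_text=SAMPLE_SYSCTL_CONF):
    """Collect every finding for a pair of rc.conf / sysctl.conf texts."""
    findings = audit(rc_text, RC_CONF_WANT) + audit(sysctl_text, SYSCTL_WANT)
    flags = parse_assignments(rc_text).get("syslogd_flags", "")
    if not syslogd_network_disabled(flags):
        findings.append(f'syslogd_flags="{flags}" (want -ss)')
    if not securelevel_ok(rc_text):
        findings.append("kern_securelevel not in 1..3")
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("WEAK:", finding)
```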


SECURE REMOTE CONNECTIONS

1. Disable telnet and the r* commands; use SSH or OpenSSH instead
2. Use sftp instead of ftp
3. Use public-key authentication with SSH
4. Give some consideration to using OTP (One-Time Passwords)

FIREWALL / PACKET FILTERING
A firewall can:
deny/permit packets
apply different rules per interface

Software that can be used:

ipfw (IPFirewall), kernel options:
options IPFIREWALL # enable ipfw
options IPFIREWALL_VERBOSE # enable firewall logging
options IPFIREWALL_VERBOSE_LIMIT # limit firewall logging
options IPDIVERT # enable divert(4) sockets

IPF (IPFilter):
http://coombs.anu.edu.au/~avalon/


SECURITY CHECKS

nmap, swiss-army knife, err network mapper ;)
http://www.insecure.org/nmap/

snort, Lightweight network intrusion detection system
http://www.snort.org/

tripwire, Filesystem security & verification program
http://www.tripwire.org/

chkrootkit, checks whether a rootkit is present on the local system.
http://www.chkrootkit.org/

dsniff, monkey watch monkey sniff
http://www.monkey.org/~dugsong/dsniff/



WHAT’S NEXT?

FreeBSD Security web page:
http://www.freebsd.org/security/security.html

FreeBSD Security How-To:
http://people.freebsd.org/~jkb/howto.html

FreeBSD Security advisories:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/

FreeBSD Hardening Project:
http://www.watson.org/fbsd-hardening/


WHAT’S NEXT?

FreeBSD ipfw howto:
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO

IPF (ipfilter) howto:
http://www.obfuscation.org/ipf/ipf-howto.html

Cerb, security kernel module:
http://cerber.sourceforge.net/

Packetstorm Defense Tools:
http://packetstormsecurity.nl/defense.html

Accessing files from a CD

| Thursday, November 29, 2007

Add the following to the kernel

MOUNTING A CD-ROM DISK

We need to set up a directory before we can mount the CD, so let's go to the OS root directory by entering:

cd /
mkdir /cdrom
mount -t cd9660 /dev/acd0c /cdrom

READ A DIRECTORY LISTING
The CD-ROM disk is now mounted. To test, enter:
ls -lt /cdrom

This should give us a listing of the files on the CD.
COPY OR MOVE FILES
cp -p /cdrom/somefile.conf /some/directory/on/hard/drive/

UNMOUNT CD-ROM DISK
Once we are finished using the CD-ROM disk, before we remove it, enter:
umount /cdrom

Is my program running?

| Thursday, November 22, 2007

It started with the incident yesterday when my streaming source server died; I had no idea it was down *dudulz mode on*, my phone was in the repair shop and that afternoon I was visiting the doctor, so there was no internet connection at all.
From the dentist I went to Matos with my younger sibling.. I only found out after the person on shift called my sibling's phone. Phew.. it was down for quite a while *sigh*, and the one on duty did not understand what was going on either, oh dear...

So today my brain, which wears out more and more the less it is used :P, slowly started working.. how about a script that checks every few minutes.

Here is an example script; just name it /etc/cekecek
#!/bin/sh
# Check whether the web server process is alive and start it again if it is not.
SERVICE=httpd
if ps ax | grep -v grep | grep "$SERVICE" > /dev/null
then
echo "$SERVICE service running, everything is fine"
else
echo "$SERVICE is not running"
# rc.d scripts need an action argument; adjust the path to your web server's rc script
/etc/rc.d/http start
fi

Put it in the crontab, bake it once every hour :P
59 * * * * /etc/cekecek

For the true remote-ers

| Tuesday, November 20, 2007

Folks, you often work remotely and then suddenly, right in the middle of installing something, the connection drops. Really annoying, isn't it...
Hehehe, luckily after peeking at om Giest's blog there is a solution. Yup, we can install something called screen; the following tutorial is taken from om Giest's post.


# cd /usr/ports/sysutils/screen
# make install clean

USAGE

The important screen commands are as follows:

screen

ctrl a c = create a new screen session
ctrl a p = switch between screen sessions
ctrl a d = leave the screen session without killing the process that is running.
exit = leave screen once the running process has finished

EXAMPLE

Type screen to start a screen session; if it is the first time, this is the only screen session, whereas if you have created a screen session before, this command starts a new screen session without disturbing the previous one.

Then type the command you want to run, for example top; once top is running, type ctrl a c to create a new screen and you get another empty screen. Here you can run another command, for example a ping to the host you want.

Once all the processes above are running, to switch between those screens (from the top command to the ping) just type ctrl a p and you are back in the next screen.

To leave screen without killing that screen process, just type ctrl a d and you are back in the shell, no longer in screen. If you then log out or close the remote connection, your screen session keeps running.
If for some reason you lose the connection to the server you are remoting and have not had a chance to leave screen, don't worry: the processes you were running are still going and you simply resume them.

To resume the first screen session you must log in as the user who created the screen session. Other users cannot resume a screen session belonging to another user.

Once you are logged in as that user, type screen -r; if you previously had more than one screen session, first check them like this:

screen -ls
There are screens on:
96050.ttyp0.giest (Detached)
96172.ttyp0.giest (Detached)
2 Sockets in /tmp/screens/S-root.

As you can see there are two active screen sessions; to enter and use one of the active sessions, run the following command:

screen -r 96172.ttyp0.giest

and you will now be working in that screen while the other screen session stays safe.

Ok, now there is no need to be afraid of doing long-running jobs remotely: just open screen and a dropped connection is no longer a problem.

taken from giest.org

What does my port need?

|

make pretty-print-build-depends-list
make pretty-print-run-depends-list

make -V RUN_DEPENDS and make -V BUILD_DEPENDS

You can use this to check for the value of any make variable (LIB_DEPENDS, OPTIONS, WITH_*, WITHOUT_*, etc).


# cd /usr/ports/category/port
# make build-depends-list
# make run-depends-list

Just copy-paste.. :(

|

Learn some of the basic steps you can take to make your FreeBSD system more secure.
1. Set additional flags on your /tmp and /home directories. I will show you how to see your current flags and how to change them:
[root]# mount
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /tmp (ufs, local, nodev, nosuid, soft-updates)
/dev/ad0s1g on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
/dev/ad0s1h on /home (ufs, local, nosuid, with quotas, soft-updates)
procfs on /proc (procfs, local)
The two partitions above are the ones we will be adding flags for. As you can see I added nodev and nosuid on /tmp and nosuid and quotas on /home
nodev - stops character or block special devices on the filesystem
nosuid - disables suid programs from being run from this filesystem
quotas - to limit the amount of disk space that your users may use
You can set these flags in the /etc/fstab file
the /tmp directory is a world writable directory so taking these additional steps is a good idea
2. Set your system security level. For most machines there is no reason to run in securelevel -1, unless you wish to run X-Windows on the machine. If you would like to run a server it is best NOT to run X and step up your kernel security level to 1.
Changing this to 1 will mean that you may no longer replace the kernel without being in single user mode (system immutable and system append-only flags are also enforced), KLD's may not be loaded/unloaded and /dev/mem and /dev/kmem may not be opened for writing. To change the security level do the following:
[root]# sysctl kern.securelevel=1
to make this change permanent add the following to /etc/rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="1"
3. Remove the toor user.
By default, FreeBSD ships with an additional user that has a UID of 0. This user is known as toor (root backwards), and is intended as a backup user, so that if you mistakenly broke (for eg) root's shell, you could log in using this user and fix things. The account is disabled (passwordless) by default, and hence of no use UNLESS you change its password. You may either choose to set a password for it, or remove it.
It should be noted that the rmuser(8) command will not allow the deletion of an account with a UID of 0, so you will need to use vipw(8) to remove this account.
4. Shut down any services you are not using
[root]# netstat -na | grep LISTEN
tcp46 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp46 0 0 *.22 *.* LISTEN
This shows that http(80) and ssh(22) are listening. If you have a process listening and you're unsure of what process is keeping that port open you may use sockstat(1) to list open sockets and provide you with the relevant information
You can also see anything listening for UDP:
netstat -nap udp
udp4 0 0 *.514 *.*
Here, you see that syslogd is listening on port 514 (UDP). You can disable syslogd from listening on a port by changing /etc/rc.conf:
syslogd_enable="YES"
syslogd_flags="-ss"
5. Set up packets being sent to non-listening ports to be ignored and go to a 'Black Hole'
[root]# sysctl net.inet.tcp.blackhole=1
to make this change permanent modify /etc/rc.conf
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1
6. KEEP YOUR PACKAGES AND OS CURRENT.
I have an article here on how to automatically update your FreeBSD box. I would suggest you set this up!

Binary FreeBSD update

| Saturday, November 17, 2007

First install freebsd-update
# whereis freebsd-update
freebsd-update: /usr/local/sbin/freebsd-update
# cd /usr/local/sbin/freebsd-update
make install clean

cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
# rehash
# freebsd-update fetch
# freebsd-update install

My shell?

|

To find out which shell we are currently using, type:
# echo $SHELL
/bin/csh

or use the following command:

office-mlg# ps -p $$
PID TT STAT TIME COMMAND
59155 p0 S 0:00.04 /bin/csh

To see which shells are available on your FreeBSD box, type:
# more /etc/shells
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash

One more tip.. just try it:

chmod 0750 `which curl` 2>&- ; chmod 0750 `which fetch` 2>&- ; chmod 0750 `which wget` 2>&-

#!/bin/sh
# List accounts whose password field is empty (no password set) and lock each of them.
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2 == "" {print $1}' /etc/master.passwd)"
for u in $USERS
do
pw lock "$u"
done

Where
NF : number of fields in the record (so only continue if the line has more than one field)
$1 : First field in /etc/master.passwd
$2 : Second field in /etc/master.passwd
$1 !~ /^[#+-]/ : Compares the first field (user login name) and makes sure it does not start with a +, - or # symbol

How does it work?
1) The awk statement reads each line in /etc/master.passwd, where the fields are separated by the : symbol
2) An account has no password if the password field ($2) in /etc/master.passwd is empty

Once you have found all such passwordless accounts, you can lock a user account with the following command:
pw lock {username}

# pw lock s2099ms
For unlocking the account use:
pw unlock {username}

# pw unlock s2099ms
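The same check in Python, as an added example that is not part of the original post: it parses master.passwd-style lines, lists the passwordless accounts the awk one-liner above finds, and also lists every UID-0 account (the toor user from the hardening steps earlier on this page). The sample entries and hashes are constructed.

```python
"""Find passwordless and extra UID-0 accounts in master.passwd data.

Added example (not from the original page): the same check the awk one-liner
above performs, extended to also list every UID-0 account (the toor user from
the hardening notes) and to emit the pw(8) lock commands.
"""
import shlex

# Constructed sample in master.passwd layout (10 colon-separated fields):
# name:password:uid:gid:class:change:expire:gecos:home:shell
# The hashes are placeholders, not real password hashes.
SAMPLE_MASTER_PASSWD = """\
# comment lines and NIS +/- entries must be skipped
root:$1$saltsalt$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
s2099ms::1001:1001::0:0:Sample student:/home/s2099ms:/bin/sh
guest:*LOCKED*$1$saltsalt$placeholderhash:1002:1002::0:0:Guest:/home/guest:/bin/sh
+@netgroup::::::::::
"""


def parse_accounts(text):
    """Yield (name, password_field, uid) for real entries.

    Skips comments, NIS +/- lines and malformed lines, exactly like the
    awk condition  NF > 1 && $1 !~ /^[#+-]/  above.
    """
    for raw in text.splitlines():
        if not raw or raw[0] in "#+-":
            continue
        fields = raw.split(":")
        if len(fields) < 7:  # neither passwd (7 fields) nor master.passwd (10) layout
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        yield fields[0], fields[1], uid


def passwordless_accounts(text):
    """Accounts whose password field is empty: login succeeds with no password at all."""
    return [name for name, pw, _ in parse_accounts(text) if pw == ""]


def superuser_accounts(text):
    """Every UID-0 account; anything besides root (e.g. toor) needs a password or removal."""
    return [name for name, _, uid in parse_accounts(text) if uid == 0]


def is_locked(password_field):
    """pw lock prefixes the hash with *LOCKED*; a bare '*' can never match any password."""
    return password_field.startswith("*LOCKED*") or password_field == "*"


def lock_commands(text):
    """The pw(8) invocations that would lock each passwordless account."""
    return ["pw lock " + shlex.quote(name) for name in passwordless_accounts(text)]


if __name__ == "__main__":
    print("passwordless:", passwordless_accounts(SAMPLE_MASTER_PASSWD))
    print("uid 0:", superuser_accounts(SAMPLE_MASTER_PASSWD))
    for cmd in lock_commands(SAMPLE_MASTER_PASSWD):
        print(cmd)
```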

rootkitHunter

| Friday, November 16, 2007

Before installing rkhunter, at the very least we must have one of: wget | curl | elinks | links | lynx | bget | GET

# fetch http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
unpack the tarball and, as root, run the installation script:
tar zxf rkhunter-.tar.gz
cd rkhunter
./installer.sh --layout default --install
or
./installer.sh --layout custom /usr/local/ --install

To show where files are installed using the "oldschool" layout run:

./installer.sh --layout oldschool --show
PREFIX: /usr/local
Application: /usr/local/bin
Configuration file: /usr/local/etc
Documents: /usr/local/rkhunter/lib/rkhunter/docs
Man page: /usr/local/rkhunter/lib/man/man8
Scripts: /usr/local/rkhunter/lib/rkhunter/scripts
Databases: /usr/local/rkhunter/lib/rkhunter/db
Temporary files: /usr/local/rkhunter/lib/rkhunter/tmp

./rkhunter --update
./rkhunter -c

Before running RKH you will need to fill the file properties database by
running the following command:

rkhunter --propupd


To run RKH, as root, simply enter the following command:

rkhunter --check


By default, the log file '/var/log/rkhunter.log' will be created. It
will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

rkhunter --help


NOTE: The first run of 'rkhunter' after installation may give some
warning messages. Please see the FAQ file for more details
about this.

Uninstall

tar zxf rkhunter-.tar.gz
cd rkhunter
./installer.sh --layout default --remove

If you chose a different layout, for example '/usr', then run the
installer using:

./installer.sh --layout /usr --remove

beastie tipz

| Wednesday, November 14, 2007

"ls -G", "ls -F" or "ls -FG"
Use these for a coloured directory listing ;)

'set autolist'
in the tcsh shell, automatically lists all possible matches when expanding a file/directory name

'set autologout = 30'
logs you out after more than 30 minutes idle (for the tcsh shell)

'set filec'
enables file completion in tcsh when pressing TAB

'set watch = (0 any any)'
Enables notification when any user logs in/out.

set prompt = '%n@%m:%/%# '
example display: rahm@server:/usr# ; for a bold prompt use: set prompt = '[%B%m%b] %B%~%b%# '

grep "string" filename1 [filename2 filename3 ...]
search for a string in one or more files

Setting aliases to shorten commands:
alias lf="ls -FA"
alias ll="ls -lA"
alias su="su -m"

in csh or tcsh, like this:
alias lf ls -FA
alias ll ls -lA
alias su su -m
type 'alias' to see the list of defined aliases

Look at /etc/rc to see how the system boots.

whereis 'progname'
Use it to find the binary, manual page or source directory of a program.

Ctrl-D
Use it to exit/logout from the shell.

"du -s * | sort -n"
To list directories with their sizes.

mixer
To adjust the sound device's volume.

pkg_add -r
automatically download and install binary packages and their dependencies.


Looking for a particular port? Type the following in the /usr/ports directory:
make search port=portname
or
make search key=keyword


swapinfo
shows virtual memory (swap) usage

"zcat" or "zmore"
To read compressed files without extracting them

du /partition_or_directory_name | sort -rn | head
To see the 10 largest entries in a directory / partition

file filename
To see whether a file is a text file, an executable or some other file type.

col -bx < dosfile > newfile
To remove the ^M characters from a DOS file

lock -p
To lock the terminal.

dig -x IP-address
To look up the hostname of an IP address

Add the following in the C shell to prevent core files from being written.
limit coredumpsize 0

"leave +hhmm"
To set a terminal reminder

"sockstat -4l"
Need to see which daemons are listening for connection requests? Use "sockstat -4l" for IPv4, and "sockstat -l" for IPv4 and IPv6.

": > filename"
To empty a file

ls -R / | more
to list the whole system directory tree


translated from : http://nixdoc.net/FreeBSD-Tips/

ODBC in PHP

| Friday, October 26, 2007

This afternoon someone had a request: a Windows server with Apache and PHP that would not use an SQL database and wanted ODBC instead. Oh well.. what wouldn't I do for you? hehehe...

First create the DSN name in ODBC, pick the mdb driver and select the database name, for example metuek.mdb. For Apache under unix the setting looks like this:
# cd /etc
# ee odbc.ini
[test]
Description = test
DatabaseDriver = /usr/lib/libmdbodbc.so
Database = /var/www/test.mdb

Done? If so, restart apache.

The PHP script looks more or less like this:
<?php
$conn=odbc_connect('test','','');
if (!$conn) { exit("Connection Failed: " . $conn); }

$sql="SELECT * FROM customers";
$rs=odbc_exec($conn,$sql);
if (!$rs) {
exit("Error in SQL");
}
echo "<table><tr>";
echo "<th>Companyname</th>";
echo "<th>Contactname</th></tr>";
while (odbc_fetch_row($rs))
{
$compname=odbc_result($rs,"CompanyName");
$conname=odbc_result($rs,"ContactName");
// escape database values before printing them into HTML
echo "<tr><td>" . htmlspecialchars($compname) . "</td>";
echo "<td>" . htmlspecialchars($conname) . "</td></tr>";
}
odbc_close($conn);
echo "</table>";
?>

delete file by date

|

find /directory -name "filename" -mtime +30 -print0 | xargs -0 rm
or
find /directory -name "filename" -mtime +30 -type f -exec rm {} \;

The commands above look for files that are 30 days old and older and delete them.

-mtime n : true if the file's contents were modified n days ago.
Type Description
b : A block special device file
c : A character special device file
d : A directory
f : A plain file (SV only)
p : A named pipe (FIFO) (SV only)
l : A symbolic link to a file
s : A socket (BSD only)

Check check ...

|

As a wannabe admin, the job is to routinely peek at the logs on the server.. but somehow there is always something missed, something not checked yet..

so I decided to just write it down here; this one happens to be for a mail server, for other servers it is not much different..

1. Check the logs /var/log/messages and /var/log/maillog, and don't forget to check dmesg and auth.log

2. ps -ax, top, trafshow, sockstat -l are mandatory.

3. /var/virusmails must be cleaned out; keep only the recent ones in case someone complains.

# ls -l /var/virusmails/ | wc -l

4. /usr/local/mysql/var must also be checked at least once a month for the mysql-bin.xxxxx files; keep only the last month.

5. /var/amavisd/tmp/.... (temporary amavis and clamd logs) must also be deleted every week (if present).

The users' mailboxes must be monitored too.

Tip

| Friday, October 05, 2007

In case of attacks, you can fiddle up with the following values:

net.inet.tcp.msl (on my machine, 10000. default is 30000)
net.inet.tcp.keepidle (default 10000)
net.inet.tcp.keepintvl (default 7500)
net.inet.tcp/udp.blackhole (turn on for DoS)
net.inet.tcp.tcbhashsize (push up to a reasonable value)


--------------------------------------------------------------------------------

For a better performance, you should mess up with:

kern.ipc.somaxconn (my machine = 4096, default. 128)
kern.ipc.maxsockets
net.inet.ip.intr_queue_maxlen
kern.maxfiles (65535, 16424 as default)
vfs.vmiodirenable (set to 1, 0 is the default)
net.inet.tcp.sendspace (see tuning(7) for more explanations)
net.inet.tcp.recvspace
option NMBCLUSTERS in the kernel (check how many clusters you use with netstat -mb -- don't overtune it, on my busiest webservers the number of used clusters never went above 2256, so 8192 should be enough for all servers), and, of course, maxusers. Well, that era has ended. Right now I discovered a
2827/16384/16384 mbuf clusters in use (current/peak/max)
on a webserver, so I'm gonna bump it to 32k. Also, I'm going to reduce the net.inet.tcp.sendspace from 32k to 16k, because the web traffic means a lot of small files. In case you find out you're just about to run out of NMBCLUSTERS (ex. 6301/8100/8704 mbuf clusters in use (current/peak/max) -- on one of my servers), in case of a webserver, and cannot recompile a new kernel with a bumped NMBCLUSTERS, then set KeepAlive to off in your Apache, and this will save you some clusters by removing many FIN_WAIT_2 connections (More here).
kern.ipc.shm_use_phys -- turn to 1 if the main application of your server uses shared memory, it has improved the activity of my web server.
netstat -f inet can give you valuable information. For example, a lot of connections with Send-Q != 0 means that your server is storing data in the mbufs, because the uplink is saturated or (more often) the clients are too 'slow' to receive data. Non-null values for Recv-Q, on the other hand, mean that your server is too slow in serving the requests, which increases the number of mbufs for incoming connections.
net.inet.tcp.msl -- take it down from the default 30,000 to something like 10,000 or even less if you notice too many TIME_WAIT connections in netstat -f inet
net.inet.tcp.inflight_enable -- for bandwidth delay limiting (TCP connections). Read more about in tuning(7).


--------------------------------------------------------------------------------

Firewalling with IPF gave me quite some problems, mostly related to the state table. The customers experienced some broken connections (browser hanging forever when loading up a page), even though the channel was not full (bandwidth-wise). What you can do in a situation like this is play with:

net.inet.ipf.fr_tcpidletimeout=7200 (I like to leave this higher, though, because it kills my idle ssh sessions on the servers as well -- and I hate logging in each other hour or so).
net.inet.ipf.fr_tcpclosewait=120
net.inet.ipf.fr_tcplastack=120
net.inet.ipf.fr_tcptimeout=240
net.inet.ipf.fr_tcpclosed=60
net.inet.ipf.fr_tcphalfclosed=300
net.inet.ipf.fr_udptimeout=90
net.inet.ipf.fr_icmptimeout=35
More about these values here.
You can check how many states are active by looking into the output of ipfstat -s (active). I experienced values growing from 0 to approx. 4000 and then 0 again, which meant the state table got full, and was reset. You can also carefully increment the number of states in '/usr/include/netinet/ip_state.h' (IPSTATE_SIZE and IPSTATE_MAX -- in my case IPSTATE_MAX was set to 4013, which made the table reset like I said before, at a value approx. equal to 4000). You have to set these two values to reasonable values (not too high, don't overtune!), they need to be prime values, and IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE. More info can be found here.
One other thing that one might do is remove any unnecessary 'keep state's from the firewall configuration. For example, Apache communicates with the clients on port 80 exclusively, so if you 'pass all from any to $my_host port = 80', then you don't need keep states.
As about the NAT using IPFilter, you might consider defining LARGE_NAT in src/contrib/ipfilter/ip_nat.h and src/sys/contrib/ipfilter/netinet/ip_nat.h.
One other problem that I had, having the same source, was that FTP transfers of a zillion+ files would just stall from time to time (after about 100 transferred files). The reason was that the state table was becoming full, and was 'cleaned up' by the kernel, which meant lost state. Freeing the unneeded 'keep states' from the firewall rules, and tweaking the parameters above, made this problem disappear as well.
A very nice feature of FreeBSD's kernel is also the DEVICE_POLLING kernel option, which basically means that the system will not treat any interrupt coming from the network cards independently, but rather 'poll' the devices at certain intervals of time. That saves a lot of system activity. You might also consider tweaking the "option HZ", and also enabling 'kern.polling.enable' and 'kern.polling.user_frac'. Unfortunately, DEVICE_POLLING works only with certain NICs, but I've experienced very good results with the Intel EtherExpress (fxp). You can see the performance on some snapshots of my firewall here.


--------------------------------------------------------------------------------

Special settings:

In order to run ipf and ipfw on the same machine (ipf for firewall, ipfw for traffic shaping), you can do the following:
ipf -f a_file, where a_file contains something like: "pass out quick proto tcp from x.x.x.x to y.y.y.y port = z flags S keep state"
ipfw add pipe 10 ip from x.x.x.x to y.y.y.y
ipfw pipe 10 config bw 10Kbit/s queue 50KBytes


http://www.nsrc.org/freebsd-tips.html

| Tuesday, October 02, 2007

ICMP Internet Control Message Protocol

designed to carry control messages between routers and between hosts.

An ICMP header follows the IP header in an IP packet, but it is not considered a layer-4 header like TCP and UDP; instead ICMP is treated as an integral part of IP.

Here is a picture of the fields an ICMP header adds to an IP packet:

 0       8       16              32 bits
+-------+-------+---------------+
| Type  | Code  |   Checksum    |
+-------+-------+---------------+
|  Identifier   | Sequence num. |
+---------------+---------------+
|             Data              |
+-------------------------------+

You'll note that an ICMP header is composed of six fields. Interestingly, the Data field does not contain the actual ICMP "message." Instead, the Type and the Code fields contain numeric values, and each numeric value represents a specific ICMP message. Every ICMP packet must have a Type value, but only some ICMP types have an associated non-zero Code value.

RFC 1700 contains the possible values for each ICMP type and code; I've summarized these into the following table:
Type Name Code(s)
0 Echo reply 0 - none
1 Unassigned
2 Unassigned
3 Destination unreachable 0 - Net unreachable
1 - Host unreachable
2 - Protocol unreachable
3 - Port unreachable
4 - Fragmentation needed and DF bit set
5 - Source route failed
6 - Destination network unknown
7 - Destination host unknown
8 - Source host isolated
9 - Communication with destination network is administratively prohibited
10 - Communication with destination host is administratively prohibited
11 - Destination network unreachable for TOS
12 - Destination host unreachable for TOS
4 Source quench 0 - none
5 Redirect 0 - Redirect datagram for the network
1 - Redirect datagram for the host
2 - Redirect datagram for the TOS and network
3 - Redirect datagram for the TOS and host
6 Alternate host address 0 - Alternate address for host
7 Unassigned
8 Echo 0 - None
9 Router advertisement 0 - None
10 Router selection 0 - None
11 Time Exceeded 0 - Time to live exceeded in transit
1 - Fragment reassembly time exceeded
12 Parameter problem 0 - Pointer indicates the error
1 - Missing a required option
2 - Bad length
13 Timestamp 0 - None
14 Timestamp reply 0 - None
15 Information request 0 - None
16 Information reply 0 - None
17 Address mask request 0 - None
18 Address mask reply 0 - None
19 Reserved (for security)
20-29 Reserved (for robustness experiment)
30 Traceroute
31 Datagram conversion error
32 Mobile host redirect
33 IPv6 where-are-you
34 IPv6 I-am-here
35 Mobile registration request
36 Mobile registration reply
37-255 Reserved

You'll note that the ICMP types that do have associated codes use the Code field to further explain the message value in the Type field. For example, ICMP Type 3 represents "destination unreachable." There can be many reasons why a destination is unreachable; accordingly, every ICMP Type 3 packet will also use one of the codes to explain why the destination was unreachable.

In our dump file, packets 4-9 contained ICMP information. These packets were created right after ARP had determined the destination MAC address and just before the TCP 3-way handshake. Let's take a look at packets 4 and 5:

tcpshow < dump


-------------------------------------------------
Packet 4
TIME: 10:25:28.608640 (0.000355)
LINK: 00:00:B4:3C:56:40 -> 00:50:BA:DE:36:33 type=IP
IP: 10.0.0.2 -> 10.0.0.1 hlen=20 TOS=00 dgramlen=84 id=0010
MF/DF=0/0 frag=0 TTL=255 proto=ICMP cksum=A796
ICMP: echo-request cksum=169F
DATA: ....:_.:6....
..................... !"#$%&'()*+,-./01234567
-------------------------------------------------
Packet 5
TIME: 10:25:28.608722 (0.000082)
LINK: 00:50:BA:DE:36:33 -> 00:00:B4:3C:56:40 type=IP
IP: 10.0.0.1 -> 10.0.0.2 hlen=20 TOS=00 dgramlen=84 id=9551
MF/DF=0/0 frag=0 TTL=255 proto=ICMP cksum=1255
ICMP: echo-reply cksum=1E9F
DATA: ....:_.:6....
..................... !"#$%&'()*+,-./01234567

Notice that these are normal IP packets with the expected IP header fields. Immediately following the IP header is the ICMP header which is followed by some strange-looking data. The tcpshow utility did not show all of the ICMP fields, but you can see that Packet No. 4 was an echo-request and Packet No. 5 was an echo-reply. If we look up these names in the chart, we'll see that Packet 4 contains an ICMP Type 8 Code 0 message, and Packet 5 contains an ICMP Type 0 Code 0 message.

Let's look at these same packets using Ethereal. Because Ethereal is so verbose, I'll just show the frame number and the ICMP header:

more etherdump


Frame 4 (98 on wire, 98 captured)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x169f (correct)
Identifier: 0xdd00
Sequence number: 00:00
Data (56 bytes)

0 3a5f a23a 36c3 0600 0809 0a0b 0c0d 0e0f :_.:6...........
10 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
20 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f !"#$%&'()*+,-./
30 3031 3233 3435 3637 01234567

Frame 5 (98 on wire, 98 captured)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0x1e9f (correct)
Identifier: 0xdd00
Sequence number: 00:00
Data (56 bytes)

0 3a5f a23a 36c3 0600 0809 0a0b 0c0d 0e0f :_.:6...........
10 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
20 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f !"#$%&'()*+,-./
30 3031 3233 3435 3637 01234567

Notice that Ethereal interprets all of the ICMP fields, including the Type and Code numbers. It also indicates the name of the utility that issued these ICMP packets -- before TCP initiated its 3-way handshake, three "ping" packets were sent out to verify connectivity between my telnet client and the telnet server. The first ping packet contained the echo-request and it was followed by the desired echo-reply.

Packets 6 and 7 contained the next echo-request/echo-reply pair. These packets were identical, except they both contained a sequence number of 01:00, instead of the sequence number of 00:00 you saw in Packets 4 and 5. Packets 8 and 9 contained the last echo-request/echo-reply pair and both shared a sequence number of 02:00. However, all six packets contained the same Identifier value of 0xdd00; this means that they were all issued from the same ping command.

To summarize, whenever you run the ping utility, you will send out ICMP Type 8 Code 0 packets. Each packet will have the same identifier, but every packet's sequence number will be increased by 1. If you have connectivity to the other host, you should receive back ICMP Type 0 Code 0 packets with the same identifier. If you don't receive all the packets back in sequence, you don't have a very reliable connection.
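To make the header layout and the checksum concrete, here is an added example (not code from the original article) that decodes Frames 4 and 5 from the Ethereal dump above, verifies the checksums 0x169f and 0x1e9f shown there, and rebuilds the request from its fields. The byte values are transcribed from the dump; nothing else is assumed.

```python
"""Parse the ICMP echo request/reply captured above and verify their checksums.

Added example (not from the original article): decodes the 8-byte ICMP header
(Type, Code, Checksum, Identifier, Sequence number) followed by the Data field,
recomputes the RFC 1071 checksum and rebuilds Frame 4 from its fields.
"""
import struct

# Names for the ICMP types this article discusses (subset of the RFC 1700 table).
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 8: "Echo",
              11: "Time exceeded"}


def internet_checksum(data):
    """One's-complement sum of 16-bit big-endian words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg):
    """Split an ICMP message into header fields and payload; verify the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code, cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    # Recompute with the checksum field zeroed; it must equal the value on the wire.
    computed = internet_checksum(msg[:2] + b"\x00\x00" + msg[4:])
    return {
        "type": typ, "code": code, "name": ICMP_TYPES.get(typ, "other/unassigned"),
        "checksum": cksum, "checksum_ok": computed == cksum,
        "identifier": ident, "sequence": seq, "data": msg[8:],
    }


def build_echo(typ, ident, seq, data):
    """Build an echo (type 8) or echo-reply (type 0) message with a correct checksum."""
    header = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    cksum = internet_checksum(header + data)
    return struct.pack("!BBHHH", typ, 0, cksum, ident, seq) + data


def same_ping_session(a, b):
    """A reply matches its request when identifier and sequence number agree."""
    return a["identifier"] == b["identifier"] and a["sequence"] == b["sequence"]


# 56-byte Data field of Frames 4 and 5, transcribed from the Ethereal dump above.
PING_DATA = bytes.fromhex(
    "3a5fa23a36c3060008090a0b0c0d0e0f"
    "101112131415161718191a1b1c1d1e1f"
    "202122232425262728292a2b2c2d2e2f"
    "3031323334353637"
)
# Headers as shown by Ethereal: type, code, checksum, identifier 0xdd00, sequence 0.
FRAME4_ICMP = bytes.fromhex("0800169fdd000000") + PING_DATA  # echo request
FRAME5_ICMP = bytes.fromhex("00001e9fdd000000") + PING_DATA  # echo reply


if __name__ == "__main__":
    for label, frame in (("Frame 4", FRAME4_ICMP), ("Frame 5", FRAME5_ICMP)):
        f = parse_icmp(frame)
        print(f"{label}: type {f['type']} ({f['name']}) code {f['code']} "
              f"checksum 0x{f['checksum']:04x} {'correct' if f['checksum_ok'] else 'BAD'}")
```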

You've probably used the ping utility yourself to test the connection between two hosts running TCP/IP; you may have not known that ping uses ICMP. Here is an interesting article on ping by the author of the utility.

The traceroute utility is another utility that uses ICMP messages, but its usage is different from that of the ping utility. When you type traceroute hostname, three UDP packets are sent out with a TTL (time to live) value of 1. These three packets will arrive at the router closest to you which will decrease the TTL by one, meaning the TTL will now be 0. When routers notice a TTL of 0, they respond by sending an ICMP packet of Type 11 Code 0, or "time exceeded" as "time to live exceeded in transit." The traceroute utility will make note of the IP address of the router that sent back the three ICMP packets, calculate the time it took to receive each of the packets, then send out three more UDP packets, this time with a TTL of 2.

Because these packets have a TTL of 2, ICMP packets should be returned by the router that is two hops away from you. Once these packets are received and noted, traceroute sends out three more packets with a TTL of 3. The traceroute utility will continue this pattern until you either reach your final destination or you've gone through the default maximum of 30 routers. The results will be sent to your screen like so:

traceroute www.freebsd.org

traceroute to freefall.freebsd.org (216.136.204.21), 30 hops max, 40 byte packets
1 10.69.4.1 (10.69.4.1) 33.137 ms 110.654 ms 52.307 ms
2 d226-12-1.home.cgocable.net (24.226.12.1) 15.413 ms 36.285 ms 12.538 ms
3 cgowave-0-158.cgocable.net (24.226.0.158) 13.857 ms 14.130 ms 16.433 ms
4 cgowave-busy-core.cgocable.net (24.226.1.1) 15.304 ms 15.470 ms 14.940 ms
5 cgowave-0-202.cgocable.net (24.226.0.202) 16.681 ms 14.324 ms 16.357 ms
6 10.0.185.33 (10.0.185.33) 16.066 ms 15.919 ms 17.318 ms
7 c1-pos8-0.bflony1.home.net (24.7.74.29) 18.234 ms 18.063 ms 19.266 ms
8 c1-pos1-0.hrfrct1.home.net (24.7.65.253) 27.590 ms 25.213 ms 48.447 ms
9 c1-pos3-0.nycmny1.home.net (24.7.69.2) 32.722 ms 29.405 ms 29.724 ms
10 ibr02-p1-0.jrcy01.exodus.net (24.7.70.122) 31.728 ms 48.891 ms 29.017 ms
11 bbr02-g4-0.jrcy01.exodus.net (216.32.223.114) 37.117 ms 37.070 ms 62.180 ms
12 bbr01-p2-0.okbr01.exodus.net (216.32.132.109) 59.707 ms 40.090 ms 39.422 ms
13 bbr02-p3-0.sttl01.exodus.net (216.32.132.89) 142.048 ms 101.184 ms 86.259 ms
14 bbr01-g5-0.sttl01.exodus.net (216.32.29.19) 83.362 ms 83.433 ms 83.103 ms
15 bbr01-p1-0.tkwl01.exodus.net (209.185.9.66) 85.309 ms 123.174 ms 83.753 ms
16 bbr01-p4-0.sntc05.exodus.net (216.32.173.229) 88.995 ms 90.207 ms 88.723 ms
17 dcr01-g2-0.sntc05.exodus.net (64.56.192.3) 109.213 ms 90.418 ms 90.458 ms
18 g2-1.bas1-m.sc5.yahoo.com (64.56.207.146) 170.210 ms 164.354 ms 281.053 ms
19 freefall.freebsd.org (216.136.204.21) 91.146 ms 88.509 ms 91.049 ms

Note that the traceroute utility numbered each hop, gave the name and IP address of the associated router, and recorded the time it took to receive an ICMP response to each of the three UDP packets that were sent to each router.

The ping and traceroute utilities are the most common ICMP-based utilities that users run. However, there is another ICMP type that you should be aware of, as it can affect network performance if there are routers between you and your final destination.

When I captured the packets involved in the telnet session, both the telnet client and the telnet server were cabled onto the same LAN and none of the packets had to pass through a router. During the TCP 3-way handshake, each host indicated the maximum segment size (MSS) it was capable of receiving. The tcpshow utility did not interpret this data, but it can be seen using Ethereal:

more etherdump

Frame 10 (60 on wire, 60 captured)
Internet Protocol
Source: biko (10.0.0.2)
Destination: genisis (10.0.0.1)
Transmission Control Protocol, Src Port: blackjack (1025), Dst Port: telnet (23), Seq: 3205630181, Ack: 0
Source port: blackjack (1025)
Destination port: telnet (23)
Sequence number: 3205630181
Header length: 24 bytes
Flags: 0x0002 (SYN)
Window size: 16384
Checksum: 0x7814
Options: (4 bytes)
Maximum segment size: 1460 bytes

Frame 11 (58 on wire, 58 captured)
Internet Protocol
Source: genisis (10.0.0.1)
Destination: biko (10.0.0.2)
Transmission Control Protocol, Src Port: telnet (23), Dst Port: blackjack (1025), Seq: 1746119590, Ack: 3205630182
Source port: telnet (23)
Destination port: blackjack (1025)
Sequence number: 1746119590
Acknowledgement number: 3205630182
Header length: 24 bytes
Flags: 0x0012 (SYN, ACK)
Window size: 17520
Checksum: 0x5fd9
Options: (4 bytes)
Maximum segment size: 1460 bytes

Because both computers were cabled onto the same LAN, they both understood and agreed upon a MSS of 1,460 bytes. Note that this is a maximum "segment" size, meaning a segment of data without including the extra bytes needed for the headers and frame. In this example, both hosts agreed that they wouldn't send a segment of data that was bigger than a 1,460-byte chunk.

What would happen if these two same hosts were not on the same LAN and their packets had to pass through a network that could only accept frames with a maximum transmission unit (MTU) size of 576 bytes? Because the two end hosts had already agreed upon a segment size of 1,460 bytes, they would be creating their IP packets accordingly. When these IP packets arrive at the router, which is cabled to the network with the smaller MTU, it will have to re-package every packet into smaller segments that will fit into the smaller size frames of that network. The destination host will then have to reassemble all of the fragmented packets back into the original agreed-upon sized segment. This creates more work and definitely slows things down.

To help prevent this, TCP uses something called Path-MTU Discovery. TCP will send out IP packets using the agreed MSS size, but will set the DF (don't fragment) bit to 1. If this packet is received by a router that needs to fragment the packet so that it will fit over a network that uses smaller-sized frames, the router will respond with an ICMP Type 3 Code 4 packet which translates to "destination unreachable as fragmentation needed" and "DF bit set." When the host receives this ICMP packet, it knows that it needs to start sending smaller packets.

You can read more about Path-MTU Discovery here.

The last ICMP type I'd like to cover is Source Quench, or ICMP Type 4 Code 0. This message is sent whenever a router is being overwhelmed by packets. It basically tells the host to slow down the rate it is sending packets so it can have a chance to deal with the packets it has already received. This is an important message -- if the host does not slow down its transmission rate, the router will run out of buffer space to store packets and will have to start throwing packets away. Every packet that is thrown away will have to be re-transmitted which will make the original situation worse.

The ICMP types we've covered do have implications when you start creating packet filter rules on your FreeBSD system. Next week we will start looking at creating these rules, so I'd like to summarize the ICMP types and codes that we'll need to be mindful of:
ICMP Type   Code   Used By
0           0      Ping
3           4      Path-MTU Discovery
4           0      Source Quench
8           0      Ping
11          0      traceroute
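To show how the identifier and sequence fields pair the echo-request/echo-reply packets described above, and how the type/code pairs in the table are recognized, here is an added Python example that is not part of the column. The packets are constructed in the script rather than captured; the identifier 0xdd00 and sequence numbers 0 to 2 mirror the text's example.

```python
import struct

# Type/code pairs from the summary table: the ICMP a packet filter must allow for.
ICMP_USED_BY = {
    (0, 0): "Ping (echo reply)",
    (3, 4): "Path-MTU Discovery (fragmentation needed, DF set)",
    (4, 0): "Source Quench",
    (8, 0): "Ping (echo request)",
    (11, 0): "traceroute (time to live exceeded in transit)",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (header + data)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, data: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (rest = header bytes 4..7)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + data


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Echo request (type 8) or reply (type 0): identifier and sequence fill bytes 4..7."""
    return build_icmp(icmp_type, 0, struct.pack("!HH", ident, seq), data)


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte header, verify the checksum and classify the type/code pair."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if icmp_checksum(msg) != 0:  # a valid message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code,
            "used_by": ICMP_USED_BY.get((icmp_type, code), "other")}
    if icmp_type in (0, 8):  # only echo messages carry identifier + sequence
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    return info


def match_echoes(packets):
    """Pair echo replies with the requests they answer, keyed on (identifier, sequence).

    Returns (answered, unanswered): the (id, seq) keys that got a reply, and the requests
    still waiting, so a lossy path shows up as gaps in the sequence numbers.
    """
    pending, answered = {}, []
    for pkt in packets:
        h = parse_icmp(pkt)
        if h["type"] == 8:
            pending[(h["id"], h["seq"])] = h
        elif h["type"] == 0 and pending.pop((h["id"], h["seq"]), None) is not None:
            answered.append((h["id"], h["seq"]))
    return answered, sorted(pending)


# Constructed sample (not a real capture): one ping run with identifier 0xdd00 and
# sequence numbers 0, 1, 2 whose third reply never came back, plus a router's
# "time exceeded" message as traceroute would see it.
PING_ID = 0xDD00
SAMPLE_PACKETS = [
    build_echo(8, PING_ID, 0), build_echo(0, PING_ID, 0),
    build_echo(8, PING_ID, 1), build_echo(0, PING_ID, 1),
    build_echo(8, PING_ID, 2),
    build_icmp(11, 0, data=b"\x45\x00" + b"\x00" * 26),  # stand-in for the quoted IP header
]
```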

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Satpam (security guard) part 2

| Thursday, September 27, 2007

Satpam (security guard) 1

| Wednesday, September 26, 2007

Security professionals break the term security into three parts: confidentiality, integrity, and availability.
1. Confidentiality
Confidentiality is all about determining the appropriate level of access to information. Access rights for data/files/folders.

2. Integrity
No loss of data (the data stays intact, without any modification).

3. Availability
Availability of the data that will be accessed; this leads to thinking about backing up the data or the system.

Risk identification
1. Attack
An attack against a system is an intentional attempt to bypass system security controls or organizational policies to affect the operation of the system (active attack) or gain access to information (passive attack). Attacks can be classified into insider attacks in which someone from within an organization who is authorized to access a system uses it in an unauthorized way, or outsider attacks, which originate outside of the organization's security perimeter, perhaps on the Internet at large.
In order for active and passive attacks to succeed, something must be at fault. Attacks necessarily leverage fundamental behavioral problems in software, improper configuration and use of software, or both. In this chapter, we examine these classes of attacks including the special-case denial of service (DoS) attack.

2. Software problems
2.1 Buffer overflow
2.2 SQL injection
There are, of course, ways to defend against SQL injection attacks from within web applications. One common approach is to parse every value provided by the user. Make sure it doesn't contain any undesirable characters like backticks, quotes, semi-colons, and so on. Also ensure that the valid characters are appropriate for the value being returned. To get around the problem completely, developers may be able to use stored procedures and avoid dynamically creating SQL.
2.3 Other software problems

Protection:

Being aware of vulnerabilities is a good first step.
Install third-party software that is known to have few bugs.
Follow the mailing lists diligently.
Always apply patches.
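An added example (not from the post) of the advice in 2.2: the dynamically built query beside a lookup that whitelists the value and then binds it as a parameter. The users table, its rows and the crafted input are constructed here with SQLite and are not from the post.

```python
import re
import sqlite3

# Positive validation, as the text advises: a user name may only contain these characters,
# so quotes, backticks and semicolons are rejected before any SQL is built.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def valid_username(value: str) -> bool:
    """Accept only values that look like a user name (a whitelist, not a blacklist)."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("rahma", "rahma@example.invalid"), ("ainoer", "ainoer@example.invalid")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str):
    """The pattern the text warns about: the statement is assembled from user input,
    so a quote in the input changes the meaning of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """The fix: validate first, then bind the value so the engine never parses it as SQL."""
    if not valid_username(name):
        return []
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()
```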

3. DoS attack
DoS attacks are active—they seek to consume system resources and deny the availability of your systems to legitimate users. The root cause of a system or network being vulnerable to a DoS attack may be based on a software vulnerability, as a result of improper configuration and use, or both. DoS attacks can be devastating, and depending on how they are carried out, it can be very difficult to find the source. DoS attacks have a diverse list of possible targets.

Target: physical
DoS attacks can occur at the physical layer. In an 802.11 wireless network, an attacker can flood the network by transmitting garbage in the same frequency band as the 802.11 radios.

Target: network
At the data link and network layers, traffic saturation can interfere with legitimate communications. Flooding a network with illegitimate and constantly changing arp requests can place an extreme burden on networking devices and confuse hosts. Attempting to push a gigabit of data per second through a 100 Mbps pipe will effectively overrun any legitimate network traffic. Too much traffic is perhaps the quintessential example of a DoS attack.

Target: application
These DoS attacks generally use up some finite resource on a host such as CPU, memory, or disk I/O. An attacker may send several application requests to a single host in order to cause the application to consume an excessive amount of system resources.
She may simply exploit a bug in code once that causes the application to spiral out of control or simply crash. Some services that fork daemons at every new connection may be subject to a DoS if tens or hundreds of thousands of connections are made within a short period of time.

Protection:
Physical -> use a load balancer
Network -> IDS hosts may be used to help detect these kinds of attacks and automatically update firewall or router configurations to drop the traffic
Application -> secure architecture and build, controlled maintenance, and monitoring of logs.

4. Poor configuration.
4.1 Careless configuration
4.2 Account access.
File permissions, setuid (grants access based on the id, not on the user name).
-r-sr-xr-x 1 root wheel 23392 Jun 4 21:57 traceroute

To find setuid and setgid files on your BSD system, run the following command:

% find / -type f \( -perm -2000 -o -perm -4000 \) -print

Securing apache part 2

| Thursday, September 20, 2007

1. Listen port
If there are several IPs, be specific with Listen : IPV4:80

TimeOut (300 seconds): can be reduced (DoS attack issue).
KeepAliveTimeout (5 seconds): can be reduced, but do not disable it.
LimitRequestBody (0 bytes, unlimited): restricts the total size of the HTTP request body sent from the client. If DoS attacks are occurring as a result of large requests, limit the request size.
LimitRequestFields (100 fields): limits the number of HTTP request header fields that will be accepted from the client. If DoS attacks are occurring as a result of too many HTTP request headers, lower this number.
LimitRequestFieldSize (8190 bytes): limits the size of the HTTP request header allowed from the client.
LimitRequestLine (8190 bytes): sets the number of bytes that will be allowed on the HTTP request-line.
MaxClients (256 requests): sets the limit on the number of simultaneous requests that will be served.

Securing apache


How to secure Apache, part 1:
1. Make sure the latest security patches are installed.
2. Hide information about the server by adding the following lines to httpd.conf:
ServerSignature Off
ServerTokens Prod
3. Do not run Apache as an administrative user; create a separate user and group instead, e.g. user www, group www.
4. To block Apache from accessing anything outside its document root, do the following:

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory "/path/to/DocumentRoot">
    Order Allow,Deny
    Allow from all
</Directory>

To disable directory browsing, add the following to the document root's <Directory> block (the one after <Directory />):
Options -Indexes

To disable server side includes, add the following to the same <Directory> block:
Options -Includes

It can also be done like this: Options -ExecCGI -FollowSymLinks -Indexes
Or, to disable everything at once, just use Options None.

5. Turn off support for .htaccess files
Add AllowOverride None to the <Directory> block.

Note:
If you do use Overrides, make sure the .htaccess file cannot be downloaded, or rename it to something other than .htaccess. For example, we can rename it to .httpdoverride and block all access so that files starting with .ht cannot be downloaded, as follows:

AccessFileName .httpdoverride

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>


6. Disable modules that are not needed:
grep LoadModule httpd.conf
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex
Those modules are usually rarely needed.

7. Make sure only root has access rights to the binaries and config files
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

8. Reduce the Timeout value to mitigate DoS attacks
Timeout 60

9. Limiting large requests
LimitRequestBody 1048576 (limits uploads to 1 MB)

10. Limiting Concurrency
Apache has several settings for handling concurrent requests :P.
MaxClients: the maximum number of child processes that will be created to serve requests. Do not set it too high if your memory is limited.

Other directives are MaxSpareServers, MaxRequestsPerChild, ThreadsPerChild, ServerLimit and MaxSpareThreads. Tune them to your OS and system hardware.

11. Restricting web access to a particular IP / network

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

12. KeepAlive setting
The default is On. It can be tuned with MaxKeepAliveRequests 100 and KeepAliveTimeout 15. Check the logs and adjust to your needs.

13. If you are already used to chroot or jail, even better :P.

I swear this isn't my own tinkering :P, it's a collection of Googling results and trial and error :P.
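As an added example (not the posts' own code), a small Python checker that parses an httpd.conf fragment and flags the directives the two "Securing Apache" posts above discuss. The two sample configurations are constructed here, the DocumentRoot path is a placeholder, and the defaults it assumes for absent directives are the ones the posts quote.

```python
import re

RISKY_OPTIONS = {"All", "Indexes", "Includes", "ExecCGI", "FollowSymLinks"}


def options_enabled(value: str) -> bool:
    """True if an Options value switches on a risky feature ('All' turns everything on)."""
    for tok in value.split():
        if not tok.startswith("-") and tok.lstrip("+") in RISKY_OPTIONS:
            return True
    return False


# (directive, default assumed when absent, predicate on the value, advice); defaults are
# the ones the posts quote, None means the directive is only judged when it is present.
CHECKS = [
    ("ServerTokens", "Full", lambda v: v.lower() == "prod", "set to Prod"),
    ("ServerSignature", "Off", lambda v: v.lower() == "off", "set to Off"),
    ("Timeout", "300", lambda v: int(v) <= 60, "lower to 60 or less"),
    ("LimitRequestBody", "0", lambda v: 0 < int(v) <= 1048576, "0 is unlimited; cap at 1 MB"),
    ("AllowOverride", None, lambda v: v.lower() == "none", "set to None"),
    ("Options", None, lambda v: not options_enabled(v), "use None, or -Indexes -Includes -ExecCGI -FollowSymLinks"),
]


def parse_httpd_conf(text: str):
    """Flatten httpd.conf into (container, directive, value); container is e.g. 'Directory /'."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag:  # container open/close: maintain the nesting stack
            if tag.group(1):
                stack.pop()
            else:
                stack.append(f"{tag.group(2)} {tag.group(3).strip()}".replace('"', "").strip())
            continue
        parts = line.split(None, 1)
        entries.append((stack[-1] if stack else "", parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def audit(text: str):
    """Apply CHECKS to a config and return one finding string per failing directive."""
    entries = parse_httpd_conf(text)
    findings = []
    for name, default, ok, advice in CHECKS:
        hits = [(ctx, val, "") for ctx, n, val in entries if n.lower() == name.lower()]
        if not hits and default is not None:
            hits = [("", default, " (default)")]  # absent: Apache's default applies
        for ctx, value, note in hits:
            if not ok(value):
                where = f"in <{ctx}>" if ctx else "at server level"
                findings.append(f"{name} = {value}{note} {where}: {advice}")
    return findings


# Constructed sample configs: WEAK keeps the old defaults, HARDENED applies the posts' advice.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
<Directory />
    Options All
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
Timeout 60
LimitRequestBody 1048576
<Directory />
    Options -ExecCGI -FollowSymLinks -Indexes
    AllowOverride None
</Directory>
"""
```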

Blocking MAC addresses

| Thursday, September 06, 2007

Add the following line to sysctl.conf (to enable filtering at layer 2)
# sysctl net.link.ether.ipfw=1

Example:
# ipfw -q add 2 deny mac 00:21:E8:21:A4:BD any
Deny from any source MAC address to destination MAC address 00:21:E8:21:A4:BD.
As explained in its manual...
{ MAC | mac } dst-mac src-mac.

For the full details, check this out: http://www.hmug.org/man/8/ipfw.php

Ports in FreeBSD

| Saturday, August 25, 2007

cd /usr/ports/ports-mgmt/portupgrade
make install clean
It's now possible to update all the software on the system by running the command:
portupgrade -ai

portaudit
which shows the published vulnerabilities affecting the packages installed on your system
As the superuser root, run:
cd /usr/ports/ports-mgmt/portaudit
and then
make install clean

It's now possible to update the vulnerabilities database and audit the installed packages by running the command:
portaudit -Fa

Here are some tricks you may find useful:
to show the differences between the version of the installed packages and the ones of the ports collection currently present on the system, run:
pkg_version -v

to print some information about a port, like its dependencies, for example for asterisk, run, in the /usr/ports folder, the command:
make search name=asterisk

to print the dependencies of an installed package, for example of gmake, run:
pkg_info -xr gmake


to print the dependencies of a package, even one that is not installed, for example proftpd, run, in the folder of its port, the command:
make pretty-print-build-depends-list
but first you have to run, in the /usr/ports folder, the command:
make index
which, after a while, will build an index with the information about the packages

And if, for example, the package portupgrade is installed, its manual can be viewed by running:
man portupgrade

bwD

| Thursday, August 23, 2007

libpcap from http://www.tcpdump.org/
libpng from http://www.libpng.org/
libgd from http://www.boutell.com/gd/

Download libpcap from http://www.tcpdump.org/ and install it

zlib – Free open source compression library
fetch http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make && make install

libpng – PNG reference library for creating graphics / images

fetch http://easynews.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.10.tar.gz
tar xvf libpng-1.2.10.tar.gz
cd libpng-1.2.10
./configure
make && make install

fetch http://www.boutell.com/gd/http/gd-2.0.33.tar.gz
tar xvf gd-2.0.33.tar.gz
cd gd-2.0.33
./configure --disable-shared --with-gd-lib=/usr/local/lib --with-gd-inc=/usr/local/include/
make
make install

Download bandwidthd-2.0.1.tgz
./configure && make && make install
ee /usr/local/bandwidthd/etc/bandwidthd.conf
subnet 10.10.10.0/25
dev "rl0"

Run /usr/local/bandwidthd/bandwidthd; it will create /usr/local/bandwidthd/htdocs.
Point the web server's document directory to that folder and start the web server.

^___________^

FreeRadius and MySQL


INSTALL mySQL:
First install MySQL; I am using MySQL 5.
Once installed, start it and set it to start automatically at reboot.

INSTALL FreeRadius:
cd /usr/ports/net/freeradius
% make && make install
Select MySQL support and SNMP (optional).

CONFIGURE freeRADIUS:
% cd /usr/local/etc/raddb
Make sure the following files exist

% clients.conf (the basic config is enough, using localhost)

% users
For a first test, add the line
ainoer Auth-Type := Local, User-Password == "testpass"

% cp snmp.conf.sample snmp.conf
% cp sql.conf.sample sql.conf
% cp huntgroups.sample huntgroups
% cp dictionary.sample dictionary
% cp hints.sample hints
% cp acct_users.sample acct_users
% cp preproxy_users.sample preproxy_users


% cp radiusd.conf.sample radiusd.conf
Edit radiusd.conf,
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

% radiusd -X &
% radtest ainoer testpass localhost 1812 testing123

If it works, you will see something like:
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=119, length=20


CREATE DATABASE & TABLES
Log in to MySQL and create a database named radius.
Find the file named db_mysql.sql, then import it into the database.
/bin/mysql -u root radius < /usr/local/share/examples/freeradius/db_mysql.sql

Insert the following records:
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('rahma', 'Password', 'passku');
INSERT INTO radgroupcheck (GroupName, Attribute, Value) VALUES ('dynamic', 'Auth-Type', 'Local');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-Protocol', ':=', 'PPP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Service-Type', ':=', 'Framed-User');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-MTU', ':=', '1500');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Assign-IP-Pool', ':=', '0');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Maximum-Time', ':=', '7200');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Route-IP', ':=', 'Route-IP-Yes');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Idle-Timeout', ':=', '1800');
INSERT INTO usergroup (UserName, GroupName) VALUES ('rahma', 'dynamic');

select * from radcheck;
+----+----------+-----------+----+--------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+--------+
| 1 | rahma | Password | == | passku |
+----+----------+-----------+----+--------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
| 1 | dynamic | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+

select * from radgroupreply;
+----+-----------+-------------------------+----+---------------------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-------------------------+----+---------------------+------+
| 1 | dynamic | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 |
| 2 | dynamic | Framed-Protocol | := | PPP | 0 |
| 3 | dynamic | Service-Type | := | Framed-User | 0 |
| 4 | dynamic | Framed-MTU | := | 1500 | 0 |
| 5 | dynamic | X-Ascend-Assign-IP-Pool | := | 0 | 0 |
| 6 | dynamic | X-Ascend-Maximum-Time | := | 7200 | 0 |
| 7 | dynamic | X-Ascend-Route-IP | := | Route-IP-Yes | 0 |
| 8 | dynamic | Idle-Timeout | := | 1800 | 0 |
+----+-----------+-------------------------+----+---------------------+------+

select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| rahma | dynamic | 1 |
+----------+-----------+----------+


% cd /usr/local/etc/raddb/
Edit sql.conf
Fill in the database password (root with password = "" if none has been set yet)

Edit radiusd.conf.
In the authorize{} section:
remove the # in front of 'sql'
In the accounting {} section:
remove the # in front of 'sql' in accounting{}.

In post-auth {}:
remove the # in front of 'sql'
Uncomment the last 3 lines of post-auth and change them to the sql module:

Post-Auth-Type REJECT {
sql
}
kill & restart in debug.
% radiusd -X

Good luck trying it ;)

Edited:

It turns out something was missing: in the setup above the MySQL database still had no password..
After setting a password and running it again, there was an error...
rlm_sql_mysql: Mysql error 'Client does not support authentication please upgrade mysql client etc..

Let's check the library:
# ldd /usr/local/lib/rlm_sql_mysql.so
/usr/local/lib/rlm_sql_mysql.so:
libmysqlclient.so.12 => /usr/local/lib/mysql/libmysqlclient.so.12 (0x28157000)
libz.so.2 => /lib/libz.so.2 (0x28177000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x28187000)
libm.so.3 => /lib/libm.so.3 (0x2819f000)
libc.so.5 => /lib/libc.so.5 (0x28079000)
That looks fine.. but why.. surely I don't have to upgrade the MySQL client, the version is already 5.0, that shouldn't be necessary.. don't just trust the warning :P .. let me Google first..
After some headaches I remembered the pureftpd installation with MySQL.. so I gave it a try..
# cd /usr/local/mysql/lib/mysql/
# cp * /usr/local/lib

Yay! Alhamdulillah.. it works, folks..