Satpam 1
satpam | Wednesday, September 26, 2007
Security professionals break the term security into three parts: confidentiality, integrity, and availability.
1. Confidentiality (secrecy)
Confidentiality is all about determining the appropriate level of access to information: access rights to data, files and folders.
2. Integrity (wholeness)
No data is lost (the data stays intact, without any modification).
3. Availability
The availability of the data to be accessed, which leads to thinking about backing up data or systems.
Risk identification
1. Attack
An attack against a system is an intentional attempt to bypass system security controls or organizational policies to affect the operation of the system (active attack) or gain access to information (passive attack). Attacks can be classified into insider attacks, in which someone from within an organization who is authorized to access a system uses it in an unauthorized way, or outsider attacks, which originate outside of the organization's security perimeter, perhaps on the Internet at large.
In order for active and passive attacks to succeed, something must be at fault. Attacks necessarily leverage fundamental behavioral problems in software, improper configuration and use of software, or both. In this chapter, we examine these classes of attacks including the special-case denial of service (DoS) attack.
2. Software problems
2.1 Buffer overflow
2.2 SQL injection
There are, of course, ways to defend against SQL injection attacks from within web applications. One common approach is to parse every value provided by the user. Make sure it doesn't contain any undesirable characters like backticks, quotes, semi-colons, and so on. Also ensure that the valid characters are appropriate for the value being returned. To get around the problem completely, developers may be able to use stored procedures and avoid dynamically creating SQL.
2.3 Other software problems
Protection:
Being aware of vulnerabilities is a good first step.
Install third-party software that is known to have few bugs.
Follow the mailing lists diligently.
Always apply patches.
3. DoS attack
DoS attacks are active—they seek to consume system resources and deny the availability of your systems to legitimate users. The root cause of a system or network being vulnerable to a DoS attack may be based on a software vulnerability, as a result of improper configuration and use, or both. DoS attacks can be devastating, and depending on how they are carried out, it can be very difficult to find the source. DoS attacks have a diverse list of possible targets.
Target: physical
DoS attacks can occur at the physical layer. In an 802.11 wireless network, an attacker can flood the network by transmitting garbage in the same frequency band as the 802.11 radios.
Target: network
At the data link and network layers, traffic saturation can interfere with legitimate communications. Flooding a network with illegitimate and constantly changing ARP requests can place an extreme burden on networking devices and confuse hosts. Attempting to push a gigabit of data per second through a 100 Mbps pipe will effectively overrun any legitimate network traffic. Too much traffic is perhaps the quintessential example of a DoS attack.
Target: application
These DoS attacks generally use up some finite resource on a host such as CPU, memory, or disk I/O. An attacker may send several application requests to a single host in order to cause the application to consume an excessive amount of system resources.
She may simply exploit a bug in the code once, causing the application to spiral out of control or simply crash. Some services that fork daemons at every new connection may be subject to a DoS if tens or hundreds of thousands of connections are made within a short period of time.
Protection:
Physical -> use a load balancer
Network -> IDS hosts may be used to help detect these kinds of attacks and automatically update firewall or router configurations to drop the traffic.
Application -> secure architecture and build, controlled maintenance, and monitoring logs.
4. Poor configuration
4.1 Careless configuration
4.2 Account access
File permissions and setuid (access is granted to the ID only, not to the user name).
-r-sr-xr-x 1 root wheel 23392 Jun 4 21:57 traceroute
To find setuid and setgid files on your BSD system, run the following command:
% find / -type f \( -perm -2000 -o -perm -4000 \) -print
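Going one step beyond the one-off find above, the script below (an added example, not part of the original post) records the setuid/setgid files under a directory and reports any that appear later compared with a saved baseline. The helper names suid_scan, suid_new and suid_demo are assumptions made for this example, and the demo tree is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: baseline and re-check of setuid/setgid files.
# suid_scan, suid_new and suid_demo are hypothetical helper names.

# Print "BITS<TAB>OWNER<TAB>PATH" for every setuid/setgid regular file under $1.
# -xdev stays on one filesystem, so other mounts are not walked.
suid_scan() {
    find "$1" -xdev -type f \( -perm -2000 -o -perm -4000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        bits=""
        [ -u "$f" ] && bits="setuid"
        [ -g "$f" ] && bits="${bits:+$bits,}setgid"
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        printf '%s\t%s\t%s\n' "$bits" "$owner" "$f"
    done | LC_ALL=C sort
}

# Print entries that are in the current scan ($2) but not in the baseline ($1).
# A file whose bits or owner changed shows up too, because its whole line differs.
suid_new() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Demonstration on a constructed tree: one expected setuid file in the baseline,
# then a second setuid file that appears afterwards.
suid_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tree"
    printf '#!/bin/sh\n' > "$d/tree/ping";   chmod 4555 "$d/tree/ping"
    printf 'plain file\n' > "$d/tree/notes"; chmod 644 "$d/tree/notes"
    suid_scan "$d/tree" > "$d/baseline"
    printf '#!/bin/sh\n' > "$d/tree/helper"; chmod 4755 "$d/tree/helper"
    suid_scan "$d/tree" > "$d/current"
    # Show only the file name of each new entry.
    suid_new "$d/baseline" "$d/current" | cut -f3 | sed 's|.*/||'
    rm -rf "$d"
}

# On a real host: run suid_scan / once and keep the output as the baseline,
# then compare later scans against it with suid_new.
suid_demo    # prints: helper
```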
Securing apache part 2
| Thursday, September 20, 2007
1. Listen port
If the server has several IP addresses, specify which one to listen on with Listen IPV4:80
Directive | Default | Notes |
TimeOut | 300 seconds | can be lowered (DoS attack concern) |
KeepAliveTimeout | 5 seconds | can be lowered, but do not disable it. |
LimitRequestBody | 0 bytes (unlimited) | Restricts the total size of the HTTP request body sent from the client. If DoS attacks are occurring as a result of large requests, limit request size. |
LimitRequestFields | 100 fields | Limits the number of HTTP request header fields that will be accepted from the client. If DoS attacks are occurring as a result of too many HTTP request headers, lower this number. |
LimitRequestFieldSize | 8190 bytes | Limits the size of the HTTP request header allowed from the client. |
LimitRequestLine | 8190 bytes | This directive sets the number of bytes that will be allowed on the HTTP request-line. |
MaxClients | 256 requests | Sets the limit on the number of simultaneous requests that will be served. |
Securing apache
How to secure Apache, part 1:
1. Make sure the latest security patches are installed.
2. Hide information about the server by adding the following lines to httpd.conf:
ServerSignature Off
ServerTokens Prod
3. Do not run Apache as an administrative user; create a separate user and group instead, for example user www and group www.
4. To keep Apache from accessing anything outside its document root, do the following (replace /path/to/document/root with your own DocumentRoot):
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /path/to/document/root>
Order Allow,Deny
Allow from all
</Directory>
To disable directory browsing, add the following inside the <Directory> block:
Options -Indexes
To disable server-side includes, add the following inside the <Directory> block:
Options -Includes
It can also be written like this: Options -ExecCGI -FollowSymLinks -Indexes
Or, to disable everything at once, simply use Options None.
5. Turn off support for .htaccess files
Add AllowOverride None inside the <Directory> block.
Note:
If you do use overrides, make sure the .htaccess file cannot be downloaded, or change its name to something other than .htaccess. For example, rename it to .httpdoverride and block all access so that files starting with .ht cannot be downloaded, as follows:
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
6. Disable modules you do not need:
grep LoadModule httpd.conf
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex
These modules are rarely needed.
7. Make sure only root has access to the binaries and configuration files:
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
8. Lower the Timeout value to mitigate DoS attacks
Timeout 60
9. Limiting large requests
LimitRequestBody 1048576 (limits uploads to 1 MB)
10. Limiting Concurrency
Apache has several settings for handling requests that arrive all at once :P.
MaxClients: the maximum number of child processes that will be created to serve requests. Do not set it too high if your memory is limited.
Other directives are MaxSpareServers, MaxRequestsPerChild, ThreadsPerChild, ServerLimit and MaxSpareThreads. Tune these to your OS and hardware.
11. Restricting web access to particular IPs / networks
Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16
12. KeepAlive setting
It is on by default. It can be set to MaxKeepAliveRequests 100 and KeepAliveTimeout 15. Check the logs and adjust to your needs.
13. If you are already used to chroot or jails, so much the better :P.
I swear this is not the result of my own tinkering :P; it is a collection of things found by googling and trying them out :P.
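The checklist above and the directive table in "Securing apache part 2" can be checked mechanically. The script below is an added example, not part of the original posts: it reads an httpd.conf and prints one finding for each setting that differs from what the posts recommend. The names apache_audit, weak_conf and hard_conf are assumptions, and both sample configurations are constructed for the example.

```sh
#!/bin/sh
# Added example: check an httpd.conf against the settings listed in the posts.
# apache_audit, weak_conf and hard_conf are hypothetical names; both sample
# configurations are constructed for this example.

# Reads a configuration on stdin (or from file arguments) and prints one
# finding per line; no output means every check passed.
apache_audit() {
    awk '
    BEGIN {
        # Values assumed when a directive is absent: Timeout and
        # LimitRequestBody as in the table in "Securing apache part 2",
        # ServerTokens Full and ServerSignature Off as in the Apache 2.x docs.
        tok = "full"; sig = "off"; timeout = 300; body = 0
    }
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    { d = tolower($1) }                      # directive names are case-insensitive
    d == "servertokens"     { tok = tolower($2) }
    d == "serversignature"  { sig = tolower($2) }
    d == "timeout"          { timeout = $2 + 0 }
    d == "limitrequestbody" { body = $2 + 0 }
    d == "options" {
        for (i = 2; i <= NF; i++) {
            o = tolower($i)
            if (o ~ /^-/) continue           # "-Indexes" switches the option off
            sub(/^[+]/, "", o)
            if (o == "indexes" || o == "includes" || o == "execcgi" || o == "all")
                printf "line %d: Options enables %s\n", NR, $i
        }
    }
    d == "allowoverride" && tolower($2) != "none" {
        printf "line %d: AllowOverride %s lets .htaccess files override the configuration\n", NR, $2
    }
    END {
        if (tok != "prod" && tok != "productonly")
            print "ServerTokens: " tok " (want Prod)"
        if (sig != "off")
            print "ServerSignature: " sig " (want Off)"
        if (timeout > 60)
            print "Timeout: " timeout " seconds (the post uses 60)"
        if (body == 0)
            print "LimitRequestBody: 0, request bodies are unlimited"
    }' "$@"
}

# Constructed sample with permissive settings.
weak_conf() {
    cat <<'EOF'
# constructed sample: permissive settings
ServerTokens Full
ServerSignature On
Timeout 300
<Directory "/usr/local/www/data">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
}

# Constructed sample that follows the checklist in the post.
hard_conf() {
    cat <<'EOF'
# constructed sample: settings from the checklist
ServerSignature Off
ServerTokens Prod
Timeout 60
LimitRequestBody 1048576
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory "/usr/local/www/data">
    Order Allow,Deny
    Allow from all
    Options -Indexes -Includes -ExecCGI
</Directory>
EOF
}

weak_conf | apache_audit    # prints six findings
hard_conf | apache_audit    # prints nothing
```

The audit looks only at explicit directives in the text it is given; files pulled in with Include and settings in .htaccess files have to be passed to it separately.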
Blocking a MAC address
tembokgeni | Thursday, September 06, 2007
Add the following line to sysctl.conf (to enable filtering at layer 2):
# sysctl net.link.ether.ipfw=1
Example:
# ipfw -q add 2 deny mac 00:21:E8:21:A4:BD any
Deny from any source MAC address to destination MAC address 00:21:E8:21:A4:BD.
As explained in the manual...
{ MAC | mac } dst-mac src-mac.
For the full details, check this out: http://www.hmug.org/man/8/ipfw.php
Ports on FreeBSD
cd /usr/ports/ports-mgmt/portupgrade
make install clean
It's now possible to update all the software on the system by running the command:
portupgrade -ai
portaudit
which shows the published vulnerabilities affecting the packages installed on your system
As the superuser root, run:
cd /usr/ports/ports-mgmt/portaudit
and then
make install clean
It's now possible to update the vulnerabilities database and audit the installed packages by running the command:
portaudit -Fa
Those are some tricks you may find useful:
to show the differences between the version of the installed packages and the ones of the ports collection currently present on the system, run:
pkg_version -v
to print some information about a port, such as its dependencies, for example for asterisk, run, in the /usr/ports folder, the command:
make search name=asterisk
to print the dependencies of an installed package, for example of gmake, run:
pkg_info -xr gmake
to print the dependencies of a package, even one that is not installed, for example proftpd, run, in the folder of its port, the command:
make pretty-print-build-depends-list
but first you have to run, in the /usr/ports folder, the command:
make index
which, after a while, will build an index with the information about the packages
And if, for example, the package portupgrade is installed, its manual can be viewed by running:
man portupgrade
bwD
NMS | Thursday, August 23, 2007
libpcap from http://www.tcpdump.org/
libpng from http://www.libpng.org/
libgd from http://www.boutell.com/gd/
Download libpcap from http://www.tcpdump.org/ and install it
zlib – Free open source compression library
fetch http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make && make install
libpng – PNG reference library for creating graphics / images
fetch http://easynews.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.10.tar.gz
tar xvf libpng-1.2.10.tar.gz
cd libpng-1.2.10
./configure
make && make install
fetch http://www.boutell.com/gd/http/gd-2.0.33.tar.gz
tar xvf gd-2.0.33.tar.gz
cd gd-2.0.33
./configure --disable-shared --with-gd-lib=/usr/local/lib --with-gd-inc=/usr/local/include/
make
make install
Download bandwidthd-2.0.1.tgz
./configure && make && make install
ee /usr/local/bandwidthd/etc/bandwidthd.conf
subnet 10.10.10.0/25
dev "rl0"
Run /usr/local/bandwidthd/bandwidthd; it will create /usr/local/bandwidthd/htdocs.
Point the web server's document directory at that folder and start the web server.
^___________^
FreeRADIUS and MySQL
radius |
INSTALL MySQL:
First install MySQL; I am using MySQL 5.
Once that is done, start it and set it to start automatically at boot.
INSTALL FreeRADIUS:
cd /usr/ports/net/freeradius
% make && make install
Select MySQL support and SNMP (optional).
CONFIGURE FreeRADIUS:
% cd /usr/local/etc/raddb
Make sure the following files exist:
% clients.conf (the basic configuration is enough, and it uses localhost)
% users
For the first test, add the line:
ainoer Auth-Type := Local, User-Password == "testpass"
% cp snmp.conf.sample snmp.conf
% cp sql.conf.sample sql.conf
% cp huntgroups.sample huntgroups
% cp dictionary.sample dictionary
% cp hints.sample hints
% cp acct_users.sample acct_users
% cp preproxy_users.sample preproxy_users
% cp radiusd.conf.sample radiusd.conf
Edit radiusd.conf:
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
% radiusd -X &
% radtest ainoer testpass localhost 1812 testing123
If it succeeds, you will see something like this:
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=119, length=20
CREATE DATABASE & TABLES
Log in to MySQL and create a database named radius.
Find the file named db_mysql.sql and import it into the database.
/bin/mysql -u root radius < /usr/local/share/examples/freeradius/db_mysql.sql
Insert the following records:
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('rahma', 'Password', 'passku');
INSERT INTO radgroupcheck (GroupName, Attribute, Value) VALUES ('dynamic', 'Auth-Type', 'Local');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-Protocol', ':=', 'PPP');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Service-Type', ':=', 'Framed-User');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Framed-MTU', ':=', '1500');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Assign-IP-Pool', ':=', '0');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Maximum-Time', ':=', '7200');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'X-Ascend-Route-IP', ':=', 'Route-IP-Yes');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES ('dynamic', 'Idle-Timeout', ':=', '1800');
INSERT INTO usergroup (UserName, GroupName) VALUES ('rahma', 'dynamic');
select * from radcheck;
+----+----------+-----------+----+--------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+--------+
| 1 | rahma | Password | == | passku |
+----+----------+-----------+----+--------+
mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
| 1 | dynamic | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+
select * from radgroupreply;
+----+-----------+-------------------------+----+---------------------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-------------------------+----+---------------------+------+
| 1 | dynamic | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 |
| 2 | dynamic | Framed-Protocol | := | PPP | 0 |
| 3 | dynamic | Service-Type | := | Framed-User | 0 |
| 4 | dynamic | Framed-MTU | := | 1500 | 0 |
| 5 | dynamic | X-Ascend-Assign-IP-Pool | := | 0 | 0 |
| 6 | dynamic | X-Ascend-Maximum-Time | := | 7200 | 0 |
| 7 | dynamic | X-Ascend-Route-IP | := | Route-IP-Yes | 0 |
| 8 | dynamic | Idle-Timeout | := | 1800 | 0 |
+----+-----------+-------------------------+----+---------------------+------+
select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| rahma | dynamic | 1 |
+----------+-----------+----------+
% cd /usr/local/etc/raddb/
Edit sql.conf
Fill in the database password (root with pass = "" if no password has been set yet).
Edit radiusd.conf.
In the authorize {} section:
Remove the # in front of 'sql'
In the accounting {} section:
Remove the # in front of 'sql'
In the post-auth {} section:
Remove the # in front of 'sql'
Remove the # from the last 3 lines of post-auth and change them to the sql module:
Post-Auth-Type REJECT {
sql
}
Kill radiusd and restart it in debug mode.
% radiusd -X
Good luck trying it out ;)
Edited:
It turns out something was missing: in the setup above the MySQL database had not been given a password yet..
After setting a password and running it again, I got an error...
rlm_sql_mysql: Mysql error 'Client does not support authentication please upgrade mysql client etc..
Check the library:
# ldd /usr/local/lib/rlm_sql_mysql.so
/usr/local/lib/rlm_sql_mysql.so:
libmysqlclient.so.12 => /usr/local/lib/mysql/libmysqlclient.so.12 (0x28157000)
libz.so.2 => /lib/libz.so.2 (0x28177000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x28187000)
libm.so.3 => /lib/libm.so.3 (0x2819f000)
libc.so.5 => /lib/libc.so.5 (0x28079000)
That looks fine.. but why.. do I really have to upgrade the MySQL client when the version is already 5.0? Nah, I don't think I have to.. don't just trust a warning :P .. let me google first..
After racking my brain, I remembered the pureftpd installation with MySQL.. so I gave it a try..
# cd /usr/local/mysql/lib/mysql/
# cp * /usr/local/lib
Woohoo! Alhamdulillah.. it worked, folks..
Web statistics with AWStats
| Monday, July 16, 2007
# Download the AWStats source and extract it
# Copy the "js", "classes", "css" and "icon" directories to "/www/awstats"
# Copy the cgi-bin folder into your Apache cgi-bin directory
Edit the awstats.model.conf file and change a few of its parameters:
LogFile = "../www/log.%YYYY%MM" (assuming your log files are being placed in the www root directory).
SiteDomain = "www.yourdomain.com"
DirIcons = "http://www.yourdomain.com/awstats/icon"
AllowToUpdateStatsFromBrowser = 1
/usr/local/nf/bin/perl ../cgi-bin/awstats.pl -config=model -update
The statistics can be accessed at:
http://www.domain.com/cgi-bin/awstats.pl?config=model
PHP again..
PHP, short for PHP: Hypertext Preprocessor, is one of the most popular web programming languages in use. At present PHP is used on around 7 million domains spanning around 1 million IP addresses.
PHP Installation on the Server
Unlike most other web hosting providers, we configure PHP at indoglobal.com with the aim of making it more flexible while avoiding PHP's security weaknesses.
On our systems we install PHP modularly, with its components separated from the core. We do this to increase PHP's capabilities on our servers and to minimise memory usage.
The PHP modules we install on our servers are:
Module Description
bcmath BCMath arbitrary precision mathematics module
bz2 Bzip2 compression module
calendar Calendar module
ctype Character type module
curl Client URL library module
dba Hash file (DBM or similar) abstraction layer module
dbase dBase module
dbx Database abstraction layer module
dio Direct I/O Module
domxml Document object model (DOM) module
exif EXIF JPEG header module
filepro Filepro database module
fribidi Bidirectional text module
ftp FTP module
gd Image generation module
gettext Native language support and internationalization module
gmp GNU MP library for arbitrary precision arithmetic
iconv Character set conversion module using IConv
imap IMAP, POP3 and NNTP module
interbase Interbase database module
ldap LDAP client module
mcrypt MCrypt encryption module
mhash MHash hashing algorithm module
mime_magic MIME type detection module
ming Shockwave flash creation module using ming library
mnogosearch MnogoSearch search engine module
mysql MySQL database client module
ncurses Ncurses terminal screen control module
odbc UNIX ODBC module
overload Object property and method call overloading module
pcntl Process control functions module
pgsql PostgreSQL database client module
posix Module for accessing POSIX system interface
pspell PSpell spell checking module
recode Character sets encoding conversion using GNU Recode
shmop Shared memory module using SHMOP
snmp SNMP client module
sockets Low level sockets module
swf Shockwave Flash module using libswf library
sybase Sybase database client module
sysvmsg System V messages module
sysvsem System V semaphore module
sysvshm System V shared memory module
tokenizer Tokenizer module
wddx Web Distributed Data Exchange (WDDX) module
xmlrpc XMLRPC and SOAP module
xslt XSLT processor module
yaz YAZ module
yp YP module
zip ZIP files read access module
zlib Zlib compression module
The modules that are always loaded in PHP for technical reasons are:
Module Description
openssl OpenSSL for SSL related cryptographic functions
pcre Perl compatible regular expression library
session HTTP session support
wddx Web Distributed Data Exchange module
xml Extensible Markup Language (XML) parser module
Custom PHP Modules
Sometimes you need a PHP module that is not in our list above (for example, a third-party PHP module), or you program your own PHP module. In those cases you can install the PHP module you need.
PHP Configuration in SiteManager
Everything to do with PHP configuration can be done in SiteManager, using an intuitive and easy-to-use interface.
You can configure PHP for your account globally and for each of your subdomains. Your subdomains can each have their own configuration if you wish. For example, you may want MySQL and PCRE support installed on subdomain 1, but PostgreSQL and GD support installed on subdomain 2.
Besides configuring which modules are installed, you can also change other PHP settings such as the use of ASP tags, error handling and so on. Almost every setting that normally has to be edited by hand in the php.ini file can now be edited easily through SiteManager.
PEAR Support
Our system also supports PEAR; whatever PEAR module you need can be installed easily through SiteManager, including PECL modules. From SiteManager you can also uninstall previously installed PEAR modules and view information about PEAR modules. You can also use the standard command-line interface if you prefer; we have set it all up for you.
Security and Flexibility
Configuring PHP in a web hosting environment has long been a problem. Almost all web hosting companies configure PHP as an Apache module. This configuration has problems that depend on whether safe mode is turned on or not.
Without safe mode, PHP is very insecure. A user on a system can view or download files belonging to other users on the same system. PHP code such as can be used to view the contents of other users' files, including sensitive ones, for example those containing database passwords, credit card numbers or other information.
With safe mode, PHP is very inflexible. You will not be able to use most third-party programs, because safe mode disables some of PHP's functions. Any program that needs to write or read files will not work at all.
indoglobal.com uses a different configuration. We use the CGI version of PHP rather than the Apache module. This way our customers can use PHP safely, and all PHP programs work without problems. In most cases you will not even notice that PHP is running in CGI mode.
indoglobal.com was one of the first web hosting companies to recognise this issue. Since our founding (in 1997, before PHP 3 was released) we have tried many PHP configurations to find the best way to run PHP in a shared hosting environment without sacrificing user security or PHP's features. From our years of experience, we are convinced that this configuration is the best way to run PHP on a shared hosting system.
Good grief….. my supervisor really is a genius, but always plays it down when praised. So before I have even finished the above, I am going to be given a PHP programming book in English…. ahem, this one is surely a favourite, nearly 1000 pages thick, mate… work it out for yourself. But learning is not hard as long as we are determined.
taken from: http://paulvandyk.wordpress.com/
This and that on the web server
Disabling the phpinfo function in PHP, which can be dangerous :p (except for the admin).
If you leave phpinfo enabled and use some file other than phpinfo.php, it can still be found. It is pretty trivial to figure out that if you search for a couple specific terms, that you will find the PHP test page that somebody created and forgot about. Consider using safe mode. Just set:
; Safe Mode
;
safe_mode = On
in php.ini and restart your webserver to use this. You can verify whether safe mode is enabled using the above phpinfo technique. Another item to consider is the disable_functions directive. For instance, you could set this:
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"
In Apache, add the following lines:
ServerTokens Prod
ServerSignature Off
where's my bug??
First, test the security *like a security guard* of our web server; nikto can be used for this.
# wget http://cirt.net/nikto/nikto-current.tar.gz
# tar -xvzf nikto-current.tar.gz
Enter the nikto directory and run the update.
# ./nikto.pl -update
Now.. ready for testing:
# ./nikto.pl -h www.yahoo.com
Good luck trying it out... ;)
pospix
mail | Tuesday, July 10, 2007
From the Postfix source, do the following:
% make -f Makefile.init makefiles
% make tidy
% make
# mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
# mv /usr/bin/newaliases /usr/bin/newaliases.OFF
# mv /usr/bin/mailq /usr/bin/mailq.OFF
# chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF /usr/bin/mailq.OFF
/etc/passwd:
postfix:*:12345:12345:postfix:/no/where:/no/shell
/etc/group:
postfix:*:12345:
/etc/group:
postdrop:*:54321:
# make install (interactive version, first time install)
# make upgrade (non-interactive version, for upgrades)
Radio Serper
| Friday, June 08, 2007
For those of you with a talent for presenting that has not yet found an outlet, there is no harm in broadcasting on your own radio.. come on... let's build our own radio station..
First, prepare a *nix box with a sound card
and then install icecast2 and darkice..
ICECAST2
icecast needs the following dependencies:
libxml2 - http://xmlsoft.org/downloads.html
libxslt - http://xmlsoft.org/XSLT/downloads.html
curl - http://curl.haxx.se/download.html (>= version 7.10 required)
NOTE: icecast may be compiled without curl, however this will disable all Directory server interaction (YP).
ogg/vorbis - http://www.vorbis.com/files (>= version 1.0 required)
After that, download the icecast source from www.icecast.org and install it.
If the installation keeps failing after several attempts and you have despaired on the path of Allah.. then just go via the port..
cd /usr/ports/audio/icecast2 && make install clean
The installation will run by itself; meanwhile you should repent first, because you despaired.. :P
Edit /usr/local/etc/icecast.xml with your favourite editor..
Okay, now start icecast2:
/usr/local/bin/icecast -c /usr/local/etc/icecast.xml &
DARKICE
cd /usr/ports/audio/darkice && make install clean
Edit /usr/local/etc/darkice.cfg:
# this section describes general aspects of the live streaming session
[general]
duration = 0 # duration of encoding, in seconds. 0 means forever
bufferSecs = 5 # size of internal slip buffer, in seconds
reconnect = yes
# this section describes the audio input that will be streamed
[input]
device = /dev/dsp # OSS DSP soundcard device for the audio input
sampleRate = 22050 # sample rate in Hz. try 11025, 22050 or 44100
bitsPerSample = 16 # bits per sample. try 16
channel = 1 # channels. 1 = mono, 2 = stereo
# this section describes a streaming connection to an IceCast server
# there may be up to 8 of these sections, named [icecast-0] ... [icecast-7]
# these can be mixed with [icecast2-x] and [shoutcast-x] sections
[icecast2-0]
format = mp3
bitrateMode = cbr # constant bit rate
bitrate = 16 # bitrate of the mp3 stream sent to the server
quality = 0.8 # encoding quality
server = 123.134.237.237
# host name of the server
port = 8000 # port of the IceCast server, usually 8000
password = passku # source password to the IceCast server
mountPoint = radio # mount point of this stream on the IceCast server
name = Radio - Trial
# name of the stream
description = This is only a trial
# description of the stream
url = http://123.134.237.237:8000
# URL related to the stream
genre = my own # genre of the stream
public = yes # advertise this stream?
/usr/local/bin/darkice -c /usr/local/etc/darkice.cfg &
Now open http://123.134.237.237:8000 to see the server status and http://123.134.237.237:8000/admin/ for administration.
Is our radio on air now? Of course not.. not while the sound card has not been enabled, hehe...
# kldload snd_ich (your sound card type)
# ee /boot/default/loader.conf
snd_ich_load="YES" # Intel ICH
snd_driver_load="YES" # All sound drivers
Edit the kernel configuration and compile:
device sound
device snd_ich
Reboot... and start icecast and darkice.
VipiEn ples Radiyus alias radi jayus hihihi...
| Thursday, June 07, 2007
MySQL installation
Set password
shell> mysql --user=root mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('
mysql> flush privileges;
mysql> quit;
Create the database
mysqladmin --user=root -p
Create a user to access the radius database
shell> mysql --user=root -p
mysql> GRANT ALL ON ftp.* TO radius@localhost IDENTIFIED BY '
mysql> flush privileges;
mysql> quit;
shell> gunzip /usr/share/doc/freeradius/examples/db_mysql.sql.gz
shell> mysql --user=radius -p
shell> gunzip /usr/share/doc/freeradius/examples/mysql.sql.gz
shell> mysql --user=radius -p
The database is made up of 8 tables that make it possible to define the rights of each user and the rights of each group.
The table: nas
This table contains the same information as the /etc/freeradius/clients.conf file. It makes it possible to add NASes.
key value
nasname 127.0.0.1
shortname nas1
type other
ports
secret mySecret
community public
description NAS1 for the tests
The table: radacct
This table contains all connection and disconnection information, etc. It is a table you will mostly access for reading. There is nothing to configure in this table.
The table: radcheck
This table contains the information to be checked at authentication time. It will mainly contain the login/password.
key value
UserName yoann
Attribute User-Password
op ==
Value test
The table: radgroupcheck
This table works like the radcheck table, but with the notion of groups. (For example, it can check that the users of the PPTP group do have the value “1” (PPP) for the Framed-Protocol key; the value 2 would have been for SLIP.)
key value
GroupName PPTP
Attribute Framed-Protocol
op ==
Value 1
The table: radreply
This table contains the parameters returned to the clients after a successful authentication. (For example, it makes it possible to assign a specific IP address to a user.)
key value
UserName yoann
Attribute Framed-IP-Address
op :=
Value 192.168.40.101
The table: radgroupreply
This table works like the radreply table, but with the notion of groups. (For example, it makes it possible to assign the IP address of a DNS server to all users of the PPTP group.)
key value
GroupName PPTP
Attribute MS-Primary-DNS-Server
op :=
Value 192.168.40.1
The table: usergroup
This table defines a user's membership of a group. It is thus possible to define rights that apply to a group of users.
key value
UserName yoann
GroupName PPTP
priority 1
The table: radpostauth
To be defined…
RADIUS CONFIGURATION
/etc/freeradius/sql.conf
sql {
# Database type
driver = "rlm_sql_mysql"
# Connect info
server = "localhost"
login = "radius"
password = "
# Database table configuration
radius_db = "radius"
...
# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes
}
Note: Setting readclients to yes makes it possible to store the list of NASes in the nas table of the radius database, in addition to the NASes listed in the /etc/freeradius/clients.conf file. Adding a new entry to the nas table is not dynamic: the list of NASes is built when freeradius starts, from the /etc/freeradius/clients.conf file and the SQL nas table.
To take the changes into account, reload the configuration files:
shell> /etc/init.d/freeradius
The /etc/freeradius/radiusd.conf file
modules {
chap {
authtype = CHAP
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
}
$INCLUDE ${confdir}/sql.conf #1249
}
authorize { #1774
chap
mschap
suffix
sql
}
authenticate { #1887
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
}
accounting {
sql
}
session {
sql
}
Testing the freeradius installation
We will add a local NAS to test the configuration. To do so, edit the /etc/freeradius/clients.conf file:
client 127.0.0.1 {
secret = mySecret
shortname = localhost
nastype = other
}
We need to create an entry for the NAS whose IP is 127.0.0.1, and to specify a shared secret which will be used to encode the information exchanged between the NAS and the RADIUS server. Note: We could instead add an entry to the nas table of the SQL database, but we will come to this solution later.
Launching freeradius in debug mode
To get as much information as possible for debugging our installation, and to understand what is happening, we will stop the freeradius service and launch it in debug mode with the appropriate options:
shell> /etc/init.d/freeradius stop
shell> freeradius -XXX
Add a test account to our radcheck table
shell> mysql --user=radius -p
mysql> INSERT INTO radcheck(UserName,Attribute,op,Value) VALUES ('yoann','User-Password','==','test');
mysql> quit;
We added here the user “yoann” with the password “test”
Testing authentication
We will use the radtest tool, whose syntax is as follows:
radtest
Note: to use the default RADIUS port you can use 0.
shell> radtest yoann test 127.0.0.1 0 mySecret
Sending Access-Request of id 186 to 127.0.0.1 port 1812
User-Name = "yoann"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=186, length=20
If authentication succeeds, you will receive the Access-Accept message. You can now stop freeradius in debug mode (Ctrl+C) and start it again as a service.
shell> /etc/init.d/freeradius start
Installation/Configuration of pptpd
Above all, you must make sure that your kernel supports MPPE encryption, which will allow us to encrypt the data with MPPE-128, in addition to MS-CHAP-V2 authentication
/etc/pptpd.conf
option /etc/ppp/pptpd-options
logwtmp
localip 10.1.100.254
remoteip 10.1.100.1-200
Note: The remoteip line is optional, because it may be replaced by the value of the Framed-IP-Address attribute contained in our radreply table
/etc/ppp/pptpd-options
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Authentication Encryption
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# Data Encryption
require-mppe-128
# Disable BSD Compression
nobsdcomp
# Network and Routing
ms-dns 10.1.100.254
proxyarp
nodefaultroute
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive access.
lock
# Enable connection debugging facilities.
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
dump
# Miscellaneous
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
# Plugins
plugin radius.so
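A check for the file above, as an added example (not part of the original tutorial or of pptpd): it reports which of the authentication and encryption directives listed on this page are missing from a pptpd-options file, for instance because they were commented out. The function names, the drifted sample and the list of weakening options (taken from the pppd man page, not from this page) are assumptions.

```python
# Directives the page's /etc/ppp/pptpd-options relies on for auth and encryption.
REQUIRED = ("refuse-pap", "refuse-chap", "refuse-mschap",
            "require-mschap-v2", "require-mppe-128")
# Assumption: pppd options (from its man page, not this page) that undo them.
WEAKENING = ("noauth", "require-pap", "require-chap", "require-mschap",
             "require-mppe-40", "nomppe")


def active_options(text):
    """Return the keyword of every line that is neither blank nor a comment."""
    keywords = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keywords.append(line.split()[0])
    return keywords


def audit(text):
    """Report required directives that are absent and weakening ones present."""
    active = set(active_options(text))
    return {
        "missing": [o for o in REQUIRED if o not in active],
        "weakening": [o for o in WEAKENING if o in active],
    }


# The authentication part of the page's file.
PAGE_OPTIONS = """\
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
plugin radius.so
"""

# Constructed drifted copy: one directive commented out, 40-bit MPPE requested.
DRIFTED_OPTIONS = """\
name pptpd
#refuse-pap
refuse-chap
require-mschap-v2
require-mppe-40
plugin radius.so
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_OPTIONS), ("drifted", DRIFTED_OPTIONS)):
        print(label, audit(text))
```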
Working around a full partition with linking
| Monday, June 04, 2007
First of all, you must have available empty space contiguous with
the partition you wish to expand. If you do not have that, then
you will have to start from scratch, or add another disk drive.
You can use sysinstall to recreate partitions and modify slices as
long as there is space available and as long as the drive or slice
is not mounted and in use. (drive if you are modifying slices and
slice if you are modifying partitions)
If you do not use sysinstall then fdisk is used to change slices. You
may need to do it from a fixit disk because it is likely you will be
modifying the FreeBSD slice that the system normally uses to boot.
If you want to change a partition within a slice (namely the FreeBSD
slice) you need to use bsdlabel(8). That creates and writes the slice's
label and defines partitions. After using bsdlabel, you must use
newfs(8) to create the file system on the newly created/modified partition.
But, still, to add space to a partition, there must be free space -
eg space that is not in a partition already - right next to the
partition you want to expand.
Alternatively, you do not specifically have to increase the /var partition.
You can move some of its contents to another partition where there is
sufficient free space (if such exists) and then create symbolic links
to the new location[s]. Common candidates for such moving and linking
are /var/spool, /var/log, /var/db and/or /var/mail.
My habit is to have a large partition that contains home directories
and other overflows. Typical mount point is /home.
Then, I usually put /var/spool and /var/log there as directories
named /home/var.spool and /home/var.log and link them back to
the original names in /var. eg, after copying those directories
over to /home/var.spool and /home/var.log respectively, I then
rm the original /var/spool and /var/log and then create links.
Actually, first I rename them, then do the link and check things
before actually rm-ing the originals. Something like this:
All must be done as root (and probably best in single user, but not required).
cd /var
use tar | tar or cp -Rp to make a new copy in /home
cp -Rp spool /home/var.spool
mv spool oldspool
ln -s /home/var.spool spool
cp -Rp log /home/var.log
mv log oldlog
ln -s /home/var.log log
Check it all out to make sure it is just fine
cd /var
rm -rf oldspool
rm -rf oldlog
I like to use the naming convention of var.spool and var.log for the
copies because it reminds me of where they come from.
I do a similar thing with /var/db in /var
and with /usr/local, /usr/ports, and /usr/src in /usr
Then those things which grow, sometimes unexpectedly can have room
without me constantly monitoring them. It also makes backups more
straightforward. Everything that is frequently changing is in /home.
Of course, if you do not have a large directory with plenty of
space available, then you may be looking to add some disk space.
Tipz
| Saturday, June 02, 2007
Automatic FSCK
If your server/box gets stuck at fsck after a reboot or a crash, then just add the following line to /etc/rc.conf:
fsck_y_enable="YES"
It will run fsck automatically and will avoid your box getting stuck after reboot waiting for somebody to manually run fsck.
IPFW without compiling the kernel
If you don't want to recompile the kernel just because you want to enable ipfw, you can use the following command to do so:
kldload ipfw && ipfw add 65534 allow all from any to any
Never load the module without the ipfw add 65534 allow all from any to any part: the module's default rule denies all traffic, so you might end up with a locked box.
Tweaking
sysctl.conf for your high traffic server - under high load :
security.bsd.see_other_uids=0
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
#kern.ps_showallprocs=0
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
net.inet.tcp.inflight.enable=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
kern.ipc.somaxconn=1024
net.inet.ip.check_interface=1
kern.maxfiles=32768
kern.maxfilesperproc=2000
kern.ipc.maxsockets=163840
kern.ipc.maxsockbuf=2097152
net.inet.ip.fw.dyn_syn_lifetime=1
net.inet.ip.fw.dyn_max=65535
net.inet.ip.fw.dyn_buckets=256
net.inet.ip.fw.dyn_udp_lifetime=5
net.inet.tcp.msl=7500
Pro eFTePe
| Thursday, May 24, 2007
Got an assignment to set up an FTP server and an anonymous FTP server..
With pureftp, after reading around, it turns out it can't support valid users, so they have to be set up separately. But what I need here is for valid users to work and anonymous to work too..
After reading the proftp manual it turns out it can do it, but why did it never work :(.
After meditating and bathing in well water of seven kinds -just kidding- all I got was a crumpled face..
Finally, oh finally.. here are the steps:
1. Download the tarball from proftpd.org
2. Extract the tarball and enter the proftpd directory
3. ./configure => --h (adjust to your mood and the intentions from the bottom of your heart)
4. make && make install
5. Edit proftpd.conf
###########################################
#
# Server Configuration
#
###########################################
ServerName "AdminWannabe FTPServer"
ServerType standalone
DefaultServer on
Port 21
Umask 022
MaxInstances 100
User nobody
Group nobody
DefaultRoot ~
DefaultAddress 203.134.232.20
AllowOverwrite on
<Anonymous /usr/local/webhosts/ftp>
User ftp
Group ftp
UserAlias anonymous ftp
MaxClients 10
DisplayLogin welcome.msg
DisplayFirstChdir .message
RequireValidShell off
# this is the culprit.. after all that searching I finally found it
AnonRequirePassword off
AllowAll
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
PyurFTP :P
FTP | Friday, May 11, 2007
Note: it is assumed that MySQL is already installed
# cd /lib/mysql/
# cp * /usr/lib
Download the pure-ftpd source, extract it and enter its directory
# fetch ftp.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.21.tar.gz
# ./configure \
--prefix=/usr/local/pureftpd \
--with-mysql=/w3/mysql \
--with-paranoidmsg \
--with-shadow \
--with-welcomemsg \
--with-uploadscript \
--with-quotas \
--with-cookie \
--with-pam \
--with-virtualhosts \
--with-virtualchroot \
--with-diraliases \
--with-sysquotas \
--with-ratios \
--with-ftpwho \
--with-throttling \
--with-largefile
# make && make install
Then we create an ftp group ("ftpgroup") and user ("ftpuser") that all our virtual users will be mapped to. Replace the group- and userid 2001 with a number that is free on your system:
groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser
Now we create a database called pureftpd and a MySQL user named pureftpd which the PureFTPd daemon will use later on to connect to the pureftpd database:
mysql -u root -p
CREATE DATABASE pureftpd;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost.localdomain' IDENTIFIED BY 'ftpdpass';
FLUSH PRIVILEGES;
Replace the string ftpdpass with whatever password you want to use for the MySQL user pureftpd. Still on the MySQL shell, we create the database table we need (yes, there is only one table!):
USE pureftpd;
CREATE TABLE ftpd (
User varchar(16) NOT NULL default '',
status enum('0','1') NOT NULL default '0',
Password varchar(64) NOT NULL default '',
Uid varchar(11) NOT NULL default '10',
Gid varchar(11) NOT NULL default '1010',
Dir varchar(128) NOT NULL default '/usr/local/webhosts',
ULBandwidth smallint(5) NOT NULL default '100',
DLBandwidth smallint(5) NOT NULL default '100',
comment tinytext NOT NULL,
ipaccess varchar(15) NOT NULL default '*',
QuotaSize smallint(5) NOT NULL default '0',
QuotaFiles int(11) NOT NULL default 0,
PRIMARY KEY (User),
UNIQUE KEY User (User)
) ENGINE=MyISAM;
quit;
BTW (I'm assuming that the hostname of your ftp server system is server1.example.com), you can access phpMyAdmin at http://server1.example.com/phpmyadmin/ (you can also use the IP address instead of server1.example.com) in a browser and log in as pureftpd. Then you can have a look at the database. Later on you can use phpMyAdmin to administer your PureFTPd server.
Configure PureFTPd
#ee /etc/pureftpd-mysql.conf
MYSQLServer localhost
#MYSQLPort 3306
MYSQLUser pureftpd
MYSQLPassword ftpadmin1
MYSQLDatabase pureftpd
#MYSQLCrypt md5, cleartext, crypt() or password() - md5 is VERY RECOMMENDABLE over cleartext
MYSQLCrypt md5
MYSQLGetPW SELECT Password FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetUID SELECT Uid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetGID SELECT Gid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetDir SELECT Dir FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTASZ SELECT QuotaSize FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTAFS SELECT QuotaFiles FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
# In the following directives, parts of the strings are replaced at
# run-time before performing queries :
# \L is replaced by the login of the user trying to authenticate.
# \I is replaced by the IP address the user connected to.
# \P is replaced by the port number the user connected to.
# \R is replaced by the IP address the user connected from.
# \D is replaced by the remote IP address, as a long decimal number.
#
# Very complex queries can be performed using these substitution strings,
# especially for virtual hosting.
Make sure that you replace the string ftpdpass with the real password for the MySQL user pureftpd in the line MYSQLPassword! Please note that we use md5 as MYSQLCrypt method, which means we will store the users’ passwords as an MD5 string in the database which is far more secure than using plain text passwords!
ChrootEveryone Yes
CreateHomeDir Yes
MySQLConfigFile /etc/pureftpd-mysql.conf
Now we create the user exampleuser with the status 1 (which means his ftp account is active), the password secret (which will be stored encrypted using MySQL’s MD5 function), the UID and GID 2001 (use the userid and groupid of the user/group you created at the end of step two!), the home directory /home/www.example.com, an upload and download bandwidth of 100 KB/sec. (kilobytes per second), and a quota of 50 MB:
INSERT INTO `ftpd` (`User`, `status`, `Password`, `Uid`, `Gid`, `Dir`, `ULBandwidth`, `DLBandwidth`, `comment`, `ipaccess`, `QuotaSize`, `QuotaFiles`) VALUES ('exampleuser', '1', MD5('secret'), '2001', '2001', '/home/www.example.com', '100', '100', '', '*', '50', '0');
Start pureftp: /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf
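The MYSQLCrypt md5 setting and the MD5('secret') insert above store an unsalted digest, so two accounts with the same password get the same Password value. The added example below (not from the original tutorial or from PureFTPd) shows that property and, for comparison, a per-user salted hash; the PBKDF2 format, the function names and the extra accounts are assumptions made for the demo, not a MYSQLCrypt mode shown on this page.

```python
import hashlib
import hmac
import os


def mysql_md5(password):
    """Value stored by MySQL's MD5(): 32 hex characters, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, rounds=100_000):
    """Per-user random salt plus a slow KDF (generic stand-in, see lead-in)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2-sha256${}${}${}".format(rounds, salt.hex(), dk.hex())


def salted_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_credentials(rows):
    """Audit helper: groups of users whose stored value is byte-identical."""
    groups = {}
    for user, stored in rows:
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed accounts; "exampleuser"/"secret" is the pair inserted on this page.
ACCOUNTS = [("exampleuser", "secret"), ("alice", "secret"), ("bob", "hunter2")]
MD5_ROWS = [(u, mysql_md5(p)) for u, p in ACCOUNTS]
SALTED_ROWS = [(u, salted_hash(p)) for u, p in ACCOUNTS]

if __name__ == "__main__":
    print("md5 rows sharing a value:   ", shared_credentials(MD5_ROWS))
    print("salted rows sharing a value:", shared_credentials(SALTED_ROWS))
```

The salted string is longer than the Password varchar(64) column defined above, so a scheme like this needs a wider column.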