Blocking HTTP brute force with PF

| Wednesday, June 22, 2011

Picked up something new from a discussion with the admin next door and from reading the PF manual.
The rules are as follows:

int_if = "bce0"
table <bruteforces> persist
pass quick from 10.10.3.0/29
block quick from <bruteforces>

pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
(max-src-conn 2, max-src-conn-rate 5/5, overload <bruteforces> flush global)

The explanation (from the PF manual) is as follows:
max-src-conn number
Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.

max-src-conn-rate number / interval
Limit the rate of new connections to a certain amount per time interval.

For a layman like me it's really hard to understand what that means, sob..
So I just tested it with the rule above, as follows:

I opened http://10.10.7.4 in 5 Firefox tabs and reloaded them all at the same time. The page could still be opened.
But if I open 6 pages of http://10.10.7.4, whether in different browsers or the same browser, then when I check:

# pfctl -t bruteforces -Tshow
10.10.7.1

My IP was caught by that rule.

Then I tried changing the rule
pass in on $int_if proto { tcp } from any to 10.10.7.4 port 80 flags S/SA keep state \
(max-src-conn 1, max-src-conn-rate 5/5, overload <bruteforces> flush global)

I set max-src-conn to just 1.

I tried opening http://10.10.7.4 in just 1 tab in Firefox and then tried opening the same page in Chrome.
The result:
# pfctl -t bruteforces -Tshow
10.10.7.1

I also tried opening it from a different IP; it turned out the second IP got caught right away

# pfctl -t bruteforces -Tshow
10.10.7.10

My conclusions:
max-src-conn: it turns out to be how many browsers will be launched to access our web server.
It doesn't distinguish IPs. Oh, so opening a browser once and accessing the site counts as 1 TCP connection, hehe..
max-src-conn-rate a/b: within b seconds, how many (a) tabs will be opened/refreshed.
There is also max-src-nodes: my assumption is that this limits how many IPs may access the site; not recommended if our website is for the public.
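To make concrete what each of the two limits counts, here is a small Python model of the rule set above (an added example, not PF's own code: it simplifies PF's kernel state table to a per-source count of open connections and a sliding window of handshake times, and takes the table name <bruteforces> from the pfctl commands in this post):

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed model of the pf.conf rules in this post (added example, not PF's code):
#   pass quick from 10.10.3.0/29
#   block quick from <bruteforces>
#   pass in ... port 80 keep state (max-src-conn 2, max-src-conn-rate 5/5,
#                                   overload <bruteforces> flush global)
WHITELIST = ip_network("10.10.3.0/29")


class PfSourceTracker:
    """Per-source-IP bookkeeping for the two state limits and the overload table.

    Simplification: a connection counts as established from syn() until fin();
    real PF keeps full state entries in the kernel and expires them itself.
    """

    def __init__(self, max_src_conn=2, rate_count=5, rate_interval=5.0):
        self.max_src_conn = max_src_conn      # max-src-conn
        self.rate_count = rate_count          # a in max-src-conn-rate a/b
        self.rate_interval = rate_interval    # b in max-src-conn-rate a/b (seconds)
        self.bruteforces = set()              # contents of the <bruteforces> table
        self.established = {}                 # src -> connections not yet closed
        self.recent = {}                      # src -> deque of handshake timestamps

    def syn(self, src, now):
        """A TCP handshake from src completes at time now; return the verdict."""
        if ip_address(src) in WHITELIST:
            return "pass"       # 'pass quick from 10.10.3.0/29' matches first
        if src in self.bruteforces:
            return "block"      # 'block quick from <bruteforces>'
        # max-src-conn-rate: handshakes from src inside the last rate_interval seconds
        window = self.recent.setdefault(src, deque())
        while window and now - window[0] >= self.rate_interval:
            window.popleft()
        window.append(now)
        # max-src-conn: connections from src still open, this one included
        self.established[src] = self.established.get(src, 0) + 1
        if len(window) > self.rate_count or self.established[src] > self.max_src_conn:
            self.overload(src)
            return "overload"
        return "pass"

    def fin(self, src):
        """A connection from src closes, so its state entry disappears."""
        self.established[src] = max(0, self.established.get(src, 0) - 1)

    def overload(self, src):
        """overload <bruteforces> flush global: list src and kill all its states."""
        self.bruteforces.add(src)
        self.established[src] = 0
        self.recent.pop(src, None)


def demo():
    """Three scenarios against one rule set; returns the verdicts for checking."""
    t = PfSourceTracker()
    # 1. Short requests, each closed before the next: five inside 5 s pass,
    #    the sixth inside the same window trips max-src-conn-rate 5/5.
    rate = []
    for i in range(6):
        rate.append(t.syn("10.10.7.1", now=i * 0.5))
        t.fin("10.10.7.1")
    # 2. Three connections held open at once from another host trip max-src-conn 2.
    conc = [t.syn("10.10.7.10", now=100.0 + i) for i in range(3)]
    # 3. A host in the whitelisted /29 is never counted at all.
    white = [t.syn("10.10.3.2", now=200.0 + i * 0.1) for i in range(10)]
    # Once listed, 10.10.7.1 hits 'block quick' even an hour later.
    later = t.syn("10.10.7.1", now=3600.0)
    return rate, conc, white, later, sorted(t.bruteforces)


if __name__ == "__main__":
    print(demo())
```

Once a source lands in the table everything from it is blocked until the entry is removed, e.g. with pfctl -t bruteforces -T delete <address>.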

Building a Server from Scratch with FreeBSD (part 1)

| Friday, March 18, 2011

1. Kernel optimisation
After installation, the thing to pay attention to is compiling the kernel.
Remove devices that are not needed: ethernet drivers, PCMCIA, etc.
1. Disable IPv6
2. Disable NFS

For extra options, the following might be added to the kernel config:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync


2. Configuring SSHD
ee /etc/ssh/sshd_config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1
AllowUsers user2


3. Configuring ttys
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Suggestions from Dru Lavigne:

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in /etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that don't require modifications
• implementing a file integrity checking system such as tripwire (http://www.tripwire.com), aide (http://www.cs.tut.fi/~rammer/aide.html) or implementing your own using mtree
• changing /etc/motd removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list (http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http://sysctl.enderunix.org/ provides some helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

General hardening tips from Dru..

|

• does this system really need IPv6 support?
• do I really want NFS (and its inherent security risks) on an Internet facing server?
• should I be loading filesystems I'll never use? (e.g. DOS, CD9660)
• do I need SCSI drivers on a non-SCSI system?
• do I need hardware RAID drivers if I'm using software RAID?
• do I really need to load dozens of NIC drivers if I always buy the same brand of NIC?
• do I need PCMCIA or wireless support on a non-laptop system?
• will I be using USB or Firewire?

KERNEL

1. Disable IPv6
2. Disable NFS

There are many tools available to create a custom backup solution, ranging from built-in FreeBSD utilities to third-party software applications available through the ports collection. In a more complex scenario you may wish to investigate:
• bacula http://www.bacula.org
• rsnapshot http://www.rsnapshot.org
• boxbackup http://www.fluffy.co.uk/boxbackup/


General Hardening Tips

• restricting ssh access using the AllowUsers keyword in /etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that don't require modifications
• implementing a file integrity checking system such as tripwire (http://www.tripwire.com), aide (http://www.cs.tut.fi/~rammer/aide.html) or implementing your own using mtree
• changing /etc/motd, adding an ssh banner, and removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list (http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http://sysctl.enderunix.org/ provides some helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

Lusca/cacheboy

| Thursday, March 03, 2011

I'm trying cacheboy, but haven't got the Tproxy part working yet because my machine is AMD. Googling turned up the following article. Hope it's useful.
Taken from: http://hikmah-teknologi.blogspot.com/

LUSCA TPROXY on FREEBSD-7-STABLE
Patch the kernel:
cd /usr/src
fetch http://squid-proxy-pkg.googlecode.com/files/freebsd-tproxy-sys.patch
patch -p0 < freebsd-tproxy-sys.patch

In the kernel config: /sys/i386/conf/PROXY
options IP_NONLOCALBIND
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options LIBALIAS

# options tuning for squid
options VFS_AIO
options MAXFILES=262144
options MSGMNB=32768
options MSGMNI=82
options MSGSEG=4096
options MSGSSZ=128
options MSGTQL=2048
options SHMSEG=32
options SHMMNI=256
options SHMMAX=4194304
options SHMALL=16384
makeoptions COPTFLAGS="-O2 -pipe -funroll-loops -ffast-math"
makeoptions NO_MODULES=yes

Build the kernel:
cd /usr/src
make buildkernel KERNCONF=PROXY && make installkernel KERNCONF=PROXY

In /etc/sysctl.conf:
net.inet.ip.nonlocalok=1

cp /usr/src/sys/netinet/in.h /usr/include/netinet


Install squid:
pkg_add -v http://squid-proxy-pkg.googlecode.com/files/lusca-with-tproxy-r14371_3.tbz

In /usr/local/etc/squid/squid.conf:

http_port XXX.INTERNAL.IP.XXX:3128 transparent tproxy


# em0 -> External interface (to mikrotik)
# em1 -> Internal interface (to client)

In /etc/ipfw.tproxy:
ipfw add fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80 in via em1 # default rule to transparent proxy
ipfw add fwd 192.168.1.1 tcp from any 80 to 192.168.1.0/24 in via em0 # catch the packets that come back using the clients IPs

In rc.conf:
gateway_enable="YES"
ifconfig_em0="inet 192.168.0.1 netmask 255.255.255.252"
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.tproxy"
firewall_type="open"
firewall_logging="YES"

fsck_y_enable="YES"
background_fsck="NO"

squid_enable="YES"
# here we use dnsmasq rather than bind

dnsmasq_enable="YES"
dnsmasq_flags="--conf-file=/usr/local/etc/dnsmasq.conf"

and don't forget, on the topmost router, to set up NAT and static routes for the IPs behind the proxy

Tproxy

| Wednesday, March 02, 2011

Back to proxies, squid in particular. Oh, there's also something called cacheboy.
Cacheboy is an optimisation of squid stable 2. As I understand it, cacheboy is a modded version of squid 2, to put it simply. When I tried installing it via ports there were many options that can be enabled/disabled. Since I haven't tinkered with squid in a long time, I had to look up what those options do again. Among them:

1. Delay pool: this feature is used for bandwidth limiting
2. AUFS and COSS: these are the cache storage types for squid
3. PF and IPF transparent: this enables support for the PF or IPF firewall for transparent proxying
4. Enable Tproxy: enables Tproxy.

Explanation of Tproxy from the internet:

Transparent Proxy (TProxy)

Tproxy is a truly transparent proxy. A transparent proxy, or more precisely an interception proxy, is one that becomes transparent to the clients by transparently intercepting the http requests and serving the response, which means the client need not be explicitly configured to use the proxy; requests are transparently sent to the proxy without the client's knowledge. Since the interception proxy forwards the request on behalf of the client, the web server sees the source of the request as the proxy, and hence it is not transparent to the web server.

The tproxy feature solves this issue and makes the proxy transparent to both the client and the web server. However, the interception and/or tproxy feature requires kernel support and the packet redirection feature of the operating system.


Note: To make it still more truly transparent, the proxy should be configured not to add any extra headers while forwarding the request and serving the response.

Roughly, the translation is as follows.

Tproxy is a truly transparent proxy. A transparent proxy, or interception proxy, is a proxy that works by transparently capturing the client's http/browsing packets. In other words, the client side needs no configuration to enable the proxy, because traffic automatically and unavoidably passes through the proxy.

Because that proxy captures the packets and makes the connection to the destination web server itself, what the destination web server recognises is the proxy's IP, not the client's.

This is where the Tproxy feature is the key: the destination web server recognises the client's IP directly (the public IP, of course). This feature needs to be enabled in the kernel of the OS being used.

Install an NTP Server on FreeBSD

| Tuesday, March 01, 2011

It's easy. Just install ntp from ports.
Then
# ee /etc/ntp.conf
server 3.id.pool.ntp.org
server 0.asia.pool.ntp.org
server 2.asia.pool.ntp.org

driftfile /var/db/ntp.drift

Save /etc/ntp.conf with the configuration above.
Then start the service with the command

/etc/rc.d/ntpd start

Then run the command
ntpdate -d localhost

If there is a message like "no server ...", wait about 10 to 15 minutes and try again until it synchronises, like this:

1 Mar 14:01:36 ntpdate[19223]: step time server localhost offset -225.715219 sec

Don't forget to open port 123 udp.

Angin duduk

| Friday, November 05, 2010

Got some important info from mas Chakim, whose wife had angin duduk. Here are the things you need to know.
Causes:
(1) Often staying up late / exposure to the night air
(2) A habit of holding in farts / bowel movements
(3) An extremely cold environment/weather that goes on continuously
(4) Eating late
(5) Ordinary masuk angin (a cold) left untreated

Symptoms:
(1) it feels like something is stuck between the stomach and the chest
(2) you want to burp/fart but it's very hard, and even when you can it hardly reduces the pain in no. 1
(3) sitting/.../bending/walking/even lying down is difficult
(4) the body feels cold (Javanese: anyep)
Different from ordinary masuk angin: angin duduk doesn't go away even after kerokan (coin rubbing), taking cold medicine, or applying even the hottest liniment

How to deal with it:
First rub the stomach + chest + waist + back with minyak cap kap*k, do kerokan if needed, then boil water, put the warm boiled water into 2 bottles (glass bottles are better), place the first bottle on the solar plexus or the front of the stomach where the wind refuses to come out, place the second bottle on both soles of the feet, lie on your back, if needed wear a jacket + tracksuit trousers + socks + a thick blanket, wait until cold sweat comes out and you can fart; if after half an hour it hasn't eased, replace the water in the bottles that has cooled with fresh warm water and apply it again in the same places as above. Hope this is useful, considering the risk of angin duduk is death if it is dealt with too late (based on a true story)

postfix, sendmail and php

| Wednesday, October 27, 2010

Just updating a script for checking quotas in mysql.
The script uses PHP. If a database exceeds its allocated quota it gets locked and a notification email is sent.
It turned out that when checking quotas there was an error notification
locking database /usr/sbin/sendmail not found.

It seems the error happened because I had just migrated from sendmail to postfix.
Turns out the solution is easy. First find the sendmail binary

# whereis sendmail
sendmail: /usr/local/sbin/sendmail

Then edit php.ini in the following section:

sendmail_path = /usr/local/sbin/sendmail -t -i -f noreply@domain.com

restart the webserver and test again..

install eaccelerator on freebsd

| Friday, July 16, 2010

cd /usr/ports/www/eaccelerator

You have installed the eaccelerator package.
Edit /usr/local/etc/php.ini and add:
zend_extension="/usr/local/lib/php/20060613/eaccelerator.so"
Then create the cache directory:
mkdir /tmp/eaccelerator
chown www /tmp/eaccelerator
chmod 0700 /tmp/eaccelerator

you can try this config:
zend_extension="/usr/local/lib/php/20060613/eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

eaccelerator.shm_size
This setting will allow you to control the amount of shared memory eAccelerator should allocate to cache PHP scripts. The number sets the amount of memory in megabytes. Setting this value to 0 will use the default size.

eaccelerator.shm_size = "0"

On Linux the maximum amount of memory a process can allocate is limited by the number set in /proc/sys/kernel/shmmax. Allocating more than this value will result in eAccelerator failing to initialise. The size in this file is given in bytes. You can raise this amount with:

echo value > /proc/sys/kernel/shmmax

Where value is the size in bytes you want to use. This value is reset to the default value every time you reboot, but you can raise it permanently by adding the amount you need in /etc/sysctl.conf. This is done by adding:

kernel.shmmax = value

eaccelerator.cache_dir

This directory is used for the disk cache. eAccelerator stores precompiled code, session data, content and user entries here. The same data can be stored in shared memory (for quicker access). The default value is “/tmp/eaccelerator”.

eaccelerator.cache_dir = "/tmp/eaccelerator"

This is easy because that directory is easily writable to everyone, and mounted with noexec. However, it isn’t the best because on a lot of systems this directory is cleared on reboot. A better place is /var/cache/eaccelerator. Create the directory and make sure it’s writable to the process eAccelerator runs under.

A safe bet is making it world writeable, a safer and cleaner way is making the user php runs under (most of the time the same user as apache or lighttpd) the owner and set 0644 permissions.

The lazy way:

mkdir /tmp/eaccelerator
chmod 0777 /tmp/eaccelerator

eaccelerator.enable

With this setting you can enable or disable eAccelerator. This may seem like a pretty stupid setting, but it can be very useful. For example this setting can also be used in the vhost section of the Apache configuration. It allows you to disable eAccelerator for a certain vhost by placing php_admin_value eaccelerator.enable 0 in the vhost section.

Setting this value to "1" enables eAccelerator, which is also the default value. Setting it to "0" will disable eAccelerator.

eaccelerator.enable = "1"

eaccelerator.optimizer

Enables or disables the optimizer which may speed up code execution. Setting it to "1" will enable eAccelerator, "0" disables it. By default the optimizer is enabled. The optimizer will only run when the script is compiled before it's cached.

eaccelerator.optimizer = "1"

eaccelerator.debug

Enables or disables debug logging. Setting this to 1 will print information to the log file about the cache hits of a file. This is only useful when debugging eAccelerator for bug reports.

eaccelerator.debug = 0

eaccelerator.log_file

Set the log file for eaccelerator. When this option isn’t set then the data will be logged to stderr, when using PHP with Apache these lines will be added to the Apache error log.

eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"

eaccelerator.name_space

When using the user cache api for storing data in shared memory, all keys are prepended by the hostname used for the current request. This hostname equals the ServerName set in the vhost section of apache. This is done to avoid duplicate keys between vhosts. Sometimes it is desired to share data between vhosts. When this option is set, this namespace is prepended to each key instead. By default it is set to "", which instructs eAccelerator to use the hostname as the namespace.

When setting this in the main PHP configuration file this namespace will be used by all vhosts. This value can also be set in the vhost section or even in a .htaccess file to allow sharing of data between only two vhosts.

eaccelerator.name_space = ""

eaccelerator.check_mtime

On every hit eAccelerator will check the modification time of a script to see if it changed and needs to be recompiled. Although this is a lot faster than opening the file and compiling it, this still adds some overhead because a stat call needs to be done every time. This setting allows you to disable this check. The downside of disabling this check is that you need to manually clean the eAccelerator cache when you update a file.

By default this check is enabled.

eaccelerator.check_mtime = "1"

eaccelerator.filter

Determine which PHP files can be cached. You can specify the pattern (for example "*.php *.phtml") the PHP script filename needs to match. If a pattern starts with "!", the files that match that pattern are excluded from the cache. Default value is "" which will cache all scripts PHP compiles.

Please note that eaccelerator.filter doesn’t work on a URL basis but rather on the absolute filesystem path, so a filter of !/home* would exclude all scripts in /home from being cached.

Multiple patterns need to be separated by spaces or tabs, but not commas.

eaccelerator.filter = ""

eaccelerator.shm_max

By default there is no limit on the maximum size a user can put in shared memory with functions like eaccelerator_put; the maximum size is controlled by this setting. This value is the maximum size that can be put in the cache, and the size is given in bytes (10240, 10K, 1M). The default value is "0" which disables the limit.

This setting doesn't affect the maximum size for a script.

eaccelerator.shm_max = "0"

eaccelerator.shm_ttl

When eAccelerator doesn't have enough free shared memory to cache a new script it will remove all scripts from the shared memory cache that haven't been accessed in at least shm_ttl seconds. By default this value is set to "0" which means that eAccelerator won't try to remove any old scripts from shared memory.

eaccelerator.shm_ttl = "0"

eaccelerator.shm_prune_period

When eAccelerator doesn't have enough free shared memory to cache a script it tries to remove old scripts if the previous try was made more than "shm_prune_period" seconds ago. Default value is "0" which means that eAccelerator won't try to remove any old script from shared memory.

eaccelerator.shm_prune_period = "0"

eaccelerator.shm_only

Enable or disable caching of compiled scripts on disk. This has no effect on session data and content caching. Default value is "0" which allows eAccelerator to use the disk and shared memory cache for scripts.

eaccelerator.shm_only = "0"

eaccelerator.compress

When using the eaccelerator_content_* api eAccelerator can compress the content before saving it to memory. By default this is set to "1"; to disable compression set it to "0".

eaccelerator.compress = "1"

eaccelerator.compress_level

Compression level used for content caching. Default value is "9" which is the maximum compression level.

eaccelerator.compress_level = "9"

eaccelerator.keys | session | content

These settings control the places eAccelerator may cache user content. Possible values are:

  • shm_and_disk cache data in shared memory and on disk (default value)
  • shm cache data in shared memory, or on disk if shared memory is full or the data size is greater than "eaccelerator.shm_max"
  • shm_only cache data in shared memory
  • disk_only cache data on disk
  • none don't cache data

eaccelerator.keys     = "shm_and_disk"
eaccelerator.sessions = "shm_and_disk"
eaccelerator.content  = "shm_and_disk"

The web interface

eAccelerator can be managed through a web interface. From version 0.9.5 this web interface has been fully implemented in php, so the settings have been changed.


Taken from: http://techgurulive.com/2009/02/02/how-to-install-and-configure-the-eaccelerator-php-cache-on-apache/

Haven't had time to translate it yet.. later, I'm busy experimenting


Generate pdf problem

| Wednesday, July 14, 2010

Ever had a PHP script generate a PDF file and fail?
Even though on localhost with XAMPP it runs normally.

After checking further, it turned out that if the number of records generated isn't that large, under 100 records, it works.
Hmm, started thinking.. maybe it's the file buffer or file cache configuration in php.ini, or the webserver config.

After some tinkering, alhamdulillah, found it. Here it is: with a memory limit of 96MB, generating 2 thousand records runs successfully. Just adjust it to your needs.

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 96M

libperl.so not found.

| Saturday, June 26, 2010

Snmp suddenly stopped working. The error was:
/libexec/ld-elf.so.1: Shared object "libperl.so" not found, required by "libnetsnmphelpers.so.20"

Hmm, it can't find the library file's path.. if it's not from some upgrade it was probably deleted..
The solution: look for it as follows:

server2# ldd /usr/local/sbin/snmpd
/usr/local/sbin/snmpd:
libnetsnmpagent.so.20 => /usr/local/lib/libnetsnmpagent.so.20 (0x2807e000)
libnetsnmphelpers.so.20 => /usr/local/lib/libnetsnmphelpers.so.20 (0x280b5000)
libnetsnmpmibs.so.20 => /usr/local/lib/libnetsnmpmibs.so.20 (0x280d3000)
libperl.so => /usr/local/lib/libperl.so (0x281b3000)
libm.so.4 => /lib/libm.so.4 (0x282b4000)
libcrypt.so.3 => /lib/libcrypt.so.3 (0x282ca000)
libutil.so.5 => /lib/libutil.so.5 (0x282e2000)
libnetsnmp.so.20 => /usr/local/lib/libnetsnmp.so.20 (0x282ee000)
libkvm.so.3 => /lib/libkvm.so.3 (0x2838d000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x28394000)
libc.so.6 => /lib/libc.so.6 (0x28487000)
libcrypto.so.7
server2#cp /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so /usr/local/lib

server2# snmpd
server2# ps ax | grep snmpd
8945 ?? S 0:00.11 snmpd

Alhamdulillah, OK..

Disable SELINUX

| Monday, May 24, 2010

Here is the way to disable selinux:

1-Edit /etc/selinux/config and set the SELINUX variable to 'disabled'
2-Use the setenforce command to disable on-the-fly

With solution 1, your changes are permanent but only effective if you reboot the machine.

With solution 2, your changes are NOT permanent but effective immediately.

Hope this clears it up :-).

taken from : http://www.linuxquestions.org

SE Linux

| Friday, May 07, 2010

Install SELinux

# apt-get install selinux-basics selinux-policy-default
# reboot
# nano /etc/default/rcS
set FSCKFIX=yes
# nano /etc/cron.daily/mlocate (used so that the locate database update doesn't keep running)
add exit 0 on line 2

Once done, type:
# check-selinux-installation
# rm /var/run/motd
# ln -s /etc/motd.baru /etc/motd

Security Linux

| Thursday, May 06, 2010

1. Stop and remove services that are not needed.
you can install rcconf to manage startup.
and apt-get remove unneededpackage

2. Edit the partitions: disable execution on partitions where users put their data (especially on web servers)

3. Change the file descriptor limit in sysctl.conf
your file descriptor must be beyond 65535

4. Upgrade to the latest kernel.

5. Make the firewall as secure as possible. Allow only the ports that are needed.

6. Manage user login access.

7. Avoid using default ports wherever possible.

8. Disable root login from remote

9. Edit the motd.

10. Try playing with sysctl.conf (beware, at your own risk).

11. Secure the services and options of the installed programs, for example: my.cnf, php.ini, httpd.conf, ftp.conf, snmpd.conf, named.conf

12. Install supporting monitoring tools:
- snmpd, ifstat, iptraf, snort, lsof, htop, deborphan, mtr, nikto. well why do i forget other tool in this critical moment..

More will be added later if there is any.

Thx to cakri n google. u're all da best.

Finding unnecessary packages

|

# apt-get install deborphan
# deborphan -sz
# apt-get remove namapackage
or
# apt-get remove --purge $(deborphan)
or alternatively
# orphaner
the command above has a graphical display ;)

Playing with Cisco

| Thursday, April 29, 2010

# sh run
# conf term
# int Fastethernet0/1
# [config] ip address 10.10.10.1 255.255.255.240 secondary
# exit
# exit
# copy run start


# sh vlan
# conf term
# int Fastethernet0/1
and so on.. I forget..

this post is only for newbies learning Cisco without direction

PureFTPd on Linux.

| Wednesday, March 31, 2010

Today I tried installing from a tarball; the subject of my experiment is pureftpd.

1. Download the source
wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.29.tar.gz
2. Extract
tar -xzvf pure-ftpd-1.0.29.tar.gz
3. Enter the extracted directory
4. ./configure

Uh oh.. configure errored out. :(
Turns out there is no compiler support, so it has to be installed first

apt-get install gcc
apt-get install g++

Repeat the configure step, then continue with the command make && make install

the continuation is in this post

For those compiling with mysql support, install mysql-devel first
apt-get install mysql-devel

Install snmpd..

| Thursday, March 25, 2010

Installing snmpd, the practical way..
# apt-get install snmpd (linux)
# pkg_add -rv net-snmp (fbsd)

After that copy the configuration file:
# cp /etc/snmp/snmpd.conf.orig /etc/snmp/snmpd.conf (linux)
# cp /usr/local/share/snmpd/snmpd.conf.example /usr/local/share/snmpd/snmpd.conf (bsd)

Edit /etc/snmp/snmpd.conf:
com2sec local localhost public
com2sec local ipmrtgserver public

Edit /etc/default/snmpd: (FreeBSD doesn't need this step)
remove the 127.0.0.1 IP

Restart snmp: /etc/init.d/snmpd restart

disable telnet in inetd

|

Type the following command:

# /usr/sbin/update-inetd --disable telnet

Manage startup service

|

To remove a service from startup on linux there are several ways:

1. # update-rc.d -f NAMASERVICE remove
example:
# update-rc.d -f exim4 remove

2. Install rcconf
# apt-get install rcconf
wait for the process to finish, then type:
# rcconf

Just check/uncheck whatever isn't needed, like msconfig..

On FreeBSD, just check the contents of /etc/rc.conf or look in the /usr/local/etc/rc.d directory

Okay.. be happy..