How many system administrators check the IP addresses of the 13 root nameservers if they have DNS running? This should be checked at least once a year.
I have Bind installed on several Linux boxes, yet the named.ca file is dated back to Jan 29, 2004. It is now 2007; can you imagine there has been no change in the IP addresses of the root nameservers? No, the latest named.ca has a date stamp of 1 Nov 2007. On further comparison, the IP address of the L root nameserver has been altered:
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
Instead of downloading the new file, it is easier to type the correct IP address into the appropriate position in that file.
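As an added example (not code from the original post), here is a small Python script that parses the A records of two named.ca-style root hints files, reports which root servers changed address and which of the 13 letters are missing. The sample hints are constructed, with 192.0.2.x placeholder addresses except for the new L address quoted above.

```python
from typing import Dict, List, Tuple

# Constructed sample hints in named.ca format, cut down to two of the 13
# servers. Addresses are documentation-range placeholders except the new
# L root address, which is the one the post quotes.
OLD_HINTS = """\
;       This file holds the information on root name servers (old copy)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12   ; placeholder
"""
# The newer copy differs only in the L root address.
NEW_HINTS = OLD_HINTS.replace("192.0.2.12", "199.7.83.42")

ROOT_LETTERS = [chr(c) for c in range(ord("A"), ord("M") + 1)]  # A..M = 13 roots


def parse_hints(text: str) -> Dict[str, str]:
    """Map each root server name (no trailing dot, upper-case) to its A record."""
    records: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        # owner  ttl  [class]  type  rdata: only A records carry addresses
        if len(fields) >= 4 and fields[-2].upper() == "A":
            records[fields[0].rstrip(".").upper()] = fields[-1]
    return records


def diff_hints(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Tuple]:
    """Servers whose address differs between two hints files: name -> (old, new)."""
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


def missing_roots(records: Dict[str, str]) -> List[str]:
    """Root letters A..M that have no A record in the parsed hints."""
    return [x for x in ROOT_LETTERS if f"{x}.ROOT-SERVERS.NET" not in records]


if __name__ == "__main__":
    changes = diff_hints(parse_hints(OLD_HINTS), parse_hints(NEW_HINTS))
    for name, (before, after) in changes.items():
        print(f"{name}: {before} -> {after}")
    print("missing from new hints:", missing_roots(parse_hints(NEW_HINTS)))
```

Point the two constants at the installed named.ca and a freshly downloaded copy to get the same report for a real server.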
This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might name it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and making them lively. If you find this blog boring, sorry, that is your problem.
2007/11/15
2007/11/13
How big a tar file can be
For those who need to use tar for tape backup, a common question is how big a tar file can be. According to some online research, for kernel versions higher than 2.4.0 with Large File Support, the maximum size of a tar file is 2TB. I think this is big enough for any enterprise backup application. If I have a tape drive supporting 400 GB per tape, I will have to use 5 tapes.
Can we have such a powerful backup tool in Windows OS? Probably not.
2007/10/04
Port 3306 mysql probe
I found a large number of failed connection attempts to port 3306 on my FC7 server. This port is for external hosts to connect to mysqld. Since I do not open mysqld to connections from other hosts, leaving this port open is a bad vulnerability; otherwise bad guys can probe the mysqld root password.
Closing port 3306 can be done by amending the mysql config file, but this is too complicated. I just use iptables to get the job done easily.
2007/09/25
2007/09/24
dd and netcat coming together
"dd" coupled with "netcat" allows cloning an entire hard disk to another server/PC on an intranet or the Internet as a binary image for forensic analysis.
This is really useful and avoids the need to open the PC case and remove the hard disk for binary image replication:
Forensics(192.168.1.7)% nc -l 37337 | dd of=/dev/hda
Evidence% dd if=/dev/hdb | nc 192.168.1.7 37337
2007/09/08
Hong Kong Island Legislative Council by-election
Stop speculating. I believe that if Regina Ip runs she is certain to win. Why? With her name recognition and administrative experience, plus the full support of the pro-Beijing camp and the DAB, who in the pan-democratic camp can match her? At present, in terms of fame, only Anson Chan could stand against her, but Anson Chan does not belong to any democratic party, and running under the pan-democrat banner would certainly cause infighting. Just from the pan-democrats' failure so far to settle on a candidate, one can already be sure their election momentum is in tatters.
2007/09/05
Protecting dovecot against brute force attacks with fail2ban
Some bad guys tried thousands of times to guess POP user accounts and passwords. I decided that brute force attacks on dovecot should be banned, similar to what I had done for vsftpd. To start up the protection, the following lines were added to /etc/fail2ban/jail.conf:
[pop-iptables]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
filter = pop
action = iptables[name=pop, port=pop, protocol=tcp]
         sendmail-whois[name=pop, dest=root]
logpath = /var/log/secure
maxretry = 5
Fail2ban reported a failure on the fail2ban-pop chain. The mistake was that there is no port called pop in /etc/services; the correct name of the port is pop3, not pop. What a careless mistake I had made. After revising as follows, fail2ban started successfully and attacks on dovecot were tested and successfully banned:
[pop3-iptables]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
filter = pop3
action = iptables[name=pop3, port=pop3, protocol=tcp]
         sendmail-whois[name=pop3, dest=root]
logpath = /var/log/secure
maxretry = 5
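As an added illustration (not fail2ban's own code), the Python below does what the jail above does in miniature: it counts dovecot POP3 auth failures per remote IP in /var/log/secure lines, lists the hosts that reached maxretry, and builds the DROP rule fail2ban's iptables action would insert. The log lines are constructed; resolve_port shows why port=pop failed, since iptables resolves service names through /etc/services too.

```python
import re
import socket
from collections import Counter
from typing import Dict, List, Optional

# Failed POP3 login line as dovecot writes it to /var/log/secure; the remote
# address follows rip=, which is what fail2ban's <HOST> captures.
FAILED_LOGIN = re.compile(
    r"pop3-login: Aborted login \(auth failed.*?\brip=(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
MAXRETRY = 5   # same threshold as the jail above


def _fail(ts: str, user: str, host: str) -> str:
    return (f"Sep  5 {ts} mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
            f"user=<{user}>, method=PLAIN, rip={host}, lip=192.0.2.1")

# Constructed log sample: six failures from one host, two from another,
# one successful login and one unrelated sshd line.
SAMPLE_SECURE_LOG = "\n".join(
    [_fail(f"10:01:{s:02d}", "root", "192.0.2.10") for s in range(6)]
    + [_fail("10:02:00", "bob", "192.0.2.20"), _fail("10:02:05", "bob", "192.0.2.20")]
    + ["Sep  5 10:02:30 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, "
       "rip=192.0.2.20, lip=192.0.2.1",
       "Sep  5 10:03:00 mail sshd[123]: Failed password for invalid user admin "
       "from 192.0.2.30 port 4444 ssh2"]
)


def failed_logins_by_host(log: str) -> Dict[str, int]:
    """Count dovecot POP3 auth failures per remote IP (findtime window ignored)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(log: str, maxretry: int = MAXRETRY) -> List[str]:
    """Hosts that reached maxretry failures, i.e. what the jail would ban."""
    return sorted(h for h, n in failed_logins_by_host(log).items() if n >= maxretry)


def resolve_port(name: str) -> Optional[int]:
    """Service name lookup in /etc/services, as iptables does; None if unknown."""
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return None


def ban_rule(host: str, jail: str) -> str:
    """The rule fail2ban's iptables action inserts into its per-jail chain."""
    return f"iptables -I fail2ban-{jail} 1 -s {host} -j DROP"


if __name__ == "__main__":
    for name in ("pop", "pop3"):   # the typo in the first jail vs the fix
        print(f"port={name}: {resolve_port(name)}")
    for host in hosts_to_ban(SAMPLE_SECURE_LOG):
        print(ban_rule(host, "pop3"))
```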
2007/08/30
Fedora Core 7 Kernel Bug
I noticed some kernel bugs in Fedora Core 7 which appear shortly after booting up.
The error log looks like this:
BUG: warning at kernel/softirq.c:138/local_bh_enable() (Not tainted)
[] local_bh_enable+0x45/0x92
[] cond_resched_softirq+0x2c/0x42
[] release_sock+0x4f/0x9d
[] tcp_sendmsg+0x90b/0x9f9
[] dput+0x31/0xf7
[] inet_sendmsg+0x3b/0x45
[] sock_aio_write+0xf6/0x102
[] do_sync_write+0xc7/0x10a
[] autoremove_wake_function+0x0/0x35
[] sys_lstat64+0x1e/0x23
[] vfs_write+0xbc/0x154
[] sys_write+0x41/0x67
[] syscall_call+0x7/0xb
=======================
Other than the error message, I did not notice any abnormalities or application crashes afterward. I will just leave them for the time being until Red Hat and Fedora issue a workaround or patches.
2007/08/29
Reciprocal Recognition Agreement (RRA) between HKIE and IET
I have been informed by IET that HKIE does not recognize the status of IET members when IET members in Hong Kong wish to apply for HKIE membership. The applications of our IET members are subject to a review which may comprise any or all of the following:
(a) Submission of a training and experience report
(b) Interview
(c) Essay test
(d) Submission of record of continuing professional development
We are further informed that HKIE has the discretion to determine the extent and scope of the review.
I am sure there are a large number of engineers in Hong Kong who wish to have dual membership of IET and HKIE. As a corporate member of IET, I feel frustrated to see the unnecessary restrictions/procedures imposed by HKIE. I would say that HKIE has done something detrimental to the status and professional development of all working engineers in Hong Kong.
2007/08/25
Le Tour De California
I joined the 3-hour marathon cycling class at Causeway Bay California Fitness Centre today. The event was called Le Tour De California. Certainly, this name was derived from Le Tour De France, the best-known cycling race in the world, lasting 22 days as a 20-stage road race covering more than 3000 km.
I was on the waiting list so I did not have a formal attendance certificate despite completing the challenge. Hey, it doesn’t matter. What I wanted to do is to participate in a marathon cycling challenge class with a large group of people. This is my second time. I will join again next year.
2007/08/23
JAlbum
The first web album software that I used was Album GV1.7, dating back to 2001. Album GV1.7 stayed with me for over 5 years until I switched to Web Album Generator. Web Album Generator is good and easy to use but lacks beautiful skins.
I have now moved to JAlbum. There are tens of colorful skins for me to use. Moreover, photos can be accompanied with text and comments. I think JAlbum is the best web album I have ever used.
2007/08/18
spam statistics
I found that I had noted down some spam statistics, but forgot from which sites. Quite interesting figures:
1. The average PC user receives over 2,000 and counting spammed emails per year.
2. The average computer user receives about 10 spams per day.
3. Spam is expected to increase by about 63% in 2007.
4. About 28% of people answer spam emails.
5. 15-20% of corporate email is spam and it is ever-growing.
6. 25% of spam is product-related.
7. About 90 billion spam emails are sent per day.
8. Nearly 80% of spam emails are sent from zombie networks or botnets.
9. China has the highest rate of spamvertized websites.
10. 63% of "take my email off your list" requests are not fulfilled.
11. 86% of emails posted on websites end up receiving spam.
2007/08/07
2GB file limit
I find that there is a 2GB limit on the size of a file that can be listed in a web directory if directory listing is enabled in the web server settings. If a file is bigger than 2GB, it cannot be shown in the directory through HTTP access. I guess this is the reason why Fedora Core and CentOS mirror sites which distribute DVD iso images can only be accessed by FTP. As far as I know, this problem will not be overcome in the coming new releases of Apache.
2007/08/05
Taking a taxi in summer
Don't assume that taking a taxi in summer is always more comfortable than taking a bus or minibus. Why?
At noon, the front and rear seats of a taxi are exposed to direct, fierce sunlight, and because the cabin is small the absorbed heat accumulates, so even an air-conditioned car cannot cool down effectively. Buses and minibuses do not have this problem, and on today's air-conditioned buses and minibuses every passenger seat has its own air vent, which is far cooler and more comfortable than a taxi, whose vents are at the front.
2007/08/03
Generating 10 million numbers
I need a text file containing 10 million sequential numbers. This is the script I used:
#!/bin/bash
# Append one number per line to the file "numbers";
# the file is reopened for every echo, which is why this takes so long.
for i in {20000000..29999999};
do
echo $i >> numbers;
done
On a P4 3GHz machine, how much time is needed to generate so many numbers?
The answer is 53 minutes.
2007/07/17
Upgrade from FC4 to FC7
I had one server that needed to be upgraded from FC4 to FC7. I did the DVD upgrade version by version, that is FC4 > FC5, then FC5 > FC6 followed by FC6 > FC7.
At FC5, sendmail failed to start due to some changes in shared objects. This could be remedied by "yum install sendmail". Another process that failed was httpd. As I still had several upgrades to continue, I decided not to fix this yet.
The upgrades from FC5 > FC6 > FC7 were smooth and easy. Originally, in FC4, my httpd was serving static pages with no php or other added modules. At FC7, when httpd started, the first error was:
Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 10 of /etc/httpd/conf.d/perl.conf: API module structure `perl_module' in file /etc/httpd/modules/mod_perl.so is garbled - perhaps this is not an Apache module DSO?
I figured out this could be solved by yum install mod_perl.
Afterward, another failure appeared :
Syntax error on line 6 of /etc/httpd/conf.d/php.conf:
Cannot load /etc/httpd/modules/libphp5.so into server: /usr/lib/libcurl.so.3
This could be due to lack of php. The working solution was yum install php.
Just when I thought the problems had been cleared, another one came up:
Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/modules/mod_python.so:
The error actually prompted me to do a "yum install mod_python".
The last error was as follows :
Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory.
This said I had to add mod_ssl to Apache. I did a yum install mod_ssl.
Finally, httpd 2.2.4 started running on FC7. The whole fault-finding process was full of pain.
2007/07/15
My First Touch on Shorewall
Last week, I performed installation and configuration of Shorewall on Fedora Core 6. I made a host-based firewall and some people called it a one-interface firewall. No difficulties encountered and the documentation gave sufficient details for me to understand.
I tried to compare FC6's default iptables-based firewall functions with Shorewall. For stateful packet inspection of incoming packets, both are more or less the same. However, Shorewall offers the additional functions of whitelists, blacklists and rate limiting of incoming packets. There is no doubt that Shorewall is a perfect choice for people who find it difficult to learn and write iptables scripts.
2007/07/10
An Old Unix Proverb
"He who has never hacked sendmail.cf has no soul;
he who has hacked sendmail.cf more than once has no brain."
2007/07/08
zen.spamhaus.org
Spamhaus has combined the SBL, XBL and PBL blocklists into one single powerful and comprehensive DNSBL called the zen blocklist, to make querying faster and simpler. As advised by Spamhaus, I have changed the settings in my server to query zen instead of SBL and XBL.
There is an interesting story behind the name "Zen". Zen was a guard dog that for many years guarded Spamhaus's base in England. After giving the name to the most powerful DNSBL, Zen now guards our networks and customers.
2007/07/07
FTP test
I connected to an FTP server and uploaded all files in a directory by means of mget *.*. Which file would be uploaded first? At first, I thought the file upload sequence would be in alphabetical order of file names. This is wrong. The upload sequence was in accordance with the date and time of the files.
This is an interesting fact re-discovered. I should have learnt this some time ago.