Search Results

Search found 5578 results on 224 pages for 'transport rules'.

Page 123/224 | < Previous Page | 119 120 121 122 123 124 125 126 127 128 129 130  | Next Page >

  • Logfiles filling with iptables logging

    - by Peter I
    OS: Debian 6 Server Version
    I have different logfiles which are filling up:
        user@server:/var/log$ ls -lahS | head
        total 427G
        -rw-r--r-- 1 root root 267G Nov 2 17:29 bandwidth
        -rw-r----- 1 root adm 44G Nov 2 17:29 kern.log
        -rw-r----- 1 root adm 27G Nov 2 17:29 debug
        -rw-r----- 1 root adm 23G Oct 27 06:33 kern.log.1
        -rw-r----- 1 root adm 17G Nov 2 17:29 messages
        -rw-r----- 1 root adm 14G Oct 27 06:33 debug.1
        -rw-r----- 1 root adm 12G Nov 2 17:29 syslog
        -rw-r----- 1 root adm 12G Nov 1 06:26 syslog.1
        -rw-r----- 1 root adm 9.0G Oct 27 06:33 messages.1
    So I looked up the file /etc/iptables.up.rules which had those lines in it:
        -A FORWARD -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
        -A FORWARD -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
        -A OUTPUT -o eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
        -A INPUT -i eth0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
    So deleting those lines will solve my problem. But how would I edit those lines without losing their functionality?


  • Is the hosts file ignored in windows if DNS Client service is running?

    - by Mnebuerquo
    I've seen a number of articles about how to edit the hosts file in Windows 7, but it's all about how to open notepad as administrator, not the actual behavior of the dns lookups afterward. I've read that the hosts file is ignored in XP SP2 if DNS Client service is running. I have tried this on my XP machine and it seems to be true. I can see how it is a security danger to have a hosts file that user programs could modify. If it could write to hosts, then any malware could spoof dns locally with minimal difficulty. I'm trying to use the hosts file for testing stuff on my local network without it going to the live site on the internet. At the same time I want to be able to use dns on the normal internet. Mostly though I just want to understand the rules on the newer windows systems. Thanks!


  • Setting up an externally facing server on Windows. How do I set up DNS/Nameservers?

    - by Jason Miesionczek
    So I have a domain name that I would like to host from my static IP internet connection. I have Windows Server 2008 R2 installed, and DNS set up. The DNS server is currently behind a firewall, and I have the appropriate rules to allow traffic to reach it. My question is, what entries do I need to create in the DNS so that I can have some nameservers to use at my domain registrar, so that the domain correctly points to the server? I know that most domains have nameservers like ns1.domain.com, ns2.domain.com, etc. What would I point those to in my DNS?


  • Advanced merge directory tree with cp in Linux

    - by mtt
    I need to:
      - Copy all of a tree's folders (with all files, including hidden) under /sourcefolder/* preserving user privileges to /destfolder/
      - If there is a conflict with a file (a file with the same name exists in destfolder), then
          - rename file in destfolder with a standard rule, like add "old" prefix to filename (readme.txt will become oldreadme.txt)
          - copy the conflicted file from source to destination
      - Conflicts between folders should be transparent - if same directory exists in both sourcefolder and destfolder, then preserve it and recursively copy its content according to the above rules.
    I need also a .txt report that describes all files/folders added to destfolder and files that were renamed. How can I accomplish this?


  • How can I "filter" postfix-generated bounce messages?

    - by Flimzy
    We are using postfix 2.7 and custom SMTPD (based on qpsmtpd) in highly customized configuration for spam filtering. We have a new requirement to filter postfix-generated bounces through our custom qpsmtpd process (not so much for content filtering, but to process these bounces accordingly). Our current configuration looks (in part) like this:
    main.cf (only customizations shown):
        2526 inet n - - - 0 cleanup
        pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.2
    Our smtpd injects messages to postfix on port 2526, by speaking directly to the cleanup daemon. And the custom pickup command instructs postfix to hand off all locally-generated mail (from cron, nagios, or other custom scripts) to our custom smtpd. The problem is that this configuration does not affect postfix generated bounce messages, since they do not go through the pickup daemon. I have tried adding the same content_filter option to the bounce daemon commands, but it does not seem to have any effect:
        bounce unix - - - - 0 bounce -o content_filter=smtp:127.0.0.2
        defer unix - - - - 0 bounce -o content_filter=smtp:127.0.0.2
        trace unix - - - - 0 bounce -o content_filter=smtp:127.0.0.2
    For reference, here is my main.cf file, as well:
        biff = no
        # TLS parameters
        smtpd_tls_loglevel = 0
        smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
        smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
        smtpd_use_tls=yes
        smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
        smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
        smtp_tls_security_level = may
        mydestination = $myhostname
        alias_maps = proxy:pgsql:/etc/postfix/dc-aliases.cf
        transport_maps = proxy:pgsql:/etc/postfix/dc-transport.cf
        # This is enforced on incoming mail by QPSMTPD, so this is simply
        # the upper possible bound (also enforced in defaults.pl)
        message_size_limit = 262144000
        mailbox_size_limit = 0
        # We do our own message expiration, but if we set this to 0, then postfix
        # will try each mail delivery only once, so instead we set it to 100 days
        # (which is the max postfix seems to support)
        maximal_queue_lifetime = 100d
        hash_queue_depth = 1
        hash_queue_names = deferred, defer, hold
    I also tried adding the internal_mail_filter_classes option to main.cf, but also to no effect:
        internal_mail_filter_classes = bounce,notify
    I am open to any suggestions, including handling our current content-filtering-loop in a different way. If it's not clear what I'm asking, please let me know, and I can try to clarify.


  • Recommended Smartphone for Reading PDFs [closed]

    - by mika
    This is as much a software as a hardware question. I use a lot of public transport and perhaps the best way to spend your time there is to read while listening to music. Currently I use Nokia E90 and Adobe Reader LE 2.5 (full version). I was wondering if there are any better alternatives?
    Requirements:
      - at least 640px wide screen, preferably 800px
      - physical size of the LCD display matters, it should be large, but the phone itself should be as small as possible. This favors touchscreen models
      - PDF reader should be of high quality. It should render most PDFs correctly. Other important features include: full screen mode, keyboard controls for Page Down and page change, multiple zoom levels to adjust to the screen, opening recent documents at the last page read
    Downsides of E90 + Adobe Reader LE:
      - Phone is large compared to the display
      - It is hard to read the display in sunlight
      - Adobe Reader crashes the phone regularly, zoom could have more levels, doesn't remember last page
    EDIT: Switched to iPhone and GoodReader. Smaller physical screen width compared to E90 is a disimprovement, but other than that I'm happy. GoodReader is the highest quality smartphone PDF reader I've seen so far.


  • Is it possible to limit output bandwidth between eth0 and lo?

    - by mmcbro
    I'm trying to limit the bandwidth between my eth0 output (nginx proxy) to my loopback interface (apache) by filtering on destination port.
        Incoming Packet -> Eth0 -> 0.0.0.0:80 Nginx -> tc qdisc class/iptable mangle 2525port -> 127.0.0.1:2525 Apache
    I don't know if it's even possible, I'm just experimenting. My rules are the following:
        tc qdisc add dev eth0 root handle 1:0 htb
        tc class add dev eth0 parent 1:0 classid 1:10 htb rate 2mbps ceil 2mbps prio 0
        tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
        iptables -A OUTPUT -t mangle -p tcp --dport 2525 -j MARK --set-mark 10
    I also tried with the FORWARD chain but it's still the same.


  • Lighttpd mod_rewrite conversion from .htaccess format

    - by hoball
    Hello, I am using lighttpd as webserver and am having an issue about mod_rewrite. Currently I have a set of Apache .htaccess rewrite rules from a PHP script:
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-l
        RewriteRule ^(.*)$ index.php [QSA,L]
    In my understanding, if the requested URI is not a file/directory/sym-link, append it to index.php, e.g.
        www.a.com/hello/world --> www.a.com/index.php/hello/world
    I attempted to convert to lighttpd specification:
        url.rewrite-if-not-file = ( "^(.*)$" = "index.php/$1" )
    However, it doesn't work. I suspect that is due to misuse of $1. I tried to use $0/%0 or something else but they fail. Would you please provide me a hint on making the syntax work? Thank you!


  • Limiting and redirect port access with useragent

    - by linuxcore
    I'm trying to write an iptables string match rule to block http://domain.com:8888 and https://domain.com:8888 when it matches the supplied string in the rule. And another rule to redirect the ports also from 8888 to 7777. I tried the following rules but unfortunately they didn't work:
        iptables -A INPUT -p tcp -s 0.0.0.0/0 -m string --string linuxcore --algo bm --sport 8888 -j DROP
        iptables -t raw -A PREROUTING -m string --algo bm --string linuxcore -p tcp -i eth0 --dport 8888 -j DROP
        iptables -t nat -A PREROUTING -p tcp --dport 8888 -m string --algo bm --string "linuxcore" -j REDIRECT --to-port 7777
        iptables -A INPUT -t nat -p tcp --dport 8888 -m string --algo bm --string "linuxcore" -j DROP
    I want to do this from iptables, not the webserver, because the server may not have a webserver and those ports are working on an internal proxy or something like that, etc.


  • Remote Access Without Explicit Permission: Convenience or Liability?

    - by routeNpingme
    For outsourced professional IT remote support, one habit most new technicians get into is the "instead of getting the user to start up remote support each time, I'll go ahead and install LogMeIn / GoToMyPC / Remote Desktop / whatever so that if they call again, I can just jump on and help them". This of course opens up a potential liability because a client PC on a network that we don't own is being accessed without a user explicitly providing permission by clicking a "Yes, allow technician to control my PC" option. I realize the rules totally change when you're an IT admin over a network that you "own", but this is outsourced IT support. Just curious what others' policies are. Is this an acceptable practice for convenience and I'm turning into one of those "security is more important than anything" people, or is this really a liability?


  • To decide where to crop an image, how can I highlight its most compressible areas?

    - by Umber Ferrule
    I'm looking to get the most compression out of each of the most popular image formats, such as, JPEG, PNG, GIF, etc. Ideally, this would be a tool, or a series of transforms that could be performed (perhaps using a macro and then discarded) in popular image editors (Paint.NET/PaintShopPro/PhotoShop/GIMP) to highlight areas which will compress less. Alternatively, what rules of thumb can be used other than reducing colours (for PNG/GIF), reducing image dimensions, avoiding high detail areas... I'm not asking for help deciding what format to use for a particular image type as I think this is fairly common knowledge, i.e. diagram and images with few colours = PNG/GIF, photographs = JPEG.


  • Can't connect to Server Manager from Windows 7

    - by SAdmin317
    I have a Windows 7 Pro 64bit with SP1 desktop that has RSAT tools installed. I opened Server Manager and can't connect to the server (Server 2008 R2 core). I followed the guide to enable everything on the server, added a registry key to enable read-only on the device manager as well. On the Windows 7 PC I turned on winrm, did the quick config, and added the server IP and name as trusted hosts. I still get an error when connecting. "Connecting to the remote server failed with the following error message: The WinRM client cannot process the requests. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting...." I also added the name of the server to the Windows 7 /etc/hosts file. Pinging the server name translates to the IP of the server. Also opened up the firewall for "Remote Volume Management". Both machines are on the same Workgroup, using the same Administrator account, with the same password. Any help appreciated.


  • /proc/pid/environ missing variables

    - by Josh Arenberg
    google is giving no love on this one today, so I turn to the experts... I'm currently hacking together a script that relies on the /proc/pid/environ feature in Linux (RHEL 4) to check for a particular environment variable. Trouble is, it seems certain environment variables aren't showing up in there for some reason. Example:
    create some test vars:
        $ export T_1=testval TEST_1=testval T=testval TESTING_LONGEST=testval
    open a subshell:
        $bash
        $ cat /proc/self/environ|tr "\0" "\n"|grep testval
        TESTVARIABLE_LONGEST=testval
        T=testval
    hmm... where did T_1 and TEST_1 go?? what rules govern this strange universe? Thanks in advance, Josh


  • How to secure an Internet-facing Elastic Search implementation in a shared hosting environment?

    - by casperOne
    (Originally asked on StackOverflow, and recommended that I move it here) I've been going over the documentation for Elastic Search and I'm a big fan and I'd like to use it to handle the search for my ASP.NET MVC app. That introduces a few interesting twists, however. If the ASP.NET MVC application was on a dedicated machine, it would be simple to spool up an instance of Elastic Search and use the TCP Transport to connect locally. However, I'm not on a dedicated machine for the ASP.NET MVC application, nor does it look like I'll move to one anytime soon. That leaves hosting Elastic Search on another machine (in the *NIX world) and I would probably go with shared hosting there. One of the biggest things lacking from Elastic Search, however, is the fact that it doesn't support HTTPS and basic authentication out of the box. If it did, then this question wouldn't exist; I'd simply host it somewhere and make sure to have an incredibly secure password and HTTPS enabled (possibly with a self-signed certificate). But that's not the case. That given, what is a good way to expose Elastic Search over the Internet in a secure way? Note, I'm looking for something that hopefully, will not require writing code to provide shims for the methods that I want (in other words, writing forwarders).


  • Messages going missing from Apple mailboxes

    - by Ho Li Cow
    A colleague has noticed random messages being deleted from her Apple Mailboxes. e.g. Message sent to client - client replies - original message nowhere to be found. Not in sent items/sent messages/junk/trash. No rules set up. Have tried rebuilding mailboxes but message doesn't show up. Quite worrying really as it was only noticed by chance so don't know how long/how widespread it is. Mail is controlled by Exchange 2003 server. Anyone come across this before or know what's happening? Many thanks MBP 2.53GHz OS X 10.5.8 Mail 3.6


  • Is it possible to use rsync over sftp (without an ssh shell) ?

    - by Tom Feiner
    Rsync over ssh, works great every time. However, trying to rsync to a host which allows only sftp logins, but not ssh logins, provides the following error:
        rsync -av /source ssh user@remotehost:/target/
        protocol version mismatch -- is your shell clean?
        (see the rsync man page for an explanation)
        rsync error: protocol incompatibility (code 2) at compat.c(171) [sender=3.0.6]
    Here's the relevant section from the rsync man page:
        This message is usually caused by your startup scripts or remote shell facility producing unwanted garbage on the stream that rsync is using for its transport. The way to diagnose this problem is to run your remote shell like this:
            ssh remotehost /bin/true > out.dat
        then look at out.dat. If everything is working correctly then out.dat should be a zero length file. If you are getting the above error from rsync then you will probably find that out.dat contains some text or data. Look at the contents and try to work out what is producing it. The most common cause is incorrectly configured shell startup scripts (such as .cshrc or .profile) that contain output statements for non-interactive logins.
    Trying this on my system produced the following in out.dat:
        ssh-dummy-shell: Command not allowed.
    As I thought, the host is not allowing ssh logins. The following link shows that it is possible to accomplish this task using fuse with sshfs - however it is extremely slow, and not fit for production use. Is there any chance of getting rsync sftp to work?


  • Block a machine from accessing the internet

    - by Simon Rigby
    After some confirmation that I have my thinking right in this scenario. We have a number of wired and wireless machines which presently have direct internet access. I also have a Linux (Ubuntu) server which is used as a file server for the network. Essentially I would like to be able to turn internet access on and off for machines. My plan is to block these machines by MAC address at the router. I would then set up a proxy server on the Linux box (i.e. Squid) so that the machines I wish to restrict can access the internet via the proxy. As I can adjust access via ACLs in squid, I would be able to switch on or off a machine's access to the internet without having to further adjust the router's MAC rules. And of course I could go further and create a few scripts to assist with this admin task. Does this seem sound and have I overlooked anything? Any help greatly appreciated. Simon.


  • Rejecting new HTTP requests when server reaches a certain throughput

    - by Sam
    I have a requirement to run an HTTP server that rejects new HTTP requests (with a 503, or similar) when the global transfer rate of current HTTP responses exceeds a certain level. For example, if the web server is transferring at 98Mbps, and a new HTTP request arrives, we would want to reject this (as we couldn't guarantee a good speed). I've had a look at mod_cband for Apache, limit_req for nginx, and lighttpd's rate limiting features, but none of them seem to handle my (rather contrived, granted) use case. I should add that I'm open to using pretty much any web server, and am open to implementing this in iptables rules if someone can craft such a rule! (Refusing the TCP connection is fine, it doesn't have to respond with an HTTP 503). Any suggestions?


  • Outlook 2007 Script that sends new form email when a message is dragged and dropped into a folder

    - by Mark
    Is it possible to write a script that will allow Outlook to automatically send out a new email to a distribution list when you drag and drop a previously opened email into a specified folder? The rules only let you apply them to received and sent messages. They do not allow you to apply it to anything that is dragged and dropped after being opened. It baffles me that Novell Groupwise had this functionality but Outlook 2007 does not. If someone can assist me in writing a script/macro to provide this functionality, it would be greatly appreciated. Thank you.


  • Nginx proxy to Apache - resolve HTTP ORIGIN

    - by Fratyr
    I have a server setup with nginx serving static content and proxying all PHP/dynamic requests to apache on 127.0.0.1. I'm building an API for my databases, and I need to allow clients by their origin (domain name), rather than just IP. Based on CORS rules. So when I send an HTTP header header("Access-Control-Allow-Origin: www.client-requesting.myapi.com"); from my API server, I have to tell it which origin I allow, otherwise client side requests won't work to my API due to same-origin policy. The question is how can I know which domain name (if any) called my API? What should be the nginx and apache configuration to pass the origin parameter? I tried to google, and all I found is some possible solution with mod_rpaf, but I wanted to be sure. Thanks!


  • Permission to see the expandable list of ISA Server 2006

    - by Hossein Mobasher
    I am working on ISA Server 2006 in Windows Server. I want to add some policy rules to my server, and I followed this link. But it points to: "In the Microsoft Internet Security and Acceleration Server 2006 management console, expand the array name, and then click the Firewall Policy node." When I open the ISA Server 2006 Management Console, I cannot show the expandable list. How can I force ISA to show the expandable tree to start Firewall Policy? Could anyone please help me to do this? Note: I have administrator permission for my account. Thanks in advance :)


  • Taking stock of an existing ASA Firewall

    - by Nate
    Imagine you are given an existing network using an ASA firewall. The network works, but you aren't sure of anything else. The firewall may be completely improperly configured, with "outside" actually being inside and "inside" actually being outside, for all you know. My question is this: what are the commands to take stock of an existing ASA firewall setup? With only CLI access, how do I figure out:
      - What interfaces are available
      - The names of the interfaces
      - The security levels attached to the interfaces
      - The access-lists attached to the interfaces, including rules and directions
    I know how to set these things (interface, nameif, security-level, and access-list/access-group), but I don't know how to figure them out given an existing system. On a related note, is there anything else that I should worry about checking to make sure that the network isn't wide open? Thanks!


  • Reverse Proxy (mod_rewrite) and Rails (absolute paths)

    - by SooDesuNe
    I have a front end rails app that reverse proxies to any of a number of backend rails apps depending on URL, for example http://www.my_host.com/app_one reverse proxies to http://www.remote_host_running_app_one.com such that a URL like http://www.my_host.com/app_one/users will display the contents of http://www.remote_host_running_app_one.com/users I have a large, and ever expanding number of backends, so they can not be explicitly listed anywhere other than a database. This is no problem for mod_rewrite using a prg:/ rewrite map reverse proxy. The question is, the urls returned by rails helpers have the form /controller/action making them absolute to the root. This is a problem for the page served by mod_rewrite because links on the proxied page appear as absolute to the domain. i.e.: http://www.my_host.com/app_one/controller/action has links that end up looking like /controller/action/ when they need to look like /app_one/controller/action mod_proxy_html seems like the right idea, but it doesn't seem to be as dynamic as I would need, since the rules need to be hard coded into the config files. Is there a way to fix this server-side, so that the links will be routed correctly?


  • Understanding connection tracking in iptables

    - by Matt
    I'm after some clarification of the state/connection tracking in iptables. What is the difference between these rules?
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    Is connection tracking turned on when a packet is first matched containing -m state --state BLA, or is connection tracking always on? Can/Should connection state be used for fast matching like below? e.g. suppose this is some sort of router/firewall (no nat).
        # Default DROP policy
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP
        # Drop invalid
        iptables -A FORWARD -m state --state INVALID -j DROP
        # Accept established,related connections
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Allow ssh through, track connection
        iptables -A FORWARD -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT


  • Is there any valid reason for users to request phpinfo()

    - by The Journeyman geek
    I'm working on writing a set of rules for fail2ban to make life a little more interesting for whoever is trying to bruteforce his way into my system. A good majority of the attempts tend to revolve around trying to get into phpinfo() via my webserver - as below
        GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
        GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
        GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
        GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1
    I'm wondering if there's any valid reason for a user to attempt to access phpinfo() via apache, since if not, I can simply use that, or more specifically the regex
        GET //[^>]+=phpinfo\(\)
    as a filter to eliminate these attacks

