Search Results

Search found 12283 results on 492 pages for 'tcp port'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 205/492 | < Previous Page | 201 202 203 204 205 206 207 208 209 210 211 212  | Next Page >

  • Which ports are needed for NTLM (Windows Authentication) to connect to SQL Server?

    - by Adam Bellaire
    I've got SQL server running on a machine which is not in a domain, and which is not operating in mixed mode (it's running with "Windows Authentication"). I'm trying to connect to it from a Linux web server running freetds via TCP/IP, using NTLM to authenticate. The firewall on the SQL server is very restrictive. 1433 is open to my web server, but I'm getting conflicting information from the web on what additional ports (TCP/UDP) are needed for NTLM to succeed. It is currently fail; I can talk on 1433 to request NTLM, but the actual authentication always fails. One source says 137, 138, 139, but those are just the NetBIOS ports. Do I really need those? Another source says 135. Still others seem to say 1434... I can't make heads or tails of it. Dammit Jim, I'm a programmer, not a network administrator! EDIT: The exact error message: Msg 18452, Level 14, State 1, Server , Line 0 Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection. Msg 20002, Level 9, State -1, Server OpenClient, Line -1 Adaptive Server connection failed I am attempting to connect with a remote machine username, i.e. 'servername\username'. Some sources recommend that I set up mirrored accounts on the local and remote machines, but the local machine is running Linux, not IIS under Windows.

    Read the article

  • Windows 7 network performance tuning for LAN

    - by Hubert Kario
    I want to tune Windows 7 TCP stack for speed in a LAN environment. Bit of background info: I've got a Citrix XenServer set up with Windows 2008R2, Windows 7 and Debian Lenny with Citrix kernel, Windows machines have Tools installed the iperf server process is running on different host, also Debian Lenny. The servers are otherwise idle, tests were repeated few times to confirm results. While testing with iperf 2008R2 can achieve around 600-700Mbps with no tuning what so ever but I can't find any guide or set of parameters that will make Windows 7 achieve anything over 150Mbps with no change in TCP window size using -w parameter to iperf. I tried using netsh autotuining to disabled, experimental, normal and highlyrestricted - no change. Changing congestionprovider doesn't do anything, just as rss and chimney. Setting all the available settings to same values as on Windows 2008R2 host doesn't help. To summarize: Windows 2008R2 default settings: 600-700Mbps Debian, default settings: 600Mbps Windows 7 default settings: 120Mbps Windows 7 default, iperf -w 65536: 400-500Mbps While the missing 400Mbps in performance I blame on crappy Realtek NIC in the XenServer host (I can do ~980Mbps from my laptop to the iperf server) it doesn't explain why Windows 7 can't achieve good performance without manually tuning window size at the application level. So, how to tune Windows 7?

    Read the article

  • Can I setup NAT for the same service, two public IPs on different routers to the same private IP?

    - by James
    This might be needlessly complex, but here goes. I've got two Firebox x550e devices. The first has a local IP of 10.0.0.1, public IP 64.x.x.x. The second has a local IP of 10.0.0.10, public IP 70.x.x.x. There is an FTP server on our LAN with a private IP of 10.0.0.55. I've set up NAT rules in each of the Fireboxes, on the first firebox it is 64.x.x.x-10.0.0.55 tcp 21, on the second 70.x.x.x-10.0.0.55 tcp 21. The first rule works fine. I can ftp to 64.x.x.x and everything's good. The second rule doesn't work. ftp to 70.x.x.x results in a connection timeout. The second firebox logs say the connection is being allowed through. The default gateway on the FTP server is 10.0.0.1 (the first firebox) If I change the default gateway on the server to 10.0.0.10, the rule on the second firebox starts working, but the rule from the first firebox stops. Is there some way to make this work for both rules?

    Read the article

  • Throughput; capacity planning help for C10K like design

    - by z8000
    I am designing a network service in which clients connect and stay connected -- the model is not far off from IRC less the s2s connections. I could use some help understanding how to do capacity planning, in particular with the system resource costs associated with handling messages from/to clients. There's an article that tried to get 1 million clients connected to the same server [1]. Of course, most of these clients were completely idle in the test. If the clients sent a message every 5 seconds or so the system would surely be brought to its knees. But... How do you do less hand-waving and you know, measure such a breaking point? We're talking about messages being sent by a client over a TCP socket, into the kernel, and read by an application. The data is shuffled around in memory from one buffer to another. Do I need to consider memory throughput ("5 GT/s" [2], etc.)? I'm pretty sure I have the ability to measure the basic memory requirements due to TCP/IP buffers, expected bandwidth, and CPU resources required to process messages. I'm a little dim on what I'm calling "thoughput". Help! Also, does anyone really do this? Or, do most people sort of hand-wave and see what the real world offers, and then react appropriately? [1] http://www.metabrew.com/article/a-million-user-comet-application-with-mochiweb-part-3/ [2] http://en.wikipedia.org/wiki/GT/s

    Read the article

  • Remote Desktop *from* Windows 2008 R2 Server

    - by freefaller
    Summary: how do I create an RDC connection from a Windows 2008 server to another server? Our client will only allow us to connect to their server via a static IP address (which is fair enough), but unfortunately as we're a very small company we don't have one in the office. As a work around, we had the connection working through our old Windows 2003 server (dynamic-cloud from 1and1). .. however we have just rebuilt the server to run under Windows 2008 R2 (don't ask, but it was necessary), and now I simply cannot get the connection working. I have added an "Outbound Rule" to Windows Firewall with Advanced Security (TCP, All local ports, 3389 remote port - I have also tried the other way around). I have added a packet filter IP security rule with the same details. The 1and1 firewall rules (through their online control panel) allows for 3389 TCP and UDP. But it is simply not connecting (yes, the server is definitely on and able to accept connections) with the general error of... Remote Desktop can’t connect to the remote computer for one of these reasons: 1) Remote access to the server is not enabled 2) The remote computer is turned off 3) The remote computer is not available on the network Is there anything obvious I've missed - or something I can use to find out where the request is being blocked? The new server is using the exact same IP address as before, so I don't believe that would be an issue. Unless it's trying to use an IPv6 address rather than the old IPv4 address that it was before? I apologise that I am not a network person by trade, but I know more than anybody else in my office!!

    Read the article

  • CryptSvc not matched by Windows 7 Firewall rule

    - by theultramage
    I am using Windows Firewall in conjunction with a third-party tool to get notified about new outbound connection attempts (Windows Firewall Notifier or Windows Firewall Control). The way these tools do it is by setting the firewall to deny by default, and to add an auditing policy to log blocked connections into the Security event log. Then they watch the log, and display notification about newly added entries. netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound auditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable With this configuration in place, I now need to craft outbound allow rules for applications and system services. Here is the rule for CryptSvc, the service frequently used for certificate validation and revocation checking: netsh advfirewall firewall add rule name="Windows Cryptographic Services" action=allow enable=yes profile=any program="%SystemRoot%\system32\svchost.exe" service="CryptSvc" dir=out protocol=tcp remoteport=80,443 The problem is, this rule does not work. Unless I change the scope to "all programs and services" (which is really unhealthy), connection denied events like the following will keep appearing in the security log: Event 5157, Microsoft Windows security auditing. The Windows Filtering Platform has blocked a connection. Application Information: Process ID: 1476 (<- svchost.exe with CryptSvc and nothing else) Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 192.168.0.1 Source Port: 49616 Destination Address: 2.16.52.16 Destination Port: 80 Protocol: 6 (<- TCP) To make sure it's CryptSvc, I have let the connection through and reviewed its traffic; I also configured CryptSvc to run in its own svchost instance to make it more obvious: ;sc config CryptSvc type= share sc config CryptSvc type= own So... why is it not matching the firewall rule, and how to fix that?

    Read the article

  • Getting 502 instead of 503 when all backend servers are down running HAProxy behind Apache

    - by scarba05
    I'm testing running HAProxy as a dedicated load balancer behind Apache 2.2, replacing our current configuration where we use Apache's load balancer. In our current, Apache only, set-up if all the backend (origin) servers are down Apache will serve a 503 service unavailable message. With HAProxy I get a 502 bad gateway response. I'm using a simple reverse proxy rewrite rule in Apache RewriteRule ^/(.*) http://127.0.0.1:8000/$1 [last,proxy] In HAProxy I have the following (running in default tcp mode) defaults log global option tcp-smart-accept timeout connect 7s timeout client 60s timeout queue 120s timeout server 60s listen my_server 127.0.0.1:8000 balance leastconn server backend1 127.0.0.1:8001 check observe layer4 maxconn 2 server backend1 127.0.0.1:8001 check observe layer4 maxconn 2 Testing connecting directly to the load balancer when the backend servers are down: [root@dev ~]# wget http://127.0.0.1:8000/ test.html --2012-05-28 11:45:28-- http://127.0.0.1:8000/ Connecting to 127.0.0.1:8000... connected. HTTP request sent, awaiting response... No data received. So presumably this is down to the fact that HAProxy accepts the connection and then closes it.

    Read the article

  • Balancing internal services using a Cisco CSS 11501

    - by Ladadadada
    First, the background to the problem: I have a Cisco CSS11501 that I am using to load balance a few web servers. These web servers have two network interfaces, one internal and one external and we are sending the requests to the internal interface. We have the CSS configured to do NAT because our webservers need to see the client's IP address. Because the TCP packets hit the webservers with a source address on the Internet, the webserver tries to send the packet back to the client over the external interface and not through the load balancer. In order to stop these requests being sent back out to the Internet via the external interface, we added a routing rule on these boxes so that all traffic with a source address on the internet will use the load balancer as the gateway. This part works fine. What I would also like to to is use the CSS as a load balancer for internal services such as our MySQL slaves. When I do this, I run into a similar problem; the TCP connection goes from the web server to the load balancer and then from the load balancer to the MySQL slave but the CSS spoofs a source address of the original webserver. The MySQL slave then tries to send the response directly to the webserver via the internal network and not via the load balancer. The ideal solution would be to tell the CSS not to do source address spoofing on the internal network and only do it for requests originating on the Internet. Is this possible ? Failing that, is there a way of directing the load balanced traffic back through the load balancer while keeping the other traffic (say SSH) purely on the internal network ? Is there another way of using the CSS11501 to load balance internal services ?

    Read the article

  • xt_TCPMSS: bad length messages

    - by Matic
    Hey! I'm getting loads of messages like: Jun 23 10:24:20 awakening kernel: [ 1691.596823] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:21 awakening kernel: [ 1692.663362] xt_TCPMSS: bad length (1448 bytes) Jun 23 10:24:21 awakening kernel: [ 1692.663495] xt_TCPMSS: bad length (1448 bytes) Jun 23 10:24:21 awakening kernel: [ 1692.663588] xt_TCPMSS: bad length (1448 bytes) Jun 23 10:24:21 awakening kernel: [ 1692.663671] xt_TCPMSS: bad length (1440 bytes) Jun 23 10:24:26 awakening kernel: [ 1697.062914] xt_TCPMSS: bad length (474 bytes) Jun 23 10:24:26 awakening kernel: [ 1697.305525] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:27 awakening kernel: [ 1698.946633] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:36 awakening kernel: [ 1707.481198] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:37 awakening kernel: [ 1708.723526] xt_TCPMSS: bad length (805 bytes) Jun 23 10:24:38 awakening kernel: [ 1709.599461] xt_TCPMSS: bad length (805 bytes) Jun 23 10:24:41 awakening kernel: [ 1712.211052] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:41 awakening kernel: [ 1712.260588] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:41 awakening kernel: [ 1712.976058] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:43 awakening kernel: [ 1714.225209] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:43 awakening kernel: [ 1714.914961] xt_TCPMSS: bad length (1492 bytes) Jun 23 10:24:55 awakening kernel: [ 1726.192696] xt_TCPMSS: bad length (1480 bytes) Jun 23 10:24:55 awakening kernel: [ 1726.192825] xt_TCPMSS: bad length (1480 bytes) In my dmesg/syslog. This linux machine is among other things used as an internet gateway. Connection is over PPPoE. I have the following line in my iptables script: $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # PPPoE fix The frequency of this messages increased 10x when I upgraded from Debian lenny with 2.6.27 to squeeze with 2.6.32 few days ago. Why am I seeing this messages and how can I fix them?

    Read the article

  • Load balancing a Windows File Share using HA-Proxy

    - by NathanE
    After pulling my hair out over DFS I just had this weird and potentially dangerous idea come into my head whereby, just possibly, I might be able to use HA-Proxy to load balance a file share between servers. I've done some remedial packet traces and it does appear that TCP port 445 is the only thing involved in using Windows file sharing. I've always thought for many years that UDP 139, 135 etc were also involved in at least establishing the connection - but apparently not! So I setup a basic test: listen SMBTest *:445 mode tcp server Smb1 172.16.61.201:445 server Smb2 172.16.61.202:445 And you'll never guess what... it works??? (!) Now obviously there is the whole concern about synchronisation between the file servers (of course). That could easily be taken care of with a little bit of Robocopy script. And considering I only need a HA read-only file share there wouldn't be any issues with regard to file locking etc. Can anyone tell me if what I'm playing with here is fire? I really didn't think it would work at all and now I'm a little shocked. What would be the downsides? Could this be relied upon for a production environment?

    Read the article

  • How to find the real IP to which IPVS is routing a virtual IP

    - by Wayne Conrad
    I'm trying to find a problem server hiding behind a virtual IP (using LVS/ipvs). I've got a test program that sends requests to the virtual IP until it gets the bad response, but how can I tell to which real IP a request to the virtual IP got routed? On the box doing the virtual IP magic, here's the virtual IP configuration (for the service I care about): IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn ... TCP 10.1.0.254:5025 nq -> 10.1.0.5:5025 Route 1 0 1 -> 10.1.0.6:5025 Route 1 0 5 -> 10.1.0.7:5025 Route 1 0 2 -> 10.1.0.9:5025 Local 1 0 3 -> 10.1.0.11:5025 Route 1 0 3 ... My client program is sending TCP requests to 10.1.0.254:5025, usually getting a good response but sometimes a bad response. With this few servers, I could send my request to each server in turn until I discover the culprit, but I wonder if that technique will scale as we add servers. What means exist for me to find out where requests got routed? Kernel: Linux 2.6.32 OS: Debian testing (whatever that's called these days). ipvsadm is version 1.25, compiled with ipvs v1.2.1

    Read the article

  • How to route to a secondary interface on the same physical ethernet?

    - by sjose3612611
    INTERNET<->(wan)BRIDGED_DEVICE(lan)<->ETH_ROUTER<->LAN Problem: Need to access web server on BRIDGED_DEVICE's LAN from INTERNET via ROUTER (BRIDGED_DEVICE's web server cannot be accessed form INTERNET since it has no Public management IP). Cannot configure bridged device. It has a static IP on its LAN to which its web server binds. Attempt: Create a secondary/alias WAN Interface on ETH_ROUTER (e.g Primary: eth0.1 (for internet access) and Secondary: eth0.2 (for accessing web server on BRIDGED_DEVICE), (No VLANs). eth0.1 has a public IP; eth0.2 has a static private IP in the BRIDGED_DEVICE's subnet (e.g 10.0.X.Y). Iptables on ETH_ROUTER: Added a port forward (DNAT) from eth0.1 to eth0.2: iptables -t nat -I PREROUTING -i eth0.1 -p tcp --dport 80 -j DNAT --to-destination 10.0.X.Y iptables -t nat -I POSTROUTING -o eth0.2 -s 10.0.X.0/24 -j MASQUERADE Stateful firewall w/ overall drop policy on FORWARD chain, hence: iptables -I FORWARD -i eth0.1 -d 10.0.X.Y -p tcp --dport 80 -j ACCEPT Can ping from ETH_ROUTER to BRIDGED_DEVICE but unable to reach the web server from Internet. I see packet cont increasing for the DNAT rule but not sure where it disappears in the ETH_ROUTER after that. ETH_ROUTER is the only device that can be configured to achieve this. If familiar with this scenario, please suggest what I may be missing or doing wrong here or suggest techniques to debug?

    Read the article

  • Multiple IP's using one NIC connectivity problem - Windows

    - by Vincent
    I have a frame relay network that is directly connected to a GPRS network. I also have a ADSL high speed network and recently I have been trying to achieve the following network configuration using windows 7 (Also tried XP) with no success to date. On one server I have two NIC's NIC1 I would like the following two static IP address's 10.0.1.110 and 10.0.1.200 the cisco router has a default gateway of 10.0.1.1 the ADSL is DHCP. NIC1 and the cisco router do not have access to the internet. NIC2 is setup for DHCP with a primary DNS and secondary DNS configured to enable internet connectivity. With NIC1 all incoming TCP connections are from IP address's starting with 10.192.x.x I cannot establish a TCP connection to both 10.0.1.110 and 10.0.1.200. Its either one or the other. I have a static route implemented in windows of: route -p 10.192.0.0 mask 255.255.0.0 10.0.1.1 metric 1 I have tried leaving out the gateway in the NIC1 and many other combinations with no success. Can anyone please help? What am I doing wrong?

    Read the article

  • Change OpenVZ route to pass through ip failover

    - by Kevin Campion
    I have one dedicaced server with its own IP and another IP (failover) who refer to the first. I will wish to change the gateway of a Proxmox virtual machine (openvz) who runs on this dedicaced server to go through the failover IP rather than the ip of host main server. Once connected to a virtual machine, when I do a traceroute VE# traceroute www.google.fr traceroute to www.google.fr (209.85.229.104), 30 hops max, 60 byte packets 1 MY_SERVER_NAME.ovh.net (xxx.xxx.xxx.xxx FIRST_IP_MAIN_SERVER) 0.021 ms 0.010 ms 0.009 ms The first line tells me the ip of host main server. I would like that the traceroute display the second IP failover. VE# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.0.2.1 * 255.255.255.255 UH 0 0 0 venet0 default 192.0.2.1 0.0.0.0 UG 0 0 0 venet0 With iptables HOST# iptables -t nat -L Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- anywhere anywhere MASQUERADE all -- anywhere anywhere SNAT tcp -- anywhere 10.10.101.2 tcp dpt:www state NEW,RELATED,ESTABLISHED,UNTRACKED to:SECOND_IP_FAILOVER SNAT all -- 10.10.101.2 anywhere to:SECOND_IP_FAILOVER 10.10.101.2 is the virtual machine IP (interface venet0) Any ideas ?

    Read the article

  • Translating IPTables rule to UFW

    - by Dario Fumagalli
    we are using an Ubuntu 12.04 x64 LTS VPS. Firewall being used is UFW. I have setup a Varnish + LEMP setup. along with other things, including an Openswan IPSEC VPN from our office to the VPS data center. A second in house Ubuntu box is to act as MySQL slave and fetch data from the VPS through the VPN. Master's ppp0 is seen as 10.1.2.1 from the slave, they ping etc. I have done the various required tasks but I can't get the client (slave) MySQL (nor telnet 10.1.2.1 3306) to access the master through the VPN unless I issue this fairly obvious IPTables command: iptables -A INPUT -s 10.1.2.0/24 -p tcp --dport 3306 -j ACCEPT I willingly forced the accepted input to come from the last octet. With this rule everything works just fine! However I want to translate this command to UFW syntax so to keep everything in one place. Now I admit being inexperienced with UFW, I prepared rules like: ufw allow proto tcp from 10.1.2.0/24 port mysql and 2-3 variations involving specifying 3306 instead of mysql, specifying a target IP (MySQL's my.cnf at the moment is configured as 0.0.0.0) and similar but I just don't seem to be able to replicate the simple iptables rule in a functional way. Anyone could kindly give me a suggestion that is not to dump UFW? Thanks in advance.

    Read the article

  • Server 2012, Jumbo Frames - should I expect problems?

    - by TomTom
    Ok, this sound might stupid - but is there any negative on just enabling jumbo frames in practice? From what I understand: Any switch or ethernet adapter that sees a jumbo frame it can not handle will just drop it. TCP is not a problem as max frame size is negotiated in the setinuo phase. UCP is a theoretical problem as a server may just send a LARGE UDP packet that gets dropped on the way. Practically though, as UDP is packet based, I do not really think any software WOULD send a UDP packet larger than 1500 bytes net without app level configuration changes - at least this is how I do my programming, as it is quite hard to get a decent MTU size for that without testing yourself, so you fall back in programming to max 1500 packets. The network in question is a standard small business network - we upgraded now from a non managed 24 port switch to a 52 port switch with 4 10g ports (netgear - quite cheap) and will mov a file server to 10g for also ISCSI serving. All my equipment on the Ethernet level can handle minimum 9000 bytes and due to local firewalls I really want to get packets larger (less firewall processing), but the network is also NAT'ed to the internet. On top, different machines move around (download) large files (multi gigabyte area) quite often for processing. The question is - can I expect problems when I just enable jumbo frames? Again, this is not totally ignorance - I just don't see programs sending more than 1500 byte UDP packets (if that is a practical problem please tell me) and for TCP the MTU is negotiated anyway. if there is a problem I can move to a dedicated VLAN, but this has it's own shares of problems as basically most workstations must then be on both VLAN's.

    Read the article

  • how to debug when xinetd says : got signal 17 (child exited)

    - by Faizan Shaik
    I am trying to start services vsftpd and sshd using xinetd. my config files are as follows. /etc/xinetd.conf defaults { instances = 60 log_type = FILE /var/log/xinetdlog log_on_success = HOST PID log_on_failure = HOST cps = 25 30 only_from = localhost } includedir /etc/xinetd.d /etc/xinetd.d/ftp service ftp { disable = no server = /usr/sbin/vsftpd server_args = -l user = root socket_type = stream protocol = tcp wait = no instances = 4 flags = REUSE nice = 10 log_on_success += DURATION HOST USERID only_from = 127.0.0.1 10.0.0.0/24 } /etc/xinetd.d/ssh service ssh { disable = no log_on_failure += USERID server = /usr/sbin/sshd user = root socket_type = stream protocol = tcp wait = no instances = 20 flags = REUSE only_from = 127.0.0.1 10.0.0.0/24 } Even though i've included only_from attribute, vsftp server as well as ssh server are refusing connection from localhost. while vsftp and ssh servers are working fine individually when i check with "service vsftpd start" and "service ssh start". when i did debug using "xinetd -d" throug terminal i got the output as 13/10/20@00:06:08: DEBUG: 3592 {cnf_start_services} Started service: ftp 13/10/20@00:06:08: DEBUG: 3592 {cnf_start_services} Started service: ssh 13/10/20@00:06:08: DEBUG: 3592 {cnf_start_services} mask_max = 8, services_started = 2 13/10/20@00:06:08: NOTICE: 3592 {main} xinetd Version 2.3.14 started with libwrap loadavg options compiled in. 13/10/20@00:06:08: NOTICE: 3592 {main} Started working: 2 available services 13/10/20@00:06:08: DEBUG: 3592 {main_loop} active_services = 2 13/10/20@00:06:16: DEBUG: 3592 {main_loop} select returned 1 13/10/20@00:06:16: DEBUG: 3592 {server_start} Starting service ftp 13/10/20@00:06:16: DEBUG: 3592 {main_loop} active_services = 2 13/10/20@00:06:16: DEBUG: 3607 {exec_server} duping 9 13/10/20@00:06:16: DEBUG: 3592 {main_loop} active_services = 2 13/10/20@00:06:16: DEBUG: 3592 {main_loop} select returned 1 13/10/20@00:06:16: DEBUG: 3592 {check_pipe} Got signal 17 (Child exited) 13/10/20@00:06:16: DEBUG: 3592 {child_exit} waitpid returned = 3607 13/10/20@00:06:16: DEBUG: 3592 {server_end} ftp server 3607 exited 13/10/20@00:06:16: DEBUG: 3592 {svc_postmortem} Checking log size of ftp service 13/10/20@00:06:16: INFO: 3592 {conn_free} freeing connection 13/10/20@00:06:16: DEBUG: 3592 {child_exit} waitpid returned = -1 both services are getting started but neither of them is working. after banging for 3-4 hours i still don't have any clue about this error. Any help would be appreciated. thanks!

    Read the article

  • iptables secure squid proxy

    - by Lytithwyn
    I have a setup where my incoming internet connection feeds into a squid proxy/caching server, and from there into my local wireless router. On the wan side of the proxy server, I have eth0 with address 208.78.∗∗∗.∗∗∗ On the lan side of the proxy server, I have eth1 with address 192.168.2.1 Traffic from my lan gets forwarded through the proxy transparently to the internet via the following rules. Note that traffic from the squid server itself is also routed through the proxy/cache, and this is on purpose: # iptables forwarding iptables -A FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A POSTROUTING -t nat -j MASQUERADE # iptables for squid transparent proxy iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 How can I set up iptables to block any connections made to my server from the outside, while not blocking anything initiated from the inside? I have tried doing: iptables -A INPUT -i eth0 -s 192.168.2.0/24 -j ACCEPT iptables -A INPUT -i eth0 -j REJECT But this blocks everything. I have also tried reversing the order of those commands in case I got that part wrong, but that didn't help. I guess I don't fully understand everything about iptables. Any ideas?

    Read the article

  • iptables rules to allow HTTP traffic to one domain only

    - by Emily
    Hi everyone, I need to configure my machine as to allow HTTP traffic to/from serverfault.com only. All other websites, services ports are not accessible. I came up with these iptables rules: #drop everything iptables -P INPUT DROP iptables -P OUTPUT DROP #Now, allow connection to website serverfault.com on port 80 iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #allow loopback iptables -I INPUT 1 -i lo -j ACCEPT It doesn't work quite well: After I drop everything, and move on to rule 3: iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT I get this error: iptables v1.4.4: host/network `serverfault.com' not found Try `iptables -h' or 'iptables --help' for more information. Do you think it is related to DNS? Should I allow it as well? Or should I just put IP addresses in the rules? Do you think what I'm trying to do could be achieved with simpler rules? How? I would appreciate any help or hints on this. Thanks a lot!

    Read the article

  • Postfix "loops back to myself" error on relay to another IP address on same machine

    - by Nic Wolff
    I'm trying to relay all mail for one domain "ourdomain.tld" from Postfix running on port 2525 of one interface to another SMTP server running on port 25 of another interface on the same machine. However, when a message is received for that domain, we're getting a "mail for loops back to myself" error. Below are netstat and postconf, the contents of our /etc/postfix/transport file, and the error that Postfix is logging. (The high bytes of each IP address are XXXed out.) Am I missing something obvious? Thanks - # netstat -ln -A inet Proto Recv-Q Send-Q Local Address Foreign Address State ... tcp 0 0 XXX.XXX.138.209:25 0.0.0.0:* LISTEN tcp 0 0 XXX.XXX.138.210:2525 0.0.0.0:* LISTEN # postconf -d | grep mail_version mail_version = 2.8.4 # postconf -n alias_maps = hash:/etc/aliases allow_mail_to_commands = alias,forward bounce_queue_lifetime = 0 command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 default_privs = nobody default_process_limit = 200 html_directory = no inet_interfaces = XXX.XXX.138.210 local_recipient_maps = local_transport = error:local mail delivery is disabled mail_owner = postfix mailbox_size_limit = 0 mailq_path = /usr/bin/mailq manpage_directory = /usr/local/man message_size_limit = 10240000 mydestination = mydomain = ourdomain.tld myhostname = ourdomain.tld mynetworks = XXX.XXX.119.0/24, XXX.XXX.138.0/24, XXX.XXX.136.128/25 myorigin = ourdomain.tld newaliases_path = /usr/bin/newaliases queue_directory = /var/spool/postfix readme_directory = /etc/postfix recipient_delimiter = + relay_domains = ourdomain.tld relay_recipient_maps = sample_directory = /etc/postfix sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtpd_authorized_verp_clients = $mynetworks smtpd_recipient_limit = 10000 transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 450 # cat /etc/postfix/transport ourdomain.tld relay:[XXX.XXX.138.209]:25 # tail -f /var/log/maillog ... Aug 2 23:58:36 va4 postfix/smtp[9846]: 9858A758404: to=<nicwolff@... >, relay=XXX.XXX.138.209[XXX.XXX.138.209]:25, delay=1.1, delays=0.08/0.01/1/0, dsn=5.4.6, status=bounced (mail for [XXX.XXX.138.209]:25 loops back to myself)

    Read the article

  • Preventing DDOS/SYN attacks (as far as possible)

    - by Godius
    Recently my CENTOS machine has been under many attacks. I run MRTG and the TCP connections graph shoots up like crazy when an attack is going on. It results in the machine becoming inaccessible. My MRTG graph: mrtg graph This is my current /etc/sysctl.conf config # Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details. # Controls IP packet forwarding net.ipv4.ip_forward = 0 # Controls source route verification net.ipv4.conf.default.rp_filter = 1 # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 1 # Controls whether core dumps will append the PID to the core filename # Useful for debugging multi-threaded applications kernel.core_uses_pid = 1 # Controls the use of TCP syncookies net.ipv4.tcp_syncookies = 1 # Controls the maximum size of a message, in bytes kernel.msgmnb = 65536 # Controls the default maxmimum size of a mesage queue kernel.msgmax = 65536 # Controls the maximum shared segment size, in bytes kernel.shmmax = 68719476736 # Controls the maximum number of shared memory segments, in pages kernel.shmall = 4294967296 net.ipv4.conf.all.rp_filter = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.rp_filter = 1 net.ipv4.tcp_max_syn_backlog = 1280 Futher more in my Iptables file (/etc/sysconfig/iptables ) I only have this setup # Generated by iptables-save v1.3.5 on Mon Feb 14 07:07:31 2011 *filter :INPUT ACCEPT [1139630:287215872] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1222418:555508541] Together with the settings above, there are about 800 IP's blocked via the iptables file by lines like: -A INPUT -s 82.77.119.47 -j DROP These have all been added by my hoster, when Ive emailed them in the past about attacks. Im no expert, but im not sure if this is ideal. My question is, what are some good things to add to the iptables file and possibly other files which would make it harder for the attackers to attack my machine without closing out any non-attacking users. Thanks in advance!

    Read the article

  • CentOS iscsi initiator has session but there is no block device

    - by jcalfee314
    I have installed the scsi-target-utils package on CentOS and I used it to perform a discovery. The discovery did give me an active session. I restarted the iscsi service but I do not see any new devices (fdisk -l). I see in /var/log/messages that my connection is operational now. I'm not sure how to debug this further. Can someone direct me into fixing this? discovery: iscsiadm -m discovery -t sendtargets -p 192.168.0.155 returns: 192.168.0.155:3260,-1 iqn.2009-02.com.twinstrata:cloudarray:sn-1d07c1b62d4ec8f3 Just to verify it actually worked: iscsiadm -m session returns tcp: [1] 192.168.0.155:3260,1 iqn.2009-02.com.twinstrata:cloudarray:sn-1d07c1b62d4ec8f3 restarting as the directions say to do: service iscsi restart output written to /var/log/message Stopping iscsi: Sep 20 12:14:22 localhost kernel: connection1:0: detected conn error (1020) [ OK ] Starting iscsi: Sep 20 12:14:22 localhost kernel: scsi1 : iSCSI Initiator over TCP/IP Sep 20 12:14:22 localhost iscsid: Connection1:0 to [target: iqn.2009-02.com.twinstrata:cloudarray:sn-1d07c1b62d4ec8f3, portal: 192.168.0.155,3260] through [iface: default] is shutdown. Sep 20 12:14:22 localhost iscsid: Could not set session2 priority. READ/WRITE throughout and latency could be affected. [ OK ] [root@db iscsi]# Sep 20 12:14:23 localhost iscsid: Connection2:0 to [target: iqn.2009-02.com.twinstrata:cloudarray:sn-1d07c1b62d4ec8f3, portal: 192.168.0.155,3260] through [iface: default] is operational now Ran a login command: iscsiadm -m node -T iqn.2009-02.com.twinstrata:cloudarray:sn-1d07c1b62d4ec8f3 -p 192.168.0.155 -l No errors, no logging occurred. Next I compared the output from "fdisk -l|egrep dev" both with the iscsi session and without. There is no difference. I suppose I could just look in /etc/mtab. Any ideas on how I can get an iscsi device?

    Read the article

  • Microsoft Licensing Scenario/Questions [closed]

    - by user17455
    Possible Duplicate: Can you help me with my software licensing question? I am a member of a team developing a third party application (APP) that listens for and services connections from remote devices via TCP. Also, some of these remote devices allow 1 or more users to interact with the remote device. On some of the remote devices, it is impossible for a user to interact with the device. The user/remote device makes no use of any Windows Server service - not DHCP, not IIS, not File Server, not Print Serer, not AD. The remote device's only connection to the Windows Server machine is through the APP's TCP ports. Our company has no interaction with Microsoft. We do not have a Microsoft sales team. Past inquiries have determined that it is cheaper for us to buy Microsoft software (and CALs) retail than to enter into any kind of "arrangement" with Microsoft. I have many questions about SQL Server CALs and Windows Server 2008 CALs. How can I obtain authoritative/legally binding answers? I am not looking for FREE legal advice. I AM looking for FREE advice about who/what/where I can responsibly spend my money to get meaningful information. I fear that passing this on to the local company law firm will just mean that I will be paying them to educate themselves on Microsoft licensing. And if that's like writing code to a new Microsoft API - they are not going to get it right the first time. Going to Microsoft for answers sounds like swimming up to a hungry shark and asking "One leg or two?" I am hoping someone has been down this road before and knows a law firm/lawyer that is experienced in these matters. Any help/suggestion welcome. Thanks.

    Read the article

  • xauth, ssh and missing home directory

    - by flolo
    We have several servers, and normaly everything works fine, except now... we get a new aircondition installed. This takes 36 hours and for this time almost all servers got shutdown, only 2 remaining servers run for the most important tasks (i.e. accepting incoming email, delivering some important websites, login-server). Everybody was informed that when they need appropiate data from the homedirs they should fetch it before take down. Long story short: Someone realized that he have run a certain program on one of the servers. No Problem, he can remote login into our login server and run the programm there without home directory (binaries are local and necessary information can be copied to the /tmp). That works like a charm until... ... the user needs to run a GUI programm. I find no easy way to make it running, usually ssh -Y honk@loginserver is enough but now the homedirectory is missing and ssh is not able to copy the cookies into ~/.Xauthority (as the file server with the home directories is down). Paranoid as all systemadmins all X-Server just listen locally not on tcp ports, so no remote X connection possible SSH config is waterproof - i.e. no way to set environment variables. My Problem is, that the generated proxy MIT cookie from ssh get lost as the .Xauthority doesnt exist. If I could retrieve it somehow I could reenter it a .Xauthority in /tmp. The only other option (besides changing the config) which came to my mind is, makeing a tunnel (netcat, or better ssh) from the remote host to the loginserver and copy the cookie manually (not sure if it the tcp-unix domain socket stuff works as expected). Any good suggestions (for the future - now our servers are already up)?

    Read the article

  • OpenVPN Keeps Crashing

    - by Frank Thornton
    Oct 20 21:00:44 sb1 openvpn[2082]: <MY_IP>:28523 [vpntest] Peer Connection Initiated with [AF_INET]<MY_IP>:28523 Oct 20 21:00:44 sb1 openvpn[2082]: vpntest/<MY_IP>:28523 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled) Oct 20 21:00:44 sb1 openvpn[2082]: <MY_IP>:28522 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1576', remote='link-mtu 1376' Oct 20 21:00:44 sb1 openvpn[2082]: <MY_IP>:28522 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1332' Oct 20 21:00:45 sb1 openvpn[2082]: <MY_IP>:28522 [vpntest2] Peer Connection Initiated with [AF_INET]<MY_IP>:28522 Oct 20 21:00:45 sb1 openvpn[2082]: vpntest2/<MY_IP>:28522 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled) Oct 20 21:00:46 sb1 openvpn[2082]: vpntest/<MY_IP>:28523 send_push_reply(): safe_cap=940 Client File: client dev tun proto tcp remote <IP> 443 resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1410 persist-key persist-tun auth-user-pass comp-lzo SERVER: port 443 #- port proto tcp #- protocol dev tun tun-mtu 1500 tun-mtu-extra 32 reneg-sec 0 #mtu-disc yes mssfix 1410 ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login #plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS client-to-client client-cert-not-required username-as-common-name server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 3 30 comp-lzo persist-key persist-tun What is causing the VPN to keep dropping the connection and then reconnecting?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 201 202 203 204 205 206 207 208 209 210 211 212  | Next Page >