Search Results

Search found 3147 results on 126 pages for 'debian wheezy'.

Page 87/126 | < Previous Page | 83 84 85 86 87 88 89 90 91 92 93 94  | Next Page >

  • Server Configuration / Important Parameter for 500Req/Second

    - by Sparsh Gupta
    I am configuring a server to be used as nginx server for a very heavy traffic website. It is expected to receive traffic from a large number of IP addresses simultaneously. It is expected to get 500Req/Second with atleast 20Million unique IPs connecting it. One of the problems I noticed in my previos server was related to iptables / ipconntrack. I am not aware of this behaviour and would be glad to know which all parameters of a ubuntu / debian (32/64) bit machine should I tweek to get maximum performance from the server. I can put in a lot of RAM on the server but mission critical task is the response times. We ideally dont want any connection to be hanging / timing out / waiting and want as low as possible overall response times. P.S. We are also looking for a kick ass freelancer system admin who can help us figuring / setting this all up. Reach me incase you have some spare time and interested in working on some very heavy traffic website servers.

    Read the article

  • PPTPD with PAM authentication?

    - by Richard
    I need a VPN solution for my company. One requirement is to be able to use the built-in windows VPN client. We are running a Debian Etch server. I've managed to set up PPTPD but the authentication is based on the chap-secrets file. We already have all the user accounts set up on the server, so it'd be nice to use PAM authentication to get user/pass directly from the unix login. Is this possible to achieve and how? If not, is there any other VPN solution that can do this? Don't tell me OpenVPN, it needs additional software to be installed on the Windows machines. :)

    Read the article

  • SSH Login to an EC2 instance failing with previously working keys...

    - by Matthew Savage
    We recently had an issues where I had rebooted our EC2 instance (Ubuntu x86_64, version 9.10 server) and due to an EC2 issue the instance needed to be stopped and was down for a few days. Now I have been able to bring the instance back online I cannot connect to SSH using the keypair which previously worked. Unfortunately SSH is the only way to get into this server, and while I have another system running in its place there are a number of things I would like to try and retrieve from the machine. Running SSH in verbose mode yields the following: [Broc-MBP.local]: Broc:~/.ssh ? ssh -i ~/.ssh/EC2Keypair.pem -l ubuntu ec2-xxx.compute-1.amazonaws.com -vvv OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009 debug1: Reading configuration data /Users/Broc/.ssh/config debug1: Reading configuration data /etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to ec2-xxx.compute-1.amazonaws.com [184.73.109.130] port 22. debug1: Connection established. debug3: Not a RSA1 key file /Users/Broc/.ssh/EC2Keypair.pem. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /Users/Broc/.ssh/EC2Keypair.pem type -1 debug3: Not a RSA1 key file /Users/Broc/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /Users/Broc/.ssh/id_rsa type 1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-6ubuntu2 debug1: match: OpenSSH_5.1p1 Debian-6ubuntu2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.2 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 123/256 debug2: bits set: 500/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /Users/Broc/.ssh/known_hosts debug3: check_host_in_hostfile: match line 106 debug3: check_host_in_hostfile: filename /Users/Broc/.ssh/known_hosts debug3: check_host_in_hostfile: match line 106 debug1: Host 'ec2-xxx.compute-1.amazonaws.com' is known and matches the RSA host key. debug1: Found key in /Users/Broc/.ssh/known_hosts:106 debug2: bits set: 521/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /Users/Broc/.ssh/id_rsa (0x100125f70) debug2: key: /Users/Broc/.ssh/EC2Keypair.pem (0x0) debug1: Authentications that can continue: publickey debug3: start over, passed a different list publickey debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /Users/Broc/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey debug1: Trying private key: /Users/Broc/.ssh/EC2Keypair.pem debug1: read PEM private key done: type RSA debug3: sign_and_send_pubkey debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey). [Broc-MBP.local]: Broc:~/.ssh ? So, right now I'm really at a loss and not sure what to do. While I've already got another system taking the place of this one I'd really like to have access back :|

    Read the article

  • CIFS(Samba) + ACL = not working

    - by tst
    I have two servers with Debian 5.0. server1: samba 2:3.2.5-4lenny9 smbfs 2:3.2.5-4lenny9 smb.conf: [test] comment = test path = /var/www/_test/ browseable = no only guest = yes writable = yes printable = no create mask = 0644 directory mask = 0755 server1:~# mount | grep sda3 /dev/sda3 on /var/www type ext3 (rw,acl,user_xattr) # getfacl /var/www/_test/ # file: var/www/_test/ # owner: www-data # group: www-data user::rwx group::rwx other::r-x default:user::rwx default:user:www-data:rw- default:user:testuser:rw- default:group::rwx default:mask::rwx default:other::r-x server2: samba-common 2:3.2.5-4lenny9 smbfs 2:3.2.5-4lenny9 server2:~# mount.cifs //server1/test /media/smb/test -o rw,user_xattr,acl server2:~# mount | grep test //server1/test on /media/smb/test type cifs (rw,mand) server2:~# getfacl /media/smb/test/ # file: media/smb/test/ # owner: www-data # group: www-data user::rwx group::rwx other::r-x default:user::rwx default:user:www-data:rw- default:user:testuser:rw- default:group::rwx default:mask::rwx default:other::r-x And there is the problem: server2:~# su - testuser (reverse-i-search)`touch': touch 123 testuser@server2:~$ touch /media/smb/ testuser@server2:~$ touch /media/smb/test/123 touch: cannot touch `/media/smb/test/123': Permission denied Whats wrong?!

    Read the article

  • pam_filter usage prevent passwd from working

    - by Henry-Nicolas Tourneur
    Hello everybody, I have PAM+LDAP SSL running on Debian Lenny, it works well. I always want to restrict who's able to connect, in the past I used pam_groupdn for that but I recently got a situation where I has to accept 2 different groups. So I used pam_filter like this : pam_filter |(groupattribute=server)(groupattribute=restricted_server) The problem is that with this statement, passwd doesn't work anymore with LDAP accounts. Any idea why ? Please find hereby some links to my config files : Since serverfault.com only allow me to post 1 link, please find hereunder the link to other conf files : http://pastebin.org/447148 Many thanks in advance :)

    Read the article

  • Windows 7 won't load unless other harddrives "disconnect"ed in UEFI shell

    - by lmz
    I have three disks, one GPT partitioned containing Windows 7 and Debian, the other MBR partitioned containing CentOS, and the other one MBR partitioned, empty. It used to work (loading Windows boot manager using rEFIt) but now after installing CentOS and OpenIndiana on the second drive, Windows won't boot. The logo is displayed briefly and then a text mode scrollbar "Loading files", then back to the rEFIt menu. The only thing that makes it work is if I drop into the UEFI shell and run disconnect XX where XX is the device handle of the other hard drives (obtained from running devices). This makes me think that the bootloader is getting confused about where the Windows partition is. Is there any information on how the Windows UEFI boot loader finds the Windows partition, or is there any logging I can turn on to help troubleshoot this issue?

    Read the article

  • Running CGI With Perl under Apache Permission Problem

    - by neversaint
    I have the following entry under apache2.conf in my Debian box. AddHandler cgi-script .cgi .pl Options +ExecCGI ScriptAlias /cgi-bin/ /var/www/mychosendir/cgi-bin/ Then I have a perl cgi script stored under these directories and permissions: nvs@somename:/var/www/mychosendir$ ls -lhR .: total 12K drwxr-xr-x 2 nvs nvs 4.0K 2010-04-21 13:42 cgi-bin ./cgi-bin: total 4.0K -rwxr-xr-x 1 nvs nvs 90 2010-04-21 13:40 test.cgi However when I tried to access it in the web browser: http://myhost.com/mychosendir/cgi-bin/test.cgi They gave me this error: Forbidden You don't have permission to access /mychosendir/cgi-bin/test.cgi on this server. What's wrong with it? Update: I also have the following entry in my apache2.conf: <Files ~ "^\.ht"> Order allow,deny Deny from all </Files>

    Read the article

  • Firefox does not load certificate chain

    - by TimWolla
    I'm running lighttpd/1.4.28 (ssl) on Debian Squeeze. I just created a http://startssl.com certificate, I runs fine at all of my Browsers (Firefox, Chrome, Opera), but my users are reporting certificate-errors in Firefox. I already nailed it down to a failing of loading of the certificate chain: Certificate at my Firefox: http://i.stack.imgur.com/moR5x.png Certificate at others Firefox: http://i.stack.imgur.com/ZVoIu.png (Note the missing StartCOM-certificates here) I followed this tutorial for embedding the certificate in my lighttpd: https://forum.startcom.org/viewtopic.php?t=719 The relevant parts of my lighttpd.conf look like this: $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.ca-file = "/etc/lighttpd/certs/ca-bundle.pem" ssl.pemfile = "/etc/lighttpd/certs/www.bisaboard.crt" } ca-bundle.pem was created like this: cat ca.pem sub.class1.server.ca.pem > ca-bundle.pem I grabbed the relevant files from here: http://www.startssl.com/certs/ www.bisaboard.crt was created like this: cat certificate.pem ssl.key > www.bisaboard.crt Where certificate.pem is my StartSSL-Class1 Certificate and ssl.key my SSL-Root-Key. Do you have any idea why the second Firefox does not correctly load the certificate-chain?

    Read the article

  • Rsyslog mail module not working

    - by Henry-Nicolas Tourneur
    Hi *, I would like to email snort alerts from my Debian Lenny fw. Syslog is sending log messages from the firewalls to a central rsyslog. On my central rsyslog, I got something like : $ModLoad ommail $ActionMailSMTPServer server.company.local $ActionMailFrom [email protected] $ActionMailTo [email protected] $ActionExecOnlyOnceEveryInterval 1 $template mailSubject,"[SNORT] Alert from %hostname%" $template mailBody,"Snort message\r\nmsg='%msg%'" $ActionMailSubject mailSubject if $msg regexp 'snort[[0-9]]: [[0-9]:[0-9]:[0-9]].*' then ommail:;mailBody But I doesn't get any mails, I even can trigger snort with something like ping -s 1400, it logs things like following but still no mail ! 2010-01-08T09:25:58+00:00 Hostname snort[4429]: [1:499:4] ICMP Large ICMP Packet [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} ip_dest - ip_src Any idea ?

    Read the article

  • Slapd service won't start, unable to open pid file

    - by Foezjie
    I'm trying to set up a test LDAP-server for some developers but I'm running into some trouble. service slapd start errors so I run /usr/sbin/slapd -d 1 and this gives me the following error at the end: unable to open pid file "/var/run/ldap/slapd.pid": 13 (Permission denied) slapd destroy: freeing system resources. slapd stopped. The rights for /var/run/ldap are as follows: root@pec:/var/run/ldap# ls -ld drwxr-xr-x 2 openldap openldap 60 2012-07-04 20:45 So I don't get why there is still a permission denied. Syslog gives the following when running slapd: Jul 4 21:00:27 pec slapd[13758]: @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd Jul 4 21:00:27 pec kernel: [8147247.203100] type=1503 audit(1341428427.953:64): operation="truncate" pid=13758 parent=20433 profile="/usr/sbin/slapd" requested_mask="::w" denied_mask="::w" fsuid=0 ouid=119 name="/var/run/ldap/slapd.pid" Can anyone point me in the right direction?

    Read the article

  • page allocation failure - am I running out of memory?

    - by mfriedman
    Lately I've noticing entries like this one in the kern.log of one of my servers: Feb 16 00:24:05 aramis kernel: swapper: page allocation failure. order:0, mode:0x20 This is what I'd like to know: What exactly does that message mean? Is my server running out of memory? The swap usage is quite low (less than 10%), and so far I haven't noticed any processes being killed because of lack of memory. Additional information: The server is a Xen instance (DomU) running Debian 6.0 It has 512 MB of RAM and a 512 MB swap partition CPU load inside the virtual machine shows an average of 0.25

    Read the article

  • Openfire Installation Issue - Can't Login to admin panel

    - by Lobe
    I am trying to get Openfire to install on an Ubuntu virtual machine, however upon completing the web based installer, I am unable to login to the admin panel. So far I: downloaded debian installer Installed using stock options Added database and built the structure using supplied sql file Completed web based installer I am now trying to login using username: admin and my password, however I constantly get a wrong username/password error. There is a record generated in the MySQL DB showing the admin user with an encrypted password, and changing to an unencoded password doesn't work. Can anyone help pinpoint the problem here? Thanks

    Read the article

  • Apache disable DNS lookups

    - by odeceixe
    I'm using Debian 4.3.2-1 and Apache 2 on my production server. Watching the logs, I noticed Apache is resolving client's hostnames even with HostnameLookups Off in apache2.conf. I want to avoid these lookups so I'm guessing Apache is making this DNS query because I have mod_authz_host enabled. When I try to unlink this module, I get several modules complaining because they use the Order directive. How is the clean way to go? Should I comment all Order directives like Order allow,deny Deny from all Is this the only way to stop Apache from making DNS requests? I would like to deny access to .htaccess files and some rules like that.

    Read the article

  • how connect to local mysql server (LAN)

    - by clarkk
    I got two Debian 6 servers - one for web and one for the database.. How can I connect through the local area network? On both servers I have permanently changed the hostnames /etc/hostname /etc/hosts web => web-server db => db-server In the privileges in mysql I have set the root user to accept requests from web-server (instead of localhost) and from the web-server I connect to db-server in my.cnf I have escaped the following line: # bind-address = 127.0.0.1 error Warning: mysqli::mysqli(): (HY000/2005): Unknown MySQL server host 'db-server' (1)

    Read the article

  • Why is my IMAP port not showing as open ( yet it works? )

    - by Leo
    Ive recently setup Postfix and Dovecot IMAP on a Debian Lenny box. Sending to this domain works fine and reading the email via IMAP works fine too. I'm curious though as to why when running nmap, port 10143 is not shown as open. nmap -sS -O 127.0.0.1 Starting Nmap 4.62 ( http://nmap.org ) at 2011-11-26 21:30 GMT Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 1711 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 3306/tcp open mysql Am I missing something with NMAP? Thanks Leo

    Read the article

  • Linux Mint Wireless doesn't connect [migrated]

    - by guisantogui
    I'm having a great problem, I've installed Linux mint debian edition (LMDE), and following this tutorial http://community.linuxmint.com/tutorial/view/161 I did installed the network driver. The available connections appears to me, but when i try to connect to my connection at first time, I got this message: "(4) Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken." And the following tries, I got this another message: "(32) Insufficient privileges." I'm accepting ideas. Thanks.

    Read the article

  • Ubuntu Server 12.04 LTS on Hyper-V 2012

    - by user137533
    I have the following scenario: Hyper-V 2012 server core installation. On top of this i created a virtual machine on which i tried installing Ubuntu Server 12.04 which should not have any compatibility issues according to what Microsoft and Ubuntu are saying (although it is not officially supported). I start, run the installation and everything is ok, no problems detecting the network device or the hard drive (unlike debian which didn't even detect the hard drive). Once the installation is complete it asks me to reboot, it unmounts the "dvd drive" and reboots. Once it tries to start again i get the following error: Boot failure. Reboot and Select proper Boot device or Insert Boot Media in the selected Boot device. It seems to not be booting up from the virtual hard drive. The hard drive is set up in SCSI mode, nothing mounted on the IDE controller (no iso image or anything else. Does anyone have any ideas on what i can do to solve this?

    Read the article

  • Lot of Multicast traffic on LAN

    - by Nel
    Recently the whole network at work is being hit by multicast traffic originating on the LAN itself. I did some investigating and the service which seems to be responsible is ws-discovery. I have attached a screenshot of wireshark capturing the traffic. I have tried shutting down the source machine from which it was originating, but the multicast traffic still seems to be present in the network. My network topology 2 subnets - 10.10.10.0/24 and 10.20.10.0/24. Gateway is a debian system. We have 3 switches for 3 floors. They are all unmanaged Dlink 24-port switches. Multicast blocking at switch level is out of the question. Any solutions? :(

    Read the article

  • How do I disable other monitors while running games in Wine?

    - by Michael Cheng
    My current setup is: * Dual GTS 250 video cards * 3 Monitors * Used nvidia-settings to run each monitor as a separate x session * This is all running on Linux Mint Debian Edition When running games (Starcraft II) in Wine via PlayOnLinux, I've found that the mouse does not get locked. I already tried various solutions littered across the web and none work so I'd rather just disable my other two monitors while playing. Does anyone know of a method where I can turn off my other two monitors (not my primary monitor) while running Wine and then turn then back on afterwards? I don't mind having to manually run a script before and after gaming. Thanks.

    Read the article

  • Socksify TCP connections reaching a gateway IP -- preferably without iptables

    - by Alexandra Neagu
    I have Virtualbox installed on Debian with a few virtual machines. I can't install anything in the guests, and I use host only networking, vboxnet0. The host IP in the host network is 192.168.56.1, and the guests have static IPs in 192.168.56.0/24. I access Internet with a SOCKS proxy (without authentication) and I would like the Virtualbox guests TCP connections to be sent through the SOCKS proxy. This would also be useful for socksifying external TCP reaching a gateway network card or wireless access point. I looked at transocks, tun2socks, with dante-client, etc., but I don't know how can I achieve this without enabling IP forwarding in the host and using iptables. Maybe to attach somehow the Virtualbox vboxnet0 network to the tunnel tun0 used by tun2socks? Or maybe there is a way to do NAT to tun0 in Virtualbox? I only need TCP traffic and I don't need UDP, not even for DNS.

    Read the article

  • Should DKIM signing happen in the application or the MTA?

    - by thomasrutter
    I'm trying to weigh up whether DKIM signing should be done by the application sending mail (for instance, the mailing list software you're using) or at the mail transfer agent (sendmail, postfix etc). Do you know any good arguments either way? As far as I can see, doing it at the MTA, such as with dkim-milter, is a lot easier to set up. However, if anyone gets access to the server, even just a normal unprivileged account such as a web hosting client's login, they'd be able to send email using sendmail and get the full blessing of my DKIM signature. What do you think is the best solution for my situation? I'm using a Debian server with apache, postfix, php&mysql, etc.

    Read the article

  • Secure PHP environments with PHP-FPM and SFTP

    - by pdd
    I'd like to set up secure environments for a small number of untrusted PHP websites on a Debian server. Right now everything runs on the same Apache2 with mod_php5 and vsftpd for administrative file access, so there is room for improvement. The idea is to use nginx instead of apache, SFTP through OpenSSH instead of vsftpd and chrooted (in sshd_config), individual users for each website with their own pool of PHP processes. All these users and nginx are part of the same group. Now in theory I can set 700 permissions on all PHP scripts and 750 on static files that nginx has to serve up. Theoretically, if a website is compromised all the other users' data is safe, right? Are there better solutions that require less setup time and memory per website? Cheers

    Read the article

  • Disable .htaccess from apache allowoverride none, still reads .htaccess files

    - by John Magnolia
    I have moved all of our .htaccess config into <Directory> blocks and set AllowOverride None in the default and default-ssl. Although after restarting apache it is still reading the .htaccess files. How can I completely turn off reading these files? Update of all files with "AllowOverride" /etc/apache2/mods-available/userdir.conf <IfModule mod_userdir.c> UserDir public_html UserDir disabled root <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS> Order allow,deny Allow from all </Limit> <LimitExcept GET POST OPTIONS> Order deny,allow Deny from all </LimitExcept> </Directory> </IfModule> /etc/apache2/mods-available/alias.conf <IfModule alias_module> # # Aliases: Add here as many aliases as you need (with no limit). The format is # Alias fakename realname # # Note that if you include a trailing / on fakename then the server will # require it to be present in the URL. So "/icons" isn't aliased in this # example, only "/icons/". If the fakename is slash-terminated, then the # realname must also be slash terminated, and if the fakename omits the # trailing slash, the realname must also omit it. # # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. # Alias /icons/ "/usr/share/apache2/icons/" <Directory "/usr/share/apache2/icons"> Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all </Directory> </IfModule> /etc/apache2/httpd.conf # # Directives to allow use of AWStats as a CGI # Alias /awstatsclasses "/usr/share/doc/awstats/examples/wwwroot/classes/" Alias /awstatscss "/usr/share/doc/awstats/examples/wwwroot/css/" Alias /awstatsicons "/usr/share/doc/awstats/examples/wwwroot/icon/" ScriptAlias /awstats/ "/usr/share/doc/awstats/examples/wwwroot/cgi-bin/" # # This is to permit URL access to scripts/files in AWStats directory. # <Directory "/usr/share/doc/awstats/examples/wwwroot"> Options None AllowOverride None Order allow,deny Allow from all </Directory> Alias /awstats-icon/ /usr/share/awstats/icon/ <Directory /usr/share/awstats/icon> Options None AllowOverride None Order allow,deny Allow from all </Directory> /etc/apache2/sites-available/default-ssl <IfModule mod_ssl.c> <VirtualHost _default_:443> ServerAdmin webmaster@localhost DocumentRoot /var/www <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /etc/ssl/certs/ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /etc/apache2/ssl.crl/ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown </VirtualHost> </IfModule> /etc/apache2/sites-available/default <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options -Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> Alias /delboy /usr/share/phpmyadmin <Directory /usr/share/phpmyadmin> # Restrict phpmyadmin access Order Deny,Allow Allow from all </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> /etc/apache2/conf.d/security # # Disable access to the entire file system except for the directories that # are explicitly allowed later. # # This currently breaks the configurations that come with some web application # Debian packages. # #<Directory /> # AllowOverride None # Order Deny,Allow # Deny from all #</Directory> # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. # # ServerTokens # This directive configures what you return as the Server HTTP response # Header. The default is 'Full' which sends information about the OS-Type # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. # #ServerTokens Minimal ServerTokens OS #ServerTokens Full # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail # #ServerSignature Off ServerSignature On # # Allow TRACE method # # Set to "extended" to also reflect the request body (only for testing and # diagnostic purposes). # # Set to one of: On | Off | extended # TraceEnable Off #TraceEnable On /etc/apache2/apache2.conf # # Based upon the NCSA server configuration files originally by Rob McCool. # # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. # See http://httpd.apache.org/docs/2.2/ for detailed information about # the directives. # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # # The configuration directives are grouped into three basic sections: # 1. Directives that control the operation of the Apache server process as a # whole (the 'global environment'). # 2. Directives that define the parameters of the 'main' or 'default' server, # which responds to requests that aren't handled by a virtual host. # These directives also provide default values for the settings # of all virtual hosts. # 3. Settings for virtual hosts, which allow Web requests to be sent to # different IP addresses or hostnames and have them handled by the # same Apache server process. # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path. If the filenames do *not* begin # with "/", the value of ServerRoot is prepended -- so "foo.log" # with ServerRoot set to "/etc/apache2" will be interpreted by the # server as "/etc/apache2/foo.log". # ### Section 1: Global Environment # # The directives in this section affect the overall operation of Apache, # such as the number of concurrent requests it can handle or where it # can find its configuration files. # # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the LockFile documentation (available # at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>); # you will save yourself a lot of trouble. # # Do NOT add a slash at the end of the directory path. # #ServerRoot "/etc/apache2" # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # LockFile ${APACHE_LOCK_DIR}/accept.lock # # PidFile: The file in which the server should record its process # identification number when it starts. # This needs to be set in /etc/apache2/envvars # PidFile ${APACHE_PID_FILE} # # Timeout: The number of seconds before receives and sends time out. # Timeout 300 # # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. # KeepAlive On # # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We recommend you leave this number high, for maximum performance. # MaxKeepAliveRequests 100 # # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. # KeepAliveTimeout 4 ## ## Server-Pool Size Regulation (MPM specific) ## # prefork MPM # StartServers: number of server processes to start # MinSpareServers: minimum number of server processes which are kept spare # MaxSpareServers: maximum number of server processes which are kept spare # MaxClients: maximum number of server processes allowed to start # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_prefork_module> StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxClients 150 MaxRequestsPerChild 500 </IfModule> # worker MPM # StartServers: initial number of server processes to start # MaxClients: maximum number of simultaneous client connections # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadLimit: ThreadsPerChild can be changed to this maximum value during a # graceful restart. ThreadLimit can only be changed by stopping # and starting Apache. # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_worker_module> StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxClients 150 MaxRequestsPerChild 0 </IfModule> # event MPM # StartServers: initial number of server processes to start # MaxClients: maximum number of simultaneous client connections # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestsPerChild: maximum number of requests a server process serves <IfModule mpm_event_module> StartServers 2 MaxClients 150 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxRequestsPerChild 0 </IfModule> # These need to be set in /etc/apache2/envvars User ${APACHE_RUN_USER} Group ${APACHE_RUN_GROUP} # # AccessFileName: The name of the file to look for in each directory # for additional configuration directives. See also the AllowOverride # directive. # AccessFileName .htaccess # # The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. # <Files ~ "^\.ht"> Order allow,deny Deny from all Satisfy all </Files> # # DefaultType is the default MIME type the server will use for a document # if it cannot otherwise determine one, such as from filename extensions. # If your server contains mostly text or HTML documents, "text/plain" is # a good value. If most of your content is binary, such as applications # or images, you may want to use "application/octet-stream" instead to # keep browsers from trying to display binary files as though they are # text. # DefaultType text/plain # # HostnameLookups: Log the names of clients or just their IP addresses # e.g., www.apache.org (on) or 204.62.129.132 (off). # The default is off because it'd be overall better for the net if people # had to knowingly turn this feature on, since enabling it means that # each client request will result in AT LEAST one lookup request to the # nameserver. # HostnameLookups Off # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be # logged here. If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # ErrorLog ${APACHE_LOG_DIR}/error.log # # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # LogLevel warn # Include module configuration: Include mods-enabled/*.load Include mods-enabled/*.conf # Include all the user configurations: Include httpd.conf # Include ports listing Include ports.conf # # The following directives define some format nicknames for use with # a CustomLog directive (see below). # If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i # LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent # Include of directories ignores editors' and dpkg's backup files, # see README.Debian for details. # Include generic snippets of statements Include conf.d/ # Include the virtual host configurations: Include sites-enabled/

    Read the article

  • Postfix: how to use simple file for SASL authentication?

    - by Jonathan
    I'd like to run Postfix on a Debian VPS to send e-mails from my application. The application (running on other VPSes) would connect to Postfix via SMTP. Postfix does not have to handle incoming email; it's just about sending the outgoing messages. To prevent being an open relay, SASL authentication should be used. However, I don't want to run Dovecot or MySQL for SASL authentication. How can I setup SASL authentication using a simple file (containing usernames and passwords)? I already found a similar question; however, no satisfying answers where given there.

    Read the article

  • Adobe Reader seems to use wrong lpr command when printing to CUPS

    - by zebonaut
    Hi, on my debian lenny box, printing via CUPS works fine, e.g. using OpenOffice. When printing from Adobe Reader, however, stuff doesn't work. It appears the problem happens during the first step of the process, when Adobe Reader talks to lpr. I guess this is the reason because I get an error message from Adobe Reader like: The following error occurred while printing... 'usage: lpr [-cdfghlmnpqrstv] [-#num] [-1234 font] [-C class] [-i [numcols]] [-J job] [-Pprinter] [-T title] [-U user] [-wnum] [name ...]' Looks like lpr complains about the way Adobe Reader talks to it, doesn't it? This happens no matter if I print to my laser or to CUPS-PDF. It seems like Adobe Reader sends a command like lpr -P CUPS-PDF -o PageSizeA4 -o blah -o blah Is there anything I can configure to make things work?

    Read the article

< Previous Page | 83 84 85 86 87 88 89 90 91 92 93 94  | Next Page >