richweb's blog

We have been rolling out nginx to help scale up our websites that use apache and php:

http://www.richweb.com/nginx

Setup/installation instructions:
http://www.richweb.com/postfix_dovecot_ssl

Works well for a small to medium sized installation (5 to 50 accounts). A database backend would be better for larger installations to make provisioning easier. This is good for clients that want a small mail server + web site.

Caused by incorrect time on sending SMTP client (PC). Mail was relayed thru an SMTP auth postfix server which had correct time. Yahoo is scanning all of the SMTP headers, not just the host that is sending the email inbound to their MX.

Place these settings in the ssh server (sshd) configuration file and restart sshd:
/etc/ssh/sshd_config

ClientAliveInterval 120
ClientAliveCountMax 3
TCPKeepAlive yes

The other way, and easier and safer way is for your desktop machine to send those keep alive messages. As root on your desktop (or client) machine, edit /etc/ssh/ssh_config and add the line:

ServerAliveInterval 60

In this case 2 swap partitions on 2 SATA drives had been accidentally forced into a RAID1 array.

We stop the array:
mdadm --stop /dev/md1

Delete the array:
mdadm --remove /dev/md1

Zero the superblocks:
mdadm --zero-superblock /dev/sdc2
mdadm --zero-superblock /dev/sdb2

Return the paritions to be usable as swap:
mkswap /dev/sdb2
mkswap /dev/sdc2

echo "#New RAID SCAN" >> /etc/mdadm/mdadm.conf
mdadm --examine --scan >> /etc/mdadm/mdadm.conf

Edit with a text editor, and place the new scanned arrays under:the section:
# definitions of existing MD arrays

Installed in an ipsec lan 2 lan tunnel environment:

Riverbed uses Type 76 which falls in the Unassigned Type range 28-252.

Some firewall configurations will strip TCP options or else drop packets with these options. (For example, Cisco PIX Firewall IOS 7.0 may block the auto-discovery probe.)

access-list riverbed_tcp extended permit tcp any any
class-map tcp-traffic
 match access-list riverbed_tcp

tcp-map allow-probes
tcp-options range 76 78 allow
policy-map global_policy
class tcp-traffic
set connection advanced-options allow-probes

Problem Description:

ASA 5510 is the central site FW, multiple IPSEC tunnels present to ASA5505 remotes. One of the remote is acting funny; the ipsec tunnel can be initiated from a ping inside cmd on the ASA5510, but the 5505 cannot initiate the tunnel. Once the tunnel is ip, traffic is 2-way. After checking all the crypto map and no nat acls, and a reboot, I was left diffing (comparing) a working 5505 config with one that was not working. There were no differences other than the ip addresses. Both tunnel setups were identical on the central site ASA5510 as well.

If your ASA 5505 has the security bundle license it has the DMZ capabilities. You can define the interface in the command line:

interface fa0/7
switchport access vlan 3
no shut

interface vlan 3
ip address 192.168.110.1 255.255.255.0
nameif dmz
security-level 50
no shut

If you don't have the security bundle license you will get this error:

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

This is an excerpt of the show ver output:

Recently we have seen some issues with apache2 and php memory usage in Debian Lenny (stable) vservers growing higher than expected. Restarting apache2 (something that is probably a good idea once a day anyway just to clear the apc cache) was one option. But we wanted a mechanism that would allow us to monitor the usage of resources inside the vserver context and allow a nagios alert to be generated if usage was greater than say, 85% of RSS (resident memory usage) or if the number of processes was above a certain limit.

Content guard / filtering devices like Surf Control, Websense, and now the Barracuda filter are often placed inline with the network, between the firewall and the local LAN. In this mode they act like a transparent (but intelligent) bridge or switch. They can block packets such as icmp echo requests (pings) and tcp/http gets, and smtp connections if they find that the destination ipv4 address matches an entry in the block or drop list that the devices download from their parent database.