Ίχνος
μια απόπειρα καταγραφής του τι κάνω - recording what I do - vassilis (bill) vatikiotis
Updated: 1 year 34 weeks ago
TiddlyHomeSetupPlugin
Name:TiddlyHomeSetupPluginDescription:Check and setup all componentsVersion:1.1.0Date:Aug 04, 2007Source:http://tiddlywiki.bidix.info/#TiddlyHomeSetupPluginAuthor:BidiX (BidiX (at) bidix (dot) info)License:BSD open source licenseCoreVersion:2.2.0Requires:UploadToHomeMacroversion.extensions.TiddlyHomeSetupPlugin = {
major: 1, minor: 1, revision: 0,
date: new Date("Aug 04, 2007"),
source: 'http://tiddlywiki.bidix.info/#TiddlyHomeSetupPlugin',
author: 'BidiX (BidiX (at) bidix (dot) info)',
coreVersion: '2.2.0'
};
if (!window.bidix) window.bidix = {}; // bidix namespace
bidix.checkPlugin = function(plugin, major, minor, revision) {
var ext = version.extensions[plugin];
if (!
(ext &&
((ext.major > major) ||
((ext.major == major) && (ext.minor > minor)) ||
((ext.major == major) && (ext.minor == minor) && (ext.revision >= revision))))) {
// write error in PluginManager
if (pluginInfo)
pluginInfo.log.push("Requires " + plugin + " " + major + "." + minor + "." + revision);
eval(plugin); // generate an error : "Error: ReferenceError: xxxx is not defined"
}
};
bidix.getParamsFromTiddler = function(tiddlerTitle, sliceNames) {
tiddlerTitle = (tiddlerTitle ? tiddlerTitle:this.messages.homeParamsTiddler);
if (!store.tiddlerExists(tiddlerTitle) && !store.isShadowTiddler(tiddlerTitle)) {
throw(config.macros.uploadToHome.messages.tiddlerNotFound.toString().format([tiddlerTitle]));
}
return sliceValues = store.getTiddlerSlices(tiddlerTitle,sliceNames);
};
bidix.initOption = function(name,value) {
if (!config.options[name])
config.options[name] = value;
};
bidix.checkPlugin('UploadPlugin',4,1,0);
config.macros.upload.authenticateUser = false; // authentication check by .htaccess
// default TiddlyHomeParameters in shadows
// user can overide this
merge(config.shadowTiddlers,{
'TiddlyHomeParameters':[
"|owner:|bill|",
"|site:|'Ιχνος|",
"|url:|http://www.iit.demokritos.gr/~vatikiot/|",
"|rootUrl:|http://www.iit.demokritos.gr/~vatikiot/|"
].join("\n")});
// get config from TiddlyHomeParameters
config.tiddlyHome = {};
merge(config.tiddlyHome, bidix.getParamsFromTiddler('TiddlyHomeParameters',['user','site','url','rootUrl']));
config.shadowTiddlers.TiddlyHomeParameters += [
"\n!Usefull url for your site",
"* " + config.tiddlyHome.url + "backup: List of backup files",
"* " + config.tiddlyHome.url + "download.php : to download thisTiddlyWiki",
"* " + config.tiddlyHome.url + "index.xml : your RSSFeed",
"* " + config.tiddlyHome.url + "news.php : to display your RSSFeed",
"!Access and change data",
"* " + config.tiddlyHome.rootUrl + "Site : Site properties",
"* " + config.tiddlyHome.rootUrl + "#User : User properties",
"!More Information on TiddlyHome",
"* " + config.tiddlyHome.rootUrl + " for your hosting service",
"*http://TiddlyHome.bidix.info/ for BidiX's TiddlyHome Package"
].join("\n");
// add TiddlyHomeSidebar in SideBarOptions
config.shadowTiddlers.SideBarOptions = config.shadowTiddlers.SideBarOptions.replace(/(<<saveChanges>>)/,
"$1<<tiddler TiddlyHomeSidebar>>");
merge(config.shadowTiddlers,{
// link to favicon.ico
'MarkupPreHead': [
"<!--{{{-->",
"<link rel='alternate' type='application/rss+xml' title='RSS' href='index.xml'/>",
"<link rel=\"shortcut icon\"href=\"" +
config.tiddlyHome.rootUrl +
"_th/images/favicon.ico\" type=\"image/vnd.microsoft.icon\" />",
"<link rel=\"icon\" href=\"" +
config.tiddlyHome.rootUrl +
"_th/images/favicon.ico\" type=\"image/vnd.microsoft.icon\" /> ",
"<!--}}}-->"
].join("\n"),
'SiteProxy': [
"proxy.php?url="
].join("\n"),
'SiteUrl': config.tiddlyHome.url,
// tweaks to UploadToHomeMacro parameters
'HomeParameters': [
"|UploadUserName:||",
"|UploadStoreUrl:|" + config.tiddlyHome.url + "store.php|",
"|UploadDir:|.|",
"|UploadFilename:|index.html|",
"|UploadBackupDir:|backup|"
].join("\n"),
'TiddlyHomeSidebar':[
"<<uploadToHome>><html><a href=" +
config.tiddlyHome.url + "download.php class='button'>download</a></html>"
].join("\n")
});
// Options tweaks
//config.options.txtUserName = config.tiddlyHome.user;
config.options.pasUploadPassword = '';
config.options.txtBackupFolder = "backup";
config.options.chkSaveBackups = true;
config.options.chkAutoSave = false;
config.options.chkRegExpSearch = false;
config.options.chkCaseSensitiveSearch = false;
config.options.chkAnimate = false;
config.options.chkGenerateAnRssFeed = true;
config.options.chkSaveEmptyTemplate = false;
TiddlyHomeParameters
owner:Bill Vatikiotissite:Ίχνοςurl:http://www.iit.demokritos.gr/~vatikiot/rootUrl:http://www.iit.demokritos.gr/~vatikiot/Usefull url for your site
- http://www.iit.demokritos.gr/~vatikiot/backup: List of backup files
- http://www.iit.demokritos.gr/~vatikiot/download.php : to download thisTiddlyWiki
- http://www.iit.demokritos.gr/~vatikiot/index.xml : your RSSFeed
- http://www.iit.demokritos.gr/~vatikiot/news.php : to display your RSSFeed
- http://www.iit.demokritos.gr/~vatikiot/Site : Site properties
- http://www.iit.demokritos.gr/~vatikiot/#User : User properties
- http://TiddlyHome.bidix.info/ for your hosting service
- http://TiddlyHome.bidix.info/ for BidiX's TiddlyHome Package
linux printing - a sad story, sometimes
Mostly works but when it doesn't it's a b*all buster.
I'm using HPLIP to print to a networked HP printer (P2015), which worked in gutsy but not 100% in hardy. In particular, pdfs refuse to print.
Some useful command line tools
...and stil I cannnot print pdfs :(
UPDATE: P2015 drivers (for KDE) are in package openprinting-ppds. And still, not able to print pdfs.
I'm using HPLIP to print to a networked HP printer (P2015), which worked in gutsy but not 100% in hardy. In particular, pdfs refuse to print.
Some useful command line tools
- hp-makeuri <printer-ip-address> returns the proper printer URI. For use in CUPS.
- hp-check -r to check the HPLIP runtime installation.
- check the hp-* tools.
...and stil I cannnot print pdfs :(
UPDATE: P2015 drivers (for KDE) are in package openprinting-ppds. And still, not able to print pdfs.
CustomMarkup
Sometimes it's necessary to include custom HTML markup in the <head> of a TiddlyWiki file - typically for compatibility with ad serving software, external libraries, or for custom meta tags. The CustomMarkup operation defines four shadow tiddlers whose contents are spliced into the saved HTML file. (If you do a view/source you'll see the markers referred to below).
TitleLocationMarkerMarkupPreHeadStart of the <head> section<!--PRE-HEAD-START-->MarkupPostHeadEnd of the <head> section<!--POST-HEAD-START-->MarkupPreBodyStart of the <body> section<!--PRE-BODY-START-->MarkupPostBodyEnd of the <body> section<!--POST-BODY-START-->MarkupPreHead is the only one with shadow content: a link to the default location of the RSS feed.
TitleLocationMarkerMarkupPreHeadStart of the <head> section<!--PRE-HEAD-START-->MarkupPostHeadEnd of the <head> section<!--POST-HEAD-START-->MarkupPreBodyStart of the <body> section<!--PRE-BODY-START-->MarkupPostBodyEnd of the <body> section<!--POST-BODY-START-->MarkupPreHead is the only one with shadow content: a link to the default location of the RSS feed.
Textmate-like gedit for Rails development
Most of the info compiled from http://grigio.org/pimp_my_gedit_was_textmate_linux
PluginsThey can be found at http://live.gnome.org/Gedit/Plugins
Syntax highlightingwget http://robzon.kapati.net/rails/rhtml.lang && sudo mv rhtml.lang /usr/share/gtksourceview-2.0/language-specs/ wget http://robzon.kapati.net/rails/rails.xml && sudo mv rails.xml /usr/share/mime/packages sudo update-mime-database /usr/share/mime
Color themeDarkmate for Gedit 2.2x and other themes are avalaible on http://live.gnome.org/GtkSourceView/StyleSchemes. Darkmate is inspired from Textmate colors with specific syntax highlight for Ruby.
Rails support
Where all these go?Place plugins at $HOME/.gnome2/gedit/plugins and syntax highlight xml files at gedit/styles (or from Preferences->Fonts and Colors, Add color scheme).
UPDATE: It looks so absolutely neat. No bloat. Less is more...
PluginsThey can be found at http://live.gnome.org/Gedit/Plugins
- Snippets
- File Browser
- Class Browser
- Word Completion with tabulator
- Edit shortcuts (if you need it)
Syntax highlightingwget http://robzon.kapati.net/rails/rhtml.lang && sudo mv rhtml.lang /usr/share/gtksourceview-2.0/language-specs/ wget http://robzon.kapati.net/rails/rails.xml && sudo mv rails.xml /usr/share/mime/packages sudo update-mime-database /usr/share/mime
Color themeDarkmate for Gedit 2.2x and other themes are avalaible on http://live.gnome.org/GtkSourceView/StyleSchemes. Darkmate is inspired from Textmate colors with specific syntax highlight for Ruby.
Rails support
- Download gedit-rails @ http://github.com/mig/gedit-rails/tree/master. It contains a few extra plugins and language support. Install it.
- http://tidy.sourceforge.net/docs/quickref.html contains HTML Tidy configuration options plugin. It looks good for checking HTML file validity. Using it for correcting html files is up to you.
Where all these go?Place plugins at $HOME/.gnome2/gedit/plugins and syntax highlight xml files at gedit/styles (or from Preferences->Fonts and Colors, Add color scheme).
UPDATE: It looks so absolutely neat. No bloat. Less is more...
Adding disks to eonstor and applying a new partition scheme
This is, absolutely, a work log. You've been warned.
Solaris server
In order to grow a ufs filesystem we do the following we can use the growfs(1m) utility. The growfs(1m) utility takes two arguments. The first argument, the value passed to “-M”, is the mount point of the file system to grow. The second argument is the raw device that backs this mount point.
The following example will grow the filesystem on mount point /export/raid} to the maximum size available to the raw device c2t0d0s0.
$ growfs -M /export/raid /dev/rdsk/c2t0d0s0
The argument -M is not mandatory if the filesystem isn’t mounted.
To see how many sectors will be available on c2t0d0s0 after the grow operation completes, you can run newfs with the “-N” option, and compare that with the current value of df (1m):
$ newfs -N /dev/rdsk/c2t0d0s0 /dev/rdsk/c2t0d0s0: 232331520 sectors in 56944 cylinders of 16 tracks, 255 sectors 113443.1MB in 2191 cyl groups (26 c/g, 51.80MB/g, 6400 i/g)
This will report the number of sectors, cylinders and MBs that would be allocated if a new file system was created on the device c2t0d0s0.
Linux servermkfs as usual. The new disks are...new so just make a new ext3 filesystem on the new logical drive comprising the 2 new disks..
Steps
Alas, I had to repartition.
Solaris server
- /etc/vfstab is the fstab equivalent for solaris 9./dev/dsk/c2t0d0s0 /dev/rdsk/c2t0d0s0 /export/raid ufs 2 yes logging is the eonstor entry in it.
- Default filesystem is ufs.
In order to grow a ufs filesystem we do the following we can use the growfs(1m) utility. The growfs(1m) utility takes two arguments. The first argument, the value passed to “-M”, is the mount point of the file system to grow. The second argument is the raw device that backs this mount point.
The following example will grow the filesystem on mount point /export/raid} to the maximum size available to the raw device c2t0d0s0.
$ growfs -M /export/raid /dev/rdsk/c2t0d0s0
The argument -M is not mandatory if the filesystem isn’t mounted.
To see how many sectors will be available on c2t0d0s0 after the grow operation completes, you can run newfs with the “-N” option, and compare that with the current value of df (1m):
$ newfs -N /dev/rdsk/c2t0d0s0 /dev/rdsk/c2t0d0s0: 232331520 sectors in 56944 cylinders of 16 tracks, 255 sectors 113443.1MB in 2191 cyl groups (26 c/g, 51.80MB/g, 6400 i/g)
This will report the number of sectors, cylinders and MBs that would be allocated if a new file system was created on the device c2t0d0s0.
Linux servermkfs as usual. The new disks are...new so just make a new ext3 filesystem on the new logical drive comprising the 2 new disks..
Steps
- (solaris) Create /etc/nologin to disable user logins.
- (solaris) Backup.
- (eonstor) Install the new hard disks.
- (eonstor) Make a new, raid 1, logical drive out of the 2 new disks.Run this step paraller to step 2.
- (linux,solaris) Unmount the eonstor mounted filesystems on both servers, after you've stopped all related services.
- (eonstor) Shutdown the controllers to flush any cache contents.
- (eonstor) Delete the 2nd logical partition and it will merge with the 1st. Non-destructively? Will see. If not, we have the backup.
- (eonstor) Assign LUNs to the 2 logical drive.
- (solaris) gorwfs on solaris on the 1st logical drive.
- (solaris) If it's done destructively then mount and restore backup, or
- (solaris) If it's done non-destructively just mount it.
- (linux) mkfs the desired number of ext3 filesystems on the 2nd logical drive (500GB).
- (linux) Restore backup and mount it.
Alas, I had to repartition.
- format and partition the new (eonstor logical) drive.
- newfs with 4096 fragment size (-f option).
- Restore backup.
άλλοι
αλλά δικοί μας
Ο avi και το http://microdots.org radio station
O Στας kαι το περίεργο email του, ανοίξτε ένα manual του sed η απλά ρωτήστε τον.
Η Ναντίκ = 1/2 http://www.oddrecords.com
O Μανώλο στην παιδική χαρά του
Ο Παντέλος ο uber dεveloper
Ο Γιάννης Κοροβέσης στο δίκτυο του
Ο Aρκουδίνος, Ο Καβουρέτος, Ο Σκυλάκης, Ο Uberμπέμπης μας, 15 μηνών
Ο SportBillis
Ο xil
Ο uberksi, ο δάσκαλος του ΚΣΥ, κάνει αναβάθμιση σε δάσκαλος του chi.
O serg
Ο θεικός vlix και οι φωτογραφίες του.
Οι υπόλοιποι ή δεν ξέρουν να κάνουν έναν ιστότοπο ή βαριούνται (οι κόπροι, ξέρετε ποιοί είστε ). Μπορεί να τους δείτε στο Facebook
Ο avi και το http://microdots.org radio station
O Στας kαι το περίεργο email του, ανοίξτε ένα manual του sed η απλά ρωτήστε τον.
Η Ναντίκ = 1/2 http://www.oddrecords.com
O Μανώλο στην παιδική χαρά του
Ο Παντέλος ο uber dεveloper
Ο Γιάννης Κοροβέσης στο δίκτυο του
Ο Aρκουδίνος, Ο Καβουρέτος, Ο Σκυλάκης, Ο Uberμπέμπης μας, 15 μηνών
Ο SportBillis
Ο xil
Ο uberksi, ο δάσκαλος του ΚΣΥ, κάνει αναβάθμιση σε δάσκαλος του chi.
O serg
Ο θεικός vlix και οι φωτογραφίες του.
Οι υπόλοιποι ή δεν ξέρουν να κάνουν έναν ιστότοπο ή βαριούνται (οι κόπροι, ξέρετε ποιοί είστε ). Μπορεί να τους δείτε στο Facebook
bill
Bασίλης Βατικιώτης, δουλεύω σαν διαχειριστής στο Ινστιτούτο Πληροφορικής & Τηλεπικοινωνιών, στο ΕΚΕΦΕ Δημόκριτος στην Αθήνα.
Το προφίλ μου στο LinkedIn
Στη δουλειά vatikiot@iit.demokritos.gr
Το προσωπικό vvatikiotis@gmail.com
MSN o_trixlidios@hotmail.com (μόνο MSN, τα email εδώ πάνε στο /dev/null με μεγάλη ευχαρίστηση)
Skype billy_v
εγώ@Facebook, ο bill πηρε την τζουγκράνα του
Κάποτε στην Ολλανδία ήμουν (επαγγελματικά) ο Develware@Amsterdam, NL, 1999 - 2003
Τα bookmarks μου. Θα ήταν super να μπορούσα να τα έχω στο Google Browser Sync και να είναι published στο δίκτυο χωρίς να πρέπει κάθε τόσο να τα κάνω export to file.
0014852D6CC2
Το προφίλ μου στο LinkedIn
Στη δουλειά vatikiot@iit.demokritos.gr
Το προσωπικό vvatikiotis@gmail.com
MSN o_trixlidios@hotmail.com (μόνο MSN, τα email εδώ πάνε στο /dev/null με μεγάλη ευχαρίστηση)
Skype billy_v
εγώ@Facebook, ο bill πηρε την τζουγκράνα του
Κάποτε στην Ολλανδία ήμουν (επαγγελματικά) ο Develware@Amsterdam, NL, 1999 - 2003
Τα bookmarks μου. Θα ήταν super να μπορούσα να τα έχω στο Google Browser Sync και να είναι published στο δίκτυο χωρίς να πρέπει κάθε τόσο να τα κάνω export to file.
0014852D6CC2
After Google Browser Sync? Weave.
R.I.P GBS. Enter Weave
RadRails on Ubuntu
Read the following, in this order:
NB: rubygems package in ubuntu repository is different than the one in RubyForge.
If we choose to install the rubygems package from the ubuntu repository then we do the following
To fix it, just add the line to the file /usr/bin/gem:
require 'rubygems/gem_runner'
after
require 'rubygems'
IMPORTANT Need to be carefull when apt-get updates the packages rubygems (if it's installed via apt-get and not downloaded).
MySQL, SQLite and PostgreSQL adapters are shipped with RoR 2.0. All other commercial DB adapters come in gems.
Aptana uses Java based stuff (which I don't want to know about). So, in order to have an installation that can be replicated on a production machine I always use the gem executable to manage my system gems collection, and not apt-get. I use that installation environment in Aptana, instead of the default Java-based one.
- Read https://help.ubuntu.com/community/RubyOnRails
- Then read http://www.aptana.com/docs/index.php/Installing_RadRails_on_Ubuntu_Linux
- Optional but quite informative http://amanzi.blogspot.com/2007/11/quick-ruby-and-rail-on-ubuntu-710.html
- Install libgems-ruby package from the ubuntu repository.
- Download latest rubygems from RubyForge.
- Install it
- Link gem executable to gem1.*
NB: rubygems package in ubuntu repository is different than the one in RubyForge.
If we choose to install the rubygems package from the ubuntu repository then we do the following
- sudo gem update --system. This updates the rubygems package from the Ruby repository and installs the newest package
- Using the gem1.* executable installed from the previous step, we continue with the rails installation: sudo gem1.8 rails -v version.
To fix it, just add the line to the file /usr/bin/gem:
require 'rubygems/gem_runner'
after
require 'rubygems'
IMPORTANT Need to be carefull when apt-get updates the packages rubygems (if it's installed via apt-get and not downloaded).
MySQL, SQLite and PostgreSQL adapters are shipped with RoR 2.0. All other commercial DB adapters come in gems.
Aptana uses Java based stuff (which I don't want to know about). So, in order to have an installation that can be replicated on a production machine I always use the gem executable to manage my system gems collection, and not apt-get. I use that installation environment in Aptana, instead of the default Java-based one.
- RadRails works with RoR version 2.
- Aptana uses gem, and not gem1.* to manage the installed system gems (not to be confused with the Java based ones). So link accordingly.
SSL certificates
If you need to renew an X.509 certificate use the following openssl command. The command will read the private key (private.key) and existing certificate (oldcert.pem) and generate a new certificate request (newcsr.csr) with the same information as the old certificate contained.
$ openssl x509 -x509toreq -signkey private.key -out newcsr.csr -in oldcert.pem
thx simon
Convert a DER format certificate to PEM.
openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der
Resign a key with another serial.
openssl x509 -req -days 365 -in server.csr -CA root-CA.crt -CAkey root-CA.key -set_serial XX -out server.crt
Serial must be different for each signed key.
The process of creating self signed CAs and certificates is adapted from
http://www.tc.umn.edu/~brams006/selfsign.html
thanx
Work as root.
1. First we create a CA certificate and then we sign our service certificate using our CA certificate
"The Common Name (CN) of the CA and the Server certificates should not match or else a naming collision will occur and you'll get errors later on. ... just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical. "
Use a fully qualified domain name as CN of the certificates (both CA's and subsequent certificates)
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2. Generate a server key and request for signing (csr)
The csr's CN should match the DNS name or the IP address. Otherwise there's a mismatch.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
The resulting server.key in openssl genrsa -des3 ... is secure i.e. is password protected. Some services require a non password protected key. To produce one from a secure key we do the following
openssl rsa -in server.key -out server.key.insecure
3. Sign the csr with our self-created CA
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Everytime we produce a key for a particular service we need to increment the serial number. Otherwise, we'd have a new key/request with the old serial number. One way to rectify this is certificate revocation lists.
4. Examine the keys
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt
$ openssl x509 -x509toreq -signkey private.key -out newcsr.csr -in oldcert.pem
thx simon
Convert a DER format certificate to PEM.
openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der
Resign a key with another serial.
openssl x509 -req -days 365 -in server.csr -CA root-CA.crt -CAkey root-CA.key -set_serial XX -out server.crt
Serial must be different for each signed key.
The process of creating self signed CAs and certificates is adapted from
http://www.tc.umn.edu/~brams006/selfsign.html
thanx
Work as root.
1. First we create a CA certificate and then we sign our service certificate using our CA certificate
"The Common Name (CN) of the CA and the Server certificates should not match or else a naming collision will occur and you'll get errors later on. ... just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical. "
Use a fully qualified domain name as CN of the certificates (both CA's and subsequent certificates)
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2. Generate a server key and request for signing (csr)
The csr's CN should match the DNS name or the IP address. Otherwise there's a mismatch.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
The resulting server.key in openssl genrsa -des3 ... is secure i.e. is password protected. Some services require a non password protected key. To produce one from a secure key we do the following
openssl rsa -in server.key -out server.key.insecure
3. Sign the csr with our self-created CA
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Everytime we produce a key for a particular service we need to increment the serial number. Otherwise, we'd have a new key/request with the old serial number. One way to rectify this is certificate revocation lists.
4. Examine the keys
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt
gogrid hosting
Virtual data center from a web interface. Keep it in mind.
http://blog.gogrid.com/2008/06/10/trending-various-computing-terms-clouds-are-getting-congested/
http://blog.gogrid.com/2008/06/10/trending-various-computing-terms-clouds-are-getting-congested/
work 2DO
- Diskoi gia eonstor
- SPAM filter. copy and then redirect
Redirecting system-wide SPAM
Problem: I want to redirect incoming, system-wide spam to another email address.
First thoughts: header_checks could be used. header_checks is part of the Postfix builtin content inspection mechanism and it's implemented in the cleanup(8) server.
Caveat: We shouldn't set header_checks in main.cf because that would force header content inspection before and after amavis inspection. No harm done but resource-wise this is not optimal. main.cf stores the global configuration.
The following snippet specifies the amavis to postfix reinjection service from master.cf.
localhost:10025 inet n - n - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_milters,no_unknown_recipient_checks # smtpd doesn't support the following header_checks option # -o header_checks=pcre:/etc/postfix/check_for_spam_subject -o smtpd_recipient_restrictions=permit_mynetworks,reject # all email comes from amavis which runs on localhost -o mynetworks=127.0.0.0/8 I thought of specifying header_checks in the reinjection path. The idea was to have header inspection only in master cf for the after inspection part of the pipeline. But this isn't possible since smtpd doesn't understand the option header_checks.
On the other hand, if header inspection is turned on in main.cf, it'll applied before and after amavis. Not optimal.
The solution would be to have 2 cleanup service specified in master.cf, one before content inspection by amavis and one after it. header_checks could be turned on for the 2nd one. Go to http://www.ijs.si/software/amavisd/README.postfix.html for a detailed analysis of using 2 cleanup services.
/^X-Spam-Flag: YES/ WARN tospamaddr This is the header check. The last step would be to REDIRECT instead of WARN.
First thoughts: header_checks could be used. header_checks is part of the Postfix builtin content inspection mechanism and it's implemented in the cleanup(8) server.
Caveat: We shouldn't set header_checks in main.cf because that would force header content inspection before and after amavis inspection. No harm done but resource-wise this is not optimal. main.cf stores the global configuration.
The following snippet specifies the amavis to postfix reinjection service from master.cf.
localhost:10025 inet n - n - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_milters,no_unknown_recipient_checks # smtpd doesn't support the following header_checks option # -o header_checks=pcre:/etc/postfix/check_for_spam_subject -o smtpd_recipient_restrictions=permit_mynetworks,reject # all email comes from amavis which runs on localhost -o mynetworks=127.0.0.0/8 I thought of specifying header_checks in the reinjection path. The idea was to have header inspection only in master cf for the after inspection part of the pipeline. But this isn't possible since smtpd doesn't understand the option header_checks.
On the other hand, if header inspection is turned on in main.cf, it'll applied before and after amavis. Not optimal.
The solution would be to have 2 cleanup service specified in master.cf, one before content inspection by amavis and one after it. header_checks could be turned on for the 2nd one. Go to http://www.ijs.si/software/amavisd/README.postfix.html for a detailed analysis of using 2 cleanup services.
/^X-Spam-Flag: YES/ WARN tospamaddr This is the header check. The last step would be to REDIRECT instead of WARN.
Postfix access restriction lists
There are 7 access restriction lists and they all use the same syntax. Their difference is their evaluation time and the effect of a REJECT or DEFER result
Each restriction list is evaluated from left to right until some restriction produces a result of PERMIT, REJECT or DEFER (try again later). The end of the list is equivalent to a PERMIT result.
The following table shows all the access restriction lists in order of evaluation.
Restriction list nameStatus Effect of REJECT or DEFER resultsmtpd_client_restrictions Optional Reject all client commandssmtpd_helo_restrictions Optional Reject HELO/EHLO informationsmtpd_sender_restrictions Optional Reject MAIL FROM informationsmtpd_recipient_restrictions Required Reject RCPT TO informationsmtpd_data_restrictions Optional Reject DATA commandsmtpd_end_of_data_restrictions Optional Reject END-OF-DATA commandsmtpd_etrn_restrictions Optional Reject ETRN command
All about SMTP access lists in http://www.postfix.org/SMTPD_ACCESS_README.html
Each restriction list is evaluated from left to right until some restriction produces a result of PERMIT, REJECT or DEFER (try again later). The end of the list is equivalent to a PERMIT result.
The following table shows all the access restriction lists in order of evaluation.
Restriction list nameStatus Effect of REJECT or DEFER resultsmtpd_client_restrictions Optional Reject all client commandssmtpd_helo_restrictions Optional Reject HELO/EHLO informationsmtpd_sender_restrictions Optional Reject MAIL FROM informationsmtpd_recipient_restrictions Required Reject RCPT TO informationsmtpd_data_restrictions Optional Reject DATA commandsmtpd_end_of_data_restrictions Optional Reject END-OF-DATA commandsmtpd_etrn_restrictions Optional Reject ETRN command
All about SMTP access lists in http://www.postfix.org/SMTPD_ACCESS_README.html
vpn scrap
ston pix-vpn
ston pix-SystemProperties
vpnc umsl.conf
route del default gw 0.0.0.0
route add default gw 192.168.15.1
route add -net 134.124.0.0 netmask 255.255.0.0 dev tun0
resolvconf -d tun0
resolvconf -u
To anw den xreaiazetai dioti douleuoume me to kvpnc kai to routing table ginetai push apo ton server ston client.
PROSOXH Ta route prepei opwsdhpote na allaksoun. opws eipe to tupaki "ti ginetai an 1o) den allaksoun to route kai 2o) anoiksoun meta kana emule??? kolash"
TO anw statement exei nea proseggish. DEs pio katw
Check MTU setting
https://honor.trusecure.com/pipermail/firewall-wizards/2005-October/018945.html
I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn client and would like to force the client to use the corporate network for internet access. I don't want to allow split-tunnel. I cant find any info on how to do this. Is split tunnel the only way to give a vpn client internet access once they are connected?
The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't take traffic that arrives on one interface and pass it back out that same interface, even when the traffic arrives via VPN tunnel.
Prepei na xrhsimopoihsoume split DNS kai split tunneling!!!!!!!!
trexontas to kvpnc kanei su-to-root gia na 8esei ta swsta routing entries
DNS setup. Rule ston pix gia na epitrepetai sto vpn diktuo na kanei dns lookup. Pros8esh tou vpn diktuou etsi wste o dns server na eksuphretei kai auto to diktuo (kai oxi na to blepei san outside diktuo).
NAT traversal NAT traversal enables ESP packets to pass through one or more NAT devices. Pou shmainei oti to xreiazomaste on otan to vpn endpoint einai pisw apo enan NAT device. Sthn prokeimnenh periptwsh oxi. telika xreiazetai to NAT-T ston client
Secondary DNS pou einai eksw apo to pedio eu8unhs den mpainei mesa sto split dns dioti meta den kseroume pws na to kanoume route. px vpnclient->domain DNS kseroume. omws vpnclient->SEC DNS den kseroume
TO BASTARDO FTIAXNEI IKE SA, TO IKE NEGOTIATION GINETAI OK, ANOIGEI TO IPSEC TUNNEL, APO TO DEBUG STO SSH SESSION TOU PIX (KAI TO GRAPH STO PDM) DEIXNEI OTI TO VPN EXEI ANOIKSEI ALLA TZIFOS!!!!!!!!!!!!
GIATI OTAN KANOUME DISC TON VPNC CLIENT MENEI (MERIKES FORES) TO IPSEC SA STON FW?????
To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (Internet usually unless the PIX is used as a border between business units) which is a little different than the first sentence above. We also suggest using statics from any non-outside interface to any other non-outside interface
refshttp://www.netcraftsmen.net/welcher/papers/pix04.html PIX 6.1
http://www.netcraftsmen.net/welcher/papers/pix01.html PIX 6.1 Kalo basic
http://www.netcraftsmen.net/welcher/papers/ipsec1.html IPSEC kai terminology explained
- IPsec rule Pros8etoume kai ena ena ipsec rule. Protect = encypt. Inside - > Outside vpn pool. Kai epilegoume kai tunnel policy pou 8a xrhsimopoieitai se auto to rule
- Tunnel Policy A tunnel policy is static when it applies to one or more remote peers that can be accurately identified by IP address or DNS host name. A tunnel policy is dynamic when it applies to an unknown remote peer that seeks to initiate an IPSec connection with the firewall. A static policy is more secure than a dynamic policy. However, a dynamic policy is necessary when a remote IPSec peer has a dynamically assigned IP address or when the firewall is configured to allow connections from unknown remote hosts. Select a trnsform set also
- Transform Set Make a transform set (specifies the IPSec protocol, encryption algorithm, and hash algorithm to use on traffic matching the IPSec policy. ). Tunnel mode is the normal way in which IPSec is implemented between two firewalls . This method of implementing IPSec is typically done with L2TP to allow authentication of remote Windows 2000 VPN clients.
- IKE Policies select the symmetric encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. select the hash algorithm used for authentication and ensuring data integrity. Selet method of authentication( pre-share kai rsasig). We use pre-shared key. rsa-sigs requires certificates. Enable the outside interface for IKE
- IKE XAUTH/Mode Config. Choose outside interface Choose RADIUS. Mode config : Initiate—This indicates that the firewall initiates the config mode with the client and then waits for the client to respond before it sends information to the client. Respond—This indicates that the client initiates the configuration mode with the firewall. The firewall then responds to the remote access client with the IP address it allocates for that client.
- 2 pools, mia gia admin mia gia tous users
- pros8etoume 2 vpn client groups. Enable to PFS (Perfect Forward Secrecy (PFS) provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. This statement is optional.). Bazoume kai ta DNS. Split Tunneling gia argotera, einai gia performance afou den kruptografei ta panta
ston pix-SystemProperties
- Sto AAA servers bazoume to IP tou radius server + kleidi pou moirazontai o pix kai o radius. Prepei na mpei kai sot clients.conf tou radius
vpnc umsl.conf
route del default gw 0.0.0.0
route add default gw 192.168.15.1
route add -net 134.124.0.0 netmask 255.255.0.0 dev tun0
resolvconf -d tun0
resolvconf -u
To anw den xreaiazetai dioti douleuoume me to kvpnc kai to routing table ginetai push apo ton server ston client.
PROSOXH Ta route prepei opwsdhpote na allaksoun. opws eipe to tupaki "ti ginetai an 1o) den allaksoun to route kai 2o) anoiksoun meta kana emule??? kolash"
TO anw statement exei nea proseggish. DEs pio katw
Check MTU setting
https://honor.trusecure.com/pipermail/firewall-wizards/2005-October/018945.html
I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn client and would like to force the client to use the corporate network for internet access. I don't want to allow split-tunnel. I cant find any info on how to do this. Is split tunnel the only way to give a vpn client internet access once they are connected?
The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't take traffic that arrives on one interface and pass it back out that same interface, even when the traffic arrives via VPN tunnel.
Prepei na xrhsimopoihsoume split DNS kai split tunneling!!!!!!!!
trexontas to kvpnc kanei su-to-root gia na 8esei ta swsta routing entries
DNS setup. Rule ston pix gia na epitrepetai sto vpn diktuo na kanei dns lookup. Pros8esh tou vpn diktuou etsi wste o dns server na eksuphretei kai auto to diktuo (kai oxi na to blepei san outside diktuo).
NAT traversal NAT traversal enables ESP packets to pass through one or more NAT devices. Pou shmainei oti to xreiazomaste on otan to vpn endpoint einai pisw apo enan NAT device. Sthn prokeimnenh periptwsh oxi. telika xreiazetai to NAT-T ston client
Secondary DNS pou einai eksw apo to pedio eu8unhs den mpainei mesa sto split dns dioti meta den kseroume pws na to kanoume route. px vpnclient->domain DNS kseroume. omws vpnclient->SEC DNS den kseroume
TO BASTARDO FTIAXNEI IKE SA, TO IKE NEGOTIATION GINETAI OK, ANOIGEI TO IPSEC TUNNEL, APO TO DEBUG STO SSH SESSION TOU PIX (KAI TO GRAPH STO PDM) DEIXNEI OTI TO VPN EXEI ANOIKSEI ALLA TZIFOS!!!!!!!!!!!!
GIATI OTAN KANOUME DISC TON VPNC CLIENT MENEI (MERIKES FORES) TO IPSEC SA STON FW?????
To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (Internet usually unless the PIX is used as a border between business units) which is a little different than the first sentence above. We also suggest using statics from any non-outside interface to any other non-outside interface
refshttp://www.netcraftsmen.net/welcher/papers/pix04.html PIX 6.1
http://www.netcraftsmen.net/welcher/papers/pix01.html PIX 6.1 Kalo basic
http://www.netcraftsmen.net/welcher/papers/ipsec1.html IPSEC kai terminology explained
LDAP scrap
- OpenLDAP εγκατασταθηκε και τρεχει
- phpldapadmin to idio
- ftiaxnoume ena neo template. PROSOXH: to neo template mpainei sto dir templates/creation kai OXI sto template, opws leei to manual tou phpldapadmin
- migrate ta accounts, kati prepei na paizei me to passwd encryption apo solaris se linux
- Edit to /usr/share/perl5/migrate_common.ph kai bazoume to diko mas BASE, 8etoume to EXTEND_SCGEMA se 1 kai kanoume comment out oti exei me Kerberos. Epishs allazoume ta NAMINGCONTEXTS gia na sumfwnoun me to schema mas
- Allages sto migration_passwd gia na ferei ta idia pou 8a ferei kai to template pou 8a ftiaksoume gia to phpldapadmin. *****Ayto to shmeio ksanadesto, xreiazetai? *****
- Ta migration tools ftiaxnoun DNs ths morfhs uid, ou
- to User Account template tou phpldapadmin ftiaxnei DN ths morfhs cn, ou
- To template pou eftiaksa lunei to prob. Allazw to DN kata boulhsh
- Sto migrate_passwd, otan EXTEND_SCHEMA=1 bazei 3 structural classes, Ta 2 (person kai organisationPerson) ta ekana comment out. Ola ta attributes apo ta parent classes uparxoun sto class pou afhsa (inetOrgPerson). Reccomendation apo 2o link (oxi polla structural classes sta entries)
- Sto migrate_passwd, tupwnw kai mia timh displayName (=cn), sumfwna me to link 2
- Anadiataksh ektupwshs twn objectClass me to top sthn arxh, to inteOrg Person (structural) meta kai akolou8oun ta auxilliary
- xrhsimopoioume ta migrate_passwd/group/shadow
- Toi installation exei hdh dhmiourghsei to entry tou domain mas dc=iit,dc=demok....
- Ta 2nd lvl entries, People, Group, app kai adm ta ftiaxnoume me to xeri san ou entries
APOLUTWS APARAITHTO: ta users directories sto ldap, kai ta uid gid, einai apoluta!!!!!! Dhladh o xrhsths test me uid 1001 kai gid 1001 kai homedir /path/ti/homedir efarmozetai se OLA ta mhxanhmata pou o xrhshths autos exei access
phpLDAPADMIN
- $config->custom->cache['template'] = false;
- $config->custom->appearance['tree_display_format'] = '%displayName'; To displayName einai suggestion apo to 2o link
auth-client-config -a -p lac_ldap ( to profile auto brisketai sto /etc/auth-client-config/profile.d/ldap-auth-config )
To -r kanei revert
auth-client-config, ldap-auth-client (metapackage), ldap-auth-config,libpam-ldap,libnss-ldap
ldap-auth-config : Can be managed by debconf (to debconf se rwtaei kapoia pramata gia to configuration)
conf arxeia(Just as quick aside, you should be aware by now that modifying /etc/ldap.conf really only affects the pam_ldap and nss_ldap modules, not OpenLDAP itself. OpenLDAP is typically configured elsewhere.)
to /etc/ldap.conf to diabazoun oi ldap client ka8e fora pou kalounte (opws ta commands ldapadd, ldapmodify, ldapsearch - apo to paketo ldap-utils)
All of the OpenLDAP client programs share one common configuration file, /etc/ldap/ldap.conf
Bazoume HOST sto /etc/ldap/lda.conf
Sta ldap-utils, o diakopths -d{1,2) kanei debugginf. Opws to debug {0,1,2_ sto /etc/ldap.conf
EPITELOUS
To documentation gia to /etc/ldap.conf gia oti afora to pam einai sto man pam_ldap. Gia to nss einai sto man nss_ldap
Whilst pam_ldap is generally configured in the system LDAP naming configuration file (ldap.conf), some options can be configured in the PAM configuration file, to allow for per-service granularity. These options include the path to the LDAP naming configuration file to use, so in effect all options can be configured on a per-service basis. Options are listed below under PAM Configuration.
NAI!!!!!!!!!!!!!!!!!!!!!!!!!!
8eloume ta local accounts KAI ta ldap accounts KAI apo ta LDAP accounts na isxuoun mono osa einai sto devices group tou LDAP gia sugkekrimeno mhxanhma. To kolpo einai na dhlwsoume sto account type tou pam kai to pam_unix kai to pam_ldap ws required kai na dhlwsoume sto pam_ldap ta orismata ignore_authinfo_unavail kai ignore_unknown_user.
The 'groupdn' parameter should be the dn of a *groupOfUniqueNames*,
not of a posixGroup. Where is that documented?
Pws allazoume password?
- Se opoio mhxanhma einai ldap client kanoume apla passwd. To nss_ldap analambanei ta upoloipa.
BTW nss and pam should make use of the /etc/ldap/ldap.conf file but it seems they expect it in /etc/openldap/... as the /etc/ldap.conf file states. Its important fact if you want to use ldaps(SSL/TLS encyption).
Mporei na xreiastei auth h plhroforia
Palioteres ekdoseis apo 7.10 gutsy
Ubuntu uses /etc/ldap.conf as libnss-ldap's configuration file
SHMANTIKO - /usr/share/doc/libnss-ldap/README.gz
I think its extremly important that you have a
/etc/shadow file so that an ObjectClass shadowAccount
will be created in the ldap database. My experience is
that without shadowAccount nss_ldap does not work on
solaris!!
Notes about Debian's libldap2 package
It has been reported that using libnss-ldap can cause a failure to
unmount /usr on system shutdown.
nss-updatedb 'h nscd
Provides a script which maintanins local caches of user/group dris. Used by DB NSS module (libnss-db) to provide name service when system is offline
'H nscd
ena apo ta 2
The bind_policy soft option forbids nss_ldap from retrying failed LDAP queries. If the default bind policy is used, LDAP will retry a query several times when the LDAP server is not present. This can cause a pause of several seconds during routine operations.
bind_policy hard retry with exponential backoff
Default bind_timelimit :30 seconds. To ;allaksa se 10sec kai aghnw to bind_policy se hard. Mporei na xreiazetai na allax8ei
libldap2: /etc/ldap/ldap.conf. man ldap.conf anaferetai se auto to ldap.conf
ldap-auth-config VERSION 0.4: /etc/ldap.conf, /etc/auth-client-config/profile.d/ldap-auth-config (DEBCONF confiures this)
auth-client-config - Script for modifying nsswitch.conf and pam: /etc/auth-client-config/profile.d/acc-default
https://help.ubuntu.com/community/LDAPClientAuthentication Einai kapws outdated bebaia.
https://wiki.ubuntu.com/LDAPAuthentication einai ena overview pou ekshgei pws einai organwmena ta paketa gia ldap client auth sto ubuntu
https://wiki.ubuntu.com/AuthClientConfig. Ekshgei ti kanei to paketo auth-client-config
http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2007-09/msg00000.html To post ekshgei giati den douleuei to pam_groupdn. H seira pam_ldap.so, pam_unix so einai la8os. ANA8EWRHSH Swsth einai alla to post FreeBSD specific. Tsekare to epomeno link kai to NAIIIIIIII header pio panw
http://marc.info/?l=pamldap&m=105575914618199&w=2
DIT Design from LDAPCon07
LDAP Schema Design
On the fly group assignment
auth optional pam_group.so
kai bazoume sto /etc/security/group.conf entries opws ta parakatw
login;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip
kdm;*;*;Al0000-2400;users,cdrom,floppy,plugdev,audio,dip,video
Warnings when we run slapd with default ACL configuration:
"cannot assess the validity of the ACL scope within backend naming context"
Works as intended. That's a reminder that ACLs (may) scope outside the
backend they're defined in. For instance,
access to *
by * read
can appear anywhere, but it's not quite good inside a backend because it
also scopes outside. A more appropriate statement would be
access to dn.subtree=<suffix>
by * readslapd -g openldap -u openldap -f /etc/ldap/slapd.conf
In some cases (e.g. when using fancy submatches in regex clauses) slapd
can't quite get the actual scope of a rule; different warnings may
appear in that case.
TLS conf
- Ta certificated prepei na einai readable apo ton xrhsth pou trexei o slapd
- Epishs gia ton client prepei na einai readable to certificate
- To key DEN prepei na einai password protected
- sto slapd.conf bazoume security tls=1 gia na ginei enforce to tls
- Sto /etc/ldap.conf twn clients bazoume start_tls, pou douleuei sto standard ldap port 389
- Sto /etc/ldap.conf exei ena tls_cacerfile alla mallon den douleuei. To arxeio pou prepei na mpei to tls_cacert einai to .etc/ldap/ldap.conf
- sto /etc/ldap/ldap.conf bazoume to baze. Asxeto me tls einai auto
- sto /etc/ldap/ldap.conf bazoume to host. SHMANTIKO Gia na ginei swsta to tls certificate checking prepei to CN tou server certificate tou LDAP server na einai idio me to spec tou HOST sto /etc/ldap/ldap.conf. DIKLEIDA ASFALEIAS bazoume to fqdn tou LDAP server sto /etc/hosts KA8E client, giati an uparxei mono ston DNS kai o DNS server pesei tote to certificate verification apotugxanei kai ton pinei to conne.
- TO EPANALAMBANOUME. To /etc/ldap/ldap.conf to xrhsimopoioun ta ldap tools. To /etc/ldap.conf to xrhsimopoipoun to LDAP NSS library kai to LDAP PAM module
- Anoigoume to TLS gia to phpldapadmin
Indexing
cn,sn,givenName,email ta kanoume index gia equality kai substring matching
Sto /etc/ldap.con
8etoume kai ta nns_base_(passwd,shadow,group) gia xrhsh sta sugkekrimena maps
Maintenance.
Set readonlu
Backup the berkleyDB file in /var/lib/ldap
or/and
slapcat gia ldif output. Auto mporei na ginei ena polu wraio cron job
To slapcat den xreiazetai authenticate ktl ktl. Einai root only ergaleiaki,afou to slapd.conf einai readable mono apo ton root
ldapsearch options
-x simple bind
-W prompt for passwd
-D binddn
-Z(Z) initiate tls/ssl connection
To monitor backend exei energopoih8ei.
Xrhsimopoioume to ldapsearch me base cn=Monitor, scope (-s) base/sub/one kai filter '*' (all user app attrs) kai '+' (all operational attrs)
Link to openldap doc
This is only informative, not prescriptive, and it's been in HEAD for at
http://ubuntuforums.org/showthread.php?t=597056&highlight=pam+nss+ldap