We are currently moving our customer hosting platform from our old colo to our new one. The servers run cPanel on CentOS 4. The process of moving these services goes something like this:

  1. install new servers of the same or a similar model at the new location, and load them with a basic CentOS install
  2. rsync oldserver:/ to newserver:/ including customer files
  3. reboot the new server and fix whatever goes wrong (MAC addresses changing, etc.)
  4. move BGP announcement of hosting IP range to new colo
  5. shut down and remove old servers

The actual process is more complicated. During step 2, I hit a problem with cPanel’s /home/virtfs directory tree.

We recently moved our primary backup machine to another location, and have overhauled a lot of our network infrastructure. This meant a lot of work updating the Bacula configurations on those machines. I’ve been unhappy with Bacula for some time, so I replaced it with BackupPC.

I recently switched my primary mouse from a Logitech V450 to a much simpler Logitech RX650. The RX650 is a basic OEM mouse. It is larger than the V450 and doesn’t have the useful space below the mouse to store the compact USB receiver. It only has a range of 1.5m from the receiver, compared to 10m for the V450. So why did I switch? Because the RX650 uses 27 MHz for communication, whereas nearly every other cordless mouse on the market today, including my old V450, uses 2.4 GHz.

Firefox has a very annoying “feature” – it remembers any HTTP authentication tokens for as long as Firefox remains open. And by “open”, I mean “the browser is running”, not “the tab/window is open”.

Why is this bad? For several reasons.

Using Webmin on a smartphone

Although I administer most servers via SSH, I also use Webmin. Webmin is convenient for almost any simple administrative task, and for some jobs it is the better tool. For instance, it is the easiest way I have found to browse Postfix email queues. Perhaps most importantly, it can save you from having to learn yet another daemon’s unique configuration language and syntax.

It can also be very handy if you have to fix something from your smartphone, where the command line isn’t always the best choice of tool. Enter: the Virtualmin Mobile/iPhone Theme.

You really shouldn’t allow SSH logins via password. This is doubly true for root. On most of my hosts we allow SSH for normal users with a password, but restrict root to SSH keys only. And we always protect against brute force attacks with fail2ban.
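As an added illustration (not from the original post), here is a small audit of the policy just described: passwords allowed for normal users, keys only for root. It parses an sshd_config the way sshd does, where keyword names are case-insensitive, the first value seen for a keyword wins, and anything after a Match block is conditional. The two configs it checks are constructed examples; the defaults it assumes when a keyword is absent are those of the OpenSSH releases of the CentOS 4 era (newer releases default PermitRootLogin to prohibit-password).

```python
import re

# Defaults sshd applies when a keyword is absent.  "yes" for PermitRootLogin matches the
# OpenSSH releases of the CentOS 4 era (OpenSSH 7.0 and later default to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# PermitRootLogin values that still admit root but never with a password.
KEY_ONLY_ROOT = {"without-password", "prohibit-password", "forced-commands-only"}

# Constructed example configs (not from the post).  The hardened one follows the
# policy described above: passwords for normal users, keys only for root.
WEAK_CONFIG = """\
# constructed: permissive sshd_config
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: users may use passwords, root must use a key
Protocol 2
PermitRootLogin without-password
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def effective_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Two sshd rules matter for an audit: keywords are case-insensitive, and for
    each keyword the *first* value sshd reads wins, so a hardening line appended
    below an existing permissive one does nothing.  Directives after the first
    Match block apply only to matching connections, so the scan stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)    # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)                  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Report settings that let root authenticate with a password."""
    eff = dict(DEFAULTS)
    eff.update(effective_settings(text))
    findings = []
    root = eff["permitrootlogin"].lower()
    password = eff["passwordauthentication"].lower()
    if root == "yes" and password == "yes":
        findings.append(
            "root can log in with a password; set PermitRootLogin to "
            "without-password (or no) while leaving PasswordAuthentication for users"
        )
    if root not in KEY_ONLY_ROOT and root not in ("yes", "no"):
        findings.append("unrecognised PermitRootLogin value %r" % root)
    if eff["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off, so key-only root login is impossible")
    return {"effective": eff, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(cfg)
        print(name, result["effective"]["permitrootlogin"], result["findings"] or "OK")
```

The first-occurrence rule is the one that bites in practice: appending `PermitRootLogin without-password` to the bottom of a file that already says `PermitRootLogin yes` changes nothing, which the audit reports.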

If you aren’t already using SSH keys and SSH agent, you should. SSH agent forwarding allows for secure sideways authentication. For example:

kregexpeditor now in repo

Cleaning up after the KDE 4 upgrade continues. Today I tried to port kregexpeditor from hardy, but pbuilder stopped with a library conflict:

kdelibs5-dev: Conflicts: kdelibs4-dev but 4:3.5.10.dfsg.1-1ubuntu8 is to be installed

I’m sure I could have resolved this, but I decided to test the hardy package before spending any more effort. The package installed without complaint, and the binary runs. I’ve added the amd64 and i386 packages from hardy-backports to the repo for jaunty.

Until last week I still ran Kubuntu 8.04 (Ubuntu with KDE) on my personal desktop. We also use this on all our corporate desktops, and my wife’s PC at home. I wanted to wait for KDE 4 to mature a bit more before upgrading, so intrepid wasn’t an option.

I waited 4 months after the release of jaunty, so the problems should be either documented or resolved, and the release notes didn’t mention anything that seemed too serious. So I decided to give it a test.

In the last 3 weeks our company mail servers have been slammed with a massive increase in spam relay attempts. The logs showed many failures like this one:

Jul 12 14:15:26 mailserver.example.com postfix/smtpd[19885]: NOQUEUE: reject: RCPT from 206.12.0.10.in-addr.arpa[10.0.12.206]: 554 5.7.1 <symons@yahoo.co.uk>: Relay access denied; from=<yyjaqveh@lpsb.com> to=<symons@yahoo.co.uk> proto=ESMTP helo=<206.12.0.10.in-addr.arpa>

IP addresses have been obscured to protect the guilty (or ignorant, as this is certainly a botnet). Unfortunately, a large number of the IP addresses in question belonged to my own satellite customers. Mail servers for our other domains were almost entirely unaffected. This tells me that some bastard has written a botnet spam client that looks up its own public IP, finds the reverse DNS entry, looks up the MX record of the corresponding domain, and then attempts to relay mail through that server. This is particularly mean, as it will encourage your own ISP to shut you down.
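To make the pattern above visible in a mail log, here is an added example (not from the original post) that parses Postfix `Relay access denied` rejections, counts them per client IP, marks clients that fall inside our own address blocks, and notes whether each client used its own reverse-DNS name as its HELO, which is what the self-lookup behaviour described above produces. The log lines and the customer prefixes are constructed placeholders modelled on the obscured line quoted in the post.

```python
import re
import ipaddress

# Constructed sample lines in the shape of the post's log line.  The IPs are
# RFC 1918 placeholders (as in the post's obscured example); no real hosts appear.
SAMPLE_LOG = """\
Jul 12 14:15:26 mailserver.example.com postfix/smtpd[19885]: NOQUEUE: reject: RCPT from 206.12.0.10.in-addr.arpa[10.0.12.206]: 554 5.7.1 <symons@yahoo.co.uk>: Relay access denied; from=<yyjaqveh@lpsb.com> to=<symons@yahoo.co.uk> proto=ESMTP helo=<206.12.0.10.in-addr.arpa>
Jul 12 14:15:31 mailserver.example.com postfix/smtpd[19885]: NOQUEUE: reject: RCPT from 206.12.0.10.in-addr.arpa[10.0.12.206]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<qwzx@lpsb.com> to=<bob@example.net> proto=ESMTP helo=<206.12.0.10.in-addr.arpa>
Jul 12 14:16:02 mailserver.example.com postfix/smtpd[19890]: NOQUEUE: reject: RCPT from unknown[192.168.77.5]: 554 5.7.1 <carol@example.org>: Relay access denied; from=<abc@lpsb.com> to=<carol@example.org> proto=SMTP helo=<friend>
Jul 12 14:16:10 mailserver.example.com postfix/smtpd[19891]: NOQUEUE: reject: RCPT from 9.14.0.10.in-addr.arpa[10.0.14.9]: 554 5.7.1 <dave@example.com>: Relay access denied; from=<zz@lpsb.com> to=<dave@example.com> proto=ESMTP helo=<9.14.0.10.in-addr.arpa>
Jul 12 14:16:15 mailserver.example.com postfix/smtpd[19892]: NOQUEUE: reject: RCPT from unknown[192.168.77.5]: 450 4.1.8 <nobody@nowhere.invalid>: Sender address rejected: Domain not found; from=<nobody@nowhere.invalid> to=<me@example.com> proto=SMTP helo=<friend>
Jul 12 14:16:20 mailserver.example.com postfix/smtpd[19892]: disconnect from unknown[192.168.77.5]
"""

# Address blocks handed out to our own customers (constructed placeholder prefixes).
OWN_NETWORKS = ["10.0.12.0/24", "10.0.14.0/24"]

# Fields of a Postfix smtpd "Relay access denied" rejection.  The bracketed client
# IP is what Postfix actually saw; the name before it is its reverse DNS (or "unknown").
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def parse_relay_denials(text):
    """Return one dict per relay rejection; other Postfix lines are skipped."""
    return [m.groupdict() for m in map(RELAY_DENIED.search, text.splitlines()) if m]


def summarize(text, own_networks=OWN_NETWORKS):
    """Group relay rejections by client IP.

    own_customer:      the client sits in one of our own address blocks
    helo_matches_rdns: every attempt used its own reverse-DNS name as HELO, the
                       signature of the self-lookup behaviour described above
    """
    nets = [ipaddress.ip_network(n) for n in own_networks]
    per_ip = {}
    for rec in parse_relay_denials(text):
        entry = per_ip.setdefault(rec["ip"], {
            "count": 0, "recipients": set(), "helo_matches_rdns": True, "own_customer": False,
        })
        entry["count"] += 1
        entry["recipients"].add(rec["rcpt"])
        entry["helo_matches_rdns"] = (
            entry["helo_matches_rdns"] and rec["rdns"] != "unknown" and rec["helo"] == rec["rdns"]
        )
    for ip, entry in per_ip.items():
        addr = ipaddress.ip_address(ip)
        entry["own_customer"] = any(addr in net for net in nets)
    return per_ip


def flagged(per_ip, threshold=2):
    """Client IPs with at least `threshold` rejections, busiest first."""
    hits = [ip for ip, e in per_ip.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda ip: (-per_ip[ip]["count"], ip))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in flagged(report, threshold=1):
        e = report[ip]
        print("%-15s %3d attempts  own_customer=%-5s helo=rdns=%s" %
              (ip, e["count"], e["own_customer"], e["helo_matches_rdns"]))
```

Run against a real mail log, the `own_customer` column is the list of subscribers to contact about infected machines, and `helo_matches_rdns` separates this particular client from ordinary open-relay probing, which usually sends an arbitrary HELO.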

After my recent adventure with reverse-path filtering, I didn’t expect to see it again so soon. And then I took another look at a long-standing annoyance in our OpenVPN network.

I set up OpenVPN so our offices and laptops could securely access internal resources. This lets me print documents directly to another office, for instance. Or access web-based applications that we don’t make available to the public. Or remotely SSH into a PC and fix a problem.
