Re: Cracking attempt
On Mon, 24 Feb 2003, Russell Coker wrote:

> On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > Usually if we get such a report, we'll inform the client of their actions.
> > Most times that discourages them from doing it.
>
> In any case it's a service to your client - who is the one paying you. It
> always amazes me that people on the net expect you to take their side against
> one of your clients for something innocent like a bit of portscanning!
>
> > unless someone is REALLY repeatedly hammering a server. Then if no action
> > is taken we may even block them at the router/switch level.
>
> That's the only thing to do, if someone is excessively scanning you then you
> block their IP addresses for a while. Of course you can't be too trigger
> happy with this or you'll end up with half the Internet in your firewall rule
> set...

In the defense of the ballistic person that is complaining about the
portscan, one of our servers is running a backup server that dies with no
error/warning when the server is portscanned. Unfortunately, our servers
can not be put behind a firewall as funding is at an all time low.

This is a very inconvenient feature and the company that provides the
backup server will do nothing about it so we have to manually restart the
daemon from time to time because we were (innocently) portscanned.

I guess my point is that there can be some weird side-effects to obscure
things that portscans/other non-normal network behaviour can create.
However I will still side with you on the fact that abnormal behaviour
should be handled and discarded by the software.

Oh well.

My two cents worth.

-Tim

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Cracking attempt
On Mon, 24 Feb 2003 10:59, Tim Spriggs wrote:
> > That's the only thing to do, if someone is excessively scanning you then
> > you block their IP addresses for a while. Of course you can't be too
> > trigger happy with this or you'll end up with half the Internet in your
> > firewall rule set...
>
> In the defense of the ballistic person that is complaining about the
> portscan, one of our servers is running a backup server that dies with no
> error/warning when the server is portscanned. Unfortunately, our servers
> can not be put behind a firewall as funding is at an all time low.

!?!?!?

Firstly having a backup server on a public IP address is just asking for
trouble.

What OS are you using? Presumably if it was Linux you would have solved the
problem with iptables or ipchains long ago...

BTW As a rule of thumb, if you can crash it then you can probably exploit it,
I hope that server isn't running as root.

> This is a very inconvenient feature and the company that provides the
> backup server will do nothing about it so we have to manually restart the
> daemon from time to time because we were (innocently) portscanned.

That sucks. Napster clients used to do the same, but you couldn't complain
too much about free software that is used for unauthorised audio copying. ;)

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Cracking attempt
It's a grey area IMHO.

A portscan is just a knock on an apartment door, and just waiting to see who
is going to open up. Besides that, it's nothing more. And you can see this as
annoying, knocking on someone's door and then running like hell, but.. then
again, no harm is done.

In comparison with a mail address probe, which I receive 30 times a day if I
don't completely block a couple of Hungarian and Chinese ISPs, the domain
is useless for any commercial form, and does harm me in a financial way if
I really don't do anything about it.

So.. using the spam probe to compare it with a port scan.. well, I would
report the spam probe a couple of times if I have the feeling it would make
a difference.. but still.. it can be a lot of work.

Mark

On Mon, Feb 24, 2003 at 02:59:38AM -0700, Tim Spriggs wrote:
> On Mon, 24 Feb 2003, Russell Coker wrote:
>
> > On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > > Usually if we get such a report, we'll inform the client of their actions.
> > > Most times that discourages them from doing it.
> >
> > In any case it's a service to your client - who is the one paying you. It
> > always amazes me that people on the net expect you to take their side against
> > one of your clients for something innocent like a bit of portscanning!
> >
> > > unless someone is REALLY repeatedly hammering a server. Then if no action
> > > is taken we may even block them at the router/switch level.
> >
> > That's the only thing to do, if someone is excessively scanning you then you
> > block their IP addresses for a while. Of course you can't be too trigger
> > happy with this or you'll end up with half the Internet in your firewall rule
> > set...
>
> In the defense of the ballistic person that is complaining about the
> portscan, one of our servers is running a backup server that dies with no
> error/warning when the server is portscanned. Unfortunately, our servers
> can not be put behind a firewall as funding is at an all time low.
>
> This is a very inconvenient feature and the company that provides the
> backup server will do nothing about it so we have to manually restart the
> daemon from time to time because we were (innocently) portscanned.
>
> I guess my point is that there can be some weird side-effects to obscure
> things that portscans/other non-normal network behaviour can create.
> However I will still side with you on the fact that abnormal behaviour
> should be handled and discarded by the software.
>
> Oh well.
>
> My two cents worth.
>
> -Tim

--
Mark Lijftogt

Re: Cracking attempt
On Mon, 24 Feb 2003 12:07, Mark Lijftogt wrote:
> In comparison with a mail address probe, which I receive 30 times a day if I
> don't completely block a couple of Hungarian and Chinese ISPs, the domain
> is useless for any commercial form, and does harm me in a financial way if
> I really don't do anything about it.

Below is part of my blocking list from one server. The entries below were all
put in as a direct result of spam. In the case of Kornet and chinanet every
time they spammed me I blocked the netblock in question. I probably haven't
blocked all of those ISPs, just the parts that spam me excessively.

The DNSBL services work well for most spammers, but some of those big Asian
ISPs just have too many IP addresses for them to work well for anything other
than blanket blocking.

# stop this machine from emailing crap to us
ipchains -A input -l -j DENY -s 195.188.16.215
# kornet is a spam haven 61.72.0.0 - 61.77.255.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 61.72.0.0/14 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 61.76.0.0/15 -d 0.0.0.0/0 smtp
# kornet is a spam haven 211.197.188.0-211.197.200.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 211.197.188.0/22 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 211.197.192.0/21 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 211.197.200.0/24 -d 0.0.0.0/0 smtp
# kornet is a spam haven 211.194.106.64-211.194.106.127 blocked
ipchains -A input -l -j REJECT -p tcp -s 211.194.106.64/26 -d 0.0.0.0/0 smtp
# kornet is a spam haven 211.217.138.0-211.217.143.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 211.217.138.0/23 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 211.217.140.0/22 -d 0.0.0.0/0 smtp
# kornet is a spam haven 211.229.24.0-211.229.36.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 211.229.24.0/21 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 211.229.32.0/22 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 211.229.36.0/24 -d 0.0.0.0/0 smtp
# kornet is a spam haven 211.48.62.0-211.48.63.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 211.48.62.0/23 -d 0.0.0.0/0 smtp
# chinanet.net is a spam haven 202.98.32.0-202.98.63.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 202.98.32.0/19 -d 0.0.0.0/0 smtp
# hananet is a spam haven 211.200.118.0-211.200.119.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 211.200.118.0/23 -d 0.0.0.0/0 smtp
# chinanet.net is a spam haven 218.75.128.0 - 218.77.127.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 218.75.128.0/16 -d 0.0.0.0/0 smtp
ipchains -A input -l -j REJECT -p tcp -s 218.76.128.0/15 -d 0.0.0.0/0 smtp
# chinanet.cn.net is a spam haven 61.163.224.128 - 61.163.224.135 blocked
ipchains -A input -l -j REJECT -p tcp -s 61.163.224.0/24 -d 0.0.0.0/0 smtp
# chinanet.cn.net is a spam haven 218.6.0.0 - 218.6.127.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 218.6.0.0/17 -d 0.0.0.0/0 smtp
# chinanet.cn.net is a spam haven 218.28.0.0 - 218.29.255.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 218.28.0.0/15 -d 0.0.0.0/0 smtp
# korea.com is a spam haven 210.221.83.0-210.221.83.255 blocked
ipchains -A input -l -j REJECT -p tcp -s 210.221.83.0/24 -d 0.0.0.0/0 smtp
# stop this broken Chinese web crawler from attacking us
ipchains -A input -l -j DENY -s 139.175.250.0/24
# stop the stupid naver-mailer from attacking us
ipchains -A input -l -j DENY -p tcp -s 211.218.150.0/24 -d 0.0.0.0/0 smtp

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

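The blocking list above pairs each comment's address range with one or more CIDR rules. The following audit of that pairing is an added example, not part of the original post: the function names are made up here, and the sample ranges and prefixes are copied from three entries in the list. It also goes one step further than the post and computes the exact CIDR cover for a stated range.

```shell
#!/bin/sh
# Added example: check that CIDR rules block exactly the range their comment names.

# dotted quad -> integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "a.b.c.d/len" -> "first last". A prefix match ignores the host bits, so
# 218.75.128.0/16 matches the whole of 218.75.0.0 - 218.75.255.255.
cidr_range() {
    addr=$(ip2int "${1%/*}")
    len=${1#*/}
    size=$(( 1 << (32 - len) ))
    first=$(( addr - addr % size ))
    echo "$(int2ip "$first") $(int2ip $(( first + size - 1 )))"
}

# audit_block FIRST LAST CIDR... : rules must be listed in ascending order.
# Prints "ok" when they tile FIRST..LAST exactly, otherwise what they cover.
audit_block() {
    want_first=$1; want_last=$2; shift 2
    got_first=; got_last=
    for cidr in "$@"; do
        range=$(cidr_range "$cidr")
        f=$(ip2int "${range% *}")
        l=$(ip2int "${range#* }")
        if [ -z "$got_first" ]; then
            got_first=$f
        elif [ "$f" -ne $(( got_last + 1 )) ]; then
            echo "rules are not contiguous at $cidr"
            return 0
        fi
        got_last=$l
    done
    if [ "$(int2ip "$got_first")" = "$want_first" ] &&
       [ "$(int2ip "$got_last")" = "$want_last" ]; then
        echo ok
    else
        echo "rules cover $(int2ip "$got_first") - $(int2ip "$got_last"), comment says $want_first - $want_last"
    fi
}

# range_to_cidrs FIRST LAST -> smallest list of prefixes covering exactly that range
range_to_cidrs() {
    cur=$(ip2int "$1"); end=$(ip2int "$2"); out=
    while [ "$cur" -le "$end" ]; do
        len=32
        # widen the block while it stays aligned on cur and inside the range
        while [ "$len" -gt 0 ]; do
            size=$(( 1 << (33 - len) ))
            if [ $(( cur % size )) -ne 0 ] || [ $(( cur + size - 1 )) -gt "$end" ]; then
                break
            fi
            len=$(( len - 1 ))
        done
        out="$out$(int2ip "$cur")/$len "
        cur=$(( cur + (1 << (32 - len)) ))
    done
    echo "${out% }"
}

# Three entries from the list above: stated range, then the rules' prefixes.
echo "kornet:          $(audit_block 61.72.0.0 61.77.255.255 61.72.0.0/14 61.76.0.0/15)"
echo "chinanet.net:    $(audit_block 218.75.128.0 218.77.127.255 218.75.128.0/16 218.76.128.0/15)"
echo "chinanet.cn.net: $(audit_block 61.163.224.128 61.163.224.135 61.163.224.0/24)"
echo "exact cover for the chinanet.net comment: $(range_to_cidrs 218.75.128.0 218.77.127.255)"
```

Where a rule's prefix is wider than the range in its comment, the rule blocks more addresses than the comment documents, which matters when someone later tries to work out why legitimate mail from a neighbouring network is being rejected.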
Re: Cracking attempt
On Mon, 24 Feb 2003, Russell Coker wrote:

> On Mon, 24 Feb 2003 10:59, Tim Spriggs wrote:
> > > That's the only thing to do, if someone is excessively scanning you then
> > > you block their IP addresses for a while. Of course you can't be too
> > > trigger happy with this or you'll end up with half the Internet in your
> > > firewall rule set...
> >
> > In the defense of the ballistic person that is complaining about the
> > portscan, one of our servers is running a backup server that dies with no
> > error/warning when the server is portscanned. Unfortunately, our servers
> > can not be put behind a firewall as funding is at an all time low.
>
> !?!?!?
>
> Firstly having a backup server on a public IP address is just asking for
> trouble.

Yes, I know.

> What OS are you using? Presumably if it was Linux you would have solved the
> problem with iptables or ipchains long ago...

Solaris 9 :( It does have some firewalling software but caused some major
conflicts at one point with no config and honestly, I and one other person
are pushing to get a firewall and separation of tasks on different machines.
The way this thing sits right now I'd be un-surprised if someone with an hour
of spare time and a little talent could get in and fuck a _LOT_ up.

> BTW As a rule of thumb, if you can crash it then you can probably exploit it,
> I hope that server isn't running as root.

I realize that too. Unfortunately, Universities (at least around here) tend
to be VERY political and getting something like linux as a main college
server in place would be "making waves" with the type of people that run the
money upstairs. Like I said, I'm pushing it. Debian has been an all-time
favorite of mine since I left redhat at version 5.2/5.0 several years back.
I'd love to put Linux on the machine and call it a day. For one, things
compile MUCH easier.

> > This is a very inconvenient feature and the company that provides the
> > backup server will do nothing about it so we have to manually restart the
> > daemon from time to time because we were (innocently) portscanned.
>
> That sucks. Napster clients used to do the same, but you couldn't complain
> too much about free software that is used for unauthorised audio copying. ;)

Yeah, but you can sure as hell complain about backup software that you BUY
and then don't receive technical support in any way without paying more and
having a setup that barely works as it is. ~cough~ Veritas ~clears throat~
sorry... Just a little built up...

The hardware is kinda fun though... Sun v880 with 4GB's of ram and 6 36GB
Fiber Channel drives. One of the drives is dedicated to mirrors by the way.
We have a debian/cpan/xfree86/sunfreeware mirror setup on the box for anyone
that's in/around/close to Arizona.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
|             T I M   S P R I G G S              |
|        Assistant Sysadmin - Development        |
|        College of Engineering and Mines        |
|            ECE206A - (520) 621-3185            |
##--##--##--##--##--##--##--##--##--##--##--##--##

Re: Cracking attempt
Hi,

On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:

> On Mon, 24 Feb 2003, Russell Coker wrote:
>
> > BTW As a rule of thumb, if you can crash it then you can probably
> > exploit it, I hope that server isn't running as root.
>
> I realize that too. Unfortunately, Universities (at least around here)
> tend to be VERY political and getting something like linux as a main
> college server in place would be "making waves" with the type of
> people that run the money upstairs.

Just rest assured that a non-firewalled box containing backups will make
a /lot/ more waves upstairs when (sic!) it gets cracked.

You don't need to push Linux, you just need to explain the current
risks, their cost and what it costs to implement a solution (be it
Debian or Windows-95 based, ultimately they won't care), and the risks
associated with that.

Even the people upstairs have their gut feelings or prejudices about
things they don't understand -- and we all know how hard that can make
things -- they do tend to be sensitive to talks that mention well
founded estimates of risks and costs.

Cheers,

Emile.

--
E-Advies / Emile van Bergen   |   [EMAIL PROTECTED]
tel. +31 (0)70 3906153        |   http://www.e-advies.info

Re: Correct choice of servers
Russell Coker wrote:
> On Thu, 20 Feb 2003 23:20, echelon wrote:
>
>>I’m trying to get some new servers, but I’m not quite sure that I’m
>>buying the right hardware.
>
> It appears from the web page that you are buying for price, this is risky as
> there are many features of designed server machines that will greatly improve
> reliability. Better fans, better testing and QA.
>
> For Linux servers I've found Dell servers to work well. Well designed and
> engineered, and they perform really well under heavy load.

I had a lot of trouble with Dell hardware over the last 7 years.
HP ProLiant and Fujitsu-Siemens Primergy servers do just fine. Both have
very nice Blade servers and external storage. Oh and have a look at the
Acer Altos R500 Servers. If uptime is your most important issue then use
SUN hardware.

> Another thing, I recommend making the hardware the same as much as possible.

And keep enough spare parts around.

> You don't really want to have three different motherboards in three different
> machines. That means there's more chance of hitting bugs. If you have three
> the same and there's a bug then you can often implement a work-around, or get
> them returned. If there's a bug in one then you will probably take longer to
> discover it, and having different work-arounds for different machines is a
> pain to manage.
>
> If your aim is to use cheap desktop machines as servers for a small ISP then
> it might be best to ask on debian-user for general hardware issues.

Or use the Fujitsu-Siemens ECONEL Servers. They're value for money. We use
them for a large firewall/vpn rollout right now.

greets
Uwe

--
X-Tec GmbH
Institute for Computer and Network Security
WWW : http://www.x-tec.de/
IPv6: http://www.ipv6.x-tec.de/

Hi Stella
a kiss

Re: Mail server
Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a
> mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things
> for the life of me, and if I had baseline numbers I could modify them to
> suit. \:
>
> I'm looking at a thousand users, but anything would help.

Depends more on the software than on the number of users. And the number of
users isn't really interesting. It's interesting how much traffic they
generate.

I was running sendmail+popper on a P2-500MHz, 512MB RAM with some users
popping every minute - about 1 mails in/minute and 10 pop-connections/minute
and had a load-average of about 1.0 - and in times with much bounces up to 20.

Now we're running postfix with courier-pop/imap, AntiVir, Spamfilter on a
P4-1.7GHz with 512MB RAM and an IPC-Vortex-SCSI-RAID-Controller for the
spool. Also installed is a webmail, the User-Database comes from LDAP (also
running local) and we have a load of nearly 0 - and slightly more traffic.

I'd suggest you use qmail or postfix. On the postfix-mailinglist are some
people with a _lot_ of traffic (thousands of messages / minute) and they
handle this also with something with about 1GHz - mail-delivery isn't really
a CPU-issue, it's highly I/O-based so fast disk give you much more
performance than a faster CPU.

regards
--
Markus Schabel       TGM - Die Schule der Technik    www.tgm.ac.at
IT-Service           A-1200 Wien, Wexstrasse 19-23   net.tgm.ac.at
[EMAIL PROTECTED]    Tel.: +43(1)33126/316
[EMAIL PROTECTED]    Fax.: +43(1)33126/154
FSF Associate Member #597, Linux User #259595 (counter.li.org)
Yet Another Spam Trap: [EMAIL PROTECTED]

Computers are like airconditioners:
They stop working properly if you open windows.

Re: Cracking attempt
Good point. The only other problem is that our department is looking for
ways to cut back and so asking for _anything_ to my immediate superiors
seems risky in their eyes. Certainly there are people on their level in
other departments who wholeheartedly agree with me and even the people right
above me to a degree but stuff seems to be flying left and right as people
do not want to lose their jobs. Hmm, maybe I should dedicate a box of my own
so I don't lose mine? :)

Anywho, I appreciate the concern and I do realize what a mess this entire
thing is. If it were solely up to me I would have a linux firewall that
routed all ssh/mail/other user services to a single box and then keep all of
the system level crap on another (such as our LDAP server and backup
client). As of right now, I can think of way too many ways that this thing
is holier than the pope's golf clubs.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
|             T I M   S P R I G G S              |
|        Assistant Sysadmin - Development        |
|        College of Engineering and Mines        |
|            ECE206A - (520) 621-3185            |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Mon, 24 Feb 2003, Emile van Bergen wrote:

> Hi,
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
>
> > On Mon, 24 Feb 2003, Russell Coker wrote:
> >
> > > BTW As a rule of thumb, if you can crash it then you can probably
> > > exploit it, I hope that server isn't running as root.
> >
> > I realize that too. Unfortunately, Universities (at least around here)
> > tend to be VERY political and getting something like linux as a main
> > college server in place would be "making waves" with the type of
> > people that run the money upstairs.
>
> Just rest assured that a non-firewalled box containing backups will make
> a /lot/ more waves upstairs when (sic!) it gets cracked.
>
> You don't need to push Linux, you just need to explain the current
> risks, their cost and what it costs to implement a solution (be it
> Debian or Windows-95 based, ultimately they won't care), and the risks
> associated with that.
>
> Even the people upstairs have their gut feelings or prejudices about
> things they don't understand -- and we all know how hard that can make
> things -- they do tend to be sensitive to talks that mention well
> founded estimates of risks and costs.
>
> Cheers,
>
> Emile.

Mail server
That's exactly what I needed to hear. I appreciate the prompt replies.
Thank you.

--
Asher Densmore-Lynn <[EMAIL PROTECTED]>

Re: Mail server
We have one machine that is currently handling about that many users. It
runs Debian 3.0 stable, sendmail, spamassassin (if anyone has a better spam
filter let me know), imap and pop, and the load average is rarely above 0.7.
Most of the load comes from spamassassin. Which seems to be normal.

At the moment that machine is a Duron 900 with 60GB worth of disk space and
750MB RAM. 60GB is complete overkill for only 1000 users unless you are
planning on giving them huge mail boxes. Which I wouldn't advise.

Personally I run cucipop because it seems a very fast pop server. At the
moment I am running uw-imapd as we have few imap clients and the supposed
speed issues that that server has I have not noticed. As I said, the most
cpu hungry app is the spam filtering.

Lauch

On Tue, 2003-02-25 at 03:27, Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a
> mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things
> for the life of me, and if I had baseline numbers I could modify them to
> suit. \:
>
> I'm looking at a thousand users, but anything would help.
>
> --
> Asher Densmore-Lynn <[EMAIL PROTECTED]>

Re: Mail server
Lauchlin Wilkinson said:
> As I said, the most cpu hungry app is the spam filtering.

Try Amavis on top of that! ;-)

--
 .''`.  Girl, you gotta change your crazy ways, you hear me?
: :' :  Crazy by Aerosmith
`. `'   Proudly running Debian GNU/Linux (Sid + 2.4.20 + Ext3)
  `-    www.amayita.com www.malapecora.com www.chicasduras.com

Re: Cracking attempt
On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > What OS are you using? Presumably if it was Linux you would have
> > solved the problem with iptables or ipchains long ago...
>
> Solaris 9 :( It does have some firewalling software but caused some
> major conflicts at one point with no config and honestly, I and one
> other person are pushing to get a firewall and separation of tasks on
> different machines. The way this thing sits right now I'd be
> un-surprised if someone with an hour of spare time and a little talent
> could get in and fuck a _LOT_ up.

here's a quick-and-dirty (and cheap!) temporary solution:

get an old 386/486/pentium box - there should be several gathering dust
at any university. put two ethernet cards in it, and install linux (any
debian with kernel 2.4.x) on the machine and configure it as a NAT
firewall. plug one NIC into your network, and use a crossover cable to
connect the other NIC to your solaris box.

in short, what this will do is take the solaris box off the external
network and put it on a second (private) network. DNAT on the linux box
will allow authorised machines to connect to it and SNAT allows the
solaris box to get out.

if you configure the NAT stuff right, the change will be completely
transparent to all users.

it's pretty ugly, but it will work...and it's something you can do
without spending any money or asking permission (remember it's always
easier to get forgiveness than permission :).

if anyone ever notices and complains, you can justify it by saying you
had no choice. you had to protect the server and the backups it
contained but had no budget to do it with.

alternatively, build the linux box but put it between your external
router and your main network. there's no need for NAT in this setup,
just plain routing and iptables firewalling rules.

a third alternative, (which may or may not be viable, depending on what
kind of border router you have and how your network is set up) is to
replace the router with the linux box.

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

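A sketch of the first setup described above (two NICs, DNAT in for authorised machines, SNAT out), written as an added example that is not part of the original post. Every interface name, address and port in it is an assumption: the addresses come from documentation and private ranges, and port 7937 merely stands in for whatever port the backup software listens on.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the two-NIC NAT box.
# All values below are assumptions chosen for illustration.

EXT_IF=eth0                # NIC plugged into the existing network
INT_IF=eth1                # NIC on the crossover cable to the Solaris box
PUBLIC_IP=192.0.2.10       # address the Solaris box held before the move
PRIVATE_IP=10.99.0.2       # its new address on the private link
ADMIN_NET=198.51.100.0/24  # hosts allowed to ssh to the firewall itself
# "source-network:tcp-port" pairs that may reach the Solaris box
ALLOWED="198.51.100.0/24:22 198.51.100.32/27:7937"

build_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # DNAT: only authorised sources get translated towards the private address
    for pair in $ALLOWED; do
        src=${pair%:*}; port=${pair##*:}
        echo "-A PREROUTING -i $EXT_IF -s $src -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $PRIVATE_IP"
    done
    # SNAT: connections the Solaris box opens leave with its old public address
    echo "-A POSTROUTING -o $EXT_IF -s $PRIVATE_IP -j SNAT --to-source $PUBLIC_IP"
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # the firewall itself: loopback, replies, and ssh from the admin network
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $EXT_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # forwarded traffic: replies, the DNATed services, and outbound from Solaris
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in $ALLOWED; do
        src=${pair%:*}; port=${pair##*:}
        echo "-A FORWARD -i $EXT_IF -o $INT_IF -s $src -d $PRIVATE_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $PRIVATE_IP -m state --state NEW -j ACCEPT"
    # everything else (a portscan, for instance) is logged at a limited rate,
    # then dropped by the chain policy before it reaches the backup daemon
    echo "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "COMMIT"
}

# Print the ruleset for review. To load it, run as root on the Linux box:
#   sh thisscript.sh | iptables-restore
# The box must also hold PUBLIC_IP on EXT_IF and have IP forwarding enabled
# (echo 1 > /proc/sys/net/ipv4/ip_forward) for the change to be transparent.
build_ruleset
```

With a default-drop FORWARD policy, ports that are not listed in ALLOWED never reach the Solaris box at all, which is what keeps a scan away from the fragile backup daemon.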
RE: Cracking attempt
There are also cheap ($100) NAT routers / "firewalls" available like
D-Link or Netgear if you don't need a speed > 10Mbps.

You'll have to spend $100, but it won't consume your time, it takes a lot
less space, and it will consume a lot less electricity.

> -----Original Message-----
> From: Craig Sanders [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 25 February 2003 1:38
> To: Tim Spriggs
> CC: [EMAIL PROTECTED]
> Subject: Re: Cracking attempt
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > > What OS are you using? Presumably if it was Linux you would have
> > > solved the problem with iptables or ipchains long ago...
> >
> > Solaris 9 :( It does have some firewalling software but caused some
> > major conflicts at one point with no config and honestly, I and one
> > other person are pushing to get a firewall and separation of tasks on
> > different machines. The way this thing sits right now I'd be
> > un-surprised if someone with an hour of spare time and a little talent
> > could get in and fuck a _LOT_ up.
>
> here's a quick-and-dirty (and cheap!) temporary solution:
>
> get an old 386/486/pentium box - there should be several gathering dust
> at any university. put two ethernet cards in it, and install linux (any
> debian with kernel 2.4.x) on the machine and configure it as a NAT
> firewall. plug one NIC into your network, and use a crossover cable to
> connect the other NIC to your solaris box.
>
> in short, what this will do is take the solaris box off the external
> network and put it on a second (private) network. DNAT on the linux box
> will allow authorised machines to connect to it and SNAT allows the
> solaris box to get out.
>
> if you configure the NAT stuff right, the change will be completely
> transparent to all users.
>
> it's pretty ugly, but it will work...and it's something you can do
> without spending any money or asking permission (remember it's always
> easier to get forgiveness than permission :).
>
> if anyone ever notices and complains, you can justify it by saying you
> had no choice. you had to protect the server and the backups it
> contained but had no budget to do it with.
>
> alternatively, build the linux box but put it between your external
> router and your main network. there's no need for NAT in this setup,
> just plain routing and iptables firewalling rules.
>
> a third alternative, (which may or may not be viable, depending on what
> kind of border router you have and how your network is set up) is to
> replace the router with the linux box.
>
> craig

Re: Mail server
On Mon, Feb 24, 2003 at 10:27:56AM -0600, Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a
> mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things
> for the life of me, and if I had baseline numbers I could modify them to
> suit. \:
>
> I'm looking at a thousand users, but anything would help.

pretty nearly any relatively "modern" (as in less than 5 years old)
machine will be more than capable of handling mail for 1000 users.

spend between $500 and $1000 USD on a decent new machine and you'll have
no problems. pay attention to the brand/model of the motherboard and
the disk drive(s), they are the most important components.

this won't give you any crash-proofing or crash-recovery - for that you
need RAID 1, 0+1 or 5 disk (it's the only form of "backup" that is any
use at all for extremely transient data like email)...which will add
significantly to the price. my preference is for RAID-5 with a large
non-volatile write-cache...very fast & very safe.

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

Re: Mail server
Russell Coker wrote:
> I have been considering modifying the Qmail and maildrop code to not use
> fsync() etc to allow more users per server (yes I know about the
> reliability issues, but there are lots of more important things to worry
> about).

Are you using mboxes under /var/spool/mail, or are you using Maildirs
under /home?

If you're using the latter, wouldn't it be easier (and safer) to spread
your home dirs across multiple hard drives (or, more appropriately,
multiple RAID partitions on different disks?) Of course, IIRC, the 2650
is a 2U server, so you're limited to what you can cram into the box.

In your particular configuration, have you looked at the
advantages/disadvantages of having something like two disks in RAID 1
and another 2 or more disks in another RAID set (1 or 5, depending on #
of drives) with the mail spool on one RAID set and the rest of the
filesystems (including /var) on the other?

Just asking because I have a similar setup to yours (one big HW RAID-5)
and have been wondering if that's the best way to go.

--Rich

_
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_

Re: Mail server
----- Original Message -----
From: "Russell Coker" <[EMAIL PROTECTED]>
To: "Colin Ellis" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, February 24, 2003 7:16 PM
Subject: Re: Mail server

> If a message delivery takes 10 disk writes (actually it probably takes more
> once you count writing to two files in the queue then writing it to the spool
> and deleting the queue files with lots of fsync() along the way) then such a
> machine can only deliver 13 messages per second.
>
> I'm running a number of mail servers with lots of spare disk space that are
> hitting the message delivery limits, which prevents me adding more users.

I totally agree with Russell; disk speed is probably the most important
limiting factor, not CPU speed or diskspace.

To add some more numbers: I've just been doing some benchmarks to test
different filesystem/mailserver combinations, testing with Russell's
excellent Postal benchmark program. The best result on our testmachine
(celeron 1700, 256 megs of RAM, 80 GB 7200 rpm IDE disk) have been a
constant 30-35 messages per second. This was with a combination of XFS,
Exim and Maildir storage, and with a maximum message size of 10K. A more
realistic 100K maximum size still resulted in about 20-25 deliveries per
second.

These numbers are, however, only for mail delivery using SMTP; retrieving
the mail using either POP or IMAP will add significant load.

Re: Mail server
On Mon, 24 Feb 2003 20:59, Rich Puhek wrote:
> Russell Coker wrote:
> > I have been considering modifying the Qmail and maildrop code to not use fsync() etc to allow more users per server (yes I know about the reliability issues, but there are lots of more important things to worry about).
>
> Are you using mboxes under /var/spool/mail, or are you using Maildirs under /home?

Maildirs in home directories on a file system dedicated for the task.

> If you're using the latter, wouldn't it be easier (and safer) to spread your home dirs across multiple hard drives (or, more appropriately, multiple RAID partitions on different disks?) Of course, IIRC, the 2650 is a 2U server, so you're limited to what you can cram into the box.

The 2650 contains 5 hard drives, that's a RAID-5 of 4 disks plus one hot-spare disk. Therefore only one partition for all the storage.

> In your particular configuration, have you looked at the advantages/disadvantages of having something like two disks in RAID 1 and another 2 or more disks in another RAID set (1 or 5, depending on # of drives) with the mail spool on one RAID set and the rest of the filesystems (including /var) on the other?

For only 4 active disks I don't expect any great performance benefit from that, and probably a performance loss at times when one array is busy and the other is idle.

For 10+ disks I would probably look at a RAID-1 for the spool with the journal on an nvram device and the rest of the disks in a RAID-5 for storage.

> Just asking because I have a similar setup to yours (one big HW RAID-5) and have been wondering if that's the best way to go.

If you have an excessive number of disks in the RAID-5 then the OS may not be able to send enough IO requests to it. I don't think that file systems in Linux (with the possible exception of XFS) could deliver good performance on a RAID array of 100 disks.

Delivering good performance on 10 file systems that each have 10 disks is much easier to achieve if your data store can easily be striped over 10 file systems (as it can be for mail).

A previous mail server I worked on had 192 disks divided into 10 RAID sets for mail storage for this reason. I am not sure how many of the 192 disks were used and how many were spare. I suspect that it was 180 disks in use and 12 spare.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Mail server
Can anyone give me any figures on how much machine I need to serve as a mail server for N users?

I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:

I'm looking at a thousand users, but anything would help.

--
Asher Densmore-Lynn <[EMAIL PROTECTED]>
RE: Mail server
Your question is certainly quite vague, but here are a few things to think about..

What mail delivery program are you thinking of using and are you planning on providing pop3 and/or imap service? Imap requires more processing power to display the mail folders, but it depends on the software again.

What kind of disk quota are you thinking of setting for your users? Email can take up a lot of space, and outgoing mail also needs to be stored in a queue.

In terms of processing/memory requirements, I'd suggest pentium II (400MHz) upwards with at least 512MB ram. Email doesn't really need much processing, but does take surprisingly large amounts of disk space. The disks are probably the limiting factor in what hardware config you are looking at.

Hope this helps,

Colin Ellis
Solution City Ltd
http://www.solution-city.com

-----Original Message-----
From: Asher Densmore-Lynn [mailto:[EMAIL PROTECTED]
Sent: 24 February 2003 16:28
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Mail server

Can anyone give me any figures on how much machine I need to serve as a mail server for N users?

I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:

I'm looking at a thousand users, but anything would help.

--
Asher Densmore-Lynn <[EMAIL PROTECTED]>
Re: Mail server
If it's of any help, at my last firm we had 1000 email domains all using different setups. There were 900 pop accounts checking their mail every 5 - 10 mins.

Our setup was:

Sendmail 8.11
Debian 3.0
kernel 2.4.18
intel 550Mhz
256Mb Ram
40Gb Hd

Machine load never above 0.7

Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:
>
> I'm looking at a thousand users, but anything would help.
Re: Mail server
On Mon, 24 Feb 2003 17:27, Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:
>
> I'm looking at a thousand users, but anything would help.

It depends on who those users are and what they do.

For 1000 users of a dial-up ISP you don't need anything special, no-one sells hardware that is so small it can't handle such a load.

For 1000 users of a corporate LAN attaching Word and PowerPoint documents to their email you'll need a fairly decent server, get a couple of gigs of RAM and 4-5 disks in a RAID array and it should be fine.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Mail server
Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:
>
> I'm looking at a thousand users, but anything would help.

how long is a piece of string?

a p120 with 32meg of ram can handle 30 users with ease. A p2-350 with 128 meg 200 with ease, depends on the use it's put to. I doubt it's linear scaling, give us some numbers.

Thing
Re: Mail server
On Mon, 24 Feb 2003 18:34, Colin Ellis wrote:
> Email doesn't really need much processing, but does take surprisingly large amounts of disk space.

Obviously such things differ depending on exactly who is using the service and what they are doing. But my experience is that with modern disks a mail server will run out of seek performance before it runs out of space.

The fastest drives (15000rpm) will take an average of 4ms for the disk to spin to the correct location to start a transfer in addition to the seek times for moving the heads. That gives a performance of something less than 100 IO operations per second per disk.

I am working on a bunch of Dell PowerEdge 2650 machines with 4*U160 15000rpm SCSI disks in a hardware RAID-5 with a battery backed write-back cache. This gives a peak performance of about 130 disk writes per second.

If a message delivery takes 10 disk writes (actually it probably takes more once you count writing to two files in the queue then writing it to the spool and deleting the queue files with lots of fsync() along the way) then such a machine can only deliver 13 messages per second.

I'm running a number of mail servers with lots of spare disk space that are hitting the message delivery limits, which prevents me adding more users.

I have been considering modifying the Qmail and maildrop code to not use fsync() etc to allow more users per server (yes I know about the reliability issues, but there are lots of more important things to worry about).

If you need more space then there's lots of good options nowadays. 200G IDE drives are getting cheap, I'll probably get a RAID-1 of them for my next home machine. 70G U160 SCSI drives give better performance, and I'm finding that their performance is a bottleneck not their size. Of course bigger drives tend to be faster if all other things are equal. For the servers I'm using I'd rather have 140G U160 drives, I'd still be using <70G of them, but the performance would be better.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
ntop strange message
Hi everyone,

I recently installed the ntop package in one box to try it. Since the first day I started to receive this info with the log check report. I think it's related with the name servers or something but can't get why, how to fix it or where the error is. minerva2 is the server running ntop and pc_05 is the local network machine; these seem to be Windows names.

Feb 21 18:31:48 minerva2 ntop[21759]: WARNING: Malformed ICMP pkt pc_05->all-routeers.mcast.net detected (packet too short)

This message repeats several times with different local machine names but to the same destination.

I would appreciate any help u could give.

Cheers,
rak
Mail server
That's exactly what I needed to hear. I appreciate the prompt replies. Thank you. -- Asher Densmore-Lynn <[EMAIL PROTECTED]>
Re: Mail server
We have one machine that is currently handling about that many users. It runs Debian 3.0 stable, sendmail, spamassassin (if anyone has a better spam filter let me know), imap and pop, and the load average is rarely above 0.7. Most of the load comes from spamassassin. Which seems to be normal.

At the moment that machine is a Duron 900 with 60GB worth of disk space and 750MB RAM. 60GB is complete overkill for only 1000 users unless you are planning on giving them huge mail boxes. Which I wouldn't advise.

Personally I run cucipop because it seems a very fast pop server. At the moment I am running uw-imapd as we have few imap clients and the supposed speed issues that that server has I have not noticed.

As I said, the most cpu hungry app is the spam filtering.

Lauch

On Tue, 2003-02-25 at 03:27, Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:
>
> I'm looking at a thousand users, but anything would help.
>
> --
> Asher Densmore-Lynn <[EMAIL PROTECTED]>
Re: Mail server
Lauchlin Wilkinson said:
> As I said, the most cpu hungry app is the spam filtering.

Try Amavis on top of that! ;-)

--
 .''`.  Girl, you gotta change your crazy ways, you hear me?
: :' :  Crazy by Aerosmith
`. `'   Proudly running Debian GNU/Linux (Sid + 2.4.20 + Ext3)
  `-    www.amayita.com www.malapecora.com www.chicasduras.com
Re: Cracking attempt
On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > What OS are you using? Presumably if it was Linux you would have solved the problem with iptables or ipchains long ago...
>
> Solaris 9 :( It does have some firewalling software but caused some major conflicts at one point with no config and honestly, I and one other person are pushing to get a firewall and separation of tasks on different machines. The way this thing sits right now I'd be un-surprised if someone with an hour of spare time and a little talent could get in and fuck a _LOT_ up.

here's a quick-and-dirty (and cheap!) temporary solution:

get an old 386/486/pentium box - there should be several gathering dust at any university. put two ethernet cards in it, and install linux (any debian with kernel 2.4.x) on the machine and configure it as a NAT firewall. plug one NIC into your network, and use a crossover cable to connect the other NIC to your solaris box.

in short, what this will do is take the solaris box off the external network and put it on a second (private) network. DNAT on the linux box will allow authorised machines to connect to it and SNAT allows the solaris box to get out. if you configure the NAT stuff right, the change will be completely transparent to all users.

it's pretty ugly, but it will work...and it's something you can do without spending any money or asking permission (remember it's always easier to get forgiveness than permission :). if anyone ever notices and complains, you can justify it by saying you had no choice. you had to protect the server and the backups it contained but had no budget to do it with.

alternatively, build the linux box but put it between your external router and your main network. there's no need for NAT in this setup, just plain routing and iptables firewalling rules.

a third alternative, (which may or may not be viable, depending on what kind of border router you have and how your network is set up) is to replace the router with the linux box.

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
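The DNAT/SNAT arrangement described in the message above, as an added example that is not part of the original post: a shell function that prints an iptables-restore ruleset for the two-NIC box. Interface names, all addresses, the authorised source range and the ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# two-NIC Linux box in front of one server. Interface names, addresses and
# ports are constructed placeholders (RFC 5737 / RFC 1918 ranges).

EXT_IF="eth0"           # NIC on the existing network (assumed name)
INT_IF="eth1"           # NIC on the crossover cable to the server (assumed name)
PUBLIC_IP="192.0.2.10"  # address clients already use; now held by the Linux box
PRIVATE_IP="10.0.0.2"   # server's new address on the private link

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# gen_ruleset ALLOWED_CIDR PORT [PORT...]
# Prints the ruleset on stdout. Arguments are validated before anything is
# printed, so bad input yields no partial ruleset and a non-zero status.
gen_ruleset() {
    [ "$#" -ge 2 ] || return 1
    allowed="$1"; shift
    case "$allowed" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    for p in "$@"; do valid_port "$p" || return 1; done

    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for p in "$@"; do
        # DNAT: authorised sources reach the server through its old address
        echo "-A PREROUTING -i $EXT_IF -s $allowed -d $PUBLIC_IP -p tcp --dport $p -j DNAT --to-destination $PRIVATE_IP"
    done
    # SNAT: the server's outbound traffic keeps its old source address
    echo "-A POSTROUTING -o $EXT_IF -s $PRIVATE_IP -j SNAT --to-source $PUBLIC_IP"
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"      # the firewall itself offers no services
    echo ":FORWARD DROP [0:0]"    # probes of unlisted ports are dropped here
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        # FORWARD sees the packet after DNAT, so match the private address
        echo "-A FORWARD -i $EXT_IF -o $INT_IF -s $allowed -d $PRIVATE_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $PRIVATE_IP -m state --state NEW -j ACCEPT"
    echo "COMMIT"
}

# Review the output, then load it as root:
#   gen_ruleset 198.51.100.0/24 22 | iptables-restore
```

Loading the ruleset needs root, and forwarding must be enabled (net.ipv4.ip_forward=1). The server's default route becomes the firewall's address on the private link.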
Re: Mail server
On Mon, Feb 24, 2003 at 10:27:56AM -0600, Asher Densmore-Lynn wrote:
> Can anyone give me any figures on how much machine I need to serve as a mail server for N users?
>
> I appreciate that every server is unique, but I can't judge these things for the life of me, and if I had baseline numbers I could modify them to suit. \:
>
> I'm looking at a thousand users, but anything would help.

pretty nearly any relatively "modern" (as in less than 5 years old) machine will be more than capable of handling mail for 1000 users.

spend between $500 and $1000 USD on a decent new machine and you'll have no problems. pay attention to the brand/model of the motherboard and the disk drive(s), they are the most important components.

this won't give you any crash-proofing or crash-recovery - for that you need RAID 1, 0+1 or 5 disk (it's the only form of "backup" that is any use at all for extremely transient data like email)...which will add significantly to the price. my preference is for RAID-5 with a large non-volatile write-cache...very fast & very safe.

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch