Re: Weakest point of a server?
Hi all,

On Thu, Feb 06, 2003 at 09:13:06PM +0800, Jason Lim wrote:
> Hi all,
>
> I was wondering what kind of failures you experience with long-running
> hardware.

Mostly mechanical parts like fans and hard disks.
CPUs can normally run around 10 years without problems, as far as I know.

> Most of us run servers with very long uptimes (we've got a server here
> with uptime approaching 3 years, which is not long compared to some, but
> we think it is pretty good!).
>
> We're looking at "extending" the life of some of these servers, but are
> reluctant to replace all the hardware, especially since what is there
> "works"...
>
> Most of these servers either have 3ware RAID cards, or have some other
> sort of RAID (scsi, ide, software, etc.). The hard disks are replaced as
> they fail, so by now some RAID 1 drives are actually 40Gb when only about
> 20Gb is used, because the RAID hardware cannot "extend" to use the extra
> size (but this is a different issue).

You can detect indications of an impending failure with smartmontools.
These tools read the SMART values/log that most modern hard disks provide.
Often there are messages in /var/log/messages which indicate hard disk problems.

> Now... we can replace all the fans in the systems (eg. CPU fan, case fans,
> etc.). Some even suggested we jimmy on an extra fan going sideways on the
> CPU heatsink, so if the top fan fails at least airflow is still being
> pushed around which is better than nothing (sort of like a redundant CPU
> fan system).

You can monitor CPU/case temperature with the sensors package.
Also the voltages of the mainboard (power supply).
And also the speed of the fans (often they get slower and slower before failure).

> But how about the motherboards themselves? Is it often for something on
> the motherboard to fail, after 3-4 years continuous operation without
> failure?
>
> Or is there some other part(s) we should look out for instead... would the
> CPU itself die after 3 years continuous operation? Or maybe RAM? Or even
> the LAN cards?

RAM also does not fail so often.
NICs more often (voltage peaks or things like this???).
You can monitor them with mii-tool?
You can build failover with the bonding driver of the kernel, as far as I know.
Not all cards/drivers supply correct MII information.

> We keep the systems at between 18-22 degrees Celsius (tending towards the
> lower end) as we've heard/read somewhere that for every degree drop in
> temperature, hardware lifetime is extended by X number of years. Not sure
> if that is still true?

I don't think modifying the cooling system of a server is a good thing, because
most systems are already optimized for good air flow.

> Any input/suggestions would be greatly appreciated.

It's always good to monitor your systems.
There are a lot more things you can monitor (UPS, network ...).
For bigger installations you can use centralized monitoring server(s).
They can normally run all the previous checks and notify you by mail,
pager, SMS ...

A few monitoring servers:
Nagios (NetSaint) (GPL)
BigBrother (commercial)
BigSister (a GPL clone)

Markus

Markus Benning <[EMAIL PROTECTED]>
http://www.w3r3wolf.de
Open Source is a philosophy not a price tag !

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Apache-SSL 'n Cert Fun
Hi,

I don't know why you created a ca.crt when you use a self-signed certificate later.

A self-signed certificate can be generated with one command:

    openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout key.pem -out cert.pem

Also, you must set the extension CA:True in the CA certificate:

    -extensions v3_ca (when you use the default openssl.cfg)

It's best to configure your CAs in openssl.cfg.
Then you can use the "openssl ca" command to sign certificates.

I always use more than one CA certificate.

    root CA
     |-> Server CA
     |    \- CN = www.blablub.de
     \-> User CA
          \- CN = Hans Mueller

You should use the FQDN in the CN field of server certificates.

Markus

On Sat, Mar 01, 2003 at 09:14:52PM -0500, Teddy Knab wrote:
> I have been signing my own certs.
>
> Is that what you are typing about ?
>
> Here is a short clip of what I did:
>
> self signed cert
> openssl genrsa -des3 -out ca.key 2048
> openssl req -new -x509 -days 3652 -key ca.key -out ca.crt
>
> 2nd try docs from http://www.apache-ssl.org/#FAQ
> openssl req -new > new.cert.csr
> openssl rsa -in privkey.pem -out new.cert.key
> openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
> cat new.cert.key > apache.pem
> cat new.cert.cert >> apache.pem
> mv apache.pem /etc/apache-ssl/apache.pem
> cp new.cert.key /etc/apache-ssl/apache.key
>
> Do you trust me ?
> My cert.
> https://webmail.washcoll.edu
>
> Ted

--
Markus Benning <[EMAIL PROTECTED]>
http://www.w3r3wolf.de
Open Source is a philosophy not a price tag !
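The layout described in the message above (root CA, a server CA below it, and a server certificate whose CN is the FQDN), as an added example that is not part of the original post. It signs with `openssl x509 -req` and its own small config file instead of the `openssl ca` setup the message recommends, and the names (`Example Root CA`, `www.example.test`), file names and 2048-bit key size are assumptions; the second run gives the server CA `CA:FALSE` to show what the CA:True remark protects against.

```shell
#!/bin/sh
# Root CA -> server CA -> server certificate, then chain verification.
# Names, file names and the 2048-bit key size are choices made for this example.

# make_chain DIR FQDN CA_SECTION: CA_SECTION is the extension section given to
# the server CA, v3_ca (correct) or v3_leaf (CA:FALSE, to see verification fail).
make_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    # Self-signed root CA; -extensions v3_ca sets CA:TRUE.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -config pki.cnf \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout root.key -out root.crt 2>/dev/null || exit 1
    # Server CA: key and CSR, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=Example Server CA" -keyout srvca.key -out srvca.csr 2>/dev/null &&
    openssl x509 -req -in srvca.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile pki.cnf -extensions "$3" -out srvca.crt 2>/dev/null || exit 1
    # Server certificate: the FQDN goes into CN and subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$2" -keyout www.key -out www.csr 2>/dev/null &&
    openssl x509 -req -in www.csr -CA srvca.crt -CAkey srvca.key -CAcreateserial \
        -days 365 -extfile pki.cnf -extensions v3_leaf -out www.crt 2>/dev/null
)

# verify_chain DIR: succeeds only if www.crt chains to root.crt through srvca.crt.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/srvca.crt" "$1/www.crt" >/dev/null 2>&1
}

# leaf_subject DIR: print the subject line of the server certificate.
leaf_subject() { openssl x509 -in "$1/www.crt" -noout -subject; }

demo=$(mktemp -d)
make_chain "$demo/good" www.example.test v3_ca && verify_chain "$demo/good" && echo "good chain: verified"
make_chain "$demo/bad" www.example.test v3_leaf && verify_chain "$demo/bad" || echo "bad chain: rejected"
```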
Re: isp
On Thu, Dec 06, 2001 at 11:18:28AM -0500, [EMAIL PROTECTED] wrote:
> I need a bulk-friendly ISP for about $30.00 a month

Let us know if you find any... so we can blackhole them. :)

Mark
Re: relay protection for Postfix
On Sat 19/06/2004 at 01:29, Aaron Goulding wrote:
> Okay, there's a lot of talk on -user about spam control, and I'd like to
> make sure my own server is properly secured. Could anyone recommend basic
> steps for Debian STABLE running Postfix for the MTA, to make sure it's not
> being used as a relay point? I want to be able to deliver mail from the
> box itself (to keep SquirrelMail working) but other than that, no one
> should be able to deliver mail through my machine.
>
> I figure this is a pretty simple item, and I'm just missing the steps in
> the docs. Thanks in advance!

If you just want to allow sending mail from the machine itself
(including SquirrelMail), only allow 127.0.0.1, which is the default, I think.
That's all.

> -Aaron, Dreamchaos.net administrator

--
Jérôme Warnier
Consultant
BeezNest
http://beeznest.net
Re: IMAP before relay (was: pop before smtp relay)
On Sun 20/06/2004 at 08:26, Nate Duehr wrote:
> Ward Willats wrote:
>
> > Yeah, everyone _should_ use AUTH (and heck, SSL), but for a boutique
> > server with few relayers, pop-before-smtp still works very well, thank
> > you, with no existing client configuration changes.
>
> Anyone know of any good way to implement IMAP before relay for those of
> us that left POP3 in the 80's where it belongs? ;-)

I would recommend using EXACT[1] for example.
IMAP-before-SMTP will not work as well as POP-before-SMTP, though. The
reason is simple: with POP3, you connect, download the e-mails and
disconnect. With IMAP, you connect and stay connected until you leave
your e-mail client (or your connection explicitly).

[1] http://www.britishsteal.com/dist/exact/

I have Debian packages if you need them.

> Nate Duehr, [EMAIL PROTECTED]

--
Jérôme Warnier
Consultant
BeezNest
http://beeznest.net
Re: IMAP before relay
On Mon 21/06/2004 at 02:31, Conny Brunnkvist wrote:
> Nate Duehr wrote:
>
> > Ward Willats wrote:
> >
> >> Yeah, everyone _should_ use AUTH (and heck, SSL), but for a boutique
> >> server with few relayers, pop-before-smtp still works very well, thank
> >
> > Anyone know of any good way to implement IMAP before relay for those of
> > us that left POP3 in the 80's where it belongs? ;-)
>
> The recently mentioned pop-before-smtp script works quite well, albeit a
> bit contradictory, for IMAP-logins as well. And it's already packaged in
> Debian together with (IIRC) a couple of good examples for well known
> IMAP-servers.
>
> But just as Jérôme also points out, the nature of IMAP makes this method
> less fit for control of relaying. You *will* start noticing one or both
> of the following side-effects after prolonged use:
> * Your users curse loudly and call you up to "fix the mail server"
> each time they finish writing a long e-mail
> * Your users, after being educated several times, develop an
> instinctive "Save draft, restart mail client, Edit draft, Send"-routine,
> which in the end makes them feel reluctant towards using your system as
> a whole ;-)

Well, I have a "go offline" button in Evolution, which does the job.
It is not optimal, though.

> //conny

--
Jérôme Warnier
Consultant
BeezNest
http://beeznest.net