We have following topology

Internet -> Firewall1 -> ReverseProxy(for security) -> Web Server -> firewall2 -> databse

Firewall is linux iptables hardened

We do not have any IPS or IDS in here.

Question is Is ips/ids required for web server hosting? does it gain anything? only ports that are open is 80 and 443

On a very sporadic schedule, IE does not get all the files necessary to compose the page (i.e. CSS and JS files). When I manually go to the missing files from the address bar, they come back from local cache as empty. I F5 these source files and magically they come down properly. I refresh the site after loading a few files and the cache seems to hold.

This problem has only been reproduced (again, sporadically) on IE 7 and 8 running XP. Chrome and Firefox appear to be immune.

We have set IIS to use server-side kernel caching for CSS, JS and images. We also have set to expire content for the App_Themes and Scripts directories to expire immediately. One initial thought it was a SWF loading an FLV on page load. These fixes have not remedied the problem.

We had no problems on our staging server which is using Server 2003 and IIS 6.

Any ideas would be greatly appreciated.

P.S. It sounds similar to this problem: but we do have the Static Content module installed. http://serverfault.com/questions/115099/iis-content-length-0-for-css-javascript-and-images

    Can't move '/usr/local/svn/articles/db/txn-protorevs/2002-8.rev' 
to '/usr/local/svn/articles/db/revs/2/2003': Permission denied

I checked the permissions in the repository, and they look the same as all our other repositories, yet this is the only repo that causes the error.

Any ideas how I can fix this?

SVN is running as root on Linux via svnserve, FWIW.

base dn: dc=test,dc=com

ldap server: 192.168.0.1 and no TLS encryption (need to get it running first)

on the options page

Cache user information, use shadow passwords, password hashing algorithm md5, local authorization is sufficient for local users, create home directories on the first login

But it wont let me ssh into the box with an AD account. Even when i log onto a local account there is a HUGE delay. 1-5 mins.

I keep getting these errors in /var/log/secure but googling them doesn't help.

nss_ldap: Reconnecting to LDAP server (sleeping 4 seconds)

nss_ldap: Reconnecting to LDAP server (sleeping 8 seconds)

I have installed SFU3.5 on the AD and filled out the unix tab for the testing users.

At first, only files in subdirectories would not run properly. Now though (after a restart), all files do not work.

Basically, instead of running, the source file is downloaded in my browser (unless the server isn't on - then I simply get the "Problem Loading Page" message).

When it was working, other problems occured, such as include files being echo'd instead of run.

Can someone guide me w/ regards to getting Uniserver to run cleanly and properly?

Thanks!

Edit:

Now when I browse to http://localhost, it shows a directory browsing interface like this: http://www.gobalakrishnan.com/wp-content/uploads/2008/04/directory-browsing.jpg

Edit: I reinstalled Uniserver and it's the same, except now the admin panel is working!

It runs fine for about 30 minutes, but then fails with the error:

Server Error in '/' Application.

Dynamic view compilation failed. c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\61a09567\0ee17e160a294837a9b42f8e66a8d2c9-1.cs(6,7): error CS0246: The type or namespace name 'MvcReCaptcha' could not be found (are you missing a using directive or an assembly reference?)

MvcReCaptcha.dll is present in the bin directory, and is certainly used by the application while it's running (functionality provided by that DLL is referenced).

The application can be reliably restarted by:

1. Stopping that site
2. Deleting c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\61a09567
3. Restarting that site

The Application Pool is set to recycle every 1740 minutes (no other conditions).

Thoughts on what might be causing the crash?

This is the relevant portion from the upgrade guide:

pf(4) NAT syntax change

As described in more detail in this mailing list post, PF's separate nat/rdr/binat (translation) rules have been replaced with actions on regular match/filter rules. Simple rulesets may be converted like this:

nat on $ext_if from 10/8 -> ($ext_if)
rdr on $ext_if to ($ext_if) -> 1.2.3.4

becomes

match out on $ext_if from 10/8 nat-to ($ext_if)
match in on $ext_if to ($ext_if) rdr-to 1.2.3.4

and...

binat on $ext_if from $web_serv_int to any -> $web_serv_ext

becomes

match on $ext_if from $web_serv_int to any binat-to $web_serv_ext

nat-anchor and/or rdr-anchor lines, e.g. for relayd(8), ftp-proxy(8) and tftp-proxy(8), are no longer used and should be removed from pf.conf(5), leaving only the anchor lines. Translation rules relating to these and spamd(8) will need to be adjusted as appropriate.

N.B.: Previously, translation rules had "stop at first match" behaviour, with binat being evaluated first, followed by nat/rdr depending on direction of the packet. Now the filter rules are subject to the usual "last match" behaviour, so care must be taken with rule ordering when converting.

pf(4) route-to/reply-to syntax change

The route-to, reply-to, dup-to and fastroute options in pf.conf move to filteropts;

pass in on $ext_if route-to (em1 192.168.1.1) from 10.1.1.1
pass in on $ext_if reply-to (em1 192.168.1.1) to 10.1.1.1

becomes

pass in on $ext_if from 10.1.1.1 route-to (em1 192.168.1.1)
pass in on $ext_if to 10.1.1.1 reply-to (em1 192.168.1.1)

Now, this is my current pf.conf:

#       $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"

polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"

table <leechers> persist

set loginterface $ext_if
set skip on lo

match on $ext_if all scrub (no-df max-mss 1440)

altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22

rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600

anchor "ftp-proxy/*"

block

pass on $int_if queue(q_hi, q_pri)

pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)

pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri

If someone has experience with porting the 4.6 pf.conf to 4.7, please help me do the correct changes.

OK, this is how far I've got:

I commented out nat-anchor and rdr-anchor, as describted in the guide:

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"

And this is how I've "converted" the rdr rules:

#nat on $ext_if from !($ext_if) -> ($ext_if)
match out on $ext_if from !($ext_if) nat-to ($ext_if)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
match in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp to port 2080 -> $segatop port 80
match in on $ext_if proto tcp tp port 2080 rdr-to $segatop port 80
#rdr pass on $ext_if proto tcp to port 2022 -> $segatop port 22
match in on $ext_if proto tcp tp port 2022 rdr-to $segatop port 22

rdr pass on $ext_if proto tcp to port 4000 -> $polemon port 4000
match in on $ext_if proto tcp tp port 4000 rdr-to $polemon port 4000
rdr pass on $ext_if proto tcp to port 6600 -> $polemon port 6600
match in on $ext_if proto tcp tp port 6600 rdr-to $polemon port 6600

Did I miss anything? Is the anchor for ftp-proxy OK as it is now? Do I need to change something in the other pass in on... lines?

EDIT: To clarify: The idea is 2 seperate physical drives, 2 datastores, and no other VM to use them. Also, RDM is not an option for me in this case.

Right now I have an App that I wrote for App Engine, but I don't want it to use Google IP space for external connections. So I need to host it somewhere else with an App Engine platform.

A client of mine shipped me a Windows 7 box that I am supposed to work on. Unfortunately the machine is joined to his domain (which I cannot access - legally or physically) and the local administrator account appears to be disabled.

Is there anyway that I can get into the system and enable/create a local account with administrator level rights given that I have physical access? Or is my only choice to ship it back and get my client to enable a usable account and ship it back to me again?

For what its worth this is Windows 7 professional.

Edit

As prompted by Chunkyb2002's answer about caching of domain credentials I forgot to mention that there is a domain user as being the last login. Presumably this person also set this computer up and potentially has admin rights. So given this new info is it likely that if I get the password that Windows 7 will let me log in?

Edit 2

I'm in with cached credentials!

Is there a way to keep mod_wsgi from trying to determine the "user" associated with a particular UID? I can't find a directive anywhere that does this.

EDIT: Taking a look at the mod_wsgi.c source, it appears (near line 9700) that the conditional check for an entry in /etc/passwd is hard-coded.

In other words, this isn't possible.

How do you get apt-get to authenticate through a proxy that only supports NTLM? Do I need to change my proxy config to also support other authentication mechanisms?

Ubuntu 10.04.

I'm having a problem with the web view because it seems my server wont serve .cs or .csproject files (even though it technically isn't from the context of the hg web view)

My first instinct was to add the MIME type to the server as you can see here:

(I've added it at the root webserver level so all sites inherit it)

Anyway, after restarting the IIS Service / App pools / etc... It still is unable to serve .cs files

• http://myinternalserver/blah.txt Serves fine
• http://myinternalserver/blah.cs 404's

Am I missing a step here? Is there something funky about a .cs file? It doesn't make sense that it'd be a special type flagged as an "executable" or something because frankly .bat is servable, and it's way more prone to execution that an uncompiled C# file.

Anyone have ideas? Am I just going about this horribly wrong?

Is there a simple way to find the history of all the "sudo apt-get install" commands I have given over time? That is, dpkg -l shows me all the packages that have been installed, but not which top-level package installed them. If there is a way for dpkg to give me the installing package, I can find the unique ones there; otherwise, I want something else to say "you installed these 24 packages".

I'm setting up a hosting service & want to script the creation of the DNS entries through a web app.

Right now our DNS is hosted with Slicehost.com where they have an API and unlimited DNS entries included with every account.

I was just wondering if there was anything out there that was DNS only.

Thanks!

Is it possible to find out which company is responsible?

I know I can report to the ISP the IP but I'd like to find out who is responsible in particular.

Install Notes

1. Apache: httpd-2.2.16-win32-x86-no_ssl.msi
2. PHP : VC6 x86 Thread Safe (2010-Jul-21 20:06:17) (ZIP)
3. adLDAP.php

Steps I've taken

1. Made sure php_ldap.dll is in C:\PHP\ext (I had to get this from http://bugs.php.net/bug.php?id=46971)
2. Made sure libeay32.dll and ssleay32.dll are in C:\PHP
3. C:\PHP has been added to PATH
4. extension=php_ldap.dll is uncommented in php.ini
5. extension_dir is set to C:\PHP\ext in php.ini
6. ran a phpinfo(); the correct php.ini is being loaded, but ldap is not initialized

I'm really at a loss for what might be happening, when I try and use the extension I get the following error (expected since it didn't load):

exception 'adLDAPException' with message 'No LDAP support for PHP. See: http://www.php.net/ldap' in C:\Website\hmis\adLDAP.php:338 Stack trace: #0 C:\Website\hmis\login.php(10): adLDAP->__construct() #1 C:\Website\hmis\index.php(2): require_once('C:\Website\hmis...') #2 {main}

Does anyone have any advice on what might be going wrong? Thanks.

Edit: So it seems like php_ldap.dll is missing from 5.3.3 VC6 builds, I got my copy from a 5.3.1 VC6 build. Could that be causing issues? I'm using apache so I can't use the official VC9 PHP builds, should I try to use ApacheLounge builds? I don't think it should be necessary because I got LDAP working with the official builds for 5.3.1

Edit 2: So the other thing I've tried is completely removing the php_ldap.dll from C:\PHP\ext . I get the exact same error as before, and apache doesn't crash as I would expect it to. Shouldn't it not be able to start with a missing extension?

cisco-2811#show ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)

It has 4 slots installed with T1/E1 ports (three 2-port modules and one 1-port module):

cisco-2811#show diag
Slot 0:
    C2811 Motherboard with 2FE and integrated VPN Port adapter, 2 ports
    ...

    WIC Slot 0:
    VWIC2-1MFT-T1/E1 - 1-Port RJ-48 Multiflex Trunk - T1/E1
    ...

    WIC Slot 1:
    VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1
    ...

    WIC Slot 2:
    VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1
    ...

    WIC Slot 3:
    VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1
    ...

I have specified the card types as T1 and rebooted. I can see the Controller interfaces in the show run output, but I still don't have any Serial interfaces in the show run or in the interface ? output. I've pasted my full configuration below. Any insight is appreciated.

Thanks, Nathan Alderson

cisco-2811#show run
Building configuration...


Current configuration : 1433 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco-2811
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
card type t1 0 1
card type t1 0 2
card type t1 0 3
logging message-counter syslog
enable secret 5 $1$4REP$JN8wnnSMwWfdkWv6PDVbf/
enable password PASSWORD
!
no aaa new-model
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate wic 3
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
archive
 log config
  hidekeys
!
!
controller T1 0/0/0
 cablelength long 0db
!
controller T1 0/1/0
 cablelength long 0db
!
controller T1 0/1/1
 cablelength long 0db
!
controller T1 0/2/0
 cablelength long 0db
!
controller T1 0/2/1
 cablelength long 0db
!
controller T1 0/3/0
 cablelength long 0db
!
controller T1 0/3/1
 cablelength long 0db
!
!
interface FastEthernet0/0
 ip address dhcp
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 password password
 login
!
scheduler allocate 20000 1000
end

eth0:            69.164.214.146
                 ( li129-146.members.linode.com )
Gateways:        69.164.214.1
Netmask:         255.255.255.0
Private eth0:    192.168.140.217
Netmask:         255.255.128.0
DNS Servers:     97.107.133.4
                 207.192.69.4
                 207.192.69.5

and here's my /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto eth0 eth0:0
iface eth0 inet static
 address 69.164.214.146
 netmask 255.255.255.0
 gateway 69.164.214.1

iface eth0:0 inet static
 address 192.168.140.217
 netmask 255.255.128.0

On the linode I'm setting up, I can ping 192.168.140.217 just fine. The other linode will not, though.

Yes, the other Linode is in the same data center.

Perhaps there is something I need to do with iptables? Perhaps my configuration isn't right? Any help is appreciated.

My question is what is the best way to migrate the SQL cluster from one network to the other? It would reside in the same cluster, same name, just dependent on another subnet.

My instinct tells me to just reinstall sql into the cluster, specifying the other subnet on the install, then clean up the mess afterwards.

But I was wondering if maybe there was any other ways, perhaps a best practice that I'm not aware of.

Thanks

There's squid in the front which caches images. Then there is apache httpd with mod_rewrite enabled. httpd then talks to apache tomcat(with mod_jk) for dynamic requests and servers static stuff like js,css on it's own. Apache httpd rewrites clean urls to raw ones(with ugly url params) that tomcat deals with. There are over 100 rewrite rules in the mod_rewrite config. We also have certain php stuff that we hacked together to work with facebook. the php files are served by apache, but the load is significantly less.

So the goal is to able to cache static files(js,css,images) aggressively and give the dynamic stuff directly to tomcat. We need url rewriting(that probably can be done in tomcat itself), gzip/deflate support as well as support for php.

So, given our needs, can a caching server like squid/varnish be placed directly in front of tomcat to make this work or Would we need a web server like nginx/lighttpd in between because we need php ?

I'd like to have it set up where if the first server goes down I can change the ip of the second server and have all the users, files, databases etc. ready to go.

Does anyone have any suggestions on the easiest / best way to go about this?

Considerations

• Users
• Databases
• Apache Configuration
• Files
• Making sure the same software is installed on both boxes. (probably need to do this up front)

Before exploring an in-house development solution is anyone aware of off-the-self products or other solutions?

We once looked at using Penrose as a proxy with it's MySql facilities but no longer have the resource to implement it.

How well has the e-mail server worked for you? Can you get your e-mail on a variety of (Mac and Windows) clients?

Do you have the ability to share calendars?

How does all this work with Microsoft Outlook?

HP MediaSmart Server

My desire is to get rid of all the media capabilities by removing Windows Home Server, and installing a full blown Windows Server OS on it.

Given that it doesn't have a video-out port, it might prove difficult. I know that the machine comes with a restore disc that will wipe or recover the machine to factory defaults. Perhaps that needs some 'tweaking'. Unattended installation, likely

Perhaps Windows Home Server can accommodate the installation of SQL Server, IIS, and ASP.NET. Has anyone heard or learned how to run the WISA stack on this beautiful machine?

The idea here is for a server at home. The incredible ease of adding hard disks to this machine make it very attractive, as well as its small footprint.

Thanks!

But, is there any reason to defrag Linux file systems (ext2/3/4, ReiserFS, etc) ?

If yes, what tools are available for that ?

The response speed varies from resolver to resolver and I periodically modify /etc/resolv.conf to get the best performance.

On two occasions I found one of my public websites was taking far too long to load and this was, in part, related to it depending on backend web services that were taking around 15s to resolve a domain to an IP.

To ensure the most responsive resolvers are always specified, I'd like to automate the process of modifying /etc/resolv.conf.

I can script it if need be, however that would inevitably feature an obscure bug and I want to minimise the risk of an automated process making a mess of /etc/resolv.conf. Any pre-existing solution that has been tested for a long time and shown to be stable will be more reliable than my own solution.

I'm interested in knowing if anyone has tackled this type of problem before and whether there are any stable scripts/processes/methods for handling this.

• NetComm NP200AV
• D-Link DHP-300
• NETGEAR HDXB101

This is for a situation where network cabling and wi-fi are not viable options.

What are its requirements and how do you set up this feature?

Hardware is assembled here at the office but the hardware face plates are screen printed at my house by my mom. She has this stick about things and requires a Purchase Order to be delivered from the office. Printing one out herself via email isn't an option (it just isn't, don't ask for a reasonable answer).

Because I happen to live in the same house, It's up to me to deliver these Purchase Orders, and I'm just not good at it. I forget, or she's not home, or I don't go directly home or whatever.

Actual Question: I would like to send a document to a printer here at the office, and have the result spat out by the Canon Print Device at home. There is at least one Linux and one Windows computer at both ends (Ubuntu or XP). Is this possible?

So do I need to defrag my disk? And if, How would I do that?

The problem is that traffic between LAN PCs and VPN clients doesn't route correctly. LAN clients can ping VPN clients, but VPN clients cannot ping LAN clients (using Wireshark I see the ping gets to the client, but the client cannot respond).

I have a routing entry on the main gateway to point all traffic to the VPN subnet to the VPN gateway. However, that doesn't seem to do the trick. The only solution I've found is to add a static routing entry on the all the PCs on the LAN to point them to the VPN gateway for its subnet. However, this doesn't work for embedded devices that don't allow you to do static routing.

What am I doing wrong?

Here are the IPs/subnets in question (the public addresses are faked for the sake of privacy):

LAN: 192.168.0.0 VPN clients: 192.168.1.0

LAN Gateway: 192.168.0.1 (WAN: 1.1.1.1) VPN Gateway: 192.168.0.2 (WAN: 1.1.1.2)

The LAN Gatway has a route for 192.168.1.0 -> 192.168.0.2

I have partial success with each PC having a static route for 192.168.1.0 -> 192.168.0.2.

Edit:

The VPN gateway is a Netgear ProSafe VPN Firewall FVS338, and the main gateway is an Actiontec MI424-WR (for Verizon FiOS).

Put 2 100mbps cards in, same deal. %20-40 used.

What Gives?

As SQL server can backup a database to a file would we be better scheduling SQL server to create a backup file and then backing up these files to tape? Also if we use this method is it possible to somehow create a log of transactions that have been completed since the last backup so we can recreate the database and apply the additional transactions?

We have System Center Essentials set up to keep all the computers up to date as far as Windows Update. We also have Trend Micro which has protected us well so far, so the issue is only of preventative maintenance at this time.

What is the best way that we ensure that everyone's computers are kept up to date with the latest versions of Flash and Java? Can we use some sort of automated check to scan everyone's computers, akin to Mozilla's Plugin Check but on a widespread scale? Can System Center Essentials come in handy for this? Those of you who manage computers like this, how do you keep everyone's plugins up to date?

Has anyone seen this and been able to solve it?

Has anyone tried this? Can I just use a 2.6.24 Xen kernel? Do I need to recompile the domU kernel to match anything in my dom0?

Or is it necessary to upgrade the dom0?

Thanks!

We've tracked this down to Sophos checking for updates as soon as the user logs in - the checking process eats cycles on the workstation, and the network access of 100+ PCs to check the server at the start of the day eats the bandwidth.

Is it possible to stop the Sophos auto-updating service from doing this, and make it wait to the next scheduled check time (which gets randomised over time)?

On a related note, what is a good barebones set of packages that will give me the essentials, without fluff that I'll probably never run?

Please provide reasoning behind your recommendations

Edit: Just to clarify, I already have over 70 Virtual SQL servers in separate clusters using an ISCSI equallogic San -

What I am really looking for are those advanced configurations like:

How you configured your disks / RDM's

Do you make use of settings like Mem.ShareScanGHz - http://communities.vmware.com/thread/143828 - that are not well documented