Thursday, November 30, 2006

Squid: radio stream list

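Ha, I found the radio stream URLs. These will become the Squid block list.

Usually I let users see the website but not listen to the streams.
Taking Chunghwa Telecom as an example: let http://radio.hinet.net through,
then use squidGuard to block the following URLs:
radio.hinet.net/radio/player/player.jsp (first stage)
grm.cdn.hinet.net/media/radio/play.asp (second stage)


Basically, Chunghwa Telecom no longer offers direct mms connections.
A client has to go through player.asp, which then calls play.asp to connect,
and only at the end reaches the whole live.media.hinet.net domain.
If a client cannot get past the first stage, it cannot listen to the radio.
In other words, blocking only the first stage is enough.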


Chinese-language radio list (* = check in progress, x = apparently gone, o = checked OK)
*Kiss Radio 大眾廣播=mms://203.187.31.160/khkiss
*交通網台中臺 FM 94.5 =mms://210.61.218.114/live.media.hinet.net/prs05
*台北之音線 FM107.7=mms://203.187.31.160/FM1077
*交通網台北臺 FM 94.3 FM 94.3=mms://210.61.218.114/live.media.hinet.net/prs02
*全國交通網 FM 104.9=mms://210.61.218.114/live.media.hinet.net/prs01
x音樂罐頭網路電臺=mms://wms9.elta.com.tw/music-can
o中廣新聞網=mms://live.media.hinet.net/Radio_BCC-NEWS
o中廣音樂網=mms://live.media.hinet.net/Radio_BCC-MUSIC
o中廣流行網=mms://live.media.hinet.net/Radio_BCC-POP
o中廣古典網=mms://live.media.hinet.net/Radio_BCC_CLASIC
o中廣客家頻道=mms://live.media.hinet.net/Radio_BCC-HAKKA
o Real中廣晨間新聞=http://203.69.33.10/mnews.ram
o Real中廣晚間新聞=http://203.69.33.10/enews.ram
中央廣播電臺-新聞網=mms://live.media.hinet.net/CBS1
中央廣播電臺-綜合網=mms://live.media.hinet.net/CBS2
中央廣播電臺-國際網=mms://live.media.hinet.net/CBS3
中央廣播電臺-音樂網=mms://live.media.hinet.net/CBS4
中央廣播電臺-亞洲語網=mms://live.media.hinet.net/CBS5
中央廣播電臺-方言網=mms://live.media.hinet.net/CBS6
台北之音HitFm(FM107.7)=http://203.187.31.160/FM1077
台北之音HitFm(FM91.7)=http://203.187.31.160/FM917
台北愛樂電臺=http://203.187.31.160:80/fm997
台北廣播電臺 FM93.1=mms://live.media.hinet.net/TCGRADIO
好事聯播網-台北FM98.9=mms://live.media.hinet.net/best983
東森ETFM聯播網=mms://210.58.102.100/etfm-live
News98=mms://live.media.hinet.net/news98
飛碟電臺-國語流行臺Media=mms://live.media.hinet.net/ufo_music3
飛碟電臺-國語經典臺Media=mms://live.media.hinet.net/ufo_music1
飛碟電臺-外語流行廣播Media=mms://live.media.hinet.net/ufo_music4
飛碟電臺-英語經典臺Media=mms://live.media.hinet.net/ufo_music2
飛碟電臺-網線上即時廣播Media=mms://live.media.hinet.net/ufo
漢聲電臺AM=mms://live.media.hinet.net/VHBN-AM
漢聲電臺FM=mms://live.media.hinet.net/VHBN-FM
警察廣播電臺-台北臺=mms://live.media.hinet.net/prs02
警察廣播電臺長青網=mms://live.media.hinet.net/prs03
警廣全國臺=mms://live.media.hinet.net/prs01
台中廣播電臺 FM100.4~FM100.7=mms://live.media.hinet.net/lucky7?RADIOA2815D1F-299A-480E-988A-B3FE04317B0D
正聲廣播AM819=mms://live.media.hinet.net/csbc02
正聲廣播FM1041=mms://live.media.hinet.net/csbc01
佳音電臺=http://www.voiceofhope.com/realhtml/live.ram
太陽廣播電臺FM89.1=mms://wms9.elta.com.tw/fm891
好事聯播網-山海屯電臺=mms://live.media.hinet.net/best903?RADIOA8AE6AB2-BA60-4FAF-B8AF-EB6E1205D581
環宇廣播電臺=mms://210.243.236.17:8080/
ICRT=http://live.giga.net.tw/icrt16.asx
台中大千=http://live.giga.net.tw/tcbig1000.asx
警廣台中臺=mms://live.media.hinet.net/prs05
好事聯播網-港都電臺=mms://live.media.hinet.net/best983?RADIO2E4B973F-D881-420B-B56F-59F41391569C
警廣高雄臺=mms://live.media.hinet.net/prs07
台灣新聲TNT(FM 98.5)=mms://203.187.31.160/superfm985
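
One way to turn a list in the `station=URL` form above into Squid ACL lines, as an added example that is not part of the original post. The function names and the ACL names `radio_streams` and `radio_streams_ip` are assumptions; the sample entries are copied from the list.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Turns "station=URL" lines (the list format used above) into Squid ACL lines.
# The ACL names radio_streams / radio_streams_ip are hypothetical.

# Print the unique host of every URL found on stdin, one per line.
extract_stream_hosts() {
    # cut -s drops lines without "=" (a station name wrapped onto its own line);
    # the first sed expression strips the scheme, the second cuts at the first
    # "/", "?" or ":" so that only the host remains.
    cut -s -d= -f2- \
      | sed -E -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/?:].*$##' \
      | LC_ALL=C grep -E '^[A-Za-z0-9.-]+$' \
      | LC_ALL=C sort -u
}

# Numeric hosts go into a "dst" ACL, host names into a "dstdomain" ACL.
squid_acl_lines() {
    while IFS= read -r host; do
        case "$host" in
            *[!0-9.]*) printf 'acl radio_streams dstdomain %s\n' "$host" ;;
            *)         printf 'acl radio_streams_ip dst %s\n' "$host" ;;
        esac
    done
}

# Constructed sample: a few entries copied from the list above.
sample_station_list() {
    cat <<'EOF'
*Kiss Radio 大眾廣播=mms://203.187.31.160/khkiss
o中廣新聞網=mms://live.media.hinet.net/Radio_BCC-NEWS
o中廣音樂網=mms://live.media.hinet.net/Radio_BCC-MUSIC
台北愛樂電臺=http://203.187.31.160:80/fm997
環宇廣播電臺=mms://210.243.236.17:8080/
ICRT=http://live.giga.net.tw/icrt16.asx
台中廣播電臺
EOF
}

# Demo: print the ACL definitions followed by the deny rules that use them.
sample_station_list | extract_stream_hosts | squid_acl_lines
printf 'http_access deny radio_streams\nhttp_access deny radio_streams_ip\n'
```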

Wednesday, November 29, 2006

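Squid: connection problem with sii.tse.com.tw

sii.tse.com.tw runs Java Composer Server 2.1
Checked with Netcraft
-> http://toolbar.netcraft.com/site_report?url=http://sii.tse.com.tw
Many Squid 2.5.X versions have this problem when browsing this kind of site
As far as I know, though, only two or three such sites remain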


ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to process the request:

GET / HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-icq, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-TW
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAIAAgBIAAAABQAFAEoAAAAHAAcATwAAAAAAAACGAAAABgIAAgUBKAoAAAAPVENQNDMyMzNRSlpMMVNa9fEVgWavfhlxr0rq32/47tQmQbwO7MLqoRs8FMFKX4YuAvegkV7F3s+YiELQvQd=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; IEMB3)
Host: sii.tse.com.tw
Proxy-Connection: Keep-Alive

The following error was encountered:

Invalid Response
The HTTP Response message received from the contacted server could not be understood or was otherwise malformed. Please contact the site operator. Your cache administrator may be able to provide you with more details about the exact nature of the problem if needed.

Tuesday, November 28, 2006

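WinMerge - a file comparison tool

A long time ago I went looking for a file comparison tool.
At first I searched download.com for "win diff"
(PS: this keyword no longer works; Araxis no longer puts its software there)
and found Araxis Merge, which is quite powerful.
Later, as SourceForge kept growing,
I searched for "diff" and found WinMerge.
At first it was hard to use: it could only compare and do nothing else.
Since 2.0, however, it rivals Araxis Merge.
I strongly recommend it to people who write code.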

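Blocking ads with a PAC (Proxy Auto Configuration) file

I was surprised when I saw this; I had never thought anyone would do it this way.

Bust Banner Ads with Proxy Auto Configuration
http://www.schooner.com/~loverso/no-ads/

Download no-ads.zip, unpack it, and in no-ads.pac change
var normal = "DIRECT";
to the proxy you use yourself.
If you go out directly without a proxy, leave it unchanged.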

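mount cd & dump image & mount iso: a trilogy

How do you copy the data off a CD when the computer has no CD-ROM drive?
The job happens to take three steps, which made me think of a trilogy,
like the Star Wars trilogy or Jin Yong's Condor trilogy.
Each part can stand on its own, or they can be strung together into one complete theme.
Wikipedia even has an entry for "trilogy"!

Oops, I'm overthinking it. Dear reader, please read on.

server A: no CD-ROM drive, server B: has a CD-ROM drive

1. Mount CD -> find a computer with a CD-ROM drive and mount the disc
server_b# mount -r -F cdfs -o cdcase /dev/dsk/c3t0d0 /cdrom

2. Dump Image -> use dd to save the data as an ISO file
server_b# dd if=/dev/dsk/c3t0d0 of=/mnt/rhel3_1.img

3. Mount ISO -> use mount to mount the ISO on /tmp/cd1
server_a# rcp server_b:/mnt/rhel3_1.img /mnt
server_a# mount -o loop -t iso9660 /mnt/rhel3_1.img /tmp/cd1

That is the trilogy.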

reset cacti admin password to "admin"

If you forget the cacti password - I do this all the time

Use Webmin or phpMyAdmin

and run this statement against the cacti database:

update user_auth set password='21232f297a57a5a743894a0e4a801fc3'
where username='admin';

or
update user_auth set password=md5('admin') where username='admin';

The password is stored in MD5 format

PS: this method is mentioned in the FAQ, but I use it so often that I wrote it down

Webmin backup

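Background:
I have seen many people write backup scripts, but I am no expert in that area.
I would rather have a simple method whose steps are easy and which does not change the system much.
So the method I thought of is Webmin's own filesystem backup feature.
Doing system backups through Webmin is both simple and easy to standardize.

Machine to back up - ap1, backup user - root
Backup host - bck, backup user - backup

1. Generate the key pair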
[root@ap1 root]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_dsa):
Created directory '/home/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/root/.ssh/id_dsa.
Your public key has been saved in /home/root/.ssh/id_dsa.pub.
The key fingerprint is:
21:dc:d8:39:ef:d0:47:df:d1:01:1b:76:78:e1:80:d0 root@ap1
[root@ap1 .ssh]# ls
id_dsa id_dsa.pub known_hosts
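Copy the generated public key to the bck server
scp id_dsa.pub backup@bck:/home/backup/.ssh/id_dsa-ap1.pub
Store the public key in ~backup/.ssh/authorized_keys
[backup@bck .ssh]# cat id_dsa-ap1.pub >> authorized_keys

2. Webmin backup settings
webmin / System / Filesystem Backup
Add a backup directory / tick [In TAR format] / enter the directory to back up
Set the backup host, account, destination directory and schedule, and you are done.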

Saturday, November 25, 2006

Squid: Block Skype with squid

# Prevent Skype connecting HTTPs using CONNECT requests to IP addresses (those not using domain names)
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all
# Prevent Skype from connecting over HTTP
acl Skype_UA browser Skype
http_access deny Skype_UA
# Prevent anyone from downloading anything from the skype website
acl Skype_domain dstdomain skype.com
http_access deny Skype_domain

Mirror CentOS update

install mirrordir from http://dag.wieers.com/packages/mirrordir/


yum-arch -l /var/www/html/yum/centos/4/os/i386 /var/www/html/yum/centos/4/os/i386/CentOS/RPMS



yum-arch /var/www/html/yum/centos/4/updates/i386/RPMS

createrepo /var/www/html/yum/centos/4/os/i386/CentOS/RPMS
createrepo /var/www/html/yum/centos/4/updates/i386/RPMS

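Backups with ssh + tar

I excerpted this from an article I once read online; the source can no longer be traced. It uses ssh + tar for backups, which is not only secure but also reasonably efficient.

$target is the target machine, i.e. the remote machine
$backup_server is the backup machine, which is also a remote machine
$save is the backup directory

Ask the remote machine for a backup and pull it back to local
ssh $target tar -cf - / --exclude /mnt | bzip2 -9 | cat > $target.tar.bz2

Unpack the local backup and restore it to the remote machine
bunzip2 -dc $target.tar.bz2 | ssh $target "cd /;tar -pxkf -"

Back up local data and send it to the remote machine to be compressed and stored
tar cf - / --exclude xxx | ssh $backup_server "bzip2 -9 > $save/test.tar.bz2"

Pull the remote data back to local and decompress it
ssh $backup_server "cat $save/test.tar.bz2" | bunzip2 | tar -xpkf -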

Squid : Block Spyware with DNS

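Besides squidGuard,
what other ways are there for Squid to block spyware?

I found an article on blocking with DNS.
The principle is simple: add the spyware domains to the DNS server,
and whenever someone queries one, answer 127.0.0.1 directly.
IT then does not have to add /etc/hosts entries on every machine.
The author also thoughtfully provides an update script, update.sh, for updating.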

Malware Prevention through black-hole DNS
http://www.bleedingsnort.com/blackhole-dns

Or another one, sa-blacklist
http://www.sa-blacklist.stearns.org/sa-blacklist/
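
The principle described above, sketched for a BIND name server: every listed domain becomes its own zone that points at one shared zone file answering 127.0.0.1. This is an added example, not the update.sh from the linked article; the zone file path, function names and sample domains are assumptions.

```shell
#!/bin/sh
# Added example, not the update.sh from the linked article.
# Builds BIND configuration that answers 127.0.0.1 for every listed domain.
BLACKHOLE_ZONE_FILE="/var/named/blackhole.zone"   # assumed path

# One shared zone file: the zone apex and every name below it get 127.0.0.1.
blackhole_zone_file() {
    cat <<'EOF'
$TTL 3600
@   IN  SOA localhost. root.localhost. ( 1 3600 900 604800 3600 )
    IN  NS  localhost.
    IN  A   127.0.0.1
*   IN  A   127.0.0.1
EOF
}

# stdin:  one domain per line ("#" comments allowed).
# stdout: one named.conf zone statement per unique, well-formed domain.
# Lines that are not plain host names are dropped, so a damaged list entry
# can never end up as configuration text, and duplicates are removed because
# named refuses to load the same zone twice.
blackhole_zone_statements() {
    tr -d '\r' \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e 's/\.$//' \
      | LC_ALL=C grep -E '^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z]{2,}$' \
      | LC_ALL=C sort -u \
      | while IFS= read -r domain; do
            printf 'zone "%s" { type master; file "%s"; };\n' \
                "$domain" "$BLACKHOLE_ZONE_FILE"
        done
}

# Constructed sample list (reserved example domains, one malformed line).
sample_domain_list() {
    cat <<'EOF'
# constructed sample list
ads.example.com
Tracker.Example.NET.
ads.example.com
broken.example.org"; }; options {
EOF
}

# Demo: the zone statements to include from named.conf, then the zone file.
sample_domain_list | blackhole_zone_statements
blackhole_zone_file
```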

Friday, November 24, 2006

Solaris: fix problem with "pkginfo"

pkginfo reports: pkginfo file is corrupt or missing

Please try the following (to find out which pkginfo file is corrupt) in
ksh or sh (logged in as root):
cd /var/sadm/pkg
for i in *
do
echo "============================================"
echo "$i :"
pkginfo -i "$i"
done
Examine the output for the wrong or missing pkginfo file (located in the
directory /var/sadm/pkg/PKGNAME/pkginfo).
Then you have different ways to solve the problem:
- you can copy a working version of the pkginfo file from another machine to
your machine
- you can try to edit the wrong file
- you can try to install a newer patch to get a working pkginfo file.

Solaris: DiskSuite OS Mirror

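The nice thing about this example is that the mirror comes out very clean.
Honestly, I don't much like the result you get by dragging things around in the GUI.

Because of a UFS limitation there can only be 8 slices,
so after subtracting swap, metadb and slice 2 only 5 are left.
Here I created /, /var, /opt, /usr and /export/home.

There are two disks, c0t0d0 and c0t1d0.
After installing DiskSuite_4.2.1 and its patch: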

Following is the file system layout.
c0t0d0s0 /
c0t0d0s1 swap
c0t0d0s3 /var
c0t0d0s4 (metaDB*3)
c0t0d0s5 /opt
c0t0d0s6 /usr
c0t0d0s7 /export/home

Meta Device Map

slice   mirror  c0t0d0  c0t1d0
s0      d0      d10     d20
s1      d1      d11     d21
s2      d2      d12     d22
s3      d3      d13     d23
s5      d5      d15     d25
s6      d6      d16     d26
s7      d7      d17     d27

Login as root

a. dump c0t0d0 to c0t1d0

# prtvtoc /dev/rdsk/c0t0d0s2 > boot-vtoc.tab
# fmthard -s boot-vtoc.tab /dev/rdsk/c0t1d0s2

You can combine the two commands:
prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t1d0s2

b. create metadb
# metadb -afc 3 c0t0d0s4
# metadb -afc 3 c0t1d0s4

c. create meta device

# metainit -f d10 1 1 c0t0d0s0
# metainit -f d11 1 1 c0t0d0s1
# metainit -f d13 1 1 c0t0d0s3
# metainit -f d15 1 1 c0t0d0s5
# metainit -f d16 1 1 c0t0d0s6
# metainit -f d17 1 1 c0t0d0s7

# metainit d20 1 1 c0t1d0s0
# metainit d21 1 1 c0t1d0s1
# metainit d23 1 1 c0t1d0s3
# metainit d25 1 1 c0t1d0s5
# metainit d26 1 1 c0t1d0s6
# metainit d27 1 1 c0t1d0s7


# metainit d0 -m d10
# metainit d1 -m d11
# metainit d3 -m d13
# metainit d5 -m d15
# metainit d6 -m d16
# metainit d7 -m d17
# metaroot d0
# lockfs -fa
# metaroot d0
# lockfs -fa

d. modify /etc/vfstab to use the metadevices
#device             device              mount         FS     fsck  mount    mount
#to mount           to fsck             point         type   pass  at boot  options
#
#/dev/dsk/c0d0s2    /dev/rdsk/c0d0s2    /usr          ufs    1     yes      -
fd                  -                   /dev/fd       fd     -     no       -
/proc               -                   /proc         proc   -     no       -
#/dev/dsk/c0t0d0s1  -                   -             swap   -     no       -
/dev/md/dsk/d1      -                   -             swap   -     no       -
#/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0  /             ufs    1     no       -
/dev/md/dsk/d0      /dev/md/rdsk/d0     /             ufs    1     no       -
#/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6  /usr          ufs    1     no       -
/dev/md/dsk/d6      /dev/md/rdsk/d6     /usr          ufs    1     no       -
#/dev/dsk/c0t0d0s3  /dev/rdsk/c0t0d0s3  /var          ufs    1     no       -
/dev/md/dsk/d3      /dev/md/rdsk/d3     /var          ufs    1     no       -
#/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7  /export/home  ufs    2     yes      -
/dev/md/dsk/d7      /dev/md/rdsk/d7     /export/home  ufs    2     yes      -
#/dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5  /opt          ufs    2     yes      -
/dev/md/dsk/d5      /dev/md/rdsk/d5     /opt          ufs    2     yes      -
swap                -                   /tmp          tmpfs  -     yes      -


# sync
# sync
# sync
# reboot

f. attach mirror

# metattach d0 d20
# metattach d1 d21
# metattach d3 d23
# metattach d5 d25
# metattach d6 d26
# metattach d7 d27

Sygate : LAN Enforcer Installation Guide

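Sygate is one of the better-known Endpoint Security Solution products.
Its LAN Enforcer can be installed on Windows or RHEL3.
At first the installation on Windows went badly, which gave me my chance.

Since I started by testing on a PC, support for SATA disks was important,
so I used CentOS 3.6. If installing on a server, any of CentOS 3.1~3.X will do.

Installation procedure
1. Install the OS; a minimal install is enough
2. w3c-libwww-5.4.0-10.i386.rpm (any version)
3. Install the kernel
Sygate only supports the 2.4.21-27.EL and 2.4.21-4.EL kernels,
so I went to http://vault.centos.org/3.3/updates/i386/RPMS/
and downloaded the kernel equivalent to 2.4.21-27 and installed it
4. Boot with a kernel that Enforcer supports
Install Enforcer

PS: Sygate LAN Enforcer has two modules, sylane.o and xxx.o,
which were built and tested on 2.4.21-27 and 2.4.21-4.
That is why it only supports these two kernel versions.


The installation requirements from the original document follow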
http://eval.veritas.com/mktginfo/enterprise/yellowbooks/it_compliance_03_2006.en-us.pdf


LAN Enforcer System Requirements (LAN Enforcer)
Following are the hardware and software requirements for the system on which you install
an Enforcer
Hardware Requirements
• Processor: Pentium III 750 MHz or greater
• Memory: 128 MB RAM (256 MB recommended)
• Disk space: 100 MB available disk space (required) plus 500 MB for logging
(optional)
• Monitor: Minimum 800x600 resolution with 256 colors
• Network Interface Card(s): One network interface card (with TCP/IP installed)
Note: Ensure that the RADIUS port that the switch is configured to
contact is not bound by another listening process (use the netstat -an
command to find out which ports are in use), or the Enforcer service will
refuse to start. In particular, ensure that the Internet Authentication
Service (IAS) has been disabled (may require reboot).
Software Requirements
• Operating system:
o Red Hat Enterprise Linux Version 3 Update 4 (Kernel version 2.4.21-27.EL)
o Red Hat Enterprise Linux Version 3 Original (Kernel version 2.4.21-4.EL)

Squid: Must-Read Articles

High Performance Web Caching With Squid
http://www.devshed.com/c/a/Administration/High-Performance-Web-Caching-With-Squid/
(Google Search : High Performance Web Caching With Squid)

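This one is a classic; it discusses a number of ways to improve performance.
A heads-up: when I have time I will revise this post and add my own notes.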

Basic Squid setup with file, domain, and ad blocking
http://mkeadle.org/?p=14
This one is written very simply and suits beginners.

Squid 2.6 Upgrade Guide
http://windtear.net/archives/2006/07/18/001034.html

Squid: The Definitive Guide (Chinese edition)
http://home.arcor.de/jeffpang/squid/index.html

Tru64 OS dump

Case: Using Tape Drive
vdump -0vf /dev/ntape/tape0_d1 /
vdump -0vf /dev/ntape/tape0_d1 /var
vdump -0vf /dev/ntape/tape0_d1 /usr


Case: No Tape Drive, Using Remote Tape Drive
vdump -0 -v -u -b 60 -f - / | rsh fab2backup dd of=/dev/ntape/tape0_d1
vdump -0 -v -u -b 60 -f - /var | rsh fab2backup dd of=/dev/ntape/tape0_d1
vdump -0 -v -u -b 60 -f - /usr | rsh fab2backup dd of=/dev/ntape/tape0_d1

Sun OS dump

Adjust this to match your own file system layout

root@acty # more dumpsys.sh
mt -f /dev/rmt/0c rewind
LOG=/export/home/root/log/dumpsys.log
date > $LOG 2>&1
ufsdump 0uf /dev/rmt/0cn /dev/md/rdsk/d0 >> $LOG 2>&1 #/
ufsdump 0uf /dev/rmt/0cn /dev/md/rdsk/d6 >> $LOG 2>&1 #/usr
ufsdump 0uf /dev/rmt/0cn /dev/md/rdsk/d7 >> $LOG 2>&1 #/export/home
date >> $LOG 2>&1

ifconfig example

plumb:
ifconfig bge2 plumb
unplumb:
ifconfig bge2 unplumb
up:
ifconfig bge2 inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255 up
down:
ifconfig bge2 down

Sendmail: Flush specific messages from mail queue

You can flush the sendmail queue with this command.
It is useful for checking the status of the mail server.

1. Flush all
# /usr/sbin/sendmail -q -v

2. Flush specific domain
# /usr/sbin/sendmail -qR acty.com.tw -v

ps: some usage examples

Show each process's CPU percentage and memory usage

hpux :

export UNIX95=XPG4
ps -el -o uid,pid,comm,cpu,vsz

linux :

ps -e -o pid,ppid,command,rss

solaris:

ps -el -o user,pid,pcpu,vsz

tru64:
ps -el -o user,pid,pcpu,vsz

HPUX - Mount CDROM

1. Server 1 has no CD-ROM drive and borrows Server 2's drive
a. Mount the CD-ROM drive that is being lent
------------------
server2# bdf
server2# ioscan -nfkCdisk | more
server2# mount /dev/dsk/cXtXdX /cdrom
server2# exportfs -i -o ro /cdrom


b. On server1, NFS-mount it from server2

server1# mount 192.168.0.2:/cdrom /cdrom
server1# ll /cdrom
server1# swinstall -s /cdrom/DIAGNOSTICS/B.11.00
server1# umount /cdrom

c. Release
server2# exportfs -u /cdrom
server2# exportfs
server2# umount /cdrom


2. Mount Options

Windows CD -> CDFS
mount -F cdfs -o cdcase /dev/dsk/cXtXdX /cdrom

Oracle CD -> add rr
mount -F cdfs -o rr /dev/dsk/cXtXdX /cdrom

Thursday, November 23, 2006

cacti: No Graph Gen

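Cacti only became reasonably stable as of 0.8.6g.
Before that I ran into graphs that stopped being drawn quite often.
There are many possible causes; usually some tables in the database are out of step.
If a single graph stops, it is probably a configuration error, and setting it up again fixes it.

Here is the quick fix, learned the hard way
1. stop the cacti cron job
2. issue this MySQL command in the "cacti" database
truncate table poller_output
3. reboot the server
4. restart the cacti cron job

If that still doesn't help, go and read cacti.log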

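HP-UX SNMP: the correct way to restart

If you don't follow these steps, SNMP will not work properly

You can verify with cacti by checking whether the graphs are drawn

1. /sbin/init.d/SnmpMaster stop
2. snmpd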


cerpdb:/>/sbin/init.d/SnmpMaster stop
snmpdm stopped
cerpdb:/>snmpd
Start SNMP Master Network Management daemon
SNMP Research SNMP Agent Resident Module Version 14.2.1.7
Copyright 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 SNMP Research, Inc.
cerpdb:/>Start SNMP HP-UNIX Network Management subAgent
Start SNMP MIB-2 Network Management subAgent
Start SNMP Trap Dest Network Management subAgent
Start SNMP PCI FDDI Network Management subAgent

Repair an RPM database safely

1. remove the files which hold lock state information
rm -f /var/lib/rpm/__db*

2. safe to rebuild these lists,
rpm -vv --rebuilddb

http://www.rpm.org/hintskinks/repairdb/

Web MSN List

It can be a block list, or allow list.

http://webmessenger.msn.com/

http://www.e-messenger.net/ (Now is ebuddy)
http://start.e-messenger.net/
http://www.ebuddy.com/
(http://cityname.ebuddy.com)

http://www.msnger.com/index.jsp (has changed to iloveim)
http://www.iloveim.com/
(http://x1~x44.iloveim.com)

http://msn.audiowatcher.com/servlets/loginPage

http://www.meebo.com/
(http://www~www38.meebo.com)

https://www.imhaha.com/webmsg/messenger.jsp

http://www.koolim.com/

http://www.messengerfx.com/

http://www.mabber.com/


The following are hard to use - not listed for now
http://www.mabber.us

http://www.imunitive.com
http://www.imunitive.co.uk

http://www.goowy.com http://www.goowy.us
http://www.goowy.info http://www.goowy.biz

http://www.wablet.com
http://www.wablet.us

Reinstall IE6

Sometimes we install plug-ins for Internet Explorer, such as toolbars or MyIE2.
They also replace some DLL files of Internet Explorer.

If you find you need to reinstall Internet Explorer from the XP CD
or if you want to do it for troubleshooting purposes:

1) Insert the Win XP CD

2) Open Start / Run and type:
rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 c:\windows\inf\ie.inf

Note: if a dialog asks "Do you want to replace with the older file?",
choose "NO", because we already have the newest files.

Simple method to disable usb disk on linux

There are many ways on the Internet, but I thought of this one.
You can disable USB disks and still use the keyboard.

1.
find /lib/modules/ -name "storage"

/lib/modules/2.6.9-34.ELsmp/kernel/drivers/usb/storage
/lib/modules/2.6.9-34.0.2.EL/kernel/drivers/usb/storage
/lib/modules/2.6.9-34.EL/kernel/drivers/usb/storage
/lib/modules/2.6.9-34.0.2.ELsmp/kernel/drivers/usb/storage

2.
Rename "usb-storage.ko" in these folders to another name,

or delete "usb-storage.ko".
( or rm /lib/modules/`uname -r`/kernel/drivers/usb/storage/usb-storage.ko )

If you restore "usb-storage.ko", the system will connect USB disks again without a reboot.

HP-UX Sendmail without DNS

It seems that many people, because sendmail is installed on the system,
assume sendmail can only be used as a mail server.
They don't realize sendmail can also send mail directly, if sending is all you want.
Some even decide sendmail is broken when mail doesn't go out,
when in fact DNS or the hosts file simply isn't set up properly.

ex. mail -s "test1" user1@acty.com.tw < /tmp/somefile
It asks DNS for the MX of acty.com.tw, or the hosts file for its IP.
If you use the hosts file and it contains an IP for acty.com.tw,
the mail is sent to that IP.

Step:
1)
Use SAM to look up "Name Service Switch"
for hosts (in Networking and Communications).
On the working 11.0 node I found /etc/hosts as first source;
on the 11.11 node there was DNS as first, NIS as second
and /etc/hosts as third source configured.

Please change it to /etc/hosts as first and none as second source.

Do not reboot the machine; just restart sendmail.

2) or
cp -p /etc/nsswitch.files /etc/nsswitch.conf

HPUX SNMP Installation Notice

On HP-UX, the newest patch for SNMP must be installed

ITRC recommends PH_26138 or the newest PH_27858

HP-UX CIFS mount

ex
Windows SERVER: SERVER1 share folder /share

mount -F cifs -o username=user1,password=passwd1 SERVER1:/share /share
#su - user1 -c "cifslogin SERVER1 user1 -P passwd1"

umount /share

HP-UX JetDirect Software Download Link



http://h20180.www2.hp.com/apps/Lookup?h_query=jet+direct+printer+installer&h_tool=software&h_lang=en


Or go to HP "Support & Drivers" and search for "jet direct printer installer"

Restricting vsftpd connections by IP with xinetd

To restrict vsftpd to specific IPs, it has to run under xinetd

1. Edit vsftpd.conf
/etc/vsftpd/vsftpd.conf


listen=NO
tcp_wrappers=YES



2. Edit the xinetd entry for vsftpd
# vi /etc/xinetd.d/vsftpd


# default: off
# description: The vsftpd FTP server serves FTP connections. It uses \
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/vsftpd
    server_args = /etc/vsftpd/vsftpd.conf
    nice = 10
    only_from = 127.0.0.1 192.168.0.1 192.168.0.2
}

3. Disable the old init script
cd /etc/init.d/
mv vsftpd vsftpd.old

4. Restart the service (vsftpd is now started by xinetd)
chkconfig vsftpd on
service xinetd restart

Building a Linux FTP and File Server integrated with AD accounts

On a Linux operating system, add Samba and vsftpd to build an FTP and file server that integrates with AD accounts

Setup:

OS → CentOS 4.2 (equivalent to Red Hat Enterprise 4 Update 2); a minimal install is enough

Packages → samba, samba-common, vsftpd and ntp

1. Add the AD servers to /etc/hosts

#vi /etc/hosts
192.168.0.1 dc01 acty.com.tw
192.168.0.2 dc01 acty.com.tw

#vi /etc/resolv.conf
search acty.com.tw
nameserver 192.168.0.1
nameserver 192.168.0.2

Set up time synchronization

#ntpdate dc01

#vi /etc/ntp.conf

Add: server dc01

#chkconfig ntpd on
#service ntpd start

Use setup to let Linux accept AD accounts

#export LANG=C # set the locale to C so the screen does not get garbled
#setup

A. Select Authentication Configuration

B. Tick Use Winbind and Use Winbind Authentication, then press Next

C. Configure the Winbind Settings

Fill in Domain, Domain Controllers and ADS Realm.

Setting Template Shell to /sbin/nologin keeps users from logging in to the system with telnet or ssh

D. Enter the Domain Administrator and password to join this machine to the AD domain


2. Create the user home folders

#vi mknthome.awk

USERLIST=`ls -1d /home/ACTY/p[0-9][0-9][0-9][0-9] | awk -F/ '{print $4}'`
for LIST in $USERLIST
do
echo "ACTY\\$LIST" >> /etc/vsftpd/chroot_list
done

exit


3. Check all the services

Enable the following services

#chkconfig smb on
#chkconfig winbind on
#chkconfig vsftpd on
#chkconfig ntpd on

Confirm that all services are running; if not, run the commands below

#service smb start
#service winbind start
#service vsftpd start
#service ntpd start

4. Test

FTP:

ftp://xxx.xxx.xxx.xxx

Network drive

\\192.168.0.1\P9999

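A simple way to integrate AD and Linux accounts

Linux authentication against AD with winbind - the simple version

(*Note: only tested on CentOS and Fedora; not tested on Red Hat 9 or earlier)
Many people want to integrate their Linux with AD,
but the tutorials I have seen so far all require configuring many files.
At first I too followed Flag Publishing's 「 Linux 與 Windows 共舞」
and it took me a long time to get it working.

Later, though, I stumbled on a very simple method,
and I am taking the chance to tidy up my earlier reply POST.


Assume the AD environment is as follows
AD Domain is TW
AD Realm is TW.COMP.CORP
AD Controllers (i.e. the DCs) are the two machines 192.168.1.1 and 192.168.1.2
AD Time Server is at 192.168.1.1

1. Time synchronization
To authenticate against AD, the machine's time must match AD's
Install ntp
Run ntpdate 192.168.1.1 (synchronize with AD)

Edit /etc/ntp.conf
Add server 192.168.1.1
chkconfig ntpd on
service ntpd start

2. Make sure samba and samba-common are installed

If not, just run yum install or rpm -ivh, etc.
#yum install samba samba-common

3. Run setup
#setup

Select Authentication configuration
Inside, select Use Winbind and Use Winbind Authentication
Then go in and enter your AD information
If you do not want users to log in, choose /sbin/nologin as the users' logon shell


For reference:
Security Model: (*) ads
Domain: TW
Domain Controllers: 192.168.1.1,192.168.1.2
ADS Realm: TW.TOPCOMP.CORP
Template Shell: (*) /bin/bash

Then enter the Administrator account and password

The settings you make end up written to
a. /etc/samba/smb.conf
b. /etc/krb5.conf
c. /var/kerberos/krb5kdc/kdc.conf
d. /etc/nsswitch.conf

Finally, confirm that winbind is running, and then you can use AD accounts
chkconfig winbind on
service winbind start
(PS: the smb service is not needed; unless you want to share files, you do not need to install samba-server either)

4. Test
Suppose you have an account test with password test123
You can log in as TW/test with password test123


PS: software list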
krb5-libs
krb5-workstation
ntp
samba
samba-common
setuptool

Wednesday, November 22, 2006

Squid and Media Player

acl wmp browser -i ^.*Windows-Media-Player.*
acl wmp browser -i ^.*NSPlayer.*
acl wmp browser -i ^.*player.*
acl umv rep_mime_type ^video/* ^audio/*
http_access deny wmp
http_reply_access deny umv


acl WMP browser Windows-Media-Player/*
acl XMMS browser xmms/*
acl GATOR browser gator/*
acl MPLAYER browser MPlayer/*
acl NSPLAYER browser NSPlayer/*
acl QTIME browser QuickTime*/*
acl WINAMP browser Winamp/*

Tuesday, November 21, 2006

Squid and User Agent of MSIE

For security reasons, I need to limit the kinds of browser.
Only IE can access the Internet through the squid proxy.

I used Mtracer to write the following regular expression.
Mtracer is a regular expression composing and testing tool.

^Mozilla/4.0.\(compatible;.MSIE.(5\.0|5\.01|5\.5|6\.0);.Windows.(98|NT.5\.0|NT.5\.1)(\)|;.DigExt\)|;.SV1\)|;.\.NET.CLR.1\.0\.3705\)|;.\.NET.CLR.1\.1\.4322\)|;.Q312461\)|;.SV1;.\.NET.CLR.1\.1\.4322\))


Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; .NET CLR 1.1.4322)

Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
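
A quick way to check this allow-list before loading it into a Squid `browser` ACL, using the expression with its `|` alternations written out; this is an added example, not part of the original post. The function names are assumptions, and the sample list mixes strings from the list above with constructed ones.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Squid compiles "browser" ACL patterns as POSIX extended regular expressions,
# so grep -E gives the same verdicts for the expression.
# The User-Agent header is supplied by the client, so the ACL recognises
# well-behaved browsers; it does not identify users.
MSIE_UA_REGEX='^Mozilla/4.0.\(compatible;.MSIE.(5\.0|5\.01|5\.5|6\.0);.Windows.(98|NT.5\.0|NT.5\.1)(\)|;.DigExt\)|;.SV1\)|;.\.NET.CLR.1\.0\.3705\)|;.\.NET.CLR.1\.1\.4322\)|;.Q312461\)|;.SV1;.\.NET.CLR.1\.1\.4322\))'

# Exit status 0 when the given User-Agent string matches the ACL pattern.
ua_allowed() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq -e "$MSIE_UA_REGEX"
}

# stdin: one User-Agent per line; prints the strings the ACL would NOT match.
ua_rejected() {
    LC_ALL=C grep -Ev -e "$MSIE_UA_REGEX" || true
}

# Sample input: the first four lines are from the list above; the last three
# are constructed (an IE build with an extra token, an IE build with a newer
# .NET token, and a non-IE browser).
sample_user_agents() {
    cat <<'EOF'
Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; IEMB3)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
EOF
}

# Demo: list what would be denied. IE installs that carry any token missing
# from the expression show up here next to the non-IE browser, which is the
# maintenance cost of an exact-match allow-list.
sample_user_agents | ua_rejected
```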


User Agent Tools
http://www.104testing.com.tw/proxyTest.jsp

http://under-linux.org/forums/configuracao/87780-problemas-squidguard.html

Install Clamav on CentOS

1. Download clamav for CentOS

http://dag.wieers.com/packages/clamav/

Current Clamav for CentOS
http://dag.wieers.com/packages/clamav/clamav-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamav-db-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamd-0.88.6-1.el4.rf.i386.rpm
http://dag.wieers.com/packages/clamav/clamav-devel-0.88.6-1.el4.rf.i386.rpm
optional ->
http://dag.wieers.com/packages/clamav/clamav-millter-0.88.6-1.el4.rf.i386.rpm

rpm -ivh clamav-0.88.6-1.el4.rf.i386.rpm clamav-db-0.88.6-1.el4.rf.i386.rpm \
clamav-devel-0.88.6-1.el4.rf.i386.rpm clamd-0.88.6-1.el4.rf.i386.rpm

2. start Clamav Service
/etc/rc.d/init.d/clamd start

3. update the virus patterns
freshclam


PS: dependency RPMs
curl-7.12.1-8.rhel4.i386.rpm
libidn-0.5.6-1.i386.rpm

Friday, November 17, 2006

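Blocking webmail with squidGuard

If you like using squidGuard,
you can refer to the example below

http://staff.avonside.school.nz/cf/squidGuard2.tar.bz2

Its webmail content is as follows.
This example may block a lot by mistake; even things like mail.gif get blocked.
Also note that SSL webmail cannot be blocked with squidGuard.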

((^|//)[-_.0-9a-zA-Z/]*)mail([-_.\?+=/_0-9])
([-_./0-9])mail
((^|//)[-_.0-9a-zA-Z/]*)pop3([-_.\?+=/_0-9])
([-_./0-9])pop3
((^|//)[-_.0-9a-zA-Z/]*)mailer([-_.\?+=/_0-9])
([-_./09])mailer
((^|//)[-_.0-9a-zA-Z/]*)freemail([-_.\?+=/_0-9])
([-_./0-9])freemail
((^||//)[-_.0-9a-zA-Z/]*)webmail([-_.\?+=/_0-9])
([-_./0-9])webmail
((^|//)[-_.0-9a-zA-Z/]*)email([-_.\?+=/_0-9])
([-_./0-9])email
login\.asp$
message\.cgi$
^217\.72\.193
^213\.165\.64
(pop3web|pop2web|pop2http|pop3http)

--------------------------------------------------

[A humble offering] squid block webmail example - squid.conf

squid.conf

acl PASSWORD proxy_auth REQUIRED
acl GrpWebAccess external NT_global_group "/etc/squid/usergroup"



## block webmail
# 0. define non-webmail sites which contain some characteristics of webmail urls
acl goodsites dstdomain "/etc/squid/goodsites"

# 1. block domains containing mail
# http://*mail*.*/ or http://*.mail.*.*
acl webmail_domain url_regex -i ^.*mail\.*\./*

# 2. block webmail url paths containing a mail program
# ex. http://xxx.xxx.xxx/*mail*/
#acl webmail_urlpath urlpath_regex -i (/mail/|/.*mail/|/mail)$
# ex. http://xxx.xxx.xxx/*mail*(index|login|login/)
acl webmail_urlpath urlpath_regex -i mail.*(index|login|login/)$
# ex. http://xxx.xxx.xxx/..mail..(index|login).(asp|cgi|do|html?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|?)
acl webmail_urlpath urlpath_regex -i mail.*(index|login)\.(asp|cgi|do|html\?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|\?)

# for Horde imp -> http://../imp, http://../horde/imp, http://../horde/imp/login.php
# /imp may match other sites, so we don't use it
acl webmail_urlpath urlpath_regex -i [a-zA-Z0-9]/horde/imp
# for SquirrelMail -> http://../imp, http://../imp/src, http://../imp/src/login.php
acl webmail_urlpath urlpath_regex -i [a-zA-Z0-9]/imp/src[a-zA-Z0-9]
# combine Horde & SquirrelMail -> http://../imp/login.php
acl webmail_urlpath urlpath_regex -i ^.*/imp.*login\.php$
acl webmail_urlpath urlpath_regex -i ^.*/imp.*login\.php\?
# for MAC webmail
acl webmail_urlpath urlpath_regex -i webmail\.woa

# 3. block other ssl webmail domains
#acl sslwebmail url_regex -i "/etc/squid/sslwebmail"

http_access allow goodsites PASSWORD GrpWebAccess
http_access allow connect goodsites PASSWORD GrpWebAccess

http_access deny webmail_domain
http_access deny connect webmail_domain
http_access deny webmail_urlpath
deny_info ERR_WEBMAIL_ACCESS_DENIED webmail_domain
deny_info ERR_WEBMAIL_ACCESS_DENIED webmail_urlpath


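I wrote this at my company to block webmail.
It blocks quite a lot of sites, although some sites get blocked by mistake,
but it saves a lot of money that would otherwise go to buying SurfControl and the like.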



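A brief explanation:
I block domains and URL paths separately.
In addition, webmail that uses SSL has to be blocked separately,
because for an SSL site the proxy only sees the destination domain and cannot see the URL.
And to block SSL webmail you have to use deny connect.
That is also why the domain and the URL are blocked separately.
Sites you do not want to block go into goodsites.

Also, I am not very good at writing regexes and these are not well written, so advice is welcome.

Please also help me fix them, thanks.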
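
To see which requests the two ACLs above catch, including the false positives that belong in goodsites and the CONNECT case where only the host is visible, the expressions can be replayed with grep; this is an added example, not part of the original post. The function names, the simplified path extraction and the sample URLs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Replays the webmail_domain / webmail_urlpath expressions from the squid.conf
# above with grep -Ei (POSIX extended regex, -i as on the acl lines).

WEBMAIL_DOMAIN_RE='^.*mail\.*\./*'

# The active webmail_urlpath expressions, copied from the configuration above.
webmail_urlpath_patterns() {
    cat <<'EOF'
mail.*(index|login|login/)$
mail.*(index|login)\.(asp|cgi|do|html\?|jhtml|jsp|nsf|perl|php|pl|shtml|woa|\?)
[a-zA-Z0-9]/horde/imp
[a-zA-Z0-9]/imp/src[a-zA-Z0-9]
^.*/imp.*login\.php$
^.*/imp.*login\.php\?
webmail\.woa
EOF
}

# Prints the ACL that would match: webmail_domain, webmail_urlpath or none.
# $1 is a full URL, or host:port as the proxy sees it for a CONNECT request.
webmail_acl_hit() {
    url=$1
    # url_regex is applied to the whole URL, not only to the host part.
    if printf '%s\n' "$url" | LC_ALL=C grep -Eiq -e "$WEBMAIL_DOMAIN_RE"; then
        echo webmail_domain
        return 0
    fi
    case "$url" in
        *://*) ;;
        *) echo none; return 0 ;;   # CONNECT: no path for urlpath_regex to see
    esac
    # urlpath_regex sees what follows the host (simplified extraction).
    path=$(printf '%s\n' "$url" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##')
    [ -n "$path" ] || path=/
    # Several values on one ACL name are ORed, so join them with "|".
    urlpath_re=$(webmail_urlpath_patterns | paste -s -d '|' -)
    if printf '%s\n' "$path" | LC_ALL=C grep -Eiq -e "$urlpath_re"; then
        echo webmail_urlpath
    else
        echo none
    fi
}

# Demo on constructed URLs: an image named mail.gif and a path starting with
# /imp... are caught although they are not webmail.
for u in \
    'http://webmail.example.com/' \
    'http://www.example.com/images/mail.gif' \
    'http://www.example.com/email/login' \
    'http://www.example.com/important/login.php' \
    'http://www.example.org/news/index.html' \
    'mail.example.com:443' \
    'secure.example.com:443'
do
    printf '%-45s %s\n' "$u" "$(webmail_acl_hit "$u")"
done
```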