InvXim

…for beginners using Linux/BSD.

 You’ve found your provider, picked the package that suits your needs and now you’re ready to purchase it. But before you do, there are two things to consider; your current needs and your future needs. Although you could currently get away with running a server with bargain hardware, how well will it work when capacity needs to increase? Or a similar question, will you really need that dual quadcore processor when the system is going to be sitting idle most of the time? Running something like BOINC/SETI@Home for a day and looking at the “% of time BOINC client is running” statistic, you’ll be able to see how often you don’t need that extremely powerful processor*. Be as frugal as possible. Instead of that expensive processor, invest in RAM upgrades and fast disks, or even (KVM over IP, etc…) remote console access. The biggest benefits are usually found there.

Find out if your provider is able to upgrade your hardware or bandwidth plans at a reasonable price with minimal downtime or if there is a possibility of switching hosting companies without a hassle. You will need to plan what your needs are in terms of hardware and bandwidth now and your reasonable expectations on requirements for the future. 

The hassle of planning your infrastructure now will save you a headache later.

Now for the “meat” of the article. Two of the most important sections are security and reliability. Performance is not as important and that topic is well covered elsewhere, so I will not emphasize or cover it. Although security is as equally covered, I’ll only go over the general techniques that are worthwhile for the beginner, not those that are done by the severely paranoid. Since a beginner to system administration in this context probably isn’t doing it as his main job, he most likely doesn’t have the time to research and stay up to date with mailing lists. For that reason, I prefer to focus on passive security tools as they’re the easiest to understand and implement.

The best way to go about securing your server is with the mindset of “I’ll eventually get hacked and there is nothing I can do it to prevent it.” There is no point arguing it**, no system is 100% safe and since that’s the case, any system will eventually get hacked. Proceeding with that mindset, the thing you can do and what everyone tries to do at some level is to give the hacker a hard time. You can do that by keeping your system up to date with patches, not running unnecessary services (cups, inetd in most cases) or services with a bad security record (bind/wu-ftpd) and separating as many services from the rest of the system. By separation, I mean FreeBSD jails or other virtualization techniques. The benefit of this is when one service is compromised, your other services are still safe.

Firewalls are useful but I don’t bother with them right away since they get in the way. A good firewall policy can prevent something like a rootkit or backdoor from getting network access but there are arguably better ways of dealing with those things. My priority is fast detection and removal rather than paranoid prevention. I run chkrootkit, rkhunter, and tripwire as well as a network intrusion detection system. The first three require no knowledge of any firewall software specific syntax to use and you don’t ever have to modify any policies when you add a new service. The fourth, it’s pretty simple to understand and requires uncommenting a few lines in a configuration file and you’re done. Save the firewall policy configuration for last, when you’re done with everything else and have a bit of free time. An admin who doesn’t understand what’s going on behind the scenes of a service he’s running is a useless admin. Invest some time in understanding your firewall software, what you’re blocking and allowing before implementing it in a production environment.

I may be contradicting myself when I mention passive security and things that are easy to understand but then go on to suggest setting up virtual machines. Well, I’m not the one to deny being a hypocrite but it’s well worth the effort if you follow the same security considerations*** for the guest as you do for the host.

Reliability and uptime is something you can have issues if you don’t have an plan. I suggest installing all of the servers, their patches, all of the software you’ll need and your kernel upgrades right away. When you first get access to your server, chances are it wont be patched up and running the latest kernel so you need to fix that. The best time to do is before you move your traffic to the new server so you can avoid downtime. Kernel upgrades are especially dangerous to reliability for the inexperienced. Even a small mistake or misstep during a kernel upgrade could render your system unbootable. In certain cases, even a Grub fallback (or your boot loaders equivalent) might not work. Fallback is a feature to boot into another predefined kernel if booting into another one fails. Some people swear by it, I don’t. Fallback will not help you if you made a mistake and didn’t install your network drivers. If you’re not fully confident with installing your own kernels, just stick with the kernels your distribution provides. Although they’re not optimized for your system, they’re almost guaranteed to work. If you don’t have a choice and need to upgrade your kernel while lacking confidence, there is something an alternative. The alternative of having to wait for your hosting support staff to reboot your server and boot into a working kernel (it can take hours) is remote console access such as KVM over IP. Remote console access in invaluable during a kernel upgrade since you can reboot the server yourself and boot into a working kernel. For BSD upgrades, it’s even more useful since it’s recommended to boot into single user mode before doing an ‘make installworld’. Some hosts offer this service for free while most charge for it.

The natural transition from remote consoles is the topic of remote management access. How many different ways can you log in to completely manage your server? Most people are happy only with SSH but I think it’s a good idea to have more than just SSH. If you were convinced to get remote console access just because of the kernel upgrade issue or you already have it, pat yourself on the back and skip these next few paragraphs. However, since most of the time I don’t have remote console for budget issues, I need two different services that allow root access to the system. My recommendation is SSH and Webmin. Although I dislike control panels because they promote bad laziness and breed admins who don’t understand their services, Webmin is a bit better since most modules are only front-ends to configuration files. Chances are that nothing will happen to SSHd to prevent remote logins but it’s a good idea to have backups. Don’t go overboard with backups though since running more services is proportional to how many security vulnerabilities your server contains. 

One topic that’s bound to come up is automated patches. It’s a good idea for a anti-virus scanner but for your services, it isn’t. You should read the upgrade notes before upgrading, such is in ports after a cvsup or your distribution’s equivalent. The reason for this is sometimes, important bits of a service change and some specific configuration of a service will not work in its new version. The result is that your service will fail to run. A real world example is my clamav anti-virus software. I use it clamav to scan incoming e-mails but since clamav wasn’t configured properly after an upgrade and I didn’t have a backup anti-virus scanner, my anti-virus e-mail scanning software didn’t work and no mail was delivered for about a night before I caught and fixed the issue. Take that as a warning to read upgrade logs and to test after an upgrade to make sure everything is working.

You also have to ask yourself, other than providing network conncectivity, power and the hardware itself, how else are you depending on your hosts? Usually, either they add their in house name servers (to handle your DNS lookups) or they also provide OS patched to download locally. If the OS patch server fails, it’s not a big issue since it’s likely that your package manager has been configured to move on to the default update site provided by the distributor. However, if the hosts nameservers fail, you’re out of luck. If you take a look in your /etc/resolv.conf, you’ll see at least two nameservers listed with some local IP address. If they’re all your hosts nameservers, add a third that’s off site. I suggest the range from 4.2.2.1 to 4.2.2.6 as they’re reliable and fairly quick all over the world. Also, OpenDNS has good nameservers but with limited latency if you’re not near one of their nameservers. I suggest you review their web site first as they offer other features related to name resolution. Do latency testing on the name servers before adding them. If they’re greater than 70 ms, find another one but if your network’s latency is in general quite poor, use your own threshold. NOTE: /etc/resolv.conf can only handle 3 nameserver entries, others will be ignored and removed.

Finally, the stability of specific services is often directly related to performance type settings. Since the only general recommendation I can give is “trial and error,” a better option would first reviewing multiple optimization HOWTOs for that service and then proceeding to make the chances. Ideally, you would do your performance optimization as soon as possible to avoid downtime. Since going further into this topic is not in the scope of this article, I will not cover it. If there are questions, suggestions or more helpful tips to contribute, leave them in the comments and I’ll adjust this article appropriately.

 * Of course, I’m not advocating that you get the cheapest processor and then have your services run without an issue. A slow processor will run your services slower but you need to find the right balance of processor speed (price) and performance gains. Burstable loads also should be considered.

** But you probably will anyway with something along the lines of ”unplugging your computer from the network will make it pretty safe” but then you need to think about physical security and I’d say most systems are more secure remotely than they are with local, physical access.

*** All of the aforementioned tips are useless if you don’t follow the basic principles; don’t use easy passwords, disallow (direct) remote root login for every service, don’t use the same password for multiple accounts and across multiple systems (same root password for all virtual machines and the host), use encryption for all authentication and traffic you reasonably and legally can. 

Seems that VMWare on my computer will not boot 2.6 kernels although 2.4 works just fine. Also, I have network connectivity issues when working with FreeBSD in Workstation.  My earlier project is scrapped for now and I’ll find something else to do.

This is a brief explanation of how to use ISPAdmin.py for “everyday” administration after setting up the ISP style e-mail servers. An even more brief explanation that will get you started on using the tool is on the original page but there are a few things on using it that are left unmentioned. The first thing you should do however after downloading ISPAdmin.py from the original source or from my mirror, is editing the following line -

db_uri = ‘mysql://root:root2007@127.0.0.1:3306/mailtest’

Change the username (root) and password (root2007) accordingly as well as the database (mailtest) where the settings are stored.  When that’s done correctly, you can start ISPAdmin.py. Since I already have domains in there, it’ll look slightly different that when you’re starting it up for the first time.

Connected to database (2 domains, 15 users, 2 aliases)
Welcome to the ispmail console!
=>> d
 [  1]  domain1.com
 [  2]  domain2.com

The ‘d’ command shows a list of all domains. If you want to add a new user to domain1.com, you would type in ‘d 1′ or ‘d domain1.com’. The number 1 comes from the domain ID, which is given by the SQL database when the domain is added for the first time. The ID is sequential for each domain added but if you remove the last one (ID #2) and add another domain, the new domain wont get ID #2 but rather ID #3. This detail isn’t terribly important but I thought I should mention it as the same property follows for users. I suppose one area where this has an impact is if you’re counting the number of users a certain domain has or how many domains are hosted by the largest ID number, you could get inaccurate results. Moving on…

=>> help

Documented commands (type help <topic>):
========================================
EOF  aliases  da  delalias   deluser  du    help  na  newalias   newuser  u
a    d        dd  deldomain  domains  exit  hist  nd  newdomain  nu       users

That is a list of all the commands available to you. We’ll start with users. To add users (or aliases), you need to switch to that domain, as mentioned earlier.

=>> d 1
[domain1.com] =>> newuser username asdf
New user: username (password: asdf)

Notice that since we’re under domain1.com, we don’t need to specify the domain part for the newuser command. This command creates the necessary entries in the SQL database but if you go to /home/vmail/domain1.com, you’ll notice the users you added aren’t listed in there. Don’t worry about this because once mail is received, Dovecot will create the file structure so you don’t have to.

Adding new aliases is exactly the same but you might be tricked into doing something like -

[domain1.com] =>> newalias elvedin@domain1.com elvedin@domain0.com
New alias: elvedin@domain1.com  -> elvedin@domain0.com

Don’t do this as it will NOT work. What this is expecting is to forward the mail from the user ”elvedin@domain1.com” to the new address and not for the user “elvedin”. The correct way of adding a new alias is -

[domain1.com] =>> newalias elvedin elvedin@domain0.com
New alias: elvedin  -> elvedin@domain0.com

The ‘users’ command will give you a list of users sorted alphabetically. Obviously, there is not much to it.

To change a users password, you could edit the SQL database yourself and and encrypt a new password but that’s too much work. The easy way is to delete the user ‘deluser username’ and then add the user again with the new password. The one problem with this is that during the few seconds the user’s account is deleted, the mail they receive will be rejected with a friendly message from Postfix to the sender mail server saying something along the lines of “That account doesn’t exist, please don’t e-mail me anymore.” Unlikely that the user is going to receive the mail over the few seconds it takes you to make the changes but you can play it safe if you want to. Modifying the password field in the database directly wouldn’t have this issue.

The final note that should be mentioned is that when logging in, the username is the full e-mail address. It looks weird in certain mail clients (such as Thunderbird) when it says it’s logging into “username@domain1.com@domain1.com” but that’s not a huge deal. This little detail can also save you lots of troubleshooting time as it took me a while to figure out why my logins were failing even though I thought I used the right username and password.

Hope this more concise documentation of ISPAdmin.py helped you as it would have helped me. I know I didn’t read everything Christoph Haas wrote thoroughly the first time around.

I couldn’t decide on which topic to write a “HOWTO” so I decided to do both. I’ll start with making a VMWare appliance based on Debian etch (and this VMWare appliance ), Postfix, Dovecot IMAP/POP3, with MySQL authentication and virtual users and domains (based on this walk through). I chose doing this first because it’s easier but also because the Java project isn’t even close to finished.

 The Java project is a GUI for a dynamic DNS update client made specifically for ODS to fix the shortcomings in some of the current clients used.   while providing the source code for everyone to improve and contribute back.

 The other project I was working on was an rFactor game server manager in PHP. As the server is Windows only, there’s only a handful of tools I could really work with, like the “PSTools” port to control (start and stop) the game server process. The server itself will run from a premade configuration file when starting it with specific parameters. If those parameters aren’t passed, the server loads its own GUI for configuration. The other thing this server manager was supposed to do is provide a friendly interface for setting the server configuration while first loading it from an existing file. After being overwhelmed with managing all the file input/output and more system command calls than any PHP script should, I decided to quit. There is no way such a thing should be made.

 My last side project, I haven’t really thought about starting but it shouldn’t take long at all is a web interface to maintain that ISP style e-mail setup. Basic stuff like adding and removing domains, users, aliases or changing passwords or allowing users to change their own passwords. Christoph Haas (the author of the HOWTO) has written a Python program which does all of the necessary things but it’s not quite a web front end and it isn’t well documented. I’ve written a few things documenting the setup and the use of ISPAdmin.py.

Everyone has seen them and opinions rarely vary from “they’re annoying” to “why wont they stop!?” or more extremely “I hope whoever made this gets AIDS and dies.” The purpose of this post is to examine the problems caused by this sort of advertising and suggestions to decrease their negative effects. Organizations such as Interactive Advertising Bureau exist to suggest technical standards but they don’t take a hard enough stance on proper use of the tools and features available to the advertiser. Even Google has a page on guidelines for use of Flash but I don’t think it covers everything so I will attempt with the help of the reader (you) to cover as much as necessary. 

The elementary purpose behind advertising and its various techniques is to grab attention and in the traditional places of advertising such as printed publications, TV, radio, sports, etc, the traditional techniques work well. However, the Internet requires a different approach.

Advertising on the Internet can be incredibly useful, reaching countless people at a low cost. Knowing that, nefarious entities that are responsible for spam, spyware and adware have made legitimate and solicited advertising on the Internet something that has to be handled delicately. For text based ads such as Google Ads, it’s hard to get it wrong but most still prefer using graphical advertisements. Flash based ads are most popular as they give the advertiser more tools to work with compared to the basic (animated) GIFs. 

As web browsing is an interactive experience compared to the other passive forms of media, any unwarranted intrusion into the experience has to be done properly. This leads us to our first offender…

1. The Full Screen Ad

Everyone has encountered this type of ad.  Whether you’re looking at a page for your search result or logging into your MySpace homepage, this type of ad pops up immediately after the page loads. There are at least three problems here; one is that you might be going to click on a link before the ad pops up and right as you click, the ad pops up and you click on it and the other problem is that they’re often hard to close.

The first problem is a major annoyance. Think carefully before attempting this or you’ll suffer from having your ads blocked. Also something I call as “click stealing” can happen here as in the situation described earlier. It’s not quite a stolen click but it wasn’t a legitimate one, which means the advertiser will be paying for a click that a user didn’t look at since the user is most likely going to either close the page or hit the back button on the browser as soon as they can.

The second problem is very much similar to the first and it’s also a major annoyance. Closing the ad isn’t as simple as closing a “pop under” ad window. Because the ones I’ve seen don’t automatically close after a certain amount of time, you need to find the area that closes it which is usually marked by an “X” or the word “Close”. This whole process can take almost half a minute the first time it’s done and quite a few less when you really get to know (and dislike) a particular ad.

The last problem I could think of is for people with slower computers, a full screen ad will slow their computer to a crawl. What’s the benefit of getting that extended viewing time when the user can’t even click on your ad? The user will be more irritated with your ad for causing the problem than actually looking at your ad.

2. The MouseOver Pop Up

This is ad that normally sits contained in a small box but once you move your mouse cursor over it, it pop ups to a much bigger size until you move your cursor out of a certain area where it pops back down. On a slow computer, this is terrible form of torture. How many times do you think the user will deal with that sort of ad popping up before being driven up the wall?

3. The MouseOver Game

Usually some game like “Shoot the Red Rat and Win a Ringtone” that is activated when your cursor goes over the ad but then your cursor is captured and you can’t get it out the game. Some of the worse ones keep it there until you win or lose and pop up a new window leading you to the site the ad wants you to go to. A great amount of web surfers have seen this type of ad to know to avoid it which means make an ad like this is a waste of time.

4. The Annoying and Loud Sounds Ad

This type of ad uses the MouseOver event where a user must point their mouse cursor at a specific part of the screen (such as the ad itself) to play a sound. On Facebook, there was one ad for a horror movie that did this. If the reader is familiar with the Facebook interface, the advertisement are below the Search and Applications section and to the left of your actual profile. So when you’re looking at your wall and decide you want to visit one of your Facebook applications, you may inadvertently go over the ad, hearing an incredibly annoying sound. This particular ad was popular that one day and as a result, Facebook wasn’t popular with me for the next few days. MySpace has several equivalents of this, the most annoying being the one for the “next generation emoticons”.

The other type of ad that falls under this category is the one that just plays some sound the whole time the page is open. This is the type of ad that forced me to get an “Internet browsing checklist” which is checking that the volume on my speakers is down before starting a session of web surfing. This is the worst offender in this category because the attention getting “benefit” is greatly overwhelmed by the annoyance to the user. Under no circumstances should sound automatically start playing in an ad, not even when initiated by a MouseOver. The movie ads on MySpace have the right idea where you need to click on a specific button in the ad to hear the sound. It should be standard practice.  

5.

 I left #5 empty since I will leave that number and the subsequent ones for the reader to add through the comment system which I will append to the original post later.

The only positive aspect of these types of ads is that they do have a higher click through rate which greatly benefits the web site that gets paid per impression or click but they do alienate the users which would disenchant them from both the web site the ads are on and the company or product being advertised. All around, the negatives of these types of ads far outweigh the positives.

As my first post, I think it’s a good idea to describe what I’ll be talking about on this blog. Well, it’s going to be about the Internets. And stuff. All sorts of stuff.