1)  Add or Edit the following in /etc/postfix/main.cf

smtp_sasl_auth_enable = yes #enables sasl authentication

smtpd_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

relayhost = smtp.youremailserver.net OR smtp.youremailserver.net:587

2)  Add /etc/postfix/sasl/sasl_passwd

smtp.youremailserver.net       username:password

3)  # postmap /etc/postfix/sasl/sasl_passwd

4)  # chmod 600 sasl_passwd sasl_passwd.db

5) # /etc/init.d/postfix reload

This was on Ubuntu 8.04.

]]> http://thephil.wordpress.com/2010/02/23/setup-postfix-smtp-auth-to-relayhost/feed/ 0 Philip Rhee http://thephil.wordpress.com/2010/02/19/automate-rsync-using-ssh-with-keychain/ http://thephil.wordpress.com/2010/02/19/automate-rsync-using-ssh-with-keychain/#comments Fri, 19 Feb 2010 01:40:32 +0000 Philip Rhee http://thephil.wordpress.com/?p=42 ]]> This will create password enabled RSA/DSA key on localbox to log into remotebox.

1)  localbox:~#ssh-keygen OR ssh-keygen -t dsa

• This will create ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key)
• ssh-keygen -t dsa will create id_dsa and id_dsa.pub

2)  localbox:~#scp ~/.ssh/id_rsa.pub username@remotebox:/home/username

• This will transfer public key to remotebox.

3)  remotebox:~#cat id_rsa.pub >> ~/.ssh/authorized_keys

That is it for setting up ssh keys.

Install KEYCHAIN…

# tar xzvf keychain-1.0.tar.gz

# cd keychain-1.0

# install -m0755 keychain /usr/bin

Create ~/.bash_profile with following on localbox….

#!/bin/bash
#on this next line, we start keychain and point it to the private keys that
#we’d like it to cache
/usr/bin/keychain ~/.ssh/id_rsa
source $HOME/.keychain/${HOSTNAME}-sh
#redirect ~/.ssh-agent output to /dev/null to zap the annoying
#”Agent PID” message
source ~/.ssh-agent > /dev/null
#sourcing ~/.bashrc is a good thing
source ~/.bashrc

Logout and login… Now you are set to ssh to remotebox.  ps aux | grep ssh-agent will show that ssh-agent is running.

Create RSYNC script…

#!/bin/bash
BACKUPDIR_REMOTE=/remotedir                   # Remote backup directory
BACKUPDIR_LOCAL=/localdir    # Local backup directory

keychain $HOME/.ssh/id_rsa
source $HOME/${HOSTNAME}-sh
rsync -avz -e ssh backup@remotebox:$BACKUPDIR_REMOTE/* $BACKUPDIR_LOCAL

This was a good short thought on php session security issue.

hello.
php’s built-in session_x() functions work well enough, but there are cases where you will want to roll your own. the first to come to mind is that you’ll run into trouble when implementing a single site (domain) across multiple machines (httpd processes) as in a web server farm.
fortunately, php’s header() or setcookie() functions make this an easy task.
i have monkeyed up a function called session_begin() which takes two optional arguments: session_id, and session_key.
session_id is, of course, a string which identifies a given unique session; session_key is a string which is intended to help ensure that the provided session is indeed unique. consider the following.

http client one comes along and acquires a legitimate session, abc123. along with generating this session, the server records something unique about http client one, or about the communication itself, such as http client one’s remote ip address (not a good idea, keep reading). this can be anything at all, not necessarily limited to an http context, and this is stored as session_key. all subsequent requests from http client one will contain the session abc123. the idea is that session_key should be something determined by the server, on the server-side, not provided by the client (i.e., javascript or hidden form-field or whathaveyou), as this is trivial for an attacker to spoof.

now, sitting across the coffee shop, http client two has been watching http client one’s tcp packets and knows exactly what that session_id is. therefore, http client two does not need to poke around for usernames or passwords. no need for a phishing site. no trojan horse, spyware, keystroke logger, fraudulent phone calls, or anything else. http client two needs only to make a request to the same domain with the same session_id, while http client one is logged in. http client two now has immediate access to anything and everything available to http client one, and nobody even knows about it. that’s right, a simple, untraceable attack. this works, by my testing, with yahoo! mail, gmail, hotmail, and probably about every web site i could try it on, though ssl makes things more cumbersome – i should say, not very much more cumbersome, if the attacker can see the underlying tcp.

…however, since the server is also using session_key to store and retrieve it’s sessions, http client two must appear to the server as identical to http client one. for example, say the server stores http_client_id (”mozilla” or “ie” or whathaveyou) in the session_key. now, http client two must make it’s request to the server not only with the same session as http client one, but also with the same browsing software. or, say, session_key is remote_addr: now http client two must also spoof his victim’s ip.

the obvious argument to this is that, in our scenario, http client two sees the whole http request made by his victim. therefore, it is entirely probable that he will spoof his request to match his victims to the greatest extent possible, in trying to make his hijack. therefore, the server would see the same http_client_id (or accept_charset or whatever else you could think of). and using the client-provided ip address or any function of the underlying ip connection as a session_key would be stupid on the server’s part since the server may not know about http tunnels, proxy servers, ip-masquerading firewalls, or anything else which could (and inevitably would) obfuscate the reliability of such a method.

so, here is my post in a nutshell: what would serve as a good spoof-proof session_key? that is, what can a web server (or the system running a web server) see about a web client that is not likely (even better, not possible) to be reproduced in an attacker’s hijack request? answer that, and you’ll have a secure, unbreakable session management implementation. you will no longer need ssl, even when dealing out credit card numbers and social security numbers and the like.

it’s not a rhetorical question. i don’t expect anybody to be able to answer, or else yahoo! and hotmail, gmail at least, would not be quite so easy to break into. if you can answer, though, you would be well-advised to seek a patent.

1. Log in as root
2. run /usr/sbin/visudo (it will be opened with vim editor)
3. add a line at the end,   %groupname   ALL=(ALL)  ALL
   
   • please change “groupname” to the groupname of the user you are trying to add as sudoer.
   • note that all users in this “groupname” will be in able to use sudo

/proc/misc: No entry for device-mapper found
Is device-mapper driver missing from kernel?
Failure to communicate with kernel device-mapper driver.

I solved the problem by doing the following.

root@linux:~#modprobe dm_mod
root@linux:~#modprobe dm_mirror
root@linux:~#modprobe dm_snapshot

It should be fine now. Verify by :
root@linux:~#lsmod | grep dm_*

It should look like :
dm_mirror 24448 0
dm_snapshot 18980 0
dm_mod 58816 5 dm_mirror,dm_snapshot

This is essential in understanding what network is about and why there is a need to manage them, or at least implment them well-designed.

http://www.techexams.net/technotes/networkplus/networkcomponents.shtml

I use emacs often in linux environment.  It is more comfortable for me then vi.

Below are few configuration settings that I use to make emacs more friendlier.

Just create .emacs file in  your home directory, then copy and paste the following for your liking…

;; ========== Line by line scrolling ==========
(setq scroll-step 1)
;; ======== Place Backup Files in Specific Directory =========

;; Put autosave files (ie #foo#) in one place, *not*
;; scattered all over the file system!
(defvar autosave-dir
 (concat "/tmp/emacs_autosaves/" (user-login-name) "/"))

(make-directory autosave-dir t)

(defun auto-save-file-name-p (filename)
  (string-match "^#.*#$" (file-name-nondirectory filename)))

(defun make-auto-save-file-name ()
  (concat autosave-dir
   (if buffer-file-name
      (concat "#" (file-name-nondirectory buffer-file-name) "#")
    (expand-file-name
     (concat "#%" (buffer-name) "#")))))

;; Put backup files (ie foo~) in one place too. (The backup-directory-alist
;; list contains regexp=>directory mappings; filenames matching a regexp are
;; backed up in the corresponding directory. Emacs will mkdir it if necessary.)
(defvar backup-dir (concat "/tmp/emacs_backups/" (user-login-name) "/"))
(setq backup-directory-alist (list (cons "." backup-dir)))


;;====== Set Basic Colors =========

• upload_max_filesize : 2M is default.  set it higher.
• memory_limit : set it higher to match your needs. 128M is default
• max_input_time : default is 60 (seconds).  change needed as you prefer.
• post_max_size : setting this to match upload_max_filesize is a good idea.  8M is default.
• max_execution_time : DONT CHANGE THIS.  it is a good idea to set this in your script using “set_time_limit(0)”.  Zero means no time limit.  Default is 30 (seconds).  More details HERE… 

Play around with the above settings to match what you’ll need.  This is based on PHP version 5.2.3

Hopefully some of you will find it interesting, beneficial, or maybe absolutely absurd.

In any case, please feel free to share your opinions and comments.