Posts Tagged ‘citrt’
how to protect your MacBook Pro
This week, while at the Greater NJ Annual Conference of the United Methodist Church, something sad happened at the very end.
The laptop of one of the key musicians, Mark, was stolen. He had purchased it just a few days earlier (Tuesday, I believe he said). From what we can tell this happened right at the end of the conference, with vendors and conference folks all over the place helping tear down, so who knows where it is. We are hoping it was just collected by someone who mistook it for theirs (alas, I think we are dreaming). Anyhow:
I remember a post from @ClifGuy, who had his laptop stolen right out of another #CITRT member's car in Florida. At that time Windows PC security options were discussed, but not Apple/Mac.
So, here you go, Mac fans:
- Never EVER leave your MacBook unattended, not even briefly. Treat it the way you would a purse or wallet in airports, hotel rooms, restaurants, libraries, dorm rooms, and even at a church gathering.
- Back up your data regularly. You should do this anyway in case of hardware failure or software bugs, but it is also critical in case of loss or theft. Time Machine makes this easy; pairing it with a good online backup application also covers you if the backup drive is stolen along with the laptop.
- Use a security cable. Simply put, it is a bicycle chain for your machine. A determined thief with bolt cutters can defeat it, but it stops the simple opportunist who would otherwise just pick up your Mac and walk off.
- Use motion sensors, either hardware (Targus DEFCON, MicroSaver Alarmed Lock) or software (TheftSensor).
- Be less conspicuous. Carry your MacBook in a backpack instead of a laptop case; nobody needs to know what is in there.
- Choose appropriate passwords and actually use them. Don't use guessable passwords, turn off automatic login, require a password to wake from sleep or the screen saver, and log out when you are not using the MacBook.
- Set a firmware password. Use EFI (Intel) or Open Firmware (PPC) to set a password that prevents booting from another disk or into single-user mode. This only protects the boot path: a thief who pulls the drive out can still read it, which is why the next item matters.
- Use encryption. Decide which data on your MacBook is most sensitive and take care to protect it. Use Apple's FileVault feature on your home directory, or use Disk Utility or DropDMG to create encrypted disk images for particular files.
- Install anti-theft software. Use a package that "phones home" over the Internet or a phone line (Undercover, LoJack for Laptops).
- Have separate logins. Use one login for routine documents and a second, FileVault-protected login for important files. A third login with no password invites a thief to log in that way, making it more likely they will connect to the Internet and trigger the anti-theft software.
- Keep records. Write down your MacBook's serial number and keep it on paper somewhere, or better, photograph the machine and its serial label and upload the pictures to a password-protected place you can always reach. Register your purchase. Keep track of what personal information is on the MacBook, so that after a loss you know what was exposed and which passwords to change.
- Insurance. Check whether loss or theft of your MacBook is already covered under a policy you have, such as your credit card. If not, get renter's insurance, a rider on a homeowner's policy, or some other coverage, and make sure the deductible is low enough that a loss does not hurt.
- Avoid viruses, adware and spyware. Install all security updates for Mac OS X and your other software. At present you don't need any special anti-virus software for Macs; if you want a scanner, ClamXav (ClamAV for the Mac) is at http://www.clamxav.com/index.php .
- Keep your personal computer personal. In other words, NEVER lend it out. If you must, create a separate login for the borrower so your own account and its data stay protected.
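A quick self-check for several items on the list, as an added example that is not part of the original post. It assumes a newer macOS than the post was written for (fdesetup arrived in 10.8 and firmwarepasswd in 10.10), that it is run with sudo, and that the screen saver setting still lives under com.apple.screensaver askForPassword; the ioreg line in the block is a constructed sample with a made-up serial.

```shell
#!/bin/sh
# Added example, not from the original post. Checks several controls from the
# list above on macOS. Assumptions: macOS 10.10 or later (fdesetup, firmwarepasswd),
# run with sudo. Each check prints PASS or FAIL plus a reason.

# Full-disk encryption (FileVault 2 replaced the per-home-directory FileVault).
check_filevault() {
    if fdesetup status 2>/dev/null | grep -q 'FileVault is On'; then
        echo "PASS FileVault on"
    else
        echo "FAIL FileVault off: a pulled drive is readable"
    fi
}

# Firmware password: blocks booting from another disk or into single-user mode.
check_firmware_pw() {
    if firmwarepasswd -check 2>/dev/null | grep -q 'Password Enabled: Yes'; then
        echo "PASS firmware password set"
    else
        echo "FAIL no firmware password"
    fi
}

# Automatic login makes the login password meaningless to a thief.
check_autologin() {
    if defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser >/dev/null 2>&1; then
        echo "FAIL automatic login is enabled"
    else
        echo "PASS no automatic login"
    fi
}

# The screen saver must ask for the password (askForPassword = 1).
check_screensaver_pw() {
    if [ "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" = "1" ]; then
        echo "PASS screen saver requires password"
    else
        echo "FAIL screen saver does not require password"
    fi
}

# Record keeping: pull the serial number out of ioreg output (stdin). This is
# the number police, Apple and your insurer will ask for after a theft.
serial_from_ioreg() {
    sed -n 's/.*"IOPlatformSerialNumber" = "\([^"]*\)".*/\1/p'
}

record_serial() {
    ioreg -l | serial_from_ioreg
}

# Constructed sample of the relevant ioreg line, with a made-up serial.
SAMPLE_IOREG='    |   "IOPlatformSerialNumber" = "SAMPLE000001"'

# Run everything and print one line per control.
audit_macbook() {
    for c in check_filevault check_firmware_pw check_autologin check_screensaver_pw; do
        echo "$c: $($c)"
    done
    echo "serial: $(record_serial)"
}
```

Run `sudo sh -c '. ./audit.sh; audit_macbook'` on the laptop itself; nothing here fixes a failing control, it only tells you which of the items above you still have to do.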
Any other suggestions – please feel free to add them .
doing your part to stop Denial of Service
Virtually every organization that operates a network connected to the Internet can be turned into an unwitting participant in DoS (denial of service) attacks. There are simple steps that make you a good net citizen; in fact, just two will help a great deal:
- Implement Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network
- Stop Your Network from Being Used as a Broadcast Amplification Site
Imagine if every datacenter, broadband and network provider applied these two steps broadly: the result would be a significant reduction in the threat posed by DoS attacks.
Ok, so now you're convinced. But how do you implement this? I'm glad you asked.
I. Implement Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network
- Stop spoofed IP packets at the edge: The point of egress filtering is to keep forged packets from leaving your network. Spoofed source addresses are what let an attacker hide and what make reflection-style DoS attacks work; this is the practice described in RFC 2827 (BCP 38). It is a simple process: configure your routers and firewalls to forward a packet toward the Internet only if its source address belongs to your network, meaning the space you announce in BGP or were assigned by ARIN (or your ISP). It is worth doing throughout your network, but the edge connection(s) are where this protection is essential if you are going to be a good net citizen.
- Deny invalid source IP addresses: Imagine if every organization only let traffic leave its network when it carried a valid source address belonging to that network. It is not a foolproof way of stopping DoS, but it would make finding the organization responsible much easier. Again the process is simple: permit your own valid addresses out through your firewall, gateway and routers, and deny every other source address, including the private and reserved ranges below. If you are using NAT, apply the same rule on the NAT device as well. At a minimum, never let packets with these source addresses out:
- 0.0.0.0/8 – "this" network (historical broadcast)
- 10.0.0.0/8 – RFC 1918 private network
- 100.64.0.0/10 – RFC 6598 shared address space (carrier-grade NAT)
- 127.0.0.0/8 – loopback
- 169.254.0.0/16 – link-local networks
- 172.16.0.0/12 – RFC 1918 private network
- 192.0.0.0/24 – IETF protocol assignments
- 192.0.2.0/24 – TEST-NET-1
- 192.168.0.0/16 – RFC 1918 private network
- 198.18.0.0/15 – benchmarking (RFC 2544)
- 198.51.100.0/24 – TEST-NET-2
- 203.0.113.0/24 – TEST-NET-3
- 224.0.0.0/4 – Class D multicast (never valid as a source)
- 240.0.0.0/4 – Class E reserved (includes 248.0.0.0/5)
- 255.255.255.255/32 – limited broadcast
II. Stop Your Network from Being Used as a Broadcast Amplification Site
- Configure all of your systems (routers, servers, workstations, etc.) so that they neither receive nor forward directed-broadcast traffic. This keeps your network from being used as a broadcast amplification site (the classic "smurf" attack, where one spoofed echo request to your broadcast address becomes a reply from every host on the subnet, all aimed at the victim). On Cisco routers the interface command is no ip directed-broadcast. Craig Huegen has written a number of papers on this topic.
- Test your network to determine if it is an amplification site. This is as easy as using the ping command to send an ICMP echo request to the network base address of your network(s) and to the broadcast address of your network(s); if more than one host answers a single request, you are an amplifier. Do this not only from inside your own network but from an independent third party such as www.DNSStuff.com (the basic DNSStuff tools are free). From inside your own LAN a ping to the broadcast address is a local broadcast and gets answers regardless; the question is whether a router will forward such a packet arriving from outside.
- The HostMedic agency refuses to purchase hardware from any vendor that does not disable IP directed broadcast by default, as outlined in RFC 2644. If you are unsure how to complete all of these tasks, we suggest using pfSense at the edge of your network. pfSense is FREE and offers low-cost support as well as FREE community-based support.
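Both steps rendered for a Linux edge box (iptables and sysctl) rather than pfSense, plus a helper that reads ping output to tell whether a prefix amplifies. This is an added example, not from the original post. It assumes your assigned block is 203.0.113.0/24 (a documentation prefix standing in for your real ARIN/ISP space, and therefore left off the bogon list inside the script) and that eth0 faces the upstream; the ping output embedded in the block is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: our assigned block is
# 203.0.113.0/24 (documentation prefix standing in for real ARIN/ISP space, so it
# is left off the bogon list below) and eth0 is the upstream-facing interface.
# If the router's own upstream address is outside your block, add it to
# OUR_PREFIXES, or the OUTPUT hook below will drop the router's own traffic.
OUR_PREFIXES="203.0.113.0/24"
WAN_IF="eth0"
# Source addresses that must never leave the edge (the list above, minus 203.0.113.0/24).
BOGONS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 224.0.0.0/4 240.0.0.0/4"

# Step I: print the iptables commands for BCP 38 egress filtering. They are
# printed rather than executed so you can review them first: build_egress_rules | sh
build_egress_rules() {
    echo "iptables -N EGRESS_BCP38"
    # Our own space is allowed out; everything else is spoofed by definition.
    for net in $OUR_PREFIXES; do
        echo "iptables -A EGRESS_BCP38 -s $net -j RETURN"
    done
    # Bogons are dropped silently (pure noise). Other foreign sources are logged,
    # rate-limited so a flood of spoofed packets cannot turn the log into its own DoS.
    for net in $BOGONS; do
        echo "iptables -A EGRESS_BCP38 -s $net -j DROP"
    done
    echo "iptables -A EGRESS_BCP38 -m limit --limit 5/min -j LOG --log-prefix \"SPOOFED-EGRESS: \""
    echo "iptables -A EGRESS_BCP38 -j DROP"
    # Hook the chain on both forwarded and locally generated traffic leaving via WAN.
    echo "iptables -I FORWARD -o $WAN_IF -j EGRESS_BCP38"
    echo "iptables -I OUTPUT -o $WAN_IF -j EGRESS_BCP38"
}

# Step II on a Linux host or router: do not answer broadcast pings, and drop
# inbound packets whose source is not routable back out the interface they
# arrived on (the ingress-side complement of step I).
harden_broadcast() {
    sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Count responders in ping output read from stdin. ping marks every answer after
# the first to the same request as (DUP!); more than one responder to a
# base-address or broadcast-address probe means the prefix amplifies.
responders_from_ping() {
    grep -c 'bytes from' || true
}

# Probe a base or broadcast address from outside the network (-b is the iputils
# flag that permits pinging a broadcast address).
probe_amplifier() {
    ping -c 1 -b "$1" 2>/dev/null | responders_from_ping
}

# Constructed sample of ping output from an amplifying /24, for illustration.
SAMPLE_AMPLIFIED='PING 203.0.113.255 (203.0.113.255) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=64 time=0.31 ms
64 bytes from 203.0.113.7: icmp_seq=1 ttl=64 time=0.40 ms (DUP!)
64 bytes from 203.0.113.9: icmp_seq=1 ttl=64 time=0.52 ms (DUP!)'
```

Run `probe_amplifier 203.0.113.255` from a host outside the network; a count of 1 or 0 is what you want. Note that rp_filter and the egress chain address spoofing, while ignoring broadcast echo requests addresses amplification; a network needs both.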
Master-Slave Replication
There are many reasons to use master-slave replication, including but not limited to:
1) Offloading some queries from one server to another to spread the load: one of the biggest advantages of a master-slave setup in MySQL is being able to use the master for all inserts and send some, if not all, select queries to a slave (or a series of slaves). This will most probably speed up your application without diving into optimizing every query or buying more hardware, which is especially handy if you're running an off-the-shelf application such as WebEmpoweredChurch.com / TYPO3, Magento, WordPress, Drupal, etc.
2) Backups can hurt a DB server at times. Here at Typo3USA we always do backups from the slave. Most techs simply overlook this simple but highly effective advantage. We have some databases that are very large and others that are just a few megs to a few gigs. Database size becomes a big deal once it reaches multiple gigs: mysqldump locks tables and the site lags, which for some sites means going down for a few seconds to minutes. If you have a slave, you take it out of rotation (we have built this into our backup scripts) and run the backup off the slave. You can even stop the slave's MySQL instance and copy its data directory (/var/lib/mysql, or wherever your datadir points) instead of running mysqldump; that copy is only consistent because the server is stopped while you take it.
Recently – we moved forward into using the R1Soft.com Backup System (in fact we also had a good hand with the Vine Staff and Ron Hall in building up their new website – check it out @ www.R1soft.com ) WE ABSOLUTELY LOVE THIS SYSTEM BECAUSE IT IS SO FAST IN ITS BACKUPS FOR MYSQL
Ok let us dive into how to setup master-slave replication under MySQL. There are many configuration changes you can do to optimize your MySQL set up. I will just touch on very basic ones to get the replication to work. Here are some assumptions:
Master server ip: 10.100.1.1
Slave server ip: 10.100.1.2
Slave username: slavemysqluser
Slave pw: slavepw
Your data directory is: /usr/local/mysql/var/
Put the following in your master my.cnf file under [mysqld] section:
# changes made to do master
server-id = 1                                   # must be unique across the master and every slave
log-bin = /usr/local/mysql/var/mysql-bin        # binary log: required, this is what the slave replays
log-error = /usr/local/mysql/var/mysql.err
datadir = /usr/local/mysql/var
# the relay-log and master-info settings below are only used if this server is
# itself a slave (master-master or chained replication); harmless otherwise
relay-log = /usr/local/mysql/var/mysql-relay-bin
relay-log-index = /usr/local/mysql/var/mysql-relay-bin.index
master-info-file = /usr/local/mysql/var/mysql-master.info
relay-log-info-file = /usr/local/mysql/var/mysql-relay-log.info
# end master
Copy the following to slave’s my.cnf under [mysqld] section:
# changes made to do slave
server-id = 2                                   # different from the master and any other slave
relay-log = /usr/local/mysql/var/mysql-relay-bin           # events fetched from the master, before they are applied
relay-log-index = /usr/local/mysql/var/mysql-relay-bin.index
log-error = /usr/local/mysql/var/mysql.err
master-info-file = /usr/local/mysql/var/mysql-master.info  # stores the master host and replication credentials
relay-log-info-file = /usr/local/mysql/var/mysql-relay-log.info
datadir = /usr/local/mysql/var
# read-only = 1   (recommended: stops application writes from landing on the slave; users with SUPER are exempt)
# end slave setup
Create the replication user on the master. The grant is restricted to the slave's address and to the REPLICATION SLAVE privilege only, so the credentials stored on the slave are useless for anything else:
mysql> grant replication slave on *.* to slavemysqluser@'10.100.1.2' identified by 'slavepw';
Take a consistent dump of the master to seed the slave. --master-data=1 writes the master's current binlog file and position into the dump as a CHANGE MASTER TO statement, and --single-transaction gives a consistent snapshot for InnoDB tables (for MyISAM tables use --lock-all-tables instead):
mysqldump -u root -p --all-databases --single-transaction --master-data=1 > masterdump.sql
Import the dump on the slave:
mysql -u root -p < masterdump.sql
After the dump is imported, open the mysql client on the slave and tell it which master to connect to and which login/password to use. No binlog file or position is given here because the imported dump already set them. Replication traffic, including the data of every write on the master, crosses the wire in the clear unless you add MASTER_SSL=1 here and REQUIRE SSL on the grant; do so on anything other than a private management LAN:
mysql> CHANGE MASTER TO MASTER_HOST='10.100.1.1', MASTER_USER='slavemysqluser', MASTER_PASSWORD='slavepw';
Let us start the slave:
mysql> start slave;
You can check the status of the slave by typing
mysql> show slave status\G
The Seconds_Behind_Master field in that output tells you how far behind the master the slave is. Many folks worry when it does not say ZERO right away; that is okay. Check it again and you should see the number going down until the slave finally catches up with the master.
NOTE: if it shows NULL, the slave SQL thread is not running, either because the slave has not been started or because it hit an error. Check Slave_IO_Running and Slave_SQL_Running (both should be Yes), and look at Last_Errno and Last_Error in the same show slave status\G output.
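The setup steps above as one script, plus a parser for show slave status\G output that turns the lag, NULL and error cases just described into a single status line a backup script or cron job can act on. This is an added example, not from the original post. It keeps the post's addresses and account (10.100.1.1, 10.100.1.2, slavemysqluser/slavepw), assumes the local mysql client takes its credentials from ~/.my.cnf, assumes the slave can ssh to the master as root to pull the dump, and uses an arbitrary 60-second lag threshold; the two show slave status samples in the block are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: master 10.100.1.1,
# slave 10.100.1.2, replication user slavemysqluser/slavepw (as in the post);
# local mysql client credentials come from ~/.my.cnf; the slave can ssh to the
# master as root to pull the dump. MAX_LAG is an arbitrary threshold.
MASTER_HOST=10.100.1.1
SLAVE_HOST=10.100.1.2
REPL_USER=slavemysqluser
REPL_PW=slavepw
DUMP=/var/tmp/masterdump.sql
MAX_LAG=60

# Run on the master: replication account restricted to the slave's address.
create_repl_user() {
    mysql -e "GRANT REPLICATION SLAVE ON *.* TO '$REPL_USER'@'$SLAVE_HOST' IDENTIFIED BY '$REPL_PW';"
}

# Run on the slave: consistent dump with binlog coordinates embedded
# (--master-data=1), import it, point at the master, start replicating.
# --single-transaction is only consistent for InnoDB; use --lock-all-tables for MyISAM.
seed_slave() {
    ssh root@"$MASTER_HOST" "mysqldump --all-databases --single-transaction --master-data=1" > "$DUMP"
    mysql < "$DUMP"
    mysql -e "CHANGE MASTER TO MASTER_HOST='$MASTER_HOST', MASTER_USER='$REPL_USER', MASTER_PASSWORD='$REPL_PW'; START SLAVE;"
    rm -f "$DUMP"   # the dump holds every row of every database; do not leave it lying around
}

# Reduce SHOW SLAVE STATUS\G output (stdin) to one line:
#   "ok <lag>"       both threads running, lag within MAX_LAG
#   "lagging <lag>"  both threads running, lag above MAX_LAG
#   "broken ..."     a thread stopped or lag is NULL; includes Last_Errno/Last_Error
slave_health() {
    awk -F': ' -v max="$MAX_LAG" '
        /Slave_IO_Running:/      { io = $2 }
        /Slave_SQL_Running:/     { sql = $2 }
        /Seconds_Behind_Master:/ { lag = $2 }
        /Last_Errno:/            { errno = $2 }
        /Last_Error:/            { err = $2 }
        END {
            if (io != "Yes" || sql != "Yes" || lag == "NULL") {
                print "broken io=" io " sql=" sql " errno=" errno " " err; exit
            }
            if (lag + 0 > max + 0) print "lagging " lag; else print "ok " lag
        }'
}

# Run on the slave, e.g. from cron or at the top of the backup script.
check_slave() {
    mysql -e 'SHOW SLAVE STATUS\G' | slave_health
}

# Constructed samples of the relevant lines of SHOW SLAVE STATUS\G.
SAMPLE_HEALTHY='             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 12
                   Last_Errno: 0
                   Last_Error:'
SAMPLE_BROKEN='             Slave_IO_Running: Yes
            Slave_SQL_Running: No
        Seconds_Behind_Master: NULL
                   Last_Errno: 1062
                   Last_Error: Duplicate entry 1 for key PRIMARY'
```

A backup script that takes the slave out of rotation should refuse to run when check_slave prints anything but "ok": a backup of a slave that stopped applying changes hours ago is silently stale.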
We also suggest a number of tools for MySQL, including:
Maatkit
Maatkit is a great set of tools for MySQL performance analysis and maintenance. A must-know and must-have for any MySQL user.
mysqladmin
mysqladmin extended -i100 -r is a very nice way to watch how MySQL performance counters increment (-r shows the change since the previous sample) and can tell you a lot about what the server is doing.
mysqlreport
mysqlreport looks at the same status variables as mysqladmin extended but groups them together nicely and provides hints on what good and bad values look like.
mysqlsla
A nice tool for analyzing the slow query log. It reads a bunch of different log formats, has various stats, and was around before mk-log-parser appeared.
innotop
innotop is a great top-like tool for MySQL and is helpful even if you do not use InnoDB tables. Very nice for watching what happens on the server in real time.
oprofile
oprofile is usually used for advanced MySQL tuning when the load is CPU-bound; it will tell you exactly where inside MySQL or the kernel CPU time is spent.
iohist
iohist is a little tool that shows a histogram of I/O response times. Its main use is seeing how response time splits between read and write requests, rather than the average that iostat reports; the two can be very different.
sysbench
sysbench is a tool for checking the performance of the system and of MySQL. Helpful for comparing different hardware and OS configurations.
LoJacking your laptop for free
Recently a friend of mine had an interesting experience (he blogged about it, so I guess I can share):
As Chuck Russel, Jason Reynolds, David Helbig, and Clif Guy discussed Internet Campus while enjoying a beautiful night on the beach, just a couple hundred feet away in the beach parking lot Jason's car window was smashed and Clif's briefcase/laptop bag was stolen, containing his laptop, digital camera, web cam, cables, and all kinds of personal items.
Recently I purchased a Mac Powerbook Pro, and I absolutely love this machine. I think I might need to start attending a 12-step program: I sleep with this thing, take it to church with me (ok, so I use it while preaching...) and it has even made the occasional trip to the bathroom with me. It would be devastating for me to lose it or have it stolen.
I looked into purchasing the LoJack software until I read a quick tidbit on BitBud's blog about encryption for our servers, files, laptops, etc., as well as Adeona, a free open-source LoJack alternative.
Adeona is the first open-source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. What's nice are its three primary properties:
- Private: Adeona uses state-of-the-art cryptographic mechanisms to ensure that the owner is the only party that can use the system to reveal the locations visited by a device.
- Reliable: Adeona uses a community-based remote storage facility, ensuring retrievability of recent location updates.
- Open source and free: Adeona’s software is licensed under GPLv2. While your locations are secret, the tracking system’s design is not.
The Mac OS X version also has an option to capture pictures of the laptop user or thief using the built-in iSight camera and the freeware tool isightcapture.
One caveat: tracking software of this kind only helps if the thief can actually use the machine and get it online, which is why it pairs with the no-password guest login mentioned in the earlier post. Also check the project's current status before relying on it; Adeona's "community-based" storage was the OpenDHT service, which has since been shut down.
So what are you waiting for? LoJack your hardware!
Network Naming Conventions… gone Biblical
Recently Ian Beyer, network extraordinaire out at Church of the Resurrection in Leawood, KS, and I had an interesting conversation about network topology and the naming convention for servers, routers, switches, and workstations.

Salvation-Topology
We are in the process of bringing on Phase 2 of the VineHosting Data Center, complete with our new R1Soft Bare Metal Restore servers (another blog post, perhaps) and our new virtual infrastructure.
Since we now have so many more servers than we did in the past, and we have exhausted all the cities Paul visited in the Bible, the names of the sacraments, etc., I reached out and asked Ian what they were doing.
He got to joking a bit, saying they used Dr. Seuss themes at an old employer (not sure if he meant Sun Microsystems or Sprint). Anyhow, pretty funny stuff. Imagine that: us having Thing 1 and Thing 2...
I sat down and had to write up an assignment for my seminary class on the vocabulary of Salvation… and suddenly thought … WOW there it is…
The Servers Host name is Salvation: its guest machines are:
conversion, substitution, reconciliation, propitiation, remission, imputation, adoption, justification, sanctification, glorification and regeneration (that's the PXE booter...)
Our R1Soft Servers are called Preservation and Redemption.
Now If I could only turn this in as an assignment instead of the long term paper… I would be happy as pie.
And of course – I still have all these other servers to do…
I guess I could use a few other examples; imagine getting a welcome email telling you you're on the purgatory server...
What are you using for a Naming Convention?