Windows Server 2008 introduces a new type of domain controller, the read-only domain controller (RODC). An RODC provides, in effect, a shadow copy of a domain controller that cannot be directly configured, which makes it less vulnerable to attack. You can install an RODC in locations where physical security for the domain controller cannot be guaranteed.
To support RODCs, a DNS server running Windows Server 2008 supports a new type of zone, the primary read-only zone (also sometimes referred to as a branch office zone). When a computer becomes an RODC, it replicates a full read-only copy of all of the application directory partitions that DNS uses, including the domain partition, ForestDNSZones and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions. The administrator of an RODC can view the contents of a primary read-only zone; however, the administrator can change the contents only by changing the zone on the centrally located domain controller.
Why is this functionality important?
AD DS relies on DNS to provide name-resolution services to network clients. The changes to the DNS Server service are required to support AD DS on an RODC.
Sunday, November 23, 2008
Sunday, November 16, 2008
Physical Memory Supported for RHEL
RHEL3 Limitions
- x86 - 64 GB
- x86_64 - 64 GB
- ia64 - 128 GB
RHEL4 Limitions
- x86 - 64 GB
- x86_64 - 128 GB
- ia64 - 1 TB
RHEL5 Limitions
- x86 - 64 GB
- x86_64 - 256 GB
- ia64 - 2 TB
- x86 - 64 GB
- x86_64 - 64 GB
- ia64 - 128 GB
RHEL4 Limitions
- x86 - 64 GB
- x86_64 - 128 GB
- ia64 - 1 TB
RHEL5 Limitions
- x86 - 64 GB
- x86_64 - 256 GB
- ia64 - 2 TB
Tuesday, November 11, 2008
Curbing Image/PDF spam : SpamAssassin
A lot of spam image/PDFs were slipping through my office MXs since this spamming technique has gained its popularity and it was getting really out of hands. I have decided to put an end to this madness and experimented various tactics to curb image/PDF spam. Generally, this can be achieved with spam scoring from SpamAssassin or clamav via Sanesecurity’s Phishing and Scam Signatures for ClamAV.
On this post, I will share some of the tactics that I have tried with SpamAssassin. With SpamAssassin, fighting image/PDF spam was trivial.
SpamAssassin rules
A) Built-in ruleset
TVD_PDF_FINGER01, which looks for mail matches standard pdf spam fingerprint (emails that have empty bodies
but contain PDF attachments), was added by the SpamAssassin developer. It works well by add 1.0 mark to PDF spam. However, this is too low to effectively catch PDF spam as threshold for tagging spam commonly stands at 5.0 - 10.0. Increasing the
score is a bad idea since a lot of lazy users regularly send PDF attachments with empty mail bodies, and this could lead to false positives.
B) Custom rulesets
This one goes to Ditesh as he wanted to further tighten his server by blocking attachment from stranger. I would suggest to use this ruleset with higher scoring. (Blocking is not a good idea). This custom ruleset was posted by Eric A. Hall on the SpamAssassin-Users
list recently. It uses the AWL to determine whether the sender of a binary
attachment is a stranger (Image/PDF spammers, of course, are strangers to you. ;-)). As MIMEHeader is included
by default in the SpamAssassin 3.2.x series, you can just happily add the ruleset to your local.cf.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeadermimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
mimeheader __L_C_TYPE_IMAGE Content-Type =~ /^image/i
mimeheader __L_C_TYPE_AUDIO Content-Type =~ /^audio/i
mimeheader __L_C_TYPE_VIDEO Content-Type =~ /^video/i
mimeheader __L_C_TYPE_MODEL Content-Type =~ /^model/i
meta L_STRANGER_APP (!AWL && __L_C_TYPE_APP)
score L_STRANGER_APP 1.0
tflags L_STRANGER_APP noautolearn
priority L_STRANGER_APP 1001 # defer till after AWL
describe L_STRANGER_APP Application file sent by a stranger
meta L_STRANGER_IMAGE (!AWL && __L_C_TYPE_IMAGE)
score L_STRANGER_IMAGE 1.0
tflags L_STRANGER_IMAGE noautolearn
priority L_STRANGER_IMAGE 1001 # defer till after AWL
describe L_STRANGER_IMAGE Image file sent by a stranger
meta L_STRANGER_AUDIO (!AWL && __L_C_TYPE_AUDIO)
score L_STRANGER_AUDIO 1.0
tflags L_STRANGER_AUDIO noautolearn
priority L_STRANGER_AUDIO 1001 # defer till after AWL
describe L_STRANGER_AUDIO Audio file sent by a stranger
meta L_STRANGER_VIDEO (!AWL && __L_C_TYPE_VIDEO)
score L_STRANGER_VIDEO 1.0
tflags L_STRANGER_VIDEO noautolearn
priority L_STRANGER_VIDEO 1001 # defer till after AWL
describe L_STRANGER_VIDEO Video file sent by a stranger
meta L_STRANGER_MODEL (!AWL && __L_C_TYPE_MODEL)
score L_STRANGER_MODEL 1.0
tflags L_STRANGER_MODEL noautolearn
priority L_STRANGER_MODEL 1001 # defer till after AWL
describe L_STRANGER_MODEL Model file sent by a stranger
endif
PDFInfo
Grab PDFInfo.pm and pdfinfo.cf from PDFInfo plugin site. Place pdfinfo.cf in the SpamAssassin’s configuration directory (/usr/local/etc/mail/spamassassin/) and PDFInfo.pm in the SpamAssassin plugin directory (/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/). To load the plugin, you should add loadplugin Mail::SpamAssassin::Plugin::PDFInfo to init.pre (or v310.pre). Alternatively, you could use loadplugin Mail::SpamAssassin::Plugin::PDFInfo /path/to/your/plugin for placing PDFinfo.pm file in directory other than your SpamAssassin plugin directory. With that in place, you restart your Spamassassin and verify that PDFInfo plugin was loaded properly with debug output from Spamassassin
spamassassin --lint -D
You should get similar lines as below:-
[32487] dbg: config: read file /usr/local/etc/mail/spamassassin/pdfinfo.cf
[32487] dbg: plugin: loading Mail::SpamAssassin::Plugin::PDFInfo from @INC
FuzzyOcr
I’ve installed FuzzyOcr plugin from the FreeBSD ports. /usr/ports/mail/p5-FuzzyOcr-devel/ FuzzyOcr development is recommended as stable release was way too old. It’s easy to maintain. However, manual installation is relatively easy as the tarball contains FuzzyOcr pearl module plugin, configure files and some sample test Image/PDF test mails. Just copy FuzzyOcr.cf and FuzzyOcr.words to the SpamAssassin’s configuration directory (If you installed from ports, the configuration file is located at /usr/local/share/examples/FuzzyOcr/. I created a directory in /var/db called “fuzzyocr” for all FuzzyOcr database and words list. My configuration file looks like this:-
focr_enable_image_hashing 2
focr_global_wordlist /var/db/fuzzyocr/FuzzyOcr.words
focr_scansets $gocr -i $pfile, $gocr -l 180 -d 2 -i $pfile, $ocrad -s 0.5 -T 0.5 $pfile
focr_digest_db /var/db/fuzzyocr/FuzzyOcr.hashdb
focr_db_hash /var/db/fuzzyocr/FuzzyOcr.db
focr_db_safe /var/db/fuzzyocr/FuzzyOcr.safe.db
focr_hashing_learn_scanned 1
Again verify if the plugin is loaded properly in spamassassin.
Other tactics
There are other tactics of fighting Image/PDF spam which I have not tried. As I’m aware of at this point of writting; PDFText and botnet plugin with patch.
CONCLUSIONS
There has been a lot of discussion/experience sharing on SpamAssassin-users and Maia-users list. One notable comment/experience (with the title : [Maia-users] PDF spam solutions) was posted by Robert LeBlanc on Maia-users list. It is comprehensive enough to give you an edge of fighting image/PDF spam. Nevertheless, new spam tactics are evolved day by day. Who knows we might be seeing M$ word / powerpoint spam soon.
On this post, I will share some of the tactics that I have tried with SpamAssassin. With SpamAssassin, fighting image/PDF spam was trivial.
SpamAssassin rules
A) Built-in ruleset
TVD_PDF_FINGER01, which looks for mail matches standard pdf spam fingerprint (emails that have empty bodies
but contain PDF attachments), was added by the SpamAssassin developer. It works well by add 1.0 mark to PDF spam. However, this is too low to effectively catch PDF spam as threshold for tagging spam commonly stands at 5.0 - 10.0. Increasing the
score is a bad idea since a lot of lazy users regularly send PDF attachments with empty mail bodies, and this could lead to false positives.
B) Custom rulesets
This one goes to Ditesh as he wanted to further tighten his server by blocking attachment from stranger. I would suggest to use this ruleset with higher scoring. (Blocking is not a good idea). This custom ruleset was posted by Eric A. Hall on the SpamAssassin-Users
list recently. It uses the AWL to determine whether the sender of a binary
attachment is a stranger (Image/PDF spammers, of course, are strangers to you. ;-)). As MIMEHeader is included
by default in the SpamAssassin 3.2.x series, you can just happily add the ruleset to your local.cf.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeadermimeheader __L_C_TYPE_APP Content-Type =~ /^application/i
mimeheader __L_C_TYPE_IMAGE Content-Type =~ /^image/i
mimeheader __L_C_TYPE_AUDIO Content-Type =~ /^audio/i
mimeheader __L_C_TYPE_VIDEO Content-Type =~ /^video/i
mimeheader __L_C_TYPE_MODEL Content-Type =~ /^model/i
meta L_STRANGER_APP (!AWL && __L_C_TYPE_APP)
score L_STRANGER_APP 1.0
tflags L_STRANGER_APP noautolearn
priority L_STRANGER_APP 1001 # defer till after AWL
describe L_STRANGER_APP Application file sent by a stranger
meta L_STRANGER_IMAGE (!AWL && __L_C_TYPE_IMAGE)
score L_STRANGER_IMAGE 1.0
tflags L_STRANGER_IMAGE noautolearn
priority L_STRANGER_IMAGE 1001 # defer till after AWL
describe L_STRANGER_IMAGE Image file sent by a stranger
meta L_STRANGER_AUDIO (!AWL && __L_C_TYPE_AUDIO)
score L_STRANGER_AUDIO 1.0
tflags L_STRANGER_AUDIO noautolearn
priority L_STRANGER_AUDIO 1001 # defer till after AWL
describe L_STRANGER_AUDIO Audio file sent by a stranger
meta L_STRANGER_VIDEO (!AWL && __L_C_TYPE_VIDEO)
score L_STRANGER_VIDEO 1.0
tflags L_STRANGER_VIDEO noautolearn
priority L_STRANGER_VIDEO 1001 # defer till after AWL
describe L_STRANGER_VIDEO Video file sent by a stranger
meta L_STRANGER_MODEL (!AWL && __L_C_TYPE_MODEL)
score L_STRANGER_MODEL 1.0
tflags L_STRANGER_MODEL noautolearn
priority L_STRANGER_MODEL 1001 # defer till after AWL
describe L_STRANGER_MODEL Model file sent by a stranger
endif
PDFInfo
Grab PDFInfo.pm and pdfinfo.cf from PDFInfo plugin site. Place pdfinfo.cf in the SpamAssassin’s configuration directory (/usr/local/etc/mail/spamassassin/) and PDFInfo.pm in the SpamAssassin plugin directory (/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/). To load the plugin, you should add loadplugin Mail::SpamAssassin::Plugin::PDFInfo to init.pre (or v310.pre). Alternatively, you could use loadplugin Mail::SpamAssassin::Plugin::PDFInfo /path/to/your/plugin for placing PDFinfo.pm file in directory other than your SpamAssassin plugin directory. With that in place, you restart your Spamassassin and verify that PDFInfo plugin was loaded properly with debug output from Spamassassin
spamassassin --lint -D
You should get similar lines as below:-
[32487] dbg: config: read file /usr/local/etc/mail/spamassassin/pdfinfo.cf
[32487] dbg: plugin: loading Mail::SpamAssassin::Plugin::PDFInfo from @INC
FuzzyOcr
I’ve installed FuzzyOcr plugin from the FreeBSD ports. /usr/ports/mail/p5-FuzzyOcr-devel/ FuzzyOcr development is recommended as stable release was way too old. It’s easy to maintain. However, manual installation is relatively easy as the tarball contains FuzzyOcr pearl module plugin, configure files and some sample test Image/PDF test mails. Just copy FuzzyOcr.cf and FuzzyOcr.words to the SpamAssassin’s configuration directory (If you installed from ports, the configuration file is located at /usr/local/share/examples/FuzzyOcr/. I created a directory in /var/db called “fuzzyocr” for all FuzzyOcr database and words list. My configuration file looks like this:-
focr_enable_image_hashing 2
focr_global_wordlist /var/db/fuzzyocr/FuzzyOcr.words
focr_scansets $gocr -i $pfile, $gocr -l 180 -d 2 -i $pfile, $ocrad -s 0.5 -T 0.5 $pfile
focr_digest_db /var/db/fuzzyocr/FuzzyOcr.hashdb
focr_db_hash /var/db/fuzzyocr/FuzzyOcr.db
focr_db_safe /var/db/fuzzyocr/FuzzyOcr.safe.db
focr_hashing_learn_scanned 1
Again verify if the plugin is loaded properly in spamassassin.
Other tactics
There are other tactics of fighting Image/PDF spam which I have not tried. As I’m aware of at this point of writting; PDFText and botnet plugin with patch.
CONCLUSIONS
There has been a lot of discussion/experience sharing on SpamAssassin-users and Maia-users list. One notable comment/experience (with the title : [Maia-users] PDF spam solutions) was posted by Robert LeBlanc on Maia-users list. It is comprehensive enough to give you an edge of fighting image/PDF spam. Nevertheless, new spam tactics are evolved day by day. Who knows we might be seeing M$ word / powerpoint spam soon.
Sunday, November 9, 2008
A first look at Internet Information Services 7.0
While Microsoft Internet Information Services 6.0 (IIS) was already a very good Web server, the product now has a number of improvements with IIS 7.0. Some of these enhancements are related to security and server management, while others are geared toward Web developers. Let's take a look at some the new features that matter most to network administrators.
Improved management tools
It may seem trivial, but my favorite improvement has got to be the new management tools. If you look at Figure A, you can see that the user interface has been completely redesigned from scratch. One of Microsoft's reasons for doing this was to create a management interface that allows you to manage Internet Information Services and ASP.NET through a single console.
As with most things in Windows Server 2008, IIS 7.0 has been tied into Windows PowerShell, which means you can perform various management tasks from the command line or through a PowerShell script. Microsoft has also created a new command line tool named APPCMD.EXE that helps automate common management tasks. In doing so, Microsoft has done away with the IIS 6.0-style administration scripts.
Improved troubleshooting
If you have ever tried to troubleshoot a problem with Internet Information Services 6.0, then you know that the troubleshooting process can be difficult, to say the least. Fortunately, Microsoft has finally taken some steps to make the troubleshooting process easier. The log file entries that IIS 7.0 produces are much more detailed than those created by IIS 6.0, and they include more status codes. These improvements should help administrators troubleshoot problems much faster.
Compartmentalized installation
One of the things about Internet Information Services that always bugged me was that it always seemed a bit bloated. Sure, Windows Server 2003 allows you to pick which IIS components you want to install, but many of these components are made of sub-components that cannot be disabled. Granted, IIS isn't that large of an application, but there is something to be said for reducing the potential attack surface of a Web server.
With Internet Information Services 7.0, Microsoft broke down IIS into dozens of modular components, each of which can be individually enabled or disabled. In Figure B, you can see just how granular the installation process has become.
SSL-encrypted FTP
Although IIS has supported Secure Sockets Layer (SSL) encryption for websites for many years now, for some reason, Microsoft never offered the ability to encrypt FTP traffic. In Internet Information Services 7.0, the company has completely rewritten its FTP server module to bring it up to date. Not only does it now support SSL encryption, but it also makes it easy to create FTP publishing points for Web applications, using either an independent authentication method or authentication via Microsoft Active Directory.
One thing I want to mention about the new FTP publishing service is that it is not actually included with Internet Information Services 7.0 -- although it is considered to be an officially supported IIS 7.0 feature. You can download the FTP publishing service here.
Delegated administration
Another cool new feature is something called delegated administration. The basic idea behind this feature is to make a single IIS server capable of hosting multiple websites. In the past, if admins could administer one website, they could manage every site hosted by the server. Internet Information Services 7.0 allows you to perform delegations so that administrators are limited to managing only specific websites or even individual parts of a website.
Remote administration
Traditionally, if an administrator wanted to manage Internet Information Services, then the tool of choice was usually the IIS Manager console. However, IIS 7.0 contains a new remote management tool called Web Management Services (WMSVC) that you can use to manage the server over the Web by using HTTPS. It is important to keep in mind that Web Management Services is not installed by default. You can find detailed instructions for installing this new component here.
All of these improvements go a long way toward making Internet Information Services 7.0 a lot more secure and easier to manage than IIS 6.0Wednesday, November 5, 2008
Quick Guide to compress / decompress files
tar (tar) | |
tar Packaging | tar cvf archive.tar / archive / May / * |
Unpack | tar xvf archive.tar |
See the content (not extract) | tar tvf archive.tar |
tar.gz -. tar.Z -. tgz (tar with gzip) | |
Pack and compress | tar czvf archive.tar.gz tar / archive / May / * |
Unpack and decompress | tar xzvf archive.tar.gz |
See the content (not extract) | tar tzvf archive.tar.gz |
gz (gzip) | |
Compress | gzip file-q (The file compresses it and rename it as "archive.gz") |
Unzip | gzip-d archive.gz (The file unzip it and leave it as a "file") |
Note: gzip only compresses files, not directories | |
bz2 (bzip2) | |
Compress | bzip2 file bunzip2 file (The file compresses it and rename it as "archive.bz2") |
Unzip | bzip2-d archive.bz2 bunzip2 archive.bz2 (The file unzip it and leave it as a "file") |
Note: only bzip2 compressed files, not directories | |
tar.bz2 (tar with bzip2) | |
Compress | tar-c files | bzip2> archive.tar.bz2 |
Unzip | bzip2-dc archive.tar.bz2 | tar-xv tar jvxf archive.tar.bz2 (recent versions of tar) |
View content | bzip2-dc archive.tar.bz2 | tar-tv |
zip (zip) | |
Compress | zip archive.zip / May / files |
Unzip | unzip archive.zip |
View content | unzip-v archive.zip |
rar (rar) | |
Compress | rar-a archive.rar / May / files |
Unzip | rar-x archive.rar |
View content | rar-v archive.rar rar-l archive.rar |
Sunday, November 2, 2008
Ubuntu…8.04 LTS Server
Take a look at the LTS version of the server. When it released it did not have LVM2, it did not have all of the updated software raid tools, it did not have acls installed either. Each of these is a standard option that any administrator would want available, especially in the LTS version. They could be installed manually once you installed 8.04 but they were later installed via the update process. The point is, Ubuntu should have released a solid up to date server version in 8.04, not build it as you go with updates. Administrators depend on their servers being up to speed when they install. In addition, adding LVM2, raid tools and acls at a later date after the installation are problematic.
Subscribe to:
Comments (Atom)
