icinga

Posted: June 21st, 2011 | Filed under: cisco, debian, ibm, infrastructure, it, juniper, linux, networking

building a large-scale monitoring system for a customer with icinga 1.4.0 + pnp4nagios 0.6 (bulk mode with npcd), db logging. it will monitor very different stuff … from servers to network, from esx(i) to linux machines, from firewalls to printers … good to see that all the needed software comes from the debian stable repositories (non-free). once again debian FTW !

http://docs.pnp4nagios.org/pnp-0.6/start

https://www.icinga.org/


say hello debian wheezy !

Posted: June 20th, 2011 | Filed under: debian, it, linux, virtualization

today i upgraded my workstation to debian testing aka wheezy with kernel 2.6.38-2-amd64. some problems with the mysql-server-5.1 and with vmware workstation 7.1.4 but overall ok. ( vmware patch : http://www.linuxinsight.com/vmware-workstation-7.1.3-runs-great-on-linux-kernel-2.6.37.html )


the blacklister

Posted: May 20th, 2011 | Filed under: it

these days i received a mail: one of my mailsystems/networks is blacklisted on an antispam system from the company http://www.sys2.de.

after some research i found news like this on http://www.sys2.de :

  • 21.04.2011 RBLSpam continues its run of success: 1.652.192.295 IPs blacklisted.

that means he blacklisted 38,63% of all ipv4 addresses ! respecta ! 🙂

after some more research we found out that the website is really funny ^^

parts of the “news” section:

  • 17.07.2008 Despite repeated requests, Google Mail stays on the blacklist
  • 25.06.2008 Google network 72.14.192.0/18 on the blacklist.

parts of the “customer comments” section:

  • Hello Mr. Weinert – guru of the internet (T.I.)
  • Well, that was quick!!! :)) (M.K.)
  • ooh, that was quick 🙂
  • You are the best !! (A.W.)
  • You are a hero!
  • It works! (K.B.)

KEEP IT UP !

 


jive sbs / upgrade / postgres problem

Posted: April 9th, 2011 | Filed under: centos, database, it, linux

after the upgrade to jive sbs 4.5.5.2 the conversion node doesn't work anymore. solution was to alter a table on the database machine:

alter table jiveDVRevision alter column metadata type varchar(5000);

old > (3500)


Ipsec tunnel / openswan <-> juniper ssg5

Posted: February 24th, 2011 | Filed under: debian, it, juniper, linux, networking

finally got it working: building a bidirectional ipsec tunnel between a juniper ssg5 and openswan@debian, both sites got static ip addresses

openswan config:


conn juniper_ssg5_01
    type=tunnel
    authby=secret
    auth=esp
    pfs=yes
    rekey=yes
    auto=start
    keylife=8h
    keyingtries=0
    keyexchange=ike
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    # Linux openswan
    leftid=1.1.1.1
    left=1.1.1.1 # external ip
    leftsubnet=10.1.10.0/24
    leftsourceip=10.1.10.1
    # SSG 5
    rightid=2.2.2.2
    right=2.2.2.2 # untrust interface
    rightsubnet=192.168.10.0/24

juniper screenos config / route based config


set interface "tunnel.2" zone "Untrust"
set ike p1-proposal "g14-esp-aes256-sha" preshare group14 esp aes256 sha-1 second 28800
set ike p2-proposal "g14-esp-aes256-sha" group14 esp aes256 sha-1 second 3600
set ike gateway "Gateway for 10.1.10.0/24" address 1.1.1.1 Main local-id "2.2.2.2" outgoing-interface "ethernet0/0" preshare "mysecretpsk" proposal "g14-esp-aes256-sha"
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal udp-checksum
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal keepalive-frequency 0
set ike accept-all-proposal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN for 10.1.10.0/24" gateway "Gateway for 10.1.10.0/24" replay tunnel idletime 0 proposal "g14-esp-aes256-sha"
set vpn "VPN for 10.1.10.0/24" id 0x3 bind interface tunnel.2
set vpn "VPN for 10.1.10.0/24" proxy-id local-ip 192.168.10.0/24 remote-ip 10.1.10.0/24 "ANY"
set policy id 34 from "Trust" to "Untrust" "Any" "10.1.10.0/24" "ANY" permit log count
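
A consistency check for the two configurations above, as an added example that is not part of the original post: it parses trimmed, constructed copies of the openswan conn and the ScreenOS lines and reports every item where the two ends disagree (gateway address and id, mirrored proxy-id selectors, phase 1 and phase 2 proposals). The function names and the `NAMES` table that maps openswan spellings to ScreenOS spellings are this example's own, and it assumes that with pfs=yes the phase 2 DH group follows the phase 1 group.

```python
import re
# Constructed, trimmed copies of the two configs from the post.
OPENSWAN = """\
conn juniper_ssg5_01
    pfs=yes
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    left=1.1.1.1 # external ip
    leftsubnet=10.1.10.0/24
    rightid=2.2.2.2
    rightsubnet=192.168.10.0/24
"""
SCREENOS = """\
set ike p1-proposal "g14-esp-aes256-sha" preshare group14 esp aes256 sha-1 second 28800
set ike p2-proposal "g14-esp-aes256-sha" group14 esp aes256 sha-1 second 3600
set ike gateway "Gateway for 10.1.10.0/24" address 1.1.1.1 Main local-id "2.2.2.2" outgoing-interface "ethernet0/0" preshare "mysecretpsk" proposal "g14-esp-aes256-sha"
set vpn "VPN for 10.1.10.0/24" proxy-id local-ip 192.168.10.0/24 remote-ip 10.1.10.0/24 "ANY"
"""
NAMES = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14", "sha1": "sha-1"}

def parse_openswan(text):
    """Return key=value pairs of the conn section; trailing # comments are dropped."""
    return dict(re.findall(r"^[ \t]+(\w+)=(\S+)", text, re.M))

def parse_screenos(text):
    """Pull both proposals, the gateway and the proxy-id out of the 'set' lines."""
    grab = lambda pattern: re.search(pattern, text).groups()
    return {
        "p1": grab(r"p1-proposal \S+ preshare (group\d+) esp (\w+) (sha-1|md5)"),
        "p2": grab(r"p2-proposal \S+ (group\d+|no-pfs) esp (\w+) (sha-1|md5)"),
        "gw": grab(r'gateway ".*?" address (\S+) \w+ local-id "(\S+?)"'),
        "proxy": grab(r"proxy-id local-ip (\S+) remote-ip (\S+)"),
    }

def mismatches(osw, ssg):
    """Name every item on which the two ends disagree; selectors must mirror each other."""
    enc, mac, dh = (NAMES.get(x, x) for x in osw["ike"].split("-"))
    esp = tuple(NAMES.get(x, x) for x in osw["esp"].split("-"))
    # Assumption: with pfs=yes the phase 2 DH group follows the phase 1 group.
    pfs = dh if osw["pfs"] == "yes" else "no-pfs"
    checks = [
        ("gateway address/local-id", (osw["left"], osw["rightid"]), ssg["gw"]),
        ("proxy-id selectors", (osw["rightsubnet"], osw["leftsubnet"]), ssg["proxy"]),
        ("phase 1 proposal", (dh, enc, mac), ssg["p1"]),
        ("phase 2 proposal", (pfs,) + esp, ssg["p2"]),
    ]
    return [name for name, ours, theirs in checks if ours != theirs]

print(mismatches(parse_openswan(OPENSWAN), parse_screenos(SCREENOS)))
```

An empty list means both ends describe the same tunnel; any name in the list is the item to fix before looking at IKE logs.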


ruby on rails

Posted: February 11th, 2011 | Filed under: database, it, linux

playing with ruby on rails (ror) – web application development framework; all the structure behind it looks very nice (mvc). it's possible to build really fast and easy something like “website with database backend and some functions”, which is “traditionally” made with php, css, html, *sql and/or … maybe ror is a topic for our next summer training in bodman – OH ! we got to plan this …

learn:

http://tryruby.org/

http://railsforzombies.org/

http://rubyonrails.org/screencasts/rails3

http://rubyonrails.org/

funny merchandise statement (ror – website):

“Ruby on Rails is astounding. Using it is like watching a kung-fu movie, where a dozen bad-ass frameworks prepare to beat up the little newcomer only to be handed their asses in a variety of imaginative ways.”
-Nathan Torkington, O’Reilly Program Chair for OSCON


Debian 6.0 “Squeeze” released

Posted: February 6th, 2011 | Filed under: debian, it, linux

say hello to squeeze – time to go wheezy !


vmware / centos 5 network settings

Posted: January 29th, 2011 | Filed under: centos, it, networking, virtualization

copied vm centos 5 machines with fixed ip settings to a different esxi server. put the machines in a vm net with an active dhcp server. the centos machines switched at boot-time to dhcp and automatically disabled the fixed ip settings. centos creates a new interface configuration file with dhcp settings. the old config file is backed up. why ? the mac address has changed ! (vmware moving). to prevent this you should probably configure the mac addresses from the old esxi system or adjust the network cfg files on centos.


routing mail with exim4 to different mailservers

Posted: January 29th, 2011 | Filed under: debian, it, linux, other

must do this to migrate mailboxes from exchange2k3 to exchange2010
i prefer postfix to do mta stuff but here we got exim4 …

the transport still exists (remote_smtp > 30_exim4-config_remote_smtp)

router:

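special_routes:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp
  host_find_failed = defer
  # off, because the route depends on the local part: one recipient's
  # route must not be copied to other recipients in the same domain
  same_domain_copy_routing = no
  # try the full address first, then fall back to the domain; a lookup
  # on $domain alone never matches the email@dumb.com key in the routes file
  route_data = ${lookup{$local_part@$domain}lsearch{/etc/exim4/routes}{$value}{${lookup{$domain}lsearch{/etc/exim4/routes}}}}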

/etc/exim4/routes :
email@dumb.com: newmailserver.com
dumb.com: oldmailserver.com


snort / openvas / cain

Posted: January 24th, 2011 | Filed under: debian, it, linux, networking

installed snort-mysql / acidbase on debian testing and did a base configuration in 5 minutes; after installing the necessary sql files, i only had to uncomment one line in the snort configfile, set the subnet to scan, define the nic – done. always really impressive what you can do/see with this piece of free software after 10 minutes. also installed an openvas server – it seems like there is no windows client out there. nice to see that the cain & abel toolkit is still under development. i need these systems for a demo / lecture on wednesday …

edit: the openvas-client using macports under os x works pretty good.