ba-zoo-ra

Securing OpenSSH

2011-09-23T14:20:00.000+08:00

OpenSSH (or Secure SHell) has become a de facto standard for remote access replacing the telnet protocol. SSH has made protocols such as telnet redundant due, in most part, to the fact that the connection is encrypted and passwords are no longer sent in plain text for all to see.

However, a default installation of ssh isn't perfect, and when running an ssh server there are a few simple steps that can dramatically harden an installation.

1. Use Strong Passwords/Usernames

One of the first things you'll notice if you have ssh running and exposed to the outside world is that you'll probably log attempts by hackers to guess your username/password. Typically a hacker will scan for port 22 (the default port on which ssh listens) to find machines with ssh running, and then attempt a brute-force attack against it. With strong passwords in place, hopefully any attack will be logged and noticed before it can succeed.

Hopefully you already use strong passwords, but if you are not then try to choose passwords that contains:

* Minimum of 8 characters
* Mix of upper and lower case letters
* Mix of letters and numbers
* Non alphanumeric characters (e.g. special characters such as ! " £ $ % ^ etc)

The benefits of strong passwords aren't specific to ssh, but have an impact on all aspects of systems security. Further information on passwords can be found in the CentOS documentation:

http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-wstation-pass.html

If you absolutely can't prevent your users choosing weak passwords, then consider using randomly generated or difficult to guess usernames for your user accounts. If the bad guys can't guess the username then they can't brute force the password. However, this is still security through obscurity and be aware of information leakage of usernames from things such as email sent from user accounts.

2. Disable Root Logins

SSH server settings are stored in the /etc/ssh/sshd_config file. To disable root logins, make sure you have the following entry:

# Prevent root logins:
PermitRootLogin no

and restart the sshd service:

service sshd restart

If you need root access, login as a normal user and use the su command.

3. Limit User Logins

SSH logins can be limited to only certain users who need remote access. If you have many user accounts on the system then it makes sense to limit remote access to only those that really need it thus limiting the impact of a casual user having a weak password. Add an AllowUsers line followed by a space separated list of usernames to /etc/ssh/sshd_config. For example:

AllowUsers alice bob

and restart the sshd service.

4. Disable Protocol 1

SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the /etc/ssh/sshd_config file, uncomment it and amend as shown:

# Protocol 2,1
Protocol 2

and restart the sshd service.

5. Use a Non-Standard Port

By default, ssh listens for incoming connections on port 22. For a hacker to determine ssh is running on your machine, he'll most likely scan port 22 to determine this. An effective method is to run ssh on a non-standard port. Any unused port will do, although one above 1024 is preferable. Many people choose 2222 as an alternative port (as it's easy to remember), just as 8080 is often known as the alternative HTTP port. For this very reason, it's probably not the best choice, as any hacker scanning port 22 will likely also be scanning port 2222 just for good measure. It's better to pick some random high port that's not used for any known services. To make the change, add a line like this to your /etc/ssh/sshd_config file:

# Run ssh on a non-standard port:
Port 2345 #Change me

and restart the sshd service. Don't forget to then make any necessary changes to port forwarding in your router and any applicable firewall rules.

Because ssh is no longer listening for connections on the standard port, you will need to tell your client what port to connect on. Using the ssh client from the command line, we may specify the port using the -p switch:

$ ssh -p 2345 myserver

or if you are using the fish protocol in konqueror, for example:

fish://myserver:2345/remote/dir

If you are thinking that this sounds like a pain having to specify the port each time you connect, simply add an entry specifying the port in your local ~/.ssh/config file:

# Client ~/.ssh/config
Host myserver
HostName 72.232.194.162
User bob
Port 2345

~/.ssh/config must have the following permissions:

$ chmod 600 ~/.ssh/config

6. Filter SSH at the Firewall

If you only need remote access from one IP address (say from work to your home server), then consider filtering connections at your firewall by either adding a firewall rule on your router or in iptables to limit access on port 22 to only that specific IP address. For example, in iptables this could be achieved with the following type of rule:

iptables -A INPUT -p tcp -s 72.232.194.162 --dport 22 -j ACCEPT

SSH also natively supports TCP wrappers and access to the ssh service may be similarly controlled using hosts.allow and hosts.deny.

If you are unable to limit source IP addresses, and must open the ssh port globally, then iptables can still help prevent brute-force attacks by logging and blocking repeated attempts to login from the same IP address. For example,

iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

The first rule records the IP address of each attempt to access port 22 using the recent module. The second rule checks to see if that IP address has attempted to connect 4 or more times within the last 60 seconds, and if not then the packet is accepted. Note this rule would require a default policy of DROP on the input chain.

Here's another example, this time using iptables limit module to limit the the number of connections to the ssh port to 3 per minute:

iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j DROP

The first line will accept new connections on port 22 provided that IP address hasn't made more than 3 connection attempts in the last minute. If more than 3 connection attempts have been made within the last minute, then the second line will DROP the connection.

Don't forget to change the port as appropriate if you are running ssh on a non-standard port. Where possible, filtering at the firewall is an extremely effective method of securing access to an ssh server.

7. Use Public/Private Keys for Authentication

Using encrypted keys for authentication offers two main benefits. Firstly, it is convenient as you no longer need to enter a password (unless you encrypt your keys with password protection) if you use public/private keys. Secondly, once public/private key pair authentication has been set up on the server, you can disable password authentication completely meaning that without an authorized key you can't gain access - so no more password cracking attempts.

It's a relatively simple process to create a public/private key pair and install them for use on your ssh server.

First, create a public/private key pair on the client that you will use to connect to the server (you will need to do this from each client machine from which you connect):

$ ssh-keygen -t rsa

This will create two files in your (hidden) ~/.ssh directory called id_rsa and id_rsa.pub. id_rsa is your private key and id_rsa.pub is your public key.

If you don't want to still be asked for a password each time you connect, just press enter when asked for a password when creating the key pair. It is up to you to decide whether or not you should password encrypt your key when you create it. If you don't password encrypt your key, then anyone gaining access to your local machine will automatically have ssh access to the remote server. Also, root on the local machine has access to your keys although one assumes that if you can't trust root (or root is compromised) then you're in real trouble. Encrypting the key adds additional security at the expense of eliminating the need for entering a password for the ssh server only to be replaced with entering a password for the use of the key.

Now set permissions on your private key:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa

Copy the public key (id_rsa.pub) to the server and install it to the authorized_keys list:

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Note: once you've imported the public key, you can delete it from the server.

and finally set file permissions on the server:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default).

Now when you login to the server you won't be prompted for a password (unless you entered a password when you created your key pair). By default, ssh will first try to authenticate using keys. If no keys are found or authentication fails, then ssh will fall back to conventional password authentication.

Once you've checked you can successfully login to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:

# Disable password authentication forcing use of keys
PasswordAuthentication no

8. Frequently Asked Question (FAQ)

Q: CentOS uses version X of OpenSSH and the latest version is version Y. Version X contained a serious security flaw, should I upgrade?

A: No. The Upstream Vendor has a policy of backporting security patches from the latest releases into the current distribution version. As long as you have the latest updates applied for your CentOS distribution you are fully patched. See here for further details of backporting security patches:

http://www.redhat.com/advice/speaks_backport.html

9. Links

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-openssh.html

http://www.dragonresearchgroup.org/insight/sshpwauth-tac.html

vSphere - Virtual Center Server Service Stops

2011-08-08T10:57:00.004+08:00

Problem
If your VC Database reaches 4GB, the VMware Virtual Centre Server service will stop. A restart of it will result in the service stopping again within a minute. You will also see see this event logged. Description: Could not allocate space for object 'dbo.VPX_HOST_VM_CONFIG_OPTION'.'PK_VPX_HOST_VM_CONFIG_OPTION' in database 'VIM_VCDB' because the 'PRIMARY' filegroup is full. Create disk space by deleting unneeded files, dropping objects in the filegroup, adding additional files to the filegroup, or setting autogrowth on for existing files in the filegroup
Solution
1. Download and install the Microsft SQL Server Management Studio Express. 2. Connect to Servername\SQLEXP_VIM and login with Windows Authentication. 3. Expand databases > Expand VIM_VCDB > Expand Tables > Open table dbo.VPX_PARAMETER: 4. Modify event.maxAge to a be 30 > Modify event.maxAgeEnabled to value of true. 5. Modify task.maxAge to be 30 > Modify task.maxAgeEnabled to a value of true. 5. Then run the built in stored procedure: from the VCDB > Programmability > Stored Procedures. 6. Right Click dbo.cleanup_events_tasks_proc and click "Execute Stored Procedure". 7. This will purge the data from tables: vpx_event, vpx_event_arg and vpx_task based on the date specified for maxAge. 8. When this has sucessfully completed, close the SQL Management Studio down > Then start the VMware Virtual Centre Server service.
Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation. If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).
References - Credits - Or External Links
All Credit to Andrew Dorrian & http://www.petenetlive.com/KB/Article/0000479.htm

How to Save Flash Games & SWF

2011-06-09T10:45:00.000+08:00

Saving Flash files from Firefox

Firefox for Newbies
a. Click Tools - Page Info
b. Click the Media Tab on the Page Info Windows
c. The media tab has a complete list (with preview) of Images, CSS Files and Shockwave Flash files that were downloaded by the Firefox browser while rendering (loading) the page.
d. Scroll down the list and locate the swf file.
e. Click the "Save As" button. Select some directory on your hard drive and save the file (No need for a third-party plug-in)

Firefox for Geeks and Power Users
a. Type about:blank in the Firefox address bar
b. Now click List cache entries or directly type about:cache?device=disk (Disk cache device)
c. Press Ctrl+F and try to location the flash file by typing some part of website URL or the flash file name or just .swf. After some hit and trial, you should be able to locate the swf file URL
d. Click the SWF URL to open the Cache Entry Information page. Right click on the link and choose "Save link as"

How to save flash in IE browser

a. Click Tools - Internet Options
b. In the General Tab, click the Settings button available in the Temporary Internet Files group.
c. Click View Files to open your Temporary Internet Files folder. Depending upon your IE settings, the Temp. folder can contain tens of thousands of files.
d. Click View - Details. Now click View - Arrange Icons By - Internet Address. Depending upon the webpage, there could one or more Flash files (Shockwave Flash Object) under the Inernet Address.
e. Once you find the right flash file, right-click and choose Copy. Then paste the swf file in any other directory. Be sure to
keep the page and IE open to avoid purging of the cache file.

For newbies, I suggest the following approaches:
1. Get a download accelerator like Flashget and tell it to automatically download the shockwave extention (*.swf)
2. Or download a free IE plug-in for saving flash files.

How to save Flash files from Opera or Google Chromebrowser
Just like IE, these browsers store the flash files in the browser cache.

source:

http://labnol.blogspot.com/2005/11/save-flash-from-firefox-and-ie.html

Converting 32bit RRD to 64bit RRD

2011-01-17T14:32:00.002+08:00

Converting 32bit RRD to 64bit RRD (moving cacti between architectures)

On the 32 bit machine in /var/www/cacti/rra/ run in SSH:

for i in `find -name "*.rrd"`; do rrdtool dump $i > $i.xml; done

Transfer xml files to the other 64 bit machine and the same location.
On the 64 bit machine run in SSH:

for i in `find -name "*.xml"`; do rrdtool restore $i `echo $i |sed s/.xml//g`; done

Disable memory ballooning in VMWare

2011-01-13T07:31:00.000+08:00

Connect directly to the ESX Server host where the virtual machine resides on, using Virtual Infrastructure Client (VI Client).
- Shut down the virtual machine.
- Right-click on the virtual machine listed on the Inventory panel and click Edit Settings.
- Click the Options tab and select General.
- Click Configuration Parameters.
- Click Add row and add the parameter sched.mem.maxmemctl in the text box.
- Click on the row next to it and add 0 in the text box.
- Click OK to save changes.

Backup Cisco IOS stored in diffent directory

2010-08-05T11:40:00.002+08:00

1. To view flash content:

3550-SW1#dir flash:

Directory of flash:/

4 -rwx 796 Mar 01 1993 02:33:32 vlan.dat
5 -rwx 2783 Mar 01 1993 01:25:54 config.text
8 drwx 192 Mar 01 1993 00:04:30 c3550-i5q3l2-mz.121-14.EA1a
7 -rwx 2683 Mar 01 1993 02:35:26 config.old
86 -rwx 5 Mar 01 1993 01:25:54 private-config.text

2. To view sub-directory content:

3550-SW1#dir flash:/c3550-i5q3l2-mz.121-14.EA1a
Directory of flash:/c3550-i5q3l2-mz.121-14.EA1a/

9 drwx 2304 Mar 01 1993 00:03:03 html
84 -rwx 4086819 Mar 01 1993 00:04:30 c3550-i5q3l2-mz.121-14.EA1a.bin
85 -rwx 255 Mar 01 1993 00:04:30 info

3. To backup:

3550-SW1#copy flash:/c3550-i5q3l2-mz.121-14.EA1a/c3550-i5q3l2-mz.121-14.EA1a.bin tftp

How to SFTP if the default ssh port is changed

2010-07-21T08:08:00.000+08:00

Usually if the SFTP is enabled in your server, it will try to use the default port SSH port 22 even though the SSH port is changed to some other custom port.

root@localhost/~$sftp root@
Connecting to ...
ssh: connect to host  port 22: Connection refused
Couldn't read packet: Connection reset by peer

Here the SSH port is changed to 2200 instead of 22. But SFTP tries to connect it with 22. In this case we can connect to SFTP with the custom SSH port by running the following command.

root@localhost/~$sftp -oPort=2200 root@
Connecting to ...
root@'s password:
sftp>

http://kb.bobcares.com

Upgrading Openssh on CentOS And Chrooting a User When Connecting via SFTP

2010-07-21T07:54:00.000+08:00

Consider a scenario, where a user needs to connect to the server via sftp and should restrict the access only to its home directory. The OpenSSH-4.x does not support chrooting facility. We need to upgrade it to OpenSSH-5.x. Before upgrading openssh, we need to make sure that pam, openssl and kerberos packages are installed. If not, run the following command to install it.

$ rpm -qa | grep -e openssl -e krb -e openssh
openssh-clients-4.3p2-36.el5_4.4
openssh-server-4.3p2-36.el5_4.4
krb5-devel-1.6.1-36.el5_4.1
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
openssh-4.3p2-36.el5_4.4
krb5-libs-1.6.1-36.el5_4.1

$ yum install pam pam-devel krb5-devel

Yum will install all the dependency packages. Now, you are ready to upgrade OpenSSH.

Steps to Upgrade OpenSSH from 4.x - 5.x
=================================

1. Download latest OpenSSH package. You can select any mirror site from this link
or You can use the link OpenSSH
2. Run the following commands.

$ tar -zxf openssh-5.4p1.tar.gz
$ cd openssh-5.4p1
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine
$ make
$ make install

Prefix is important. We should not install the latest openssh to the default location.
3. Open the file "/usr/local/ssh/etc/sshd_config".
4. Change the default port to a non-standard ssh port, say 1234.
5. Save and quit.
7. Run the following command.

$ /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

8. Make sure that both old and new version of SSH are running on the server.

$ ps aux | grep ssh
root 31987 0.0 0.0 7164 1032 ? Ss 22:48 0:00 /usr/sbin/sshd
root 32280 0.0 0.0 5432 996 ? Ss 22:48 0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

9. OpenSSH upgrade is complete.

Testing Phase
============

You should make sure that the upgraded version does not have any problem. Login to the server from your local konsole.

$ ssh test@my.testserver.com -p 1234

You should login without any problem if the installation part went fine. Now, follow the steps given below to make the upgraded openssh to listen on default port.

1. Open /usr/local/ssh/etc/sshd_config
2. Change port to default port, i.e 22.
3. Save and quit
4. Kill or terminate all the instances of sshd running on the server.
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config"

Chrooting a User When Connecting via SFTP
===================================

To restrict a user to his home directory when he connects to the server via sftp, follow the steps given below.

1. Open the configuration file "/usr/local/ssh/etc/sshd_config".
2. Append the following lines to the configuration file.

Subsystem sftp internal-sftp
Match User testuser
        ChrootDirectory /var/www/html/test
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

3. You should comment the line: "Subsystem sftp /usr/local/ssh/libexec/sftp-server"
4. Save and quit.
5. Terminate the SSH server and start it again using the command:

/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

6. Done

Test it using any FTP clients like WinSCP, FileZilla, CuteFTP and make sure that the user is restricted to his own home directory and he cannot access anything outside his home directory.

Note:- "/usr/local/ssh" is the prefix I used for new openssh installation. You should replace it with your prefix.

With the new openssh running on the server you should not start or restart the ssh using the init script. If you want to manage it via init script, edit the init script accordingly.

Open the file "/etc/init.d/sshd". Find the line 'prog="sshd"'. Below this line add "SSH="/usr/local/ssh". And replace the lines:

KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key

with the following lines:

KEYGEN=$SSH/bin/ssh-keygen
SSHD=$SSH/sbin/sshd
RSA1_KEY=$SSH/etc/ssh_host_key
RSA_KEY=$SSH/etc/ssh_host_rsa_key
DSA_KEY=$SSH/etc/ssh_host_dsa_key

Save and quit. Restart the openssh server using the command:

/etc/init.d/sshd restart

Confirm that the SSH server is started from the newly installed openssh i.e openssh 5.x.

$ ps aux | grep ssh
root 11791 0.0 0.0 5432 996 ? Ss Mar18 0:00 /usr/local/ssh/sbin/sshd

It will be better if you move the old ssh binaries and create a symlink to the new SSH binaries.

$ mv /usr/bin/ssh /usr/bin/ssh-bak
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-scan-bak
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent

The upgrade and setup of OpenSSH is now complete.

http://kb.bobcares.com/

Turn on DMA mode on a hard drive

2010-07-21T07:53:00.003+08:00

DMA

Direct memory access (DMA) allows certain hardware subsystems within the computer to access system memory for reading and/or writing independently of the central processing unit. It uses a procedure called cycle stealing, where the central processor memory access cycles are delayed for very short times to intersperse DMA controller memory access cycles. DMA is used for transferring data between the local memory and the main memory.

You can turn On DMA mode on a hard drive

You can check whether DMA is enabled on a hard drive for the IDE harddrive.

hdparm -iv /dev/hd

If DMA is on, the output should contain the following line,

using_dma = 1 (on)

If it is off you can enable it as follows,

hdparm -d /dev/hd

This will toggle the value of "using_dma" (It will turn off the value of "using_dma" if it was already on).

http://kb.bobcares.com/

Enable quota in the server

2010-07-21T07:53:00.000+08:00

If quotas are not enabled for the partition, the following error will occur while doing a quotacheck in the server. In case of Cpanel server, /scripts/initquotas will throw the following error.

/scripts/initquotas
Quotas are now on
Updating Quota Files......
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
....Done

You need to follow the steps given below:

$ touch /quota.user /quota.group
$ chmod 600 /quota.*
$ mount -o remount /
$ quotaoff -a
$ vi /etc/fstab
( open 'fstab' file and add usrquota,grpquota to the partition where you want to have quota on. That is, for example, add the entry like:
/dev/ubd0 / ext3 defaults,noatime,usrquota,grpquota 1 0 )
$ quotaon -a

Then you can execute the script successfully without any errors. You can run a quotacheck in the server. In Cpanel server, you can run
initquotas without any errors.

http://kb.bobcares.com/

Signals, really cool!

2010-07-21T07:52:00.000+08:00

In short, its the notification sent to a process to notify it of the various events. We are familiar with signal SIGKILL (9) and it is used to terminate a process, especially when the server load becomes abnormal. There are situations where we cannot simply kill the processes away, for example, when a critical backup process overloads the server.

The kill command has signals to suspend/unsuspend a process temporarily without killing it. Here we go ...

kill -SIGSTOP 17065 ; To suspend it temporarily
kill -SIGCONT 17065 ; To unsuspend ...

If you want to see the other signals available, try kill -l

Try it out, when you get a chance

http://kb.bobcares.com/

Logging server load to /var/log/messages

2010-07-21T07:51:00.003+08:00

There can be issues when the server goes offline and you can't find any related log entries in the server. One of the issue that can cause is high load in the server. But we wont be able to conclude whether the load was the exact issue after the server reboot.

The better solution to find the load is set a cronjob to enter the load in the server to /var/log/messages for a particular amount of time. A sample cron is shown below which will log the server load every 10 minutes to /var/log/messages.

*/10 * * * * uptime | logger -t "SERVER LOAD"

Now you will be able to get the load from /var/log/messages

http://kb.bobcares.com/

Splitting a file in GNU/Linux

2010-07-21T07:51:00.000+08:00

If you want to split a file "example" with size 9.6 Mb( 10000000 b) into two, then the command to do the same is:

$ split -b 5000000 example

File "example" is now split into two files "xaa" and "xab" by default and these two files will be having the size 5000000 b. Reducing file size will lead to more number of new files generated. You can also specify the output filename. Suppose you want to use output file name as "wxz", then the following command will help you:

$ split -b 5000000 example wxz

Now how to join the splitted files? You can use the cat command to join the splitted files. For example if the new files generated by split are "xaa", "xab" and "xac", use the following command to join the splitted files.

$ cat xa* > filename

http://kb.bobcares.com/

Useful Kernel manipulation commands

2010-07-21T07:50:00.003+08:00

To find out the kernel version

$ cat /usr/include/linux/version.h

To find out the Linux version of the currently executing kernel by,

$ cat /proc/version
$ uname -a

The command used to check your architecture

$ uname -i

To find out the current Loadable kernel module from

$ /sbin/lsmod
$ cat /proc/modules

Load a kernel module (without dependency in to running kernel).

$ rmmod module name
$ insmod module name

Load a kernel module (with dependency in to running kernel).

$ /sbin/modprobe kernel module name

http://kb.bobcares.com/

Saturation of open files in the system

2010-07-21T07:50:00.000+08:00

In the server logs, you can see the message as follows.

Too many open files in system and your server is performing very slowly,try doubling the following proc variable : fs.file-max

1. Find out the current value of the concerned file.

$ sysctl -a|grep file

OR

$ cat /proc/sys/fs/file-max

2. Increase or double the current value using

echo > /proc/sys/fs/file-max

http://kb.bobcares.com/

Set up Auto-Logout for root user

2010-07-21T07:49:00.000+08:00

We can set up automatic logout for root session so that session gets logged off, if it is idle for a while. It is important to know this as any sneaker can misuse the situation, when a root user leaves the session idle. The method is very simple and as follows:

1) Login as root
2) vi ~/.bash_profile
3) Add this line: export TMOUT=300
4) Save and quit the file

Here TMOUT is an environment variable which instructs the bash shell to exit if the session is idle. Here timeout is set as 300 seconds ( 5 minutes ).

http://kb.bobcares.com/

20 Linux System Monitoring Tools Every SysAdmin Should Know

2010-05-31T15:08:00.000+08:00

from: NixCraft: http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html

by Vivek Gite

Need to monitor Linux server performance? Try these built-in command and a few add-on tools. Most Linux distributions are equipped with tons of monitoring. These tools provide metrics which can be used to get information about system activities. You can use these tools to find the possible causes of a performance problem. The commands discussed below are some of the most basic commands when it comes to system analysis and debugging server issues such as:

Finding out bottlenecks.
Disk (storage) bottlenecks.
CPU and memory bottlenecks.
Network bottlenecks.

#1: top - Process Activity Command

The top program provides a dynamic real-time view of a running system i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds.

Fig.01: Linux top command

Commonly Used Hot Keys

The top command provides several useful hot keys:

Hot Key	Usage
t	Displays summary information off and on.
m	Displays memory information off and on.
A	Sorts the display by top consumers of various system resources. Useful for quick identification of performance-hungry tasks on a system.
f	Enters an interactive configuration screen for top. Helpful for setting up top for a specific task.
o	Enables you to interactively select the ordering within top.
r	Issues renice command.
k	Issues kill command.
z	Turn on or off color/mono

=> Related: How do I Find Out Linux CPU Utilization?

#2: vmstat - System Activity, Hardware and System Information

The command vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity.
# vmstat 3
Sample Outputs:

procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0      0 2540988 522188 5130400    0    0     2    32    4    2  4  1 96  0  0
 1  0      0 2540988 522188 5130400    0    0     0   720 1199  665  1  0 99  0  0
 0  0      0 2540956 522188 5130400    0    0     0     0 1151 1569  4  1 95  0  0
 0  0      0 2540956 522188 5130500    0    0     0     6 1117  439  1  0 99  0  0
 0  0      0 2540940 522188 5130512    0    0     0   536 1189  932  1  0 98  0  0
 0  0      0 2538444 522188 5130588    0    0     0     0 1187 1417  4  1 96  0  0
 0  0      0 2490060 522188 5130640    0    0     0    18 1253 1123  5  1 94  0  0

Display Memory Utilization Slabinfo

# vmstat -m

Get Information About Active / Inactive Memory Pages

# vmstat -a
=> Related: How do I find out Linux Resource utilization to detect system bottlenecks?

#3: w - Find Out Who Is Logged on And What They Are Doing

w command displays information about the users currently on the machine, and their processes.

# w username
# w vivek

Sample Outputs:

17:58:47 up 5 days, 20:28,  2 users,  load average: 0.36, 0.26, 0.24
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.1.3.145       14:55    5.00s  0.04s  0.02s vim /etc/resolv.conf
root     pts/1    10.1.3.145       17:43    0.00s  0.03s  0.00s w

#4: uptime - Tell How Long The System Has Been Running

The uptime command can be used to see how long the server has been running. The current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.
# uptime
Output:

18:02:41 up 41 days, 23:42,  1 user,  load average: 0.00, 0.00, 0.00

1 can be considered as optimal load value. The load can change from system to system. For a single CPU system 1 - 3 and SMP systems 6-10 load value might be acceptable.

#5: ps - Displays The Processes

ps command will report a snapshot of the current processes. To select all processes use the -A or -e option:
# ps -A
Sample Outputs:

PID TTY          TIME CMD
    1 ?        00:00:02 init
    2 ?        00:00:02 migration/0
    3 ?        00:00:01 ksoftirqd/0
    4 ?        00:00:00 watchdog/0
    5 ?        00:00:00 migration/1
    6 ?        00:00:15 ksoftirqd/1
....
.....
 4881 ?        00:53:28 java
 4885 tty1     00:00:00 mingetty
 4886 tty2     00:00:00 mingetty
 4887 tty3     00:00:00 mingetty
 4888 tty4     00:00:00 mingetty
 4891 tty5     00:00:00 mingetty
 4892 tty6     00:00:00 mingetty
 4893 ttyS1    00:00:00 agetty
12853 ?        00:00:00 cifsoplockd
12854 ?        00:00:00 cifsdnotifyd
14231 ?        00:10:34 lighttpd
14232 ?        00:00:00 php-cgi
54981 pts/0    00:00:00 vim
55465 ?        00:00:00 php-cgi
55546 ?        00:00:00 bind9-snmp-stat
55704 pts/1    00:00:00 ps

ps is just like top but provides more information.

Show Long Format Output

# ps -Al
To turn on extra full mode (it will show command line arguments passed to process):
# ps -AlF

To See Threads ( LWP and NLWP)

# ps -AlFH

To See Threads After Processes

# ps -AlLm

Print All Process On The Server

# ps ax
# ps axu

Print A Process Tree

#  ps -ejH
#  ps axjf
#  pstree

Print Security Information

# ps -eo euser,ruser,suser,fuser,f,comm,label
# ps axZ
# ps -eM

See Every Process Running As User Vivek

# ps -U vivek -u vivek u

Set Output In a User-Defined Format

# ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
# ps -eopid,tt,user,fname,tmout,f,wchan

Display Only The Process IDs of Lighttpd

# ps -C lighttpd -o pid=
OR
# pgrep lighttpd
OR
# pgrep -u vivek php-cgi

Display The Name of PID 55977

# ps -p 55977 -o comm=

Find Out The Top 10 Memory Consuming Process

# ps -auxf | sort -nr -k 4 | head -10

Find Out top 10 CPU Consuming Process

# ps -auxf | sort -nr -k 3 | head -10

#6: free - Memory Usage

The command free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.
# free
Sample Output:

total       used       free     shared    buffers     cached
Mem:      12302896    9739664    2563232          0     523124    5154740
-/+ buffers/cache:    4061800    8241096
Swap:      1052248          0    1052248

=> Related: :

#7: iostat - Average CPU Load, Disk Activity

The command iostat report Central Processing Unit (CPU) statistics and input/output statistics for devices, partitions and network filesystems (NFS).
# iostat
Sample Outputs:

Linux 2.6.18-128.1.14.el5 (www03.nixcraft.in)  06/26/2009

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           3.50    0.09    0.51    0.03    0.00   95.86

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda              22.04        31.88       512.03   16193351  260102868
sda1              0.00         0.00         0.00       2166        180
sda2             22.04        31.87       512.03   16189010  260102688
sda3              0.00         0.00         0.00       1615          0

=> Related: : Linux Track NFS Directory / Disk I/O Stats

#8: sar - Collect and Report System Activity

The sar command is used to collect, report, and save system activity information. To see network counter, enter:
# sar -n DEV | more
To display the network counters from the 24th:
# sar -n DEV -f /var/log/sa/sa24 | more
You can also display real time usage using sar:
# sar 4 5
Sample Outputs:

Linux 2.6.18-128.1.14.el5 (www03.nixcraft.in)   06/26/2009

06:45:12 PM       CPU     %user     %nice   %system   %iowait    %steal     %idle
06:45:16 PM       all      2.00      0.00      0.22      0.00      0.00     97.78
06:45:20 PM       all      2.07      0.00      0.38      0.03      0.00     97.52
06:45:24 PM       all      0.94      0.00      0.28      0.00      0.00     98.78
06:45:28 PM       all      1.56      0.00      0.22      0.00      0.00     98.22
06:45:32 PM       all      3.53      0.00      0.25      0.03      0.00     96.19
Average:          all      2.02      0.00      0.27      0.01      0.00     97.70

#9: mpstat - Multiprocessor Usage

The mpstat command displays activities for each available processor, processor 0 being the first one. mpstat -P ALL to display average CPU utilization per processor:
# mpstat -P ALL
Sample Output:

Linux 2.6.18-128.1.14.el5 (www03.nixcraft.in)   06/26/2009

06:48:11 PM  CPU   %user   %nice    %sys %iowait    %irq   %soft  %steal   %idle    intr/s
06:48:11 PM  all    3.50    0.09    0.34    0.03    0.01    0.17    0.00   95.86   1218.04
06:48:11 PM    0    3.44    0.08    0.31    0.02    0.00    0.12    0.00   96.04   1000.31
06:48:11 PM    1    3.10    0.08    0.32    0.09    0.02    0.11    0.00   96.28     34.93
06:48:11 PM    2    4.16    0.11    0.36    0.02    0.00    0.11    0.00   95.25      0.00
06:48:11 PM    3    3.77    0.11    0.38    0.03    0.01    0.24    0.00   95.46     44.80
06:48:11 PM    4    2.96    0.07    0.29    0.04    0.02    0.10    0.00   96.52     25.91
06:48:11 PM    5    3.26    0.08    0.28    0.03    0.01    0.10    0.00   96.23     14.98
06:48:11 PM    6    4.00    0.10    0.34    0.01    0.00    0.13    0.00   95.42      3.75
06:48:11 PM    7    3.30    0.11    0.39    0.03    0.01    0.46    0.00   95.69     76.89

#10: pmap - Process Memory Usage

The command pmap report memory map of a process. Use this command to find out causes of memory bottlenecks.
# pmap -d PID
To display process memory information for pid # 47394, enter:
# pmap -d 47394
Sample Outputs:

47394:   /usr/bin/php-cgi
Address           Kbytes Mode  Offset           Device    Mapping
0000000000400000    2584 r-x-- 0000000000000000 008:00002 php-cgi
0000000000886000     140 rw--- 0000000000286000 008:00002 php-cgi
00000000008a9000      52 rw--- 00000000008a9000 000:00000   [ anon ]
0000000000aa8000      76 rw--- 00000000002a8000 008:00002 php-cgi
000000000f678000    1980 rw--- 000000000f678000 000:00000   [ anon ]
000000314a600000     112 r-x-- 0000000000000000 008:00002 ld-2.5.so
000000314a81b000       4 r---- 000000000001b000 008:00002 ld-2.5.so
000000314a81c000       4 rw--- 000000000001c000 008:00002 ld-2.5.so
000000314aa00000    1328 r-x-- 0000000000000000 008:00002 libc-2.5.so
000000314ab4c000    2048 ----- 000000000014c000 008:00002 libc-2.5.so
.....
......
..
00002af8d48fd000       4 rw--- 0000000000006000 008:00002 xsl.so
00002af8d490c000      40 r-x-- 0000000000000000 008:00002 libnss_files-2.5.so
00002af8d4916000    2044 ----- 000000000000a000 008:00002 libnss_files-2.5.so
00002af8d4b15000       4 r---- 0000000000009000 008:00002 libnss_files-2.5.so
00002af8d4b16000       4 rw--- 000000000000a000 008:00002 libnss_files-2.5.so
00002af8d4b17000  768000 rw-s- 0000000000000000 000:00009 zero (deleted)
00007fffc95fe000      84 rw--- 00007ffffffea000 000:00000   [ stack ]
ffffffffff600000    8192 ----- 0000000000000000 000:00000   [ anon ]
mapped: 933712K    writeable/private: 4304K    shared: 768000K

The last line is very important:

mapped: 933712K total amount of memory mapped to files
writeable/private: 4304K the amount of private address space
shared: 768000K the amount of address space this process is sharing with others

#11 and #12: netstat and ss - Network Statistics

The command netstat displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. ss command is used to dump socket statistics. It allows showing information similar to netstat. See the following resources about ss and netstat commands:

#13: iptraf - Real-time Network Statistics

The iptraf command is interactive colorful IP LAN monitor. It is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. It can provide the following info in easy to read format:

Network traffic statistics by TCP connection
IP traffic statistics by network interface
Network traffic statistics by protocol
Network traffic statistics by TCP/UDP port and by packet size
Network traffic statistics by Layer2 address

Fig.02: General interface statistics: IP traffic statistics by network interface

Fig.03 Network traffic statistics by TCP connection

#14: tcpdump - Detailed Network Traffic Analysis

The tcpdump is simple command that dump traffic on a network. However, you need good understanding of TCP/IP protocol to utilize this tool. For.e.g to display traffic info about DNS, enter:
# tcpdump -i eth1 'udp port 53'
To display all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets, enter:
# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
To display all FTP session to 202.54.1.5, enter:
# tcpdump -i eth1 'dst 202.54.1.5 and (port 21 or 20'
To display all HTTP session to 192.168.1.5:
# tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'
Use wireshark to view detailed information about files, enter:
# tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80

#15: strace - System Calls

Trace system calls and signals. This is useful for debugging webserver and other server problems. See how to use to trace the process and see What it is doing.

#16: /Proc file system - Various Kernel Statistics

/proc file system provides detailed information about various hardware devices and other Linux kernel information. See Linux kernel /proc documentations for further details. Common /proc examples:

# cat /proc/cpuinfo
# cat /proc/meminfo
# cat /proc/zoneinfo
# cat /proc/mounts

17#: Nagios - Server And Network Monitoring

Nagios is a popular open source computer system and network monitoring application software. You can easily monitor all your hosts, network equipment and services. It can send alert when things go wrong and again when they get better. FAN is "Fully Automated Nagios". FAN goals are to provide a Nagios installation including most tools provided by the Nagios Community. FAN provides a CDRom image in the standard ISO format, making it easy to easilly install a Nagios server. Added to this, a wide bunch of tools are including to the distribution, in order to improve the user experience around Nagios.

18#: Cacti - Web-based Monitoring Tool

Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices. It can provide data about network, CPU, memory, logged in users, Apache, DNS servers and much more. See how to install and configure Cacti network graphing tool under CentOS / RHEL.

#19: KDE System Guard - Real-time Systems Reporting and Graphing

KSysguard is a network enabled task and system monitor application for KDE desktop. This tool can be run over ssh session. It provides lots of features such as a client/server architecture that enables monitoring of local and remote hosts. The graphical front end uses so-called sensors to retrieve the information it displays. A sensor can return simple values or more complex information like tables. For each type of information, one or more displays are provided. Displays are organized in worksheets that can be saved and loaded independently from each other. So, KSysguard is not only a simple task manager but also a very powerful tool to control large server farms.

Fig.05 KDE System Guard {Image credit: Wikipedia}

See the KSysguard handbook for detailed usage.

#20: Gnome System Monitor - Real-time Systems Reporting and Graphing

The System Monitor application enables you to display basic system information and monitor system processes, usage of system resources, and file systems. You can also use System Monitor to modify the behavior of your system. Although not as powerful as the KDE System Guard, it provides the basic information which may be useful for new users:

Displays various basic information about the computer's hardware and software.
Linux Kernel version
GNOME version
Hardware
Installed memory
Processors and speeds
System Status
Currently available disk space
Processes
Memory and swap space
Network usage
File Systems
Lists all mounted filesystems along with basic information about each.

Fig.06 The Gnome System Monitor application

Bounce: Additional Tools

A few more tools:

nmap - scan your server for open ports.
lsof - list open files, network connections and much more.
ntop web based tool - ntop is the best tool to see network usage in a way similar to what top command does for processes i.e. it is network traffic monitoring software. You can see network status, protocol wise distribution of traffic for UDP, TCP, DNS, HTTP and other protocols.
Conky - Another good monitoring tool for the X Window System. It is highly configurable and is able to monitor many system variables including the status of the CPU, memory, swap space, disk storage, temperatures, processes, network interfaces, battery power, system messages, e-mail inboxes etc.
GKrellM - It can be used to monitor the status of CPUs, main memory, hard disks, network interfaces, local and remote mailboxes, and many other things.
vnstat - vnStat is a console-based network traffic monitor. It keeps a log of hourly, daily and monthly network traffic for the selected interface(s).
htop - htop is an enhanced version of top, the interactive process viewer, which can display the list of processes in a tree form.
mtr - mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.

How to send email from the Linux command line

2010-01-26T14:32:00.001+08:00

The Linux command line can be very powerful once you know how to use it. You can parse data, monitor processes, and do a lot of other useful and cool things using it. There often comes a need to generate a report and mail it out. It could be as simple a requirement as a notification that the day’s backup went through fine, or did not. I’ll help you get started with sending mails from the Linux command line and in shell scripts. We will also cover sending attachments from the command line. We will begin with the “mail” command.
MAIL
First run a quick test to make sure the “sendmail” application is installed and working correctly. Execute the following command, replacing “you@youremailid.com” with your e-mail address.

# mail -s “Hello world” you@youremailid.com

Hit the return key and you will come to a new line. Enter the text “This is a test from my server”. Follow up the text by hitting the return key again. Then hit the key combination of Control+D to continue. The command prompt will ask you if you want to mark a copy of the mail to any other address, hit Control+D again. Check your mailbox. This command will send out a mail to the email id mentioned with the subject, “Hello world”.

To add content to the body of the mail while running the command you can use the following options. If you want to add text on your own:

# echo “This will go into the body of the mail.” | mail -s “Hello world” you@youremailid.com

And if you want mail to read the content from a file:

# mail -s “Hello world” you@youremailid.com < /home/calvin/application.logSome other useful options in the mail command are:-s subject (The subject of the mail)-c email-address (Mark a copy to this “email-address”, or CC)-b email-address (Mark a blind carbon copy to this “email-address”, or BCC)Here’s how you might use these options:# echo “Welcome to the world of Calvin n Hobbes” | mail -s “Hello world” calvin@cnh.com -c hobbes@cnh.com -b susie.derkins@cnh.comMUTTOne of major drawbacks of using the mail command is that it does not support the sending of attachments. mutt, on the other hand, does support it. I’ve found this feature particularly useful for scripts that generate non-textual reports or backups which are relatively small in size which I’d like to backup elsewhere. Of course, mutt allows you to do a lot more than just send attachments. It is a much more complete command line mail client than the “mail” command. Right now we’ll just explore the basic stuff we might need often. Here’s how you would attach a file to a mail:# echo “Sending an attachment.” | mutt -a backup.zip -s “attachment” calvin@cnh.comThis command will send a mail to calvin@cnh.com with the subject (-s) “attachment”, the body text “Sending an attachment.”, containing the attachment (-a) backup.zip. Like with the mail command you can use the “-c” option to mark a copy to another mail id.SENDING MAIL FROM A SHELL SCRIPTNow, with the basics covered you can send mails from your shell scripts. Here’s a simple shell script that gives you a reading of the usage of space on your partitions and mails the data to you.#!/bin/bashdf -h | mail -s “disk space report” calvin@cnh.comSave these lines in a file on your Linux server and run it. You should receive a mail containing the results of the command. If, however, you need to send more data than just this you will need to write the data to a text file and enter it into the mail body while composing the mail. Here’s and example of a shell script that gets the disk usage as well as the memory usage, writes the data into a temporary file, and then enters it all into the body of the mail being sent out:#!/bin/bashdf -h > /tmp/mail_report.log
free -m >> /tmp/mail_report.log
mail -s “disk and RAM report” calvin@cnh.com < /tmp/mail_report.log

Now here’s a more complicated problem. You have to take a backup of a few files and mail then out. First the directory to be mailed out is archived. Then it is sent as an email attachment using mutt. Here’s a script to do just that:

#!/bin/bash
tar -zcf /tmp/backup.tar.gz /home/calvin/files
echo | mutt -a /tmp/backup.tar.gz -s “daily backup of data” calvin@cnh.com

The echo at the start of the last line adds a blank into the body of the mail being set out.

This should get you started with sending mails form the Linux command line and from shell scripts. Read up the “man page” for both mail and mutt for more options.

By Sukrit Dhandhania – December 1, 2008

Installing rrdtool using yum on CentOS

2009-12-04T11:38:00.002+08:00

1. Create a file called dag.repo in /etc/yum.repos.d/ just like below

# vi /etc/yum.repos.d/dag.repo

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
gpgkey=http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
enabled=1

and then install the package

# yum install rrdtool

That's it!

How to configure TCP/IP filtering in Windows 2000

2009-06-22T14:13:00.000+08:00

This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers. Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed. TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service. You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.
Back to the top
How to configure TCP/IP security
loadTOCNode(2, 'summary');

To configure TCP/IP security:
Click Start , point to Settings , click Control Panel , and then double-click Network and Dial-up Connections .
Right-click the interface on which you want to configure inbound access control, and then click Properties .
In the Components checked are used by this connection box, click Internet Protocol (TCP/IP) , and then click Properties .
In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced .
Click the Options tab.
Click TCP/IP filtering , and then click Properties .
Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.
There are three columns with the following labels:
TCP PortsUDP PortsIP ProtocolsIn each column, you must select either of the following options:
Permit All . If you want to permit all packets for TCP or UDP traffic, leave Permit All activated. Permit Only . If you want to allow only selected TCP or UDP traffic, click Permit Only , click Add , and then type the appropriate port in the Add Filter dialog box. If you want to block all UDP or TCP traffic, click Permit Only , but do not add any port numbers in the UDP Ports or TCP Port column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17. Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1. TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.

Hardening CentOS 5

2009-05-17T09:02:00.000+08:00

Configure user account. logout and relogin as user. su wherever required.
useradd
eg. useradd myodduser

passwd myodduser

Configure Default runlevel to runlevel 3
Use your favorite text editor to edit /etc/inittab
Find a line that is similar to the following:
id:3:initdefault:

Verify the no. after “id:” id-colon is 3. If it is not make it three.

To restrict virtual terminals to two:
Find out following stanza to enable only two virtual terminals available:

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

Make it to:

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Save /etc/inittab and exit

Edit /etc/fstab . For the file systems /tmp, /var, and /home replace the "defaults" with "noexec,nodev,nosuid"

noexec : Binaries are not allowed to be executed. NEVER use this option for your root file system!
nosuid : Blocks the operation of suid, and sgid bits.
nodev : Prevent any user to mount the file system.

Disable unused services in order to save on resources and minimize potential security holes.
These Services that are to be stopped are mentioned here, check appendix A in case of custom requirements.

NetworkManager
NetworkManagerDispatacpid
apmd
autofs
avahi-daemon
avahi-dnsconfd
bluetooth
conman
cpuspeed
cups
dc_client
dc_server
dhcdbd
dund
firstboot
gpm
haldaemon
hidd
ibmasm
ip6tables
ipmi
irda
irqbalance
kdump
kudzu
mcstrans
mdmonitor
mdmpd
microcode_ctl
netfs
netplugd
nfs
nfslock
nscd
oddjobd
pand
pcscd
portmap
rdisc
restorecond
rpcgssd
rpcidmapd
rpcsvcgssd
saslauthd
setroubleshoot
smartd
smb
squid
tux
winbind
wpa_supplicant
xfs
ypbind
yum-updatesd

With following command format:

chkconfig –level 12345 off

To stop if any of the service is running:
service stop

check /etc/hosts
It must be in the format. (See the 127.0.0.1 line)
127.0.0.1 localhost.localdomain localhost
IP.AD.DR.ESS machine.domain.name machine

Edit /etc/host.conf
order bind,hosts
multi on
nospoof on

Edit /etc/sysctl.conf - tighten
1. net.ipv4.tcp_syncookies = 1 # Enable TCP SYN Cookie Protection
2. net.ipv4.conf.all.accept_source_route = 0 # Disables IP source routing
3. net.ipv4.conf.all.accept_redirects = 0 # Disable ICMP Redirect Acceptance
4. net.ipv4.conf.all.rp_filter = 1 # Enable IP spoofing protection, turn on source route verification
5. net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable ignoring broadcasts request
6. net.ipv4.icmp_ignore_bogus_error_responses = 1 # Enable bad error message Protection
7 net.ipv4.conf.all.log_martians = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets

Edit /etc/hosts.deny
portmap: ALL

Edit /etc/hosts.allow
portmap: localhost
portmap: 127.0.0.1

SSH:
Disable RootLogin, force protocol 2, (explore restricting SSH to users/groups )
Protocol 2
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
AllowUsers admin user1 user2 user3 (put actual users here in place of userN)

Stripping It Down

Following rpms are to be removed (You may add or remove some packages from this list in order to satisfy your environment.)

xkeyboard-config-0.8-7.fc6
dosfstools-2.11-6.2.el5
finger-0.17-32.2.1.1
dos2unix-3.1-27.1
esound-0.2.36-3
system-config-securitylevel-1.6.29.1-1.el5
NetworkManager-0.6.4-6.el5
OpenIPMI-2.0.6-5.el5.3
apmd-3.2.2-5
acpid-1.0.4-5
system-config-network-1.3.99-1.el5
gnome-python2-gtkhtml2-2.14.2-4.fc6
gnome-python2-bonobo-2.16.0-1.fc6
xorg-x11-drv-mouse-1.1.1-1.1
system-config-display-1.0.48-2.el5
xorg-x11-server-Xorg-1.1.1-48.13.0.1.el5
xorg-x11-server-Xvfb-1.1.1-48.13.0.1.el5
gnome-mime-data-2.4.2-3.1
centos-release-notes-5.0.0-2
xorg-x11-filesystem-7.1-2.fc6
xorg-x11-xauth-1.0.1-2.1
xorg-x11-xkb-utils-1.0.2-2.1
talk-0.17-29.2.2
cpuspeed-1.2.1-1.45.el5
hicolor-icon-theme-0.9-2.1
alsa-lib-1.0.12-3.el5
GConf2-2.14.0-9.el5
xorg-x11-utils-7.1-2.fc6
bluez-gnome-0.5-5.fc6
xorg-x11-xinit-1.0.2-13.el5
ypbind-1.19-7.el5
firstboot-tui-1.4.27.2-1.el5.centos.1
system-config-soundcard-2.0.6-1.el5
yp-tools-2.9-0.1
system-config-samba-1.2.39-1.el5
system-config-kdump-1.0.9-3.el5
tux-3.2.18-9.fc6
xorg-x11-fonts-base-7.1-2.1.el5
gnome-python2-canvas-2.16.0-1.fc6
gnome-mount-0.5-3.el5
xorg-x11-drv-vesa-1.2.1-5.2.el5
xorg-x11-drv-keyboard-1.1.0-2.1
xorg-x11-drv-evdev-1.0.0.5-2.el5
samba-common-3.0.23c-2.el5.2.0.2
xorg-x11-xfs-1.0.2-4
samba-client-3.0.23c-2.el5.2.0.2
xorg-x11-server-Xnest-1.1.1-48.13.0.1.el5
samba-3.0.23c-2.el5.2.0.2
gpm-1.20.1-74.1
xorg-x11-server-utils-7.1-4.fc6
redhat-menus-6.7.8-1.el5
metacity-2.16.0-8.el5
alsa-utils-1.0.12-3.fc6
OpenIPMI-libs-2.0.6-5.el5.3
portmap-4.0-65.2.2.1
nfs-utils-1.0.9-16.el5
system-config-nfs-1.3.23-1.el5
subversion-1.4.2-2.el5
gnome-python2-gconf-2.16.0-1.fc6
gnome-python2-extras-2.14.2-4.fc6
gnome-python2-gnomevfs-2.16.0-1.fc6
xorg-x11-drv-void-1.1.0-3.1

Security and management tool installations and fine tuning:

Security Tools Download, install and run:

a. chkrootkit - http://www.chkrootkit.org/download/
Download to /usr/local/src
Extract using "tar -zxf"
Compile & Install using "make sense"
Run chkrootkit

b. rkhunter - http://www.rootkit.nl/projects/rootkit_hunter.html
Download to /usr/local/src
Extract using "tar -zxf"
Install using ./install.sh
./installer.sh --layout /usr/local –install
rkhunter --update
Run "rkhunter -c --createlogfile"

Management Tool:. Download, install, configure: Webmin with SSL

Package Dependencies
Ensure openssl and openssl-devel are installed
rpm -q openssl
rpm -q openssl-devel
If they are not installed, install them using:
yum install openssl openssl-devel -y
(Mention ONLY those packages that need to be installed).

Download the Webmin RPM - http://www.webmin.com/
Download the RPM to /usr/local/src
Install using rpm -Uvh
Go to https://IP.AD.DR.ESS:10000 to configure. Login with user root, and password
1. Under Webmin -> Users -> Edit the root user. Rename root user to "admin"
2. Under Logging ensure all events by all users are logged
3. Change the port from 10000 to a suitable one above 50000 (and below 60000).
4. Under Authntication - set the idle time-out to 5 minutes.

d. Perl Libraries

Net::SSLeay - http://www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.30.tar.gz
Download to /usr/local/src/
Extract with tar -xzf
Prepare with "perl Makefile.PL"
Compile & Install with "make install"
Test installation with "perl -e 'use Net::SSLeay'". You should be returned to the prompt. If you get errors, the installation did not succeed.

e. Portsentry -ftp://194.199.20.114/linux/freshrpms/fedora/linux/1/portsentry/portsentry-1.1-11.fr.i386.rpm
Download the RPM to /usr/local/src
Install using rpm -Uvh
Edit /etc/portsentry/portsentry.conf
Edit /etc/portsentry/portsentry.modes
Edit /etc/portsentry/portsentry.ignore
Start portsentry.

f. Checksuite - http://checksuite.sourceforge.net/
Download the RPM to /usr/local/src
Install using rpm -Uvh

g. Fine Tuning IPTABLES:
edit /etc/sysconfig/iptables

Insert rules for trusted ip addresses only which should access ssh port.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s -j ACCEPT

These rules are to be added before following rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Also you will have to make sure other ports are kept open (Those considered under Pre-Installation preparation)

PacMan: THE LAST FIGHT

2009-05-04T13:52:00.001+08:00

How To: Transfer your PuTTY settings between computers

2009-04-26T07:37:00.001+08:00

Exporting Your PuTTy Configuration

Putty stores its settings in the Windows registry. To save a backup of your Putty settings, you'll need to export this registry key to a file.

HKEY_CURRENT_USER\Software\SimonTatham

(Simon Tatham is the original developer responsible for PuTTy)

1. Click Start->Run and type "RegEdt32" in the "Open" dialog. Click "Ok"

2. One RegEdt32 starts, you'll be presented with an application which looks something like:

3. Press "Ctrl+F" to bring up the Find dialog. Enter the name of the key, "SimonTratham" in the "Find What" field, and make sure only "Keys" is checked in the "Look At" section of the dialog. Finally, click "Find Next"

4. The search may take a while, reminding us that the Windows Registry is a large and mysterious place where dragons be. Let's use these few seconds to reflect on the fact that you should never, ever, never change things in the registry unless you are absolutely, positively, totally, completely, 100% dead sure that you know exactly what you're doing. When the search completes we'll see the key name for which we're looking.

5. Click File->Export. Give your file an appropriate name like, "putty.reg" and click "Save"

6. We're done! Save the putty.reg file somewhere safe. The file doesn't contain any passwords or actual SSH key values so, it's relatively safe from prying eyes. Still, it does contain your configuration and that kind of data is a private matter.

Importing Your PuTTy Configuration

To import your saved PuTTy configuration on any other Windows computer simply copy your exported registry key, right click on the file and click "Merge"

Windows will ask you for confirmation that you want to import this set of registry values. We know this file is safe, because we created it but, you should never import registry information from an unknown source.

That's all you need to know about moving your PuTTy configuration from one machine to another. This can be really useful information when upgrading to a new PC or, if you're an office IT guy where your users all have a standard list of servers they need to connect via SSH, you can create a reference configuration on once machine and "share" it between every computer in the office.

source: http://www.downloadsquad.com/2007/02/01/howto-transfer-your-putty-settings-between-computers/

ip_conntrack: table full, dropping packet.

2009-04-14T07:07:00.004+08:00

www kernel: printk: 1 messages suppressed.
www kernel: ip_conntrack: table full, dropping packet.


Reason behind this error:

Iptables under Linux maintains a list of connections passing
through the router. Each connection tracking entry contains defined
characteristics of the packet, including the source and destination
IP address and port number. The connection tracking entries are
ultimately stored in a hash table with a fixed size. If the router
reaches the maximum number of connection tracking entries,it will
log an error:

"ip_conntrack: table full, dropping packet"

The maximum size of the connection tracking table can be increased.
The maximum size value is stored in the router's proc filesystem
in the file /proc/sys/net/ipv4/ip_conntrack_max. Increasing the
maximum size of the connection tracking table to a value larger than
the total number of connections will eliminate the error message
and prevent the router from dropping connections due to a lack of
space in the connection tracking table.


# This tell you how many sessions arte open right now.
cat /proc/net/ip_conntrack | wc -l
# This tells you the maximum number of conntrack entries you can have
in total
cat /proc/sys/net/ipv4/ip_conntrack_max

Once the previous number hits beyond the latter, you should start
seeing these messages. I would increase the latter number by calling:

echo "" > /proc/sys/net/ipv4/ip_conntrack_max

or if you want it to span reboots, you can place the following in
/etc/sysctl.conf

sys.net.ipv4.ip_conntrack_max =3D

Install Squid on CentOS / RHEL 5

2009-04-13T08:52:00.002+08:00

Use yum command as follows:
# yum install squid

Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
--> Package squid.i386 7:2.6.STABLE6-4.el5 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
squid                   i386       7:2.6.STABLE6-4.el5  updates           1.2 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)       

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: squid                        ######################### [1/1]

Installed: squid.i386 7:2.6.STABLE6-4.el5
Complete!

Squid Basic Configuration

Squid configuration file located at /etc/squid/squid.conf. Open file using a text editor:
# vi /etc/squid/squid.conf
At least you need to define ACL (access control list) to work with squid. The defaults port is TCP 3128. Following example ACL allowing access from your local networks 192.168.1.0/24 and 192.168.2.0/24. Make sure you adapt to list your internal IP networks from where browsing should be allowed:
acl our_networks src 192.168.1.0/24 192.168.2.0/24 http_access allow our_networks

Save and close the file. Start squid proxy server:
# chkconfig squid on # /etc/init.d/squid start

init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]

Verify port 3128 is open:
# netstat -tulpn | grep 3128

tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN      20653/(squid)

Open TCP port 3128

Finally make sure iptables is allowing to access squid proxy server. Just open /etc/sysconfig/iptables file:
# vi /etc/sysconfig/iptables
Append configuration:
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
Restart iptables based firewall:
# /etc/init.d/iptables restart

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Client configuration

Open a webbrowser > Tools > Internet option > Network settings > and setup Squid server IP address and port # 3128.

Update The Root Hints Data File for BIND Named Server

2009-03-25T07:26:00.002+08:00

Use wget command to retrieve file and store to /etc/bind/db.root (Debian / Ubuntu Linux), enter:
# wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root

Under Red Hat / CentOS / Fedora Linux, default location is /var/named/named.root, enter:
# wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root

Reload rndc to update information, enter:
# rndc reload

Another option is run dig command to fetch information:
# dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/named.root

The root zone's nameservers change over time, don't assume this list is current. Always download a new version of db.cache once or twice year is sufficient. You can also schedule cron jon to update file. The best place to get update about this file is bind-users mailing list.

Sample updated root hints data file

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  "
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/db.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Feb 04, 2008
;       related version of root zone:   2008020400
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803f:235
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of File

How to view Email headers

2009-02-03T11:48:00.001+08:00

Microsoft Outlook 98, 2000, 2002, 2003

Double-click on the message to open it in a separate window.
Click on View and then Options on the drop-down menu at the top of the window.
Look for the section titled INTERNET HEADERS near the bottom of the Options window.
You can highlight the text within the INTERNET HEADERS section to copy it to a new message if you need to send these headers to someone.

Microsoft Outlook Express 5 & 6

Right-click on the message and select Properties.
Select the Details tab.
You should see a section titled Internet Headers for this message.
You can highlight the text within the Internet Headers section to copy it to a new message if you need to send these headers to someone.

Pegasus Mail Clients

Double-click on the message to open it in a separate window.
Hit the backspace key or type Ctrl-h on your keyboard to show the full headers.
If you want to forward these headers to someone, hit the F key after completing step 2.

Eudora Mail Clients

Double-click on the message to open it in a separate window.
Click on the button labeled BLAH BLAH BLAH at the top of the window. This will show the message headers.
You can then highlight and copy the headers into a new message for forwarding to someone.

Mozilla Thunderbird

Double-click the e-mail you want to view the headers on.
Click on the View drop-down menu and select Headers and then select All.
This will show the headers for any message you view.

Mail for Mac OS X

After you open the Mail app, click the on the Mail drop-down menu and select Preferences.
Click on the Viewing icon.
Click on the arrow on the Show header detail and select All.
You will now see the full headers of each message you view.

TAMU Email

Once you are logged in, right-click on the message you want to view.
From the menu that appears, choose 'Show Original.'
This will open up a new window and display the full message, including the headers.

Hotmail

Once you are logged in, click on Options
Click on Mail.
Click on Mail Display Settings.
Change the Message Headers section to Advanced.
Click OK.
Now when you read an e-mail, it should show you the full message headers.

Yahoo! Mail

Once you are logged in, click on Mail Options.
Click on General Preferences.
Under the Messages section, select Show all headers on incoming messages for the Headers option.
Click Save.
You should now see the full headers of every message you view.

Gmail

While viewing a message, click on the More options arrow in the upper-right of your message pane.
Click on Show original.
This will display the headers for that message in a new window.

Disable HTTP TRACE method in Tomcat

2009-01-26T11:40:00.003+08:00

1. Edit $TOMCAT/conf/server.xml
2. Look for "connector" element
3. Add an attribute: allowTrace="false"
4. Restart Tomcat.

Optimize bash_history

2008-11-20T13:14:00.000+08:00

Here are some tricks on how you can optimize with some simple configurations settings the usage your bash history.

1. Don’t save duplicates:
This is my favorite…

HISTCONTROL=ignoreboth

this causes any lines matching the previous history entry not to be saved.
Other options for HISTCONTROL: ignorespace, lines which begin with a space character are not saved in the history list; erasedups causes all previous lines matching the current line to be removed from the history list before that line is saved.

2. Size of the history:
HISTSIZE: The number of commands to remember in the command history. The default value is 500.

HISTSIZE=500

You can set this to 0 and disable the usage of the history file.

3. Others:
HISTFILE: The name of the file in which command history is saved. The default value is ~/.bash_history.
HISTIGNORE: A colon-separated list of patterns used to decide which command lines should be saved on the history list.

How do you set these options? Either export them in your environment in your personal bash configuration file (~/.bashrc) or in the global bash configuration file (/etc/bash.bashrc). The name of the configuration files can depend from your Linux distribution and bash version (the ones included are from Debian Linux), but you can always see your particular options using man bash. So, you can add in your configuration files the parameters you want like this:

export HISTCONTROL=ignoreboth
export HISTSIZE=500

You will need to restart your bash session in order to activate the settings. You can check if your configuration were entered correctly by typing env at the command prompt. If you donâ€™t see your configuration in the environment variables than you have done something wrong. If you see your configuration option, then all is ok, and your setting is active already.

http://www.ducea.com/2006/05/15/linux-tips-take-control-of-your-bash_history/

How to check if Sender Privacy Framework (SPF) is setup correctly ?

2008-09-19T17:26:00.000+08:00

Sender Privacy Framework (SPF) is a method used to prevent sender address forgery, i.e. someone to pretend someone he/she is not and send SPAM emails.

Open a terminal window and type:

$ host -t txt your-domain.com

You may see a message stating:

"your-domain.com has no TXT record", so DNS changes need some time to propagate.

Another approach could be to query the DNS server that your web site is using:

$ host -t txt your-domain.com ns1.your-domain.com

The output should be:

Using domain server:
Name: ns1.your-domain.com
Address: 11.22.33.44#53
Aliases:

your-domain.com descriptive text "v=spf1 a mx -all"

Notes:
your-domain.com is YOUR domain
Address: 11.22.33.44 is your domain's IP address.
the record in /var/named/data/zone.your-domain.com has contains following line.
your-domain.com. IN TXT "v=spf1 a mx -all"

How to Enable Cookies

2008-09-08T13:04:00.001+08:00

To enable cookies, follow the instructions below for the browser version you are using.

Mozilla Firefox (1.0 final release and earlier)

Go to the "Tools" menu.

Select "Options".

Select the "Privacy" icon in the left panel.

Check the box corresponding to "Allow sites to set cookies".

Click "OK" to save changes.

Netscape 7.1/Mozilla 5.0

Select "Preferences" from the Edit menu.

Click on the arrow next to "Privacy & Security" in the scrolling window to expand.

Under "Privacy & Security", select "Cookies."

Select "Enable all cookies".

Click "OK".

Microsoft Internet Explorer 6.0+

Select "Internet Options" from the Tools menu.

Click on the "Privacy" tab.

Click the "Default" button (or manually slide the bar down to "Medium") under "Settings".

Click "OK".

Microsoft Internet Explorer 5.x

Select "Internet Options" from the Tools menu.

Click on the "Security" tab.

Click the "Custom Level" button.

Scroll down to the "Cookies" section.

To enable:

Set "Allow cookies that are stored on your computer" to "Enable".
Set "Allow per-session cookies" to "Enable".

Click "OK".

Microsoft Internet Explorer 4.x

Select "Internet Options" from the View menu.

Click on the "Advanced" tab.

Scroll down to find "Cookies" within the "Security" section.

To enable:

Select "Always accept cookies".

Click "OK".

Netscape Communicator 4.x

Select "Preferences" from the Edit menu.

Find the "Cookies" section in the "Advanced" category.

To enable:

Select "Accept all cookies" (or "Enable all cookies").

Click "OK".

How to: Using Sudo

2008-07-12T06:24:00.001+08:00

What is sudo?

· Sudo is a command that allows users defined in the /etc/sudoers configuration file to have temporary root access to run certain privileged commands.

· The command you want to run must first begin with the word "sudo" followed by the regular command syntax.

· When running the command you will be prompted for your regular password before it is executed.You may run other privileged commands using sudo within a five minute period without being re-prompted for a password

· All commands run as sudo are logged in the log file /var/log/messages

Download and Install The sudo Package

Fortunately the package is installed by default by RedHat

The visudo Command

· "visudo" is the command used to edit the /etc/sudoers configuration file. It is not recommended that you use any other editor to modify your sudo parameters. "visudo" uses the same commands as the "vi" text editor.

· "visudo" is best run as user "root"

[root@aqua tmp]# visudo

The /etc/sudoers File

General Guidelines

o The /etc/sudoers file has the general format:

usernames/group target-servername = command

o Groups are the same as user groups and are differentiated from regular users by a % at the beginning

o The "#" at the beginning of a line signifies a comment line

o You can have multiple usernames per line separated by commas

o Multiple commands can be separated by commas too. Spaces are considered part of the command.

o The keyword "ALL" can mean all usernames, groups, commands and servers.

o If you run out of space on a line, you can end it with a "\" and continue on the next line.

o The NOPASSWD keyword provides access without you being prompted for your password

Simple sudoers Examples

o Users "paul" and "mary" have full access to all privileged commands

paul, mary ALL=(ALL) ALL

o Users with a groupid of "operator" has full access to all commands and won't be prompted for a password when doing so.

%operator ALL=(ALL) NOPASSWD: ALL

How To Use sudo

· In this example, user "paul" attempts to view the contents of the /etc/sudoers file

[paul@bigboy paul]$ more /etc/sudoers
/etc/sudoers: Permission denied

[paul@bigboy paul]$

· Paul tries again using sudo and his regular user password and is successful

[paul@bigboy paul]$ sudo more /etc/sudoers
Password:

...

[paul@bigboy paul]$

Using syslog To Track All sudo Commands

All sudo commands are logged in the log file /var/log/messages. Here is sample output from the above example.

[root@bigboy tmp]# grep sudo /var/log/messages
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=paul uid=0 euid=0 tty=pts/0 ruser= rhost= user=paul
Nov 18 22:51:25 bigboy sudo: paul : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
[root@bigboy tmp]#

courtesy: http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/sudo.htm

Fix IPC$ error - Windows 98 to Windows 2000 / XP security

2008-06-17T23:21:00.002+08:00

When trying to access a network drive or printers share on a Windows 2000/XP computer from a Windows 95/98/ME computer, you may receive an IPC$ dialog box like the one above. If you do, then you need to configure security on your Windows 2000/XP computer.

When Windows 95/98/ME tries browsing the Windows 2000/XP computer, it first must log in. The username Windows tries is the name that you logged into Microsoft networking with. When your Windows 98/95/ME computer booted up, you saw a screen like this:

You must create that name in Windows 2000/XP security to allow that user access to the Windows 2000/XP shares.

Creating a Windows 2000

From the control panel, double click the admin tools icon. Next, click the Computer management icon. This will bring up a screen like the one below. From here, open the Local Users and Groups tree and add a new user by right clicking on the 'Users folder' and select 'Add new user'.

Create a user name that MATCHES the user name used to lon into your Windows 98/98/ME computer. I would sugges assigning a password to this ID. I have sometimes had trouble in the past using blank passwords. You should also UNCHECK the 'User must change password' line and CHECK 'password never expires'.

This ID will default into the USERS group. This should be enough security to access files and print shares.

Now, the next time you see that IPC$ / Enter network password thing, you can use the password speficied in the user profile you just created!

Keep your Web site online with a High Availability Linux Apache cluster

2007-07-24T13:45:00.000+08:00

Failover clusters are used to ensure high availability of system services and applications even through crashes, hardware failures, and environmental mishaps. In this article, I'll show you how to implement a rock-solid two-node high availability Apache cluster with the heartbeat application from The High-Availability Linux Project. I tested the cluster on Fedora Core 5, CentOS 4.3, and Ubuntu 6.06.1 LTS server distributions.

In a cluster environment, a high availability (HA) system is responsible for starting and stopping services, mounting and dismounting resources, monitoring the system availability in the cluster environment, and handling the ownership of the virtual IP address that's shared between cluster nodes. The heartbeat service provides the basic functions required for the HA system.

The most common cluster configuration is called standby configuration, as described here. In the standby cluster configuration, one node performs all the work while the other node is idle. Heartbeat monitors health of particular service(s) usually through a separate Ethernet interface used only for HA purposes using special ping. If a node fails for some reason, heartbeat transfers all the HA components to the healthy node. When the node recovers, it can resume its former status.

Installation and configuration

To test High Availability Linux, you need a second Ethernet adapter on each node to devote to heartbeat. Install the Apache Web server and the heartbeat program on both nodes. If the heartbeat package is not in any repository of your favorite distribution, you can download it. On my CentOS servers, I used yum to install the necessary software:

yum install -y httpd heartbeat

The configuration files for heartbeat are not in place when the software is installed. You need to copy them from the documentation folder to the /etc/ha.d/ folder:

cp /usr/share/doc/heartbeat*/ha.cf /etc/ha.d/ cp /usr/share/doc/heartbeat*/haresources /etc/ha.d/ cp /usr/share/doc/heartbeat*/authkeys /etc/ha.d/

In the /etc/hosts file you must add hostnames and IP addresses to let the two nodes see each other. In my case it looks like this:

192.168.1.1 node1.example.com node1 192.168.1.2 node2.example.com node2

Make sure you have the exact same /etc/hosts file on both nodes and that you're able to ping both nodes. You can just copy the file from one node to another using secure copy:

scp /etc/hosts root@node2:/etc/

Next, modify the configuration file /etc/ha.d/ha.cf. Edit the following entries in order to get heartbeat to work:

logfile /var/log/ha-log #where to log everything from heartbeat logfacility local0 #Facility to use for syslog/logger keepalive 2 # the time between the heartbeats deadtime 30 #how long until the host is declared dead warntime 10 #how long before issuing "late heartbeat" warning initdead 120 # Very first dead time (initdead) udpport 694 #udp port for the bcast/ucast communication bcast eth1 #on what interface to broadcast ucast eth1 10.0.0.1 #this is a 2-node cluster, so no need to use multicast here auto_failback on #we want the resources to automatically fail back to its primary node node node1.example.com #the name of the first node node node2.example.com #the name of the second node

This are the basic options necessary for heartbeat to work. The file has to be configured identically on both nodes, except for the "ucast" part where you define the IP address of peer to send packets to.

The next file is /etc/ha.d/haresources. In this file you need to define the master node name, virtual IP address (cluster IP), and which resources to start. In our case, we're starting the Apache Web server.

We need only one line of data here:

node1.example.com 192.168.1.5 httpd

Make sure the file is exactly the same on both nodes. Note that the resource name is the name of the init script located in the /etc/init.d folder. If the resource name is not exactly the same as in /etc/init.d/, heartbeat will not be able to find it when it tries to read it and both Apache and heartbeat will fail to start.

The last heartbeat-related file is /etc/ha.d/authkeys. This file must also be the same on both nodes, and it needs to be readable and writable only by the root user. If the permissions are different from what heartbeat expects, heartbeat will refuse to start. Make sure you have the file configured like this:

auth 1 1 crc

And make sure it's readable and writable by root only:

chmod 600 /etc/ha.d/authkeys

Now it's time to configure the Apache service. We want Apache to listen on the virtual IP address 192.168.1.5, and we need to point the Apache document root to the /data mount point where our Web files will be kept. Note that storage for Apache can be practically anything from the local filesystem folder to a storage area network. Of course, there is no point in a failover cluster if the same data is not available for both nodes. If you don't own an external network-attached storage device (such as a Fibre Channel storage unit) you can mount any SMB, NFS, iSCSI, or SAN filesystem as a local folder so that each node can access the data when it is active. This is done by modifying the following entries in the /etc/httpd/conf/httpd.conf file (at least for the CentOS distribution):

Listen 192.168.1.5:80 DocumentRoot "/data"

It's important for the Apache service to not start automatically at boot time, since heartbeat will start and stop the service as needed. Disable the automatic start with the command (on a Red Hat-based system):

chkconfig httpd remove

Make sure you have the same Apache configuration on both nodes.

Now we test

At this point we're done with configuration. Now it's time to start the newly created cluster. Start the heartbeat service on both nodes:

/etc/init.d/heartbeat start

Watch the /var/log/ha-log on both nodes. If everything is configured correctly, you should see something like this in your log files:

Configuration validated. Starting heartbeat 1.2.3.cvs.20050927 heartbeat: version 1.2.3.cvs.20050927 Link node1.example.com:eth1 up. Link node2.example.com:eth1 up. Status update for node node2.example.com: status active Local status now set to: 'active' remote resource transition completed. Local Resource acquisition completed. (none) node2.example.com wants to go standby [foreign] acquire local HA resources (standby). local HA resource acquisition completed (standby). Standby resource acquisition done [foreign]. Initial resource acquisition complete (auto_failback) remote resource transition completed.

Now test the failover. Reboot the master server. The slave should take over the Apache service. If everything works well, you should see something like this:

Received shutdown notice from 'node1.example.com'. Resources being acquired from node1.example.com. acquire local HA resources (standby). local HA resource acquisition completed (standby). Standby resource acquisition done [foreign]. Running /etc/ha.d/rc.d/status status Taking over resource group 192.168.1.5 Acquiring resource group: node1.example.com 192.168.1.5 httpd mach_down takeover complete for node node1.example.com. node node1.example.com: is dead Dead node node1.example.com gave up resources. Link node1.example.com:eth1 dead.

And when the master comes back online again, he should take over the Apache service:

Heartbeat restart on node node1.example.comheartbeat
Link node1.example.com:eth1 up.
node2.example.com wants to go standby [foreign]
standby: node1.example.com can take our foreign resources
give up foreign HA resources (standby).
Releasing resource group: node1.example.com 192.168.1.5 httpd
Local standby process completed [foreign].
remote resource transition completed.
Other node completed standby takeover of foreign resources.

Conclusion

That's all it takes to build a low-cost highly available Web server cluster. There are of course many commercial products that accomplish the same goal, but for the production needs for small business or any other institution, High Availability Linux and heartbeat are an excellent alternative.

By Anže Vidmar on October 02, 2006 (8:00:00 AM)

Simple HOW TO’s … How to setup a Passwordless SSH

2007-06-20T08:08:00.000+08:00

Simple HOW TO’s …

How to setup a Passwordless SSH:

from source:

1. Generate source key on root account...

# ssh-keygen -t dsa

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
key fingerprint is:
6f:c5:86:c7:67:69:02:1a:e4:a9:20:e6:16:13:5d:e5 admin1@gohan

2. vi /root/.ssh/id_dsa then copy all content to notepad (need to be one-liner only)

from destination:

3. Do the following

# cd
# mkdir -p .ssh
# chmod 700 .ssh
# vi .ssh/authorized_keys ;then paste key generated from source then save
# chmod 600 .ssh/authorized_keys

DONE!!!

Shortcut:
cat ~/.ssh/id_dsa.pub | ssh user@remotebox "(mkdir .ssh&>/dev/null; chmod 700 .ssh && cat - >> .ssh/authorized_keys )&&chmod 600 .ssh/authorized_keys"

Simple HOW TO’s …. How to redirect an URL

2007-06-20T08:01:00.000+08:00

Simple HOW TO’s ….

How to redirect an URL:

IIS Redirect

* In internet services manager, right click on the file or folder you wish to redirect
* Select the radio titled "a redirection to a URL".
* Enter the redirection page
* Check "The exact url entered above" and the "A permanent redirection for this resource"
* Click on 'Apply'

ColdFusion Redirect
<.cfheader statuscode="301" statustext="Moved permanently">
<.cfheader name="Location" value="http://www.new-url.com">

PHP Redirect
Header( "HTTP/1.1 301 Moved Permanently" );
Header( "Location: http://www.new-url.com" );
?>

ASP Redirect
<%@ Language=VBScript %>
<%
Response.Status="301 Moved Permanently";
Response.AddHeader("Location","http://www.new-url.com/");
%>

ASP .NET Redirect

JSP (Java) Redirect
<%
response.setStatus(301);
response.setHeader( "Location", "http://www.new-url.com/" );
response.setHeader( "Connection", "close" );
%>

CGI PERL Redirect
$q = new CGI;
print $q->redirect("http://www.new-url.com/");

Ruby on Rails Redirect
def old_action
headers["Status"] = "301 Moved Permanently"
redirect_to "http://www.new-url.com/"
end

Redirect Old domain to New domain (htaccess redirect)

Create a .htaccess file with the below code, it will ensure that all your directories and pages of your old domain will get correctly redirected to your new domain.
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)

Options +FollowSymLinks
RewriteEngine on
RewriteRule (.*) http://www.newdomain.com/$1 [R=301,L]

Please REPLACE www.newdomain.com in the above code with your actual domain name.

In addition to the redirect I would suggest that you contact every backlinking site to modify their backlink to point to your new website.

Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite moduled enabled.

Redirect to www (htaccess redirect)

Create a .htaccess file with the below code, it will ensure that all requests coming in to domain.com will get redirected to www.domain.com
The .htaccess file needs to be placed in the root directory of your old website (i.e the same directory where your index file is placed)

Options +FollowSymlinks
RewriteEngine on
rewritecond %{http_host} ^domain.com [nc]
rewriterule ^(.*)$ http://www.domain.com/$1 [r=301,nc]

Please REPLACE domain.com and www.newdomain.com with your actual domain name.

Note* This .htaccess method of redirection works ONLY on Linux servers having the Apache Mod-Rewrite moduled enabled.

How to Redirect HTML

Please refer to section titled 'How to Redirect with htaccess', if your site is hosted on a Linux Server and 'IIS Redirect', if your site is hosted on a Windows Server.

Simple HOW TO’s …. How to setup a Syslog Server

2007-06-20T07:46:00.000+08:00

Simple HOW TO’s ….

How to setup a Syslog Server:

Step #1. Configuring the client machines logging facilities.

The first step when setting up your log server is to configure your linux machines syslog daemon to send there log files to an alternate location, the logserver. /etc/syslogd.conf is the configuration file that controls how linux will log data and where it will log it. Use your favourite text editor (pico or vi for example) and add the following line:

[root@localhost]# vi /etc/syslogd.conf

*.* [hit tab a few times] @logserver

NOTE: This will tell syslogd to send logs to a machine called "logserver"

Step #2. Restart syslogd on the client machine.

After making your changes, restart syslogd so it will start with its new configuration.

[root@localhost]# killall -HUP syslogd

Step #3. Configure your client machines firewall.

If your client machine is running a firewall, then you need to add a rule that will allow outgoing udp packets from the client machine to the logserver.

[root@localhost]# /sbin/ipchains -A output -p udp -i eth0 -s 192.168.0.1 -d 192.168.0.2 514 -j ACCEPT

NOTE: this rule is only for users who are running a firewall on there machine. It allows outgoing udp packets on the client machine (192.168.0.1) on port 514 (syslog port) to the loghost (192.168.0.2). If your not running a firewall, disgard it.

Step #4. Configure the logserver for "remote reception".

Now that we have configured the client's machine to send log files to a machine called "logserver", lets setup the log server so that it accepts incoming logs from other machines. To stop the syslog daemon, you can find its process ID (PID) and kill it, then restart syslogd with "remote reception" enabled.

[root@logserver]# ps -aux | grep "syslogd"

root 1292 0.0 0.2 1404 176 ? S Aug10 0:00 /usr/sbin/syslogd

The process ID of syslogd is "1292" so we need to stop syslogd, make the change and then restart it.

[root@logserver]# kill 1292

(or try kill -9 1292 if the process did not terminate)

Now that the syslog daemon has be shutdown, we can now start it again with "remote reception" enabled.

[root@logserver]# /usr/sbin/syslogd -rm 0

NOTE: the -r means "remote reception" and the -m 0 turns of the annoying "--MARK--" timestamp.

Step #5. Verify the logserver's syslog daemon is correctly configured.

Verify that syslogd has been restarted with remote reception enabled by checking /var/log/messages (or /var/log/secure on some systems)

[root@logserver]# cat /var/log/messages

Near the bottom you should see..

Aug 11 21:20:30 logserver syslogd 1.3-3: restart. (remote reception)

Yup it worked. The linux machine called "logserver" is now setup for remote reception of log files from other machines on the network.

Step #6. Configure your firewall.

If your logserver is running a firewall, then you need to add a rule that will allow incoming udp packets from the client machine to the logserver.

[root@logserver]# /sbin/ipchains -A input -p udp -i eth0 -s 192.168.0.1 -d 192.168.0.2 514 -j ACCEPT

This rule is only for users who are running a firewall on their logserver. It allows incoming udp packets from the client machine (192.168.0.1) on port 514 (syslog port) to the logserver (192.168.0.2) If your not running a firewall, disgard it.

Step #7. Verify everything works correctly.

The last step is to verify that everything is working correctly. To do that, log out of your client machine and log back in, then go to your log server and check /var/log/messages (or /var/log/secure on some systems) and you should see the login from the client machine. If something does go wrong, make sure your network is setup correctly (ie are you able to ping other machines on your network? and is /etc/hosts setup on each machine?) make sure you have your log servers syslog daemon setup for remote recetpion (/usr/sbin/syslogd -rm 0) and make sure after you edit /etc/syslog.conf on the client machine you restart the syslog daemon (killall -HUP syslogd).

[root@localhost]# logout

Password: xxxxxxxx

Now check your logservers log file (/var/log/messages or /var/log/secure) and you should see something like this

[root@logserver]# cat /var/log/messages

Aug 14 18:36:19 slackware login[2893]: ROOT LOGIN on `tty2'

NOTE: We are logged onto the logserver and root's login on the client machine showed up in our log files. So everything is working correctly. Congrats.

***You may also try to edit your syslog script to automatically start your syslog daemon to enable remote reception:

[root@logserver]# vi /etc/rc2.d/S12syslog

# Source config

if [ -f /etc/sysconfig/syslog ] ; then

. /etc/sysconfig/syslog

else

SYSLOGD_OPTIONS="-rm 0"

KLOGD_OPTIONS="-2"

Booting Single-User Mode

2007-03-26T20:55:00.000+08:00

Booting Single-User Mode

You may be able to boot single-user mode directly. If your system boots, but does not allow you to log in when it has completed booting, try single-user mode.

If you are using GRUB, use the following steps to boot into single-user mode:

If you have a GRUB password configured, type p and enter the password.
Select Red Hat Linux with the version of the kernel that you wish to boot and type e for edit. You will be presented with a list of items in the configuration file for the title you just selected.
Select the line that starts with kernel and type e to edit the line.
Go to the end of the line and type single as a separate word (press the [Spacebar] and then type single). Press [Enter] to exit edit mode.
Back at the GRUB screen, type b to boot into single user mode.

If you are using LILO, specify one of these options at the LILO boot prompt (if you are using the graphical LILO, you must press [Ctrl]-[x] to exit the graphical screen and go to the boot: prompt):

boot: linux single
boot: linux emergency

In single-user mode, you computer boots to runlevel 1. Your local filesystems will be mounted, but your network will not be activated. You will have a usable system maintenance shell.

In emergency mode, you are booted into the most minimal environment possible. The root filesystem will be mounted read-only and almost nothing will be set up. The main advantage of emergency mode over linux single is that your init files are not loaded. If init is corrupted or not working, you can still mount filesystems to recover data that could be lost during a re-installation.

Have you ever rebuilt a kernel and, eager to try out your new handiwork, rebooted before running /sbin/lilo? If you did not have an entry for an older kernel in lilo.conf, you had a problem. If you would like to know a solution to this problem, read this section.

In many cases, you can boot your Red Hat Linux system from the Red Hat Linux boot disk [1] with your root filesystem mounted and ready to go. Here is how to do it:

Enter the following command at the boot disk's boot: prompt:

linux single root=/dev/hdXX initrd=

Replace the XX in /dev/hdXX with the appropriate letter and number for your root partition.

What does this command do? First, it starts the boot process in single-user mode, with the root partition set to your root partition. The empty initrd specification bypasses the installation-related image on the boot disk, which will cause you to enter single-user mode immediately.

Is there a negative side to using this technique? Unfortunately, yes. Because the kernel on the Red Hat Linux boot disk only has support for IDE built-in, if your system is SCSI-based, you will not be able to do this. In that case, you will have to access rescue mode using the linux rescue command mentioned above.

Terminal Services - Remote Control your W2K Server

2006-12-08T20:50:00.000+08:00

Overview

Looking for a way to remote control your Windows 2000 Server without actually sitting in front of it? If you have one of the Server editions of Windows then you're in luck. You can use Terminal Services which works quite well and it's free!

Remote Administration
Application Server Mode

We're interested in the Remote Administration mode because it is what we want to do and because the Application Server mode requires additional licensing.

Here is an overview of how Terminal Services works. You have Terminal Services run on your Server and it sits there and waits for a remote computer to connect to it. This will be referred to as "Terminal Services Server". How does a remote computer connect to Terminal Services? There are two ways.

The first way is to install a Terminal Services client on each of the computers you will use to remotely administer the server. This will be referred to as "Terminal Services Client". You will have to create client disks using a built-in program. This method works well, but you have to install the Terminal Services Client software on each computer you use to administer the server. This could be a problem if you want to have the freedom to remotely control your server from a variety of places such as school, the library, or from a friends computer. We don't think you want to install the client in all of those places. However, this method is fairly secure because the only people who can administer your server also need the Terminal Services Client.

The second way requires that you install a special module called the Terminal Services Advanced Client which can be downloaded from Microsoft.com. This will be called the "Terminal Services Advanced Client". We have no idea what Microsoft decided to call it "Advanced Client" because there is really nothing advanced about it. This module allows you to log into Terminal Services via any computer that has a web browser and Active X. Of course there are still passwords required, but you get the convenience of administering your server from any computer connected to the Internet.

These two methods of connecting to Terminal Services will be covered in different articles. Which of the two methods you use to access Terminal Services is your choice

Terminal Services Server Configuration

Install Terminal Service

Start -> Settings -> Control Panel -> Add/Remove Programs ->
Add/Remove Windows Components.

Scroll down until you see the Terminal Services listing.

Check the box that is labeled "Terminal Services". For remote administration, you DO NOT need to check the box labeled "Terminal Services Licensing".

The next window allows you to choose between "Remote Administration Mode" and "Application Server Mode". We are interested in the Remote Administration Mode so that we can manage the server from across the Internet.

Configure Terminal Service

Start -> Settings -> Control Panel -> Administrative Tools

Let's take a look at the Terminal Services Manager. Double click on the "Terminal Services Manager" icon.

Here we can see who is connected to the Terminal Services and other monitoring information. Nothing to really do here. Just to keep tabs on who is remotely administering your server.

Next, we'll look at the Terminal Services Configuration. Double click on the "Terminal Services Configuration" icon. Click on "Server Settings". Here you can change the settings of how Terminal Services runs. Everything can be safely left at the default settings. By default, Terminal Services Server and Client talk to each other over port 3389.

Now, your Terminal Service is up and running and you are ready to allow client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the Server.

Terminal Services Client Configuration

On your Terminal Services Server, there is an icon labeled "Terminal Services Client Creator" which creates disks that are used to install the Terminal Services Client program on the computer you plan to use to remote administer the server. You must install this client program on each computer you plan on using to remote administer the server.

Double click on the "Terminal Services Client Creator" icon. You will see the following screen. You must choose which version of windows (16-bit or 32-bit) the client disks should support. As a gross simplification, windows 3.1 is 16-bit while windows 95 and later are 32-bit. The 16 bit version of the Terminal Services Client requires 4 disks while the 32 bit version of TS Client requires only 2 disks.

Choose which version of the client you require and follow the directions. After you are done making the Terminal Services Client disks, you can now install the Terminal Services Client on any computer you will use to remotely administer your server.

The client computer that you use to remote administer your server can be on the external WAN or the internal LAN. If you are using a LAN computer to access Terminal Services on your server, then you do not need to do anything with your router. However, if you are planning on accessing Terminal Services from a computer across the Internet, you will need to forward port 3389 to your server. This is very important since Terminal Services listens on port 3389.

Let's install the Terminal Services Client on a computer that you will use to remote administer your server. Insert the first Terminal Services Client floppy disk into your disk drive and click setup.exe. After this you are ready to connect using Terminal Services Client.

Once you connect to you server through Terminal Services, you have full control over the server. However, the desktop you see is not exactly the one that is open on the server itself. The Terminal Services logs in separately, so technically, it is a different session. However, everything you do in the Terminal Services session will be executed on the server.

Once you are done working with terminal services, how do you get out?

Go to "Start -> Shut Down". You'll see four options.

Log off This shuts down all applications and terminates your Terminal Services session.

Shut down This physically shuts down the computer and does not give you a way to restart the computer. Be careful.

Restart This physically restarts the computer and in the process breaks your Terminal Services connection. However, you will be able to reconnect once the server reboots.

Disconnect This is like logging off, but leaves your applications and open so you can reconnect and pick up work where you left off.

-----------
frm: http://www.akadia.com/services/terminal_server.html

VI (and Clone) Editor Reference Manual

2006-09-26T19:07:00.001+08:00

VI (and Clone) Editor Reference Manual

1. Introduction

This is a brief, introductory reference for vi. It is supplemental to the VI Introductory Guide and your vendor documentation. The information here also applies to all the clones of vi, such as vim, elvis, and stevie.

Vi is actually a very powerful editor, and is organized in a logical fashion. It is different from other editors or word processors, which may make learning it just a little bit tricky for some people. If you approach it analytically and fearlessly, you should become proficient with it in a short period of time.

I highly recommend experimentation. For obvious reasons you should restrict early experimentation to test files.

Some non-display character keys and other keys have special functions. These keys will be shown by placing their name (such as RETURN) in square brackets, like this: [RETURN].

Unlike most non UNIX¹ products, vi is case-sensitive. Be careful with the [CAPS LOCK] key (except in input mode). If things are acting strange, make sure [CAPS LOCK] is off. If you are unsure about this, a good test is to press the `j' key; if it moves the cursor down a line, [CAPS LOCK] is not on; if it joins the next line to the current line, [CAPS LOCK] is on.

Not all of the commands mentioned here are covered in the VI Introductory Guide. There are also far more commands available in vi than are covered here - for further information check your system documentation or get one of the books available on vi.

Special Keys
Key	Command Mode	Text Mode
Arrow Keys	cursor movement	N/A
[CTRL]	used with other keys for extra commands	insert control characters in text
[ENTER] or [RETURN]	down 1 line	normal function
[ESC]	N/A	leave text mode
Space Bar	move right 1 character	normal function
[TAB]	N/A	normal function

When a command is shown as a combination of the `^' (caret) and another character, as in ^V, this means press the [CTRL] key first, and hold it down while you press and release the other key.

2. Command Mode vs Text Mode

Vi is always either in command mode or text (input) mode. In text mode any character key pressed is enetered into the file. Most other typewriter keys have their normal effect. On some systems to enter a [CTRL] key sequence, you may first have to enter ^V before the sequence you want.

In command mode nearly every key on the keyboard performs some command or modifies the next command. Some of these commands may be difficult to recover from, so be careful in command mode to enter only the commands you wish to enter.

The [RETURN] key is not needed in command mode except with commands that begin with a `:' (colon) and with the search comands.

Mode Change Commands
a	append text after cursor
i	insert text before cursor
o	open new line after current line & add text
O	open new line before current line & add text
[ESC]	leave text mode

3. Cursor Motion

Cursor motion should nominally include use of the cursor keys. If your terminal lacks or has problems with arrow keys in vi command mode, the `h', `j', `k', and `l' keys will perform the same functions, as noted below.

Cursor Motion Commands
h	move back 1 character
l	move forward 1 character
j	move down 1 line
k	move up 1 line

b	back to beginning of word
e	forward to end of word
w	forward to beginning of next word
^	go to first displayable character of line
0	go to beginning of line
$	go to end of line

F	forward 1 screen
B	backward 1 screen
D	down (forward) 1/2 screen
U	up (backward) 1/2 screen

4. Editing Commands

These are the commands that actually manipulate text. the commands listed here include those which delete, replace, search, cut, and paste text, as well as those used for saving text and abandoning an edit session. Finally, a few miscellaneous commands are included which don't fit into the other categories.

4.1. Delete (Cut) Commands

In some editors the delete commands may be called cut commands. The last item deleted is saved in a buffer and may be put (or pasted) elsewhere in the file as noted later.

Delete Commands
x	delete character
dw	delete rest of word
d$	delete rest of line
D	delete rest of line
dd	delete line

4.2. Replace, Change and Substitute Commands

Some editors provide commands to substitute new text occurances of search strings; this is not the same thing. These following vi commands allows you to replace some number of characters, words, lines or parts of lines with new text.

The change and substitute commands, the editor puts you into insert mode until you press [ESC]. The replace command replaces 1 (or more) characters with the next character you type.

Replace Commands
r	replace character
cw	change rest of word
c$	change rest of line
C	change rest of line
Ns	substitute text for N characters

4.3. Search Commands

These commands let you search for a text string, which may include regular expressions. They must be followed by a [RETURN].

Search Commands
/text	search forward for text
?text	search backward for text
n	search in same direction for next occurance of last-searched-for text
N	search in other direction for next occurance of last-searched-for text

4.4. Undo Command

IN the real vi, the undo command only undoes the last command, even if that is an undo command. Repeated undo commands simply toggle the effect of the last command before the series of undo commands.

Some vi clones, such as vim, allow multiple undo's. These usually offer a way to set the undo level to the standard vi mode. See your editor's man page or reference manual for details.

Undo Command
u	undo last command (BE CAREFUL WITH THIS)

4.5. Saving & Exiting Commands

These commands must be followed by a [RETURN].

Saving & Exiting Commands
:w	write (save) the file
:w NAME	write the file and name it NAME
:w! NAME	rewrite the file named NAME
:wq	write the file and quit the editor
:q	quit the editor
:q!	quit the editor (abandoning any changes)

4.6. Search & Replace Command

To find & replace all occurances of a particular text string, use the command:

    :%s/text1/text2/g[RETURN]

which replaces all occurances of text1 with text2.

4.7. Yank (Copy) Commands

The vi yank command is similar to the copy command in many editors. It copies the text into a buffer. The text may be put (pasted) elsewhere in the file as described under the Put command.

Yank Commands
yw	yank rest of word
y$	yank rest of line
yy	yank entire line
Y	yank entire line

4.8. Put (Paste) Commands

The vi put command is similar to the paste command in many other editors. It will paste whatever is in the buffer from either the previous delete or yank command.

Put Commands
p	put yanked/deleted text before cursor
P	put yanked/deleted text after cursor

If you yanked/deleted a whole line (or group of lines), p and P paste the text before or after the current line, respectively; otherwise, they paste the text before or after the cursor, respectively, on the current line.

4.9. Miscellaneous Commands

Miscellaneous Commands
.	repeat last command (BE CAREFUL WITH THIS)
J	join next line to end of this line

NOTE

The period, or dot, command repeats most commands, but not quite all. It should work with all of the commands listed in this document; if you aren't sure of what you're doing, save your work before you try something.

5. Miscellaneous Notes

Most commands (other than those beginning with a colon (`:') may be preceded by a repeat count. For example,

3dd

would delete 3 lines, starting with the current one.

Vi will not let you delete more lines than are in the file, so the above example would not work on the last line; vi would beep at you instead.

Notes:

UNIX is a trademark of Western Electric, AT&T, SCO, or whoever bought it this week.

Copyright 1988, 1989, 1991, 1993, 1994, & 1998 by Susan Liebeskind (Atlanta, GA) and Miles O'Neal (Austin, TX). All rights reserved. Permission is hereby granted to redistribute this in either source or formatted form, so long as this copyright & the author's names are included, unmodified in content, and so long as no charge beyond reasonable cost of reproduction is charged. Notwithstanding, inclusion in any other work or collection which is sold, rented, or otherwise charged for, is prohibited without express consent of the authors.

2006-09-26T19:07:00.000+08:00

VI (and Clone) Editor Reference Manual

1. Introduction

I highly recommend experimentation. For obvious reasons you should restrict early experimentation to test files.

Some non-display character keys and other keys have special functions. These keys will be shown by placing their name (such as RETURN) in square brackets, like this: [RETURN].

Special Keys
Key	Command Mode	Text Mode
Arrow Keys	cursor movement	N/A
[CTRL]	used with other keys for extra commands	insert control characters in text
[ENTER] or [RETURN]	down 1 line	normal function
[ESC]	N/A	leave text mode
Space Bar	move right 1 character	normal function
[TAB]	N/A	normal function

When a command is shown as a combination of the `^' (caret) and another character, as in ^V, this means press the [CTRL] key first, and hold it down while you press and release the other key.

2. Command Mode vs Text Mode

The [RETURN] key is not needed in command mode except with commands that begin with a `:' (colon) and with the search comands.

Mode Change Commands
a	append text after cursor
i	insert text before cursor
o	open new line after current line & add text
O	open new line before current line & add text
[ESC]	leave text mode

3. Cursor Motion

Cursor Motion Commands
h	move back 1 character
l	move forward 1 character
j	move down 1 line
k	move up 1 line

b	back to beginning of word
e	forward to end of word
w	forward to beginning of next word
^	go to first displayable character of line
0	go to beginning of line
$	go to end of line

F	forward 1 screen
B	backward 1 screen
D	down (forward) 1/2 screen
U	up (backward) 1/2 screen

4. Editing Commands

4.1. Delete (Cut) Commands

In some editors the delete commands may be called cut commands. The last item deleted is saved in a buffer and may be put (or pasted) elsewhere in the file as noted later.

Delete Commands
x	delete character
dw	delete rest of word
d$	delete rest of line
D	delete rest of line
dd	delete line

4.2. Replace, Change and Substitute Commands

The change and substitute commands, the editor puts you into insert mode until you press [ESC]. The replace command replaces 1 (or more) characters with the next character you type.

Replace Commands
r	replace character
cw	change rest of word
c$	change rest of line
C	change rest of line
Ns	substitute text for N characters

4.3. Search Commands

These commands let you search for a text string, which may include regular expressions. They must be followed by a [RETURN].

Search Commands
/text	search forward for text
?text	search backward for text
n	search in same direction for next occurance of last-searched-for text
N	search in other direction for next occurance of last-searched-for text

4.4. Undo Command

IN the real vi, the undo command only undoes the last command, even if that is an undo command. Repeated undo commands simply toggle the effect of the last command before the series of undo commands.

Some vi clones, such as vim, allow multiple undo's. These usually offer a way to set the undo level to the standard vi mode. See your editor's man page or reference manual for details.

Undo Command
u	undo last command (BE CAREFUL WITH THIS)

4.5. Saving & Exiting Commands

These commands must be followed by a [RETURN].

Saving & Exiting Commands
:w	write (save) the file
:w NAME	write the file and name it NAME
:w! NAME	rewrite the file named NAME
:wq	write the file and quit the editor
:q	quit the editor
:q!	quit the editor (abandoning any changes)

4.6. Search & Replace Command

To find & replace all occurances of a particular text string, use the command:

    :%s/text1/text2/g[RETURN]

which replaces all occurances of text1 with text2.

4.7. Yank (Copy) Commands

The vi yank command is similar to the copy command in many editors. It copies the text into a buffer. The text may be put (pasted) elsewhere in the file as described under the Put command.

Yank Commands
yw	yank rest of word
y$	yank rest of line
yy	yank entire line
Y	yank entire line

4.8. Put (Paste) Commands

The vi put command is similar to the paste command in many other editors. It will paste whatever is in the buffer from either the previous delete or yank command.

Put Commands
p	put yanked/deleted text before cursor
P	put yanked/deleted text after cursor

4.9. Miscellaneous Commands

Miscellaneous Commands
.	repeat last command (BE CAREFUL WITH THIS)
J	join next line to end of this line

NOTE

5. Miscellaneous Notes

Most commands (other than those beginning with a colon (`:') may be preceded by a repeat count. For example,

3dd

would delete 3 lines, starting with the current one.

Vi will not let you delete more lines than are in the file, so the above example would not work on the last line; vi would beep at you instead.

Notes:

UNIX is a trademark of Western Electric, AT&T, SCO, or whoever bought it this week.

Booting Linux into Rescue Mode

2006-09-15T15:31:00.000+08:00

Booting into Rescue Mode

Rescue mode provides the ability to boot a small Red Hat Enterprise Linux environment entirely from CD-ROM, or some other boot method, instead of the system's hard drive.

As the name implies, rescue mode is provided to rescue you from something. During normal operation, your Red Hat Enterprise Linux system uses files located on your system's hard drive to do everything — run programs, store your files, and more.

However, there may be times when you are unable to get Red Hat Enterprise Linux running completely enough to access files on your system's hard drive. Using rescue mode, you can access the files stored on your system's hard drive, even if you cannot actually run Red Hat Enterprise Linux from that hard drive.

To boot into rescue mode, you must be able to boot the system using one of the following methods[1]:

By booting the system from an installation boot CD-ROM.
By booting the system from other installation boot media, such as USB flash devices.
By booting the system from the Red Hat Enterprise Linux CD-ROM #1.

Once you have booted using one of the described methods, add the keyword rescue as a kernel parameter. For example, for an x86 system, type the following command at the installation boot prompt:

linux rescue

You are prompted to answer a few basic questions, including which language to use. It also prompts you to select where a valid rescue image is located. Select from Local CD-ROM, Hard Drive, NFS image, FTP, or HTTP. The location selected must contain a valid installation tree, and the installation tree must be for the same version of Red Hat Enterprise Linux as the Red Hat Enterprise Linux CD-ROM #1 from which you booted. If you used a boot CD-ROM or other media to start rescue mode, the installation tree must be from the same tree from which the media was created. For more information about how to setup an installation tree on a hard drive, NFS server, FTP server, or HTTP server, refer to the Red Hat Enterprise Linux Installation Guide.

If you select a rescue image that does not require a network connection, you are asked whether or not you want to establish a network connection. A network connection is useful if you need to backup files to a different computer or install some RPM packages from a shared network location, for example.

The following message is displayed:

The rescue environment will now attempt to find
your Linux installation and mount it under the
directory /mnt/sysimage.  You can then make any
changes required to your system.  If you want
to proceed with this step choose 'Continue'.
You can also choose to mount your file systems
read-only instead of read-write by choosing
'Read-only'.

If for some reason this process fails you can
choose 'Skip' and this step will be skipped and
you will go directly to a command shell.

If you select Continue, it attempts to mount your file system under the directory /mnt/sysimage/. If it fails to mount a partition, it notifies you. If you select Read-Only, it attempts to mount your file system under the directory /mnt/sysimage/, but in read-only mode. If you select Skip, your file system is not mounted. Choose Skip if you think your file system is corrupted.

Once you have your system in rescue mode, a prompt appears on VC (virtual console) 1 and VC 2 (use the [Ctrl]-[Alt]-[F1] key combination to access VC 1 and [Ctrl]-[Alt]-[F2] to access VC 2):

sh-3.00b#

If you selected Continue to mount your partitions automatically and they were mounted successfully, you are in single-user mode.

Even if your file system is mounted, the default root partition while in rescue mode is a temporary root partition, not the root partition of the file system used during normal user mode (runlevel 3 or 5). If you selected to mount your file system and it mounted successfully, you can change the root partition of the rescue mode environment to the root partition of your file system by executing the following command:

chroot /mnt/sysimage

This is useful if you need to run commands such as rpm that require your root partition to be mounted as /. To exit the chroot environment, type exit to return to the prompt.

If you selected Skip, you can still try to mount a partition or LVM2 logical volume manually inside rescue mode by creating a directory such as /foo, and typing the following command:

mount -t ext3 /dev/mapper/VolGroup00-LogVol02 /foo

In the above command, /foo is a directory that you have created and /dev/mapper/VolGroup00-LogVol02 is the LVM2 logical volume you want to mount. If the partition is of type ext2, replace ext3 with ext2.

If you do not know the names of all physical partitions, use the following command to list them:

fdisk -l

If you do not know the names of all LVM2 physical volumes, volume groups, or logical volumes, use the following commands to list them:

pvdisplay

vgdisplay

lvdisplay

From the prompt, you can run many useful commands, such as:

ssh, scp, and ping if the network is started
dump and restore for users with tape drives
parted and fdisk for managing partitions
rpm for installing or upgrading software
joe for editing configuration files

How to harden your Unix Server

2006-06-22T16:13:00.002+08:00

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to
ServerSignature Off

4. Find the line "HostnameLookups off"
After that line, add "ServerTokens Prod"

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart

Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and information representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admin with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.

2. go to /usr/local 3. Get source file wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Enter and spacebar to continue.

8. Finally, get to auto-configuration script for SIM. Select options you want to install.

Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart

: Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access.

Disabling direct root login will create an extra user account before changing to root user. This will force a hacker to have try and guess 2 seperate passwords to become root user.

cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it. Put no so thatPermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"

Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gaining access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.

To disable telnet on your server, follow these steps:

1. Login as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" ,
replace with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.
nmap -sT -O localhost

Our server-side PDF to Word converter and PDF to DOC converter will help you edit your PDF's. Wehave a PDF to Excel converter too. Try our PDF converters at Investintech.com.

Install the Microsoft Loopback Adapter in Windows Server 2003

2006-06-22T12:17:00.000+08:00

A loopback adapter can be very useful for testing networking features on a server that doesn't have a network adapter already installed, and Microsoft provides this feature in Windows Server 2003.

To install the Microsoft Loopback Adapter, follow these steps:

1. Go to Start | Control Panel | Add Hardware.
2. In the introductory dialog box, click Next.
3. Select Yes, I Have Already Connected The Hardware, and click Next.
4. Scroll to the bottom of the Installed Hardware list box, select Add A New Hardware Device, and click Next.
5. Select the Install The Hardware That I Manually Select From A List (Advanced) option, and click Next.
6. Under Hardware Types, select Network Adapters, and click Next.
7. Under Manufacturer, select Microsoft.
8. Under Network Adapter, select Microsoft Loopback Adapter.
9. Click Next twice, and click Finish.

Unless there are already existing adapters, Windows will install the loopback adapter with the name Local Area Connection. If other adapters exist, Windows will name it Local Area Connection .

How To Install Microsoft Loopback Adapter in Windows 2000

2006-06-22T12:12:00.000+08:00

The Microsoft Loopback adapter is a tool for testing in a virtual network environment where access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts with a network adapter or a network adapter driver. Network clients, protocols, and so on, can be bound to the Loopback adapter, and the network adapter driver or network adapter can be installed at a later time while retaining the network configuration information. The Loopback adapter can also be installed during the unattended installation process.

Manual Installation

	Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware.
2.	Click Add/Troubleshoot a device, and then click Next.
3.	Click Add a new device, and then click Next.
4.	Click No, I want to select the hardware from a list, and then click Next.
5.	Click Network adapters, and then click Next.
6.	In the Manufacturers box, click Microsoft.
7.	In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
8.	Click Finish.

After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the adapter will eventually use an autonet address (169.254.x.x/16) because it is not actually connected to any physical media.

APPLIES TO

	Microsoft Windows 2000 Server
•	Microsoft Windows 2000 Advanced Server
•	Microsoft Windows 2000 Professional Edition
•	Microsoft Windows 2000 Datacenter Server

How to install the Microsoft Loopback adapter in Windows XP

2006-06-22T12:09:00.000+08:00

The Microsoft Loopback adapter is a testing tool for a virtual network environment where network access is not available. Also, you must use the Loopback adapter if there are conflicts with a network adapter or with a network adapter driver. You can bind network clients, protocols, and other network configuration items to the Loopback adapter, and you can install the network adapter driver or network adapter later while retaining the network configuration information. You can also install the Loopback adapter during the unattended installation process.

Manual installation

To manually install the Microsoft Loopback adapter in Windows XP, follow these steps:

1.	Click Start, and then click Control Panel.
2.	If you are in Classic view, click Switch to Category View under Control Panel in the left pane.
3.	Double-click Printers and Other Hardware, and then click Next.
4.	Under See Also in the left pane, click Add Hardware,and then click Next.
5.	Click Yes, I have already connected the hardware, and then click Next.
6.	At the bottom of the list, click Add a new hardware device, and then click Next.
7.	Click Install the hardware that I manually select from a list, and then click Next.
8.	Click Network adapters, and then click Next.
9.	In the Manufacturer box, click Microsoft.
10.	In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
11.	Click Finish.

After the adapter is installed successfully, you can manually configure its options, as with any other adapter. If the TCP/IP properties are configured to use DHCP, the adapter will eventually use an autonet address (169.254.x.x/16) because the adapter is not actually connected to any physical media.

Note By default, TCP/IP properties are configured to use DHCP.

Microsoft Unveils Robotics Studio

2006-06-21T12:56:00.000+08:00

Microsoft Corp. on Tuesday launched a technology preview of Robotics Studio, a Windows-based development environment for creating robotic applications.

The early release targets academic, hobbyist and commercial developers with a toolset for building applications that can run on a variety of robotics computing platforms, the company said. Early partners include the LEGO Group.

"We've reached out to a broad range of leading robotics companies and academics early on in the development process and are thrilled with the positive response from the community," Tandy Trower, general manager of the Microsoft Robotics Group, said in a statement.

Key features in Robotics Studio include a visual programming tool that makes it easy to create and debug robot applications, the company said. The tools also allow users to interact with robots through Web-based or Windows-based interfaces, or simulate robotic applications using realistic 3-D models. The latter feature is powered with technology licensed from AGEIA.

Robotics Studio's programming model can be applied for a variety of robot hardware platforms, and third parties can also extend the functionality of the product by providing additional libraries and services.

Both remote PC-based and autonomous robot-based execution scenarios can be developed using programming languages found in Microsoft Visual Studio and Microsoft Visual Studio Express, JScript and Microsoft IronPython 1.0 Beta 1. Third party languages can also be used if they conform to the toolset's services-oriented, message-based architecture.

Joe Wilcox, analyst for JupiterResearch, said Microsoft appears to be interested in the growing market for robotics devices in the home, which is driving the need for operating systems and development tools.

"It's just too bad that, like other Microsoft stuff, to get there you've got to go the Windows way or the highway," Wilcox said in his blog.

Microsoft unveiled the development environment at the RoboBusiness Conference and Exposition in Pittsburgh, Penn. The toolset is available for download through the company's developer Web site.

http://www.informationweek.com

IBM runs frozen chip at 500GHz

2006-06-21T12:49:00.000+08:00

IBM researchers have pushed a silicon-based microprocessor to speeds of 500GHz, more than 250 times faster than a typical commercial chip in a cell phone.

The research shows that chip makers can reach high speeds with low-cost manufacturing techniques and commercial silicon-based chip technology, said John D. Cressler, a professor at Georgia Tech’s School of Electrical and Computer Engineering.

The new research, announced Tuesday by IBM, could also lead to more efficient chips, opening up new markets. Running at extremely high speeds, these chips could now find new applications in commercial communications systems, defense electronics, space exploration and remote sensing, according to IBM.

A team of scientists from IBM and Georgia Tech used an old hacker’s technique to avoid melting the chip at such high speeds.

Extreme video gamers chill their chips with refrigerated mineral oil stored in the garage, but this team was able to make the chip much colder.

First, the researchers built a prototype silicon-germanium (SiGe) chip that ran at 350GHz at room temperature. IBM, in Armonk, New York, has been mixing germanium with silicon since 1998, using the mixture to make chips for cell phones and other mobile devices that demand reduced power consumption.

Then they used liquid helium to freeze their microprocessor to 451 degrees below zero Fahrenheit. Nature’s coldest temperature, known as absolute zero, is just a few degrees lower, at minus 459.67 degrees Fahrenheit. With no risk of melting the chip, they pushed it to 500GHz.

By contrast, the latest commercial dual-core server chips from Intel and Advanced Micro Devices run at speeds between 2.5GHz to 3.5GHz.

The researchers now plan to return to their lab and find a way to push the chip even faster. IBM’s computer simulations show that their chip could reach speeds of 1,000GHz, known as 1 Terahertz.

http://www.macworld.com/news/2006/06/20/500ghz/index.php

How to secure windows 2000 server

2006-06-16T15:12:00.000+08:00

Windows 2000 Security Checklist

Basic Security Considerations

Provide Physical Security for the machine

Most security breaches in corporate environments occur from the inside. Culprits can be well meaning "power users" who configure their co-workers PCs, to disgruntled employees, or they can be full blown corporate spies that are working at your company. It may not be practical to physically secure every workstation in your environment, but your servers need to be in a locked room with monitored access. Consider placing surveillance cameras in your server rooms and keeping the tapes for 30 days. For desktops, install a lock on the CPU case, keep it locked, and store the key safely away from the computer at a secure location. (i.e. a locked cabinet in the server room)

Disable the Guest Account

Windows 2000 finally disables the guest account by default, but if you didn't build the image yourself, always double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7.

Limit the number of unnecessary accounts

Eliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc., Use group policies to assign permissions as needed, and audit your accounts regularly. These generic accounts are famous for having weak passwords (and lots of access) and are at the top of every hacker's list of accounts to crack first. This can be a big problem at larger companies with understaffed IT departments. An audit at a Fortune 10 company I worked for revealed that 3,000 of their 15,000 active user accounts were assigned to employees who no longer worked for the company. To make matters worse, we were able to crack the passwords on more than half of those inactive accounts.

Create 2 accounts for Administrators

I know this goes against the previous caveat, but this is the exception to the rule. Create one regular user account for your Administrators for reading mail and other common tasks, and a separate account (with a more aggressive password policy) for tasks requiring administrator privileges. Have your Administrators use the "Run As" command available with Windows 2000 to enable the access they need. This prevents malicious code from spreading through your network with admin privileges.

Rename the Administrator Account

Many hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them. Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherit or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word 'Admin" in its name. Pick something that won't sound like it has rights to anything.

Consider creating a dummy Administrator account

Another strategy is to create a local account named "Administrator", then giving that account no privileges and impossible to guess +10 digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrative account, enabled auditing so you'll know when it is being tampered with.

Replace the "Everyone" Group with "Authenticated Users" on file shares

"Everyone" in the context of Windows 2000 security, means anyone who gains access to your network can access the data. Never assign the "Everyone" Group to have access to a file share on your network, use "Authenticated Users" instead. This is especially important for printers, who have the "Everyone" Group assigned by default.

Password Security

A good password policy is essential to your network security, but is often overlooked. In large organizations there is a huge temptation for lazy administrators to create all local Administrator accounts (or worse, a common domain level administrator account) that uses a variation of the company name, computer name, or advertising tag line. i.e. %companyname%#1, win2k%companyname%, etc. Even worse are new user accounts with simple passwords such as "welcome", "letmein", "new2you", that aren't required to changed the password after the first logon. Use complex passwords that are changed at least every 60 -90 days. Passwords should contain at least eight characters, and preferably nine (recent security information reports that many cracking programs are using the eight character standard as a starting point). Also, each password must follow the standards set for strong passwords .

Password protect the screensaver

Once again this is a basic security step that is often circumvented by users. Make sure all of your workstations and servers have this feature enabled to prevent an internal threat from taking advantage of an unlocked console. For best results, choose the blank screensaver or logon screensaver. Avoid the OpenGL and graphic intensive program that eat CPU cycles and memory. Make sure the wait setting is appropriate for your business. If you can get your users in the habit of manually locking their workstations when they walk away from their desks, you can probably get away with an idle time of 15 minutes or more. You can keep users from changing this setting via Group Policy.

Use NTFS on all partitions

FAT and FAT32 File systems don't support file level security and give hackers a big wide open door to your system. Make sure all of your system partitions are formatted using NTFS.
Always run Anti-Virus softwareAgain, this is something that is considered a basic tenet of security, but you would be surprised at how many companies don't run Anti-Virus software, or run it but don't update it. Today's AV software does more than just check for known viruses, many scan for other types of malicious code as well.

Secure your Backup tapes

It's amazing how many organizations implement excellent platform security, and then don't encrypt and/or lock up their backup tapes containing the same data. It's also a good idea to keep your Emergency Repair Disks locked up and stored away from your servers.

Mid Level Security Measures

Use the Security Configuration Toolset included with Windows 2000 to configure policies.

Microsoft provides a Security Configuration Toolset which provides plug in templates for the MMC that allow you to easily configure your policies based on the level of security you require. The template includes a long list of configurable options (many of which appear on this checklist) and also includes a useful security analysis tool. For more information, download the documentation here. If your workstation is not part of a domain, you can still enable policies by using the Poledit.exe file from the Windows 2000 Server CD-ROM. For more information, check out Microsoft Knowledge Base Article: 269799 - How to Secure Windows 2000 Professional in a Non-Domain Environment.

Don't allow unmonitored modems in your environment

One of the easiest hacks in the world is finding a company's phone number prefix and suffix range and wardialing for a modem that picks up. After weeding through the fax machines, you can either look for an unsecured workstation with RAS enabled, or one with Symantec's PC Anywhere loaded on it. If either one is configured incorrectly, you can easily gain access to the local machine and work up from there. If you have a digital phone system, get a list of every analog line that comes into your workplace and find out where it goes! Every PC hooked to a modem is a security risk. Make sure they're configured correctly and audited regularly.

Shut down unnecessary services

Unnecessary services take up system resources and can open holes into your operating system. IIS, RAS, and Terminal Services have security and configuration issues of their own, and should be implemented carefully if required. There are also several malicious programs that can run quietly as services without anyone knowing. You should be aware of all the services that all run on your servers and audit them periodically. The default services allowed in a Windows NT 4.0 C2 certified installation are:

Computer Browser
Microsoft DNS Server
Netlogon
NTLM SSP
RPC Locator
RPC Service
TCP/IP NetBIOS Helper
Spooler
Server
WINS
Workstation
Event Log

Windows 2000 has not been submitted for C2 certification by Microsoft, so an updated list of services is not available. What services are deemed unnecessary may vary based on the function of your server and/or workstations. Please test your specific configuration in a lab environment before enabling it in your production network. A list of services available in Windows 2000 Server (as well as their default settings) can be found here

Shut down unnecessary ports

This is a judgment call based on your needs and risks. Workstations aren't normally at risk behind a firewall, but never assume your servers are safe! A hackers first attempt at rattling the doors and windows usually involves using a port scanner. You can find out a list of open ports on your local system by opening the file located at %systemroot%\drivers\etc\services. You can configure your ports via the TCP/IP Security console located in the TCP/IP properties (Control Panel > Network and Dial Up Connections > Local Area Connection > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering) To allow only TCP and ICMP connections, configure the UDP and IP Protocol check boxes to "Permit Only" and leave the fields blank. A list of default ports for Windows 2000 Domain Controllers can be found here

Enable Auditing

The most basic form of Intrusion Detection for Windows 2000 is to enable auditing. This will alert you to changes in account policies, attempted password hacks, unauthorized file access, etc., Most users are unaware of the types of doors they have unknowingly left open on their local workstation, and these risks are often discovered only after a serious security breach has occurred. At the very minimum, consider auditing the following events:

Event >> Level of Auditing
Account logon events >> Success, failure
Account management >> Success, failure
Logon events >> Success, failure
Object access >> Success
Policy change >> Success, failure
Privilege use >> Success, failure
System events >> Success, failure

Set permissions on the security event log

The event log files are not protected by default, so permissions should be set on the event log files to allow access to Administrator and System accounts only.

Store all sensitive documents on file servers

Although most new workstations come with some very large drives, you should consider storing all of a users data (documents, spreadsheets, project files, etc.,) on a secured server, where the data is backed up regularly. Modify the parameters for the "My Documents" folder to always point to the users network share on a secured server. For laptop users, enable the "Make available offline" capabilities to synchronize the folder's content.

Prevent the last logged-in user name from being displayed

When you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled using the security templates provided on the installation CD, or via Group Policy snap in. For more information, see Microsoft KB Article Q310125

Check Microsoft's web site for the latest hotfixes

Nobody writes 30 million lines of code and is going to have it perfect the first time, so updating service packs and hotfixes can go a long way to plug security holes. The problem is that hotfixes and service packs aren't regression-tested as thoroughly as service packs and can come with bugs of their own. You should always test them on a comparable, non production system before deploying them. Check Microsoft's TechNet Security Page frequently for the latest hotfixes and decide which ones you need to roll out. Tip: Our home page at LabMice.net always features
Microsoft's latest hotfix to save you time.

Advanced Security Settings

Set a power on password

This should be mandatory for all laptop users, but is rarely done in most environments for servers and workstations because it doesn't allow you to remotely log on and reboot a machine to the point that the Operating System will restart. Keep in mind that an intruder who can physically open your computer's central processing unit (CPU) can adjust hardware switches to disable the power-on password, and could also temporarily install a drive and boot another OS, bypassing all of your security settings. If this is a concern for your company, consider locking the case (if the model permits it) or using removable hard drives that are locked up every night.
Disable DirectDrawThis prevents direct access to video hardware and memory which is required to meet the basic C2 security standards. Disabling DirectDraw may impact some programs that require DirectX (games), but most business applications should be unaffected. To disable it edit the Registry HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI and set the value for Timeout (REG_DWORD) to 0
Disable the default sharesWindows NT and Windows 2000 open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways. One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted. The other way is via the Registry by editing HKeyLocal Machine\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers edit AutoShareServer with a REG_DWORD Value of 0. For Workstations, the edit AutoShareWks. Keep in mind that disabling these shares provide an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:
Share
Path and Function
C$ D$ E$
Root of each partition. For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders
ADMIN$
%SYSTEMROOT% This share is used by the system during remote administration of a computer. The path of this resource is always the path to the Windows 2000 system root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
FAX$
On Windows 2000 server, this used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
IPC$
Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources
NetLogon
This share is used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests.
PRINT$
%SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.
Disable Dump File CreationA dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to the Control Panel > System Properties > Advanced > Startup and Recovery and change the options for 'Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved but be sure to disable it again later and delete any stored dump files.
Enable EFS (Encrypting File System)Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will be encrypted. For more information check out our EFS Resource Center
Encrypt the Temp FolderApplications use the temp folder to store copies of files while they are being updated or modified, but they don't always clean the folder when you close the program. Encrypting the temp folder provides an extra layer of security for your files.
Lock down the RegistryIn Windows 2000, only Administrators and Backup Operators have default network access to the registry, however you may wish to tighten this down even further. To restrict network access to the registry, follow the steps listed in TechNet Article Q153183
Clear the Paging File at shutdownThe Pagefile is the temporary swap file Windows NT/2000 uses to manage memory and improve performance. However, some 3rd party programs may store store unencrypted passwords in memory, and there may be other sensitive data cache as well. You can clear the pagefile at shutdown by editing the Registry Key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and changing the data value of the ClearPageFileAtShutdown value to 1
Disable the ability to boot from a floppy or CD ROM on physically unsecured systems.There are a number of 3rd party utilities that pose a security risk if used via a boot disk (including resetting the local administrator password.) If your security needs are more extreme, consider removing the floppy and CD drives entirely. As an alternative, store the CPU in a locked external case that still provides adequate ventilation.
Disable AutoRun for CD-ROM drives on physically unsecured systems.One of the easiest ways for a hacker with physical access to a company's PC's to distribute malicious code is via the CD-ROM. By creating a custom CD with a payload set to launch from the autorun feature in any machine, a hacker can affect any number of unlocked systems without ever leaving a fingerprint or touching a keyboard. Or he/she can simply leave a few of these lying around the office marked "MP3's", or "Payroll Data" and wait for an unsuspecting user to simply pick it up and insert it into their machine. You can disable this function by editing the Registry and changing the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services Cdrom subkey and set the AutoRun value to 0
Remove the OS/2 and POSIX SubsystemsIf you are not using these subsystems (and people rarely do), removing them may improve performance and also closes a potential security risk.To remove the OS/2 and POSIX subsystems:1. Delete the \winnt\system32\os2 directory and all of its subdirectories.2. Use the Registry Editor to remove the following registry entries:
Key:
HKEY_LOCAL_MACHINE\SOFTWARE
Subkey:
Microsoft\OS/2 Subsystem for NT
Entry:
delete all subkeys
Key:
HKEY_LOCAL_MACHINE\SYSTEM
Subkey:
CurrentControlSet\Control\Session Manager\Environment
Entry:
Os2LibPath
Value:
delete entry
Key:
HKEY_LOCAL_MACHINE\SYSTEM
Subkey:
CurrentControlSet\Control\Session Manager\SubSystems
Entry:
Optional
Values:
delete entry
Key:
HKEY_LOCAL_MACHINE\SYSTEM
Subkey:
CurrentControlSet\Control\Session Manager\SubSystems
Entry:
delete entries for OS2 and POSIX

The changes take effect the next time the computer is started. You might want to update the emergency repair disk to reflect these changes.
Consider using SmartCard or Biometric devices instead of passwords.The more stringent your password policy is, the more likely your users will begin keeping paper password lists in their desk drawers, or taped to the bottom of their keyboard. Windows 2000 supports these devices, so consider the costs vs. risks of your most sensitive data.
Consider implementing IPSecBasically, IPSec provides encryption for network sessions using the Internet Protocol (IP) and promises to offer transparent and automatic encryption of network connections. For more information, click here

'Spy' revealed in Microsoft security tool

2006-06-11T20:31:00.000+08:00

Microsoft has acknowledged that it needs to better inform users that its tool for determining whether a computer is running a pirated copy of Windows also quietly checks in daily with the software maker.

The company said the undisclosed daily check is a safety measure designed to allow the tool, called Windows Genuine Advantage, to quickly shut down in case of a malfunction.

For example, if the company suddenly started seeing a rash of reports that Windows copies were pirated, it might want to shut down the program to make sure it wasn't delivering false results.

"It's kind of a safety switch," said David Lazar, who directs the Windows Genuine Advantage program.

Lazar said the company added the safety measure because the piracy check, despite widespread distribution, is still a pilot program. He said the company was worried that it might have an unforeseen emergency that would require the program to terminate quickly.

But he acknowledged that Microsoft should have given users more information about the daily interactions.

"We're looking at ways to communicate that in a more forward manner," he said.

Lazar also said the company plans to tweak the program soon so that it will only check in with Microsoft every two weeks, rather than daily.

The tool, part of the company's bid to thwart widespread piracy, is being distributed gradually to people who have signed up to receive Windows security updates. The company expects to have offered it to all users worldwide by the end of the year.

Lazar said that so far, about 60 per cent of users who were offered the piracy check decided to install it. Once installed, the program checks to make sure the version of Windows a user is running is legitimate, and gathers information such as the computer's manufacturer and the language and locale it is set for.

That information-gathering is disclosed in a licensing agreement. But the agreement does not make clear that the program also is designed to "call home" to Microsoft's servers, to make sure that it should keep running.

At least every 90 days, the tool also checks again to see if the copy of Windows is legitimate. Lazar said that's because the company sometimes discovers that a copy of Windows that it thought was legitimate is actually pirated.

When Microsoft believes a copy of Windows is pirated, the user begins to get a series of reminders that the copy isn't genuine. Such users also are barred from downloading noncritical updates, such as the new version of its Internet Explorer browser. But anyone who has signed up to automatically receive security updates, which repair flaws to prevent Internet attacks, will still get those fixes.

Lauren Weinstein, who is co-founder of People for Internet Responsibility and was one of the first people to notice the daily communications to Microsoft, said he understands and sympathises with Microsoft's desire to control piracy. But he said it's problematic that Microsoft did not disclose all the program's communications with the company.

Weinstein said he also was surprised that Microsoft decided to release so widely a tool that it says is in a "pilot" mode and might need to be suddenly shut down.

"Really what you're talking about is someone saying, 'Look we've put something on your computer and it might go screwy, so we're going to kind of check in every day,'" he said.

http://www.smh.com.au/news/

Fujitsu spins 1.8 inch monster

2006-06-06T23:35:00.000+08:00

Fujitsu will launch its first 1.8-inch hard-disk drive in the middle of next year, a company engineer said at the Computex trade show Tuesday.

The Japanese company already makes 3.5-inch drives for desktop computers and servers and 2.5-inch drives for laptops and is getting into the market for smaller drives because it anticipates strong growth over the next few years.

In January Fujitsu said that it expected worldwide demand for 2.5-inch mobile PC drives to rise from 81 million in 2005 to 210 million units in 2010, and for 1.8-inch drives to rise from 16 million units to 90 million units over the same period.

The sector is expected to see strong growth because 1.8-inch drives are small enough to be used in portable consumer electronic devices. Notable uses of such drives at present include Apple's iPod music players.

Fujitsu's first drive will likely be launched in June or July 2007, said Kenji Nakajima, a senior marketing engineer with Fujitsu's hard-disk business division. The drive will have a capacity of around 60G bytes per platter and a prototype will be available to customers in the April to June period, he said.

That's right in line with the April to September launch date Fujitsu predicted earlier this year when it disclosed its 1.8-inch drive development.

Fujitsu already has a prototype 1.8-inch drive, which Nakajima carefully removed from a box in his pocket to show a reporter. The prototype has a 30G byte capacity and uses a controller chip from a 2.5-inch drive. Development of a smaller chip for the new drive is one of the tasks still in front of the engineering team.

The prototype shown Tuesday has a parallel ATA interface but Fujitsu's first two commercial drives will come with Serial ATA and CE-ATA, the latter for the consumer electronics industry.

Australia's meteoric rise from Gondwana

2006-06-04T18:02:00.000+08:00

A METEOR believed to have caused the biggest mass extinction in Earth's history, long before dinosaurs roamed the planet, may have also spawned the Australian continent, US scientists have revealed.

A geological team from Ohio State University, which collaborated with NASA, said it was likely the impact of the meteor about 250 million years ago jump-started the break-up of the Gondwana supercontinent that led to the creation of modern Australia.

Australia separated from Gondwana about 100 million years ago and began drifting northward, pushed away by the expansion of a rift valley into the eastern Indian Ocean.

"Its size and location — (of the impact) in the Wilkes Land region of East Antarctica, south of Australia — suggest that it could have begun the break-up of Gondwana supercontinent by creating the tectonic rift that pushed Australia northward," the team's leader Ralph von Frese said in a statement.

"The rift cuts directly through the crater, so the impact may have helped the rift to form."

The crater, which is about 483 kilometres wide and hidden more than 1.6 kilometres beneath the East Antarctic ice sheet, is twice the size of the Chicxulub crater in Mexico's Yucatan peninsula that marks the impact that scientists say may have ultimately killed the dinosaurs 65 million years ago.

"The Wilkes Land impact is much bigger than the impact that killed the dinosaurs, and probably would have caused catastrophic damage at the time," Professor von Frese said.

The scientists presented their preliminary findings at a recent American Geophysical Union Joint Assembly meeting. They used gravity fluctuations measured by NASA's satellites to peer beneath Antarctica's icy surface, finding a 321-kilometre-wide plug of mantle material — a mass concentration, or "mascon" in geological parlance — that had risen up into the Earth's crust.

Mascons are the planetary equivalent of a bump on the head. They form where large objects slam into a planet's surface. Upon impact, the denser mantle layer bounces up into the overlying crust, which holds it in place beneath the crater.

When the scientists overlaid their gravity image with airborne radar images of the ground beneath the ice, they found the mascon perfectly centred inside a circular ridge some 483 kilometres wide — large enough to hold Tasmania.

Taken alone, the ridge structure wouldn't prove anything. But to Professor von Frese, the addition of the mascon means "impact".

http://www.theage.com.au/

3G Embedded Modems the Latest Craze in Wireless

2006-05-26T14:35:00.000+08:00

3G vendors started to develop these services before the advent of WiFi and widespread availability of broadband connections. Consequently, they envisioned a bevy of users who would need high speed data services. The market seems much smaller today.

At one time, users had to buy Ethernet adapters, install them in their desktop computers, and then upgrade them as they moved to a faster version of the networking option. Now when users buy a desktop system, it comes with an integrated adapter that supports a variety of transmission speeds. A similar transition is beginning with 3G wireless data services.
"Laptop vendors are interested in embedded 3G modems because it offers them the potential to differentiate their products and cellular carriers think it may encourage a few more users to rely on their services," noted Allen Nogee, a principal analyst with market research firm In-Stat/MDR.

Whether or not their hopes will become reality is uncertain. Prices for these devices are high, and currently, the modems lock customers into specific carriers' services, an unappealing option. Since cellular services have not been as functional as alternatives, such as broadband and WiFi , they have not garnered widespread acceptance.

To address the last problem, 3G carriers have been upgrading their networks, so they support faster transmission speeds. Many have made the transition from GPRS, which works at 115K bps, to EDGE, which operates 384K bps. On the docket are upgrades to HSDPA and UMTS (W-CDMA), which have the potential to support multi-M bps transmission rates.

Trying to Spur Sales
As speeds increase, cellular data services should become a more viable option for laptop users. Bundling the modems with the system is designed to make it entice enterprises to provide their users with 3G connectivity. "The uptick with cellular data services has not been as significant as carriers had hoped, so they have been looking for different ways to market their services," said Ken Dulaney, an industry analyst with market research firm Gartner . Bundling has been so successful with WiFi links that now almost all laptops come with an embedded WiFi modem.
Simpler management may be another benefit. Since employees are working with the same modem and same cellular carrier, corporate IT staff should have less trouble pinpointing problems.

In addition, the built-in WAN connections could lead to lower costs for the cards. "3G modem cards have been expensive, ranging in price from US$200 to $300," stated Jack Gold, president of consultancy J. Gold Associates. Users who often pay less than $1,000 for the laptop can find it difficult to justify such purchases. Theoretically, the integrated modems reduce the number of needed components, which cuts pricing, and should appeal to a wider range of users, thus driving up shipment volume.

Notebook Vendors Pick Partners
Consequently, there has been a lot of activity in this space. Lenovo has begun shipping its Z, T and X Series ThinkPads with Verizon Wireless data connections. Hewlett-Packard's (NYSE: HPQ) nc6140 Notebook PC also has a Verizon link, and in April, the computer company said it plans to develop an embedded modem for Cingular's cellular networks. Dell (Nasdaq: DELL) integrated Cingular Wireless UMTS/HSDPA and Verizon Wireless EV-DO mobile WAN connections into its Latitude notebooks.

While there has been plenty of activity among laptop vendors and cellular carriers, however, user interest does not seem as keen for a variety of reasons. One problem with the current cards is they are tied to specific vendors. Switching from one service to another now requires a hardware alternation. The upgrade would require that users turn their systems in for at least a brief period as the new equipment is installed.

External modems can simply be unplugged. Even sticking with the same carrier does not solve the problem: many are moving to higher speed networks, which require new cards. "Since most users plan to keep their laptops for two to three years, they would have to upgrade their computers a couple of times, so we are recommending that they avoid the internal cards at this time," J. Gold Associates' Gold told TechNewsWorld.

Vendors are working to make the upgrade process simpler. Embedded modems that work with a variety of networks and support a range of speeds are on the drawing board, but they probably won't arrive for a few years.

Short Lived Differentiation
Once the multifunctional internal modems are shipped, hardware vendors will no longer have a feature to differentiate their hardware from competitors' products. "I don't think the imbedded modems will lead to many additional sales for hardware vendors," In-Stat/MDR's Nogee told TechNewsWorld.

Also, cellular data services tend to be expensive, costing at least $50 per month. "If you think about it, how often would most users work with a cellular data service: maybe an hour or two when they are sitting at an airport," noted Gartner's Dulaney. "There are faster, less expensive options available to them, such as WiFi and broadband, if they really need to access to data.'"
3G vendors started to develop these services before the advent of WiFi and widespread availability of broadband connections. Consequently, they envisioned a bevy of users who would need high speed data services.

Securing the Niche
The market seems much smaller today. The embedded modems will likely appeal to highly mobile employees, those in sales, field service , real estate, or public safety. If the number of users is small, the promised savings from increases in shipment volumes may not materialize. so vendors remain caught in a chicken-and-egg scenario: prices are high because shipments are low and shipments are low because pricing is high.

Consequently, analysts expect only limited use of these new modem in the next few years. "Eventually, the embedded modems will become more common, but in the short term, there does not seem to be many compelling reasons to buy them," concluded In-Stat/MDR's Nogee.

http://www.technewsworld.com

Hi-tech bid for joggers to reboot

2006-05-26T14:30:00.001+08:00

THESE shoes are made for walking – and so much more.Sports giant Nike and computer titan Apple have joined forces to unveil a running shoe that tells runners the distance they've covered, their pace, time and how many calories they've burned.
But fitness fanatics and part-time plodders will have to wait until October for the Nike+iPod system.
They will also have to be prepared to fork out some big bucks, with the entire set-up expected to cost at least $370.
The system consists of a sensor kit, a special Nike shoe and an iPod nano.
The sensor is slipped into the shoe and measures a runner's activity, sending the information wirelessly to a receiver attached to the iPod.
The information can then be displayed on the iPod screen and audio progress reports given through the headphones at the touch of a button.
Runners can also call up a pre-programmed motivational song to give them a boost when their energy starts to flag.
"The result is like having a personal coach or training partner motivating you every step of your workout," Apple chief executive Steve Jobs said at the slick New York launch of the system yesterday.
After the workout, the iPod can be plugged into a home computer so the information can be downloaded and stored for performance comparisons.
A Nike spokeswoman in Australia said the first of the iPod compatible shoes, the Air Zoom Moire, was expected to reach our stores in October.
She said price had not been decided but the shoe was expected to retail for $100 in the US.
An iPod nano costs between $219 and $359, depending on memory space and the sensor kit, which is expected to be available from the Apple website within 60 days, costs $49.

http://www.heraldsun.news.com.au

2006-05-26T14:30:00.000+08:00

Hi-tech: Nike and Apple have joined forces to unveil a running shoe that tells runners the distance they've covered, their pace, time and how many calories they've burned.

Secrets of US spying revealed on Web site

2006-05-24T18:26:00.000+08:00

A technology news Web site has published documents that it said appear to have been filed under seal in a lawsuit accusing AT&T of taking part in a secret government program to track Americans' phone and Internet communications.

The site, Wired.com, said the documents included a statement by former AT&T technician Mark Klein claiming that the telecommunications company built a "secret room" at one of its buildings in San Francisco that he believes housed equipment that allowed the federal government to monitor Internet traffic flowing on its network.
The documents that Wired posted online also include eight pages of technical drawings and tables, most of which are marked "AT&T Proprietary" that Klein said describe how to "spy on fiber-optic circuits."

A former chief technologist at the Federal Communications Commission, Dale Hatfield, said the documents posted on the Wired site appeared to be authentic and to describe a way to monitor traffic on a high-speed fiber-optic circuit.

A class-action lawsuit filed this year by the nonprofit Electronic Frontier Foundation and others claims AT&T took part "in a secret and illegal government program to intercept and analyze vast quantities of Americans' telephone and Internet communications, surveillance done without the authorization of a court."

In court filings, AT&T has argued, without confirming or denying it carried out any of the activities alleged, that Congress and the courts have given blanket immunity to telephone firms that "respond to apparently lawful requests for national security assistance" from the government. The company has argued the lawsuit should be immediately dismissed.
The judge last week refused AT&T's request that certain documents filed under seal in the case be returned to the company, and he ordered the plaintiffs and their lawyers not to disclose those documents to anyone.

THE WASHINGTON POST

MacBook: What you need to know

2006-05-20T06:48:00.000+08:00

The inside scoop on Apple's low-cost Intel laptop

The release of the MacBook Pro was big news: It was Apple’s first laptop with two processing cores, the first to use Intel chips, and had the feature set and price tag professional users are accustomed to. The new MacBook, on the other hand, replaces both the iBook and the 12-inch PowerBook G4 in Apple’s product line. As you might expect from a product that replaces both a consumer and professional system, the MacBook is a fascinating hybrid of high-end features and cost-conscious engineering. Now that we’ve spent several days with these new laptops, here are some answers to several burning MacBook questions.

How does the MacBook fit into Apple’s portable lineup?

With the release of the MacBook, Apple has discontinued its last two PowerPC-based laptop models: the 12-inch PowerBook G4 and both sizes (12.1-inch and 14.1-inch) of iBook. The 12-inch PowerBook was in many ways a souped-up iBook with a metal skin, so merging the two products together wasn’t that much of a stretch.

So only one size for the MacBook?

Currently, yes. There’s no word on if Apple will ever consider making a larger-screened version of the MacBook. For now, if you want a screen larger than 13 inches diagonal in a Mac laptop, you’ll need to move up to the MacBook Pro.

The MacBook is quite a bit bigger than the 12-inch PowerBook. What if I want a truly tiny Apple laptop?

We can imagine a day when Apple will come out with an ultra-small subnotebook. In fact, we daydream about it on a regular basis. Historically, Apple has shown very little interest in designing very small laptops. But things change, and the transition to Intel has opened up a new world of possibilities in terms of what parts Apple can use to assemble its computers. So you never know.

Why did Apple raise the price of the entry-level laptop? I used to be able to buy one for under $1000.

It’s true that Apple no longer has a $999 laptop, a fact that some have lamented already, as much for the psychological aspect as any other. But if you ignore everything else, this is a consumer-level laptop with a dual-core processor—a feature that can probably justify the price increase all by itself.

Apple could have chosen to release a cheap, underpowered MacBook with an underpowered Intel Core Solo processor—the same approach it took with its Intel-based Mac mini models—but it didn’t go down that path. (Apple’s MacBook product manager told us that the company wanted to simplify its portable product line, and tossing in one model that ran a different chip would have complicated matters.) As a result, even the lowest-priced MacBook is a remarkably powerful system.

So there’s a black MacBook model—what’s it like?

If you’re an old Mac hand, you’ll find the black MacBook quite reminiscent of the “Wall Street” generation of G3 PowerBooks. Unlike the white MacBook (or previous iBooks), the black MacBook has a matte finish. After less than a day of use, the trackpad on the black model was smudged with fingerprints, although the rest of the case remained in pretty good shape.

Other than the color, is there anything special about the black model?

When you get beyond the sheer blackness, the only difference between it and the 2.0GHz white model is a slightly bigger hard drive (80GB versus 60GB)—and a $200 price increase.

Wait, the hard drive upgrade is a $50 option, so does that mean Apple is charging $150 just for the color?

You subtracted correctly. If price is your main concern, then the black model is not a good deal. But with the U2 Special Edition iPod, Apple proved that it could charge more for a tweaked design. And people were ready to storm the Cupertino campus and throw cash at Steve Jobs’ feet when Apple released the iPod mini, which cost nearly as much as a full-size iPod, but with only a fraction of the storage space. Of course, the iPod mini went on to become the most popular iPod model ever. Since it also replaces the 12-inch PowerBook, Apple says the MacBook’s new and different look will appeal to the more professional customer who prefers the MacBook’s small size. Clearly, Apple is banking on the fact that its customers are still willing to pay a premium for a different design.

I hear Apple is using a glossy screen on the MacBook—isn’t that a bad thing? Won’t I just see my reflection all the time?

If you’ve ever walked past a PC laptop (or your TV, for that matter) and noticed that its screen was incredibly reflective, you’ve seen the same type of screen that’s been incorporated in the MacBook. In the right conditions the glossy screen looks absolutely gorgeous; blacks are blacker, whites are whiter, and colors are more intense. However, the screen is also remarkably reflective when compared to Apple’s previous laptop displays. If you frequently work in glare-filled environments, the MacBook might not be for you. It’s safe to say that some people will love it, and others will hate it.

But I liked the old screen—why did Apple change it?

According to Apple, iBook customers have been asking for a glossy screens for about as long as they’ve been available for PC laptops—and that’s been quite some time. But Apple says that it’s only now that the glossy-screen technology has advanced enough so that the company was comfortable adding the feature to its laptops. Apple’s MacBook product manager told us that the two big improvements in the glossy screens were a reduction in reflection levels and the elimination of color-distortion problems. When you consider that the screen is also 79 percent brighter than the one on the iBooks and 12-inch PowerBook, this new screen type might end up pleasing a whole lot of people.

How is the MacBook’s keyboard not like other keyboards?

The MacBook features an entirely new keyboard style for Apple. The biggest change is with its look. Previous Apple laptops have featured keyboards with keys that are wide at the base, but narrower at the top. As a result, even though there are fairly large spaces between the square areas where your fingers contact the keys, there are only tiny gaps down at the base of the keys.

This new MacBook keyboard does away with that approach. The MacBook’s keys don’t get wider at their base. Instead, they’re short, perfectly square key caps—although you can still pop them off if you want to, Apple says it’ll be harder for kids to do so, which is a good news for schools.

Although the feel of the MacBook’s keyboard is hard to describe, it’s definitely different. However, it’s quite usable, and we adapted to the new keyboard almost immediately. It doesn’t feel cheap at all—just different.

I see the MacBook uses the same GMA 950 integrated graphics as the Mac mini—should I be worried?

This is a consumer laptop, and as a result Apple has made some technological sacrifices. One is the MacBook’s lack of a graphics chip with dedicated video RAM. It’s the same graphics as you’ll find in the Mac mini. For most tasks, you probably won’t notice the lack of a video card at all—but if you try to play a 3-D game, you’ll see the difference. And the MacBook’s Core Duo processor can overcome many of the limitations of its graphics system. For example, we played back numerous 1080p high-definition videos with nary a hiccup on both the 1.83GHz and 2.0GHz models. And don’t forget that the MacBook improves on the resolution of the models it replaces.

Why does Apple only sell MacBooks with RAM in pairs that use up both RAM slots? The MacBook Pro ships with one RAM module instead of two.

Like the other Intel-based Macs, the MacBook uses dual-channel memory. Although you can put RAM in just one slot, when installed in matched pairs, the RAM can achieve its maximum throughput. According to Apple, you probably wouldn’t notice much of a difference on the MacBook Pro, which has a discrete graphics card. But on the MacBook, which shares up to 80MB of its main memory with the onboard graphics system, the extra speed you pick up by interleaving two separate RAM modules is vital.

Sounds like the 512MB of include RAM isn’t enough—should I custom-order a MacBook with more RAM?

We wouldn’t use a Mac with 512MB of RAM, so take that as a strong recommendation to upgrade. Apple usually charges a lot more for RAM than you can buy it for by searching a site such as Ramseeker. In the case of the upgrade to 1GB, however, Apple’s prices are pretty much in line with the industry. If that’s all you need, it’s probably best to let Apple do it. But if you want a MacBook stocked with 2GB of RAM, you could save as much as $300 by ordering your system with the stock 512MB, pulling those RAM modules out, and replacing it with modules you bought elsewhere.

How difficult is it to upgrade the RAM myself?

Not very hard at all. If you’re comfortable with a screwdriver and pushing and pulling RAM modules with a little force, you shouldn’t have any trouble. Just flip over the MacBook, remove the battery, unscrew the three screws holding the L-shaped aluminum strip in place, and you have access to the two RAM slots. Push the levers to pop out the modules, and put new modules in their places. (Want to see it in action? Check out our video.)

How about the hard drive?

The hard drive’s just about as easy. Once you’ve removed the same L-shaped aluminum strip that you need to remove to access the RAM, you’ve also exposed the front of the hard drive, tucked away on the left side of the battery bay. Just untuck out the white plastic tab that’s looped under the drive and then use it to slide the drive out into the bay. You can then unscrew the special metal drive enclosure, remove the drive, and attach the enclosure to a different Serial ATA laptop drive. (Our video covers this process too.)

What other goodies are inside the MacBook?

All models include a built-in iSight video camera, Front Row software with an Apple Remote, a MagSafe Power Adapter, AirPort Extreme and Bluetooth 2.0 wireless networking, Gigabit Ethernet, and analog and digital audio input and output.

Speaking of wireless networking, I’ve heard the MacBook has greater AirPort range than previous Apple laptops, and also sees more networks?

In our testing, both of those have been true. We’ve been able to stretch an AirPort Base Station signal a bit farther, and have noticed more networks popping up when clicking on the AirPort icon in the menu bar. Apple says the MacBook’s antennae (there are two, both located by the MacBook’s display: one placed horizontally on the left side and another placed vertically on the right) were designed specifically for the MacBook, and it definitely appeared to have better reception than older models. Although Apple officially supports connections only to 802.11b and 802.11g networks, the MacBook can actually connect to 802.11a networks, too.

I probably sound like a broken record, but there’s no modem, right?

Correct. As with all other Intel-based Macs, Apple has dropped the internal modem, and offers a $49 external USB version for those who need one.

What if I want to attach the MacBook to an external monitor?

You can do it, but you’ll need to buy one (or both) of two $19 video adapters. The MacBook’s video-out port is the same mini-DVI port found on the old 12-inch PowerBook G4. Apple sells a mini DVI-to-DVI adapter, as well as a mini DVI-to-VGA adapter. You’ll need one of those to hook it up to the external monitor of your choice (up to 1,920-by-1,200 pixels).

Won’t hooking the MacBook up to an external monitor just display the same thing that I’m seeing on my MacBook screen?

No. Although the MacBook can do video mirroring (where both monitors display the same thing), it also supports desktop extension—in other words, it can drive two monitors at once, no problem. You can even boot the MacBook with its lid closed, attached to an external monitor, if you want. Although the 12-inch PowerBook has the same capabilities, this is all new ground for iBook users.

I already own a MacBook Pro—can I use the power supply that came with it on a MacBook?

If you hold the two power supplies side by side, you’ll notice that the MacBook Pro’s is larger. That’s because the MacBook Pro uses an 85-watt power supply, while the MacBook uses a 60-watt power supply. Apple says you can use the more powerful, 85-watt power supply with a MacBook without any problems, and that in 80 percent to 90 percent of situations, you can use the MacBook’s power supply with the more-demanding MacBook Pro as well. If you’re really taxing the MacBook Pro’s processor with some heavy-duty work, the MacBook’s adapter will still be able to power the MacBook Pro—but it may not have any power left over to charge its battery.

Speaking of batteries, what’s the battery life like on the MacBook?

We haven’t had a chance to let it run dry yet, but Apple told us that the battery life is close to that of the iBook. Apple claims that in light use, the MacBook can run up to six hours on one charge. With more normal use, you could expect between three and three-and-three-quarters hours.

courtesy of: macworld.com

Apple Mac back in black!

2006-05-16T22:37:00.000+08:00

Apple officially ditches iBook in favour of a slinky new MacBook, that’s also available in panther black. Grrr…

Now you can colour coordinate your black video iPod or nano with your notebook. Which is the most important thing, of course... [more images]

Slap yer thighs and yell “come ’ere boy!” because Apple has just launched the MacBook. Replacing the trusty iBook, MacBook swaggers onto the notebook scene packing a 13-inch widescreen, Intel Core Duo chip, iSight webcam, Wi-Fi and the all important new MagSafe power cable as standard.

But if like us you’ve fallen for the black version, this sultry shade is only available if you go for the ultimate model which comes with a 2.0GHz Intel Core Duo, 80GB hard drive and SuperDrive for DVD burning. Bit cheeky, nonetheless we’re there with bells on. This version will set you back a modest £1,029. Whereas if you go for the white entry-level beauty with its 1.83GHz Intel Core Duo chip, 60GB HDD and standard CD Combo drive you’ll only have to shell out £749. A genuine grade-A steal, bargain hunters.

We’ll be bringing you the first hands-on verdict tomorrow, so be sure to check back.

Xbox 360: Feel the Power

2006-05-16T00:11:00.000+08:00

We all know that Xbox 360™ blows the doors off today's consoles in the power department. But just how much power does Xbox 360 have, and why do developers and gamers agree that it's the system to beat? Glad you asked!

By now you've already heard how Xbox 360 puts you at the center of the most powerful games on the planet—hence the "360," as in 360 degrees (geometry students will recognize that as the number of degrees in a circle). To accomplish this feat, Microsoft® has brought together a full circle of powerful factors.

Behold your future—Xbox 360 has the power!

Processing Powerhouse

The custom-designed Xbox 360 central processing unit (CPU) runs at a breakneck speed, thanks to its three separate core processors that clock in at 3.2 GHz each.

Xbox 360 boasts a custom ATI graphics processor that clocks in at a blistering 500 MHz. If you want to get even more technical (and who doesn't?) Xbox 360 can take advantage of more than four times as many polygons as the original Xbox® console, and more than four times (seeing a pattern here?) the number of pixels per second.

"Xbox 360 is the best. So we should

wait with a great anticipation."

—Ninja Gaiden creator Tomonuba Itagaki

The 512 MB of RAM in Xbox 360 is eight times more powerful than the original Xbox, in terms of simple arithmetic. The system RAM gives developers a unified memory architecture. Game creators decide how to partition it, and all of the hardware components (like the CPU and GPU) can access the memory.

The HD Era

High definition is upon us, and Xbox 360 is ready. Games are required to be authored for 720p and 1080i, and all games are optimized for the 16:9 widescreen viewing ratio. That doesn't mean you have to have an HDTV to play Xbox 360 games. Xbox 360 games always look good, but they look spectacular on your high-definition display.

Hard Drive

The elegantly styled hard drive is physically very small and detachable, but it still boasts a whopping 20 GB of space. The sheer amount of downloadable content that fits on such a hard drive is staggering, and now you can rip more music onto your hard drive and play your own tunes as a soundtrack in any Xbox 360 game.

Smart Power

Xbox 360 utilizes 48 parallel shader pipelines in the GPU that developers can optimize to get the performance they want.. A huge battlefield in Kameo™: Elements of Power™ and a shadow-laden firefight in Perfect Dark Zero™ look completely different and show the diverse ways just one developer, Rare®, took advantage of the GPU's flexibility.

"You know if you have a 360 it will look

as good as it can possibly look."

—Pete Hines from developer Bethesda

Developers tell the smart Xbox 360 which graphics engines to use to make visuals as sharp as they can be. The console depicts the vastness of a space fleet engaged in a battle hundreds of miles across or a single human face with equal aplomb.

More than Games

Xbox 360 is first and foremost a gaming machine, and the number of amazing launch games and the intense focus on the gamer's experience cannot be denied. But Xbox 360 is also the center of your digital entertainment world. Not only will it play DVDs, but the system supports CDs, DVD-ROMs, DVD-R/RW, MP3s, JPEGs, and more.

Xbox 360 Online

Xbox Live®, the premier console online gaming service with more than two million members, is getting even better, with a huge new center of online commerce called Xbox Live Marketplace, and best of all, Xbox 360 is always online with your high-speed Internet connection.

"It's the best development environment

I've seen on a console."

—id Software's John Carmack

Xbox Live Silver, available to anyone with an Xbox 360 or Xbox 360 Core System console, a hard drive or a memory unit, and a broadband connection, provides many free features, including messaging and downloads. The second level of service—Xbox Live Gold, with the option to play multiplayer games online—costs the same as your original Xbox Live subscription.

USB? U Bet!
Xbox 360 boasts three multi-purpose USB ports (two in front, one in back), so there is almost no end to the various accessories and other pieces of hardware that will connect to the console and interact with it. The keyword here is versatility.

You can connect and stream media from a wide range of portable music players and digital cameras, or stream your digital music, photos, and more from your connected PC with Microsoft Windows XP or Windows XP Media Center 2005 Edition. For more information go to www.xbox.com/media.

No More Wires

Wireless integration is one of the most important aspects of Xbox 360. Right out of the box, the lightweight wireless controller—in fact, up to four lightweight wireless controllers—connect instantly to the console with no other peripherals needed.

Thanks to a cycling signal that avoids other wireless hardware in your house (such as telephones), there is never any delay between your thumb and the game.

The dedication to versatility even carries over to recharging your controller—with the Play & Charge Kit, you not only have a rechargeable controller battery, but a charge cable that actually recharges your battery pack while you're playing, or while Xbox 360 is in standby mode.

The wireless Xbox 360 controller is actually lighter than the wired Xbox Controller-S. Carry the wireless experience over to Xbox Live by plugging in the pocket-sized Wireless Networking Adapter.

Gamers First

Lest there be any doubt, one of the sharpest aspects of Xbox 360 power is somewhat unquantifiable—and that is the slate of fantastic games you play on the system and the way the inner workings of the console are all dedicated to making Xbox 360 the ultimate gaming experience. In addition to eagerly anticipated Microsoft titles like Kameo: Elements of Power, Project Gotham Racing® 3, and Perfect Dark Zero, you can also anticipate the exclusive QUAKE™ 4, The Elder Scrolls IV: Oblivion™, and Call of Duty® 2, to name a few—and that's just the beginning.

Xbox 360 with the hard drive is backward-compatible for an array of original Xbox titles too, which means both original and Xbox 360 gamers will be able to play in the same matches online with Xbox Live.

The Competition? Meh.

Don't want to take our word for it? Check out the GameSpot.com "Tech Head-to-Head" article published during E3, where they said, "The real power of the 360 is in its networking ability. We can't forget that Bill Gates's new system can also reach across the network to access media from local, Windows-based PCs."

Then there's Major Nelson, who did a nifty comparison (with charts and everything) where he concludes, "When you break down the numbers, Xbox 360 has provably more performance than PS3."

What the Developers Say

Who could be better judges of hardware than the game developers themselves?

"It's a wonderful machine to work with. I never lied about my impression of the hardware. It's definitely software-friendly hardware. From a developer's perspective, it's exactly the kind of hardware you want to work with."

—Tomonobu Itagaki, leader of Team Ninja and creator of Ninja Gaiden® and the Dead or Alive® series, quoted at E3 2005.

"It's the best development environment I've seen on a console."

—id Software's John Carmack on Xbox 360, quoted at QuakeCon 2005 (reported on GameSpy).

"The advantage of the Xbox 360 is that it's designed to run our game, period. You know if you have a 360 it will look as good as it can possibly look."

—Pete Hines from developer Bethesda, quoted on 1up.com.

"I can't speak much for Sony right now—yeah, we're working on stuff for the PS3 but honestly I'm so busy with Gears [of War] that it's all I'm seeing and I can tell you—Microsoft is giving you a hell of a system. This thing is a BEAST and is capable of MUCH GREATNESS."

—Cliff "Cliffy B" Bleszinski, creator of the Xbox 360 shooter Gears of War™, on his 1up.com blog.

That Indefinable Quality

Talk about numbers all day—and without a doubt, the numbers on Xbox 360 show how powerful the new console is. But beyond simple numbers, there's the power of having one system that serves as the center of your entertainment lifestyle.

Xbox 360 isn't just about swinging its stats around like a club, it's about bringing you into the club. The Media Center Extender, wireless adaptability, an endless variety of USB-compatible hardware, and of course the greatest games in the world make the power of Xbox 360 crystal clear.

Welcome to the next generation of gaming with Xbox 360.

Windows Media Player 11

2006-05-15T22:33:00.000+08:00

Apple has been amazingly successful at winning over PC users and infiltrating their machines via iTunes, but with Windows Media Player 11 (WMP 11), Microsoft says "No more."

The new release, launched today as a beta download, beats Apple iTunes in many aspects. It acts as a repository and player for all your music, video, and images, unlike Apple's popular player. And while WMP 11 doesn't integrate with the iTunes Music Store, it also doesn't lock you in to one purchasing source. In fact, it integrates numerous stores including Napster, audible.com, Movielink, and MTV's new Urge service.

This release represents a major departure from the feel and navigation styles of WMP 10 and iTunes. With many other media players, you scroll through a list of files; WMP 11 lets you browse your library by cover. Some other players, like Yahoo! Music include the capability, but none do it as well. Bringing art to navigation makes the process much more appealing visually—your music collection no longer looks like a spreadsheet.

You'll also find the Word Wheel search technology Microsoft has implemented with Vista. Its speed is stunning—start to enter the first few letters of a track, album, or artist into the search bar, and the appropriate music will be waiting for you before you stop typing. Although iTunes has the same basic feature, seeing album art pop up is much more compelling than getting a list of tracks.—Continue reading

All Together Now

Navigation is also more unified than with iTunes, which still hasn't found a smooth way to integrate video files and podcasts into a general media library. With the Apple player, you use entirely different interfaces for the different media types. In WMP 11, though, the interface looks the same for all content types in all locations, so you browse, search, add, and delete photos no differently than music or videos. Searching for and editing content on portable devices works the same way as well. Windows Media Player 10 has a poorly integrated navigation system, so I'm pleased to see such a consistent one now.

During setup, the new media player searches your entire PC for compatible files and adds them to your library. If you're like me, though, you've got all kinds of cruddy audio files on your drive, and as happened with me, they'll end up in your library. I cleared out the whole list and started over, but on the second try, I specified the folders to be searched. The process wasn't as intuitive as iTunes' Add Folder command but was easy enough.

Once the player has built your library, the default view divides your music by album, with the artwork and artist info on the left, followed by track information. I love being able to browse by artwork, but in these days of Bit Torrents, indie music, and downloaded singles, large chunks of your collection will probably be missing such images. No worries: Half of my collection had no art, but when I started WMP the next day, Presto! It was magically there. Of course, if you don't want to browse by artwork, you can always use a simple List view.

In a few instances, WMP didn't find album art or had incomplete ID3 info, forcing me to search the database myself—a bit cumbersome, as I had to associate tracks to the album one by one. But as I did so, the software kept updating metadata, so most albums worked themselves out on their own. I was surprised by the depth of the ID3 catalog, supplied by All Music Guide. An album by my own band, Mere, automatically retrieved album art and ID3 info, despite having sold only 3,000 copies or so.

There was a hubbub a few months ago concerning privacy with the iTunes Mini Store because it phones home to transmit info about your listening (as do several of the popular players). For those with such concerns, the WMP 11 setup asks you if you'd like to disable the auto-connect capabilities, which are set on by default. At any time, you can turn off features that require connecting to the Internet.

The window layout is fairly straightforward. The familiar tree navigation, reminiscent of WMP 10 and iTunes, sits on the far left side and lets you select among views: Album, Artist, Song,, and others. Back and Forward buttons that look like those in Internet Explorer 7 reside at the top left and greatly simplify navigation.—Continue reading

Cheese and Other Features

The cheesy visualizations of the previous version remain—why, I don't know—and the equalizer is still just as hard to find. I was intrigued by the Display Lyrics and Captions option but wasn't able to get it to work, even when I chose ultra-poppy songs like The Beach Boys' "Surfin' USA," Michael Jackson's "Beat It," and Kelly Clarkson's "Since U Been Gone."

Windows Media Player 11 also includes easy-to-use ripping and burning features. You can compile and burn either audio or data CDs—you can even burn collections that span several discs. Very cool. I found the ripping options to be fairly extensive. You can rip to MP3, WAV, WMA (with several bit-rate options—full quality, variable bit rate, or up to 192 kbps). MP3 ripping maxes out at 320 kbps.

Syncing and loading portable players is much, much, much easier than with WMP 10, and is as smooth as what any of the other services, including iTunes, offer. Surprised? So was I. Getting music onto a portable player using the previous version was a truly awful experience, but this one lets you hook up your player, then simply drag files and drop them into the right-hand pane. As the media player scans your library, a meter lets you know how much room the device will have left when the files are copied onto it. When you get close to the limit, just hit sync to actually transfer the files.

The iTunes transfer feature has one advantage—it loads your device as you drag and drop, but that's the only way it's better. And there's a trade-off —WMP 11 lets you see what you're loading without switching views; iTunes doesn't. And with WMP 11's reverse sync you can easily get pictures or voice recordings off of your portable device and into your library. Still no iPod compatibility, though. If you've been holding your breath waiting for it, I'd exhale. It'll never happen.

As with music album covers, the folder view of photos shows the pictures in each folder in the form a virtual stack, with the top image visible. Clicking on a folder takes you inside. Clicking on an individual image blows it up to full size and starts a slide show of all the folder's images.

Microsoft still has some work to do before it launches Windows Media Player 11 for real. Metadata lookup could be faster, and the interface, while good, needs tweaking—for example, some of the buttons you use most often are too small. But this media player is a lot more fun to use than any other, and just as powerful. To check it out for yourself, go to http://www.microsoft.com/windowsmedia/player/11 (the link will be live on Wednesday, May 17th).

U.S. Dismisses Google Complaint, Says IE 7 Plays Fair

2006-05-15T22:32:00.000+08:00

Government regulators on Friday dismissed claims that Microsoft's newest browser, Internet Explorer 7, gives the Redmond, Wash. company's own search engine an unfair advantage, knocking aside objections that Google recently raised.

The Justice Department has evaluated the search box -- a new feature in IE 7 that lets users initiate searches -- and concluded it "respects users' choices" and "is easily changed," according to a status report released Friday by federal and state officials.

Earlier this month Google complained that IE 7, which will ship later this year for Windows XP and within Microsoft's new operating system, Windows Vista, in January 2007, wasn't letting users pick a default search engine when it was installed.

"We don't think it's right for Microsoft to just set the default to MSN on install," Marissa Mayer, vice president for search products and user experience at Google, said then.

Microsoft's counterattack charged that Google wanted the default spot, and last week chief executive Steve Ballmer dismissed Google's complaint as sour grapes.

The Justice Department report said that although IE 7 may default to MSN's search service in some cases, it concluded the feature didn't violate the terms of Microsoft's antitrust agreement with the federal and state governments.

"OEMs are allowed to set the default search engine when the machine is first sold to a user, and Internet Explorer 7 itself includes a relatively straightforward method for the user to select a different search engine from the initial system default," the report read.

The number of steps to change the default search engine in IE 7 and Firefox, the open-source browser supported by Google with advertising revenue, are in fact identical: five.

Google has also raised the issue with European Union's antitrust regulators, who remain locked in a long-running case about Windows XP that recently went to appeal. The EU's Competition Commission has said it is looking into concerns that Windows Vista might also violate antitrust laws when it's released in 2007.

In the U.S., however, the matter appears closed. "Plaintiffs have concluded their work on this matter," Friday's report said.

Apple Computer wins apple logo lawsuit

2006-05-14T21:48:00.000+08:00

Apple Computer has a cartoon-like apple with a neat bite taken out.Apple Corps uses a shiny green apple as its logo.(file photo)

BEIJING, May 14 (Xinhuanet) -- A U.S. judge ruled on Monday in favor of Apple Computer Inc. in the latter's right to use the apple logo on its iTunes Music Store.

Early on Apple Corps Ltd., the guardian of the Beatles' commercial interests, filed a lawsuit, charging the U.S. company of having broken a 1991 agreement in which each agreed not to infringe on the other's field of business.

Judge Edward Mann ruled that Apple Computer used the apple logo in association with the store, not the music, and thus did not breach the agreement.

"I conclude that the use of the apple logo ... does not suggest a relevant connection with the creative work," Mann said in his written judgment. "I think that the use of the apple logo is a fair and reasonable use of the mark in connection with the service, which does not go further and unfairly or unreasonably suggest an additional association with the creative works themselves."

While Apple Computer CEO Steve Jobs was pleased with the turnout, Neil Aspinall, the manager of Apple Corps, vowed that his company would immediately appeal.

"We felt that during the course of the trial we clearly demonstrated just how extensively Apple Computer has broken the agreement," Aspinall said in a statement.

Lawyers for U.S.-based Apple Computer had argued that the logos used by the two Apples are different. While Apple Corps uses a shiny green apple as its logo, Apple Computer has a cartoon-like apple with a neat bite taken out, the lawyers said.

The two Apples have been in dispute for the past 25 years. The 1991 agreement ended previous lengthy litigation over the logo.

Apple Corps was started by the Beatles in 1968 and the Cupertino, California-based Apple Computer was formed in 1976 by two college dropouts Steve Jobs and Steve Wozniak on April Fools' Day.Enditem

Softbank and Apple to develop iPod phones

2006-05-14T21:28:00.000+08:00

The Japanese Internet service company and the U.S. computer company are expected to launch handsets with the iPod functions as early as this year in Japan.

Softbank Corp. and Apple Computer Inc. are planning to jointly develop mobile phones that have built-in iPod digital music players and can download songs directly from Apple's iTunes Music Store, news reports said Saturday.

The Japanese Internet service company and the U.S. computer company are expected to launch handsets with the iPod functions as early as this year in Japan, Japanese business daily Nihon Keizai reported, citing unnamed sources.

The two companies also plan to develop a phone that can download songs using Softbank's wireless communication network next year, the paper said. Kyodo News agency had a similar report.

Officials of the two companies were not available for comment Saturday.

Softbank entered the mobile phone business in April after it acquired British mobile phone company Vodafone's struggling Japan unit. The acquisition allows Softbank to take over the more than 15 million Japanese uses who have signed on to the carrier, as well as its mobile network, instead of building it from scratch.

The reported plan comes amid intensifying competition in the mobile phone business.

On Thursday, NTT DoCoMo, Japan's biggest mobile carrier, and Microsoft Corp. announced to jointly provide music services for mobile phones this summer. The second largest mobile phone company KDDI Corp. has drawn users through its music download feature.

Nokia to add Google Talk to tablet device

2006-05-13T14:13:00.000+08:00

Nokia Corp. is adding the Google Talk application to a Nokia handheld Internet browsing device, in a move that could help boost the search company's reach in mobile communications.

Finland-based Nokia on Tuesday plans to announce that an upgraded version of its Internet Tablet device will come ready loaded with Google Inc.'s Talk service, which enables users to have voice conversations and exchange instant messages, according to a person familiar with the plans.

The device, which relies on short-range technology known as WiFi rather than cell phone networks, isn't a cell phone.

Google goes after Microsoft

2006-05-13T12:49:00.000+08:00

Google Inc. took direct aim at rival Microsoft Corp. on Wednesday by unveiling several search products while simultaneously calling the Redmond, Wash., software giant a "convicted monopoly."

Sergey Brin, Google's co-founder, made the unusually harsh comments about Microsoft at his company's annual press day in Mountain View.

He voiced concerns that Microsoft may use illegal tactics to give its own search engine preferential treatment in an upcoming release of its Windows Vista operating system for computers. He then recalled Microsoft's past legal battle with the now-defunct Netscape Communications Corp. over Internet browsers in which Microsoft was found by a federal court to have abused its power.

"We certainly see a history with that particular company, Microsoft, behaving anti-competitively, being a convicted monopoly," Brin said. He then talked about Google taking preemptive action against any future abuse by Microsoft, including lobbying the Justice Department.

Microsoft has denied any intentions to engage in anti-competitive behavior.

Brin's comments contrasted sharply with what was otherwise a get-along theme at Wednesday's event. Google executives repeatedly downplayed any rivalry with Microsoft -- or with Web portal Yahoo Inc., for that matter -- and emphasized that they're focusing on their own products.

Google's new features Wednesday, many released as tests, are intended to help users find and organize information. The products illustrate Google's dual strategy of connecting users with information through their Internet browsers, and a more recent initiative to get users to download desktop software onto personal computers.

Desktop software is Microsoft's traditional turf. Google's increasing interest in the area has ratcheted up an already formidable rivalry.

Google Notebook, to be released next week, will allow users to keep notes on a scratch pad. Users will be able to store text, links or images as they sift through results while shopping or for school research; users can then review the information privately or share it.

Google Co-op, another new product, makes searching more of a social event. Users can help others by labeling Web pages or creating specialized links to which others can subscribe.

Already, Google has signed up a number of partners to annotate Web pages about health and city guides. A few businesses have also contributed. Google said the companies do not pay to be included.

Users who subscribe may see results from a business of their choice above the traditional Google results. The theory is that such results will be more relevant and therefore deserve to be in a more prominent location.

Google also unveiled Google Trends, a product that allows users to see the popularity of specific search results over time. A user who enters "full moon," for example, will see a trend line showing that the popularity of the query spikes about once a month, but because of proprietary concerns, users cannot actually see the number of individual searches of specific terms.

In addition, Google upgraded its desktop search engine to allow users to more easily download so-called widgets, tiny programs that reside on desktop computers. They allow users to get information such as weather reports, for example, without having to open a browser.

Andy Beal, chief executive of Fortune Interactive, an online advertising company, said none of the products Google unveiled Wednesday is revolutionary. Many have been available from other companies, either for free or for a fee, he said.

"There wasn't really anything today that was groundbreaking technology," Beal said. "It was great to see Google offer them, but they have been offered by other companies for at least a couple years."

A new PlayStation generation -- for $499

2006-05-09T19:25:00.000+08:00

Los Angeles -- The highly anticipated PlayStation 3 video game console will be available for $499 in the United States starting Nov. 17, Sony executives said Monday.
In a news conference one day before the start of the Electronic Entertainment Expo, Sony officials sought to build momentum for the fall launch by providing hard information about their next-generation platform and displaying new games that showcased the visual and audio breakthroughs made possible by PlayStation 3 technology.
Kaz Hirai, president of Sony Computer Entertainment America, and Phil Harrison, president of Sony Computer Entertainment Worldwide Studios, hoped gamers would be impressed by the pricing of the new unit and its next-generation controller, which will feature "six-degree" sensing capability to enhance gameplay.
The pair also showed off an array of games from their studios and third party developers that are part of Sony's response to Microsoft's Xbox 360, which launched last fall.
"We have said the next generation doesn't start until we say it does," Hirai said. "Today the PlayStation 3 is real. The future is today."
Hirai concluded the Sony news conference by announcing pricing information, which many considered the most pressing detail. At $499, Sony's 20-GB PlayStation 3 is $100 more than a fully equipped Xbox 360. Hirai said a 60-GB version will be available for $599 at the Nov. 17 launch.
During the news conference, Harrison showed off the new PS3 controller, which, while looking like the PS2 controller, has a built-in sensor that follows the movement of the controller and translates that into gameplay.
When used in a game like WarHawk, which was demonstrated at the event, the user pulls up and down on the controller and controls the pitch and rolls of a fighter jet in a manner reminiscent of the new gyroscope-equipped controller for Nintendo's Wii platform.
"This controller allows me to unlock the most fluid movement in games," Harrison said. "It feels very intuitive. I'm very excited what it means not only for developers, but what it means for consumers."
Earlier in the news conference, Hirai touted the networking capability of the PlayStation 3, which will allow players to connect online with other users for free and buy additional levels and enhancements. With a built-in hard drive, the PlayStation 3 will support broader downloadable games, said Hirai.
Hirai said the Blu-ray DVD format will not only allow users to play next-generation high-definition movies but also will create more capacity for game developers to pack on to game discs.
Ankarino Lara, vice president for video game Web site GameSpot, said Sony failed to hit one out of the park with its announcements. He said the game demonstrations, while impressive, did not seem markedly different from what is available on the Xbox 360. And he said the price of the PlayStation, with a second controller and its first game, will be out of reach for all but early adopters.
Sony has enjoyed a strong historical lead over its console rivals, commanding more than 50 percent of platform sales. But Microsoft gained an edge last year by releasing its Xbox 360 a full year ahead of the PlayStation 3. Analysts believe Microsoft will have sold 8 million to 10 million Xbox 360s by the time the PlayStation 3 hits the shelves.
But that lead isn't insurmountable. With the Blu-ray DVD player included, Sony could get a big bump in sales. Much as it helped jump-start the DVD revolution with its PlayStation 2, the new PlayStation could lead movie fans into the high-definition DVD era with the relatively low price of its Blu-ray DVD player. Some standalone Blu-ray players are due to sell later this year for $1,000.

FAQ's on 3GP for Mobile phones

2006-05-09T04:17:00.000+08:00

What is 3G?

3G stands for third generation, a generic wireless industry term for high-speed mobile data delivery over cellular networks. 3G networks allow users to send and receive bandwidth-intensive information such as video, video conferencing, high quality audio and web data on-demand, virtually anytime and anyplace.

What is 3GP?

3GP - is the new mobile phone video file format.
3GPP, 3GPP2 are the new worldwide standard for the creation, delivery and playback of multimedia over 3rd generation, high-speed wireless networks. Defined by the 3rd Generation Partnership Project and 3rd Generation Partnership Project 2 respectively, these standards seek to provide uniform delivery of rich multimedia over newly evolved, broadband mobile networks (3rd generation networks) to the latest multimedia-enabled wireless devices. Tailored to the unique requirements of mobile devices, 3GPP and 3GPP2 take advantage of MPEG-4, the standard for delivery of video and audio over the Internet.

Extensions:
.3gp 3GPP standard, GSM Network, Video: MPEG-4, H.263, Audio: AAC, AMR
.3g2 3GPP2 standard, CDMA2000 Network, Video: MPEG-4, H.263, Audio: AAC, AMR, QCELP.

The evolution of high-speed wireless digital networks is based on two predominant technologies � GSM and CDMA2000. Both types of 3G networks are currently being deployed worldwide to offer consumers a variety of on-the-go multimedia services.

3GPP and 3GPP2 Mobile Infrastructure Solutions � Many of the world�s largest telecommunications infrastructure companies provide 3GPP and 3GPP2 mobile content delivery products and services to operators. Examples include:
* Alcatel
* Ericsson
* Nokia
* Siemens Mobile
* Sun Microsystems

3GPP and 3GPP2 Mobile Phones � Many of today's new mobile phones offer 3GPP and 3GPP2 content capture and playback capabilities. Leading providers of these standards-based multimedia phones include:
* Motorola
* NEC
* Nokia
* Panasonic
* Sanyo
* Sharp
* Sony Ericsson
* Toshiba
* Qualcomm

Intel Announces New Brand Name for Chips

2006-05-09T04:13:00.000+08:00

Core 2 Duo will debut this summer, replacing Conroe and Merom code names.

Intel will sell its new generation of 65-nanometer desktop and laptop chips under the brand name Core 2 Duo when it launches them this summer, the company says. Intel plans to launch its desktop chip, code-named Conroe, in July and its laptop chip, code-named Merom, in August.

"You could kind of say we're core crazy," company spokesperson Bill Kircos explains. "It's a way of saying 'Hey, this isn't your grandfather's PC'."

Both chips will be built with Intel's new 65-nanometer Core Microarchitecture design. After their launch, Intel will have a common architecture for its consumer, gaming, notebook, and business-desktop lines.

More Cores, More Efficiency

Chip vendors such as Intel and AMD have designed their latest processors with multiple cores in each chip as an energy-efficient way to process more software code without increasing clock speed, heat, and electricity demands. Just like cars, faster chips are generally less efficient.

Under Intel's new marketing plan, both the desktop and laptop chips will be called Core 2 Duo, with each chip distinguished by a following five-part alphanumeric code.

The first element will be a letter connoting the power draw of the chip: "U" for ultralow voltage (below 15 watts); "L" for low voltage (15 to 24 watts); "T" for standard mobile (25 to 55 watts); E for standard desktop (55 to 75 watts); and "X" for extreme (above 75 watts).

The next four elements will be a numeric code, with Conroe chips in the 4000 and 6000 series and Merom chips in the 5000 and 7000 series. Additional numbers will represent other features--for instance, the chips' suitability for Intel platforms such as Centrino for mobile PCs, Viiv for home entertainment, or vPro for business desktops.

Still Room for Extreme CPU

As an example of this nomenclature, a high-end desktop chip might be called the Core 2 Duo E6800. However, Intel will call its high-end gaming desktop processor the Core 2 Extreme.

The new Core 2 Duo nomenclature will supersede the Pentium D dual-core brand for desktops, and eventually take over for future chip designs such as four-core and eight-core processors, Kircos says.

Cisco to update Wi-Fi setup

2006-05-07T16:59:00.000+08:00

Cisco Systems is planning to announce a new wireless module for its Catalyst 6500 Ethernet switch that will provide more centralized management and enhanced features for Cisco's Wi-Fi product.

According to one analyst, the capabilities provided by the module will put Cisco's gear on par with products from start-ups such as Airespace and Aruba Wireless Networks.

"Cisco is catching up to offering capabilities that other companies introduced a year ago," said Dave Passmore, research director for the Burton Group. "So in that respect, it's a big deal for them."

Cisco's wireless product is made up of three parts. Its Aironet wireless access points transmit the Wi-Fi radio frequency signals. The Wireless LAN Solution Engine (WLSE) provides centralized management of the access nodes. And the Catalyst 6500 Ethernet switch provides the link from the wireless network to the customer's data network.

These products are all a part of Cisco's SWAN (Structured Wireless Aware Network) architecture, introduced last year. The concept is designed to enable current Cisco customers to integrate wireless services into networks already running Cisco networking gear.

The new module will fit into the Catalyst 6500 Ethernet switch and is designed to provide more intelligence so that more functionality can be centrally controlled by the WLSE. The new module will offer several new features, including dynamic selection of radio frequency and automatic power adjustment on the Aironet access points.

The addition of these features is important as more companies rely on Wi-Fi for network access. One problem with many Wi-Fi installations is that performance suffers when a user gets close to the edge of a coverage area. The performance degradation not only affects the user who is wandering out of range, it also affects every other user attached to that access point. To mitigate this problem, companies have begun installing more access points in denser configurations.

But this has caused another problem for system administrators. Because there are more access points set up closer together, it's more likely that radio-frequency signals from one access point could overlap with a neighboring node. Administrators also must make sure the power level on the access points is adjusted properly. Before Cisco added these new capabilities to the Catalyst 6500, administrators had to manually configure every access point.

"It's a very labor intensive process," said Passmore. "It's more an art than a science in trying to get all channels assigned properly and making sure the power was adjusted right."

Cisco is one of the first large companies to incorporate these features into its wireless products. Others such as Extreme Networks and Foundry Networks are supposedly working on similar functionality.

But start-ups including Airespace and Aruba have been offering these features for about a year. While Cisco and the rest of the established Ethernet switch market have been scrambling to catch up, these start-ups have moved forward, adding even more features like client location tracking. This feature becomes important as mobile voice-over-Internet Protocol (VoIP) phones are added to the network. It allows for services such as E911 to work.

Cisco doesn't offer this feature yet, according to Passmore.

But even with a richer and more mature feature set, Wi-Fi start-ups will likely struggle to win deals among Cisco's customers, many of whom are willing to wait for Cisco to add new features to its portfolio.

Along with the new module, Cisco's Wednesday announcement will provide more information about its strategy for wireless networking. The company declined to comment on the specifics of the announcement for this story.

Microsoft may delay Vista again

2006-05-03T09:28:00.000+08:00

SEATTLE, Washington (Reuters) -- Microsoft Corp.'s long- awaited release of the upgrade to its flagship Windows operating system will likely be delayed again by at least three months, research group Gartner Inc. said Tuesday.

The research note, released to clients Monday, said the new Windows Vista operating system is too complex to be able to meet Microsoft's targeted November release for volume license customers and January launch for retail consumers.

A Microsoft spokeswoman said the company disagreed with the Gartner report and it was still on track to meet its launch dates.

Vista is the first major overhaul of its operating system, which sits on 90 percent of the world's computers and accounts for nearly a third of Microsoft's total revenue, since Microsoft rolled out Windows XP nearly five years ago.

Microsoft originally targeted a 2005 launch for the new Windows, then pushed the release out to 2006 before announcing in March that Vista would again be delayed to improve the product's quality.

Gartner targets a Windows Vista release in the April-June quarter of 2007, nine to 12 months after Microsoft conducts a second major test, or "beta," release for Vista during the current quarter.

"Microsoft still wants to get it out as soon as possible, but slipping from January to March is nowhere near as bad as slipping from shipping before the holidays to after the holidays," a group of Gartner analysts wrote in the report.

Gartner said Windows XP took five months to go from a second test release to the start of production, but the magnitude of technological improvement in Vista is closer to Windows 2000, which took 16 months between the second test and production.

Once production starts, it usually takes between six- to eight-weeks for PC manufacturers to load the operating system onto new computers, Gartner said.

Mac Vulnerability Tops List of Security Flaws

2006-05-03T09:25:00.000+08:00

Apple (Nasdaq: AAPL) computer users have long been immune from the Internet nasties that infect users of Microsoft (Nasdaq: MSFT) Windows PCs, but that's beginning to change, according to a report released Monday by the SANS Institute.

The institute said in a statement that in light of recent attacks on Apple's Safari browser, SANS experts agree that Apple's operating system, OS X , still remains safer than Windows, but its reputation for offering a bullet-proof alternative to the Microsoft OS is in tatters.

As attackers are increasingly turning their attention to Apple, OS X vulnerabilities are being discovered at a rapid pace, the statement noted.

Hackers Favor Macs

"Users often feel invincible when they have their shiny silver-colored Apple and they're surfing the Net with it," observed Ed Skoudis, a senior security analyst with Intelguardians in Middletown, N.J.

"They think, 'All these vulnerabilities are out there for Windows, and I'm not using Internet Explorer so I must be safe,' and that's not true," he said at a telephone news conference held by SANS on Monday.

He revealed that the Macintosh , especially since it became an Intel-based machine, has become a favorite of hackers. "If you go to a hacker conference, you'll see that when they're doing presentations there, about 70 percent of the time they're presenting off a Macintosh," he said.

Drive-By Infections

He explained that recent flaws discovered in the Apple platform facilitate "drive-by infections."

"If you surf to a given Web site, it will hack your machine, install malicious code on it and let an attacker remotely control it," Skoudis said.

"Given all the research and all the use of this by the computer underground, I expect to see a whole lot more of this," he added.

Slow Patching

Apple's maintenance of the open source components of its code may be contributing to its platform's vulnerabilities, noted Johannes Ullrich, chief technology officer with the SANS Internet Storm Center in Boston.

"Apple uses a lot of open source products, but Apple is late in implementing some of the patches for vulnerabilities in these products," he said.

"What's happening is vulnerabilities are being disclosed and fixed in open source products, but the fix is not being implemented for OS X users. As a result, the window of vulnerability is extended to OS X users," he concluded.

Internet Exploiter

In addition to the increase in OS X attacks, SANS identified seven other major Internet vulnerability trends:

A substantial decline in the number of critical vulnerabilities in Windows Services and a corresponding increase in attacks through flaws in client-side software.
"In the 90-odd services that are installed on Windows XP in the last six months, only about four critical vulnerabilities have been found," observed Amol Sarwate, manager of the vulnerability management lab at Qualys in Redwood Shores, Calif.
Continuing multiple zero-day vulnerabilities in Internet Explorer. A zero-day vulnerability is one that can be exploited before it can be fixed.
"I think it's almost time to rename the Internet Explorer to Internet Exploiter, because rather than it exploring the Internet for you, the chances of you being exploited using Internet Explorer are much higher," quipped Rohit Dhamankar, security research manager for the TippingPoint Division of 3Com (Nasdaq: COMS) in Austin, Texas.
Rapid growth in Firefox and Mozilla vulnerabilities.
"We see as many exploits or vulnerabilities in Firefox as we do see in Internet Explorer," noted Ullrich, of the Internet Storm Center. "So Firefox is a bit safer but it's not the cure all for safe Net browsing.

"The one advantage you have with Firefox is that it's typically patched much faster," he added. "For critical vulnerabilities, patches arrive for Firefox within a week; with Microsoft, you have to wait for the monthly cycle."
Surge in the number of zero-day attacks used for monetary gain.
Skoudis of Intelguardians noted that information highwaymen have been busy refining their business models. He cited one technique where malicious code hidden on a machine will scrape the advertising from Web pages and replace it with a spammer's ads.

"When you do a search at your favorite search engine, those ads that come back might not be from Google (Nasdaq: GOOG) itself but edited locally by spyware on your machine," he explained.
Rapid growth in vulnerabilities that allow unauthorized access to database, data warehouse and data backup information.
"I don't see that trend as having surged, but I do see this one as a trend that's taking shape," observed SANS Director of Research Alan Paller.
A surge in file-based attacks, especially attacks using media files.
"What hackers are trying to find is, if they can make a bad Excel file or a bad Word file, does the program crash and allow them to compromise the system," explained Ullrich, of the Internet Storm Center.
Spreading use of "spearphishing" attacks, especially among defense and nuclear energy sites.
"These attacks are much less for money and much more for stealing sensitive information," SANS Research Director Paller said. "There's a massive spreading scourge of spearphishing."

WiFi Setup Can Be Tricky

2006-04-29T22:36:00.000+08:00

Before you can unplug and play with a WiFi network, you have to set up your wireless gear. And, despite recent improvements, it's not quite a simple and safe path yet on the PC, as we found while testing new WiFi access points from D-Link, Linksys, Netgear and Microsoft.

All four devices sell for less than $140; two are under $100. They include firewalls to stop online break-in attempts and double as Ethernet routers, which means that any PCs in the same room as an access point can share an ultra-fast wired connection while the access point broadcasts a WiFi signal to elsewhere in the house.

Their biggest improvement, however, consists of replacing cumbersome network-setup screens with only slightly confusing installation wizards that configure an access point in minutes. (Apple's pricier AirPort, by contrast, has offered a simple setup for years.)

But although these four WiFi devices all did fine with the core job of distributing an Internet connection throughout a house, they left plenty of ways for things to go awry.

D-Link's Enhanced 2.4-GHz Router DI-614+, $99, doesn't even need an installation CD-ROM. Plug the boxy device into your PC's Ethernet point, open a Web browser and type in the access point's Internet protocol address to run its embedded installer routine, which copies the necessary network settings over for you. The access point can be managed with Macs and Linux machines as well as those running Windows.

The only confusing installation moment came when the manual indicated we'd have to enter some configuration information that the access point had already found on its own.

If all of the PCs in your house use the right model of D-Link hardware, the access point supports the company's faster "AirPlus" modification of WiFi. We saw transfer speeds maybe a third faster than normal WiFi using this proprietary technology, which alone may make D-Link an appealing choice among techies -- if, that is, their machines don't already include WiFi receivers from other vendors.

Microsoft's Wireless Base Station MN-500 ($139, Win 98 or newer) was almost as simple to set up. Its CD installation software detected our setup quickly and correctly. But it needs a live broadband connection to do this. Otherwise, you have to puzzle through things "by hand" in Microsoft's Base Station Management Tool software. Microsoft provides a full, printed manual rather than an electronic copy, plus the option of saving your new wireless network's settings to a floppy disk to save time later on -- but only floppy, not USB key chain, e-mail, CD-R or any other medium. So if your laptop lacks a floppy drive this will be of limited use.

The Linksys EtherFast Wireless AP + Cable/DSL Router (Win 95 or newer, $130) can be set up in two ways. If your broadband connection is up, a CD-based install wizard will sniff out its settings for you. Otherwise, the setup guide shows where you need to click in Windows 95 through Millennium Edition, 2000 and XP. It's not pretty, but it's well explained and it won't leave you hanging.

Netgear's Cable/DSL Wireless Router MR814, $70, allows the same no-software setup as D-Link, but an install assistant supplements it, and a helpful printed guide to Internet service providers comes in the box. Netgear's setup tools are comprehensive but busy, trying to explain too many things at once. But the overall friendliness of this setup makes it the best pick for a beginner.

Once you have a WiFi network up, you should also guard it against snooping. But many WiFi kits neglect to turn on WEP (Wired Equivalent Privacy) encryption, which, although flawed and sometimes a drain on performance, is better than nothing. Of the four we tried, only Microsoft starts with WEP enabled.

Microsoft is right and the other vendors are wrong; there's no excuse for companies to ship their WiFi equipment with WEP inactive. D-Link gets some credit for offering a stronger, 256-bit level of WEP encryption -- but you have to turn it on yourself, a step that most people (to judge from the immense number of open access points we routinely see around town) won't do on their own.

Setting up an access point at the center of a wireless network is, unfortunately, only half the point. You still need to get other machines on the network and then get them sharing files and access to your printer. And that's where WiFi gear for Windows lets the user down.

The problem isn't adding a WiFi receiver to each PC -- you just stick a PC Card into a laptop or plug an adapter into a desktop's USB port. Nor is sharing Internet access difficult; most WiFi receivers will log on without a problem.

But file and printer sharing under Windows remains a maze of mysterious settings buried in different parts of the system, all of which must be set just so. Microsoft hasn't made a network as simple to set up as, say, a printer, and none of the manuals, Microsoft's included, contain a first-rate guide to configuring your first network. That's a shame, because for most home users, a WiFi system will be their first network.

'Cheap' microjets take to the skies

2006-04-28T06:37:00.000+08:00

HAYWARD AIRPORT, Calif.--Eclipse Aviation has what must be a pleasant problem: Too many people want to buy its new and inexpensive jet.

When it comes to high-performance aircraft, of course, inexpensive is a relative term. The Eclipse 500 very light jet, sometimes called a microjet, costs about $1.5 million but boasts the same performance as rivals that can cost two or three times as much to purchase and operate.

Translated, this means a remarkable backlog of orders. At a recent aviation expo here, a representative said the Albuquerque, N.M.-based company already has orders for 2,400 of the Eclipse 500 jets that won't be filled until August 2008 for deposits placed today.

"We've really identified five primary market segments," said Matt Brown, an Eclipse sales manager. Those include corporations that may not want or be able to afford a more expensive jet, pilot training and air taxi services.

The last category is the most interesting--and the most controversial. The Federal Aviation Administration has predicted that the use of private business jets will triple because of microjets' lower costs. In theory, at least, that could mean more crowded skies and increased delays at larger airports where microjets would share space with commercial carriers.

Even without microjets, delays are on the rise. "In the first quarter of 2005, arrival delays were up 17 percent over the first quarter of 2004, and affected more than 25 percent of all flights," Kenneth Mead, the Transportation Department's inspector general, told a U.S. Senate panel.

Mead warned that microjets such as the Eclipse 500 have the "potential to further crowd dense airspace" and predicted that 4,500 of them will be in use by 2016.

One large user could be DayJet, which said last year that it had already ordered 239 Eclipse 500s with an option to buy 70 more. "This is a transportation system that adapts to your needs," Ed Iacobucci, founder of software maker Citrix Systems and the man behind DayJet, said at the time. "It is not about serving New York to Atlanta. It is more about serving the secondary and tertiary markets with a point-to-point network."

Microjet proponents dismiss concerns about congestion as unfounded, arguing that advances in technology will permit planes to depart airports in quicker succession and saying that small jets can land at general aviation airports that larger planes simply can't.

The Eclipse 500, for instance, is believed to be the first jet to fly into San Carlos Airport located just south of San Francisco, during a test flight in December. San Carlos' runway is 2,600 feet long and the Eclipse requires just 2,155 feet for takeoff and landing in normal sea level conditions--a fraction of what a 757 requires. (The Eclipse 500 is awaiting certification from the Federal Aviation Administration, which the company expects by the end of the second quarter of this year. Eclipse CEO Vern Raburn is a Microsoft alum and Bill Gates is a large investor.)

Eclipse is not alone in trying to find ways to tap the $1.5 million to $3 million market for very light jets, which generally means six to eight seat planes that can fly for about 1,400 miles without refueling, at speeds of 400 to 500 mph.

A production version of Adam Aircraft's A700 microjet made its first flight in February and is expected to cost $2.25 million. Embraer's forthcoming Phenom 100 jet will cost $2.85 million and have a range of 1,160 nautical miles.

Cessna, meanwhile, is testing a six-seat microjet called the Citation Mustang. Delivery is expected by the end of 2006 with a cost of about $2.4 million, and specifications include a cruise speed of 391 mph and a takeoff distance of 3,120 feet.

Survey Finds 97 Percent of Web Users a Click Away From Infection

2006-04-28T06:29:00.000+08:00

Spyware continues to grow on the Web because the Net is becoming an increasing source of entertainment for netizens, according to Ron O'Brien, a senior security analyst with Sophos. "The proliferation of applications on the Internet that resemble entertainment serve as an incentive for people to download them onto their PC without realizing there's this spyware element to them," he said.

Some 97 percent of Web surfers are just a click away from infecting their computers with adware and spyware, according to anti-malware software maker McAfee , of Santa Clara, Calif.

McAfee came to that conclusion after analyzing 14,464 responses to a spyware quiz taken by consumers at its SiteAdvisor Web site.

"Of the 14,000 people who took the spyware quiz, three percent got perfect scores, 97 percent got at least one wrong," McAfee SiteAdvisor Market Strategist Shane Keats told TechNewsWorld.

"So I think it's fair to say," he continued, "that the vast majority in a typical month of clicking will end up on a Web site that potentially exposes them to spyware."

Wandering Into Dark Alley

The quiz at the site, which has been available since March, presents users with pairs of Web pages from locations on the Net and asks them to choose which is a safe site and which is not. A second part of the test asks users to make similar distinctions among several file-sharing sites.

Keats admitted that he was a bit disconcerted by the study's findings.

"Given the amount of coverage the media has given spyware, we were surprised by the number of people who got multiple answers wrong," he said.

"Folks are overestimating their ability to spot spyware," he maintained. "The bad guys have gotten good at making their sites look very professional, very slick, and it's becoming even harder to know when you're wandering into a dark alley."

Black Chips Exploit Blue Chips

One way malefactors disguise their intentions is by exploiting the brands of companies with blue-chip reputations.

Researchers observed that quiz takers did particularly poor on the comparison of two lyrics sites. "One possible reason," they deduced, "the unsafe site had advertising from well-known brands like Circuit City (NYSE: CC) and Monster.com that may have served to legitimize it."

Keats contended that "almost certainly" these companies don't know how their brands are being abused. He explained that a company will hire an ad agency that acts with its interactive division that hires an online media buyer that works with an affiliate network that works with another ad network and so on.

"They're so many steps removed from the actual placement decision that, realistically, headquarters at any Fortune 500 company probably doesn't know where their brand is appearing," he said.

Massive Project

"A lot of companies don't know you can get spyware by going on a lyrics site," he added. "They think you're only searching for text.

"Because of the way SiteAdvisor does its Web crawl, we can find that stuff out so we can tell people here's a site that you didn't think had spyware, but it really does," he noted.

SiteAdvisor is a massive project mounted by McAfee to analyze and test the behavior of all Web sites on the Internet on an ongoing basis.

The results of that testing can be accessed by consumers by installing a browser plug-in from the SiteAdvisor site.

The plug-in appears as a button on a browser's status line. When a user enters a Web site, the button will change color -- green for a safe site, yellow for proceed with caution and red for a malware site.

A detailed analysis of the site can be viewed by clicking a menu arrow beside the button.

System Level Infection

If detecting a spyware site is hard without the aid of a tool like SiteAdvisor, identifying spyware once it reaches a computer can be even harder, according to Patrick Hinojosa, chief technology officer for Panda Software, a security technologies, products and services company in Glendale, Calif.

He cited instances of spyware masquerading as legitimate system-level files, such as the registering itself as a Layered Systems Provider (LSP) in Windows, to avoid detection.

"Even most power users are not going to know how to inspect the LSP layer and know what should or should not be there," he told TechNewsWorld. "And even if they found something they weren't sure about and they yanked it, it could totally kill their Internet connection indefinitely until they rebuild that stack."

Firefox zealots offer users money to switch from IE

2006-04-26T13:08:00.000+08:00

A group of Firefox advocates from Massachusetts is offering website publishers and bloggers $1 for each Internet Explorer visitor to their sites they can convince to switch to the Mozilla Firefox browser.

Google has recently announced that it will pay websites $1 for each referred download of Firefox it receives via the Google Toolbar. The four anti-Microsoft activists from Massachusetts have developed a series of free scripts that website owners can add to their sites that will detect whether visitors are running Internet Eplorer. Depending on the script, the website will either show a splash page telling them to switch to Firefox or it will put a big switch banner at the top of the page.

The group, which explains its actions in an open letter on their website at http://www.explorerdestroyer.com/open_letter.php, says: "Firefox is one of the most important software applications in the world because it can play a big part in determining the future of the web. It is crucial that an open-source, standards-based web browser becomes the most popular browser, and Firefox has a shot at being that. Google has just set the stage for Firefox to literally "take back the web" and go from 11% of browsers to over 50%. If people can now spread Firefox, stick it to Microsoft, and make money for each user switched, an aggressive strategy just got more appealing."

The activitists have designed three levels of scripts that website owners can use depending on their commitment level to converting Internet Explorer users: one is a banner at the top of the page, another is a splash page with a link to the Mozilla download page and the most extreme is a page that informs visitors that they need to switch to Firefox to view the site.

According to the group, getting users to switch to Firefox has never been more urgent: "There's a big chance right now to switch people to Firefox and it might not last very long-- Microsoft has a new version of Internet Exlporer on the way and lord knows what they'll be doing in Vista to force people to use it. Firefox has to get a big foothold right now."

What the group did not make clear, however, is what its attitude is to other alternative browsers, such as Opera.

Scientists Conclude That Black Holes Are Energy Efficient

2006-04-25T06:37:00.000+08:00

"The black holes are actually preventing galactic sprawl from taking over the neighborhood," said NASA astrophysicist Kim Weaver. She said there's no harm in too many stars, just a mystery as to why these several billion old galaxies aren't loaded with even more stars.

With gasoline hitting US$3 per gallon, scientists have just found the most energy-efficient engines in the universe: black holes, those whirling super-dense centers of galaxies that suck in nearly everything.

The jets of energy spurting out of older, ultra-efficient black holes also seem to be playing a crucial role as zoning cops in large galaxies, preventing too many stars from sprouting. That explains why there aren't as many burgeoning galaxies chock full of stars as previously expected, said scientists citing results from NASA's Chandra X-ray Observatory.

Mass of Gas

For the first time, scientists measured both the mass of hot gas that is being sucked into nine older black holes and the unseen super-speedy jets of high energy particles spit out, which essentially form a cosmic engine. Then they determined a rate of how efficient these older black hole engines are and were awestruck.

These black holes are 25 times more efficient than anything man has built, with nuclear power being the most efficient of man-made efforts, said study lead author Steve Allen of Stanford University and the Stanford Linear Accelerator Center.

"If you could make a car engine that was as efficient as one of these black hole engines, you could get about a billion miles per gallon of gas," Allen said. "In anyone's book, that would be pretty green."

The galaxies in which these black holes live are bigger than ours, the Milky Way, and 50 million to 400 million light-years away. One light-year is nearly 5.9 trillion miles. The black hole at the center of our galaxy wasn't studied because it wasn't gas-rich and big enough, so scientists couldn't measure what was going in and coming out, Allen said.

The results were surprising because the types of black holes studied were older, less powerful and generally considered "boring," scientists said. However, they ended up being more efficient than originally thought -- possibly as efficient as their younger, brighter and more potent black hole siblings called quasars.

Blinding Light

Quasars spit out blinding light, so scientists can't measure individual energy efficiency for them, said study co-author Christopher Reynolds of the University of Maryland. If they could, they'd probably be even more efficient, based on indirect calculations, he said.

One of the ways scientists measured the efficiency of black holes was by looking at the jets of high energy spewed out. Those jets produce bubbles of heat nearby, which tend to keep hot gas from cooling and forming stars in large galaxies.

Allen and Weaver said in interviews the unseen hot jets appears to answer the question about what's stopping galaxies from growing too big, he said.

"What this does is give us a step toward understanding why the galaxies in the universe look the way they do," Allen said.

Courtesy of http://www.technewsworld.com

ba-zoo-ra

Securing OpenSSH

vSphere - Virtual Center Server Service Stops

Problem

Solution

References - Credits - Or External Links

How to Save Flash Games & SWF

Saving Flash files from Firefox

How to save flash in IE browser

Converting 32bit RRD to 64bit RRD

Converting 32bit RRD to 64bit RRD (moving cacti between architectures)

Disable memory ballooning in VMWare

Backup Cisco IOS stored in diffent directory

How to SFTP if the default ssh port is changed

Upgrading Openssh on CentOS And Chrooting a User When Connecting via SFTP

Turn on DMA mode on a hard drive

Enable quota in the server

Signals, really cool!

Logging server load to /var/log/messages

Splitting a file in GNU/Linux

Useful Kernel manipulation commands

Saturation of open files in the system

Set up Auto-Logout for root user

20 Linux System Monitoring Tools Every SysAdmin Should Know

#1: top - Process Activity Command

Commonly Used Hot Keys

#2: vmstat - System Activity, Hardware and System Information

Display Memory Utilization Slabinfo

Get Information About Active / Inactive Memory Pages

#3: w - Find Out Who Is Logged on And What They Are Doing

#4: uptime - Tell How Long The System Has Been Running

#5: ps - Displays The Processes

Show Long Format Output

To See Threads ( LWP and NLWP)

To See Threads After Processes

Print All Process On The Server

Print A Process Tree

Print Security Information

See Every Process Running As User Vivek

Set Output In a User-Defined Format

Display Only The Process IDs of Lighttpd

Display The Name of PID 55977

Find Out The Top 10 Memory Consuming Process

Find Out top 10 CPU Consuming Process

#6: free - Memory Usage

#7: iostat - Average CPU Load, Disk Activity

#8: sar - Collect and Report System Activity

#9: mpstat - Multiprocessor Usage

#10: pmap - Process Memory Usage

#11 and #12: netstat and ss - Network Statistics

#13: iptraf - Real-time Network Statistics

#14: tcpdump - Detailed Network Traffic Analysis

#15: strace - System Calls

#16: /Proc file system - Various Kernel Statistics

17#: Nagios - Server And Network Monitoring

18#: Cacti - Web-based Monitoring Tool

#19: KDE System Guard - Real-time Systems Reporting and Graphing

#20: Gnome System Monitor - Real-time Systems Reporting and Graphing

Bounce: Additional Tools

How to send email from the Linux command line

Installing rrdtool using yum on CentOS

How to configure TCP/IP filtering in Windows 2000

Hardening CentOS 5

PacMan: THE LAST FIGHT

How To: Transfer your PuTTY settings between computers

ip_conntrack: table full, dropping packet.

Install Squid on CentOS / RHEL 5

Squid Basic Configuration

Open TCP port 3128

Client configuration

Update The Root Hints Data File for BIND Named Server

Sample updated root hints data file

How to view Email headers

Disable HTTP TRACE method in Tomcat

Optimize bash_history

How to check if Sender Privacy Framework (SPF) is setup correctly ?

How to Enable Cookies

How to: Using Sudo

Fix IPC$ error - Windows 98 to Windows 2000 / XP security

Keep your Web site online with a High Availability Linux Apache cluster