Knopix’s Weblog

February 12, 2008

Bandwidth Management with SQUID – Delay POOLS

Filed under: Komputer, Linux — knopix @ 2:52 am

[LINUX] Bandwidth Management with SQUID – Delay POOLS

posted on 10:44:47, 2007-07-22



SQUID – Delay POOLS
Background
Bandwidth is expensive. At the moment a 64 kbps link costs about 4 million (rupiah) per month. The problem is that 64 kbit/s is not much to begin with. What customers typically get is "64 at 1:2", meaning one 64 kbit/s link is shared by two customers at once.
On top of the bandwidth being limited, some users on the inside behave as they please. Feeling that they have a free internet connection, some of them start using it to open certain sites or to collect certain files. Naturally the bandwidth left for everyone else shrinks further, and it is the ordinary users (not the internet addicts) who suffer; all they can do is sigh.

To deal with this, so that every user gets enough bandwidth, the squid proxy server can be used.
Implementation
Before you start configuring delay pools, you need a squid binary that was compiled with delay pools support. Some of the big distros such as RedHat/Mandrake usually ship squid with delay pools support already enabled.
If not, it can be compiled yourself as follows
(more…)
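A worked delay pools fragment for the situation described above, added here as an example rather than taken from the post. It generates a class-2 pool (one shared bucket for the LAN plus one bucket per client), converts the link figures from kbit/s to the bytes/s that delay_parameters expects, and checks that the installed squid was built with delay pools. The LAN prefix 192.168.1.0/24 and the acl name are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post. Builds a class-2 squid delay pool
# from link figures given in kbit/s. LAN prefix and acl name are assumptions.

# squid.conf delay_parameters takes bytes per second; 64 kbit/s is 8000 B/s.
kbit_to_bytes() {
  echo $(( $1 * 1000 / 8 ))
}

# Check that the binary was built with delay pools before editing squid.conf;
# squid -v lists the configure options it was compiled with.
squid_has_delay_pools() {
  squid -v 2>/dev/null | grep -q -- '--enable-delay-pools'
}

# Class 2 = one aggregate bucket for everyone matching the acl plus one bucket
# per client host, indexed by the last octet of the source address (so it
# assumes a /24 LAN).
# $1 aggregate kbit/s, $2 per-client kbit/s, $3 LAN prefix, $4 acl name
squid_delay_pool_conf() {
  agg=$(kbit_to_bytes "$1")
  per=$(kbit_to_bytes "$2")
  cat <<EOF
acl $4 src $3
delay_pools 1
delay_class 1 2
# pool 1: aggregate restore/max, then per-host restore/max, all in bytes/s
delay_parameters 1 $agg/$agg $per/$per
delay_initial_bucket_level 50
delay_access 1 allow $4
delay_access 1 deny all
EOF
}

# Usage: a 64 kbit/s link shared by 192.168.1.0/24, at most 16 kbit/s per host.
squid_delay_pool_conf 64 16 192.168.1.0/24 lan
```

Delay pools only shape traffic that actually passes through the proxy; anything that reaches the internet directly is untouched, so combine them with a firewall rule that forces HTTP through squid or drops outbound port 80 from the LAN. The acl is also what decides who is metered, so a too-narrow `src` silently leaves clients unshaped.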

January 16, 2008

Postfixadmin / MySQL / Courier / Squirrelmail on Debian Etch (Howto/Tutorial)

Filed under: Komputer, Linux — knopix @ 9:17 am

Source from David Goodwin

Install Debian

No surprise there… I installed Etch via netboot, and ended up with a fairly minimal setup. You’ll probably do it a different way. I told it to install as a ‘mail server’ and a ‘web server’. The ‘mail server’ option was probably a mistake as it installs uw-imapd and exim, neither of which I wanted/needed.

You probably want to install openssh-server and molly-guard :)

Postfix

apt-get install postfix postfix-mysql

(or postfix-pgsql if you are going to use PostgreSQL instead)

I selected the Internet Site configuration when asked to pick a configuration.

/etc/apt/sources.list

In order to have slightly more recent versions of a few packages (PHP5, ClamAV and PostgreSQL mainly), I added the following into my /etc/apt/sources.list file :

deb http://packages.dotdeb.org stable all
deb http://www.mirrorservice.org/sites/backports.org/ etch-backports main contrib non-free

Both are third-party repositories: import their signing keys so that apt can verify the packages before you install from them.

Install MySQL

apt-get install mysql-server

(Note: there is no requirement on using v8.2, but I’m under the impression that it’s faster than previous versions). I’d suggest you use at least v8.1 (in Etch) from a maintenance point of view.

(more…)

January 8, 2008

Wireless Networking in Windows 2003

Filed under: Microsoft — knopix @ 6:34 am
In Part 2 of my Introduction to Wireless Networking series I briefly touched on the subject of IAS in Windows 2003. Here we will look at the Internet Authentication Service in a bit more detail and also see what Windows 2003, and SP1, have to offer when it comes to Wireless Networking. I’ll also show you how to setup 802.1X based security in Windows 2003.

Service Pack 1

Enhancements for Wireless Networking

The enhancements that SP1 provides for wireless LANs are of great benefit to enterprise-wide networks. Without SP1, Windows Server 2003 does not support the WPA security method, so it cannot be implemented; with Service Pack 1 that is no longer an issue. Apart from addressing the weaknesses of the original Windows Server 2003, SP1 makes it easier to deploy secure, large-scale wireless LANs. Additionally, administrators can now give users of wireless clients running Windows XP SP2 a choice of pre-approved digital certificates and signing authorities. This means users can only accept certificates for the network that the administrator has previously approved, making them less prone to man-in-the-middle attacks.

Centralized Management

The Active Directory Group Policy console allows centralized management of the Wireless Zero Configuration client, which makes it easier and faster to connect wireless clients to a secure network. WPA TKIP and AES encryption settings can now be configured, and any wireless client running Windows XP Service Pack 2 (or Service Pack 1 with the WPA patch) can be centrally configured to use the more secure WPA TKIP or AES methods to connect to the wireless LAN.

Wireless Setup Wizard

As did Windows XP SP2, Windows 2003 SP1 comes with a Wireless Network Wizard that will help you to configure secure wireless networks. Configuration settings can be stored on removable media (such as a USB pen drive) and then copied over to other machines.

PEAP Authentication Scheme

LEAP (Lightweight Extensible Authentication Protocol) is a popular non-TLS (Transport Layer Security) authentication scheme introduced by Cisco in later firmware versions of its Aironet access point range. It has no protected tunnel around the credential exchange, so the MS-CHAP challenge/response can be captured from the air and attacked offline with a dictionary. With the introduction of PEAP (Protected Extensible Authentication Protocol) authentication in the IAS (Internet Authentication Service) component of Windows Server 2003, these weaknesses are addressed: the inner authentication runs inside a TLS tunnel. Furthermore, a single server-side digital certificate serves all clients, without a certificate having to be installed on each client. The clients do still need to trust the CA that issued it and be configured to validate the server certificate; otherwise a rogue access point with its own RADIUS server can harvest the same credentials.

(more…)

Setting up a wireless network with Windows Server 2003 and PEAP/EAP

Filed under: Microsoft — knopix @ 6:29 am

Setting up a wireless network with Windows Server 2003 and PEAP/EAP

PEAP with IAS is a great way to set up wireless networks that require:
a) top-notch security.
b) lots of access points (greater than 10 or so).
c) minimal administrative maintenance overhead.

It brings your wireless security up to a level that is acceptable for use on a security sensitive domain. It is approximately as secure as domain logon is on a wired network.

The whole IAS management of your APs as RADIUS clients makes it very simple to make changes to your infrastructure without having to reprogram every AP on site to reflect a simple change (which is the case in most WPA-PSK setups). You don't need to worry about keeping pre-shared keys up to date, as the encryption keys are generated dynamically each time a client connects.

Below I have detailed the steps that I take when setting one of these networks up. Screenshots are on their way (I will get them next time I set up one of these networks), but most of the steps are fairly self-explanatory.

Install IAS from the Add/ Remove Windows Components area in the control panel.

Install Certificate Services from the Windows Components area in the control panel.

When prompted you want to install an “Enterprise Root CA”.

Load up the “Certificates” snap-in in mmc and submit a request for a new domain controller certificate (the IAS server needs a certificate with the Server Authentication purpose; the Domain Controller template provides one when IAS runs on a domain controller).

Create a group in Active Directory called “WirelessUsers”.

Inside the Administrative Tools section load up the IAS snap-in and create a “new remote access policy”. Call it “Wireless Access Policy”. Follow the wizard, which is reasonably intuitive, and when prompted for access restrictions allow only computers and users that are members of the “WirelessUsers” group you created previously. Also make sure that when prompted for the authentication method you select EAP/PEAP.

Then right click on the policy you just created and goto “Properties”. Then click on the “Edit Profile” button and make the following changes:

1. Encryption tab: make sure “No Encryption” is not ticked.
2. Authentication tab: tick MS-CHAP v2.
3. Advanced tab: add Ignore-User-Dialin-Properties = True and also Termination-Action = RADIUS-Request.

(more…)

December 7, 2007

Spam blocking with rblsmtpd on qmail

Filed under: Linux — knopix @ 8:47 am

(installed using qmailrocks)

edit /var/qmail/supervise/qmail-smtpd/run (more…)
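The run-file edit is cut off above, so here is an added example (not the post's own run file, and not part of qmailrocks) of what a qmail-smtpd supervise script looks like with rblsmtpd in front of it, together with the DNSBL lookup rblsmtpd performs for each client. The paths, the vpopmail account, the softlimit value and the DNSBL zones are assumptions:

```shell
#!/bin/sh
# Added example, not the post's run file: a supervise run script for qmail-smtpd
# with rblsmtpd in front, plus the lookup rblsmtpd performs. Paths, the vpopmail
# account, the softlimit value and the DNSBL zones are assumptions.

# rblsmtpd checks a client by reversing its octets and resolving <rev>.<zone>;
# an A record in the answer means "listed".
# $1 client IPv4 address, $2 DNSBL zone
dnsbl_name() {
  echo "$1" | awk -F. -v zone="$2" '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# Print the run file. -b answers listed clients with a permanent 553 instead of
# the default 451 temporary failure; -t caps the DNS wait in seconds so a slow
# zone cannot stall the SMTP greeting. Clients whose tcp.smtp rule sets
# RBLSMTPD="" (for example 127.: and the LAN) skip the check entirely.
# $1 local hostname for the banner, $2... DNSBL zones to query, in order
qmail_smtpd_run() {
  host=$1; shift
  rbl_args=""
  for zone in "$@"; do
    rbl_args="$rbl_args -r $zone"
  done
  cat <<EOF
#!/bin/sh
QMAILDUID=\$(id -u vpopmail)
NOFILESGID=\$(id -g vpopmail)
MAXSMTPD=\$(cat /var/qmail/control/concurrencyincoming)
exec /usr/local/bin/softlimit -m 8000000 \\
  /usr/local/bin/tcpserver -v -R -l $host -x /home/vpopmail/etc/tcp.smtp.cdb \\
    -c "\$MAXSMTPD" -u "\$QMAILDUID" -g "\$NOFILESGID" 0 smtp \\
  /usr/local/bin/rblsmtpd -b -t 10$rbl_args \\
  /var/qmail/bin/qmail-smtpd 2>&1
EOF
}

# Usage: regenerate the run file and let supervise restart the service:
#   qmail_smtpd_run mail.example.com zen.spamhaus.org bl.spamcop.net \
#     > /var/qmail/supervise/qmail-smtpd/run
#   chmod 755 /var/qmail/supervise/qmail-smtpd/run && svc -t /service/qmail-smtpd
qmail_smtpd_run mail.example.com zen.spamhaus.org bl.spamcop.net
```

Order the `-r` zones from most to least trusted, since the first listing wins, and keep the tcp.smtp whitelist tight: any rule that sets `RBLSMTPD=""` bypasses every zone, so it should cover only localhost and hosts you control.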

Compiling a kernel on Debian

Filed under: Linux — knopix @ 8:38 am
debian:~# apt-get install kernel-package libncurses5-dev (more…)

November 29, 2007

Creating a certificate for a web server

Filed under: Linux — knopix @ 7:44 am

Notes:

$VALID_DAYS : 3650 days
$PRIVATE_KEY : cert.key
$CERTIFICATE_FILE : cert.crt

    • Open a console as root and type the following command (the private key $PRIVATE_KEY must already exist; because of -x509 the output is a self-signed certificate rather than a signing request, and -days only applies in that self-signed case)

      openssl req -new -days $VALID_DAYS -key $PRIVATE_KEY -x509 -out $CERTIFICATE_FILE
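The command above assumes $PRIVATE_KEY already exists and yields a certificate with nothing but a CN. The following added example (not from the post) generates the key with root-only permissions, issues the self-signed certificate with a subjectAltName through a small req config, and checks the result; the hostname, the 2048-bit key size and the file names are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post: key generation, a self-signed
# certificate carrying a subjectAltName, and checks on the result. Hostname,
# key size and file names are assumptions.

# $1 hostname, $2 validity in days, $3 output directory
make_self_signed() {
  host=$1; days=$2; dir=$3
  key="$dir/cert.key"; crt="$dir/cert.crt"; cfg="$dir/openssl.cnf"
  # A req config is used instead of -addext so this works with older openssl.
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = server
[dn]
CN = $host
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # The key has to exist before the post's "openssl req -x509" can run; the
  # subshell umask makes it readable by its owner only from the moment it is written.
  ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null )
  openssl req -new -x509 -days "$days" -key "$key" -config "$cfg" -out "$crt" 2>/dev/null
  chmod 644 "$crt"
}

# Print the SAN entries; current browsers ignore the CN and match only the SAN.
# $1 certificate file
cert_sans() {
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# Succeed only if the certificate stays valid for at least $2 more days.
# $1 certificate file, $2 days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: issue into a scratch directory and show what was produced.
if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d)
  make_self_signed www.example.test 3650 "$d"
  cert_sans "$d/cert.crt"
  rm -rf "$d"
fi
```

Clients still have to be told to trust this certificate explicitly, since no CA vouches for it; a 3650-day lifetime is acceptable for an internal service on that basis, whereas publicly trusted certificates are limited to much shorter validity periods and would be rejected at this length.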

HTB-GEN: an easy way to manage bandwidth

Filed under: Linux — knopix @ 7:31 am

Bandwidth management is usually implemented on the main-gw (main gateway), where main-gw handles several clients that have each been given a fixed bandwidth quota. Here we will use a helper tool called HTB-GEN.
On most Linux distros htb/cbq is already included in the default kernel; it is only that we are not familiar with the tc command, which is the standard tool for shaping bandwidth. That is why we use HTB-GEN here.
Things to keep in mind:
License: GPLv2 or later
Requirements to run it:
-bash
-QoS htb kernel support
-iproute2 tc
-iptables
-htb-init script (optional)

OK, let's start implementing HTB-GEN on our main-gw machine. The steps are as follows:
Step 1: Download

htb-gen-0.8.4.tar.gz Source tarball
htb-gen_0.8.4_all.deb Debian package
htb-gen-0.8.4-1.noarch.rpm Aliened RPM package

Archive at http://www.praga.org.ar/dev/htb-gen/packages/

choose the one matching the distro you use; here I use Mandriva cooker, so I have to download the .rpm version.

Step 2: Install
to install htb-gen on Mandriva, just run
#urpmi htb-gen-0.8.4-1.noarch.rpm

Step 3: Configure
once the installation has completed successfully, the default htb-gen configuration files are in /etc/htb-gen.
Edit /etc/htb-gen/htb-gen.conf with your favourite editor

#vim /etc/htb-gen/htb-gen.conf

note the following lines:

iface_down="eth1" # Server LAN iface
iface_up="eth0" # Server INET iface
total_rate_down=1024 #Total download bw
total_rate_up=512 #Total upload bw

Then in /etc/htb-gen/htb-gen-rates.conf, note the following lines:

#            down   down   up     up
#            min    max    min    max
#ip          (rate) (ceil) (rate) (ceil)
192.168.1.2  0      64     0      32
192.168.1.3  0      128    0      64
192.168.1.4  0      256    0      128
10.0.0.1/30  256    512    128    256
200.80.22.2  256    256    256    256

As you can see:

it is very easy to limit a single host or a whole network

addresses on other networks can be used too

addresses and networks are written in the standard notation

fixed-rate bandwidth is supported

a zero ("0") value means the available or remaining bandwidth is used automatically.

Next....

Step 4: Running it

Running htb-gen is very easy; in general it is run with the following option

#htb-gen tc_all

for more htb-gen options, run

#htb-gen --help

The official site for htb-gen is at http://www.praga.org.ar/wacko/DevPraga/htbgen/

source: http://fsdoei.wordpress.com/2007/10/30/htb-gen-cara-mudah-memanage-bandwidth/
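To show what htb-gen turns the two files above into, here is an added example (not htb-gen's own code) that reads the htb-gen-rates.conf layout, refuses a file whose guaranteed rates add up to more than the link, and prints the tc commands for one direction. It assumes rates are in kbit/s, maps a "0" rate to a 1 kbit floor because HTB requires a non-zero rate, and adds a catch-all class for hosts not listed in the file; the interface names and the sample rows are constructed:

```shell
#!/bin/sh
# Added example of what htb-gen does underneath, not htb-gen's code. Reads the
# htb-gen-rates.conf layout (ip down_rate down_ceil up_rate up_ceil, kbit/s),
# validates it and prints tc commands. The kbit/s unit, the 1 kbit floor for
# "0" rates and the catch-all class are assumptions.

# Constructed sample in the rates-file format.
RATES_SAMPLE='# ip          down_min down_max up_min up_max
192.168.1.2    0   64   0   32
10.0.0.1/30  256  512 128  256
200.80.22.2  256  256 256  256'

# The sum of guaranteed (min) rates must fit inside the link or HTB cannot
# honour them; unlike tc, this refuses such a file outright.
# $1 rates file, $2 total down kbit/s, $3 total up kbit/s
check_rates() {
  awk -v td="$2" -v tu="$3" '
    /^[ \t]*#/ || NF < 5 { next }
    { d += $2; u += $4 }
    END {
      if (d > td || u > tu) {
        printf "oversubscribed: down %d/%d up %d/%d kbit\n", d, td, u, tu
        exit 1
      }
    }' "$1"
}

# Emit tc commands. Download shaping sits on the LAN iface and matches ip dst;
# upload shaping sits on the Internet iface and matches ip src.
# $1 rates file, $2 interface, $3 total kbit/s for this direction, $4 down|up
htb_tc_gen() {
  if [ "$4" = down ]; then col=2; key=dst; else col=4; key=src; fi
  awk -v dev="$2" -v total="$3" -v col="$col" -v key="$key" '
    BEGIN {
      printf "tc qdisc add dev %s root handle 1: htb default 99\n", dev
      printf "tc class add dev %s parent 1: classid 1:1 htb rate %dkbit ceil %dkbit\n", dev, total, total
      # unlisted hosts share whatever is left, with no guarantee
      printf "tc class add dev %s parent 1:1 classid 1:99 htb rate 1kbit ceil %dkbit\n", dev, total
      id = 10
    }
    /^[ \t]*#/ || NF < 5 { next }
    {
      rate = ($col == 0) ? 1 : $col              # 0 = no guarantee (HTB needs rate > 0)
      ceil = ($(col+1) == 0) ? total : $(col+1)  # 0 = may borrow up to the whole link
      printf "tc class add dev %s parent 1:1 classid 1:%d htb rate %dkbit ceil %dkbit\n", dev, id, rate, ceil
      printf "tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip %s %s flowid 1:%d\n", dev, key, $1, id
      id++
    }' "$1"
}

# Usage: write the sample out, validate it, and show the download-side rules.
tmp=$(mktemp)
printf '%s\n' "$RATES_SAMPLE" >"$tmp"
check_rates "$tmp" 1024 512 && htb_tc_gen "$tmp" eth1 1024 down
rm -f "$tmp"
```

The oversubscription check matters because HTB only honours rate guarantees while their sum fits in the parent class; past that point the guarantees degrade without any error from tc. Matching on ip src/dst with u32 also means a client that changes its address escapes its class, so on an untrusted LAN tie addresses to MACs (static DHCP plus ARP filtering) or shape per interface instead.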
