Knopix's Weblog

Bandwith Manajemen dengan SQUID – Delay POOLS

knopix — Tue, 12 Feb 2008 02:52:13 +0000

[LINUX] Bandwith Manajemen dengan SQUID – Delay POOLS

diposting pada 10:44:47, 2007-07-22

SQUID – Delay POOLS
Latar Belakang
Bandwidth merupakan barang yang mahal. Untuk saat ini kisaran 64 kps dihargai sekitar 4 jt perbulan. Permasalahnnya bandwith 64 kbits itu bukan nilai yang besar. Rata-rata yang didapat pelanggan adalah 64 1:2. Artinya 1 jalur 64 kbits digunakan untuk 2 pelanggan sekaligus.
Sudah bandwidthnya dibatasi terkadang pula disisi user ada yang bertingkah seenaknya. Merasa ada koneksi internet gratis, beberapa user mulai menggunakannya untuk membuka situs-situs tertentu atau mengkoleksi file-file tertentu. Tentu saja alokasi bandwidth yang tersedia semakin menyusut. Yang merasakan adalah golongan user yang biasa-biasa saja (bukan mania internet), mereka hanya bisa mengelus dada.

Untuk mengatasi hal diatas, agar setiap user mendapat bandwidth yang cukup, bisa digunakan aplikasi squid proxy server.
Pelaksanaan
Sebelum mulai mengkonfigurasi delay pools, harus dipersiapkan terlebih dahulu aplikasi squid yang sudah dikompilasi dengn support delay pools. Beberapa distro besar seperti RedHat/Mandrake biasanya sudah di atur support delay pools.
Bila tidak dapat dikompilasi sendiri sebagai berikut

# ./configure –enable-delay-pools
# make
# make install

konfigurasi
File konfigurasi squid adalah squid.conf
ada beberapa tag konfigurasi untuk delay pools di squid.conf.

1. delay_pools
menyatakan berapa banyak bagian/pool yang akan dibuat
misal delay_pools 2

2. delay_class
menentukan klas/tipe pembagian bandwith dari setiap pool. 1 pool hanya boleh memiliki 1 clas, tidak lebih atau kurang.
bagian merupakan nomer urut dari jumlah pool didelay pool, jadi ada 1 s/d n bagian dimana n merupakan angka jumlah pada delay_pools
tipe merupakan tipe class delay yang dipakai.
Secara umum tipe menyatakan bagaimana cara membagi bandwidth, ada 3 tipe:

tipe/class keterangan
1 semua bandwidth yang ada akan dibagi sama rata untuk semua user squid

ex ada bandwidth 128 dan semua bandwith dipakai untuk browsing
2 membatasi pemakaian bandwith dari total bandwidth yang ada, dan bandwith yang diperuntukan squid akan dibagi semua user dengan sama rata.

ex ada bandwidth 128 dimana 28 kbit dipakai untuk email dan sisanya (128-28) 100 kbit dipakai untuk browsing
3 membatasi pemakaian bandwidth dari total bandwidth yang ada, setiap network class C akan mendapat bandwidth sama besar, setiap user pernetwork akan mendapat bandwidth yang sama besar dari total bandwidth per network

ex: bandwidth tersedia 512 kb, untuk browsing disediakan bandwidth 384 kb, sisanya untuk aktifitas lain.
Di jaringan tersebut ada 3 departement dengan network yang berbeda misal lab (192.168.1.0/24), manajer(192.168.2.0/24), sales(192.168.3.0/24).
nah misah oleh admin di set bahwa pernetwork mendapat jatah 128 kb/s.
maka user? di sales akan mendapat pembagian bandwidth sama besar dari total 128 kb/s.
maka user? di lab akan mendapat pembagian bandwidth sama besar dari total 128 kb/s.
maka user? di manajer akan mendapat pembagian bandwidth sama besar dari total 128 kb/s.

misal:

delay_class 1 2 # pool 1 memakai clas tipe 2
delay_class 2 3 # pool 2 memakai clas tipe 3

3.delay_access
Memberi batasan siapa saja yang boleh mempergunakan delay pools ini.
Penting untuk diingat sebaiknya setelah menetukan batasan jangan lupa di akhiri dengan deny all.
misal:

delay_access 1 allow manajer
delay_access 1 deny all
delay_access 2 allow sales
delay_access 2 deny all

4. delay_parameters
Ini adalah bagian terpenting dari delay pools memberikan aturan main setiap delay pools yang dibentuk.
delay parameter mempunyai format yang disesuaikan dengan tipe/class yang dipakai.
Tapi disetiap tipe yang dipakai ada 1 format baku yaitu restore/max.

restore menunjukkan maksimum kecepatan data yang dapat dilewatkan bila harga max sudah terlampaui, dalam satuan bytes/second

max menunjukkan besar-nya file atau bucket yang dapat dilewatkan tanpa melalui proses delay. dalam satuan bytes.
Yang perlu diperhatikan dari satuan diatas adalah harga restore dimana kita sering menerima/menyewa/membeli bandwidth dari provider dalam satuan bits/second bukan bytes/second. Sedangkan satuan kecepatan yang ditunjukkan oleh Microsoft pada saat mendonlot file adalah bytes/sec.
Sedangkan satuan dari harga max sudah sesuai dengan kebiasaan sehari-hari, dimana kita memberi besaran bytes pada file-file.
1 byte = 8 bit.

SpesialCase: -1/-1 berarti unlimited atau tidak dibatasi pada nilai restore/max

ex: 1000/64000 harga restore sama dengan 8000 bits/sec atau 8 kbits/sec.
Yang artinya user akan mendapat donlot brustable selama file yang akan dibuka lebih kecil dari 64 kbytes, jadi kecepatan bisa diatas 8 kbit/sec.
Bila ternyata file yang dibuka melebihi 64 bytes, maka proses limitasi akan segera dimulai dengan membatasi kecepatan maksimal 8 kbits/s.

class 1
delay_parameters <#pool individual>
ex: delay_parameters 1 1000/64000
Berarti semua network akan mendapat bandwidth yang sama di pool no 1.
Sebesar 1 kbytes/sec (8 kbits/sec), dengan burstable file 64 kb.
class 2
delay_parameters <#pool agregate individual>
ex: delay_parameters 1 32000/32000 1000/64000
Berarti squid akan memakai bandwidth maksimum (32000*8) 256kbits dari semua bandwidth.
Bila terdapat lebih dari 1 network class C, maka total yang dihabiskan tetap 256 kbit/sec
dan tiap user akan mendapat bandwidth maksimum 1 kbytes/sec (8 kbits/sec), dengan burstable file 64 kb.
class 3
delay_parameters <#pool agregate network individual>
ex: delay_parameters 1 32000/32000 8000/8000 1000/64000
Berarti squid akan memakai bandwidth maksimum (32000*8) 256kbits dari semua bandwidth.
Bila terdapat lebih dari 1 network class C, maka setiap network akan dipaksa maksimum sebesar (8000*8) 64 kbits/sec
dan tiap user pada satu network akan mendapat bandwidth maksimum 1 kbytes/sec (8 kbits/sec), dengan burstable file 64 kb.

Contoh
dalam 1 network dengan penggunaan bandwidth total tidak dibatasi terdapat beberapa komputer dengan klasifikasi sebagai berikut

* admin, server dengan bandwidth unlimited
* staff dengan bandwidth 1,5 kbytes/sec, bila file yang diakses melebihi 64Kbte
* umum dengan bandwidth 1 kbytes/sec, bila file yang diakses melebihi 32 Kbyte

acl all src 0.0.0.0/0.0.0.0
acl admin src 192.168.1.250/255.255.255.255
acl server src 192.168.1.251/255.255.255.255
acl kantor src 192.168.1.0/255.255.255.0
acl staff src 192.168.1.1 192.168.1.111 192.168.1.2 192.168.1.4 192.168.1.71

delay_pools 3

delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
delay_access 1 allow server
delay_access 1 deny all

delay_class 2 1
delay_parameters 2 1500/64000
delay_access 2 allow staf
delay_access 2 deny all

delay_class 3 1
delay_parameters 3 1000/32000
delay_access 3 allow umum
delay_access 3 deny all

Cara mencobanya paling mudah adalah dengan menggunakan donlot manajer semacam DAP?, GetRight? maka akan terlihat bandwidth sudah dibatasi.
Special case

Delay pools juga dapat digunakan untuk membatasi donlot file untuk extensi tertentu.
Gunakan ACL url_regex untuk mengatasi hal ini.
Contoh dibawah digunakan untuk membatasi donlot file multimedia hingga 1 kByte/sec.

acl multimedia url_regex -i \.mp3$ \.rm$ \.mpg$ \.mpeg$ \.avi$ \.dat$
delay_pools 1
delay_class 1 1
delay_parameters 1 1000/16000
delay_access 1 allow multimedia
delay_access 1 deny ALL

Postfixadmin / MySQL / Courier / Squirrelmail on Debian Etch (Howto/Tutorial)

knopix — Wed, 16 Jan 2008 09:17:08 +0000

Source from David Goodwin

Install Debian

No surprise there… I installed Etch via netboot, and ended up with a fairly minimal setup. You’ll probably do it a different way. I told it to install as a ‘mail server’ and a ‘web server’. The ‘mail server’ option was probably a mistake as it installs uw-imapd and exim, neither of which I wanted/needed.

You probably want to install openssh-server and molly-guard

Postfix

apt-get install postfix postfix-mysql

(Or postfix-mysql if you’re going to use that instead)

I selected the Internet Site configuration when asked to pick a configuration.

/etc/apt/sources.list

In order to have slightly more recent versions of a few packages (PHP5, ClamAV and PostgreSQL mainly), I added the following into my /etc/apt/sources.list file :

deb http://packages.dotdeb.org stable all deb http://www.mirrorservice.org/sites/backports.org/ etch-backports main contrib non-free

Install MySQL

apt-get install mysql-server

(Note: there is no requirement on using v8.2, but I’m under the impression that it’s faster than previous versions). I’d suggest you use at least v8.1 (in Etch) from a maintenance point of view.

Install PHP5

I always install the suhosin extension to PHP in the hope it will provide extra security. APC (Alternative PHP Cache) is also installed in the expectation it will improve performance.

apt-get install php5 libapache2-mod-php5 php5-mysql php5-suhosin php5-apc php-pear

(The above packages nearly all come from dotdeb.org)

Install Postfixadmin

Although I have created .deb for Postfixadmin; at the time of writing, v2.2.0 hadn’t been released; so I installed Postfixadmin from SVN. Hopefully by Jan 2008, version 2.2.0 of Postfixadmin will have been released, and you will want to see this page to download it.

cd /var/www svn co https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/trunk postfixadmin

If you now hit http://your.server/postfixadmin you should see a slightly useful ‘welcome’ screen, follow the link through to the ’setup.php’ page. And you should get some sort of instant gratification that at least something works

Setting up PostgreSQL (or MySQL)

As postfixadmin stores all of it’s configuration within a database, we need to setup the database before we can do much further. You may find that phppgadmin or phpmyadmin help with this.

Basically – create a user (e.g. ‘postfix’) and a database (e.g. ‘postfix’). The user should own the database. Ensure there’s a password set on the user.

If security is a concern, you should probably have a user that is ‘read-only’ which is used by postfix (as it only ever queries the DB) while postfixadmin will need a read-write user account.

If you’re using PostgreSQL, the following shows what I typed in from a shell (all lines containing a $ or #)on the server

mail:~# su - postgres postgres@mail:~$ psql template1 Welcome to psql 8.2.4, the PostgreSQL interactive terminal.  Type:  \copyright for distribution terms        \h for help with SQL commands        \? for help with psql commands        \g or terminate with semicolon to execute query        \q to quit  template1=# CREATE USER postfix WITH PASSWORD 'complexpassword'; CREATE ROLE template1=# CREATE DATABASE postfix WITH OWNER postfix ENCODING 'UNICODE'; CREATE DATABASE template1=# \q

If, like me, you are useless at picking passwords, try using pwgen

Load the Postfixadmin Database Schema into your database

Currently this is still a manual step, but it should (eventually) be handled by the setup.php script.

cd /var/www/postfixadmin psql -U postfix -h localhost postfix < DATABASE_MYSQL.TXT

This may spew out a few errors about roles that don’t exist, but it should work

Configuration of Postfixadmin

Edit /var/www/postfixadmin/config.inc.php in your favourite editor (vi[m]).

Change

$CONF['configured'] = false;

$CONF['configured'] = true;

Change

$CONF['postfix_admin_url'] = '';

$CONF['postfix_admin_url'] = 'http://your.server/postfixadmin';

Change
```
$CONF['database_type'] = 'mysql';
```
Change the other database parameters to match what you used above.

You’ll want to change other parameters, but they’re not normally essential

Postfixadmin

Once your config.inc.php file has the right database credentials, and you refresh http://your.server/postfixadmin/setup.php you should a dialog box to Create superadmin account. You should treat these details a bit like the ‘root’ password for a Unix server. This user will be able to add/remove/edit any domains/users/aliases etc.

Anyway, choose an admin account, this could be (for example) it@your.domain

Submitting this form, successfully, should result in the page giving you a message like ‘Admin has been added!‘

Delete setup.php

Configuring Postfix

This always seems to be the bit that causes others trouble….

New configuration files

In my world, the following go in /etc/postfix/mysql

relay-domains.cf

(Who we relay mail for (as a backup mx))

user            = postfix password        = xxxxxxx dbname          = postfix hosts           = localhost query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = true

virtual-alias-maps.cf

(Think: /etc/aliases or similar)

user             = postfix password         = xxxxxxxx dbname           = postfix hosts            = localhost query = SELECT goto FROM alias WHERE address='%s' AND active = true

virtual-domains.cf

(Domains we accept mail for…)

user        = postfix password    = xxxxxxxx dbname      = postfix hosts       = localhost query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = false AND active = true

virtual-mailbox-limit-maps.cf

(Only used if you’re checking quota etc)

user = postfix password = xxxxxxx hosts = localhost dbname = postfix query = SELECT quota FROM mailbox WHERE username = '%s'

virtual-mailbox-maps.cf

(What mailboxes exist that we can deliver to)

user      = postfix password  = xxxxxxxx dbname    = postfix hosts     = localhost query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

main.cf changes

Add in the following :

# All virtual mailboxes live somewhere in here .. virtual_mailbox_base = /var/mail/vmail  # The (virtual) domains we accept mail for virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual-domains.cf  # Lookup mailbox location, uid and gid based on email address received. virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual-mailbox-maps.cf virtual_uid_maps = static:101 virtual_gid_maps = static:101  virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual-alias-maps.cf  relay_domains = proxy:mysql:/etc/postfix/mysql/relay-domains.cf local_transport = virtual local_recipient_maps = $virtual_mailbox_maps

#adduser -m vmail -g mail
#id vmail ;result 101
#chown vmail:mail /var/mail/vmail

Postfix SMTP Auth Support

If your users are likely to be trying to send mail through your mail server when they are not on a trusted network, you’ll need to add this to /etc/postfix/main.cf

smtpd_sasl_authenticated_header = yes smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes

And in /etc/postfix/sasl/smtpd.conf put the following :

pwcheck_method: saslauthd  saslauthd_path: /var/run/saslauthd/mux log_level: 3 mech_list: PLAIN LOGIN

(As you can see, we’ll be using SASL as a backend for authentication)

SASL

Thankfully the SASL package works a bit better under Etch than it did under Sarge/etc.

apt-get install sasl2-bin

Edit /etc/default/saslauthd so it has :

MECHANISMS="rimap" THREADS=5 OPTIONS="-r -c -O localhost -m /var/spool/postfix/var/run/saslauthd"

You’ll need to mkdir -p /var/spool/postfix/var/run/saslauthd before SASL will start

(One day, I might change to use the pam_sql module; as this would remove unnecessary IMAP logins… )

Courier

apt-get install courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-authlib-postgresql

Configuring Courier’s authdaemon

You’ll need to edit /etc/courier/authmyqlrc

MYSQL_SERVER            localhost
MYSQL_USERNAME          postfix
MYSQL_PASSWORD          knopix2006
MYSQL_PORT              3306
MYSQL_DATABASE          postfix
MYSQL_USER_TABLE        mailbox
MYSQL_CLEAR_PWFIELD     password
MYSQL_UID_FIELD         '101' #vmail id
MYSQL_GID_FIELD         '8' #mail id
MYSQL_LOGIN_FIELD       username
MYSQL_HOME_FIELD        '/home/vmail'
MYSQL_NAME_FIELD        name
MYSQL_MAILDIR_FIELD     maildir
MYSQL_QUOTA_FIELD       quota

And also edit /etc/courier/authdaemonrc, and set authmodulelist=”authmysql”

If you now create a user in a test domain on postfixadmin, you should be able to connect to your mail server successfully, and receive mail

Basic Testing (pop3)

Assuming you’ve created a domain, and a user within that domain from Postfixadmin, you should be able to do something like the following :

mail:~# tail -f /var/log/mail.log  & mail:~# echo 'test email' | mail crap@burton-mccall.co.uk mail:~#  Dec  6 22:31:56 mail postfix/pickup[11888]: A811A2B10063: uid=0 from= Dec  6 22:31:56 mail postfix/cleanup[11897]: A811A2B10063: message-id= Dec  6 22:31:56 mail postfix/qmgr[11889]: A811A2B10063: from=, size=297, nrcpt=1 (queue active) Dec  6 22:31:56 mail postfix/virtual[11902]: A811A2B10063: to=, relay=virtual, delay=0.11, delays=0.05/0.04/0/0.02, dsn=2.0.0, status=sent (delivered to maildir) Dec  6 22:31:56 mail postfix/qmgr[11889]: A811A2B10063: removed

Additionally, if you now look in /home/vmail, you should see a folder called ‘test@my.domain’. No guesses should be needed to figure out what this contains!

Squirrelmail

Squirrelmail is a mature web based mail client. It’s been around for some time now, and thankfully plugins exist for a number of additional “features”. As your author patched up the squirrelmail postfixadmin plugin, he’s going to take a small amount of time it.

```
apt-get install squirrelmail
```

wget http://squirrelmail-postfixadmin.palepurple.co.uk/files/squirrelmail-postfixadmin_2.1.0-1_all.deb

dpkg -i squirrelmail-postfixadmin_2.1.0-1_all.deb

Edit /etc/squirrelmail/plugins/postfixadmin-config.php – use the same settings from Postfixadmin
pear install MDB2
pear install MDB2#pgsql (or MDB2#mysql)
Run squirrelmail-configure and enable the Postfixadmin plugin

Wireless Networking in Windows 2003

knopix — Tue, 08 Jan 2008 06:34:04 +0000

In Part 2 of my Introduction to Wireless Networking series I briefly touched on the subject of IAS in Windows 2003. Here we will look at the Internet Authentication Service in a bit more detail and also see what Windows 2003, and SP1, have to offer when it comes to Wireless Networking. I’ll also show you how to setup 802.1X based security in Windows 2003.

Service Pack 1

Enhancements for Wireless Networking

The enhancements that SP1 provide for Wireless LANS are of great benefit to enterprise wide networks. Without SP1 on Windows Server 2003, the WPA security method isn’t supported and therefore cannot be implemented – which is no longer an issue with Service Pack 1. Apart from addressing the weaknesses that the original Windows Server 2003 has, SP1 makes it easier to deploy secure large scale wireless LANS. Additionally, administrators are now able to give the users of wireless clients – with Windows XP SP2 – a choice of pre-approved digital certificates and signing authorities. This means they would only be allowed to install certificates for the network that the administrator has previously acknowledged, making them less prone to man in the middle attacks.

Centralized Management

The Active Directory Group Policy console allows for centralized management of the Wireless Zero Configuration client which makes it easier and faster to connect wireless client to a secure network. WPA TKIP and AES encryption settings can now be configured and any wireless client with Windows XP Service Pack 2, or Service Pack 1 and the WPA patch, can be centrally configured to use the more secure WPA TKIP or AES methods to connect to the wireless LAN.

Wireless Setup Wizard

As did Windows XP SP2, Windows 2003 SP1 comes with a Wireless Network Wizard that will help you to configure secure wireless networks. Configuration settings can be stored on removable media (such as a USB pen drive) and then copied over to other machines.

PEAP Authentication Scheme

The LEAP (Lightweight Extensible Authentication Protocol) is a popular non-TLS (Transport Layer Security) authentication scheme introduced by Cisco in later versions of their firmware belonging to the Aironet access point product range. This protocol lacks point to point protection which leaves it open to dictionary attacks at the credentials authentication stage. With the inauguration of PEAP (Protected Extensible Authentication Protocol) authentication in the IAS (Internet Authentication Service) component of Windows Server 2003, these weaknesses are addressed. Furthermore, a server-side digital certificate is able to support many clients single handedly – without the use of an installed certificate on the client-side.

Wireless Provisioning Services

This new technology makes it easier for mobile workers to connect to hotspots or corporate LANS by eliminating the need for manual configuration of the network connection. Enterprises can better manage guest access on their network and provide payment plans such as pay-per-use or monthly Internet access to customers.

Securing Wireless in Windows 2003

When configured incorrectly, wireless connections are probably one of the most vulnerable points of a network. A simple password based authentication method is not enough, especially over a wireless connection. By means of the Internet Authentication Service in Windows 2003, Administrators are able to setup 802.1X based secure network.

In order to take advantage of the 802.1X in Windows 2003, you will require the use of the following services:

DHCP and DNS
Active Directory Service
RADIUS Server (Internet Authentication Service)
Certificate based infrastructure (referred to as PKI – Public Key Infrastructure)

I will cover the following steps and show you how to setup an 802.1X based security structure using the Internet Authentication Service in Windows 2003.

Configuring your access point
Windows 2003 Certification Authority
Windows 2003 Active Directory Service Configuration
Windows 2003 IAS Configuration

Configuring your access point

Your Access Points must support 802.1X and WEP authentication. If it doesn’t then check for a firmware upgrade before you proceed. 802.1X and RADIUS provide automatic generation of session keys so they will not have to be entered manually into the Access Point. However, some access points do support manual inputting of keys for simulation (testing) purposes.

Firstly, from your access point configuration web interface, you must set which machines act as RADIUS servers on your network. There may be slight variations but the idea is the same – go to the RADIUS servers list from either the ‘Wireless Security’ or ‘Wireless Settings’ panel and add the IP address, port number and shared secret for your RADIUS server connection.

Secondly, from the ‘Wireless Security’ panel go to the 802.1X Security section and enable it, select your required key size and group key re-key settings.

No rekeying – the clients will not have to re-key the password to re-authenticate to the RADIUS server.

Rekeying every X minutes – this refers to the number of minutes before the client will have to re-enter the password.

Rekeying every X packets – this refers to the number of transmitted packets before the client will have to re-enter the password.

Once you do all this you can move on to the next stage of configuring the Certificate Authority on your Windows 2003 Server.

Windows 2003 Certification Authority

The PEAP protocol needs the IAS Server to identify itself to the wireless client before the client passes any encrypted credentials to it. Once the IAS Server has a certificate installed, it gets a private keys which it then uses to decrypt the encrypted credentials sent by the wireless client. The wireless client uses the certificate’s public key to encrypt the username and password.

To install the certification authority console you will have to run the Add/Remove components wizard and select Certificate Services from the list. Keep in mind that to make use of the Web Enrollment Wizard (web interface used to request and generate certificates) you will have to have IIS installed.

NOTE:
Before initiating the installation you will be warned about how changing the machine name or domain membership will invalidate any certificates coming from the CA due to the fact that CA information is stored, and bound, in Active Directory. Make sure you have all the properties of your machine setup properly before you continue.

As part of the installation you will be asked to select the type of CA you want to set up. You have a choice of Enterprise CA, Enterprise Subordinate, Standalone CA and Standalone Subordinate, with Enterprise CA being the most trusted Certificate Authority in the enterprise. Make your choice and follow the wizard to complete the installation.

Once the CA console is installed you will have to Issue a certificate for the computer running IAS. Do this from the web enrollment wizard (which is created automatically when you install Certification Services unless you manually specified for it not to be installed). By default you can logon and request a certificate by opening Internet Explorer and navigating to http:///certsrv

Install user and computer certificates on wireless clients in the same manner as stated above.

Windows 2003 Active Directory Service Configuration

Your next step is to create a group for wireless user and computer accounts in AD. Alternatively you could just create individual users but, it goes without saying that groups are easier to manage. In the properties of the user account, go to the Dial-In properties account and select the “Control Access through Remote Access Policy” option in the Remote Access Permission section.

NOTE:
If “Control Access through Remote Access Policy” is disabled then your current domain functional level is probably set to Windows 2000. To change this, right click the domain name in Active Directory and select Raise Domain Functional Level. Choose Windows 2003 from the drop down list and press Apply. Once AD replication is complete, the “Control Access through Remote Access Policy” will no longer be grayed out.

You must also verify that your IAS Server is a member of the RAD and IAS Server Security Group.

Windows 2003 IAS Configuration

If you haven’t already done so you will have to install the Internet Authentication Service component from Add/Remove programs in the Control Panel. You will find it under Networking Services.

Open the IAS console from the Administrative Tools folder in either the Control Panel or Start Menu programs. Follow these steps:

Right click the main IAS node and select “Register Server in Active Directory” – this will authorize IAS to read the users’ dial in properties from the domain.
From the window on the right hand side of the console, right click anywhere and select “New RADIUS Client”. In the first screen, enter a friendly name for the RADIUS Client and also the Access Point IP Address. Press Next.

Now select the client-vendor attribute of the RADIUS client. If you are not using a remote access policy based on the client vendor’s attribute then select RADIUS Standard from the list.

Type the shared secret, as you did when configuring the 802.1X Server on your access point. The IAS Server will only allow user information to be forwarded to it by the AP once the correct shared key has been provided, so make sure that they match.

Once you have pressed Next the new client will show up in the right pane of the IAS Console.

Creating a Wireless Remote Access Policy

Your Next step is to create a Remote Access Policy for wireless access. Right click the Remote Access Policies node in the left hand pane and select New Remote Access Policy to bring up the wizard. Enter a policy name in the given text box and select whether you want to set up the policy manually or via the wizard.

NOTE:
The wizard will do what most Microsoft wizards do; help you to setup a typical scenario yet allowing you to add conditions to it later. You can set user or group access and the authentication method using Protected EAP. Manual configuration will give you the option to set all your conditions straight away and customize the setup to suit your specific needs.

If you select to use the wizard you will be given the option to choose a method of access for the policy. VPN, Dial-Up, Wireless and Ethernet are your typical RADIUS server options. Choose Wireless and press Next. Select whether you want to grant access to a User or Group followed by the EAP type. In the Authentication Method screen choose PEAP as an EAP Authentication Method and press the Configure button if you want to edit which certificate will be issued to identify the server. Press Next and Finish.

Summary

In this article I have shown you how Windows Server 2003 Service Pack 1 can help to improve centralized management of clients and provide better security for your wireless network. We also looked at the different steps you have to take in order to deploy the 802.1X security on a Windows 2003 RADIUS Server.

About Andrew Z. Tabona

Andrew Z. Tabona (MCSA, Network+, Security+, etc) heads a QA/CRM team at GFI Software, a leading global security and messaging software firm. Prior to this he plied his trade as a Network Administrator and an independent technical trainer. He has written a wealth of articles, manuals, white papers, etc and tries to “bridge the gap” with his easy going style of writing.

Click here for Andrew Z. Tabona’s section.

Setting up a wireless network with Windows Server 2003 and PEAP/EAP

knopix — Tue, 08 Jan 2008 06:29:51 +0000

Setting up a wireless network with Windows Server 2003 and PEAP/EAP

PEAP with IAS is a great way to setup wireless networks that require:

a)Their security to be top notch.
b)Lot’s of Access Points (greater than 10 or so).
c)Minimal administrative maintenance overhead.

It brings your wireless security up to a level that is acceptable for use on a security sensitive domain. It is approximately as secure as domain logon is on a wired network.

The whole IAS management of your AP’s as Radius Clients makes it very simple to make changes to your infrastructure without having to reprogram every AP on site to reflect a simple change (which is the case in most WPA setups). You don’t need to worry about keeping WPA keys up to date as the encryption keys are generated dynamically each time a client connects.

Below I have detailed the steps that I take when setting on of these networks up. Screenshots are on their way (I will get them next time I set up one of these networks) but most of the steps are fairly self explanatory.

Install IAS from the Add/ Remove Windows Components area in the control panel.

Install Certificate Services from the Windows Components area in the control panel.

When prompted you want to install an “Enterprise Root CA”.

Load up the “Certificates” plugin for mmc and then submit a request for a new domain controller certificate.

Create a group in Active Directory called “WirelessUsers”.

Inside the administrative tools section load up the IAS plugin and create a “new remote access policy”. Call it “Wireless Access Policy”. Follow the wizard which is reasonably intuitive and when prompted for access restrictions you want to allow only computers and users that are a member of the “Wireless Users” group you created previously. Also make sure when prompted for the authentication method that you select EAP/PEAP.

Then right click on the policy you just created and goto “Properties”. Then click on the “Edit Profile” button and make the following changes:

1.Encryption tab: Make sure “No Encryption” is not ticked.
2.Authentication tab: Tick MSCHAP-V2.
3.Advanced tab: Add Ignore_User_Dial_In_Properties = true and also Terminate-Action = Radius-Request.

On the Access Point:

Use an access point that supports EAP/PEAP and 802.1X authentication (e.g. a DLink DWL 2100AP). Set up a DHCP reservation for it so that it is always on the same IP address.

Change the authentication mode to be WPA-EAP.
Put in the IP address of the radius server (the server you installed IAS on).
Put in the Radius server/ port numbers/ shared secret (make one up at this stage).
Remember to save/ restart the AP to make sure the settings have stuck.

Back to IAS:

Add a new Radius client. Put in the IP Address of your new AP and also the shared secret you came up with above.

Group Policy Setup:

Load up the group policy manager. Find the appropriate OU that you wish to distribute the wireless network settings to.

Create and link a new GPO here (by right clicking on it and choosing the obvious option). Then right click on the new GPO and click edit.

Goto Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network.

From here you right click on the right hand window and click “Create Wireless Network Policy”.

1.Give the wireless network policy a name.
2.Select Access Point (infrastructure) networks only.

Once this is created edit the properties as follows:

1.Put in the SSID of the wireless network in to the “Network Name” box. Do not use any punctuation like (-,_,/) etc.
2.In the Wireless Network Key box. Set “Network Authentication” to WPA. with TKIP encryption.

On the IEEE 802.1X tab:

1.Set EAPOL start message to “Transmit”
2.In the parameters section you want to have : Max Start = 3 , Start Period = 10, Held Period=10, Authentication Period=10.
3.Make sure that “Authenticate as computer when computer information is available is ticked. Also make sure that computer authentication option is set to “With User Re-Authentication”.
4.Make sure that EAP Type is set to Protected EAP. Click the settings button and make sure that:

“Validate server Certificate” is ticked, that your CA (that you created above) is also in the list of “Trusted Root Certification Authorities”, Fast Connect is enabled and that “Secured Password (EAP-MSCHAAP v2)” is the selected method, click on “Configure” and make sure that automatically send my username and password is ticked.

Setup is now complete.

spam blocker use rblsmptd on qmail

knopix — Fri, 07 Dec 2007 08:47:43 +0000

(install using qmailrocks)

edit /var/qmail/supervise/qmail-smtpd/run

#!/bin/sh
QMAILQUEUE=”/var/qmail/bin/qmail-scanner-queue.pl” ;export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo “No /var/qmail/control/rcpthosts!”
echo “Refusing to start SMTP listener because it’ll create an open relay”
exit 1
fi
exec /usr/local/bin/softlimit -m 40000000 /usr/local/bin/tcpserver -v -R -l “$LOCAL” -x /etc/tcp.smtp.cdb -c “$MAXSMTPD” -u “$QMAILDUID” -g “$NOFILESGID” 0 smtp /usr/local/bin/rblsmtpd -b -t 5 -r bl.spamcop.net -r sbl.spamhaus.org -r relays.ordb.org -r dnsbl.antispam.or.id -r bl.spamcop.net /var/qmail/bin/qmail-smtpd mail.semestamargaraya.com /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Compile kernel on debian

knopix — Fri, 07 Dec 2007 08:38:45 +0000

debian:~# apt-get install kernel-package libncurses5-dev

wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.gz

debian:~# cd /usr/src/
debian:/usr/src# tar xzf /root/linux-2.4.20.tar.gz
debian:/usr/src# ls -la
total 2
drwxr-xr-x    3 root     root           80 Jun 12 12:00 .
drwxr-xr-x   14 root     root          360 Jun 12 12:00 ..
drwxr-xr-x   14 573      573           536 Nov 29  2002 linux-2.4.20

debian:/usr/src# mv linux-2.4.20 linux-2.4.20-mh9
debian:/usr/src# cd linux-2.4.20-mh9
debian:/usr/src/linux-2.4.20-mh9# zcat /root/patch-2.4.20-mh9.gz | patch -p1
patching file Documentation/Configure.help
patching file Makefile
patching file arch/sparc64/kernel/ioctl32.c
patching file drivers/bluetooth/Config.in
patching file drivers/bluetooth/Makefile
patching file drivers/bluetooth/btuart_cs.c
patching file drivers/bluetooth/hci_bcsp.c
patching file drivers/bluetooth/hci_bcsp.h
patching file drivers/bluetooth/hci_h4.c
patching file drivers/bluetooth/hci_h4.h
patching file drivers/bluetooth/hci_ldisc.c
patching file drivers/bluetooth/hci_uart.h
patching file drivers/bluetooth/hci_usb.c
patching file drivers/bluetooth/hci_usb.h
patching file drivers/char/pcmcia/serial_cs.c
patching file drivers/char/serial.c
patching file drivers/usb/Config.in
patching file include/net/bluetooth/bluetooth.h
patching file include/net/bluetooth/hci.h
patching file include/net/bluetooth/hci_core.h
patching file include/net/bluetooth/l2cap.h
patching file include/net/bluetooth/rfcomm.h
patching file include/pcmcia/ciscode.h
patching file net/bluetooth/Config.in
patching file net/bluetooth/Makefile
patching file net/bluetooth/af_bluetooth.c
patching file net/bluetooth/bnep/Config.in
patching file net/bluetooth/bnep/Makefile
patching file net/bluetooth/bnep/bnep.h
patching file net/bluetooth/bnep/core.c
patching file net/bluetooth/bnep/netdev.c
patching file net/bluetooth/bnep/sock.c
patching file net/bluetooth/hci_conn.c
patching file net/bluetooth/hci_core.c
patching file net/bluetooth/hci_sock.c
patching file net/bluetooth/l2cap.c
patching file net/bluetooth/rfcomm/Config.in
patching file net/bluetooth/rfcomm/Makefile
patching file net/bluetooth/rfcomm/core.c
patching file net/bluetooth/rfcomm/crc.c
patching file net/bluetooth/rfcomm/sock.c
patching file net/bluetooth/rfcomm/tty.c
patching file net/bluetooth/sco.c
patching file net/bluetooth/syms.c

debian:/usr/src/linux-2.4.20-mh9# cp /root/config-2.4.20 .config
debian:/usr/src/linux-2.4.20-mh9# make oldconfig
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure -d arch/i386/config.in
#
# Using defaults found in .config
#
.
.
.

*** End of Linux kernel configuration.
*** Check the top-level Makefile for additional configuration.
*** Next, you must run "make dep".

debian:/usr/src/linux-2.4.20-mh9# make-kpkg kernel-image
.
.
.

debian:/usr/src/linux-2.4.20-mh9# cd ..
debian:/usr/src# ls -la
total 3534
drwxr-xr-x 3 root root 144 Jun 13 12:00 .
drwxr-xr-x 14 root root 360 Jun 12 12:00 ..
-rw-r--r-- 1 root root 3612714 Jun 11 12:42 kernel-image-2.4.20-mh9_10.00.Custom_i386.deb
drwxr-xr-x 15 573 573 856 Jun 11 12:42 linux-2.4.20-mh9
debian:/usr/src# dpkg -i kernel-image-2.4.20-mh9_10.00.Custom_i386.deb
Selecting previously deselected package kernel-image-2.4.20-mh9.
(Reading database ... 80275 files and directories currently installed.)
Unpacking kernel-image-2.4.20-mh9 (from kernel-image-2.4.20-mh9_10.00.Custom_i386.deb) ...
Setting up kernel-image-2.4.20-mh9 (10.00.Custom) ...
A new kernel image has been installed, and usually that means
that some action has to be taken to make sure that the new
kernel image is used next time the machine boots. Usually,
this entails running a "bootloader" like SILO, loadlin, LILO,
ELILO, QUIK, VMELILO, ZIPL, or booting from a floppy. (Some
boot loader, like grub, for example, do not need to be run on
each new image install, so please ignore this if you are using
such a boot loader).

A new kernel image has been installed. at /boot/vmlinuz-2.4.20-mh9
(Size: 761kB)

Symbolic links, unless otherwise specified, can be found in /

LILO sets up your system to boot Linux directly from your hard
disk, without the need for booting from a boot floppy.

WARNING
If you are keeping another operating system or another version
of Linux on a separate disk partition, you should not have LILO
install a boot block now. Wait until you read the LILO documentation.
That is because installing a boot block now might make the other
system un-bootable. If you only want to run this version of Linux,
go ahead and install the boot block here. If it does not work, you
can still boot this system from a boot floppy.

Would you like to create a boot floppy now? [No] No
You already have a LILO configuration in /etc/lilo.conf
Install a boot block using the existing /etc/lilo.conf? [Yes] Yes
Testing lilo.conf ...
Testing successful.
Installing the partition boot sector...
Installation successful.

SRC : http://www.holtmann.org/linux/kernel/debian.html

debian:/usr/src#

debian:/usr/src/linux-2.4.20-mh9#
debian:/usr/src/linux-2.4.20-mh9#
debian:/usr/src#

Membuat Certificate untuk web server

knopix — Thu, 29 Nov 2007 07:44:41 +0000

Keterangan:

$VALID_DAYS : 3650 hari
$PRIVATE_KEY : cert.key
$CERTIFICATE_FILE : cert.crt

Buka console as root, ketikkan perintah seperti berikut

openssl req -new -days $VALID_DAYS -key $PRIVATE_KEY -x509 -out $CERTIFICATE_FILE

HTB-GEN cara mudah memanage Bandwidth

knopix — Thu, 29 Nov 2007 07:31:08 +0000

Implementasi bandwidth management biasanya di terapkan pada main-gw (gateway utama) dimana main-gw menghandle beberapa klien yang mempunyai jatah bandwidth yang telah di tetapkan. Disini kita akan menggunakan tool bantu yang bernama HTB-GEN.
Pada distro linux kebanyakan sebenarnya htb/cbq sudah include di kernel default masing-masing distro, tinggal kita saja yang kurang familiar dengan perintah tc yang digunakan sebagai standar tool shaping bandwith. Untuk itulah kita menggunakan HTB-GEN disini.
Yang perlu diingat adalah :
Lisensi GPLv2 or later
Syarat dan kebutuhan untuk menjalankannya:
-bash
-QoS htb kernel support
-iproute2 tc
-iptables
-htb-init script (optional)

Ok kita mulai aja meng-implementasikan HTB-GEN ke mesin main-gw kita, langkah-langkahnya adalah sebagai berikut:
Langkah 1: Download

– htb-gen-0.8.4.tar.gz Source tarball
– htb-gen_0.8.4_all.deb Debian package
– htb-gen-0.8.4–1.noarch.rpm Aliened RPM package

Archive at http://www.praga.org.ar/dev/htb-gen/packages/

sesuaikan dengan distro based yang dipakai, disini saya pake mandriva cooker, otomatis harus download yang versi .rpm

Langkah 2: Install
untuk menginstall htb-gen di mandriva, tinggal menjalankan perintah
#urpmi htb-gen-0.8.4-1.noarch.rpm

Langkah 3: Konfigurasi
setelah langkah instalasi dilalui dengan sukses maka akan terdapat file konfigurasi standar htb-gen di direktori /etc/htb-gen.
Edit file /etc/htb-gen/htb-gen.conf, dengan editor kesayangan anda

#vim /etc/htb-gen/htb-gen.conf

perhatikan baris berikut ini:

iface_down=”eth1″ # Server LAN iface iface_up=”eth0″ # Server INET iface total_rate_down=1024 #Total download bw total_rate_up=512 #Total upload bw

Kemudian di file /etc/htb-gen/htb-gen-rates.conf, perhatikan baris berikut :

# down down up up # min max min max #ip (rate) (ceil) (rate) (ceil) 192.168.1.2 0 64 0 32 192.168.1.3 0 128 0 64 192.168.1.4 0 256 0 128 10.0.0.1/30 256 512 128 256 200.80.22.2 256 256 256 256

Seperti yang terlihat

mudah sekali untuk membatasi suatu host atau network

ip beda network juga bisa digunakan

penulisan format ip dan network mengikuti aturan standar

mendukung fixed rate b/w

nilai nol atau “0″ artinya secara otomatis akan menggunakan b/w yang ada atau b/w yang tersisa.

Selanjutnya….

Langkah 4: Menjalakannya

Untuk menjalankan htb-gen sangat mudah, secara umum htb-gen dapat di jalankan dengan opsi sebagai berikut

#htb-gen tc_all

lebih lanjut dengan opsi htb-gen, bisa di cek dengan perintah

#htb-gen –help

Situs terkait dan resmi dari htb-gen bisa di cek di http://www.praga.org.ar/wacko/DevPraga/htbgen/

sumber : http://fsdoei.wordpress.com/2007/10/30/htb-gen-cara-mudah-memanage-bandwidth/