Gnatbox, hiding source and spam filtering

December 18th, 2007

Let’s learn from my mistake. At Coruscant we are running two leased lines in parallel while we migrate everything from one ISP to another. Unfortunately we can’t keep our IP block, so on our GTA Gnatbox firewall we have two external interfaces, NAT both public IP addresses to the same DMZ addresses and then just switch DNS across to the new IP. Sounds simple, doesn’t it?

The problem is that on one of the NAT entries you seem to need to tick the “hide source” option so as not to confuse the firewall/application behind it. This strips the original source address out of the session before it reaches the application. If that happens to be a web application it’s not much of an issue, beyond the web logs being less useful; but if it’s a mail server, the mail server then thinks the session is local and handles it as such. If a spammer then discovers this it can send 70,000 e-mails to address b because the mail server is acting as an open relay: the messages pass the block lists because they appear to come from a clean address, content filtering is also relaxed because the session looks local, and I get the alert to say the mail server is down while it struggles to process the load…
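To make the failure mode concrete, here is an added model of what the “hide source” option does to a typical MTA relay policy. This is illustrative code written for this page, not Gnatbox configuration or any mail server’s actual code; all addresses, the trusted network, the local domain and the block-list entry are constructed example values.

```python
import ipaddress

# Constructed example addressing; none of these values come from the post.
MAIL_SERVER_TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # DMZ/"local" range the MTA relays for
LOCAL_DOMAINS = {"example.com"}                                      # domains the MTA accepts mail for
DNS_BLOCKLIST = {ipaddress.ip_address("198.51.100.23")}              # constructed known-spam source
FIREWALL_INSIDE_ADDR = ipaddress.ip_address("10.10.0.1")             # firewall address used when "hide source" is on


def nat_translate(client_ip, hide_source):
    """Model the inbound NAT entry.

    Without "hide source" the DMZ host sees the real client address.
    With it, the firewall rewrites the source to its own inside address,
    so every external session arrives looking like it came from 10.10.0.1.
    """
    return FIREWALL_INSIDE_ADDR if hide_source else client_ip


def mta_decision(seen_ip, recipient):
    """Typical MTA policy: trusted networks may relay anywhere and skip the
    block-list and strict content checks; everyone else is checked against
    the block list and may only deliver to local domains."""
    from_trusted_net = any(seen_ip in net for net in MAIL_SERVER_TRUSTED_NETS)
    rcpt_domain = recipient.rsplit("@", 1)[1].lower()

    if from_trusted_net:
        # Local clients are trusted: relaying permitted, relaxed filtering.
        return ("relay" if rcpt_domain not in LOCAL_DOMAINS else "deliver", "relaxed")

    if seen_ip in DNS_BLOCKLIST:
        return ("reject", "blocklisted")
    if rcpt_domain in LOCAL_DOMAINS:
        return ("deliver", "strict")
    return ("reject", "relaying denied")


def handle_session(client_ip, recipient, hide_source):
    """What the MTA decides for a real client, with or without hide-source NAT."""
    seen = nat_translate(ipaddress.ip_address(client_ip), hide_source)
    action, reason = mta_decision(seen, recipient)
    return {"seen_as": str(seen), "action": action, "reason": reason}


if __name__ == "__main__":
    spammer = "198.51.100.23"
    print(handle_session(spammer, "victim@other.example", hide_source=False))
    # -> seen as 198.51.100.23, reject, blocklisted
    print(handle_session(spammer, "victim@other.example", hide_source=True))
    # -> seen as 10.10.0.1, relay, relaxed   (the open relay the post describes)
```

The same block-listed client is rejected when the MTA sees its real address and is allowed to relay with relaxed filtering when the firewall has rewritten it. Any control that keys on the client address (block lists, relay permission, per-network filtering) is only as good as the address the application actually sees, so a NAT entry that hides the source should be treated as widening the application’s trusted network to the whole Internet.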

This made me chuckle

October 10th, 2007

xkcd web comic: input validation is important for applications, if nothing else to stop an application annoying the e-mail administrator when it starts sending junk.

DenyHosts

September 24th, 2007

Just installed DenyHosts on a Debian server to discourage random people trying to SSH into it, and the install was remarkably painless. The first thing to do was make sure Python was installed, and a quick “apt-get install python” made sure of that. Then it’s a case of reading the fine readme.

My only advice is:
a) Don’t close your SSH session to the server straight away, just in case you’re denied straight away.
b) If you have a static IP address for a frequently used trusted client, add it to the allowed-hosts file in the work directory (typically /usr/share/denyhosts/data).
The reason for this is that I started DenyHosts and the first thing it did was see my home’s IP, plus various bits of finger trouble, and promptly deny me…

The really clever thing DenyHosts does is synchronise with a central server: if someone tries to brute-force an account on my server, the offending IP address is posted to the master list and distributed to everyone else running DenyHosts, which slows down an attack there.
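As an added illustration of the detection step (this is example code written for this page, not DenyHosts’ own implementation), the following parses sshd “Failed password” lines in the Debian auth.log format, counts failures per source address by category, honours an allow-list, and renders tcp_wrappers-style hosts.deny entries. The log lines, thresholds and addresses are all constructed for the example; the thresholds in particular are chosen for the illustration and are not DenyHosts’ shipped values.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in /var/log/auth.log format; not real data.
SAMPLE_AUTH_LOG = """\
Sep 24 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Sep 24 10:01:05 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
Sep 24 10:01:09 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51251 ssh2
Sep 24 10:02:30 web1 sshd[2210]: Failed password for alice from 192.0.2.44 port 40022 ssh2
Sep 24 10:02:33 web1 sshd[2210]: Failed password for alice from 192.0.2.44 port 40022 ssh2
Sep 24 10:02:38 web1 sshd[2211]: Failed password for root from 192.0.2.44 port 40024 ssh2
Sep 24 10:02:40 web1 sshd[2212]: Accepted password for alice from 192.0.2.44 port 40025 ssh2
Sep 24 10:05:00 web1 sshd[2220]: Failed password for bob from 198.51.100.7 port 33011 ssh2
"""

# Matches only failed password lines; "Accepted" lines are ignored.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Example thresholds (constructed for this illustration): how many failures
# of each kind from one address before it is denied.
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}


def classify(user, invalid_flag):
    """Bucket a failure as a root attempt, a non-existent user, or a real user."""
    if user == "root":
        return "root"
    return "invalid" if invalid_flag else "valid"


def count_failures(log_text):
    """Return {ip: {"root": n, "invalid": n, "valid": n}} over all failed-password lines."""
    counts = defaultdict(lambda: {"root": 0, "invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        counts[m["ip"]][classify(m["user"], m["invalid"])] += 1
    return dict(counts)


def hosts_to_deny(log_text, allowed_hosts=(), thresholds=THRESHOLDS):
    """Addresses that crossed any threshold, minus the allow-list.

    The allow-list is the point of advice (b) above: a trusted client that
    fat-fingers its password still trips the thresholds, and only the
    allow-list keeps it from being locked out.
    """
    allowed = set(allowed_hosts)
    deny = set()
    for ip, c in count_failures(log_text).items():
        if ip in allowed:
            continue
        if any(c[kind] >= limit for kind, limit in thresholds.items()):
            deny.add(ip)
    return deny


def hosts_deny_lines(ips):
    """Render tcp_wrappers entries of the form written to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    # 192.0.2.44 is the "home IP with finger trouble": denied unless allow-listed.
    print(hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG)))
    print(hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG, allowed_hosts={"192.0.2.44"})))
```

Running it shows both 203.0.113.9 (two invalid users and a root attempt) and 192.0.2.44 (two failures for a real user and one root attempt) crossing the root threshold; adding 192.0.2.44 to the allow-list leaves only the real attacker in the deny list. Note that a single root failure is enough on these thresholds, which is exactly why an out-of-band session should stay open while you tune them.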

ColdFusion has made it

July 14th, 2007

Some people wrongly think CF is a dead language, but it’s amazing where it crops up. The phishing e-mail I got today links to a CF form… :-)

Passwords are like underwear

June 26th, 2007

1. Change yours often.
2. Don’t leave it lying around.
3. Don’t share yours with anyone else.
4. The longer the better.
5. Be mysterious.

Sometimes people think passwords are a hindrance and tend to be lax with them, which kind of backfired for Orange. The other piece about passwords I’ve read recently was this, on how a simple password caused misery in someone’s life.

Useful things I’ve learnt in the last couple of days…

May 14th, 2007

If you’re using HP’s iLO and the \ key doesn’t work in Remote Console even though the server is set up with a British keyboard, you also need to set the keyboard type in iLO as well.

HP DL585 servers don’t have the normal C13/C14 power connectors on the back; they have the meatier C19 connector, which the odds are you don’t have spare in the data centre :-)

Site update

April 15th, 2007

I’ve just upgraded to WordPress 2.1.3 and allowed people to register again so that they can post comments (thanks to Kola for pointing that little detail out).

Recently I’ve started using WordPress Widgets, so you can see my Flickr pictures at random, and the date shown is the date in The Shire.

CF and Java

April 12th, 2007

Just a mention that Kola has had a nice article evangelizing ColdFusion for Java developers published over at java.net.

Winscp 4.0 beta

April 10th, 2007

WinSCP 4.0 beta is out.

WinSCP is one of those handy pieces of software that just works and, unlike FileZilla, it can be used for scheduled tasks thanks to its command-line and scripting options. As a result Coruscant has a few servers with it installed to go off and fetch backups. The only thing WinSCP didn’t do was act as an FTP client, but that’s one of the new features of V4.

Putty release

January 29th, 2007

Far more exciting than the big release of last week, PuTTY 0.59 has been released, with a few fixes and promises of speed improvements (mainly in the key exchange, which I don’t use much of, but never mind).